💾 Archived View for gemini.spam.works › mirrors › textfiles › magazines › CRYPT › cryptlettr2.vir captured on 2022-06-12 at 10:44:16.


                    **************************************
                    The CRYPT newsletter: semi-serious ish
                    number 2, or another in an intermittent
                    series.  --URNST KOUCH. M.CS, D.d.(Master:
                    Cork-Screwin', Dirty-Dealin', etc.)*
                    ***************************************

           *[I got this from George C. Scott in "The Flim-Flam Man."
            You should rent this excellent movie; perhaps even use
            'The Flim-Flam Man' as your 'handle'!]


       NEWS! NEWS! NEWS! NEWS!

       Hot from the gossip-mongers on the FidoNet virus echo:

       Tim Caton (The Pallbearer) and a member of
       Phalcon/SKISM, were recently given three month furloughs by moderator
       Frans "Dutch" SomethingorotherAndersssomething for yakking
       about virus exchanges, etc., blah-blah-blah. In "Dutch's"
       own words: they were "excommunicated."

       "Excommunication" translates loosely as "you can still
       post, but no one is allowed to reply to you or they
       will be excommunicated, too."  No word from "Dutch"
       on the inherent 'unworkability' of this arrangement,
       although Caton continues to post and receive responses.
       Apparently, even "Dutch" doesn't believe his own spout.

       As for Caton: "This is just a hobby for me, you hear,
       a hobby!! I could be baskin' in the sun in Florida!"
       he bellowed.

       The "Dutch" policy also does not explain why FidoNet
       fave Gary ("I've been programming in assembly for 14
       years!") Watson is given such a long leash to discuss
       transfer of viral material when newer members are
       continually slapped around for discussing the same
       general topics.

       Speaking of that rogue, Watson, wasn't it he
       who spent a recent afternoon running SCAN over
       about 650,000 (?!??!) MtE loaded viral samples?
       Now, izzit me, or does this strike you as nuts?
       There is such a thing as being thorough, and then
       there is: CLEARLY INSANE.  Working on your
       Ph.D. thesis Gary? I'm glad I'm not on your
       committee - pass the No-Doze, Quimby, Watson's giving
       his research report on the MtE this after...

       SPOTTED ON THE CSERVE VIRUS FORUM: 'Outlaw Joz'
       and 'Bocephus' viruses have been seen plaguing hapless
       corporate stiffs. Our salute to whoever is responsible
       for naming 'Outlaw Joz'!  Obviously, they know how to
       come up with a classy moniker.

       Also seen (hey, this is like being one of those Audubon
       society 'birder' weenies): GEEK virus, a mini-epidemic of
       4096 and NPOX.

       And a special slap upside the head to Virus Bulletin
       'journalist' Mark Hamilton. Hamilton recently sent
       derogatory private e-mail blind-siding fellow VIRUSFORUM member
       Eric Essman, calling him "a sleaze." Amazingly, Hamilton sent it
       to Essman, too (by mistake, apparently).
       Essman promptly turned it into a 'public' multi-mail. Oops!
       Pay more attention to those account addresses, Mark!
       That's an e-mail faux pas!

       THE GENVIR 1.0: THREAT OR MENACE??

       Have you seen this program:  The GENVIR 1.0 French virus
       generator?

       Outwardly, it's quite an elaborate menu-driven viral
       design suite for "researchers."  But when you get to
       the punchline - the time for it to cough up a virus
       to your specs - up comes a 'crippleware' nag screen.
       Better part with the francs first and register, it
       sez, or no viruses for you!

       Well, c-a-l-l-l-l-l-l Dr. FileFinder!

       In any case, the GENVIR 1.0 remains interesting for a number of
       reasons. First, its copyright date of 1990 makes it an early
       attempt, if legit, to derive cash from viral code.  This
       predates Mark Ludwig's "Little Black Book" and viral companion
       disk by at least two years.

       Second, it shows that someone thought that a viral programming
       tool had commercial potential, never mind the possible legal
       ramifications.

       Third, since it's 'crippled' shareware, the possibility exists
       that GENVIR 1.0 is the software equivalent of the Piltdown
       Man - an elaborate hoax designed to entice saps into sending
       their hard-earned cash money to an anonymous POB. Haha!!

       Whatever the truth, the GENVIR 1.0 is surrounded in controversy,
       generated, perhaps, by the rage of virus fanatics who spend the
       precious filepoints to download it.

       Is there a GENVIR virus (like MANTA) floating around?
       You tell me if you've got the 'registered' version!!*

       [*Note: if you obtain GENVIR 1.0, better have your pocket
       French-English dictionary ready.  It's 100% frog, but
       still easily doped out if you've got the patience.]

       CASH FOR CODE: AN IDEA WHOSE TIME HAS COME?

       Have you been charging for downloading rights on your exchange?
       Well, if not, perhaps you should.  From what I can tell
       here in lower Slobville, Pennsylvania, viruses and their source
       codes are in high demand.  And a lot of people who want them
       have trouble getting at them, either because they don't have
       a unique virus to upload or don't wish to be bothered with
       programming one.

       Now, there's nothing wrong with this attitude.  After all, should
       you have to hand-machine your own Mossberg AlleySweeper before you
       stroll into a firearms store to purchase one?  Of course not.
       If that were so, the locals would be rioting in the streets from
       here to the Florida Keys over infringement of their constitutional
       rights.

       This potential customer base cannot look to the anti-virus
       community for help. Remember, John McAfee has said something to
       the effect that passing on the code of Michelangelo would be akin to
       giving some street urchin a vial of human pathogens.

       So, the field is wide open for the virus exchanges. Rather
       than ask for 'donations', why not simply package viral
       samples in bulk lots and charge what the market will bear,
       depending upon strain demand or prevalence?

       Viral samples could also be packaged with descriptive docs to
       enhance their value and given a guarantee test for 'live'
       quality before being put on line. Think of it.  In the long run,
       who do you think will attract more users: the virus exchange
       with hundreds of cryptic archives totally loaded with misnamed
       strains, dummy files, incomplete fragments of code or 100k
       infected games, or the exchange that distributes well documented,
       completely characterized, naked viral samples? [This, of
       course, entails some work.  The archivist will have to go
       through his files and transfer virus-infected utilities/games/etc.
       to a testing area where the virus can be 'trapped' in a small
       generic .COM stub before return to the archive. Documents will
       have to be prepared and formatted, too. This serves a double
       purpose, screening out 'dead' files.]

       Anyway, I think you know the answer.  Think of the virus archive
       as a specialty 'chemical' firm providing lab quality goods for
       interested hobbyists, researchers and the occasional misguided
       . . . um, terrorist.

       American gadget freaks, particularly computer hobbyists, are
       inveterate packrats and collectors. In my opinion, those
       interested WILL pay for quality samples, easily obtained
       from straightforward BBS's not saddled with idiotic posting ratios,
       overly chatty menus or disdainful, mocking 'help' prompts.

       Do yourself a favor. Start making some money off your long
       distance collection.

       SCAN 95B AND VCL CODE: A VERY BRIEF RESEARCH REPORT ALMOST
       TOTALLY DEVOID OF EXACTING DETAIL

       The news is out. SCAN 95B detects VCL code as the [Con] virus.
       How long will it take you to retool your custom-designed virus
       so that it can be ready to head back out into the wild?

       The answer: not very long. I recently spent 15 minutes breaking
       SCAN's 'death-grip' on some VCL variants. Simply, the basic
       technique involves making minor changes to, um, well ... heh-heh,
       some secrets have to remain 'proprietary' because there are
       flies on the walls of even the most remote BBS.

       However, included with this issue of the Cryptletter IS a hex
       dump of the MIMIC1 virus, a VCL 1.0 product that DOES NOT
       scan under 95B.  So, you can reverse engineer it if you
       like, but lemme tell ya confidentially, you can probably
       figure it out yourself in less time than I did.

       The REAL point of this abstract again demonstrates the inevitable
       passing of the brute-force scanner.  With the advent of Nowhere
       Man's VCL (and the easy availability of many viral source codes),
       it remains possible to flood any region with a variety of
       easily patched, viral samples. Only software which performs
       functions analogous to something like INTEGRITY MASTER is not
       obsolete. However, will the average American realize this?
       Probably not for another five years.

       ONE FINAL BURNING QUESTION!!

       Why does Mark Hamilton's Virus Bulletin cost so much?  When
       viral sources are commonplace, when there are 'free' magazines
       of technical advice like 40Hex, why is there a
       market for Virus Bulletin?  The answer: some haven't
       caught on.  Give someone you know in the corporate security
       business some source codes, the VCL or PS-MPC, a copy of 40Hex,
       Nuke Info Journal, or, hey, even the Cryptletter.
       Once they know where to find 'em, perhaps they'll weigh the
       cost effectiveness and eventually put Hamilton out of a job.
       Information is not property/goods in the sense that most
       Westerners envision it!!  Don't pay throat-cutting prices
       for things you have a right to be able to research for free!
       Journals like Virus Bulletin belong in engineering libraries,
       subscriptions bought and paid for by department funds, available
       to all, just like any other scientific journal.

       CRYPTLETTER APPENDICES: AH, THE GOOD STUFF!

       This issue of Crypt contains two hexdumps of live viruses:
       MIMIC.DMP and MIMIC2.DMP.

       Go to the C prompt and type C:\> debug <mimic.dmp .
       Voila! The MIMIC1 virus is ready to go! Same for MIMIC2.DMP

       Some info: MIMIC 1 is an unscanned VCL variant. Encrypted,
       .COM appending, MIMIC 1 activates on Fridays and hunts down
       .EXE's. The target .EXE's are transformed into DEN ZUKO
       'zombies.' When called, the .EXE's/DEN ZUKO 'zombies' will
       load and display the fancy-shmancy DEN ZUKO graphic effect.
       The 'zombies' are not infectious and will NOT scan as DEN
       ZUKO virus.  The astute among you will know that DEN ZUKO
       is a boot infector.  Think of the confusion that could ensue
       when the DEN ZUKO graphic appears on a PC screen, but memory
       scans clean for boot infectors.  I'm sure you see the potential.
       The clever will also observe that the hexdump has a rather large
       'zero' byte stub.  This was the generic stump I attached to
       MIMIC1 so that its encryption engine would turn once.
       The actual virus is about 1000 bytes smaller than the
       final hexdump product.

       MIMIC 2 is an unscanned, encrypted .COM/.EXE infector produced
       from hybridized VCL and PS-MPC code.  On Fridays, MIMIC 2 shuts
       down its rounds of infection and goes on an .EXE hunt to
       transform them into JERUSALEM virus 'zombies.' The JERUSALEM
       'zombies' will go resident when executed, effect system slowdown
       and the characteristic black scrolling screen effect. The 'zombies'
       do not scan, are not infectious and are not overly bright.  They
       will load one on top of the other in low RAM (about .9k) if
       called in multiples.

       And last: CRMBL.ASM - an a86 'falling letters/CASCADE virus'
       effect written so that it is easily shot-gunned into VCL
       1.0 product.  It can also be made into a stand-alone.

       My thanks again go out to Nowhere Man, without whom blah-blah-
       blah.  If you enjoy the Cryptletter, drop me a line, wampum,
       rotten fruit, whatever at the DARK COFFIN BBS.
       [I am also interested in keeping Cryptletter reasonably
       error free.  I've made every effort to determine that the
       hex dumps and code as provided will work on an average
       IBM PC. However, errors could have crept in in production.
       If you find that the hexdumps do not produce working viruses,
       I want to know. I will gladly supply you with 'working' copies
       if such is ever found to be the case.]

       And, finally, finally, finally:
       
       If you are entertaining the idea of contributing or writing
       nay-saying commentary to the Cryptletter, please feel free,
       but remember to leave a point of contact if you wish
       any chance of feedback on it. However, because I don't run
       the DARK COFFIN BBS, I take no responsibility for electronic
       archives or documents that may occasionally go astray upon it.

       I remain your obedient servant,

       --URNST KOUCH [Aug 92]

     ┌────────────────────────────────────────────────────────────────────┐
     │ This V/T info phile brought to you by ????,                        │
     │ Makers/Distributors/Archivists of Phine Viruses/Trojans.           │
     ├────────────────────────────────────────────────────────────────────┤
     │ Dark Coffin ──────────────────── HQ/Main Support ─── 215.966.3576  │
     ├────────────────────────────────────────────────────────────────────┤
     │ VIRUS_MAN ────────────────────── Member Support ──── ITS.PRI.VATE  │
     │ Callahan's Crosstime Saloon ──── Southwest HQ ────── 314.939.4113  │
     │ Nuclear Winter ───────────────── Member Board ────── 215.882.9122  │
     └────────────────────────────────────────────────────────────────────┘