*******************************************
The CRYPT Newsletter (#7) - Early Oct., 1992

Another in a continuing series of info-glutted humorous monographs solely for the enjoyment of the virus programmer or user interested in the particulars of cyber-electronic data replication and corruption.

--Edited by URNST KOUCH
********************************************

This issue's top quote!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
"Ross Perot is an empty valise."
-Ed Koch on the former Electronic Data Systems leader's re-entry into the presidential race.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

IN THIS ISSUE: SPECIAL Election Day viruses: VOTE and VOTERASE...the DEICIDE virus...FIDO news...INCAPABILITIES: Off-the-cuff evaluations & fear and loathing on PRODIGY...from the Reading Room: "Cyberpunk" by Hafner and Markoff...McAfee Associates close in on "fuck you money"...Vidkun Quisling Medal awarded...more...

----------------------------------------------------------
NEWS! NEWS! NEWS! VITRIOL! NEWS!

This issue we award the Vidkun Quisling Gold Medal of Rank Hypocrisy to Gary Watson of Data Systems.

Here at the newsletter bungalow we couldn't help but notice programmer Gary Watson's insistence that he has been the victim of a disinformation campaign launched by virus exchange BBS's. "Do I upload source codes to virus boards? Not so, not so!" is the essence of this claim, aired on the FidoNet VIRUS_INFO echo.

To help get at the truth, we're releasing a log and an archive listing documenting Watson's visit to the Dark Coffin BBS in Pennsylvania. What follows is a reprint of a BBS log generated by WWIV 4.21, the software in use on Dark Coffin:

1702: Gary Watson #58  23:54:19 08/07/92 [Torrance CA]
Q, S, X, >, >, >, S, Q, Q, X, T, L, >, >, >, *, Q, X, T, *, X, Q, , Q //S**T! I GOTTA CHECK THE F****N MESSAGE BASES...., T, ?, U, Z, <, >, <, < <, <, <, <, <, F, //WELL, ONE OF EM AT LEAST, *, U, X, U
>>>+DANGER  .ZIP uploaded on NEW UPLOADS<<<
C, C, H, A, T, X, /, \, \, Q, Q, ?, O,
Read: 20  Time on: 16

All comments following // are command-line messages one of us typed to the other. Notice the upload of DANGER.ZIP. Next, the PKUNZIP listing of what was kept from that archive:

PKUNZIP (R)  FAST!  Extract Utility  Version 1.93 ALPHA  10-15-91
Copr. 1989-1991 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
PKUNZIP Reg. U.S. Pat. and Tm. Off.

Searching ZIP: DANGER.ZIP

 Length  Method   Size  Ratio   Date    Time   CRC-32   Attr  Name
 ------  ------   ----- -----   ----    ----   -------- ----  ----
  24704  Implode  7072   72%  09-25-91  10:44  26dbaec9 --w-  MIX1.ASM
   3193  Implode  1527   53%  03-05-89  22:21  1d1d5ed8 --w-  AMST-847.ASM
  13009  Implode  3179   76%  01-01-80  00:06  ec3b2f22 --w-  BADBOY2.ASM
  19037  Implode  6318   67%  06-05-90  11:54  ce10ca04 --w-  MURPHEXE.ASM
  12453  Implode  2783   78%  04-04-90  17:35  78c45414 --w-  STONE.ASM
  26586  Implode  5754   79%  04-04-90  17:35  50ad447b --w-  DATACRIM.ASM
  19495  Implode  7985   60%  01-03-90  23:19  31f550c8 --w-  EDDIE.ASM
   8897  Implode  2914   68%  05-05-90  18:13  0953d928 --w-  DIAMOND.ASM
  45577  Implode 10889   77%  05-05-91  18:51  065542d3 --w-  V2100_.ASM
  15042  Implode  2663   83%  04-18-91  16:58  19fc2ef6 --w-  LEECH.ASM
  58090  Implode 12176   80%  08-11-92  22:43  ddccc22e --w-  VSOURCE.ASM
  19310  Implode  6330   68%  03-09-91  15:53  50e8c26a --w-  HORSE2.ASM
  47596  Implode 11030   77%  03-13-91  18:29  21efc392 --w-  4096.ASM
   3042  Implode  1139   63%  12-28-88  12:32  a7404cb9 --w-  BOOT1.ASM
  10830  Implode  2939   73%  08-11-92  22:43  a7ae08a6 --w-  DIR2.ASM
   7212  Implode  2215   70%  08-11-92  22:47  4de925cf --w-  MASTER.ASM
 ------          -----  ----                                  -------
 334073          86913   74%                                  16

And an extracted header from one of the source codes, STONE.ASM:

; +--------------------------------------------------------------------------+
; | British Computer Virus Research Centre                                   |
; | 12 Guildford Street, Brighton, East Sussex, BN1 3LS, England             |
; | Telephone: Domestic 0273-26105, International +44-273-26105              |
; |                                                                          |
; | The 'New Zealand' Virus                                                  |
; | Disassembled by Joe Hirst, November 1988                                 |
; |                                                                          |
; | Copyright (c) Joe Hirst 1988, 1989.                                      |
; |                                                                          |
; | This listing is only to be made available to virus researchers           |
; | or software writers on a need-to-know basis.                             |
; +--------------------------------------------------------------------------+

Now, while this isn't IRONCLAD proof of Gary Watson's duplicity, it IS close enough for most purposes. And, yes, here at the bungalow we can still imagine cries of "Disinformation!" or "It's a FRAME-UP!" or "I never did that!" We feel confident that the reasonable Crypt reader will weigh the veracity of a Gary Watson (who self-admittedly views those unlike him as "targets," and whose ego is so big that he is easily stroked into flaming on the FidoNet by barbs from those much younger than he) against that of the urbane and always courteous editors of the Crypt Newsletter.

We are pleased to award Gary Watson the Quisling Medal. When ex-New York City mayor Ed Koch was asked to comment on the Quisling award, he said, "Gary Watson is an empty valise."

A HOT TIP! Nowhere Man informs the Crypt Newsletter that he is readying a polymorphic encryption module for domestic release. This is in addition to his work on VCL 2.0, which could be coming to you sometime around the holiday season!

*****************************************************************
A CRYPT NEWSLETTER SPECIAL: VOTE and VOTERASE, custom Election Day viruses!!!
*****************************************************************

In this issue, we give the readers the VOTE! VOTE (or VOTE, SHITHEAD) is a memory resident, spawning virus which is not detected by the recent versions of SCAN, Thunderbyte's tbSCAN, Datatechnik's AVScan, NORTON Antivirus or Central Point Antivirus. Upon installation, VOTE will reside in a small hole in system memory invisible to all but the most discerning eye.
It hooks INT 21 and monitors the DOS load function. From there, it will create hidden/read-only 'companion' files for every .EXE program called. All of these 'infected' programs will continue to function normally; VOTE's disk writes are minimal and not likely to be noticed by anyone NOT looking for the virus. VOTE will accumulate on the infected system's hard file in an almost totally transparent manner until Election Day.

On Election Day, at the start of the morning's computing, the first .EXE executed which has a VOTE 'companion' counterpart will result in activation. VOTE will lock the machine into a loop in which the user is gently but insistently reminded to go to the polling place. Computing will be impossible on Nov. 3rd, unless VOTE is completely removed from the system. After Nov. 3rd, VOTE will again become transparent. VOTE is an ideal virus and we encourage the Crypt reader to do his bit (ouch!) to reawaken democracy in this country.

VOTE will not harm files in any way. VOTE is simply removed by booting from a clean disk, tallying up all the 'hidden/read-only' 348 byte .COM duplicates of .EXE files, and deleting the .COM files. No special anti-virus software is necessary, as long as the user knows VOTE is afoot and what to look for.

The Crypt reader will remember the basic characteristics of the INSUFF spawning virus in issue #6. VOTE utilizes the same principles, attacking poorly implemented systems auditing and integrity checking software like that found in CPAV. In fact, VOTE can operate IN THE TEETH of a number of a-v software default installations. Unlike unknown resident viruses which instantly attempt to infect a-v software as it fires up, thus making the set-upon program squeal about file modification, VOTE can successfully 'infect' any program which can't scan it. It will instantly create a 'companion' which will go resident any time the a-v program is subsequently used.
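The removal recipe above (boot clean, find every hidden/read-only 348 byte .COM that twins an .EXE, delete it) is easy to turn into an audit script; the one below is an added example written from the defender's side, not code from the newsletter or from the VOTE sources. The `Entry` record, the `find_companions` and `scan_directory` names, and the sample listing are this example's own constructions.

```python
import os
import stat
from dataclasses import dataclass

COMPANION_SIZE = 348  # size of the .COM spawn the newsletter describes


@dataclass(frozen=True)
class Entry:
    """One directory entry: path, size in bytes, DOS attribute flags."""
    path: str
    size: int
    hidden: bool
    read_only: bool


def find_companions(entries, size=COMPANION_SIZE):
    """Return paths of .COM files matching the VOTE companion pattern.

    A hit is a .COM whose stem matches an .EXE in the listing, whose
    size equals `size`, and which carries both hidden and read-only.
    """
    exes = {os.path.splitext(e.path)[0].lower() for e in entries
            if e.path.lower().endswith(".exe")}
    hits = []
    for e in entries:
        stem, ext = os.path.splitext(e.path)
        if ext.lower() != ".com" or stem.lower() not in exes:
            continue
        if e.size == size and e.hidden and e.read_only:
            hits.append(e.path)
    return sorted(hits)


def scan_directory(root, size=COMPANION_SIZE):
    """Walk a real tree, build Entry records, and run find_companions.

    Hidden comes from st_file_attributes where the platform exposes it
    (Windows); read-only means the owner write bit is clear.
    """
    entries = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            st = os.stat(p)
            attrs = getattr(st, "st_file_attributes", 0)
            hidden = bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))
            read_only = not (st.st_mode & stat.S_IWUSR)
            entries.append(Entry(p, st.st_size, hidden, read_only))
    return find_companions(entries, size)


# Constructed sample listing (not taken from a real infected system)
SAMPLE = [
    Entry(r"C:\DOS\EDIT.EXE", 41000, False, False),
    Entry(r"C:\DOS\EDIT.COM", 348, True, True),          # companion: flagged
    Entry(r"C:\DOS\FORMAT.COM", 22000, False, False),    # real .COM, no .EXE twin
    Entry(r"C:\UTIL\PKZIP.EXE", 42166, False, False),
    Entry(r"C:\UTIL\PKZIP.COM", 348, False, True),       # right size, not hidden
]
```

Running `find_companions(SAMPLE)` flags only EDIT.COM; a stricter or looser attribute rule is a one-line change in the size/attribute test.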
Tested against CPAV, SCAN, tbSCAN, AVScan and Leprechaun's Virus-Buster, VOTE capably created 'companions' for each executable as they were employed. And none of the packages seemed to mind.

Some a-v types prefer to refer to viruses like VOTE as "worms," because, like the archetypal INTERNET "worm," they do not alter the programs they 'infect.' Recently, another corporate-military-security stiff even suggested the term "viro-worm" on the CSERVE VIRUSFORUM. This is an example of idiot-savant jargon. Good for cowing the uninitiated, it serves the additional purpose of convincing a dupe that he has actually gotten value for his money if ever he hands over a certified check for someone's "computer security paper." You should know that "companion virus" remains a perfectly acceptable term for programs like VOTE. It is clear, concise and descriptive, something "viro-worm" is not.

The source code for the VOTE "companion virus," as well as its DEBUG script, are included in this issue. The TASM listing invites the reader to extend the life of VOTE beyond November 3rd by simply changing the activation.

However, for those Crypt subscribers convinced that democracy has failed and that Election Day is a mere sham perpetrated by the ruling elite, we include VOTERASE. VOTERASE is exactly like VOTE, EXCEPT on Election Day it wakes up and expunges all files from an infected system. VOTERASE displays no message; it merely makes Election Day into an even harder working day. VOTERASE is quick. Files disappear in mere fractions of a second. A heavily infected disk could, theoretically, be emptied in minutes after the start of the day's computing on Nov. 3rd. The DEBUG script for VOTERASE is included with this issue.

(Note: VOTERASE will not damage the partition table of the hard file or overwrite programs with gobble. The hard disk will experience boot failure if its command processor and system files are removed by VOTERASE. In most cases, a simple restoration from backup after elimination of VOTERASE should get things moving again.)

The Crypt Newsletter has included the VOTE viruses to commemorate America's long tradition of rule by and for the people!

Disclaimer: The VOTE viruses are non-partisan. Neither recommends that you vote for any particular candidate. So remember, just VOTE!!! Your computer could be watching!!

***********************************************************************
***********************************************************************
INCAPABILITIES: PRODIGY USERS GRUMBLE ABOUT NORTON ANTIVIRUS 2.1
***********************************************************************

In Crypt newsletter #6, we reprinted an ad issued by SYMANTEC touting the new Norton Antivirus's ability to scan for Mutation Engine-loaded viruses. To make a point, we created the INSUFF viruses to poke a hole in this claim. Our tests showed that Norton Antivirus 2.1 did not detect ANY mutations generated by ANY of the MtE-loaded INSUFF viruses.

Now users of NAV 2.1 are starting to complain on PRODIGY, the Sears Roebuck electronic info service for novice computerists, that the SYMANTEC software detects the MtE in some data files. Henri Delger, a virus watcher on PRODIGY who advises people with questions on rogue programming, has chronicled this as a nasty false-positive bug inherent in NAV 2.1. He recommends users demand a free upgrade to the next version. Delger estimated that NAV 2.1 reliably detects about 40% of known viruses.

Smart consumer advice: NAV 2.1 will detect false MtE images in your data, but remains incapable of detecting real MtE infections.

In a spot evaluation of Central Point Software's Anti-Virus, we ran its scanner against 350 virus samples generously obtained from Long John Silicon by way of Todor Todorov's virus collection. CPAV identified 68% of the samples, as contrasted to F-PROT 2.05, which detected a full 98%.
Smart consumer advice: Why pay $100 for something which works poorly, when you can have a finely tooled racin' machine for free?

********************************************************************
ADDITIONAL DATA ON HILGRAEVE's HyperACCESS/5 COMM PROGRAM:

You may still be interested in the virus scanner part of Hilgraeve's HA/5, commented on only briefly in the previous issue. But you require more information before you unhitch your trucker's wallet. Here, then, in Hilgraeve's own words:

"To give you the most comprehensive, up-to-date protection possible, Hilgraeve uses the same signatures as the IBM Virus Scanning Program, with IBM's consent. This is an excellent source, because IBM devotes tremendous effort to collecting and identifying viruses."

Sez who? Does anyone you know actually use IBM software? Anyway, while HA/5 remains a fine terminal program, we continued to be dismayed at its HyperGuard 'virus filter' performance as we used it to transfer samples between BBS's in eastern Pennsylvania. Eventually, we just turned the 'filter' off.

As of now, BBS and comm program scanners have a long way to go before they are of much practical use. And that doesn't even begin to deal with programming tricks like PKliting and stand-alone encryption, which are used to 'conceal' scanned viruses and logic bombs during electronic transfer. We recommend Hilgraeve delete this feature from future versions of HA/5 and replace it with an in-line file archiver to complement the software's handy "Unpack" de-archiver.