|
Crypt Newsletter #4
NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.
**********************************************
The CryPt Newsletter: another in an occasional
series!
**********************************************
NEWS! NEWS! NEWS!
It's been an exciting summer at the Crypt! With the procure-
ment of Nowhere Man's Virus Creation Laboratory, virus researchers
have much to do.
The VCL is a revolutionary tool: an automated interface which
puts a comprehensive viral assembly library into the hands of
those who can benefit by it most. Unlike the Mutation Engine
which has proven itself a thorny, un-user friendly development
with small utility (within two weeks of its widespread release,
most anti-virus scanners had been adjusted to catch it), the
VCL allows the determined virus programmer to create an almost
infinite variety of novel and troublesome programs, limited only
by his patience, dedication and imagination. Fuckin'-A! The
VCL is fun!
Preliminary study of the VCL by anti-virus researchers have
prompted some to declare on the FidoNet virus echo that VCL
code will be easily countered.
This is premature and easily defied. F-PROT, one of the most efficient
of the current crop of scanners CAN detect some VCL variants
in "Secure Scan" and "Heuristic" mode. However, "Secure Scan"
findings are easily patched by incorporation of encryption
routines in the raw code and "trapping" of the nascent virus
body in a small custom-made .COM 'host' shell.* In "heuristic"
mode, F-PROT is dangerous - BUT only when the user 'knows' what
he is looking for! In my experience, few users will even attempt
to use a "heuristic" mode on a regular basis. The reasons are
these: 1) 'Heuristic"+ is a big word and, so, it must be hard to
use (stupid, I know, but true!); and 2) The false positive rate
requires some interpretation (Lazy fucks deserve to be parasitized
by viruses - .Ed).
The same can be said for THUNDERBYTE's TBSCAN
which implements an even more aggressive form of heuristic
scanning. Interpretation of shakey files is easy "when"
the user knows what he is looking for,
more problemmatical when flying blind. In addition,
TBSCAN isn't particularly user-friendly which means most potential
targets of viral attack won't have it in their arsenal. (Thank the
general level of incompetence in American society for this. Virology
is as much sociology as assembly, I say.)
*[This is a simple stunt which suggested itself after reading
Mark Ludwig's "The Little Black Book of Computer Viruses"
(American Eagle Publishing, Tucson, AZ)]
+['Heuristic' - all you have to know is that 'heuristic' means
F-PROT scans for certain 'patterns' of machine instruction:
resident services, self-modification, weird jump intructions,
discontinuous code sequences, garbage instructions, strange
memory entrance, illegal writes or formats to the
disk, etc.]
IN THE MEAT OF THIS ISSUE:
Two VCL-produced virus source-codes: DIARRHEA and DIARRHE6, which
demonstrate one of the nicer features of the VCL, ANSI screen
development and "dropper" routines.
DIARRHEA can be assembled with TASM and linked in the standard
manner. Place the assembled file on a floppy with SHELLT.COM
[Included in this newsletter]. Ensure that SHELLT is in a different
directory for quickest results. Call the virus and it will
promptly infect the shell. This allows the encryption engine to
turn once and supplies the virus in a form easily introduced into the
wild.
Now for the interesting part: DIARRHEA is an appending virus
which displays a BIG ANSI every Friday. It goes
something like this: EAT MY DIARRHEA - GG Allin & The Texas
Nazis. It's a real attention grabber and since DIARRHEA really
doesn't do anything but that, it's got an even chance of
spreading rather nicely before someone gets surprised by
the ANSI. At which point they could go berserk. Hahaha.
[I know, I have a juvenile sense of humor.]
DIARRHE6 is for those more impatient to see immediate results.
DIARRHE6 'drops' a TheDraw prepared .COMfile onto all .EXE
files in the virus's path of infection. This, in effect,
destroys the original program and replaces it with the
BIG ANSI which displays the hated EAT MY DIARRHEA message.
In truth, DIARRHE6 will be noticed fast since .EXE files
are eaten up by the ANSI substitute rather quickly. Don't
expect it to spread too far, although there is the chance that
an inexperienced user will be drawn into thinking that the
destroyed .EXE's are actually infected with a
over-writing virus.
To make this potential a little more polished, I've included
an optional modification for DIARRHE6. I've prepared a
fragment of the WHALE virus in 'define byte' form
in the included file, VIRUS1.DAT. Use your favorite
text editor to replace the ANSI data table at offset
DATA01 in DIARRHE6.ASM with VIRUS1.DAT JUST AS THE FILE IS WRITTEN.
Then assemble.
This will produce a virus which drops a WHALE string
onto .EXE's in its path, instead of the motorized ANSI.
When the victim goes to use a scanner on his damaged files,
he'll find the WHALE or, possibly, a DIR string. Scarey!!!
While he's offhunting for this new strain of WHALE, your modified
version of DIARRHE6 could still be going strong.
[Actually, I'm sure you see the potential here. You could
actually drop an entirely different virus onto the file,
causing a more serious secondary infection.]
Remember that you'll want to let the modified DIARRHE6 infect
SHELLT.COM before you release it so that it encrypts itself and
the embedded WHALE string. This way, it won't scan for
WHALE until the string is 'dropped.' When you assemble this
you will notice the text "Eddie lives . . . somewhere in time!
Written in the city of Sofia, Bulgaria." in the un-encrypted
virus. Yup, it's loosely cribbed from DARK AVENGER even though
the 'dropped' table scans predominantly as WHALE. I put it
there to confuse things even more. When the victim executes
the .EXE this file has been dropped on, the phrase from
the DARK AVENGER (or CRAZY EDDIE) will display. Hahahah!
More confusion! (You can rip it out if you don't like it;
be my guest.) Other scanners may identify the dropped string
as DIR (THUNDERBYTE does) or SPARSE, which is fine. You see, I had
so much fun with the idea I couldn't resist stuffing all
kinds of psychologically troubling nonsense into VIRUS1.DAT.
And, you will need TASM or MASM to fully utilize these listings.
IN CONCLUSION:
Do yourself a big favor and find the VCL. Nowhere Man's creation
is quite a pleasure to use, allowing your wildest creative
juices to flow.
CONFUSION TO YOUR ENEMIES!
-URNST KOUCH
DARK COFFIN BBS 215-966-3576
VIRUS_MAN BBS 215-PRI-VATE
This issue of the CryPt newsletter should contain:
DIARRHE4.ASM - the source listing to DIARRHEA virus
DIARRHE6.ASM - the source listing to DIARRHE6 virus
SHELLT.COM - a helpful shell for initial infection trapping
VIRUS1.DAT - a 'define byte' table for a dummy COMfile
which contains WHALE & DIR virus signature strings as well
as text from CRAZY EDDIE virus.
CRPT.LTR - this newsletter
If it doesn't, DEMAND UPGRADE!!! heh-heh, a little joke.
|
|
