NEWSLETTER NUMBER 12

**********************************************************************

Another festive, info-glutted, tongue-in-cheek training manual provided solely for the entertainment of the virus programmer, security specialist, casual home/business user or PC hobbyist interested in the particulars - technical or otherwise - of cybernetic data replication and/or mutilation. Jargon free, too.

EDITED BY URNST KOUCH, January - February 1993
CRYPT INFOSYSTEMS BBS - 215.868.1823

**********************************************************************

TOP QUOTE: "We live in cheap and twisted times."
--Hunter S. Thompson, "Songs of The Doomed," 1990.

-------------------------------------------------------------------

IN THIS ISSUE: NEWS . . . Anti-anti-virus viruses revisited: the LOCKJAW series, quick analysis of the SANDRA virus . . . IN THE READING ROOM: critique of various articles; review of MONDO 2000 annual; VIRUS: The comic book! . . . return to MICHELANGELO virus: an appraisal of the media's mishandling of the March 1992 affair and software vendor collusion . . . sophisticated, but warped, humor . . . and the usual potpourri of material.

**********************************************************************
MICHELANGELO HYPE REVISITED: A SKEPTIC'S VIEW
**********************************************************************

Just about a year ago the media exploded with weird stories of impending catastrophe at the hands of a mysterious computer program.
Thrown a newsprint and TV body-block by techno-impaired editors and reporters lacking even the sense to pour piss from a boot, the world reeled. But the sky refused to fall and in the best tradition of "calendar" journalism, the Crypt Newsletter has received permission to reprint a critique of the events surrounding March 6, 1992.

"THE LITTLE VIRUS THAT DIDN'T: The press couldn't get enough of Michelangelo. But did it fall prey or save the day?"

Republished from the Washington Journalism Review, May 1992.

The great Michelangelo computer virus scare of 1992 has proved to be another classic example of Chicken Little journalism -- or the Reporters Who Cried Wolf, depending on your taste in fairy tales.

At first glance, the story was a sexy one. The virus had an instantly recognizable name. It was attached to a specific date -- March 6 -- an attractive hook for editors with a penchant for calendar journalism. It was simple: On the birthday of its namesake, the virus would destroy data within the computers it had infiltrated through infected disks. And it boasted big numbers: By one estimate, as many as 5 million IBM and IBM-compatible computers worldwide were going to be victims of Michelangelo, a relatively small computer code written and unleashed by an anonymous, devious programmer.

Newspapers around the country ran headlines warning of imminent disaster. "Thousands of PC's could crash Friday," said USA Today. "Deadly Virus Set to Wreak Havoc Tomorrow," said the Washington Post. "Paint It Scary," said the Los Angeles Times.

Weeks after M-day, many antiviral software vendors and some reporters still insist the coverage prevented thousands of computers from losing data. John Schneidawind of USA Today says "everyone's PC's would have crashed" had the media not paid much attention to Michelangelo. The San Jose Mercury News credited the publicity with saving the day.
One widely quoted antiviral vendor, John McAfee of McAfee Associates, says the press deserves a medal.

In reality, many of the predictions were suspect. Those making them, often computer security product vendors or closely related industry associations, usually stood to profit from the widespread coverage. And many reporters bit hard.

One vendor who played a key role was McAfee, one of the nation's leading antiviral software manufacturers and founder and chairman of the nonprofit Computer Virus Industry Association (CVIA). It was McAfee who told many reporters that as many as 5 million computers were at risk. He says he made the projection based on a study that the virus had infected 15 percent of computers at 600 sites. Both Reuters and the Associated Press sent the figure around the world.

McAfee says he didn't present it the way it was reported. "I told reporters all along that estimates ranged from 50,000 to 5 million," he says. "I said, '50,000 to 5 million, take your pick,' and they did."

But researcher Charles Rutstein of the International Computer Security Association (ICSA), a for-profit consulting group, says even 50,000 was an exaggeration. Also widely quoted, Rutstein says he told reporters early on to expect no more than 10,000 computers infected worldwide. (There are more than 35 million computers in the United States alone, according to some estimates.)

"Five million is just ridiculous, but the press believed it because they had no reason not to," Rutstein says now. "McAfee seems credible." (McAfee responds that the ICSA and other critics are "fringe groups.")

While many articles failed to disclose or merely mentioned in passing that McAfee's antiviral software has sold more than 7 million copies of its Viruscan and expects revenues of more than $20 million this year, McAfee scoffs at the idea that he or other vendors hyped the threat to generate sales.
"I never contacted a single reporter, I never sent out a press release, I never wrote any articles," he says. "I was just sitting here doing my job and people started calling."

He maintains that the coverage of Michelangelo cost him money. "It was the worst thing for our business, short-term," he says. "We offer shareware [where users are trusted to pay], so we got tons of calls from non-paying customers.

"Before the media starts to crucify the antivirus community," he continues, "they should look in the mirror and see how much [of the coverage] came from their desire to make it a good story." But he adds quickly, "Not that I'm a press-basher."

Schneidawind's and AP's efforts after March 6 to track Michelangelo found only a few thousand afflicted computers worldwide, including 2,400 erroneously reported to be at the New Jersey Institute of Technology. The institute actually had only 400 computers infected with any virus; few had Michelangelo. A Philadelphia Inquirer reporter got it wrong, says institute spokesman Paul Hassen, and it spread quickly. "That was the first time I've been that close to a feeding frenzy," he says.

Perhaps the most embarrassed news organization was CNN, which on March 6 staked out McAfee's offices in Santa Clara, California, waiting for a doomsday that never came.

Soon after the clock struck midnight on March 6, many reporters seemed to suspect they'd been had. The Los Angeles Times, which had quoted McAfee's 5 million figure on March 4, carried a Reuters story three days later that reported the "Black Death" had turned out to be little more than "a common cold." AP downgraded its "mugger hiding in the closet" to a mere "electronic prank."

AP Deputy Business Editor Rick Gladstone says the wire service quickly downplayed the story after its initial reports and included comments from the ICSA's Rutstein, who said the threat from the virus had been exaggerated.
"Our big oversight was to quote McAfee's 5 million figure in the beginning of the coverage but we backed off that," Gladstone says, adding that his staff "felt somewhat vindicated" when relatively few computers were affected on March 6. "Some of us in the press were suckered," he says.

Schneidawind doesn't feel he was. "We went into this with our eyes open," he says. But on March 9, in an article entitled "Computer virus more fright than might" (the subhead was a more confident "Michelangelo kept at bay by early detection"), the USA Today reporter chronicled his frustrations tracking the virus. He reported that he had asked Rutstein and McAfee, again identified as the CVIA chairman, to provide a working sample of Michelangelo. Both declined. "It'd be like giving him a biological virus because he wanted to play with it," McAfee says. McAfee was also "reluctant to divulge the names of companies struck by the virus" according to Reuters.

McAfee now estimates that only 10,000 systems were stricken worldwide on March 6, a number he says he derived by counting the number of calls he received from victims and guessing that they estimated 5 percent of the total. But he insists the numbers aren't as important as "the scope of the problem," which, he says the press largely ignored. "For the first time, you had large well-respected companies shipping the virus with their new computers and software. How did it filter into secure environments like that?"

Schneidawind agrees. "The estimates may have been overblown, but no one knew for sure until the 6th," he says. "Consider the BCCI scandal, where everyone faulted the press for not being there. I'd rather err on the side of caution."

Schneidawind didn't seem to do that in a sidebar to his March 9 article in which he listed other computer pests poised to strike in March.
Supplied by yet another antiviral software vendor, the list did not reveal that most of the bugs were either variants of the same root virus -- known as "Jerusalem" -- or rare species found only in eastern Europe. Like many others the story did not make clear that every week of the year is filled with trigger dates for numerous viruses. (Or that user mistakes destroy more data than viruses do.) More importantly, only a handful of some 1,000 worldwide viruses are common enough that a user may occasionally encounter one. Of those, most only display silly messages or compel the computer to play a tune.

On March 6, Michael Rogers and Bob Cohn of Newsweek offered a post mortem to Michelangelo that warned readers to "beware the next round of computer viruses," including the Maltese Amoeba and "the scariest new virus . . . the Mutation Engine." What they and others such as Ted Koppel of ABC's Nightline and John Fried and Michael Rozansky of the Philadelphia Inquirer failed to say was that the Maltese Amoeba had only been active in Ireland. Moreover, the Mutation Engine isn't a virus at all, but a user-friendly encryption tool that virus-writers use to disguise their creations.

To their credit, neither The New York Times nor The Wall Street Journal gave much credence to Michelangelo. John Markoff of the Times in particular provided restrained, intelligent coverage that virtually ignored McAfee and other antivirus vendors. And The Journal's Walter Mossberg wrote a "Personal Technology" column that realistically appraised the viral threat as minimal.

Unfortunately, the hype over Michelangelo could cause wary journalists to ignore more prevalent destructive viruses that could occur in the future. It will cause more of the rogue programs to be circulated, if only because their creators love the attention. For some soul, the coverage given to Michelangelo must have provided quite an adrenalin rush. It certainly did for the press.
---------------------------------------------------------------------

As for a look back a year later:

1. Whatever happened to the Maltese Amoeba? The answer: Who cares?

2. Where is the sound of PC's crashing in 1993 to the tune of the "scariest new virus . . . the Mutation Engine"?

*****************************************************************
MODEL ANTI-VIRUS AUTHOR LEGISLATION PRESSED INTO THE HANDS OF THE CRYPT NEWSLETTER: PETER TIPPETT HAS COMPANY NAME ATTACHED TO RISIBLE DRIVEL
*****************************************************************

Recently we've had the time to look over a back issue of Virus News and Reviews which contained some "model" legislation designed for the express purpose of combating computer viruses. Devised by Peter Tippett of Certus International, the document makes clear that it was written to impress people ignorant of computers in even the most general sense. It propagates the idiotic notion that writing viruses is some kind of specialized skill, or "art" as Tippett puts it, and by regulating individuals expert in the "art," the computer virus problem can be solved.

For example, an excerpt from Tippett's "model" in Virus News and Reviews (July 1992):

"A computer virus may only be created or modified, but never sold, distributed, or allowed to be distributed, for bona fide research purposes, and then only under the following circumstances:

"1. The virus is created for a legitimate, localized research purpose;

"2. Strict provisions are made to always contain the virus within the expressed domain of its author/researcher and to not allow the virus to replicate or otherwise move to any media or computing system outside of the author's/researcher's direct control;

"3.
At least five days before any computer virus is created or modified under this sub-part, the intent to create or modify a computer virus must be publicly announced by its intended author in at least three publicly available publications, each with a circulation of at least 100,000. The announcement will contain at least: 1) the name, company, title, address and telephone number of the responsible party, 2) the name, company, title, address and telephone number of the computer virus author, if different than the responsible party, 3) the address and location of the intended research, 4) the start date and intended finish date of the intended research, and 5) the expressed intent to create or modify a computer virus.

"4. The research or study virus, or virus modification must contain within its own code, and in a form that survives replication to all progeny of the parent virus, the name of the responsible party and other information sufficient for anyone of average skill in the art to reliably discover."

Point 1 calls for the formation of a judging group which will appraise virus research as worthy of license. To this day, no such group exists in any field of scientific (professional or non-professional) endeavor, at least not in the way envisioned by Tippett's model legislation. The closest things to this are government research and granting agencies like the National Science Foundation. But, while the NSF doesn't have to grant money for research it feels inexpert or uninteresting, it has no power to make it taboo. (It can create an environment where certain avenues of research are seen as "unfundable." This can be crippling in some fields, but not in this case where just about anyone with a couple PC's, a modem and a real desire to work can set up shop.) Tippett's legislation would be a first in this regard.
We think this is a laughable assumption that shows a typical businessman's lack of knowledge about how the critical pursuit of information proceeds in any field. (In an aside: Tippett's writing brings to mind Robert X. Cringely's assessment of Lotus Development's Jim Manzi as an American businessman who shuns PC's, hates using them and considers researchers and technical people "dickheads.")

In Point 3, Tippett requires publication notice for virus creation. This is an unenforceable bureaucratic requirement which would be unlikely to be taken seriously even by people working in a "legitimized" environment.

As for Point 4: Many virus authors and researchers already put plenty of identification in their creations. This hasn't changed anything nor does it prevent people from erasing or altering such identification at whim. This point serves no obvious purpose and, in our opinion, is legally meaningless.

The remainder of Tippett's "model" is similarly uninformed as to the reality of virus construction and distribution, embarrassing when one considers that he's published in Virus News and Reviews. But perhaps this is intentional, since the facts are difficult to adequately describe in a mere one-page letter. As a "paper" or proposal in any college course worth its salt, Tippett's submission would gain a solid F. But for congressional legitimacy, if that's its aim, excellence is not a requirement. Maybe Peter Tippett is a lot smarter than we think.

**********************************************************************
IN THE READING ROOM: VIRUS - THE COMIC BOOK!
**********************************************************************

It had to happen. There have been sci-fi and techno-thrillers about viruses, so WHY NOT a comic book? You'd expect this to be strange, but so what! Aren't a lot of comics? Why should "Virus," published by Dark Horse, be an exception? But first, a little background.
Dark Horse has made its name by peddling an endless flood of titles devoted to squeezing the last drop of greenish ichor from movies like "Alien" and "Predator." That philosophy ensures just about anything it prints is a big hit, selling out immediately in the kinds of comic stores run by tubercular, ex-artfags with an intense dislike for patrons who don't reserve at least ten new titles each month. You'd imagine, then, that a copy of "Virus" was tough for The Crypt Newsletter to find. It was. And if not for alert reader Captain AeroSmith who shipped one air-freight from Cleveland, we might not have seen it at all.

That said, the first issue of "Virus" wasn't bad. Fair art, good dialogue and a story that revolves around an abandoned Chinese radar and telemetry ship that comes under the power of some inter-cosmic computer virus that has beamed down into its radio antenna and set up shop in the mainframe. The original crew is butchered, necessitating the trapping of some ocean-wandering riff-raff who think they're going to appropriate the boat for lots of cash money. "Virus" nixes this plan at once by ripping the breast-bone out of one of the thieves with the aid of a computer-controlled winch. "Aaaiiieeee!" screech the trapped sailors. They want out, but not before being attacked by something that looks like a cross between a kite and a flying pipe-wrench made from sails and human integument.

What does this have to do with viruses or the computer underground? Who knows! "Virus" is cracked, but I guarantee you'll be negotiating with your local dealer for the next issue.

*******************************************************************
IN THE READING ROOM II: MONDO 2000 - A User's Guide To The New Edge by R. U. Sirius, Queen Mu and Rudy Rucker (HarperPerennial)
*******************************************************************

"Thanks for a country where no one's allowed to mind their own business . . . Thanks for a nation of finks." --William S.
Burroughs in "Mondo 2000"

I'm no expert on the "cyberpunk" magazine, but MONDO 2000 - the book - squeezed a smirk out of me when the William Burroughs quote cropped up amidst non sequiturs and chapters on pranking the media and "smart" drugs. That the wizened author of "Naked Lunch" is now a centerpiece in such an effort surely has some kind of quantum significance.

So, know that MONDO 2000 is the literary equivalent of a Ren & Stimpy cartoon: stretches of intense flatulence punctuated by flashes of brilliance and dumb cunning. [Much like the Crypt Newsletter, perhaps.] For instance, the chapters on "smart" drugs and tarantulas (?!) are patent nonsense. The "smart" drug idea comes from that small segment of the populace who've accidentally rediscovered how absorbing a read the Physician's Desk Reference is when your mind has that "roasted" character that comes from too many simultaneous hits of caffeine and unfiltered Camels. Tarantulas, Queen Mu says, are deadly, too. (I knew it, I knew there had to be a reason they sell the ugly things to any schnook who goes into a pet store!)

If you can overlook stuff like that, MONDO 2000 is hep. Rudy Rucker's introductory essay, for one thing, is inspirational. And there's plenty of weird computer jokes, BBS's to call, summaries of all the important stuff that's gone down in "cyberspace" in the past ten years - in other words, MONDO 2000's a good book for the coffee table. It will impress your friends, I bet.

********************************************************************
QUICK AND DIRTY DISASSEMBLY OF VIRUS CODE: THE SANDRA VIRUS - AN ENCRYPTED ANTI-ANTI-VIRUS VIRUS SPILLS ITS SECRETS TO ANY LAYMAN
********************************************************************

This month, two articles crossed Crypt Newsletter desks that painted the picture that virus disassembly is a job best left to the experts.
It is a common myth - a nuts, self-serving statement propagated by greedheads who WANT you to think that you are a helpless schnook. In reality, anyone who works seriously with viruses knows that in 90% of all cases, virus disassembly is about a 5-minute job, tops.

As an illustration, the Crypt Newsletter will walk you through a quick and dirty dissection of the SANDRA virus using only two tools: the shareware ZanySoft debugger and the retail Sourcer commenting disassembler programs.

Since the Sandra virus came into this country as a "naked" file, there is little need to instruct you in how to execute the virus onto a clean, small, workable "host." Since no virus researcher had to do it, we will presume, in this case, that you won't have to either. (And that leaves room for another chapter in this story in the next issue.)

The first step is a no-brainer. Fire up Sourcer with the following command line (this presumes you have created the SANDRA virus from the DEBUG script supplied with the Crypt Newsletter):

C>SR SANDRA.COM

This will load SANDRA into Sourcer and bring up the disassembler's menu. The Sourcer defaults will suffice, so hit "G" for GO. In less than 15 seconds Sourcer will have coughed out a file called SANDRA.LST. Take a look at it.

By the black-coated turd from Jesus's arse! What gibberish. You'll see that SANDRA appears to be a small segment of cryptic assembly code instructions, then some words that almost look like English and quite an oodle of hexadecimal values arrayed in columnar "define byte" (or "db") format. This immediately tells the experienced that SANDRA is encrypted, and rather weirdly at that. (If SANDRA had been unencrypted, your job would be finished. The virus would be laid out in front of you.)

The next step, then, is to trick the virus into decrypting itself and then writing the "plain text" version to disk. This is simple in theory, only slightly more difficult in practice.
Envision that the portion of the virus you want to execute is the decryptor loop, a small stretch of instructions which will unscramble the virus in memory. Might not that segment of cryptic assembly gobble that Sourcer produced on its first pass contain the keys to the decryptor? Yup, good guess. And it looks like this:

    seg_a           segment byte public
                    assume  cs:seg_a, ds:seg_a
                    org     100h
    sandra          proc    far
    3C44:0100       start:
    3C44:0100  F8              clc                     ; Clear carry flag
    3C44:0101  E8 002F         call    sub_2           ; (0133)
    3C44:0104  FB              sti                     ; Enable interrupts
    3C44:0105  F8              clc                     ; Clear carry flag
    3C44:0106  <--execute to this address
                               jmp     loc_6           ;*(027C)
    3C44:0106  E9 73 01        db      0E9h, 73h, 01h
    3C44:0109  3C   data_3     db      3Ch             ; xref 3C44:013D
    3C44:010A  00   data_4     db      0               ; xref 3C44:0149

You notice that SANDRA starts by calling a sequence of instructions dubbed "sub_2" by Sourcer. Looking down the listing (which is not included here) you see that "sub_2" is another segment of plain-text assembly code. This is the viral unscrambler and when we have returned from it, the virus is ready to cook off. The next job for SANDRA, then, is to begin its work. Looking at the assembly commands above, you see SANDRA jumps (jmp) to a new location, which looks encrypted in the listing you're working on.

The idea you want to use is that by executing the virus right up to the "jmp," it's possible to get it to translate itself in memory without it looking for a file to infect, infecting that file and re-garbling itself. This is easy to do with any debugger. We'll use the ZanySoft product because it's not as intimidating as DOS's DEBUG to the novice user. In fact, it is almost idiot-proof and requires little overhead on the part of anyone.

Fire up the ZanySoft debugger by typing:

C>ZD86

ZanySoft is menu driven. Use its "File" drop-down menu to load the virus. Then bring down its "Run" menu and double-click on the "go to xxxx:xxxx" command.
This tells ZanySoft to execute the loaded program to a certain address - which it will prompt you to supply - and stop. The address needed is the one corresponding to the "jmp" in the above listing. Sourcer has supplied it, and it is ear-marked in the diagram: 0106. Type in 0106 at ZanySoft's prompt and hit ENTER. The virus is decrypted.

Now, return to the "Files" menu and select the option, "Write to .COM." Accept the default value ZanySoft brings up and hit ENTER again. The virus has now been written to the disk from memory, and in "plain-text" or unencrypted form. Look at it under a file viewer. Remember those words that looked like English? Well, now they ARE English. You should see some gobble like "the Nazg'l," "dedicated to Sandra H.", and "*.EXE," "*.COM," the latter two giveaways that the virus hunts for these files.

Load the unencrypted virus into Sourcer once again. Accept the defaults and hit "Go". Fifteen seconds later the virus has been disassembled for you, only now it's almost all assembly instructions. Is this so mysterious?

Even though you may know next to nothing about assembly, you can still use the Sourcer listing to make some informed deductions about the virus. Go to the bottom of the listing and look at the interrupt usage synopsis.
It looks like this:

                      Interrupt Usage Synopsis

    Interrupt 16h : Keyboard i/o ah=function xxh
    Interrupt 20h : DOS program terminate
    Interrupt 21h : DOS Services ah=function xxh
    Interrupt 21h : ah=2Ch get time, cx=hrs/min, dx=sec
    Interrupt 21h : ah=3Bh set current dir, path @ ds:dx
    Interrupt 21h : ah=3Ch create/truncate file @ ds:dx
    Interrupt 21h : ah=3Dh open file, al=mode,name@ds:dx
    Interrupt 21h : ah=3Eh close file, bx=file handle
    Interrupt 21h : ah=40h write file bx=file handle
    Interrupt 21h : ah=41h delete file, name @ ds:dx
    Interrupt 21h : ax=4301h set attrb cx, filename @ds:dx
    Interrupt 21h : ah=4Eh find 1st filenam match @ds:dx
    Interrupt 21h : ah=4Fh find next filename match
    Interrupt 21h : ax=5701h set file date+time, bx=handle

As you see, SANDRA has instructions for "find first filename match", "find next filename match" and "set current directory, path." If you've seen this newsletter and its source listings before, you might suspect that SANDRA is a direct-action (or non-resident) virus. Coupled with the .COM/.EXE filemasks, that's a good, educated guess.

Like any virus, it has a "write to file" function. However, in this case, cross-referencing your listing shows that SANDRA doesn't worry about adding itself to the end of the file during the write. This means SANDRA's an "overwriter." It's the simplest kind of infector, a feature exclusively the domain of primitive direct-action viruses. And since it means that the virus destroys everything it lands on, an instantly noticeable stunt, it marks SANDRA as a trivial pest at best.

Your eye might also be drawn to the "delete file" and "truncate file" functions. "Ah-ha!" you say having a vague understanding about how sneaky viruses work. SANDRA deletes files corresponding to the list of plain-text filenames it carries around. And those file names are for anti-virus software programs! SANDRA is an anti-anti-virus virus! Wow.
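The synopsis above is the evidence the article reads off the decrypted listing. The Python script below is an added example, not code from the newsletter or from Sourcer: it reproduces that triage step statically on a .COM image by matching the mov ah/mov ax that precedes each int 21h, pulling the printable strings, and applying the article's rules of thumb (find-first/find-next means direct action; a write with no lseek hints at an overwriter; delete plus the names of anti-virus data files means an anti-anti-virus virus). SAMPLE is a constructed byte string for the demonstration, not a virus; the integrity-file names are the ones the article lists later, and the overwriter heuristic is this example's assumption.

```python
"""Static triage of a decrypted DOS .COM image, in the spirit of the
article's "interrupt usage synopsis" step.  Run it on the plain-text
dump the debugger wrote out, not on the still-encrypted file: until the
decryptor loop has run, the 'int 21h' bytes are scrambled and invisible."""
from __future__ import annotations
import re

# DOS INT 21h services the article's synopsis calls out, keyed by AH.
INT21_FUNCS = {
    0x2C: "get time", 0x3B: "set current dir", 0x3C: "create/truncate file",
    0x3D: "open file", 0x3E: "close file", 0x40: "write file",
    0x41: "delete file", 0x42: "lseek (move file pointer)",
    0x43: "get/set file attributes", 0x4E: "find first filename match",
    0x4F: "find next filename match", 0x57: "get/set file date+time",
}

# Anti-virus data/integrity files the article says SANDRA deletes or
# truncates (basenames only; the article gives some with full paths).
INTEGRITY_FILES = {
    "ANTIVIR.DAT", "CHKLIST.CPS", "NAV_._NO", "NOVIRCVR.CTS", "NOVIPERF.DAT",
    "FSIZES.LST", "FSIZES.QCV", "UT.UT1", "UT.UT2", "VS.VS", "VIRSCAN.DAT",
    ")(.ID",
}


def interrupt_synopsis(code: bytes, window: int = 6) -> list[tuple[int, int | None]]:
    """List (interrupt number, AH) for every 'int xx' (CD xx) in the image.

    AH is taken from the nearest preceding 'mov ah, imm8' (B4 xx) or
    'mov ax, imm16' (B8 lo hi) within `window` bytes, else None.  This is a
    byte-level heuristic, not a disassembler: a CD byte inside data (or an
    encrypted body) produces a bogus entry, and a register loaded further
    back than `window` bytes, or via another register, is missed.
    """
    found: list[tuple[int, int | None]] = []
    for i in range(len(code) - 1):
        if code[i] != 0xCD:
            continue
        ah = None
        for j in range(i - 2, max(i - window, 0) - 1, -1):
            if code[j] == 0xCD:                 # an earlier int: stop looking back
                break
            if code[j] == 0xB4:                 # mov ah, imm8
                ah = code[j + 1]
                break
            if code[j] == 0xB8 and j + 2 < i:   # mov ax, imm16: AH is the high byte
                ah = code[j + 2]
                break
        found.append((code[i + 1], ah))
    return found


def format_synopsis(entries: list[tuple[int, int | None]]) -> list[str]:
    """Render the entries the way Sourcer's synopsis reads, one line each."""
    lines: list[str] = []
    for intno, ah in sorted(set(entries), key=lambda e: (e[0], -1 if e[1] is None else e[1])):
        if intno == 0x21 and ah is not None:
            desc = INT21_FUNCS.get(ah, f"function {ah:02X}h")
            line = f"Interrupt 21h : ah={ah:02X}h {desc}"
        else:
            line = f"Interrupt {intno:02X}h"
        if line not in lines:
            lines.append(line)
    return lines


def printable_strings(code: bytes, min_len: int = 4) -> list[str]:
    """Runs of printable ASCII, the same thing a file viewer shows you."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, code)]


def triage(code: bytes) -> dict:
    """Apply the article's rules of thumb to the synopsis and the strings."""
    funcs = {ah for intno, ah in interrupt_synopsis(code) if intno == 0x21 and ah is not None}
    strings = printable_strings(code)
    masks = sorted({m.group().upper() for s in strings
                    for m in re.finditer(r"\*\.(?:COM|EXE)", s, re.I)})
    targets = sorted(s for s in strings if s.upper().rsplit("\\", 1)[-1] in INTEGRITY_FILES)
    return {
        # find-first/find-next: the virus walks directories itself, so it is a
        # direct-action (non-resident) infector rather than one that hooks DOS.
        "direct_action": {0x4E, 0x4F} <= funcs,
        # Assumption of this example: an appending infector must lseek to the
        # end of its host first (AH=42h); a write with no lseek anywhere is a
        # strong hint that the virus simply overwrites the host.
        "overwriter": 0x40 in funcs and 0x42 not in funcs,
        "deletes_files": 0x41 in funcs,
        "file_masks": masks,
        "anti_av_targets": targets,
    }


# Constructed sample for the demonstration: a handful of plain 'mov ah, xx /
# int 21h' service calls followed by a few strings.  It is not a virus and is
# not meant to be executed; it only exercises the byte patterns above.
SAMPLE = bytes([
    0xB4, 0x2C, 0xCD, 0x21,          # mov ah,2Ch   ; int 21h  get time
    0xB4, 0x4E, 0xCD, 0x21,          # mov ah,4Eh   ; int 21h  find first
    0xB4, 0x4F, 0xCD, 0x21,          # mov ah,4Fh   ; int 21h  find next
    0xB8, 0x01, 0x43, 0xCD, 0x21,    # mov ax,4301h ; int 21h  set attributes
    0xB4, 0x3D, 0xCD, 0x21,          # mov ah,3Dh   ; int 21h  open
    0xB4, 0x40, 0xCD, 0x21,          # mov ah,40h   ; int 21h  write (no lseek)
    0xB4, 0x3E, 0xCD, 0x21,          # mov ah,3Eh   ; int 21h  close
    0xB4, 0x41, 0xCD, 0x21,          # mov ah,41h   ; int 21h  delete
    0xCD, 0x20,                      # int 20h      ; terminate
]) + b"\0*.COM\0*.EXE\0C:\\CPAV\\CHKLIST.CPS\0C:\\TBAV\\VIRSCAN.DAT\0"


if __name__ == "__main__":
    print("\n".join(format_synopsis(interrupt_synopsis(SAMPLE))))
    for key, value in triage(SAMPLE).items():
        print(f"{key:>16}: {value}")
```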
Now you know enough to broadly characterize SANDRA as an encrypted, over-writing virus that tries to delete a raft of anti-virus programs.

You might even be tempted to run a test and execute SANDRA against some bait files. If you do that on a typical American system, you'll find another interesting feature at once. A great many systems now use WINDOWS, and that means they're set up with either QEMM or MS-DOS's EMM386 as memory managers. If SANDRA is executed on any of these environments it will generate an "exception" forcing a reboot of the machine.

Why is that, for cryin' out loud? Actually, it's another anti-anti-virus measure, although a back-handed one. NEMESIS, a German memory resident anti-virus monitor uses expanded memory to monitor a system at the sector level. Because of this, it requires the user to have the requisite amount of expanded memory and the manager for it: QEMM or EMM. SANDRA seems to make the generous assumption that any machine using one of these might have NEMESIS installed, and it forces a shutdown through EMM to stop the infection and avoid potential detection. Since SANDRA appears to be German, it is not unreasonable that its author might be more concerned about NEMESIS than anyone in the U.S., where the program is nonexistent. In real terms, this feature makes SANDRA, at best, a reluctant virus. On many machines, it will just flat out refuse to infect.
By further combing over the code on breaks from hanging about the water-cooler, you'll find that SANDRA deletes the following data-integrity files from selected a-v software:

- "ANTIVIR.DAT"
- "CHKLIST.CPS" --Central Point AV
- "C:\CPAV\CHKLIST.CPS" --same as above
- "C:\NAV_._NO" --Norton Antivirus
- "NOVIRCVR.CTS"
- "NOVIPERF.DAT"
- "C:\TOOLKIT\FSIZES.LST" --Solomon's Toolkit
- "C:\FSIZES.QCV" --Solomon's Toolkit
- "C:\UNTOUCH\UT.UT1" --Untouchable
- "C:\UNTOUCH\UT.UT2" --Untouchable
- "C:\VS.VS"
- "C:\TBAV\VIRSCAN.DAT" --Thunderbyte, truncates file
- "C:\)(.ID" --Integrity Master, I believe

By now, you're very confident you can execute SANDRA without hurting yourself. Actually, you could have done that after a quick look at the interrupt synopsis. In any case, you're still cautious so you install FLU-SHOT. Haha! SANDRA won't infect. And you've uncovered its last interesting secret: it exits when FLU-SHOT or a couple of other resident programs are present.

This isn't the definitive book on SANDRA, but it's more than enough for reasonable purposes. After all, this IS the "quick and dirty" guide to virus disassembly. And the rules here can be applied to a full 90% of the viruses you might come across. Sure, there can be the occasional bird with tricks in it to make this kind of fast interpretation a thorny job. But, chances are, you will never see one. So after a few more stabs at this with viruses from the newsletter, your home collection, or wherever, you can sell yourself as an experienced hand at "quick & dirty" virus disassembly.

****************************************************************
THE LOKJAW PROGRAMS: MORE SIMPLE IMPLEMENTATIONS OF RETALIATING ANTI-ANTI-VIRUS VIRUSES
****************************************************************

Intrigued by the Proto-T scam, virus writer Nikademus sent his LOCKJAW program to the Crypt Newsletter for examination.
The Nikademus LOCKJAW virus is a variant of "Proto-T," a resident .COM infector originally derived from Civil War, altered to delete a series of anti-virus programs when they are executed. As an added fillip, the virus marks the deletion with an entertaining "chomping" graphic effect!

The easiest way to soak this up is to head right for the assembly listings included in this issue. The actual file recognition and deletion routines can be adapted for many resident viruses. As an example, the newsletter has transformed LOCKJAW into a spawning .EXE-infecting virus in its "ZWEI" and "DREI" variants.

File deletion on load isn't novel in resident viruses. But by coupling it to anti-virus recognition LOCKJAW underscores the necessity of having the user realize he MUST remove the virus from memory before using his software, or at the very least, operate from a write-protected diskette. (Although, as you will see with LOKJAW-DREI, the latter step is also potentially dodgy business.)

In the wild, the entertaining virus "chomp" would be removed, as it is a dead giveaway that the virus is present and in control of the machine. (For that matter, so is sudden file deletion. But the effect would remain puzzling to uninformed users.)

Taking this idea one step further, LOKJAW-DREI is a modification which removes file deletion and replaces it with a fake disk-trashing routine which the virus uses to strike the hard file when an anti-virus program is called to find it. Although LOKJAW-DREI only makes the drive temporarily inaccessible, it doesn't take a great leap of imagination to see its potential. Mark Ludwig talked about this at length in an article on "retaliating viruses" published in American Eagle's "Computer Virus Developments Quarterly #1". In that issue he supplied the code for such an animal, the direct action Retaliator virus, an Intruder variant.
The point that he made, and a valid one, is that the existence of such a virus on a machine makes it absolutely necessary that the user know what he's doing when he goes out looking for it.

The LOCKJAW viruses, however, are easy to "play" with. They will become resident below the 640k boundary and infect .COMs or .EXE's, depending upon the variant, upon execution. They will also show a noticeable 4k drop in memory available to programs. By running Scan, F-Prot, Integrity Master or Central Point Anti-Virus when LOCKJAW is present, the "retaliating" effect is shown. Of course, this software is deleted, so don't use your only copy unless you want it erased. (Not a bad strategy for some software.) LOCKJAW can be removed from memory by simply rebooting from a clean, write-protected system disk.

[In a related note: The SANDRA and LOKJAW viruses come with Central Point Anti-virus as a default. Even though the software is continually drubbed in product reviews and word-of-mouth gossip, it is included in the coming MS-DOS 6.0. This ensures that it will be even more ubiquitous on home and business machines in 1993 - a fact of interest to virus and competing anti-virus developers alike.]

***************************************************************
***************************************************************
IN THE READING ROOM III: CRITIQUE OF DISCOVER PIECE ON THE
BULGARIAN VIRUS CONNECTION
***************************************************************

I'm sure a number of alert newsletter readers have, by now, browsed through the February issue of Discover magazine and seen the excerpt from another book on "hackers" called "Approaching Zero," to be published by Random House. The digested portion is from a chapter dealing with what authors Bryan Clough and Paul Mungo call "the Bulgarian virus connection."
While it was interesting - outwardly a brightly written article - to someone a little more familiar with the subject matter than the average Discover reader, it was another flawed attempt at getting the story right for a glossy magazine-type readership. First, we were surprised that reporters Mungo and Clough fell short of an interview with virus author the Dark Avenger. Since they spent so much time referring to him and publishing a few snippets of his mail, it was warranted, even if he is a very tough contact. In addition, they continually exaggerate points for the sake of sensationalism.

As for their claim that the Dark Avenger's "Mutating Engine" may be the "most dangerous virus ever produced," there's no evidence to support it. First, they continue the hallowed media tradition of calling the Mutation Engine a virus. It's not. The Mutation Engine is a device which we've gone over in these pages again and again. The Crypt reader knows it doesn't automatically make the virus horribly destructive; that's a feature virus-writers put into viruses separate from the Engine. And although the first Mutation Engine viruses introduced into the U.S. could not be detected by scanners included in commercial anti-virus software, most of these packages included tools to monitor data passively on any machine. These tools COULD detect Mutation Engine viruses, a fact that can still be demonstrated with copies of the software. And one that almost everyone covering the Mutation Engine angle glosses over, if they bother to mention it at all. In any case, Mutation Engine code is well understood and viruses equipped with it are now no more hidden than viruses which don't include it.

Of greater interest, and an issue Mungo and Clough don't get to, is the inspiration the Dark Avenger Mutation Engine supplied to virus programmers. By the summer of 1992, disassembled versions of the Mutation Engine were everywhere, for all intents.
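The "tools to monitor data passively" mentioned above are integrity checkers: they keep a record of every file's size and checksum and flag whatever changes, which is why a polymorphic infection that no scanner recognized still showed up as a modified file. The flip side is the SANDRA file list earlier in this issue, where the virus simply deletes or truncates the checker's record (CHKLIST.CPS, VIRSCAN.DAT and friends) so there is nothing to compare against. The following is an added example written for this reprint, not code from the Crypt Newsletter or from any of the products named; it assumes the checker keeps a secret key off the monitored machine (say, on the write-protected diskette the LOCKJAW discussion recommends) so that a rewritten, truncated or missing record is itself reported as an event instead of silently producing a clean result. The demo files and the key are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os
import tempfile


def file_sha256(path, chunk_size=65536):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Record size and SHA-256 of every regular file under root, keyed by relative path."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                entries[rel] = {"size": os.path.getsize(full), "sha256": file_sha256(full)}
    return entries


def _canonical(entries):
    # Stable byte form of the records so the MAC is reproducible after a JSON round trip.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_baseline(root, key):
    """Baseline = file records plus an HMAC over them; the key (assumed) lives off the machine."""
    entries = snapshot(root)
    mac = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"files": entries, "mac": mac}


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, sort_keys=True)


def load_baseline(path, key):
    """Return (baseline, status); status is 'ok', 'missing', 'corrupt' or 'tampered'.
    A baseline that is gone, truncated or rewritten is an event in its own right."""
    if not os.path.exists(path):
        return None, "missing"
    try:
        with open(path) as f:
            data = json.load(f)
        entries, mac = data["files"], data["mac"]
    except (ValueError, KeyError, TypeError):
        return None, "corrupt"
    expected = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None, "tampered"
    return data, "ok"


def verify(root, baseline):
    """Compare the live tree with the baseline: added, removed and modified paths."""
    current, old = snapshot(root), baseline["files"]
    return {
        "added": sorted(set(current) - set(old)),
        "removed": sorted(set(old) - set(current)),
        "modified": sorted(p for p in set(old) & set(current) if current[p] != old[p]),
    }


def check(root, baseline_path, key):
    """Report the baseline's own status first; only a usable baseline yields a diff."""
    baseline, status = load_baseline(baseline_path, key)
    if status != "ok":
        return {"baseline": status, "diff": None}
    return {"baseline": "ok", "diff": verify(root, baseline)}


def demo():
    """Constructed scenario: two files, then edits, then the baseline itself is rewritten,
    truncated and finally deleted, as the viruses in this issue do to CHKLIST.CPS and kin."""
    key = b"constructed-demo-key"  # assumption: stored off the monitored machine
    root = tempfile.mkdtemp()
    base = os.path.join(tempfile.mkdtemp(), "baseline.json")
    for name, data in (("a.txt", b"hello"), ("b.txt", b"world")):
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    save_baseline(build_baseline(root, key), base)
    clean = check(root, base, key)
    with open(os.path.join(root, "a.txt"), "wb") as f:
        f.write(b"HELLO")
    os.remove(os.path.join(root, "b.txt"))
    with open(os.path.join(root, "c.txt"), "wb") as f:
        f.write(b"new")
    changed = check(root, base, key)
    # A record rewritten without the key no longer matches its MAC.
    with open(base) as f:
        data = json.load(f)
    data["files"]["a.txt"]["sha256"] = file_sha256(os.path.join(root, "a.txt"))
    save_baseline(data, base)
    rewritten = check(root, base, key)["baseline"]
    with open(base, "r+") as f:
        f.truncate(10)
    truncated = check(root, base, key)["baseline"]
    os.remove(base)
    missing = check(root, base, key)["baseline"]
    return {"clean": clean, "changed": changed, "rewritten": rewritten,
            "truncated": truncated, "missing": missing}
```

Run `demo()` to see all five outcomes. The design point is the ordering in `check`: the status of the record is reported before any file comparison, because a checker that answers "no changes" when its own database has been deleted is worse than no checker at all.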
It seemed only a matter of time before similar code kernels with more sophisticated properties popped up, and this has been the case. Coffeeshop, a virus mentioned in the original Discover piece, is just such an animal, although the authors don't get into it. Coffeeshop utilizes a slightly more sophisticated variable encryptor - called the Trident Polymorphic Engine - which adds a few features not present in the Dark Avenger model as well as decreasing its size. It, too, has been distributed in this country as a device which can be utilized by virus authors interested in shotgunning it into their own creations. It is of Dutch origin, produced by a group of programmers known as "TridenT." TridenT, a group with a taste for whimsy, freely acknowledges the inspiration of the Mutation Engine. Curiously, Coffeeshop is Dutch slang for a place to pick up some marijuana. Very interesting, is it not? However, the Trident Polymorphic Engine is no more inherently dangerous than the Mutation Engine. Viruses utilizing it can be detected by the same tools used to detect Mutation Engine viruses before those could be scanned.

The reporters also claim that disassembling a virus to find out what it does is a "difficult and time-consuming process" capable of being carried out "only by specialists." This is another myth which feeds the perception that viruses are incredibly complicated and that one can only be protected from them by the right combination of super-savvy experts. It has little basis in reality, which is why we spent some time shooting it in the rear end in an earlier portion of this issue. And that's what's the most irritating about Mungo and Clough's research. In search of the cool story, they further the dated idea that virus-programming is some kind of arcane art, practiced by "manic computer freaks" living in a few foreign countries where politics and the economy are oppressive.
While it's true that a few viruses are clever, sophisticated examples of programming, the reality is that almost anyone (from 15-year-olds to middle-aged men) with a minimal understanding of assembly language can (and does) write them from scratch or cobble new ones together from pieces of found code or toolkits. Since everyone's computers DON'T seem to be crashing from viral infection right and left (remember Michelangelo?), Mungo and Clough, in our opinion, really stretch the danger of the "Bulgarian virus factory." This is such an old story it has almost become shtick, a routine which researcher Vesselin Bontchev (apparently Clough and Mungo's primary source) has parlayed into an intriguing career. A great number of the 200 or so Bulgarian viruses the reporters mention in fear-laden terms ARE already here, too - stocked on a score of BBS's run by programmers and computer enthusiasts.

Mungo and Clough write of "the scope of the problem . . . not [becoming] apparent for several years." That's an easy, leading call to make because no one will remember or hold them to it in 2000. The Crypt newsletter suggests "We don't know." Now that would have been more honest. But we doubt if it would have sold as well.

[To add insult to injury, the authors warn of the ominous LoveChild virus, counting toward zero, waiting to ambush your hard file. It's worth noting that Skulason's F-Prot casually dismisses LoveChild as a buggy virus which only operates on machines running DOS 3.3. Solomon's Toolkit modestly judges it as capable of "moderate" damage.]

=-=In true domino effect, PRODIGY - the "interactive home computer service" for numerous, mixed-up, Bush-voting, Democrat yuppies - recycled segments of the Discover article on January 30 in its "Headline News" section. The un-bylined story loudly proclaimed "the Mutating Engine . . . the most dangerous virus ever" and reiterated ominous news of LoveChild, a program which won't function on many systems.
LoveChild, alert Crypt newsletter readers may be interested to know, "will erase all of a computer's memory," according to PRODIGY Headline News.=-=

****************************************************************
IN THE READING ROOM IV: WRITER AND EX-JOCKEY DICK FRANCIS REPORTS
ON COMPUTER VIRUSES IN "DRIVING FORCE," HIS LATEST NOVEL OF
MYSTERY AND INTRIGUE
****************************************************************

It turns out that one of the Crypt Newsletter staffers is a fiend for Dick Francis. In case you don't know, Francis is an entire publishing company unto himself. He cranks out enough material in a year to give Stephen King a run for his money. However, he's never been pegged as a "computer" writer. So it came as a surprise when a staffer shrieked in glee, ran over to where I was lurking by the water-cooler and thrust Francis's manuscript into my face. "Look, look, Michelangelo!!" she gibbered. And there it was, a fictional account of someone's office getting cold-cocked by the virus. But enough of this, here's a teaser:

-=[ The computer man, perhaps twenty, with long light brown hair through which he ran his fingers in artistic affectation every few seconds, had given up trying to resuscitate our hardware by the time I got back to the office. "What virus?" I asked, coming to a halt by Isobel's desk and feeling overly beleaguered. We had flu, we had aliens, we had bodies, we had vandals, we had concussion. A virus in the computer could take the camel to its knees. "All our records," Isobel mourned. "And our accounts," chimed Rose. "It's prudent to make backups," the computer man told them mock-sorrowfully, his young face more honestly full of scorn. "Always make backups, ladies." "Which virus?" I asked again. He shrugged, including me in his stupidity rating. "Maybe Michelangelo . . . Michelangelo activates on March 6 and there's still a lot about." "Enlarge," I said. "Surely you know?" "If I knew, I've forgotten."
He spelled it out as to an illiterate. "March 6 is Michelangelo's birthday. If you have the virus lying doggo in your computer and you switch on your computer on March 6, the virus activates." "Michelangelo is a boot-section virus," the expert said, and to our blank-looking expressions long-sufferingly explained. "Just switching the machine on does the trick. Simply switching it on, waiting a minute or two and switching off. Switching on is called booting up. All the records on your hard disk are wiped out at once with Michelangelo and you get the message 'Fatal disk error.' That's what happened to your machine. The records are gone. There's no putting them back." "What exactly is a virus?" Rose inquired miserably. "It's a program that tells the computer to jumble up or wipe out everything stored in it." He warmed to his subject. "There are at least three thousand viruses floating around. There's Jerusalem II that activates every Friday the 13th, that's a specially nasty one. It's caused a lot of trouble, has that one." "But what's the point?" I asked. "Vandalism," he said cheerfully. "Destruction and wrecking for its own sake." He ran his fingers through his hair. "For instance, I could design a sweet little virus that would make all your accounts come out wrong. Nothing spectacular like Michelangelo, not a complete loss of everything, just enough to drive you mad. Just enough to make errors so that you'd be forever checking and adding and nothing would ever come out right." He loved the idea, one could see. "How do you stop it?" I asked. "There are all sorts of expensive programs nowadays for detecting and neutralizing viruses. And a whole lot of people thinking up ways to invent viruses that can't be got rid of. It's a whole industry. Lovely, I mean, rotten." Viruses, I reflected, meant income, to him. ]=- How's that? Not bad, for a mystery writer! 
Why, Francis seems more knowledgeable about the subject than the writers of glossy-cover "suit" computer publications! But we're not gonna tell you how it ends, you'll just have to dig up "Driving Force" (Putnam) for yourself.

*****************************************************************
IN THE READING ROOM V: NEW YORK TIMES AND THE PHRAKR TRAKR -
BBS's: THE ROOT OFFAL EVIL (OUCH, PUNNY!)
******************************************************************

In a January 25 'A' section article, a N.Y. Times reporter profiles the "Phrakr Trakr," a federal undercover man keeping our electronic streets safe from cybernetic hoodlums too numerous to mention singly. Reporter Ralph Blumenthal immediately reveals himself as yet another investigator from the mainstream who has never gotten anything from underground BBS's first-hand, focusing on the Phrakr Trakr's tales of nameless computer criminals trafficking in "stolen information, poison recipes and bomb-making instructions." We're not going to dwell on the issue of phone-related phraud and the misappropriation of credit card accounts (which has been well-established), but Blumenthal's continued attention to text files for "turning household chemicals into deadly poisons, [or] how to build an 'Assassin Box' to supposedly send a lethal surge through a telephone line" is sickening. It furthers the generalization that all reporters are fetal-alcohol damaged rubes with little educational background beyond elementary school. Anyone who's seen or stock-piled text files on a BBS knows they're either menacingly written trivial crap or bowdlerized reprints from engineering, biology and chemistry books. In either case, hardly noteworthy unless you're one who can't tell the difference between comic books and real news. The Times delivers a back-to-the-camera photo of the Phrakr Trakr, an overweight man with a handcuff dangling from his suspenders.
He "patrols THOUSANDS [emphasis ours] of computer bulletin boards" states the photo's slug-line, an absurd claim which neatly overlooks the fact that there's not enough time in a year to physically accomplish the deed. The Phrakr Trakr has his own newsletter, F.B.I., for "Find um [sic], Bust um [sic], Incarcerate um [sic]." "Got any codez?" indeed.

*****************************************************************
FICTUAL FACT/FACTUAL FICTION
*****************************************************************

HOUSE AD: CRYPT INFOSYSTEMS BBS is now running full-time. Pick up the newest useless files and Crypt Newsletters direct. Bask in the scintillating conversation and avuncular charm of sysop and editor, URNST KOUCH. Meet the very funny PALLBEARER. And acquaint yourself with all their fine friends. The number? 215.868.1823.

-----------------------------------------------------------------

GRAY AREAS magazine is looking to interview virus authors for a continuing series of articles. The Crypt Newsletter editorial staff recently had an opportunity to meet with the editor of GRAY AREAS, Netta Gilboa, and came away with the conviction that the magazine is dedicated to exposing all points of view on many subjects. In other words, you don't need a highly paid mouthpiece, a movie contract or the Congressional Medal of Honor to be of interest to its editors. A recent issue featured an excellent interview with John Perry Barlow among other sections too numerous to cover adequately here. Contact GRAY AREAS at any of the following:

grayarea@well.sf.ca.us
ph: 215.353.8238
mail: POB 808 Broomall, PA 19008-0808

--------------------------------------------------------------------

Phalcon/SKISM programmer Dark Angel has produced the G2, or Second Generation viral code generator. Capable of producing resident .COM/.EXE infecting viruses with limited polymorphism, Dark Angel's documentation states the G2 supersedes the PS-MPC.
The Phalcon/SKISM programmer plans to update the G2 code base as time allows; he maintains in the instructions to the program that G2 has much more flexibility than the PS-MPC, capable of multiple arrangements of commented code and data segments. Although the G2 is separate from the PS-MPC, it appears that those users familiar with the PS-MPC will have no trouble adapting to the G2.

---------------------------------------------------------------------

PRODIGY, the "interactive home computer service" for numerous mixed-up, Bush-voting, Democrat yuppies, has cut its work force by 25, putting approximately 250 people onto the street.

----------------------------------------------------------------------

IBM - panicked by the tolling bell of impending corporate doom - has moved to can CEO John Akers, presumably because the company is non-competitive under his leadership. Akers will remain to head the team selected to draft his replacement. Does this make sense to you or are WE nuts? Draft the guy you're firing to find his own replacement. Yes, this is a GOOD PLAN. Sell your IBM stock while you still can. That's the Crypt Newsletter's advice.

____________________________________________________________________

END CREDITS: Thanks and a tip o' the hat to NIKADEMUS, CAPTAIN AEROSMITH and the usual crew of alert readers.

--------------------------------------------------------------------

The Crypt Newsletter includes virus source code in each issue. If assembled, it will produce working copies of the viruses described. In the hands of incompetents, irresponsibles and even the experienced, these programs can mess up the software resources of any IBM-compatible PC - most times, irretrievably. Public knowledge that you possess such samples can make you unpopular - even shunned - in certain circles of your computer neighborhood, too.
To assemble the software included in this issue of the newsletter, copy the MS-DOS program DEBUG.EXE to your current directory, unzip the newsletter archive into the same directory and type MAKE at the DOS prompt. This issue of the newsletter should contain the following files:

CRPTLT.R12  - this document
MAKE.BAT    - instant "maker" for this issue's software. Ensure that the MS-DOS program DEBUG.EXE is in the machine path or current directory, before typing "MAKE".
LOCKJAW.ASM - assembly listing for the LOCKJAW virus
LOKJAWZ.ASM -    "        "     "   "  LOKJAW-ZWEI
LOKJAWD.ASM -    "        "     "   "  LOKJAW-DREI
LOCKJAW.SCR - scriptfile for LOCKJAW
LOKJAWZ.SCR -    "       "   LOKJAW-ZWEI
LOKJAWD.SCR -    "       "   LOKJAW-DREI
SANDRA.SCR  -    "       "   SANDRA virus

You can pick up the Crypt Newsletter at these fine BBS's, along with many other nifty, unique things.

CRYPT INFOSYSTEMS                   1-215-868-1823  Comment: Crypt Corporate East
DARK COFFIN                         1-215-966-3576  Comment: Crypt Corporate West
THE HELL PIT                        1-708-459-7267
DRAGON'S DEN                        1-215-882-1415
RIPCO ][                            1-312-528-5020
AIS                                 1-304-420-6083
CYBERNETIC VIOLENCE                 1-514-425-4540
THE VIRUS/BLACK AXIS                1-804-599-4152
NUCLEAR WINTER                      1-215-882-9122
UNPHAMILIAR TERRITORY               1-602-PRI-VATE
THE OTHER SIDE                      1-512-618-0154
MICRO INFORMATION SYSTEMS SERVICES  1-805-251-0564
REALM OF THE SHADOW                 1-210-783-6526
STAIRWAY TO HEAVEN                  1-913-235-8936
THE BIT BANK                        1-215-966-3812
CYGNUS-X                            1-215-791-2457

The Crypt Newsletter staff welcomes your comments, anecdotes, thoughtful articles and hate mail. You can contact Urnst Kouch at Crypt BBS, CSERVE#:70743,1711 or Internet: 70743.1711@compuserve.com

For those who treasure hardcopy, Crypt Newsletter is available as a FAX subscription: $20 for a ten issue run. It can also be had as one of those Mickey Mouse-looking papyrus newsletters produced by WordPerfect C.A.N.T.'s [Corporate Animal, No Talent] for the same price. All inquiries should be directed to the Crypt Newsletter e-mail addresses.

-*-