**************************************
The CRYPT newsletter: semi-serious ish number 2, or another in an intermittent series.
--URNST KOUCH. M.CS, D.d. (Master: Cork-Screwin', Dirty-Dealin', etc.)*
***************************************

*[I got this from George C. Scott in "The Flim-Flam Man." You should rent this excellent movie; perhaps even use 'The Flim-Flam Man' as your 'handle'!]

NEWS! NEWS! NEWS! NEWS!

Hot from the gossip-mongers on the FidoNet virus echo: Tim Caton (The Pallbearer) and a member of Phalcon/SKISM were recently given three month furloughs by moderator Frans "Dutch" SomethingorotherAndersssomething for yakking about virus exchanges, etc., blah-blah-blah. In "Dutch's" own words: they were "excommunicated." "Excommunication" translates loosely as "you can still post, but no one is allowed to reply to you or they will be excommunicated, too." No word from "Dutch" on the inherent 'unworkability' of this arrangement, although Caton continues to post and receive responses. Apparently, even "Dutch" doesn't believe his own spout. As for Caton: "This is just a hobby for me, you hear, a hobby!! I could be baskin' in the sun in Florida!" he bellowed.

The "Dutch" policy also does not explain why FidoNet fave Gary ("I've been programming in assembly for 14 years!") Watson is given such a long leash to discuss transfer of viral material when newer members are continually slapped around for discussing the same general topics. Speaking of that rogue, Watson, wasn't it he who spent a recent afternoon running SCAN over about 650,000 (?!??!) MtE loaded viral samples? Now, izzit me, or does this strike you as nuts? There is such a thing as being thorough, and then there is: CLEARLY INSANE. Working on your Ph.D. thesis, Gary? I'm glad I'm not on your committee - pass the No-Doze, Quimby, Watson's giving his research report on the MtE thisafter...
SPOTTED ON THE CSERVE VIRUS FORUM:

'Outlaw Joz' and 'Bocephus' viruses have been seen plaguing hapless corporate stiffs. Our salute to whoever is responsible for naming 'Outlaw Joz'! Obviously, they know how to come up with a classy moniker. Also seen (hey, this is like being one of those Audubon society 'birder' weenies): GEEK virus, a mini-epidemic of 4096 and NPOX.

And a special slap upside the head to Virus Bulletin 'journalist' Mark Hamilton. Hamilton recently sent derogatory private e-mail blind-siding fellow VIRUSFORUM member Eric Essman as "a sleaze." Amazingly, Hamilton sent it to Essman, too (by mistake, apparently). Essman promptly turned it into a 'public' multi-mail. Oops! Pay more attention to those account addresses, Mark! That's an e-mail faux-pas!

THE GENVIR 1.0: THREAT OR MENACE??

Have you seen this program: the GENVIR 1.0 French virus generator? Outwardly, it's quite an elaborate menu-driven viral design suite for "researchers." But when you get to the punchline - the time for it to cough up a virus to your specs - up comes a 'crippleware' nag screen. Better part with the francs first and register, it sez, or no viruses for you! Well, c-a-l-l-l-l-l-l Dr. FileFinder!

In any case, the GENVIR 1.0 remains interesting for a number of reasons. First, its copyright date of 1990 makes it an early attempt, if legit, to derive cash from viral code. This predates Mark Ludwig's "Little Black Book" and viral companion disk by at least two years. Second, it shows that someone thought that a viral programming tool had commercial potential, never mind the possible legal ramifications. Third, since it's 'crippled' shareware, the possibility exists that GENVIR 1.0 is the software equivalent of the Piltdown Man - an elaborate hoax designed to entice saps into sending their hard-earned cash money to an anonymous POB. Haha!!
Whatever the truth, the GENVIR 1.0 is surrounded in controversy, generated, perhaps, by the rage of virus fanatics who spend the precious filepoints to download it. Is there a GENVIR virus (like MANTA) floating around? You tell me if you've got the 'registered' version!!*

[*Note: if you obtain GENVIR 1.0, better have your pocket French-English dictionary ready. It's 100% frog, but still easily doped out if you've got the patience.]

CASH FOR CODE: AN IDEA WHOSE TIME HAS COME?

Have you been charging for downloading rights on your exchange? Well, if not, perhaps you should. From what I can tell here in lower Slobville, Pennsylvania, viruses and their source codes are in high demand. And a lot of people who want them have trouble getting at them, either because they don't have a unique virus to upload or don't wish to be bothered with programming one. Now, there's nothing wrong with this attitude. After all, should you have to hand machine your own Mossburg AlleySweeper before you stroll into a firearms store to purchase one? Of course not. If that were so, the locals would be rioting in the streets from here to the Florida Keys over infringement of their constitutional rights.

This potential customer base cannot look to the anti-virus community for help. Remember, John McAfee has said something to the effect that passing on the code of Michelangelo would be akin to giving some street urchin a vial of human pathogens. So, the field is wide open for the virus exchanges. Rather than ask for 'donations', why not simply package viral samples in bulk lot and charge what the market will bear, depending upon strain demand or prevalence? Viral samples could also be packaged with descriptive docs to enhance their value and given a guarantee test for 'live' quality before being put online. Think of it.
In the long run, who do you think will attract more users: the virus exchange with hundreds of cryptic archives totally loaded with misnamed strains, dummy files, incomplete fragments of code or 100k infected games, or the exchange that distributes well documented, completely characterized, naked viral samples?

[This, of course, entails some work. The archivist will have to go through his files and transfer virus-infected utilities/games/etc. to a testing area where the virus can be 'trapped' in a small generic .COM stub before return to the archive. Documents will have to be prepared and formatted, too. This serves a double purpose, screening out 'dead' files.]

Anyway, I think you know the answer. Think of the virus archive as a specialty 'chemical' firm providing lab quality goods for interested hobbyists, researchers and the occasional mis-guided . . . um, terrorist. American gadget freaks, particularly computer hobbyists, are inveterate packrats and collectors. In my opinion, those interested WILL pay for quality samples, easily obtained from straightforward BBS's not saddled with idiotic posting ratios, overly chatty menus or disdainful, mocking 'help' prompts. Do yourself a favor. Start making some money off your long distance collection.

SCAN 95B AND VCL CODE: A VERY BRIEF RESEARCH REPORT ALMOST TOTALLY DEVOID OF EXACTING DETAIL

The news is out. SCAN 95B detects VCL code as the [Con] virus. How long will it take you to retool your custom-designed virus so that it can be ready to head back out into the wild? The answer: not very long. I recently spent 15 minutes breaking SCAN's 'death-grip' on some VCL variants. Simply, the basic technique involves making minor changes to, um, well ... heh-heh, some secrets have to remain 'proprietary' because there are flies on the walls of even the most remote BBS. However, included with this issue of the Cryptletter IS a hex dump of the MIMIC1 virus, a VCL 1.0 product that DOES NOT scan under 95B.
So, you can reverse engineer it if you like, but lemme tell ya confidentially, you can probably figure it out yourself in less time than I did. The REAL point of this abstract again demonstrates the inevitable passing of the brute-force scanner. With the advent of Nowhere Man's VCL (and the easy availability of many viral source codes), it remains possible to flood any region with a variety of easily patched viral samples. Only software which performs functions analogous to something like INTEGRITY MASTER is not obsolete. However, will the average American realize this? Probably not for another five years.

ONE FINAL BURNING QUESTION!!

Why does Mark Hamilton's Virus Bulletin cost so much? When viral sources are commonplace, when there are 'free' magazines of technical advice like 40Hex, why is there a market for Virus Bulletin? The answer: some haven't caught on. Give someone you know in the corporate security business some source codes, the VCL or PS-MPC, a copy of 40Hex, Nuke Info Journal, or, hey, even the Cryptletter. Once they know where to find 'em, perhaps they'll weigh the cost effectiveness and eventually put Hamilton out of a job. Information is not property/goods in the sense that most Westerners envision it!! Don't pay throat-cutting prices for things you have a right to be able to research for free! Journals like Virus Bulletin belong in engineering libraries, subscriptions bought and paid for by department funds, available to all, just like any other scientific journal.

CRYPTLETTER APPENDICES: AH, THE GOOD STUFF!

This issue of Crypt contains two hexdumps of live viruses: MIMIC.DMP and MIMIC2.DMP. Go to the C prompt and type C:\> debug
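The SCAN 95B piece above makes a defensive point that is worth seeing in code: a signature scanner is defeated by a one-byte patch to the sample, while an integrity checker in the style of INTEGRITY MASTER notices any change at all, because it compares each file against a recorded digest rather than looking for a fixed byte string. The following is an added illustration, not code from the newsletter or from any of the products it names. It builds a baseline of SHA-256 digests over a directory of constructed sample files, then reports what changed after one file is patched and another is dropped in. File names and contents are constructed for the demo; the functions hash_file, build_baseline, compare_to_baseline and demo are the example's own.

```python
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, read in fixed-size chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every file under root (path relative to root) to its digest and size.

    This is the 'known good' snapshot an integrity checker stores once and
    keeps somewhere the checked files cannot overwrite it.
    """
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            baseline[rel] = {"sha256": hash_file(full), "size": os.path.getsize(full)}
    return baseline


def compare_to_baseline(root, baseline):
    """Re-scan root and report files that were modified, added or removed.

    Any change in content alters the digest, so a sample that was patched to
    slip past a fixed signature still shows up as 'modified' here.
    """
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Constructed scenario: baseline two sample files, then patch one byte in
    one of them and create a third file, as a trivially edited variant would
    look on disk. Returns the comparison result."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample contents: arbitrary bytes standing in for programs.
        sample = b"constructed sample program body " * 4
        with open(os.path.join(root, "A.COM"), "wb") as f:
            f.write(sample)
        with open(os.path.join(root, "B.COM"), "wb") as f:
            f.write(sample)
        baseline = build_baseline(root)

        # A single changed byte: the size is unchanged, the digest is not.
        with open(os.path.join(root, "A.COM"), "r+b") as f:
            f.seek(10)
            f.write(b"X")
        # A new file appearing where none was recorded.
        with open(os.path.join(root, "C.COM"), "wb") as f:
            f.write(b"constructed new file")

        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline has to live somewhere the checked files cannot rewrite it (read-only media, another machine, or at least a different directory), otherwise whatever alters the files can alter the record too; that storage question, not the hashing, is where integrity checkers usually succeed or fail.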