Computer Viruses - A Protagonist's Point Of View

-----===] CORRUPTED PROGRAMMING INTERNATIONAL [===-----
== CPI Newsletter #1 ==
[ Article Written By Doctor Dissector ]
Released : June 30, 1989
Call The CPI Headquarters 619-566-7093 1200/2400 Baud :: Open 24 Hours

[1.1] Introduction:
-------------------

Welcome to "Computer Viruses - A Protagonist's Point Of View." This letter is perhaps the beginning of a small newsletter. Well, this "letter" is written by one person right now; maybe I'll get some people to send in more info, ideas, and examples to CPI. If you would like to contribute, please upload text files to CPI Headquarters (see heading for number) and leave a note to me telling me you are contributing to our magazine.

Well, as an overview, this article will cover a few topics dealing with viruses; however, there will be no examples covered as we are short of programmers at the moment. That reminds me, if you would like to become a member of CPI, fill out the accompanying text file and upload it to CPI HQ as an upload to the Sysop, then leave me and the Sysop some mail to tell us you registered to become a member. We will get back to you as soon as possible.

The purpose of this magazine is to expand and broaden the general computer user's view and knowledge of the dreadful computer Virus, as well as a bit on Trojans (not the hardware, the SOFTWARE!). Then, after the knowledge of these computer crackers is better understood, the second purpose of this newsletter is to teach both methods of developing and executing a better virus/trojan. We, CPI, feel viruses and trojans are a vital part of the computer world, and should stand along the trades of hacking, phreaking, cracking, pirating, and pyro as an equal, not something to be looked down upon (unless you are hit by one...).
In the future, we hope CPI will grow and spread, just like a virus, and encompass a large domain of the crackers, hackers, and other elite out there so that the life of this group will be maintained, and that this newsletter, hopefully, won't be the only issue to be released during the group's existence. Also, please note that this newsletter is purely for the spread of new ideas and to educate the reader on this "new" software technology; the document and the author of the document do not encourage or support any illegal use of the information contained, and the reader is solely responsible for their actions after acquiring this document.

Doctor Dissector
CPI/ANE/TPH
Author/Editor
Phortune 500

--[ Table Of Contents ]----------------------------------------------------

Phile   Subject                                        Author
-----   ---------------------------------------------------------
1.1     Introduction & Table Of Contents.........Doctor Dissector
1.2     Viruses- What, Where, Why, How...........Doctor Dissector
1.3     Aspects Of Some Known Viruses............Doctor Dissector
1.4     Ideas For Future Viruses.................Doctor Dissector
1.5     Suggested Reading........................Doctor Dissector
1.6     Conclusion...............................Doctor Dissector
1.x     CPI Application..........................Doctor Dissector

Subject: CPI Issue 1 2/6
----------------------------------------------------------------------

[1.2] Viruses- What, Where, Why, How

If you are a beginner in this field, you may be curious as to what a virus/trojan is. Perhaps you heard about it through some BBS, or know someone who had their system crashed by one. Well, this is for you. In the Trojan War, way back when, there existed the Trojan Horse, right? Well, nowadays, there is a modern version of the Trojan Horse existing in software. The modern computer Trojan horse is really simple: a psychedelic hacker implants destructive code into a normal (or fake) file.
This modified/fake file, when executed, will destroy or remove something from the host computer, usually format the hard drive, delete all files, or something similar. In order to distribute the corrupt phile, the hacker goes and does one or more of various things, depending on how deranged this individual is (hehe). These things are covered in the following section.

A virus, in normal terms, is a malign organism which spreads from one host to another, transmitting itself through biological lines so that both the previous host and the future host become infected with the virus. Today, there are computer viruses, and just like biological viruses, they spread from file to file, host to host, infecting everything they "see." These computer viruses can either destroy the code they infect immediately, or, over a period of time, corrupt or damage the host system they thrive upon. For example, a virus hidden in a file on a BBS could be downloaded to a host system. Then, the user who downloaded it executes the file, which executes normally (as seen by the operator), but at the same time, the virus attacks other files and infects them, so that each file owned by the user becomes infected with the virus. Then, at a given time or when some condition is fulfilled by the host system, the virus becomes a trojan and destroys, encrypts, or damages everything available, infected or un-infected. In general, a virus is a timed trojan that duplicates itself to other files, which, in effect, sustains the virus's life-span in the computer world, as more host systems are infiltrated by the disease.

Now that I've given you a description of the computer virus and trojan, we can go on to more complex things... well, not really... Ok, now, let's trace the life of a virus. A virus/trojan is born in the mind of some hacker/programmer that decides to develop something out of the ordinary; not all viruses/trojans are destructive, often, some are amusing!
Anyway, the hacker programs the code in his/her favorite language; viruses can be developed with virtually any language: BASIC, Pascal, C, Assembly, Machine Code, Batch files, and many more. Then, when the disease is complete and tested, the hacker intentionally infects or implants the code into a host file, a file that would be executed by another unsuspecting user, somewhere out there. Then, the hacker does one or more of many things to distribute his baby. The hacker can upload the infected file to a local BBS (or many local/LD BBS's), give the infected file to a computer enemy, upload the infected file to his/her workplace (if desired...hehe), or execute the phile on the spot, on the host system. Then, the virus gets downloaded or executed, it infiltrates the host system, and either infects other files or trashes the system instantly. Eventually, the infected system's user gets smart and either trashes his system manually and starts fresh, or some mega-technical user attempts to recover and remove the virus from all of the infected files (a horrendous job). Then, the virus dies, or other host systems that were previously infected continue, and accidentally upload or hand out infected files, spreading the disease. Isn't that neat?

Now, to answer your questions: I already explained what a virus/trojan is and how they are developed/destroyed. Now, where do these suckers come from? Why, some hacker's computer room, of course! All viruses and trojans begin at some computer where some maniacal hacker programs the code and implants it somewhere. Then, you ask, why do they do this? Why hack? Why phreak? Why make stupid pyro piles of shit? Think about it... This is an ART! Just like the rest.
While Hacking delivers theft of services, Phreaking delivers theft of services, Cracking/Pirating delivers theft of software and copyright law breaks, and Pyro delivers unlawful arson/explosives, Viruses and Trojans vandalize (yes, legally it is vandalism and destruction of property) computer systems and files. Also, these are great to get back at arch-computer enemies (for you computer nerds out there), and just wreak havoc among your computer community. Yeah, PHUN at its best...

----------------------------------------------------------------------
Subject: CPI Issue 1 3/6
----------------------------------------------------------------------

[1.3] Aspects Of Some Known Viruses

Many viruses have been written before and probably after you read this article. A few names include the Israeli, Lehigh, Pakistani Brain, Alameda, dBase, and Screen. Keep in mind that most viruses ONLY infect COM and EXE files, and use the Operating System to spread their disease. Also, many viruses execute their own code before the host file begins execution, so after the virus completes passive execution (without "going off") the program will load and execute normally.

Israeli - This one is a TSR virus that, once executed, stays in memory and infects both COM and EXE files, affecting both HARD and FLOPPY disks. Once executed, the virus finds a place to stay in the system's memory and, upon each execution of a COM or EXE file, copies itself onto the host phile. This one is very clever: before infecting the file, it preserves the attributes and date/time stamp on the file, modifies the file's attributes (removes READ-only status so it can write on it), and then restores all previous values to the file. This virus takes very little space, and increases the host file size by approximately 1800 bytes. The trigger of this virus is the date Friday the 13th. This trigger will cause the virus to either trash the disk/s or delete the files as you execute them, depending on the version.
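As an added illustration (my own, not code from the newsletter or from any virus author), here is a Python checker that records the three file properties the Israeli description touches on: size, date/time stamp and contents. A virus that restores the stamp, as Israeli does, slips past a date check alone; a stored hash of the file contents reports it anyway, together with the size growth. The directory and file names in the demo are made up for the example.

```python
"""Integrity baseline for executables: size, timestamp and content hash.

Added illustration for this article, not the newsletter's own code. The
Israeli virus above grows a host by roughly 1800 bytes but puts the date/time
stamp back, while Lehigh leaves a fresh stamp on COMMAND.COM. A baseline that
records size, modification time and a hash of every COM/EXE file reports
either change, and says which of the three properties moved.
"""
import hashlib
import os
import tempfile


def snapshot(directory, extensions=(".com", ".exe")):
    """Record (size, mtime_ns, sha256) for every matching file under directory."""
    baseline = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            st = os.stat(path)
            rel = os.path.relpath(path, directory)
            baseline[rel] = (st.st_size, st.st_mtime_ns, digest)
    return baseline


def compare(baseline, current):
    """Return (relative path, reason) pairs for every change worth a look."""
    findings = []
    for rel, (size, mtime, digest) in current.items():
        if rel not in baseline:
            findings.append((rel, "new executable"))
            continue
        old_size, old_mtime, old_digest = baseline[rel]
        if digest == old_digest:
            continue  # same bytes; a touched timestamp alone is not infection
        delta = size - old_size
        if mtime == old_mtime:
            # Content changed but the stamp did not: the pattern the text
            # describes for the Israeli virus, invisible to a date check.
            reason = "content changed, timestamp preserved, size %+d bytes" % delta
        else:
            reason = "content changed, size %+d bytes" % delta
        findings.append((rel, reason))
    for rel in baseline:
        if rel not in current:
            findings.append((rel, "executable missing"))
    return findings


def demo():
    """Constructed scenario: one COM file grows by 1800 bytes, stamp restored."""
    with tempfile.TemporaryDirectory() as d:
        samples = (("HELLO.COM", b"H" * 80),
                   ("TOOL.EXE", b"MZ" + b"\x00" * 200),
                   ("NOTES.TXT", b"not an executable"))
        for name, body in samples:
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(body)
        before = snapshot(d)
        victim = os.path.join(d, "HELLO.COM")
        st = os.stat(victim)
        with open(victim, "ab") as fh:
            fh.write(b"\x00" * 1800)  # constructed growth, no code in it
        # put the stamp back, as the text says the Israeli virus does
        os.utime(victim, ns=(st.st_atime_ns, st.st_mtime_ns))
        after = snapshot(d)
        return compare(before, after)


if __name__ == "__main__":
    for rel, reason in demo():
        print(rel, "-", reason)
```

Run it once on a clean system to save the baseline, then again whenever something looks off; the baseline itself belongs on a write-protected floppy, since a resident virus can alter anything left writable.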
Whoever wrote this sure did a nice job....

Lehigh - This one infects the COMMAND.COM file, which is always run during bootup, so the system is ready for attack at EVERY bootup. It hides itself TSR-style, and when any disk access is made, the TSR checks the COMMAND.COM to see if it is infected. Then, if it isn't, it infects it and adds a point to its counter. When the counter reaches 4, the virus causes the disk to crash. This one, however, can be stopped by making your COMMAND.COM Read-Only, and the date/time stamp is not preserved, so if the date/time stamp is recent, one could be infected with this virus. This virus is transferred via infected floppy disks as well as via a clean disk used in an infected system. It cannot infect other hosts via modem, unless the COMMAND.COM is the file being transferred.

Pakistani Brain - This one infects the boot sector of a floppy disk. When booting off of the disk, the virus becomes a TSR program, and then marks an unused portion of the disk as "bad sectors." The bad sectors cannot be accessed by DOS. However, a disk directory of an infected disk will show the volume label to be @ BRAIN. A CHKDSK will find a few bad sectors. When you do a directory of a clean disk on an infected system, the disk will become infected. The virus has no trigger and immediately begins to mark sectors bad even though they are good. Eventually, you will have nothing left except a bunch of bad sectors and no disk space. The virus itself has ASCII written into it with the words "Welcome to the Dungeon" as well as the names of the supposed authors of the virus, an address, a telephone number, and a few other lame messages. To inoculate your system against this virus, just type 1234 at byte offset location 4 on the boot track (floppy disks).

Alameda - This virus also infects the boot sector of the host system. It is very small and inhabits ONE sector. This one only damages floppy disks.
If you boot from a diseased disk, the virus loads itself into HIGH memory, and during a warm boot it remains in memory and infects any other clean disks being booted from on the infected system. It then replaces the boot track with the virus track and puts the original boot track on the last track of the disk, so any data located on the last track is corrupted. All floppy disks inserted during reboot can catch this virus. This virus only infects IBM PC's and XT's; it does not infect 286's or 386's.

dBase - This one is a TSR virus that works in a manner similar to the Israeli virus. It looks for files with a DBF extension, then it replicates itself in all DBF files, preserving file size and all attributes. After the first 90 days, the virus destroys your file allocation table and corrupts all data in the DBF files. This virus creates a hidden file, BUG.DAT, that indicates the bytes transposed (in order to preserve file specifications). Run a CHKDSK to make sure you don't have any extra hidden files or a BUG.DAT in your dBase directory. If you create a BUG.DAT file manually in your directory, making it read-only, you will be safe from this virus.

Screen - This one is another TSR virus that comes on and off periodically. When it is on, it examines the screen memory and looks for any 4 digits starting at a random place on the screen. Then it transposes two of them; this is not a good thing. It infects every COM file in your directory; HARD and FLOPPY disks can be infected. You can use an ASCII searcher to check if you are infected by searching for "InFeCt" in your COM files. If you have this written, read the 4 bytes immediately preceding it and overwrite the first 4 bytes of the program with their value. Then, truncate the program at their stored address. You will rid yourself of this virus. Make sure you use a clean copy of your editor for this.

Other viruses include MAC, AMIGA, and many other environments.
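The two boot-sector viruses above, Brain and Alameda, both leave traces a defender can look for without any special tool. As an added illustration (my own, not from the newsletter), this Python code works on raw sector bytes built inside the script rather than on a real diskette, and checks three things the text mentions: the Brain inoculation marker (the characters 1234 at byte offset 4 of the boot sector), a boot sector that no longer matches the fingerprint saved from a clean disk, and a FAT12 allocation table with clusters marked bad, which is what CHKDSK reports once Brain starts hiding itself. The FAT12 packing rules are the standard ones; the sample table and the media descriptor value are constructed for the example.

```python
"""Floppy checks for the two boot-sector viruses above (Brain and Alameda).

Added illustration, not code from the newsletter. It works on raw sector bytes
built below rather than on a real diskette: the inoculation check and the
bad-cluster count come from the text, the fingerprint comparison is the usual
way to notice that a boot sector has been replaced.
"""
import hashlib

SECTOR = 512
BAD_CLUSTER = 0xFF7  # FAT12 value for a cluster marked unusable


def is_inoculated(boot_sector):
    """True when bytes 4..7 of a 512-byte boot sector hold the text 1234."""
    return len(boot_sector) == SECTOR and boot_sector[4:8] == b"1234"


def inoculate(boot_sector):
    """Return a copy with the text's marker written at offset 4."""
    sector = bytearray(boot_sector)
    sector[4:8] = b"1234"
    return bytes(sector)


def fingerprint(sector):
    """Hash to store from a clean disk; far smaller than keeping the sector."""
    return hashlib.sha256(sector).hexdigest()


def boot_sector_changed(saved_digest, current):
    """True when the sector read now differs from the one fingerprinted earlier."""
    return fingerprint(current) != saved_digest


def fat12_entry(fat, n):
    """Decode the 12-bit entry for cluster n from a packed FAT12 table."""
    off = (n * 3) // 2
    pair = fat[off] | (fat[off + 1] << 8)
    return (pair >> 4) if n & 1 else (pair & 0xFFF)


def set_fat12_entry(fat, n, value):
    """Write a 12-bit entry into a packed table (used to build the sample)."""
    off = (n * 3) // 2
    pair = fat[off] | (fat[off + 1] << 8)
    if n & 1:
        pair = (pair & 0x000F) | (value << 4)
    else:
        pair = (pair & 0xF000) | value
    fat[off] = pair & 0xFF
    fat[off + 1] = pair >> 8


def bad_clusters(fat, cluster_count):
    """Numbers of data clusters (2 and up) whose entry is the bad-cluster mark."""
    return [n for n in range(2, cluster_count) if fat12_entry(fat, n) == BAD_CLUSTER]


def sample_fat(cluster_count, bad):
    """Constructed FAT12: reserved entries 0 and 1, then free clusters except bad."""
    fat = bytearray((cluster_count * 3 + 1) // 2 + 1)
    set_fat12_entry(fat, 0, 0xFF0)  # media descriptor entry, value chosen for the sample
    set_fat12_entry(fat, 1, 0xFFF)  # end-of-chain mark
    for n in bad:
        set_fat12_entry(fat, n, BAD_CLUSTER)
    return fat


def demo():
    """Constructed clean boot sector, a replaced copy, and a FAT with bad clusters."""
    clean = bytearray(SECTOR)
    clean[510:512] = b"\x55\xaa"  # boot signature present on a bootable sector
    clean = bytes(clean)
    saved = fingerprint(clean)
    replaced = clean[:4] + b"XXXX" + clean[8:]  # stands in for a swapped sector
    fat = sample_fat(64, bad=[9, 10, 11, 40])
    return {
        "inoculated_before": is_inoculated(clean),
        "inoculated_after": is_inoculated(inoculate(clean)),
        "boot_replaced": boot_sector_changed(saved, replaced),
        "bad_clusters": bad_clusters(fat, 64),
    }
```

A sudden jump in the bad-cluster list on a disk that used to format clean is the signal to look at, not any single bad cluster: floppies do develop real defects.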
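The Screen entry above gives a recipe rather than a tool: search COM files for InFeCt, put the 4 bytes found just before the marker back at the start of the program, then truncate "at their stored address." As an added illustration (my own, not the newsletter's code), here is that recipe in Python. It assumes the file layout that makes the recipe work, namely that the appended part begins with the saved 4 bytes followed by the marker, so cutting the file where the saved bytes sit drops everything that was appended; that layout, the demo bytes and the file names are constructed for the example.

```python
"""Scanner and repair routine for the Screen virus marker described above.

Added illustration, not the newsletter's own code. The text gives three facts:
an infected COM file contains the string InFeCt, the 4 bytes just before the
marker are the program's original first 4 bytes, and after restoring them the
file is truncated "at their stored address". The layout assumed here is that
the appended part starts with those saved bytes and the marker follows them.
"""
import os
import tempfile

MARKER = b"InFeCt"


def find_marker(data):
    """Offset of the marker in data, or -1 if the file looks clean."""
    return data.find(MARKER)


def repair(data):
    """Return the cleaned program bytes, or None when the marker is absent."""
    pos = find_marker(data)
    if pos < 4:
        return None
    saved = data[pos - 4:pos]  # original first 4 bytes, parked before the marker
    cut = pos - 4              # assumed truncation point: where they are stored
    return saved + data[4:cut]


def scan_directory(directory):
    """Map each COM file under directory to its marker offset (-1 if clean)."""
    report = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if not name.lower().endswith(".com"):
                continue
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                report[os.path.relpath(path, directory)] = find_marker(fh.read())
    return report


def demo():
    """Constructed sample: a clean 'program' and a copy laid out as assumed above."""
    original = b"ORIG" + b"program body " * 8
    # First 4 bytes overwritten, original ones saved before the marker, filler after.
    infected = b"JMP!" + original[4:] + original[:4] + MARKER + b"X" * 300
    with tempfile.TemporaryDirectory() as d:
        for name, body in (("CLEAN.COM", original), ("SICK.COM", infected)):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(body)
        report = scan_directory(d)
    return report, repair(infected) == original
```

The text's advice about using a clean copy of your editor applies to the scanner too: run it from a write-protected boot disk, otherwise a resident virus gets a look at every COM file the scanner opens.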
By the way, other computer systems other than IBM/DOS may become part of CPI if you qualify. Anyway, these are a few viruses I have read on and thus passed the information to you; I hope you can learn from them and get some ideas for some of your own.

Subject: CPI Issue 1 4/6
----------------------------------------------------------------------

[1.4] Ideas For Future Viruses

Since I have covered viruses already in existence, let's talk about viruses that can or may exist in the near future. These are not even close to half the ideas possible for destruction with trojans/viruses, but will pose a challenge to you who are short of ideas.

CSR Virus - A CMOS Stay Resident VIRUS that will implant itself in the CMOS memory of the AT (286/386/486?) which will execute upon every bootup. This one would be VERY nice.

Failsafe Virus - Preserves ALL attributes, preserves file size, remains TSR but hidden to TSR location programs, modifies attributes to get around Read-Only files, infects ALL files (not only COM and EXE), encrypts all data on trigger (irreversible) but preserves original file size/attributes.

Format Virus - A virus which is TSR and, when a DOS format or any other FORMAT type of call is made, will FORMAT every other track, but will not allow DOS to notice.

Write Virus - A virus that intercepts writes to disk, deletes the disk write, and marks the sector as bad at the write point.

ASCII Virus - Virus that would scramble ASCII text in any file at trigger.

Low Level Format Virus - Virus that low level formats (BAD format) the HD in the background with data still intact. I have seen regular background LLF programs, and they keep data in place, but they do it correctly... hmmm...?

Hide Virus - A Virus that hides files slowly.

Crash Virus - Virus that emulates typical system crashes/freezes occasionally. Causes BIOS to freeze and write BIOS ERROR messages on screen.
Modem Virus - One that remains in the boot sector and TSR and monitors data from serial ports, putting in "artificial" line-noise. NICE!

These are just a few I thought up... these could be really good... Think of some more and call CPI HQ TODAY!

Subject: CPI Issue 1 5/6
----------------------------------------------------------------------

[1.5] Suggested Reading

The following list is a compiled listing of some material I have read as well as other sources in which you MIGHT find information concerning viruses and trojan horses. Happy trashing....

"Know Thy Viral Enemy" by Ross M. Greenberg
    BYTE Magazine, June 1989, pg 275-280

"Viruses: Assembly, Pascal, BASIC & Batch" by Tesla Coil ][
    Phreakers And Hackers Underground Network Newsletter (PHUN), Issue #3, Volume 2, Phile #2

"A Boot Sector Virus" by Southern Cross
    Phreakers And Hackers Underground Network Newsletter (PHUN), Issue #4, Volume 2, Phile #3

"Computer Viruses: A High Tech Disease" by Abacus
    2600 Magazine, Volume 5, Number 2

Subject: CPI Issue 1 6/6
----------------------------------------------------------------------

[1.6] Conclusion

Thus ends the first issue of CPI's "Computer Viruses: A Protagonist's Point Of View." We hope you enjoyed it and we hope it was informative and complete (at least about the specific issues). We, CPI, hope that you will share your information and comments with us at CPI Headquarters, as this newsletter will require both information and an expansion of our current member base. If you feel you have what it takes to gather, read, or program for CPI, send us an application today. Oh yeah, if this happens to be the only issue of CPI, oh well, and many thanx to those who read it at least once, and enjoyed it (or laughed at it). Until our (my?) next issue, have phun and don't get toooo wild......

=====[ CPI Headquarters * 619-566-7093 * 1200/2400bps * 24Hrs ]=====