Date: 02 Nov 1992 16:07:19 -0500 (EST)
From: Guido Sanchez
Subject: File 1--Response to the Virus Discussion

I've some qualms about this article. It seems that The Dark Adept is, while trying to clear up some common misconceptions, contributing to the ignorance of the computer community at large. Perhaps this was his goal in writing this article, I really don't know. As a writer of viruses and a pillar of spam in the virus writing community, I'd like to clear up some misconceptions on the points raised by The Dark Adept. Let's start off with his definition of viruses...

> What is a virus?
> ++++++++++++++++
> A virus is a tiny program that attaches itself to other programs. It does
> in fact operate as a biological virus does. It finds a victim program and
> infects it with a copy of itself. Then when the victim program is
> unsuspectingly run, the virus now inside it is activated. At this point,
> it can do one of two things: infect another program, or cause mischief.

This is innocent enough, but not altogether true. A virus doesn't always attach itself to another program. If they merely did that, they would be NoWhere near as virulent as the anti-viral community would like John Q. Netrunner to believe. The only efficient way that we are going to get our stuff to spread is to utilize the boot sector of a diskette to contain virulent code. Not file infectors, but actual disk infectors. Once this diskette goes into another computer, that system has a much higher risk than if a mere infected program were to be run.

Another array of misleading points being:

> How do people catch viruses?
> ++++++++++++++++++++++++++++
> Yikes! Here's where all the rumors are! You cannot get a virus from a modem,
> a printer, a CRT, etc. Viruses only come from other programs. So, whenever
                         ^^^^^^^^^^^^^^^^^^^
Wrong, as I said before.

> you add a program to your hard disk or run one off of a floppy, you stand
> a chance of catching a virus. Data files (files that are not programs, like
> text for your wordprocessor) cannot contain viruses. Only programs can
> contain viruses. On IBM PC's, programs usually end in ".exe" or ".com" and
> are the files that you run. The programs are the only ones that can contain
> viruses.

Also overlooking the .SYS, .OVL, and .APP files to name a few which can be infected by file infectors. The data files, true, cannot contribute to the spread of a virus, but they might be corrupted or overwritten with the virus signatures depending on the type of virus.

> The only way to activate the virus is to run the program. Say for example
> you got a new program called "game.exe". You put it on your hard drive,
> but you never run it (i.e., you never tried it). Even if game.exe has a virus
> in it, you WILL NOT catch it. The program has to be run at least once to make
> the virus active.

Wrong again, re the boot sector argument.

> Another thing is batch files. These are files on IBM PC's that end in ".bat".
> These DO NOT contain viruses. However, .bat files run other programs. So
> if the .bat file runs a program that has a virus, the virus WILL be activated.
> The cause is NOT the .bat file, but the program that was run BY the .bat
> file.

This is part fact, part ignorance. On Vx BBSs, there have been seen batch file viruses. That is, a batch file which, when run, would use the debug program and insert viral code into memory, subsequently executing it. In this case and others, the cause is both the .BAT file and the DEBUG.EXE program.

> What do viruses do?
> +++++++++++++++++++
> Well, a number of things. Some erase your disks. Others print silly
> messages to your screen. In any case, a virus is not written like other
> programs are. It uses things that other programs normally don't. If your
> computer is infected by a virus, whenever you turn on the machine that
> virus is in the memory, and even if all it does is print "I want a cookie,"
> it can still interfere with other programs since they don't expect it to
> be there.

Supposedly, there are some viruses and trojans which can cause physical damage to hardware. Example, the HEADKILL Trojan which supposedly ruins the head of the victim hard drive. Some viruses could overwrite the disk so as not to be recognizable as a DOS compatible disk at all. Taking advantage of a user's ignorance, the STIFFY virus uses the Media Descriptor Table to re-define A: to an 8 inch disk drive no matter what it previously was. It intercepts COMMAND.COM's error message and prints a phallic insult, and obviously the acceptable format could not be used, causing massive efforts towards retrieving the 'lost' drive. The TURKEY virus supposedly alters cathode ray dispersion to 'melt' the monitor. Point being that there ARE some annoying little buggers out there, not all of them mere data corruptors or spreaders.

> Tell me more about these things...
> ++++++++++++++++++++++++++++++++++
> Ok. Viruses can only be made for specific machines. By this I mean
> that a virus that infects IBM PC's will NOT be able to infect Macs.
> There may be a tiny tiny chance if your Mac is running something like
> an IBM Emulator that a virus may cause problems, but in general, if
> you have a non-IBM compatible computer, and you can't run IBM software,
> then you can't catch IBM viruses and vice-versa.

BIG misconception there, buddy. The SHIBOLETH virus, for example, executes MAC code to test for machine type. If there is no error, it runs the MAC section of the viral code. If so, it runs the IBM section of the code. It's rather clumsy, but it DOES withstand transferral to MAC from IBM and back.

> + It might miss some or give you false results, so don't rely on it
> completely.

You MIGHT say that. It takes maybe 4 seconds to render a virus unscannable by McAfee's or Norton. Simply putting in a small NoWhere loop or using an executable compression program and removing the header will usually get the virus through scanners. What about the boot sector infectors mentioned above? Usually on Vx BBSs a dropper program is given out that will 'drop' the virus into the boot sector of the designated drive. Yes, they're THAT user friendly :).

> +++Detectors+++
> +++++++++++++++
> What the detectors do is watch for virus activity. For example, some
> viruses try and erase your hard disk. What a detector does is sit in
> the background and watches for an illegal or abnormal attempt to do
> something to the hard disk. Then all sorts of alarms and bells go off
> ("Warning Will Robinson! Warning!") and the detector tries to stop
> the virus from doing it. Some will also ask you if you want to allow
> whatever action is taking place since you might actually be trying to
> format your hard disk.

This is PARTLY true. What these memory resident things do is keep an eye on specific DOS interrupts and notify the user if a certain interrupt function is being attempted. More often than not these are the interrupts 13h and 21h. Such memory resident alarms can be easily disabled by handling the error quietly or grabbing the interrupt before the memory resident alarm does.

> You must know that the detector only checks program files. It would be a
> real pain if every time you changed your term paper the detector went off.
> However, this is not a weakness since only program files can contain
> the viruses.

Again, partly true. Integrity Master v1.23 by Wolfgang Stiller keeps track of the CRCs of all files and stores them in files called ID.)( . Changing the values in these files or removing them altogether is a common virus technique.

> However, since I took a shot at McAfee, I must also state this: I have
> known people to use McAfee's software and be 100% satisfied with no
> complaints. They like McAfee's software and continue to use it. It
> works for them and meets their needs. I hate both McAfee and his software,
> and I refuse to use it ever, so you must decide for yourself.

Oh, leave John alone :). The least I can say is at least his product is free to the public. I myself prefer Fridrik Skulason's F-PROT program. Not only does it check for more than one virus signature, the heuristic scan is formidable to viruses. It checks for viral-like code, not signatures. It's just one step closer to having a scanner disassemble the program.

> "BBS's are the major cause of virus spreading"
> ++++++++++++++++++++++++++++++++++++++++++++++
> FALSE FALSE FALSE!! The major cause of virus spreading is LAN's and
> also copying from friends. BBS's merely store programs that you can copy
> and most people who run BBS's try and make sure none of them have viruses.
> A BBS is just copying from a friend over a modem. BBS's do not need to
> be shut down or restricted because of viruses. It is up to *you* to
> protect yourself from *any* program contamination no matter where
> you copy the program from (i.e., a friend or BBS).

Well, I do acknowledge that the threat BBSs pose to virulence is minimal, but only because 99% of the time only executable viruses are downloaded and inadvertently run. It's not often an unsuspecting user downloads a 900k TD0 file and gets infected :). Point being that virulence in executable files is minimal compared to that of boot sectors, hence the BBSs' ineffectiveness.

> Some of you may have heard of Virus Exchange BBS's. Let me explain what
> this is:
>
> (etc...)
>
> Now on these virus exchange BBS's, they 99% of the time just have virus
> SOURCE FILES not virus programs. The source files CANNOT cause infection.
> They must be fed to an assembler or a compiler first to become a program.
> Remember that for a virus to become active it must be run as a program.
> These BBS's do not distribute virus programs, but virus source files.

When is the last time you've been on a Vx BBS? I would say that 99% of them possess and strive for the executables, and couldn't care less about the sources. The reason being that Vx sysops usually just care about the power and prestige of having 100+ viruses. Rarely do they actually run the viruses to see if they are. Point being the WHORE! virus, a copy of COMMAND.COM renamed to show how inefficient Vx sysops are at checking the authenticity of their files. They're similar to pirate BBSs in a way, only caring about having the viruses and most of the time not using them. The average pirate BBS will have the latest releases and they'll be downloaded, etc, but maybe 5% of the people downloading will actually use the programs. Viruses are like this. They are usually just a commodity, and only the small 1% care about the source and validity of the files.

> For right now, let me just say that in a nutshell, Virus Exchange BBS's do
> NOT DIRECTLY cause infections. I think even the so-called "experts" would
> agree with that.

But of course! Where do you think they get THEIR viruses? :)

> "The first virus was written by..."
> +++++++++++++++++++++++++++++++++++
> No one knows. However, if you were to ask me, I will say the first
> virus was written by the first person who made copy-protection. Why?

Or cares, really. I'm sure there are those out there that know of the COREWARS story, so I'll spare relating it here.

> "They endanger National Security and the military!"
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Hahahahahahaha! All I have to say is that most viruses (like 99.9%)
> attack only personal computers, and any military or government that depends
> on personal computers for national security and weaponry has more problems
> than viruses. And furthermore, what are they doing letting missile officers
> run MacPlaymate on the missile control computer anyhow?

Well, most govt. security installations do run LANs, and not only are they susceptible to viruses, there are several viruses designed to seek out and foul up LAN systems. Frankly, PCs are cheaper and more efficient than mainframes from the 80s, and they are used in a wider scope than you'd believe.

Well, I'd say that the most likely place to find these virus authors, in step with the end note, are echomail nets designed for virus authors. Like...

* VX_NET - Virus Exchange NET, an up-and-coming non-partisan net. Directed towards unity and making fun of the anti-viral community.
* Phalcon/Skism NET - The virus echos are a place for learning, and you can contact the members on this net.
* [NuKE] Net - Another net from a virus group, get in contact with them on it.
* VIRUS_INFO on FIDO - Surprisingly enough, virus authors abound there with fake names, contributing to confusion and getting a good laugh at the expense of the anti-viral crew.

Interestingly enough, there's been some progression of rivalry between the pro-viral and anti-viral communities. Way back when, virus authors released their wares. Then, the anti-viral communities recognized that they could either (i) be altruistic in their ways and help their fellow man or (ii) make a quick buck off of human suffering. They wrote anti-viral wares and organized. The virus authors did not like this. They themselves organized and now have become more Anti-Anti-Viral than Pro-Viral. I have no idea what significance this progression has, and leave it to you capable readers to determine what will happen. Yes, virus authors are in it now more for making fun and avenging themselves of the anti-viral authors, who in turn do the same in their programs. Etc, Etc, Etc.

So here's what I do. On my 'underground e-leet Vx' BBS, I make all viruses and other files free on the first call. There's even a command to download entire file bases. Meaning, if you release all of these viruses to your users, they in turn set up BBSs and become Vx sysops themselves. Hopefully, besides using viruses as a commodity, the fledgling sysop will look at a few of the pro-viral utilities and some of the source code. Perhaps the sysop will want to maybe get in on this ASM thing and learn a thing or two, perhaps the sysop will become a virus writer over time. Thus, like the viruses we propagate, we propagate. We force nothing into the minds and computers of others, it's all part of curiosity and voluntary. We help people to find their calling in whatever field of modem-dom they like. I know it's an empty desire, to want other sysops to do the same, but it's a desire nonetheless.

In conclusion, I just wanted to clear up some things about both viruses and the pro-viral community. May you all find your calling and make it possible for others to do the same, as that sysop long ago did the same, custom made to do just that.

In spirits,
Guido Sanchez

Oh yes, and if you are interested in the theory of thought viruses, more information can be obtained on the BBS Nun-Beaters Anonymous, 708/251-5094. Thank you for your 'time'.

Downloaded From P-80 International Information Systems 304-744-2253
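The post notes that integrity checkers keep a database of file CRCs and that editing or deleting that database is a common virus technique. The following is an added example from a defender's view, not code from the post or from Integrity Master: a baseline keyed with an HMAC so that a changed file, an edited database and a missing database are each reported separately. It assumes the key is kept off the scanned disk; the file names and contents are constructed for the demo.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Assumption: in real use this key lives off the scanned disk (e.g. on a
# write-protected diskette); a key stored beside the database could be
# used to recompute a valid tag after tampering.
KEY = b"demo-key-kept-off-the-scanned-disk"

def file_digest(path):
    """SHA-256 of a file, read in chunks so large programs are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths):
    """Record a digest per file and an HMAC over the whole record set."""
    records = {p: file_digest(p) for p in paths}
    body = json.dumps(records, sort_keys=True).encode()
    return {"records": records, "mac": hmac.new(KEY, body, hashlib.sha256).hexdigest()}

def verify(baseline, paths):
    """Return (status, changed_files); status distinguishes file changes
    from tampering with, or loss of, the baseline itself."""
    if baseline is None:
        return "baseline_missing", []
    body = json.dumps(baseline.get("records", {}), sort_keys=True).encode()
    expected = hmac.new(KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, baseline.get("mac", "")):
        return "baseline_tampered", []
    changed = [p for p in paths if baseline["records"].get(p) != file_digest(p)]
    return ("changed" if changed else "ok"), changed

def demo():
    """Constructed scenario: clean run, modified file, edited database, missing database."""
    d = tempfile.mkdtemp()
    prog = os.path.join(d, "game.exe")
    with open(prog, "wb") as f:
        f.write(b"MZ constructed program image")   # constructed sample file
    base = build_baseline([prog])
    r1 = verify(base, [prog])                     # clean: ok
    with open(prog, "ab") as f:
        f.write(b" appended bytes")               # file modified after baselining
    r2 = verify(base, [prog])                     # changed
    base["records"][prog] = file_digest(prog)     # database edited without the key
    r3 = verify(base, [prog])                     # baseline_tampered
    r4 = verify(None, [prog])                     # database removed: baseline_missing
    return r1[0], r2[0], r3[0], r4[0]
```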