                 **********************************************
                 The Crypt Newsletter [mid-Sept.'92]: another in
                 an infrequent series of factual, info-glutted, 
                 tongue-in-cheek monographs solely for the enjoyment
                 of the virus programming professional or enthusiast
                 interested in the particulars of electronic mayhem.  
                                      
                                      -*-
                              
                              Edited by URNST KOUCH.
                 **********************************************

       This issue's quote:  "It's a new hobby, folks."
                         --John Dvorak on virus programming, from the 2nd
       edition of Dvorak's Telecommunications, Dvorak and Anis (McGraw-Hill).
       *******************************************************************

       IN THIS ISSUE: Local news...viruses for sale...condensed results of
       NCSA scanner evaluation...viruses as tools of civil disobedience...
       MacMag Peace virus dropper charged with crime...trojan programming
       and stomping out the pernicious threat of hard core pornography...
       Hans Von Braun, enlightened fellow...dummkopf of month award...
       Nowhere Man's CRYPTCOM 2.0...Pallbearer's KONSUMER KORNER...
       the CASINO virus...NUKEX...BATCOMPI trojan...the PENIS trojan...
       CORRUPTO 2 and more.
       
       
       NEWS! NEWS! NEWS! NEWS! NEWS!
       
       Frans "Dutch" Hagelaars nee SomethingAndersswhateversomething,
       Poobah of the Virus echo distributed on the FidoNet,
       clamped down on the public domain Wizard's Retreat BBS
       in Allentown, PA, for refusing to delete virus exchange sysop
       Tim Caton (aka Pallbearer) from its caller base. 

       In order to preserve the transmission of the echo, Wizard
       Retreat sysop Scott Miller has made the echo 'read-only'
       for all local callers. He declined to delete user Caton.
       
       In related news, Phalcon/SKISM's Night Crawler, the other
       FidoNet virus echo user excommunicated in "Dutch's" late Summer
       purge, reappeared in the waning days of August to wish Hagelaars 
       well.
       
       "You, my good man, can go to HELL!" commented the SKISM member.

       In unrelated news: We now reprint a fragment of a recent 
       post from FidoNet Virus echo user and 14-year assembly 
       programmer, Gary Watson. In it Watson protested his being
       labeled a pampered menial by the Crypt Newsletter for constantly
       being allowed to flame on topics which usually get 'lesser' users
       barred. 
       
       "Why would I want to [pass viruses on FidoNet]? I make a 
       point of *not* collecting them," claimed Mr. Watson.

       Interested readers will be amused to find that the same 
       "Nixon" Watson was recently spotted uploading an archive 
       containing live samples and source code to BADBOY 2, DIAMOND, 
       DIR-2, OUTLAND, MURPHY, MG, MIX, HORSE, PINGPONG, 4096, LEECH, 
       AMSTRAD, CRAZYEDDIE, etc., to the DARK COFFIN BBS.  
       
       The Dark Coffin is hosted by the shunned & hated Caton and,
       incidentally, seems to be the mailing address of this newsletter.
       Small world, isn't it, Gary? Not a collector? INDEED.
       
       ANYWAY, here at the Crypt newsletter, we reckon the Virus 
       echo and its users would be BETTER served if "Dutch" Hagelaars
       took the following steps:
       
            1. Discourage trivial posts like those generated by
            Gyuri "George" K. GK's disjointed messages resemble 
            what can only be described as the distracting chatter 
            of a madman. Hey, try and keep it on the subject, eh? 
            [Oops, hope he's not DAV incognito!]
            
            2. Time to consider instituting separate feeds to all nodes 
            where users persist in posting "SEKRIT" messages in Polish, 
            Danish, Slavonic, Chervonsky, Basque, Martian or whatever. 
            As an Ami Schwein, I speak only de Englise, dammit, and see
            little value in wading through apocryphal messages which appear
            to be written in ecthje fiudoaw resstetiii. (See what I mean?) 
            It's quite possible users from nether-Poo-Stink, Central Europe, 
            feel the same way about MY lingua franca. Do something
            about this. 
            
            3. Encourage more exchange of detailed, high value info
            relevant to virus study, i.e., ripped off copies of
            Virus Bulletin, news briefs, more posting from Virus - L
            Digest (the Crypt Newsletter, heh). At this point, the echo 
            is about as informative as the QModem users help group. 
            Rob Slade and Paul Ferguson are two who DON'T continually 
            transmit useless, anecdotal, horrifyingly re-quoted replies 
            to the fragmented discussions of others (see #1 for an
            example). Many could learn from them. Time to tear the 
            lid off the source code ban, too. The cows have left 
            the barn, boys.
           
       Until these steps are taken, the Virus echo will remain trivial.
       "It's no big loss," said Caton.  Res ipsa loquitur.
       
       Down on the Gulf of Mexico in Mission, TX, sysop Zendor of the
       Other Side BBS has taken matters into his own hands and started
       charging a small fee for bulk mail delivery of viruses, 
       source code, and related files. For $1.00 cash money, 
       Zendor will supply a catalog; for $10.00, a diskette of the 
       software in his archive.
       
       Compared to the $15.00 asking price for "The Little Black Book of
       Computer Viruses" (American Eagle Publishing, Tucson, AZ) 
       companion diskette, Zendor's terms seem quite fair. Mail him 
       at 1807 Cassandra, Mission, TX 78572, or call The Other Side 
       at 512-618-0154.

       In related news, The Other Side is a member of the WWIV StormLink 
       net and sponsors the "Infected Files" sub nationwide.  In its first
       week, "Infected Files" posts included the source code for
       the SARA GORDON virus (mistakenly posted at the MtE) and debug scripts
       for the FELLOWSHIP and MIMIC2 viruses, among others.  Sadly, it
       didn't take long for someone to cry foul and threaten its closure
       unless all source codes and hex dump transmissions were curtailed.
       The punitive action achieved little, since virus exchange sysops
       continued to freely trade advice and phone numbers at will. Now 
       izzit me, or are all net co-ordinators trained to be morons?  
       What difference is there between posting codes or BBS numbers 
       where codes and live viruses can be freely downloaded? A free 
       no-prize to you if you can explain it to me! Just another case 
       of the Emperor's New Clothes.


       Symantec has taken the step of uploading a freeware version of the
       Norton Antivirus's scan utility, NAVSCA.ZIP, to the IBMSYS and 
       VIRUSFORUM SIG's on COMPUSERVE. This is not the first time
       a colorful commercial outfit has attempted to do battle with the
       shareware market. Back at the time of the Michelangelo scare, 
       XTREE made available a free version of UNVIRUS, the scanning utility
       from its VIRUSAFE package. About the only remarkable points about
       XTREE's program were the amusing cheeping noises it made when 
       searching memory for 'stealth' viruses and the hysterically silly 
       virus descriptions: "Fill in your own virus - This virus is very 
       dangerous and will corrupt all the files on your system, eventually 
       totally destroying the disk!"
       
       As for NAVSCAN's efficacy as a brute-force scanner against the 
       new crop of viral programs? We took it into the Crypt virus 
       lab and scooped up a handful of VCL 1.0 variants 
       (DIARRHEA 1 & 2, HEEVAHAVA and RED HERRING), a few direct action 
       infectors designed with VCL 1.0 but optimized to avoid detection 
       by SCAN v95B (MIMIC 1 & 2, DIOGENES) and two weirdos - COMMANDER
       BOMBER and STARSHIP. The score? No hits. Here at the Crypt
       Newsletter, we deem these results unsuitable for "optimum
       consumer confidence." Even if it's free.

       
       And now for your further infotainment, a newsbrief culled and cribbed
       without permission from a post by FidoNet virus echo user Paul 
       Ferguson. Take it away (and thanks anyway), Paul!

      Reprinted without permission from Federal Computer Week, 17 August 1992 -
      (page 34)

8<-------- Cut Here ---------------

      MOST VIRUS-DETECTION PRODUCTS SUCCESSFUL
      by Richard A. Danca

 Most PC virus-detection products do an excellent job of finding known
viruses on a PC, according to tests run by the National Computer
Security Association, Carlisle, Pa.
 In NCSA's tests, 12 of 16 virus-detection products found more than 90
percent of the 848 viruses or virus variants in NCSA's database. Only
two of the products found fewer than 80 percent of the files.
 NCSA tested all the products it received after announcing it would
conduct the tests, said membership director Paul R. Gates.
 The association will run tests every month, and future tests will
probably include other virus detectors, he said. Questions remain,
however, about the validity of the tests and the hazards viruses pose.
 Three products found 100 percent of the 848 viruses NCSA used in the
test: Virex-PC from Microcom Inc., Norwood, Mass.; Panscan from Panda
Systems, Wilmington, Del.; and Findviru from S&S International,
Berkhamsted, Hertfordshire, Britain.
 NCSA uses the term "infected files" to refer to the viruses it tested
because many viruses are variants of others and because there are no
agreed-upon naming criteria, Gates said, nor did NCSA distinguish
between common and unusual viruses. "The common ones are in there with
the rare ones."

 ONLY DETECTION WAS TESTED

 NCSA tested only virus detection, not removal. Many viruses make it
impossible to re-create programs or data they have infected, so
detection is more important than removal, Gates said. "Mostly what
people do is restore [files] is not to run the remover capability but
to reinstall software" and restore data from backups. "That is the
correct way of doing it."
 One company whose product scored low criticized NCSA's tests and
objectivity. Commcrypt Inc., Beltsville, Md., said the Scan Plus
portion of its Detect Plus software found 73 percent of 2,201 strains
of viruses in a February test NCSA ran. "In a nutshell, we're not
privy to the library we're tested against," said Warren Wertz,
research director at Commcrypt.
 It is possible that some of the files in the NCSA database are "naked
viruses or benign viruses" that cannot damage data.
 The NCSA database was available only to members of the Anti-Virus
Program Developers consortium who paid a membership fee, said
Commcrypt president William H. Landgraf. "If you're willing to pay the
money - $2,000 or more a quarter - they'll provide you with the list
of viruses."
 In a certificate it issued to Commcrypt in February, NCSA said,
"Nearly all of these [2,201] strains have rarely or never been seen
'in the wild.' Scan Plus detected all common viruses."
 Commcrypt has many customers in the U.S. Postal Service and the
federal courts, Wertz said. "They haven't got any viruses - that we
know about - that they couldn't get rid of," he said.
 NCSA and other experts acknowledge that common viruses are far more
likely to cause damage. The most common viruses include strains of
Jerusalem, Stoned and Michelangelo, according to both NCSA and
Commcrypt. In addition, "some people estimate that 90 to 95 percent of
the data lost is because of operator error." Gates said.
 "I have some question about scan tests of viruses that just exist in
the laboratories," said Bryan Seborg, PC and local area network
security program director at the Federal Deposit Insurance Corp.
Seborg is also a virus researcher and instructor at the University of
Maryland.
 Seborg agreed with NCSA's Gates, however, on the limited value of
virus removers. "The ones that do a cleanup are not a good idea."
 FDIC policy requires users to destroy infected files and reinstall
software. For viruses that destroy boot records or hidden MS-DOS
files, the FDIC solution is to use DOS' FDISK or SYS commands, Seborg
said.

AUGUST VIRUS SCANNER TEST RESULTS

VENDOR                 PRODUCT          VERSION     SCORE

Central Point          CPAV               1.3*       94
Certus                 NOVI               1.1D       95
Commcrypt              Detect Plus        2.10       60
Fifth Generation       UTSCAN            24.00       90
Frisk Software         F-PROT             2.04       99
IRIS                   CURE              20.01       93
Leprechaun Software    Virus Buster       3.92       98
McAfee Associates      SCAN                 93       99
Microcom Inc.          Virex-PC           2.2       100
Panda Software         Panscan            4.05      100
RG Software            Vi Spy             9.0        97
S&S International      Findviru           5.60      100
Stiller Research       Integrity Master   1.23A      88
Symantec               NAV                2.0*       70
Trend Micro Devices    PCSCAN             2.0        91
Xtree                  ViruSafe           4.6        86


* Test was run with the August version of the vendors' virus signature
  definition file, which is available to their installed base.

[ Source: National Computer Security Association ]

    [Readers of this issue of the Crypt newsletter are invited to 
    comment, no holds barred, on this study and Danca's article. 
    Send comments to The Dark Coffin BBS, 1-215-966-3576 or
    leave mail for Couch on The Hell Pit.]
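The NCSA table above is compact enough to check by hand, but a practitioner reading a scanner comparison usually wants the arithmetic done for them: how many products cleared a threshold, which scored 100, and how many of the 848 samples a "99 percent" product still misses. The following Python is an added example, not part of the newsletter or of NCSA's work; it embeds a copy of the printed table (constructed from the rows above), splits the fixed-width columns on runs of two or more spaces, and summarizes the scores. Counting the table gives 11 products strictly above 90 and 12 at 90 or better, so the article's "12 of 16 found more than 90 percent" corresponds to "at least 90"; UTSCAN sits exactly on the line.

```python
import re
import statistics

# Constructed copy of the NCSA August 1992 result table as printed above:
# vendor, product, version, percentage of the 848 sample files detected.
NCSA_TABLE = """\
Central Point          CPAV               1.3*       94
Certus                 NOVI               1.1D       95
Commcrypt              Detect Plus        2.10       60
Fifth Generation       UTSCAN            24.00       90
Frisk Software         F-PROT             2.04       99
IRIS                   CURE              20.01       93
Leprechaun Software    Virus Buster       3.92       98
McAfee Associates      SCAN                 93       99
Microcom Inc.          Virex-PC           2.2       100
Panda Software         Panscan            4.05      100
RG Software            Vi Spy             9.0        97
S&S International      Findviru           5.60      100
Stiller Research       Integrity Master   1.23A      88
Symantec               NAV                2.0*       70
Trend Micro Devices    PCSCAN             2.0        91
Xtree                  ViruSafe           4.6        86
"""

TOTAL_SAMPLES = 848   # size of the NCSA test set stated in the article


def parse_results(text=NCSA_TABLE):
    """Split the fixed-width table on runs of two or more spaces into records."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        cols = re.split(r"\s{2,}", line)
        if len(cols) != 4:
            raise ValueError(f"unexpected column layout: {line!r}")
        vendor, product, version, score = cols
        score = int(score)
        rows.append({
            "vendor": vendor,
            "product": product,
            "version": version.rstrip("*"),
            # '*' marks products tested with the August signature file
            "august_signatures": version.endswith("*"),
            "score": score,
            # a 99 percent score still leaves a handful of samples undetected
            "missed": round(TOTAL_SAMPLES * (100 - score) / 100),
        })
    return rows


def summarize(rows):
    """Aggregate figures a reader would want to compare with the article's claims."""
    scores = [r["score"] for r in rows]
    return {
        "products": len(rows),
        "above_90": sum(1 for s in scores if s > 90),
        "at_least_90": sum(1 for s in scores if s >= 90),
        "below_80": sum(1 for s in scores if s < 80),
        "perfect": [r["product"] for r in rows if r["score"] == 100],
        "mean": statistics.mean(scores),
        "median": statistics.median(scores),
    }


if __name__ == "__main__":
    rows = parse_results()
    for r in sorted(rows, key=lambda r: r["score"], reverse=True):
        print(f'{r["product"]:18} {r["score"]:3d}%  missed ~{r["missed"]:3d} of {TOTAL_SAMPLES}')
    print(summarize(rows))
```

The "missed" column is the practical reading of these numbers: Detect Plus at 60 percent leaves roughly 339 of the 848 samples undetected, and even F-PROT or SCAN at 99 percent leave about eight.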

    NEXT UP: THE COMPUTER VIRUS AS A TOOL OF INDIVIDUAL EMPOWERMENT   
    by THE FLIM-FLAM MAN
       

    It's time to start thinking in real terms about the computer virus
    as a tool for individual empowerment.

    To avoid an overly windy essay, I'm going to focus on two REAL
    human examples.

    The first deals with a woman in her mid-40's who works for a small
    specialty book publishing firm in the Lehigh Valley of eastern PA.
    (I've kept the descriptions of individuals deliberately vague to
    protect them from inappropriate attention.)
    
    In early 1992 she found herself sexually harassed in the workplace by
    her boss, a man for whom she felt no attraction.  Unable to tell him 
    to bug off, and knowing that in a small business there
    was no place to turn but the street, she became enraged. So she 
    planned a late night smash-and-grab raid into the office to delete 
    certain key files on his personal computer.  This she did. The next 
    day her boss was confused, frustrated and angry over the loss of 
     his precious data. He was not hip to the fact that his work had 
    been sabotaged by the woman quietly smiling in the next room. 
    
    Given the opportunity to use a computer virus for the job, 
    it is not totally unreasonable to assume this woman would have 
    seriously entertained the idea of using it as a tool of redress. 
    In any case, she was a computer vandal. And not the computer vandal 
    most corporate stiffs like to paint: a maladjusted, teen or 
    disgruntled, shirking whiner.  Rather, she was somewhere in between; 
    a reasonable worker pushed deep into a corner. As further food for 
    thought: Do you think that the use of a computer virus, IN THIS
    INSTANCE, would have been BAD?

    A second example: mid-level staffers at a large metropolitan corporation 
    in eastern Pennsylvania have had to grapple with the installation of
    a project implemented on a Macintosh desktop system. The junior 
    technical administrator put in charge of bringing the system online 
    has not proven up to the challenge. After two years of work, the 
    system crashes daily, eats work, locks unpredictably and forces 
    continued overtime on staffers who have to work around its shortcomings. 
    The technical administrator is openly hostile to any suggestions 
    from staffers who are compelled to use the system daily.  The 
    administrator's supervisor will not listen to suggestions from 
    underlings that more expert technical help is necessary. The project 
    has become a costly, political hot potato; its failure would mean 
    the rep of the management team that committed to it two years 
    previously.

    At this point the staffers who must work with the non-functional system
    daily have begun entertaining the idea of inserting a Mac virus into
    the already deeply screwy system.  The rationale for use is that it could 
    force a system crash which the current technical administrator could
    not quickly remedy. Such a disaster might break the logjam of upper  
    management arrogance and force the consultation of someone better
     suited to programming of Macintoshes.  They also feel that since
    viruses are anonymous, the blame would most likely fall on the
    local administrator's head for allowing it to happen.

    This is another graphic example of reasonable workers who feel they've
    been backed into a corner by leaders who seem dumb as stumps. 
    The computer virus is viewed by the victimized as their road to 
    empowerment. 
    
    These workers are smart enough to realize that there 
    is no guarantee that a bad situation will be made better by a 
    virus. But they do think that throwing a monkey wrench into the 
    system, bringing it to a noisy, ugly halt, might buy some breathing 
    room.
    
    As told here, I'm sure most readers WILL feel some empathy for 
    the people above.  It's not a stretch to think of someone in the
    same tight spot. And that is why, as the gap between managers and 
     grunts in our technological society becomes wider, the computer 
    virus or rogue program will be seen more and more as one of THE tools 
    for empowerment. 
    
    Anyone who works in the corporate security field should be scared 
    white at this prospect. Because the hardest 'virus-droppers' 
     to fight will be the honest, determined employees, 
    who become progressively alienated by the cynicism and indifference 
    from an organization they work for.

    ***********************************************
    NEWS BREAK! NEWS BREAK! NEWS BREAK! NEWS BREAK!
    ***********************************************

NEWS clip from one of COMPUSERVE's free services:

Online Today

CANADIAN CHARGED WITH PLANTING ALDUS COMPUTER VIRUS

  (Aug. 20)
  Former Canadian computer magazine publisher Richard Brandow, 28,
has been accused of planting a computer virus that tainted thousands
of copies of Aldus Corp. software in 1988.
  According to The Associated Press, Brandow, who now writes for
"Star Trek," has been charged by prosecutors in King County,
Washington with malicious mischief and could face up to 10 years in
on if he is convicted.
  Brandow said he finds the charges surprising. "What are they going
to do?" he asked, "It happened four years ago, and I am here in
Montreal."
  He told AP that he arranged for a message to flash briefly on
computer screens that wished peace "to all Macintosh users around the
s were designed to educate the public
to the danger of viruses. Brandow included his name in the message so
he could be contacted.
  The virus made its way eventually to Aldus where it infected a
master disk for producing copies of Freehand, an illustration
program. After the virus was discovered, Aldus recalled 5,000 copies
of Freehand and replaced another 5,000 copies it had in its
inventory. The incident cost the firm $7,000.
  Ivan Orton, King County senior deputy prosecuting attorney, told AP
it was the first time the state has brought such criminal charges. He
also said he believes the incident was the first time a virus had
tainted commercial software.
  For more news from The Associated Press, consult the Executive News 
Service.(GO APONLINE).
  --Cathryn Conroy

[URNST KOUCH butts in:  In this story, reporter Conroy is referring
to the MacMag Peace virus, commissioned by Brandau, then the editor of MacMag
magazine. Its trigger date of March 2, 1988, was the 
first anniversary of the Mac II - at which time the virus displayed
the universal peace sign, or something to that effect. After Mar 2,
the virus erased itself. Why do the authorities always come up with
a charge YEARS later; a day late and a dollar short, so to speak? And by the
way, it is spelled "Brandau."]

  IN SEARCH OF TROJAN PROGRAMMING or CRYPT NEWSLETTER's CAMPAIGN
  AGAINST THE UNRESTRICTED FLOW OF PC PORNOGRAPHY

  A good deal of this issue is devoted to helping the reader optimize
  his planned trojan programs for real world success.

  Let's face it, trojans which blindly sack the fixed disk and
  contain unencrypted, embedded ASCII strings like "You're fucked now,
  lamer!! Ahahahahaha!" don't cut it in the real world.  Of course,
  such trojans will always work against the PC initiate. But admit it, 
  that's about as much good sport as shooting fish in a barrel. No 
  challenge, no style.  Far better to just put a ballpeen hammer through 
  the monitor and do some real damage.

  A good trojan should distract the user. It should, perhaps, display a
  fine graphic, send a cryptic error message to the monitor, or 
  appear to do . . . nothing.  Good trojan programmers never stoop to that
  old bromide, "You're fucked now, lamer!!"

  So, to start, you will want to subscribe to Lee Jackson's HACK REPORT,
  available at too many public electronic archives to count.
  It's a fine guide and tells you just what's out there; it even
  chronicles the more successful trojans. It is GOOD FOR IDEAS.

  For example, in the pd world, many were duped by the XTRATANK trojan,
  a genuinely clever and twisted set of programs that promised to
  double a user's disk space free of charge. In reality XTRATANK placed 
  Michelangelo and Stoned virus onto the machine in two discrete steps. 
  XTRATANK batted directly to the average user's weakest spot: The 
  desire to gain something for nothing!
  
  Upon installation, a portion of Michelangelo's code was copied 
  to the boot block of the disk. This was not enough to trigger any scanner.  
  After the user realized the program was doing nothing for him, he would 
  uninstall it, probably using the de-installation software.  
  The de-installation software copied the remainder of Michelangelo 
  to the boot block and inserted Stoned into memory.  At this point, 
  a scan run reveals something seriously wrong.  Many were sucked in by 
  XTRATANK.

  But maybe you don't have the time or the will to come up with
  an XTRATANK.  Consider making trojans out of pornographic files.
  It's easy, the trojans are simple to put into the wild and 
  serve a purpose: they burn users whose sexual tastes run to the
  bizarre. For this purpose, I've included the code to a flashy, but crass,
  display which writes an animated ANSI of a squirting gland directly to 
  the video page. Then it crushes the drive.  The ANSI was converted 
  into code suitable for direct video writes by the most recent version 
  of the LAUGHING DOG screen maker.  The utility of this code is that
  ANSI.SYS does not have to be loaded, the graphic effect will take
  quite nicely without it. (See the appendix file: PENIS.ASM.)

  A second trojan is an update of CORRUPTO, something I designed
  using VCL 1.0. CORRUPTO 2 will display the error message "Cannot
  open lezbosex.dat/Critical errorlevel=25"  when executed and 
  then drop a small proprietary Crypt program which can surgically 
  rewrite the partition onto an executable in the current directory. 
  Include CORRUPTO in an archive with at least one other V-loader of 
  wimmen getting it on with each other or something similar. (The idea 
  here is that Lesbian loaders are a hot download. It's true, they just 
  blow right out the door.) The user runs the first loader in the archive
  and gets an eyeful. He starts polishing his knob and runs CORRUPTO 2. 
  Nothing but the error. Damn! Some cretin took the .DAT file out of 
  the archive, he thinks! Stupid pirates! (Don't forget to include 
  another dummy .DAT file for the real program, to make the sham filth 
  seem even more real.)

  In reality, a partition bomb is now installed upon CORRUPTO, 
  the other V-loader, and any other executable in the directory. 
  When any one of these is invoked, the partition table on the C drive 
  of any 80286 and up machine will be silently and quickly rewritten.  
  The results will be somewhat disruptive to the day's computing activity,
  UNLESS the user has a back-up image of the partition saved off disk and
  the wit to reload it.
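The last sentence names the only cure the text offers: a saved copy of the partition table and the wit to reload it. The following Python, added here and not part of the newsletter or of any Crypt program, shows what that backup amounts to in practice: parse the four 16-byte entries that sit at offset 446 of the 512-byte master boot sector, fingerprint the table, diff a fresh read of the sector against the saved copy, and splice the saved table back. The sample sector is constructed for the example (a single bootable FAT16 entry); on a real machine the bytes would come from the first sector of the disk, for instance `dd if=/dev/sda of=mbr.bin bs=512 count=1` on Linux.

```python
import hashlib
import struct

SECTOR = 512
TABLE_OFFSET = 446             # the four 16-byte partition entries start here
ENTRY = "<B3sB3sII"            # status, CHS start, type, CHS end, LBA start, sector count
SIGNATURE = b"\x55\xaa"        # boot signature in the last two bytes of the sector


def build_sample_mbr():
    """Constructed test sector for the example: one bootable FAT16 partition.
    Not a real disk image; the bootstrap area is left zeroed."""
    sector = bytearray(SECTOR)
    entry = struct.pack(ENTRY,
                        0x80,               # status: bootable
                        b"\x01\x01\x00",    # CHS start (not interpreted here)
                        0x06,               # type: FAT16
                        b"\xfe\x3f\x0c",    # CHS end (not interpreted here)
                        63,                 # LBA of first sector
                        204800)             # number of sectors
    sector[TABLE_OFFSET:TABLE_OFFSET + 16] = entry
    sector[510:512] = SIGNATURE
    return bytes(sector)


def parse_mbr(sector):
    """Return the non-empty partition entries; reject sectors without 55AA."""
    if len(sector) != SECTOR or sector[510:512] != SIGNATURE:
        raise ValueError("not a valid MBR sector (bad length or missing 55AA signature)")
    entries = []
    for i in range(4):
        raw = sector[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)]
        status, _, ptype, _, lba, count = struct.unpack(ENTRY, raw)
        if ptype == 0:
            continue                         # empty slot
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return entries


def table_fingerprint(sector):
    """SHA-256 over the partition table plus signature; cheap to store off-disk."""
    return hashlib.sha256(sector[TABLE_OFFSET:SECTOR]).hexdigest()


def check_against_backup(backup_sector, current_sector):
    """Human-readable differences between a saved sector and a fresh read.
    An empty list means the table (and bootstrap code) are unchanged."""
    problems = []
    if current_sector[510:512] != SIGNATURE:
        problems.append("boot signature 55AA missing")
    for i in range(4):
        lo, hi = TABLE_OFFSET + 16 * i, TABLE_OFFSET + 16 * (i + 1)
        if backup_sector[lo:hi] != current_sector[lo:hi]:
            problems.append(f"partition entry {i} differs from backup")
    if backup_sector[:TABLE_OFFSET] != current_sector[:TABLE_OFFSET]:
        problems.append("bootstrap code differs from backup")
    return problems


def restore_table(backup_sector, current_sector):
    """Splice the saved table and signature over a current sector image."""
    repaired = bytearray(current_sector)
    repaired[TABLE_OFFSET:SECTOR] = backup_sector[TABLE_OFFSET:SECTOR]
    return bytes(repaired)


if __name__ == "__main__":
    good = build_sample_mbr()
    print("saved fingerprint:", table_fingerprint(good))
    print("partitions:", parse_mbr(good))
    # simulate a silently rewritten table: entries zeroed, signature left in place
    bad = bytearray(good)
    bad[TABLE_OFFSET:510] = bytes(64)
    print("problems:", check_against_backup(good, bytes(bad)))
    print("repaired ok:", restore_table(good, bytes(bad)) == good)
```

Storing only the fingerprint tells you that something changed; storing the 66 bytes as well lets you put them back without reconstructing partition geometry by hand, which is the difference between a short interruption and the "unpalatable job" the text describes.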

  There are other benefits in creating trojans for porn directories.
       
       1] Victims never squeal. Most Americans are far too neurotic to
       admit something bad happened to them while they were watching "dirty"
       sex. It's like confessing to your girlfriend you have a problem 
       with horrible anal itching. It's just not done. So they may not even 
       inform the sysop, giving your trojan longer shelf-life.

       2] Such trojans are deceptively simple to upload to 'adult'
       directories, the bigger the better.  Large adult directories
       aren't well-supervised.  Let's face it, even the biggest
       pervert doesn't have enough time in the day to keep track
       of all the squamous product he stocks. Do you think he's gonna look
       at yours closely? Bet against.

       3] Such trojans will not show up in The Hack Report. Lee Jackson
       does not cover this angle, for obvious reasons.

       4] It puts you on the Republican side in the war on porn. You
       can be smug, like them, in knowing that YOU ARE DOING THE
       RIGHT THING when stomping on those presumed vile by the Moral
       Majority. Heck, you might even strike a few Republicans 
       anonymously in this manner.  
       
       5] Think of the kid who's gonna have to explain to his Dad
       why the PC in the study room just went down. You could be steering
       the boy in the right direction by discouraging him from tying up the
       phone and blowing valuable online time downloading more filth.

   But pd trojans have their place, too. To that end, Crypt Newsletter
   has included the DEBUG script to BATCOMPI.COM, a very effective
   BAT2EXE trojan.  BATCOMPI will, indeed, compile your .BAT files
   into flawless .COM's.  However, don't make a mistake when editing
   your .BAT file!! BATCOMPI will point out the line number and then 
   punish the drive with a heavy stick.  Also included are the
   convincing, BUT COMPLETELY BOGUS, docs for BATCOMPI, written by 
   "Ned Turnquist."  Be sure to include these with BATCOMPI, wherever 
   it goes, to further give it that right patina of legitimacy. (Like 
   XTRATANK, BATCOMPI strikes at the greed of users who wish a 
   "free lunch.")

   And also for your trojan programmer's toolkit, a DEBUG script of
   NOWHERE MAN's CRYPTCOM utility.  CRYPTCOM serves many purposes.
   Use it to put an encryption shell over your trojan, in the
   event that someone might look at it with CHK4BOMB. Use it to
   put an encryption shell on an old virus that you'd like to
   get past an initial run by an up-to-date scanner.
   
   [Also in this issue, a DEBUG script of the CASINO virus. The
   CASINO virus is a very fine program, but, unfortunately, it scans.
   If you want to get CASINO past the original round of scanning on
   any machine, CRYPTCOM it.]

   CRYPTCOM is merely part of Nowhere Man's Nowhere Utilities 2.0
   software package.  If you find it helpful, you'll want to dash
   out and obtain the complete package at places like The Hell Pit
   or the BBS's listed at the end of The Crypt Newsletter.

   [For assembly, take the DEBUG script for the appropriate trojan,
   virus, or utility listed in the newsletter appendices and
   go to the C:\> prompt.

   Type, DEBUG <*.scr, where the wildcard is the name of the appropriate
   script. Then <enter>. If DEBUG is in your path, 
   the CASINO virus, BATCOMPI, CRYPTCOM, or NUKEX should now be assembled 
   and sitting in the current directory, ready for use.

   NUKEX? "What's that, URNST?" I hear you screech.  NUKEX is a bonus
   trojan! Invoking NUKEX will immediately abolish the directory
   structure on the C: drive of any machine and along with it,
   all the files on the disk.  NUKEX is heavily cushioned for error
   and will gracefully exit to DOS if something unforeseen occurs.
   (However, this is unlikely.) NUKEX is completely silent, too.  
   Recommended uses: as a stand-alone rabbit-punching program or
   for inclusion as a 'dropped' payload, deposited by virus or
   trojan.  NUKEX can be deployed as a subroutine in any
   virus, too. [NUKEX can easily be configured to erase any drive, but
   the copy included with the Crypt Newsletter is good ONLY for
   the C: drive.] I have passed along the source code to Nowhere Man
   who is reviewing it for inclusion in the VCL 2.0.
   NUKEX does not format or overwrite the affected drive. It does
   however, present the user with the unpalatable job of "unerasing"
   hundreds, if not thousands, of files and directory entries.

   NUKEX user note: if invoked from a floppy disk, NUKEX will
   abolish the directory structure on a fixed disk, leaving itself
   intact. If invoked from anywhere on the fixed drive, NUKEX will
   erase itself in the process of deleting the entire disk. So make
   sure you have a backup.]

   These programs and utilities should prove helpful if you are 
   considering going into the 'trojanizing' business. Remember:
   The right tools for the right job!!
   
   ***********************************************
   THE FIRST CRYPT NEWSLETTER NATHAN HALE AWARD!!!
   ***********************************************
   
   Goes to Hans Von Braun, chief sysop for the COMSEC BBS in San Francisco.
   
   Our hats off to Von Braun, a member of the National Computer Security
   Association who seems to firmly believe that bulletins like 40HEX
   magazine should be made freely available to any interested party.

   Since 40HEX describes in detail tricks of virus development, Von Braun
   writes in a recent issue of the NCSA NEWS (a reprint of which was passed
   along to us here at Crypt's editorial bungalow), "We [have been] told
   that there are only a handful of people in the world that should have
   this information; they are antivirus program developers."

   Von Braun writes earlier, "I believe it is better for
   you to HAVE the information than not to have the information."

   Now, please go back to the statement "there are only a handful of
   people in the world that should have this information." Whew!
   That's a grand claim! It almost makes virus code sound more
   dangerous than nuclear secrets.  Of course, you, the Crypt reader
   know this to be patent bullshit.  And, apparently, in some manner
   so does Mr. Von Braun.

   There are two reasons which come to mind when explaining the a-v
   developers' dumbo rationale for the "eat-your-peas, we know what's best,
   no virus code for you" rule. They are:

       1]. They really DO believe, in some Luddite way, that letting
       people onto this stuff instigates virus propagation. They DO
       believe that the average lumpen prole is too irresponsible to
       handle code correctly. This is very Republican and corporate,
       and although extremely deluded, easy to grasp. It is soothing
       balm to many clients' ears.

       2]. And the real kicker: This info
       falls into the realm of "proprietary" secrets.  Giving away
       proprietary information increases your competition, 
       hurts your market advantage, and is, in general, bad for the
       pocket book because it will spawn users who don't require you
       to hold their pecker for them when they encounter a virus.

   So, kudos to Mr. Hans Von Braun for his "interesting" stand.
   We include his mailing address here so that you might send
   your opinion to him on this matter:

                 123 Townsend Street
                 Suite 555
                 San Francisco, CA  94107

    ****************************************************************
    AND THE CRYPT NEWSLETTER's US NEWS & WORLD REPORT IRAQI COMPUTER
    VIRUS PRIZE FOR THIS MONTH . . .
    ****************************************************************
    
    Goes to Michael Callahan (alias Dr. FileFinder), editor of SHAREWARE 
    MAGAZINE. Even after a two-issue series interviewing John McAfee,
    Callahan still believes that viruses can permanently damage the
    hard disk. (Talk about dense.) Now you can argue with me on this one, 
    but show me a user who claims his machine was irrevocably damaged 
    by a virus and I'll show you a user too embarrassed to admit 
    he "Pepsi syndrome'd" himself. 
    
    And Patricia Hoffman's virus library IS NOT the national computer
    virus library, Mike.  It may be a big library, but it's not the
    government's, it's not open to private citizens (like national
    libraries) and it is not similar to the American Type Culture
    Collection (ATCC) which is the U.S. clearinghouse for real-live
    microbes of the natural kind. 
    
    ********************************************
    AND THE CRYPT NEWSLETTER VIRUS OF THE MONTH:
    ********************************************
    
    The CASINO virus - from the island of Malta.

    The CASINO virus is a memory resident .COM infector.  It will
    infect COMMAND.COM, and it infects .COM files when a DIR is issued
    (whether by the internal DIR of COMMAND.COM or by any other program
    that calls the same function) and whenever a clean .COM file is
    opened for any reason.

    When CASINO is resident, infected files will show only very small 
    increases in file size, although the virus is not true "stealth."

    The interesting trait of CASINO is its activation: on January 15,
    April 15 and August 15 of any year, CASINO will display the following
    message:

    "DISK DESTROYER * A SOUVENIR OF MALTA
    I have just destroyed the FAT on YOUR DISK!
    However, I have a copy in RAM and I'm giving you one last
    chance to restore your precious data!
    WARNING: IF YOU RESET NOW ALL YOUR DATA WILL BE LOST - FOREVER!
    Your data depends on a game of JACKPOT.

    CASINO DE MALTE JACKPOT"

    CASINO will then compel the user to play a game of chance.  If he
    loses, the FAT is destroyed.  Note that, by the message's own account,
    the FAT on disk has already been overwritten by the time the text
    appears; the copy in RAM is the only one left, which is why a reset
    at that point loses everything.

    When I described this to Mrs. URNST KOUCH, she said, "That's evil."

    A DEBUG script of the CASINO virus is included with this issue of
    the Crypt Newsletter. Enjoy your copy of CASINO virus.

    PALLBEARER's KONSUMER KORNER: THE TERM PROGRAM FOR VIRUS COLLECTION

/********** FACILITATION OF VIRUS COLLECTION I: THE TERM PROGRAM *************/

      The entire focus of this small article is intended
    to save you and your SysOp time and money in the virus trade. This, num-
    ber one in the series, is designed to help you find the best terminal
    program for your needs. It reflects solely my opinion, but I am
    sure you will find it valuable.
      In the spirit of 'Consumer Reports' and Ralph Nader, I have parked
    myself in front of the computer during much of my spare time to compile
    this report (I know, REAL hard work...). So, without further ado:

                                  -*-

                       PALLBEARER'S GUIDE TO "TERM"



      (Yeah, I know it's a stupid name, but hey, I'm the author, I'm
    allowed to do stupid things.)

                                  -*-

                First, my old standby: Procomm Plus 2.01

      Well, I have been using a version of Procomm Plus since I started
    collecting virii, and BBSing, for that matter. Many people find
    ProComm to be clumsy. I, personally, enjoy it. Overall, it has two major
    flaws: One - it only supports 3 external protocols; two - it does
    not support AVATAR. Beyond this, I find it very versatile. It
    DOES support many internal protocols, including ZMODEM, XMODEM-CRC, 1K,
    and 1K-G; YMODEM and G, plus a host of other "lesser knowns" such as
    SEAlink, WXMODEM, IMODEM, and, of course, KERMIT, which is run as
    an external. I find the internal ZMODEM inadequate, thus I
    retain DSZ as an external protocol, which I have configured for
    MobyTurbo. HS/Link and Super-Zmodem are also easily supported. On the
    plus side, PCPlus provides COMPUSERVE B+, the famous information
    exchange's protocol of choice. And one BIG feature is the pulldown menus
    from which everything can be configured. With PCPLUS, the only time
    one must ever make use of the install program is if you desire an
    easier way to change modem config and COM ports. PCPLUS also
    supports a Keyboard file for easy user remap, and has a wonderful
    internal utility that speeds up the keyboard of an AT or above. 
    The whole ball of wax, including colors, is configurable from the 
    menus. Of course, the internal split-screen chat is also accessed
    this way.
      The host mode, for you menu fanatics, leaves much to be desired,
    but works nonetheless; those of you desirous of running BBS through
    Procomm Plus Host, however, should remove your collective thumb
    from your ass and get a life.
      Last, the big question with many PC users today: the SPACE. Well,
    Procomm requires over a Meg of space BUT I would allocate 2.5 Megs on
    my drive for it: this includes constant screen captures and little down-
    loads here and there that seem to be forgotten about. For me, space
    is no object, but for many users this problem is one that is
    paramount.

                                  -*-

                               Qmodem 5.0

      Ahh, the term software that sounds like a transfer protocol. After
    testing this package, my only compliment is that it supports plenty
    of external protocols, shrinks out for a DOS shell, supports AVATAR,
    and is frugal on my hard drive. But my REAL advice to those of you who
    have a Qmodem archive? Delete it. This is one of the worst and
    clunkiest terms I have EVER seen. It displays a nice ANSi at startup,
    and has a colorful install program (sort of reminded me of that of
    Windows 3.1), but otherwise bites the big one. I was constantly referring
    to the help screen, since none of the hotkeys from other terms were
    represented (save for the standard PAGEUP/PAGEDOWN file xfers).
    A plus: file transfer data screens are very informative. However,
    this, too, is tainted by a generally hard-to-navigate interface. I will
    admit I did not spend a lot of time with Qmodem, time I still
    regret wasting.
      A final bonus: Qmodem 5.0 features a superior host
    mode with great menus, etc, but only 2 security levels. Well, what do you
    expect from a term program's host, anyway? I repeat myself: If you
    choose a term for its host mode, your thumb smells strangely of shit.

                                  -*-

                              COM-AND 2.8

      I am surprised to admit I was pleased with this SHAREWARE program. It
    incorporated many of the keys of the best of the "off-the-shelf" out
    there. COM-AND also has a hotkey for ASCII download, which will play
    your session back to you later just like a tape recorder. Nice. Or it
    can be speeded up with a simple keystroke to simply scroll across the
    screen. The dialing directory, always an important part of any term,
    was limited in size to 100 entries, but, then again, who keeps 100
    entries in the dialing directory (before you say 'ME!,' look and see
    when the last time you called some of those BBSes was...)? The directory
    gave me a feeling of deja vu, too. It is faintly reminiscent of those
    early releases by DataStorm. The documentation was thorough, and
    an EXCELLENT help screen could be accessed by striking F10.
      One major feature found in COM-AND and in many other "bare-bones"
    terms, is control and configuration almost exclusively
    by script. All of the major configuration files were written
    in plain English, and could be easily modified in the internal editor,
    reached by simple hotkey.
      Another thing that caught my attention, and it should've caught yours
    while reading this report, is that EVERYTHING has a simple hotkey.
    This can be good or bad. The drawback: While you are learn-
    ing the software you must constantly refer to the helpscreen. This will
    cost you time, and time is money (Ma Bell does not come
    cheap). I suggest picking a group of local BBSes and learning COM-AND on
    those while sticking with another, more familiar term, for LD.
    I guarantee, however, as you improve with time, you will notice
    a marked preference for COM-AND while LD calling; you'll be pleased by
    the ease of use and timesaving brought to you by the hotkeys.
      COM-AND also features one more perq: Encryption. All of its user
    script files (logon/logoff, etc) are saved in the .CMD format, which,
    as the docs say, prohibits "casual perusal" from people looking for
    passwords, etc. This makes it an excellent candidate for use on a
    multi-user system. All of these are decrypted in memory and may be
    easily edited in the internal editor. Macro and other files are not
    automatically encrypted, but may be garbled manually with a hotkey.
      As for file transfers, COM-AND features all of the major protocols
    (XMODEM, YMODEM, YMODEM-G, CIS-B and B+ enhanced, and, of course, ZMODEM),
    but it leaves much to be desired in the fact that it does not
    (or so it seems) support external protocols. (COM-AND supports external
    additions through an "accessories" menu. It works well but is
    not particularly user-friendly. -Ed.) Now, this is easy enough to
    fix: write yourself batch files and drop to DOS for your file
    transfers. For those few who find this too difficult (or time consuming
    for bad typists), then either live with the internals, or COM-AND is
    not for you. COM-AND also features an internal Kermit server.
      Overall, I prefer Procomm Plus, thank you very much,
    because of the fact that COM-AND implements externals poorly. Other-
    wise, COM-AND is flawless; a wonder in its configurability.
    Even the nag screen doesn't bother me, all it wants you to do is hit
    a key, and I have to do that with Procomm after it initializes the modem.
    I do consider COM-AND good enough to register!
      It can be picked up from your local pd BBS.

                                  -*-

                             Telemate 3.01

      Last but not least is another shareware answer to term,
    in the spirit of Apogee's Trilogies comes Telemate 3.01, which, like
    Qmodem 4.5 (I tested the registered version, 5.0) and COM-AND, 
    is shareware. Also, along the Apogee lines, Telemate is a superior 
    term program. It supports multiple externals, multiple common and 
    uncommon protocols,  and many different emulations including my 
    'must have', AVATAR.
      Telemate has one queer feature - it plays music to you.
    That's right! I sat down for the first time with Telemate (incidentally,
    I did not receive the data files for the built-in tutorial, so this 
    critique is limited), and did a file transfer, the point of this
    report. When it was completed, I knew my computer meant business
    because it began to play the theme from 'Jeopardy' when I 
    didn't press a key fast enough for Telemate's liking. Later, I 
    discovered this song could be changed during installation. Speaking of
    which, my biggest complaint with Telemate: all of the major
    settings had to be changed from the config program, which was not 
    available on the fly. Also, the Pulldown bar is always exposed
    and includes a status bar at the bottom, giving the user only 23 lines. 
    (As far as I could tell, it was simplest to leave it this way.)
    One unique plus to Telemate is its split-screen and box effects, as 
    though it's being run under Windows. For instance, it is possible 
    to view a text file or the redisplay buffer in one window and have 
    the term in the main window. It is also possible to edit a text 
    or script file in a window with the term in another. I find this a 
    BIG plus to anyone using a term program; it will greatly facilitate 
    your time online.
      Last, I must comment on the dialing directory. Frankly,
    it stunk. The default colors were horrible, and editing the entries was
    a mess. Also, it requires 3 or 4 keystrokes to dial an entry, rather
    than one stroke needed for most terms. The dialing directory also had
    an annoying habit of coming up as soon as Telemate was called. Thus,
    if you simply needed to send a string to your modem, you had to wait until
    after initialization and then exit from the dialing directory - or 
    start dialing a BBS in Europe and not even realize it (and the
    author of Telemate refuses to pay phone bills incurred in this manner...
    sheesh, what a pain...).
      All in all, I found Telemate to be an acceptable term program and would
    switch in a second, if the dialing directory were improved. Well,
    there's always next release, for tomorrow is another day (fiddle-dee-dee).

                                  -*-
                              
                               {COMMO} 5.3
 
 
      For all the manly men in the virus collecting community, Fred 
    Brucker's assembly-coded term program could be for you. COMMO's 
    strong points are its raw, unsurpassed speed of operation, extremely 
    small kernel when shelling to DOS and powerful master macro utility
    which controls all functions in simple, intuitive one-stroke
    hotkeys. Alt-D - dial! PageUP - upload! Alt-X: BE GONE! COMMO
    also takes up almost NO space on a hard drive. Hey, even a
    steroid-gobbling idiot can use COMMO! 
      COMMO's disadvantage (and it's one that weenies will be leery of):
    It supports only Xmodem and Ymodem internally. The good news: Zmodem,
    HS/Link and Compuserve B+ are ready for your use. Just drop the 
    programs into the COMMO directory and they are, almost magically, 
    ready for work WITH NO USER CONFIGURATION REQUIRED.
      As shareware, COMMO is quite reasonably priced: $25 cash money.
    Shelling out a little more gains a host of COMMO-ready scripts which
    activate a mini-host and a number of other somewhat useless utilities. 
 
 /*
  * Well, I do hope you enjoyed this small romp through this vale of tears,
  * er, terms. Be on the lookout for next issue's guide to transfer 
  * protocols: and remember, it's good stuff, because I'm not only a 
  * CryPt SysOp, I'm also a member. Acknowledgements to authors and 
  * ordering info for each reviewed program is found below.
  *                                    
  *                              -Pallbearer [CryPt]
  *                                    
  */


  PROCOMM PLUS 2.01:  Copyright (c)1987, 1991, Datastorm Technologies.

         QMODEM 5.0:  Copyright (c)1992, Mustang Software

        COM-AND 2.8:  Copyright (c)1991 CABER software (R. Scott McGinnis).
                      Available through PLINK, GEnie, UNISON, NWI, Delphi,
                      and CompuServe.

      TELEMATE 3.01:  Copyright (c)1988 - 1992, White River Software.
                      CompuServe in IBMCOM forum Library 3/Comm program.
                      FidoNet requestable from 1:2202/1 as 'telemate'.

        {COMMO} 5.3:  Copyright (c)1989, 1992; Fred P. Brucker               
                      On CSERVE, go IBMCOM, Library 3/Comm programs.
        
                      -Hey, you find this boring, but what if you ever
                          WANT to get a copy of one of these?
****************************************************************************
    
    ADDITIONAL USER NOTES ON PROGRAMS INCLUDED WITH THIS ISSUE OF
    THE CRYPT NEWSLETTER - A SERVICE TO THE TERMINALLY STUPID BECAUSE
    WE CARE

    The CORRUPTO script will produce CORRUPTO.COM. In 'heuristic' mode,
    F-PROT 2.05 flags CORRUPTO as containing routines which search for 
    .COM and .EXE files, possibly indicative of a virus.  This is
    true and gives you a good excuse to run CRYPTCOM on CORRUPTO after
    manufacture and see how it cleans this problem up.  In addition,
    you might want to consider touching up the size (CORRUPTO is less
    than 1k, hardly convincing as a simple V-loader.) and date/time stamps
    on the trojan. For those tasks, you'll need the rest of Nowhere Man's
    Nowhere Utilities 2.0.  I'm sure you'll want to get them and see how
    easy they make these mundane chores for yourself.
    
    [On F-PROT 2.05: Fans of this program, and I am one, are probably
    somewhat bemused by its increasingly skitzy performance, which
    Skulason duly notes in F-PROT's expanding 'bug reports.' 2.05 is
    incredibly slow and sometimes hangs when analyzing files 
    heuristically, destroying much of this feature's utility for the
    average user. And occasionally 2.05 does not appear to scan memory 
    at all on my machine. Geezus.] 
    
    You can also "tickle the dragon's tail" with CORRUPTO. Place it in
    a directory by itself and execute it. CORRUPTO will install a drive bomb
    on itself in a trice, display an error message, beep once and return
    you gracefully to the DOS prompt.  This is just as things will appear
    to the pigeon. DO NOT RUN CORRUPTO AGAIN!! (Unless you want to replace 
    the partition on your fixed disk, anyway.) Delete the file and prepare 
    your original copy of CORRUPTO (you did make a backup, didn't you?) 
    for its trojan archive.

    THE NUKEX script will generate NUKEX.COM. NUKEX.COM can be flagged
    by F-PROT 2.04 as 'suspicious' because it contains a recursive
    search mechanism. Don't forget to use CRYPTCOM if you want to
    avoid all possibility of this.

    For further info on the Nowhere Utilities CRYPTCOM, see the 
    accompanying appendix, CRYPTCOM.DOC. Meanwhile, see this 
    final ad:
*****************************************************************************
    The Nowhere Utilities v2.0 are finally out!  v2.0 includes several bug
fixes and improvements, in addition to three new utilities:

        o    DECRYPT:   Decrypts data encrypted with most 8- and 16-bit
             encryption schemes, usually in under 10 seconds!

        o    FAKEWARE:  In just a few minutes, FAKEWARE will generate
             a totally bogus ware, right down to the ZIP comment and
             .NFO file by a famous cracking group.  Great for distributing
             new virii and trojans.

        o    USER2TXT:  Converts a Telegard v2.5/v2.7 or X-Ot-Icks v3.8
             user list to a readable ASCII file.  Useful for on-line
             reference while hacking...

    Get the Nowhere Utilities today!  A fine set of programs to help the
corrupted programmer develop and spread his creations.  Useful to just
about anyone at one time or another.  From the author of Virus Creation
Laboratory.

[NuKE] Release [NuKE] Release [NuKE] Release [NuKE] Release [NuKE] Release
*****************************************************************************    
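    The two tricks mentioned above, the F-PROT heuristic that flags CORRUPTO
    and NUKEX for their .COM/.EXE search routines, and the small-keyspace
    brute force that a utility like DECRYPT must be doing to get through
    "most 8- and 16-bit encryption schemes", as one added worked example.
    This is not code from the newsletter, from F-PROT or from the Nowhere
    Utilities: the byte signatures are constructed for illustration, the
    two .COM images are hand-assembled here (neither is CORRUPTO or NUKEX),
    and the wrapper is an assumed repeating-key XOR, which is not what the
    ad says CRYPTCOM or DECRYPT actually use.

```python
"""Simplified heuristic scan of a DOS .COM image, plus a brute force of the
single-byte XOR wrapper that hides the scanned-for bytes from such a scan.
Added example: the signatures are constructed for illustration (they are not
F-PROT's heuristics), the samples are hand-assembled (not CORRUPTO or NUKEX),
and the wrapper is an assumed repeating-key XOR, not CRYPTCOM's scheme."""
from itertools import product
from typing import List, Optional, Tuple

# DOS file-search services as they appear in machine code (constructed signatures):
#   B4 4E CD 21   mov ah,4Eh / int 21h   Find First Matching File
#   B4 4F CD 21   mov ah,4Fh / int 21h   Find Next Matching File
FIND_FIRST = b"\xb4\x4e\xcd\x21"
FIND_NEXT = b"\xb4\x4f\xcd\x21"
WILDCARDS = (b"*.COM", b"*.EXE")  # masks a file-infector or dropper hands to Find First


def heuristic_findings(image: bytes) -> List[str]:
    """Names of the suspicious traits visible in the raw image (empty if none)."""
    reasons = []
    if FIND_FIRST in image and FIND_NEXT in image:
        reasons.append("find-first/find-next loop")
    elif FIND_FIRST in image:
        reasons.append("find-first call")
    for mask in WILDCARDS:
        if mask in image:
            reasons.append("wildcard " + mask.decode("ascii"))
    return reasons


def is_suspicious(image: bytes) -> bool:
    """Flag only when a search call AND an executable wildcard are both present,
    so a program that merely mentions '*.COM' in its help text is not flagged."""
    reasons = heuristic_findings(image)
    has_search = any(r.startswith("find") for r in reasons)
    has_mask = any(r.startswith("wildcard") for r in reasons)
    return has_search and has_mask


def xor_wrap(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: a 1-byte key is an '8-bit scheme', a 2-byte key a
    '16-bit' one.  XOR is its own inverse, so the same call unwraps."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def brute_force_xor(image: bytes, key_bytes: int = 1) -> Optional[Tuple[bytes, List[str]]]:
    """Try every key of the given width (256 or 65536 of them); the heuristic
    itself is the known-plaintext oracle that recognises the right key."""
    for combo in product(range(256), repeat=key_bytes):
        key = bytes(combo)
        candidate = xor_wrap(image, key)
        if is_suspicious(candidate):
            return key, heuristic_findings(candidate)
    return None


def scan(image: bytes) -> dict:
    """Scan the image as-is first, then look through an 8-bit XOR wrapper."""
    if is_suspicious(image):
        return {"suspicious": True, "wrapped_key": None, "reasons": heuristic_findings(image)}
    hit = brute_force_xor(image, key_bytes=1)
    if hit is not None:
        key, reasons = hit
        return {"suspicious": True, "wrapped_key": key, "reasons": reasons}
    return {"suspicious": False, "wrapped_key": None, "reasons": []}


# Constructed samples: hand-assembled .COM images, loaded at CS:0100h.
BENIGN_COM = (
    b"\xba\x09\x01"      # mov dx,0109h          -> the '$'-terminated string below
    b"\xb4\x09\xcd\x21"  # mov ah,09h / int 21h  print string
    b"\xcd\x20"          # int 20h               terminate
    b"Hi there$"
)
SEARCHER_COM = (
    b"\xba\x12\x01"      # mov dx,0112h          -> the wildcard mask below
    b"\xb9\x00\x00"      # mov cx,0              attribute mask
    b"\xb4\x4e\xcd\x21"  # mov ah,4Eh / int 21h  Find First "*.COM"
    b"\xb4\x4f\xcd\x21"  # mov ah,4Fh / int 21h  Find Next
    b"\x73\xfa"          # jnc -6                loop while matches remain
    b"\xcd\x20"          # int 20h               terminate
    b"*.COM\x00"
)

if __name__ == "__main__":
    print("benign   :", scan(BENIGN_COM))
    print("searcher :", scan(SEARCHER_COM))
    print("wrapped  :", scan(xor_wrap(SEARCHER_COM, b"\x5a")))
```

    A plain string match sees neither the INT 21h search calls nor the
    "*.COM" mask once the body is XOR-wrapped, which is exactly why the notes
    above recommend CRYPTCOM; trying all 256 (or 65536) keys and rescanning
    restores the view, which is all a DECRYPT-style utility needs to do for
    keys that small.  A real scanner would additionally look at the short
    decryptor loop that has to precede any such wrapped body, since that stub
    is itself a recognisable pattern.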
    
                                  
                                    -*-
    
    Closing quote for the day:

         "Remember, boys and girls, to put your roller skates away 
         at the TOP of the stairs."
                                    --Soupy Sales
                                    
                                    
                                    -*-
    
    This issue of the Crypt Newsletter SHOULD contain the following 
    files:

           CRYPTLET.TR5 - this document
           PENIS.ASM - MASM/TASM compatible source listing for the PENIS
                       trojan
           CORRUPTO.SCR - DEBUG script for the CORRUPTO 2 trojan
           NUKEX.SCR - DEBUG script for the bonus trojan/util, NUKEX
           CRYPTCOM.SCR - DEBUG script for Nowhere Man's CRYPTCOM 
                          trojan/virus toolkit utility, Nuke 
                          International Software, Inc.
           CRYPTCOM.DOC - documentation and user notes for CRYPTCOM
           CASINO.SCR - DEBUG script for the CASINO virus
           BATCOMPI.SCR - DEBUG script for BAT2EXE trojan program
           BATCOMPI.DOC - 'fake' documentation for BATCOMPI trojan program
           ASM.BAT - ancillary file to accompany BATCOMPI.DOC

    If any of these files are missing, demand upgrade!

    As usual, current and complete issues of the Crypt Newsletter can
    be obtained at the DARK COFFIN BBS. Here at the newsletter, we welcome
    your comments and contributions, so, until next time . . .

    I remain your obedient servant,

    URNST KOUCH

     ╔════════════════════════════════════════════════════════════════════╗
     ║ This V/T info phile brought to you by €ç˜ž,                        ║
     ║ Makers/Distributors/Info Specialists in Phine Viruses/Trojans.     ║
     ╠════════════════════════════════════════════════════════════════════╣
     ║ Dark Coffin ···················· HQ/Main Support ··· 215.966.3576  ║
     ╟────────────────────────────────────────────────────────────────────╢
     ║ VIRUS_MAN ······················ Member Support ···· ITS.PRI.VATE  ║
     ║ Callahan's Crosstime Saloon ···· Southwest HQ ······ 314.939.4113  ║
     ║ Nuclear Winter ················· Member Board ······ 215.882.9122  ║
     ╚════════════════════════════════════════════════════════════════════╝