God@rky's Virus Heaven Newsletter #1
Written by God@rky
(C)Circle-A Computers 1996 All Rights Reserved...
-----------------------------------------------------------------------------
CONTENTS

Section One - The First Edition
Section Two - Virus Heaven's Mission
Section Three - Disappearance Of Vx Magazines & Authors
Section Four - Virus Heaven Vx Site Guide
Section Five - Uncanny Virus Ideas
Section Six - Naming Viruses - How it is done
Section Seven - Government Sites & Viruses & The Laws
Section Eight - South Africa Wants Correspondence With The World's Authors & Collectors
=============================================================================
Section One - First Edition

This is the inaugural issue of the Virus Heaven Newsletter. In the future (starting w/ Issue #2) this will be available on this WWW site as well as via FTP at ftp.defiant.ilf.net and will be sent out via email to those who email me back and request to be put on the mailing list.

To subscribe - do the following:

Send e-mail to godarky@ilf.net. In the title of that letter put:

SUBSCRIBE: Virus Heaven Newsletter

*NOTE* This will only be sent out to the e-mail addresses which I receive the above emails from. So make sure your REAL e-mail address is what shows up in the letter, or you won't get it, as I don't have time to fuck around hunting down people's real e-mail addresses.
==============================================
Section Two - The Virus Heaven Newsletter Mission

This newsletter has little purpose other than to keep you all aware of what is going on, and to give you someplace else to turn as the presence of Vx magazines continues to dwindle. It is no mystery that mainstream magazines and sites have been dropping like flies. From what one can tell, the only reason for the disappearances is lack of interest in continuing on. I may get that way one day soon too, but for now I am going strong, and will continue to keep others up-to-date as long as I feel I am not talking to myself.
I have yet to hear of any confirmed cases that anyone has been busted recently.

As many of you know, my site was one of a few key distribution points for Virus Bits & Bytes Magazine. It has been about 2 months since I have been able to contact Dark Night, so I don't know if another issue will be coming out anytime soon. His site is still available via FTP (see the list in section 4) and via WWW. The VBB message board is broken. I have spoken with Chaos of ILF and he advised he might take a whack at fixing it whenever. He has not heard from Dark Night either.

The mission of this Newsletter is similar to that of Virus Bits & Bytes magazine, but won't include executables. It has been said by many of the AV folks that distribution of viruses is unethical. If you wanna test out just how strongly they believe this, try posting a uuencoded virus to alt.comp.virus, and see how quickly your ISP (Internet Service Provider) is made aware of your activities. If your ISP is nice, they will either warn you, or they will ignore the complaints. If they share the same view, you could be hunting for a new ISP soon. So in all reality, I don't recommend doing this unless you know your ISP's rules well, and you know they won't mind.

There is a newsgroup where you can get away with posting viruses, and that would be alt.comp.virus.source.code... Just last week the much wanted HARE virus aka HDeuthanasia was posted there, as well as some others. The traffic of virus postings there is pretty low, in fact, out of 100 messages, 70-80 of those will probably be multi-level marketing scams or other various forms of spam.

So really, this is just another medium for you to receive info on what is going on in the Vx world, and maybe learn something if I decide to type something worth reading. Enjoy the issue, and I welcome your feedback. You can contact me at godarky@ilf.net.
==============================================
Section Three - The Disappearance Of Virus Related E-magazines

As many of you old-timers may have noticed, virus related magazines just don't seem to last like they used to. A couple of the older, possibly legendary ones have disappeared, and even some of the newer ones have lived a very short life. Luckily enough they have a shelf life which exceeds that of any of Hostess' products and are still readily available for your reading pleasure if you don't mind hunting around. If you do mind hunting around, just check out the Vx Site list at the bottom, and you are sure to find what you are looking for there; if not, let me know where you find it and what it is, so I can check the site out.

Yes, months ago the 40hex as well as the VLAD homepages disappeared. It was kind of a sad thing to see go, but we all know that new talent will squirm its way out of the woodwork eventually, and we will have something else to read about, new tricks to learn and so on.

And also within the last month or so, the newer mag Virus Bits & Bytes magazine seemed to have screeched to a halt as well. With Dark Night nowhere to be seen or heard from, and a WWW message board that is in ruins, what remains is an intact VBB Headquarters/Homepage on the Information Liberation Front server. The VBB site seems to be working basically on autopilot, and no new issue looks to be in the works at this time, however there is whispering going on that some of the other defunct members have been busy working on a Macro Virus construction kit.

Other individual sites have also disappeared as well. Rhy's has dropped out of the Alliance as President (or Chairman or whatever...) in addition to dropping his site at ILF. It is sad to see it go, as it was around for quite some time. I think his leaving is comparable to Materva shutting down his hacking site. And of course we cannot forget the ChibaCity site as well.
Although I did hear rumors that it is coming back in a different location.

I am sorry to see all of these go, but with their absence, there will be some new kids to move into our block and hold loud parties, throw beer cans in your lawn, harass your wife, beat up your son, and probably even date your daughter... But foremostly, there will be some new zines to arise, and of course, there will be new viruses as well. It is estimated that there are still upwards of 200-300 new quality viruses a month being made, so there are still some people writing em out there.
==============================================
Section Four - The Vx FTP/WWW Site Guide

The concept of this section was created by PhreeX (phreex@ao.net). He compiled most of this information, and has authorized its use here. It is a basic run-down of some of the better, more complete sites, and covers some other various tidbits of information as well. It isn't complete by any means, but at this time, life's necessities don't permit me the time to fully update it, so what you see here is PhreeX's original file minus a few corrections or mini-updates. There wasn't time to visit every Vx site on the map, and Fly-By-Night sites will not appear in this section at this time, since they would probably not be there by the time you got this. Enjoy it

The *official*
COMPUTER VIRUS
--==[\|/]==-- World Wide Web Site/FTP Site list --==[\|/]==--
[] Version 1.03 Beta 1 []
Compiled by Dr.
PhreeX Merian
Edited by God@rky
Brought to you by FoRcE, "Taking on the web with full FoRcE"
HUGE thanks to God@rky, this would have not been possible without you!!

-INDEX-
Disclaimer
A word on safe virus storage

-LINKS-
Part 1: Virus Generators/engines
Part 2: Some popular viruses
Part 3: Mac viruses
Part 4: Needed tools (Assemblers)
Part 5: Virus related FAQs/Tutorials
Part 6: Virus INFORMATION Links
Part 7: Computer Virus links
Part 8: Conclusion (By Dr. PhreeX Merin himself!!)
Part 9: Version Information, what's to come

Any comments, questions, or additions can be sent to me: phreex@ao.net or you can call me directly 24 hours a day at: 1-809-404-5468

Disclaimer:
I (Dr. PhreeX Merian) can -NOT- nor will I be held responsible for your stupidity. Viruses can destroy your/others' computers (that is, the data within them); if you execute a virus you just might get fucked. Collect 'em, study 'em, trade 'em but for god's sake do **NOT** execute them.

Note: As of 10/13/96 at 19:38:03 PM EST every one of these links was valid, however they may die; if so please take it up with the site owner, not me!

A word on safe virus storage:
As your collection of viruses (virii) grows so does the risk of self-infection. Believe it or not you -CAN- safely store viruses on your hard drive, I have over 3,000 and have NEVER been infected! Here are just a few things you can do to protect yourself.

1) ALWAYS keep viruses zipped up, I can not stress this enough. Keep each virus in its own .zip with a text describing it (if possible). You can get a free copy of Pkzip from; http://www.pkware.com
   Remember, if it's zipped up it can **NOT** be executed!!!

2) It's a good idea to rename the file extension to something other than .com or .exe, I use .co_ or .ex_, this way you can NOT accidentally execute the virus.

3) Put all your viruses in 1 (one) directory, I use c:\VIRUS, you can use whatever the hell you want.

4) Get a -GOOD- AV scanner!
   Because everyone thinks theirs is the best you can get reviews and sites at; http://www.virusbtn.com
   I think FProt is the best, you can download a shareware copy (gag) but that's no fun, I suggest you check the alt.binaries.warez.* groups for a -REAL- copy (it's always posted somewhere).

5) Once you get an AV scanner USE IT!!! Remember, you put all your viruses in one directory; most all virus scanners allow you to exclude drives/directories/files when you scan, so set your scanner to exclude whatever directory your viruses are in. If you start to get reports of viruses outside of that directory you might have a problem.

6) If you're really paranoid you can keep all your viruses on floppy disk. Actually, this is a good idea; due to the small size of viruses you can store TONS of 'em on only a few disks. ZIP drives are also nice to have, so are CDR's. If you put your viruses on disk LABEL the disk so others don't infect you.

7) USE COMMON SENSE! This is really the best protection, don't be an idiot, don't run anything that you don't know what it does, yadda yadda yadda...

On with the show......

Here is how this file is arranged;

File/Site name
http://www.this.is.the.site
Review of the site/file will go here...

Let's get started!!

Please note the following;
I would like to keep this file somewhat small, for that reason I will not go into just what each virus/program does. If you wish to know just what one of these does then go here: http://www.Europe.DataFellows.com/vir-info/

I also have omitted links directly to virus sims (emulators), these are used for testing AV scanners and are of little use to the VX community.

(God@rky: Actually according to many of the AV folks, virus sims are useless. And that only a good test can be performed by an AV expert. As well as the factoid that the only test they consider a good install test is the EICAR test.)
Part 1 [ Virus Generators ]

These are alright, however most of them do not work 100% of the time and the viruses are easily picked up by even the most half assed scanners. All of the following are located at: http://www.kuai.se/~panik
Should these URLs be dead please go directly to the site.

Instant Virus Production Kit v1.7
http://www.kuai.se/~panik/archive/ivp.zip
This is alright, however all of these are picked up.

Mutation Engine 1.00a
http://www.kuai.se/~panik/archive/mte.zip
Not very user friendly, still, it's all right.

NuKE Randomic Life Generator v.66b
http://www.kuai.se/~panik/archive/nrlg.zip
This one is cool.

Phalcon/Skism's G2 v.70ß
http://www.kuai.se/~panik/archive/g2.zip
I have yet to use this, word is, it sucks.

TridenT Polymorphic Engine v1.4
http://www.kuai.se/~panik/archive/tpe14.zip
A nice polymorphic engine.

Compact Polymorphic Engine
http://www.kuai.se/~panik/archive/cpe-ape.zip
A nice polymorphic engine.

Rajaat's Tiny Flexible Mutator
http://www.kuai.se/~panik/archive/rme11.zip
Not very good, however I believe these are not yet picked up by most scanners.

NoMut v0.01
http://www.kuai.se/~panik/archive/nomut.txt
Decent polymorphic engine.

SDFE 2.0
http://www.kuai.se/~panik/archive/sdfe20.txt
Nice, however every one of these is picked up.

The Rickety and Hardly Insidious yet New Chaos Engine v2.0
http://www.kuai.se/~panik/archive/rhince2.txt
The name says it all.

VLAD infinite polymorphic
http://www.kuai.se/~panik/archive/vip.txt
Ya gotta grab this one!!

Small Polymorphic Engine
http://www.kuai.se/~panik/archive/spe.txt
This is a nice polymorphic engine.

Biological Warfare Mutation Engine
http://www.kuai.se/~panik/archive/bwme.txt
This is the *REAL* one.

Mini Mutation Engine v1.0
http://www.kuai.se/~panik/archive/mime1294.zip
I have yet to use this.

Trojan Horse Construction Kit v2.0
http://www.kuai.se/~panik/archive/thck200.zip
My personal favorite when it comes to trojans

TSR Time Bomb
http://www.kuai.se/~panik/archive/tsr_tb.zip
All right.

Virus Creation Laboratory v1.0
http://www.kuai.se/~panik/archive/vcl.zip
This one is WAY over hyped, only a few of the viruses work and they're all picked up by ANY virus scanner. Skip this one, you're not missing a damn thing! BTW, the password is "Chiba City" (without the " ")

Virus Lab Creations v1.1
http://www.kuai.se/~panik/archive/vlc.zip
A little better than the above.

Virus Creation 2000
http://www.kuai.se/~panik/archive/vc2000.zip
Lame!

Virus Construction Set v1.0
http://www.kuai.se/~panik/archive/vcs10.zip
Lame!

Biological Warfare Virus Creation Kit
http://www.kuai.se/~panik/archive/bw100.zip
Good for a virus generator.

The Nowhere Utilities 2.0
http://www.kuai.se/~panik/archive/nutils20.zip
All of these are picked up

Part 2 [ Some Popular Viruses ]

These are some of the most *POPULAR* viruses, they might not be the most powerful however these are the ones you keep hearing about. Most of these come to us from God@rkys virus heaven located at; http://www.ilf.net/god@rky/virii.htm

The Hellish Conspiracy Virus
http://www.ilf.net/god@rky/virii/hellish.zip
Sounds pretty cool, but sure wouldn't want it on my system. Does a lot of peculiar shit with your PC speaker too.

The CriCri Virus
http://www.ilf.net/god@rky/virii/cricri.zip
Nifty, I have yet to run this.

The HARE Virus
http://www.ilf.net/god@rky/magazines/vbb-3.zip
One of the hottest viruses EVER!! And it's a nasty one too!!
NOTE: This zip has several viruses, READ THE INCLUDED TEXT!

The Tentacle Virus
http://www.ilf.net/god@rky/magazines/vbb-3.zip
Another virus that rocked the AV/VX community, does really neat stuff to your windows icons!!
NOTE: This zip has several viruses, READ THE INCLUDED TEXT!

The Rickdog666 Virus
http://www.ilf.net/god@rky/magazines/vbb-3.zip
This virus got a kid kicked out of school, don't miss this one!
NOTE: This zip has several viruses, READ THE INCLUDED TEXT!

--MACRO VIRUSES--
Macro viruses are .doc files that, when opened, will infect your machine.
HINT: Do not try to open these to view them!

The Alliance Word Macro Virus
http://www.ilf.net/god@rky/virii/alliance.zip
Nice virus, brought to you by the alliance.

Colors Macro Virus
http://www.ilf.net/god@rky/virii/colors95.zip
*GREAT* Virus!!! This also comes with source code and a file on making your own Macro viruses!!! Do *NOT* miss this one!!!

The Outlaw Macro Virus
http://www.ilf.net/god@rky/virii/outlaw.zip
This is pretty new, not sure exactly what it does.

Word.Easyman Macro Virus
http://www.ilf.net/god@rky/virii/wrdesymn.zip
A newer Macro virus, I have yet to see the destruction.

Word.Saver(SEX) Macro Virus
http://www.ilf.net/god@rky/virii/wordsavr.zip
Yet another Macro virus.

Word.Spooky Macro Virus
http://www.ilf.net/god@rky/virii/wrdspook.zip
This is one you do *NOT* want to get infected with!

Part 3 [ MAC Viruses ]

In this era of equality no one is left out, this includes those that fell for the media ploy and own a Macintosh (Apple). So far I know of only this file, taken from God@rkys (http://www.ilf.net/god@rky/virii.htm)

Macintosh Viruses (huge file)
http://www.ilf.net/god@rky/mac/macvirii.zip
I know nothing about these, BTW, funny how they are for the mac yet they're in a .zip file 'eh?

Part 4 [ Needed Tools ]

These are all used in compiling virus source code. I have been told that some of these are *NOT* freeware, IOW they're pirated software.

a86 Assembler (Shareware)
http://www.ilf.net/god@rky/tools/a86v402.zip
Shareware assembler, this is a good one for compiling all that .asm code.

d86 Debugger (Shareware)
http://www.ilf.net/god@rky/tools/d86v402.zip
Shareware debugger, great to get the source of a compiled virus.

Turbo Assembler v4.0
http://www.netwalk.com/~silicon/progs/virus/tasm.zip
I have been told by a number of people this sells for about $100, either way this is the *BEST* assembler out there!

Turbo Link
http://www.netwalk.com/~silicon/progs/virus/tlink.zip
You might need this also.

SoftIce for Win95
http://www.kuai.se/~panik/archive/softice.zip
SUPER debugger for windows '95 (also good for cracking software)

SoftIce for Windows 3.11
http://www.kuai.se/~panik/archive/m_wice13.zip
The same great program for windows 3.1.

SoftIce for Dos
http://www.kuai.se/~panik/archive/s-ice280.zip
The BEST DOS debugger!

Disaster
http://www.kuai.se/~panik/archive/disaster.zip
Dos disassembler.

IBM Assembly Code Generator
http://www.kuai.se/~panik/archive/asmgen.zip
A program that generates source code from an executable.

Bubble Chamber Disassembler
http://www.kuai.se/~panik/archive/bubble.zip
Really good disassembler (What I use)

Intelligent Disassembler v1.2
http://www.kuai.se/~panik/archive/id12.zip
Good disassembler.

Part 5 [ Virus related FAQs/Tutorials ]

These are FAQs all about viruses, both removal and infection. Also included are some tutorials on making viruses.

x86 Assembly Language FAQ - a86 & d86
http://www.cis.ohio-state.edu/hypertext/faq/usenet/assembly-language/x86/a86/faq.html
Well, it's not going to make you an assembly programmer but it's a good start

alt.comp.virus FAQ (This is the FULL current version, very AV)
http://www.ilf.net/god@rky/acv_faq.html
This is the FULL version of the a.c.v FAQ, not the original yet it's still very good!

alt.virus FAQ (The original a.c.v FAQ, very VX)
http://www.ilf.net/god@rky/acvx_faq.html
This is the *ORIGINAL* a.c.v FAQ, as you can see a.c.v was made as a pro-virus newsgroup!

VSUMx606
ftp://ftp.germany.eu.net/pub/comp/msdos/mirror.garbo/virus/vsumx606.zip
This is an OK Hypertext. It is said to have lots of errors in it. You know, stuff like dates when a virus first appeared and what not, and in some cases what the virus does. The AV people regard it as not a very good Hypertext. It will get the job done in many cases but it is always light years behind what you will find at any of the Vx sites.

VDAT170
This is a very good up&coming hypertext.
I am impressed with how far it has come in such little time, and think it has the potential to come along much further. Keep an eye on this little gem in the months to come, it could become a valuable asset to those wondering what items in their collection or infecting their system are doing.

Anti-Debugging Tricks
http://www.ilf.net/god@rky/tutorials/antdebug.txt
Really good file on anti-debugging tricks, too bad most of it's picked up by AV scanners.

Black Wolf's Guide To Memory Resident Virii
http://www.ilf.net/god@rky/tutorials/memres.txt
Good file on MRV.

Polymorphic Viruses - Part 1
http://www.ilf.net/god@rky/tutorials/polymorph.txt
REALLY GOOD file on Polymorphic Viruses.

Polymorphic Viruses - Part 2
http://www.ilf.net/god@rky/tutorials/polymrph2.txt
Second part of the above file.

Disinfecting Infected Files
http://www.ilf.net/god@rky/tutorials/rstut001.txt
This should appeal to the AV community, that is the portion of the AV community that understands this stuff.

TSR COM Infections
http://www.ilf.net/god@rky/tutorials/rstut002.txt
Good file, complete.

Constructing Kit on Infecting COM's
http://www.ilf.net/god@rky/tutorials/rstut003.txt
Good file on COM infection.

Infection On Closing
http://www.ilf.net/god@rky/tutorials/rstut004.txt
I haven't checked this out yet.

EXE Infections Part 1
http://www.ilf.net/god@rky/tutorials/rstut005.txt
This is something ALL virus coders have to read!

EXE Infections Part 2
http://www.ilf.net/god@rky/tutorials/rstut006.txt
Part 2 to the above file.

Directory Stealth
http://www.ilf.net/god@rky/tutorials/rstut007.txt
GREAT file on getting past MS DOS Checksum Checker!

Directory Stealth (Method 2)
http://www.ilf.net/god@rky/tutorials/rstut008.txt
Second method of improving stealth viruses.

Memory Stealth
http://www.ilf.net/god@rky/tutorials/rstut009.txt
Another GREAT file on TSR's

The Dangers of ThunderByte's TBClean Emulation Techniques
http://www.ilf.net/god@rky/tutorials/rstut010.txt
Article on getting past TBClean's methods of disinfection.

Part 6 [ Virus INFORMATION Links ]

These are all pages that provide information on viruses, not the actual viruses.

Dr Solomon's very own personal homepage
http://www.pcug.co.uk/~drsolly/
It's our very own Dr. Solly's homepage (dude, try a
tag) He also offers the laws on computer viruses, ya gotta check that so you know just what laws you're breaking!

Data Fellows Virus Information Centre
http://www.Europe.DataFellows.com/vir-info/
VERY VERY GOOD site, virus list and information!

Dr Solomon's - Viruses In The Wild
http://www.sands.com/vircen/wild.html
Dr. Solly's virus list (not that complete however)

CIAC Security Site
http://ciac.llnl.gov/ciac
See what the government has to say about viruses.

Part 7 [ Computer Virus WEB pages & FTP sites ]

The following are links to WWW pages and FTP sites that offer live viruses and source code for you to download.

WARNING: Up until now all the viruses and programs have been safe-to-store however some of the viruses on some of the pages may be in live .exe or .com form, BE CAREFUL!!

Information Liberation Front
http://www.ilf.net/
VERY NICE site, pay these guys a visit!!

The Alliance Virus group
http://www.ilf.net/alliance/
Another nicely done site, these guys got it together!!

God@rkys Virus Heaven
http://www.ilf.net/god@rky/virii.htm
No list would be complete without this site, hell, most of the stuff above comes from his site, VXers or AVers CHECK HIS SITE OUT! Cicatrix's Virus Collection Updates are available here as well, be sure to visit at least once a month to make sure you have the updates.

Paniks Page
http://www.kuai.se/~panik/
TONS (TONS!) files!!

RickDoggs Virus page
http://pwp.usa.pipeline.com/~rickdogg96/index.htm
A really good page (he is also the maker of the rickdogg666 virus)

Virus Programing
http://lila.uc.pt:8082/~pedro/virus.html
Good place to start, RARE source and FAQs

Computer Virus Lab - Home Page
http://www2.spidernet.net/web/%7Ecvrl/
This page is nothing more than an ad for a CD ROM, they boast over 13,000 viruses, however I doubt that .. if anyone has this CD e-mail me!

Virus And Other Fine Code Authors
http://www.ntplx.com/~sniper/vofca/index.html
A VERY nice web page!

J & A Virus page
http://www.bocklabs.wisc.edu/~janda/
TONS of stuff here.

Infection Connection
http://pegasus.cc.ucf.edu/~kes65601/
Cool name, wish I thought of that!

virii
http://wwwmbb.cs.colorado.edu/~mcbryan/bb/23/29/summary.html
Well, it's a start

Dante's inferno
http://www2.dgsys.com/~dante/virii.html
Only a few viruses.

Virii
http://www2.netdoor.com/~boomn69/virii/
Neat graphics! Some good viruses.

Gugi's Virus page
http://www.geocities.com/SiliconValley/Park/4650/
Good page.

The virus and hacking homepage
http://www.cris.com/~Bstock/
Really good site, he gives a description of -EVERY- virus he offers (even has a Coolio midi)

Virus Authors Information Site
http://members.visi.net/~muja/virus.html
Nice, frames use could be better however you get the viruses so it doesn't matter. (I like what he says)

Cyber hazzard's
http://www.lafayette.edu/~warendaj/virii.html
Mostly source.

Digital hacker alliance homepage
http://www.lochnet.com/client/dha/index.html
You gotta check this out, tons of stuff.

Seths virus page
http://home.webserve.net/~eldritch/virii.html
Not a whole lot here.

virii stuph
http://www.angelfire.com/pages0/goodie/virus.html
Some good stuff

A virus page with no title
http://www.geocities.com/SunsetStrip/3192/breaker.html
Nice layout, needs an update on some of the links.

DarkChasms Virus page
http://www.geocities.com/SiliconValley/Heights/1789/
Lots of stuff, too many damn midis!

Virus/Warez/Hack
http://www.agate.net/~krees/virii.html
Masses of links, no actual viruses but there are LINKS!

Dr. PhreeX Homepage
http://www.ao.net/~phreex
It's my page, over 1,000 live viruses and tons of source! (you do need the password, ask nicely!)

If you have any links to good (or even crappy) virus pages send 'em my way, I will add to this list later..

Part 8 [ Conclusion (By Dr. PhreeX Merin himself!!)
]

Well, after a few hours of surfing around and testing ALL THESE links I give you the "Computer Virus Site List 1.02". This is still a beta, it will be until I can no longer come across a new virus page. If you know of anything VX related please e-mail me (phreex@ao.net).

You might object to this list, many people do, they believe viruses should be illegal and no one should have access to them. However if you dislike this then fine, don't read it or download from the above sites. The problem is lamer newbie fucks think the internet is like the real world, where there is an organized legal system to stop anyone that does wrong, well .. welcome to cyberspace, people like me will always be here!!

Part 9 [ Past version history, and what's to come ]

Version 1.0 Beta 1
Listed a few sites, lots of Virus Gens.

Version 1.01
Added more URLs, added section on safe virus storage.

Version 1.02
Current.

For a current copy of this list send a request to phreex@ao.net or look in the usenet newsgroup alt.comp.virus

Regards,
Dr. PhreeX Merin, PhD in the cyber underground
==============================================
Section Five - Uncanny Virus Ideas

Well at this point, I guess this section would otherwise be empty being this is the first issue. But we cannot have that, so I will improvise and do my best to get us started. This area will mostly consist of ideas for the authors with virus writer's block. Or maybe somewhat of a humor section as well. We will see how it goes... If you have ideas you would like to contribute, feel free to e-mail me at godarky@ilf.net and I will put the best of em in the next issue. :)

1. The Eicar Virus.

For those of you who don't know what the EICAR file is, I will explain. It is a file which you can append to just about any kind of file and will cause the file to be reported as infected when scanned with an AV product that supports the EICAR test file. It is a big political pissing contest for a standardized installation test for AV products really.
Anyhow, an interesting idea for a virus might be one that incorporates the EICAR test file as camouflage. Sounds stupid? Think about it. Most of the popular AV products (F-Protect, McAfee's, Norton's (I think) and Dr. Solomon's) all detect it for what it is. It is said that AV companies get the viruses that you write within days (usually) of the first time they are distributed from a site like mine. Usually from someone who has become infected with the virus and sends them an infected file.

Well more than likely what are the guys in the virus lab gonna think when they first scan the file and it shows up as the EICAR file? Well one of 2 things, and I think the latter of the 2 is more than likely what will occur until they learn otherwise. The first being that they might do a disassembly of the file and see what they can find in the code. Or they might let the file loose on a hospital computer and see if they can replicate it. While this could happen, I tend to think that they probably see a lot of EICAR infections, which would bring me to the second scenario, which is that they would more than likely write it off on the assumption that the person attached the EICAR file to the file in question, without even testing it for replication. If this were the case, you could hide all kinds of heinous code behind this, and it would prolong an AV program from detecting your new creation possibly.

So now you have an idea as to how this section will be filled in the future. Send in your revolutionary ideas and they will appear just like this one did.
==============================================
Section Six - Naming Viruses

So, you author viruses. Do you name them before you write them or after? Well many name them before and many name them after. But in all reality, it doesn't really matter what you name them, as that name probably isn't going to stick. In other words, you, the author of the virus, don't get to choose the name of your own creation.
Picture your wife carrying a baby in her womb for 9 months. With a little medical help at the hospital, the baby is delivered, and the birthing papers are finished and all that, and now comes the time you get to use that name that you perhaps spent months deciding/arguing on. Imagine if some baby naming organization came in and decided they didn't like that name and stamped some generic name on your child. Pretty crazy huh? Well that is how viruses get their names, for the most part.

I know it is a great misnomer that the author names the viruses. But I will explain how viruses get their names when it is their time. It was explained to me by Dr. Alan Solomon himself, and it is really sort of a strange process when you think about it.

You author a virus, we will call it "Satan's Dumpster". You spread Satan's Dumpster to numerous Vx sites and via alt.comp.virus.source.code and so on. Well your virus gets spread enough, and enough infections are reported that it makes the "In The Wild List". Well now that it is ready for recognition by the AV community, it is time for Satan's Dumpster to get its REAL name.

Dr. Solomon described this process as a group of beer swilling people who get together in a pub to talk about viruses. This group is known as CARO. They are the people who come up with the name of your virus. They will decide Satan's Dumpster will be called "Billy Goat". Thus whenever the AV companies decide it is time and the need is there to detect your creation, it will detect it as the Billy Goat virus. Nifty huh?

You don't believe me? Remember the HARE virus? The original author named it HDeuthanasia; by the time CARO got a hold of it, it became the HARE virus. It was said it was named after a rabbit. But it is apparent that it was named after the chant which prints on your screen when the virus is activated on your computer in relation to the Hare Krishna religion. If that is not enough for you, how about the Bizatch virus. It is now detected as the BOZA virus.
So before you spend hours and hours thinking of some clever new name for your virus, remember that in the end, that probably won't be the name of the virus.
==============================================
Section Seven - Government Sites & Viruses & The Law

Dr. Solomon's Virus & Computer Crime related law page is interesting as well as a good resource for those of you that care about what laws, if any, you are breaking. The page has the federal laws for the United States of America, as well as the various state laws (which are more harsh and relate to those of you who reside in a particular state more), as well as laws in the UK and a few other countries. If your country isn't listed and you know the laws, you might visit his site and drop him a line so he can get them posted.

The federal law(s) in the United States are pretty straightforward, and don't really affect you unless you are targeting the government. They state that you are not breaking a federal law, unless you harm a computer of theirs, or one they have interest in. Well that is fine and dandy, but most of the state laws are much harsher, but still are only a slap on the wrist. In my state (Oregon) for example, I believe spreading viruses to a big business, such as say Intel for example, is only a Class B Felony. A Class B felony is a small hit for someone without a prior record. But then you have to remember that this is only 1/2 of the trouble you would get into. This would be the criminal trial. After that is said and done, I am sure Intel would take me to court on a civil trial and make me poor for hundreds of years if I were to live that long. Provided they could prove their case in a court of law.

So if you are not sure what laws, if any, you are breaking, you may want to visit Dr. Solomon's and find out. The reason I recommend his site is because you don't need a degree in criminal law or a Latin translator to understand the laws on his page.
You also don't have to wade through an entire Law Library to find what you are looking for, like some of the other law sites on the net. There is a direct link on my site which will take you there, or you can look above in Phreex's Site list in the previous section and get the URL for the site.

So what does the AV industry think of our sites? Well, in the Usenet, they would have you believe that our sites are the tool of Satan (or insert your social/religious equivalent of the Antichrist here) and Virus Authors are not relevant to the existence of the AV industry as it is today. I personally think this is bullshit, but who am I, right?

What does the government think of our sites? Well, I guess that depends on where you live. The federal government of the U.S. doesn't really give a shit personally. And a branch of them, the CIAC, has actually written me, after visiting my site, and requested that I put a link to their site on my page. I have done so, because there is information there which some might find useful, *AND* because they were civil in their e-mail and recognized that sites like mine will exist whether they want them to or not, and that they can actually give them a jump on disinfecting viruses as they come out.

The AV companies tend to say they will not use our sites, but I still read every now and then in alt.comp.virus that there are many informants between the AV world and the Vx world. Which tends to make me think that our sites are used. If I were to send them a Vx dropper file, they would probably incorporate it in their next version of AV software. They keep telling me that viruses that make the ITW (In the Wild) list are ones that are spread widely. Well, a lot of viruses that are spread widely never make that list that appear on my site, The Alliance's site, or any other heavy traffic sites. So this theory has proved inaccurate, or whoever keeps the ITW list is lazy or waiting for a media frenzy before adding to the list.
A site like mine will get anywhere from 200-1000 hits a day, maybe more. And the downloads are unreal. In a week I think a virus can be pretty well widespread, at least to fit their definition of "widespread". But they never appear. But then, what was the virus renamed to, huh?

==============================================
Section Eight - South African Virus Authors/Collectors would like to Exchange information and Techniques with you.

Well, about 2 weeks ago, I received the following letter in e-mail. It was from South Africa, and they wanted me to spread the word. Well, I forwarded the message to a few people, but I didn't feel that did the letter or the cause justice, so I am going to print it up here, and let others have access to the letter as well. Feel free to correspond with them, they welcome it. :)

-----------------------------E-mail Start Here-------------------------------
Hi, I'm Rudy from South Africa.

I have just started to gather a group of interested Virii "Collectors" and "intelligence gatherers" in South Africa. I (we) would like to communicate with you guys on interesting subjects like "cookbooks" and "recipes". Some of your groups have been established for many years and hold a treasure of knowledge when combined.

My real e-mail : Rudy@lexicon.co.za

Waiting for your reply
------------------------------E-Mail End Here--------------------------------

==============================================
Well, that is it for this issue. I am looking at providing this on a monthly basis, and welcome your feedback.

Things to come in the next issue planned are:

1. Beginners Guide for Newbie Collectors
2. Beginners Guide for Newbie Authors

And I am sure other ideas will pop up as well. I welcome your feedback, flames, or other tidbits of info as well. You can mail me at godarky@ilf.net for correspondence.