God@rky's Virus Heaven Newsletter #2
Written by God@rky
(C)Circle-A Computers 1996 All Rights Reserved...
-----------------------------------------------------------------------------
**Warning**

This magazine deals with Viruses, their production, and their distribution, and frankly anything else that is virus related that we wish to publish here. The ethics of this magazine's very existence may upset you. The intent of this magazine is to keep those interested in collecting or authoring viruses up to date as well as we can with some of the information that can be found here and abroad.

If you have any questions, comments, ideas or article submissions, by all means send them via E-mail at: godarky@ilf.net
-----------------------------------------------------------------------------
CONTENTS

Section One   - Site News & Corrections
Section Two   - In The Wild List
Section Three - Beginners Guide For Newbie Collectors
Section Four  - *NEW* Virus Related Newsgroup
Section Five  - Vx Related Books
Section Six   - Vx Site Guide (FTP/WWW) - Revised
Section Seven - Assembly Language Help For Beginners
Section Eight - Out With The Old/In With The New - E'zines
Section Nine  - Integrity of Virus Collections - Questioned
Section Ten   - A Call For Help With GVHN
=============================================================================
Section One - Site News & Corrections

I suppose top of the list should be regarding Virus Bits & Bytes magazine. I have recently contacted Dark Night of VBB. He advised he has been real busy as of late with Life's necessities (Work) and hasn't had time to do anything lately. But that VBB is still around, and waiting for new articles and so forth. So in the future we can expect to see more from VBB.

Also in the last issue, in the Disappearing Sites area, I posted of the absence of ChibaCity. Promptly after the release of Issue #1, I received several letters with the new URL for ChibaCity.
You can now once again enjoy accessing ChibaCity at: http://www.chibacity.com/chiba/vrc.html.

One more site that disappeared during the month of November was actually that of one of the Virus Bits & Bytes members, "RickDogg", the author of the LordNatas v666 bug that came out last August. Anyhow his old site was located on PSInet's "Pipeline USA" service. It actually lasted quite awhile till somebody either reported it, or Pipeline actually found out about this little gem amongst their homepages. So Rickdogg's entire account disappeared, not just the website. He has picked up residency at ILF with some of the rest of us. His site can be found at: http://www.ilf.net/rickdogg As well as his two new virus releases which will also be at Virus Heaven.

Cicatrix, the guy keeping track of all the viruses around the scene, and putting them in NIFTY collections to keep us all a little more organized, has finally put up a Web site. It is small right now, with very few links to files. Currently though, there is a good portion of his collections available at http://www.ilf.net/god@rky/virii.htm in the "Virus Collections" section of the site. Also there, you will be able to get ahold of VDAT170.ZIP. VDAT is a DOS-based virus hypertext (Windows version is currently under development) which is an excellent tool for those in the Vx and Av worlds alike. All kinds of info is available in it, and it is a must see if you are interested in computer viruses. Keep an eye on this site, it should become a hot site as Cicatrix gets more time to work on it. Anyhow to get to this site, point your favorite browser to http://www.cyberstation.net/~cicatrix and bookmark this bad boy.

PhreeX's Site Guide there was a link to TASM 4.0 which led to a TASM v2.0 (1989).
=============================================================================
Section Two - In The Wild Lists

In The Wild Lists are kinda a strange animal.
As you will see in the newest one available which I am pasting into this issue of GVHN, there are some requirements for which your virus must go, before it reaches acknowledgment by an AV company for inclusion in their scanner. While it is most authors' objective to keep their virus from being detectable by a mainstream scanner. If the virus has any kind of effect on other people's systems, such as a decent infection ratio, it is almost inevitable that it will end up on the ITW lists, as well as on some AV scanner's list of detectable and cleanable virus list.

So, as I covered in the last issue, CARO gives the virus its industry name. Usually, if CARO knows what the AUTHOR named the virus, it will be labeled in the ALIAS field of the ITW list. But CARO's name of the virus is the one that the listing will use as the virus's primary name. A good example of this is the HARE inclusion in this list. There is no alias listed for this virus. Yet many of us know that at least one of the strains was called "HDEUTHANASIA". You will see a lot of blanks in the Alias field.

What follows is the most recent ITW list I could find. The one at the Dr. Solomon's AV site was from July 1996. That was a little old. The one I have here came from the archive and was the newest one available there as of November 18th, and it is from October. I have included it almost entirely in its original state, so you could read what their basis is for adding viruses to their list, and so forth.

============================================================================
PC Viruses in the Wild - October 22, 1996
============================================================================
This is a cooperative listing of viruses reported as being in the wild by 44 virus information professionals. The basis for these reports are virus incidents where a sample was received, and positively identified by the participant. Rumors and unverified reports have been excluded.

This report is cumulative.
That is, this is not just a report of which were seen last month. Monthly data is received from most participants, but the new data is added to the old. Participants are expected to let me know when I should remove their name from a virus that they haven't seen in a year and a half or so.

The list should not be considered a list of "the most common viruses", however, since no specific provision is made for a commonness factor. This data indicates only "which" viruses are in the wild, but viruses reported by many (or most) participants are obviously widespread.

The WildList is currently being used as the basis for in-the-wild virus testing of antivirus products by Virus Bulletin and the NCSA (National Computer Security Association). Additionally, a virus collection based upon the WildList is being used in an effort to standardize the naming of common viruses.

The WildList - (c)1993-1996 by Joe Wells - wildlist@vcnet.com
============================================================================
The section below gives the names of participants, along with their geographic region, organization, and antivirus product (if any). The locations with an asterisk (*) note that the reports are regional, all others being multinational or global.

Key Participant          *Region          Organization       Product
============================================================================
Ac  Alan Candy           *New Zealand     Applied Insight    F-Prot Pro
Ad  Allan Dyer           *Hong Kong       Yui Kee Co. Ltd.   F-Prot
Ae  Amir Elbaz            Israel          EliaShim           ViruSafe
Bn  Barnabas Nagy        *Slovakia        NaBaware           Dr. Solomon's
Bq  Blend Qapiti         *Albania         Poly U Tirana      None
Cb  Carl Bretteville      Norway          Norman Data        NVC
Cj  Craig Jackson         USA             Datawatch          VirexPC
Cs  Christian Schmid     *Austria         DataPROT Linz      F-Prot
Dc  Dave Chess            USA             IBM                IBM AntiVirus
Dg  Dmitry Gryaznov       UK              S&S Int'l          Dr. Solomon's
Ek  Eugene Kaspersky     *Russia          KAMI               AVP
Ev  Eduardo Velasquez    *Colombia/Vene.  SOFTEAM Ltda       VirusCOP
Ew  Eddy Willems         *Belgium/Lux.    De Vaderlandsche   None
Fl  Ferenc Leitold       *Hungary         Hunix Ltd.         Virus Buster
Fs  Fridrik Skulason      Iceland         Frisk Int'l        F-Prot
Gm  Gerard Mannig        *France          RECIF              None
Gp  Gabriel Pislaru      *Romania         SoftWin            AVX
Iw  Ian Whalley           UK              Virus Bulletin     None
Jd  Joost de Raeymaeker  *Portugal        RSVP               Dr. Solomon's
Jk  Jimmy Kuo             USA             McAfee             ViruScan
Jm  Jose Martinez        *Peru            HackSoft S.R.Ltda  TH AV
Kd  K. T. Davies         *India           Pioneer Micro      Vaxine
Ks  Klas Scholdstrom     *Sweden          QA Informatik      Dr. Solomon's
Ls  Luca Sambucci        *Italy           I.C.A.R.O.         None
Mh  Mikko Hypponen       *Finland         Data Fellows       F-Prot Pro
Ms  Marek Sell           *Poland          APEXIM             MkS_vir
Nb  Neville Bulsara      *India           N&N Systems        Dr. Solomon's
Oh  Omar Herrera         *Mexico          Escuadron AV       Aguila AV
Pb  Pavel Baudis         *Czech Republic  Alwil Software     Avast!
Pd  Paul Ducklin          UK              Sophos Plc.        Sweep
Ra  Ruben Arias          *Argentina       RALP               Integ Master
Re  Ralph Tee            *Malaysia        R.E.Solutions      Armour AV
Rf  Richard Foley        *Ireland         Reflex Magnetics   TBAV
Rk  Richard Ku            Taiwan          Trend Micro        PC-cillin
Rr  Roger Riordan         Australia       CYBEC              VET
Rt  Roger Thompson        USA             Thompson Network   Doctor
Rv  Robert Vibert        *Canada          Sensible Security  Dr. Solomon's
Rz  Righard Zwienenberg   Netherlands     ESaSS BV           ThunderBYTE
Sc  Shane Coursen         USA             Symantec           NAV
Sg  Sarah Gordon          USA             Command Software   F-Prot Pro Net
Sm  Seiji Murakami       *Japan           Jade Corp          Scan Vakzin
Td  Toralv Dirro         *Germany         U of Hamburg       None
Ws  Wolfgang Stiller      USA             Stiller Research   Integ Master
Yp  Ywain Penberthy      *So Africa       CSIR Virus Lab     VPS
============================================================================
The WildList
============================================================================
This main list includes viruses reported by multiple participants, which appear to be non-regional in nature. Technically, this first list is "the" WildList according to my original specification, which required viruses to be verified in the wild by a minimum of two participants. A supplemental list follows that contains viruses reported by single participants.
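
Added example (not part of the WildList or of this newsletter): Python code that parses rows in the list's layout, applies the two-participant rule separating the main list from the supplemental one, and audits the +/- markers and reporter keys. Most sample rows are copied from the list on this page; the two `Sample_` rows and the key `Zz` are constructed, and the function names are this example's own.

```python
import re
from collections import Counter

# Row layout used by the list on this page:
#   [+|-]CARO.Name.....[Alias, Alias...] KeyKeyKey
# "+" = new to the main list, "-" = dropped to the supplemental list.
# Reporter keys are two letters (upper, lower) run together; a long run wraps
# onto a continuation line that holds keys only.
ROW = re.compile(r"^([+-]?)(.+?)\.*\[([^\]]*)\]\s*((?:[A-Z][a-z])*)$")
CONT = re.compile(r"^(?:[A-Z][a-z])+$")
KEY = re.compile(r"[A-Z][a-z]")

# The 44 participant keys from the participant table on this page.
PARTICIPANTS = set(
    "Ac Ad Ae Bn Bq Cb Cj Cs Dc Dg Ek Ev Ew Fl Fs Gm Gp Iw Jd Jk Jm Kd "
    "Ks Ls Mh Ms Nb Oh Pb Pd Ra Re Rf Rk Rr Rt Rv Rz Sc Sg Sm Td Ws Yp".split()
)

# Rows copied from the October 22, 1996 list, except the last two, which are
# constructed to trigger the audit checks.
SAMPLE = """\
15_Years................[Espejo, Esto te] AeDcDgEvJkJmRtScSgSm
AntiCMOS.A..............[Lenart.........] AcAdCbCjDcDgEvEwFlFsGmIwJdJkJmKd
                                          KsMhMsPdReRtRvScSgSmWsYp
+Cruel...................[...............] GmGpMhTd
Yankee Doodle.TP-39.....[RCE-2772.......] DgFs
Accept.3773.............[...............] Ra
+Sample_One.100..........[...............] Dg
Sample_Two.200..........[Demo...........] DgDgZz
"""


def parse_wildlist(text):
    """Parse list rows into dicts; raise ValueError on an unrecognised line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or set(line) == {"="}:
            continue                                  # blank line or ==== rule
        if CONT.match(line) and entries:              # wrapped reporter keys
            entries[-1]["reporters"] += KEY.findall(line)
            continue
        row = ROW.match(line)
        if row is None:
            raise ValueError(f"line {lineno}: not a WildList row: {raw!r}")
        marker, name, alias_field, keys = row.groups()
        # The alias field is dot-padded to a fixed width; all dots = no alias.
        aliases = [a.strip() for a in alias_field.strip(". ").split(",")
                   if a.strip()]
        entries.append({"name": name, "aliases": aliases,
                        "reporters": KEY.findall(keys), "marker": marker})
    return entries


def list_for(entry, minimum=2):
    """Main list needs `minimum` distinct participants, else supplemental."""
    distinct = len(set(entry["reporters"]))
    return "main" if distinct >= minimum else "supplemental"


def audit(entries, known_keys=PARTICIPANTS):
    """Return (virus name, problem) pairs for rows that break the list's rules."""
    problems = []
    for e in entries:
        where = list_for(e)
        if e["marker"] == "+" and where != "main":
            problems.append((e["name"], "marked + with fewer than two reporters"))
        if e["marker"] == "-" and where == "main":
            problems.append((e["name"], "marked - but still has two reporters"))
        for key, count in Counter(e["reporters"]).items():
            if count > 1:
                problems.append((e["name"], f"duplicate reporter key {key}"))
        for key in sorted(set(e["reporters"]) - set(known_keys)):
            problems.append((e["name"], f"unknown reporter key {key}"))
    return problems


def ranked(entries):
    """Order rows by number of distinct reporters, most widely reported first."""
    return sorted(entries, key=lambda e: (-len(set(e["reporters"])), e["name"]))


if __name__ == "__main__":
    rows = parse_wildlist(SAMPLE)
    for e in ranked(rows):
        print(f'{len(set(e["reporters"])):2d}  {list_for(e):12s}  {e["name"]}')
    for name, problem in audit(rows):
        print("AUDIT:", name, "-", problem)
```

The reporter count is only a spread indicator: as the list's own text says, it makes no provision for a commonness factor.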
If a virus listed has minor variants, but no specific variant letter is attached, the virus meant is the .A variant.

Please note that all the MS Word macro viruses are grouped under WM.name.

+ Viruses marked with a plus sign (+) are new to the main list this month.

CARO Name of Virus      [ Alias(es)     ] Reported by:
============================================================================
15_Years................[Espejo, Esto te] AeDcDgEvJkJmRtScSgSm
Aircop.Standard.........[...............] OhRk
Alfons.1344.............[Iutt99.........] AeFsGpJkJmKsMsPbRrSg
Anticad.4096.Mozart.....[Invader........] DgSg
AntiCMOS.A..............[Lenart.........] AcAdCbCjDcDgEvEwFlFsGmIwJdJkJmKd
                                          KsMhMsPdReRtRvScSgSmWsYp
AntiCMOS.B..............[LiXi...........] AcAdCbDcIwKsMsReRzScSmTd
AntiEXE.A...............[D3, Newbug.....] AcAdBqCbCjDcDgEvEwFlFsGmGpIwJkJm
                                          KdKsMhMsNbPdRfRkRtRvRzScSgSmTdWsYp
Arianna.3375............[...............] DcDgLs
Avispa.D................[...............] AeDgJkRaRtSc
BackFormat.2000.A.......[Backform.......] BnDgFlFsGpJkMs
Bad_Sectors.3428........[...............] FlGp
Barrotes.1310.A.........[Barrotos.......] DgEvGmJdJkJmPdScYp
Boot-437................[...............] AcBqCbCjDcDgFlFsGmGpJkKdKsMsOhPb
                                          PdRkRtRzScSgSmWs
BootEXE.451.............[BFD, BE-451....] FlFsIwJkMhMsNbRzSg
Brasil..................[...............] CjSc
Burglar.1150.A..........[GranGrave.1150.] AcAdCbDgFsJkKsMhMsRkRzScWsYp
Bye.....................[ByeBye.........] CbDcIwKsMsPdRzTd
Byway.A.................[Dir2.Byway.....] DcDgEvFlFsGmIwJdJkJmScSg
Byway.B.................[Dir2.Byway.....] DcDgEvJkJm
Cascade.1701.A..........[1701...........] CbCjCsDgFlFsGmGpKsMhMsPdRtRzSgSm
                                          Ws
Cascade.1704.A..........[1704...........] CsDgEkFsGpKsRtScSg
Cawber..................[NTU.T4, BacLab.] RtSc
Chance.B................[Lennon.........] DcFsJkSc
Changsha.A..............[Centry, Changes] MsRrRt
Chaos.1241..............[Faust..........] RrSg
Chill...................[Chill Touch....] RtSc
Chinese_Fish............[Fish Boot......] CjDgRkRrRt
Civil_Defence.6672......[CDV 3.3........] DcMsPbSg
Cordobes.3334...........[...............] FsJkSc
CPW.1527................[Mediera, Mierda] DgEvFsJkJmSc
Crazy_Boot..............[...............] DcDgEwFlJkScSgTd
+Cruel...................[...............] GmGpMhTd
DA_Boys.................[...............] CjDcEwFsIwJkRtScSgWs
Dark_Avenger.1800.A.....[Eddie..........] CjDgFsGpRrSgWs
Dark_Avenger.2100.SI.A..[V2100..........] DgIwRf
DelCMOS.B...............[Int7F-E9, Feint] DgFsIwJmPdRz
Delta.1163..............[...............] FsSc
DelWin.1759.............[Goblin.1759....] CbDcDgGpJkKsMsPdTd
Den_Zuko.2.A............[Den Zuk........] DgRtSg
Desperado.1403.C........[...............] JkKs
Diablo_Boot.............[...............] DcEvFsJmMhPdRaSc
Die_Hard................[DH2, Wix.......] AcAdCbCjDcDgFlFsJkJmKdKsMsNbReRk
                                          RtRvRzScSgSmTdWsYp
Digi.3547...............[Deliver.Stealth] FsMsPb
Dir_II.A................[Creeping Death.] BnCsDgEkFlFsGmJkKsNbOhRkRrScSgWs
                                          Yp
Disk_Killer.1_00........[Ogre...........] DgEk
DR&ET.1710..............[Dret...........] JkMs
+Ear.Leonardo.1207.......[...............] DgMs
+Edwin...................[...............] DgGmKsSc
Empire.Int_10.B.........[...............] RtScSg
Empire.Monkey.A.........[Monkey.........] DcGmJkJmKsOhPdRrRtScSg
Empire.Monkey.B.........[Monkey 2.......] AcCbCjDcDgEvEwFsGmIwJdJkJmKdKsMh
                                          MsNbOhPdRkRrRtRvRzScSgSmTdWsYp
EXE_Bug.A...............[CMOS Killer....] DgEwFlFsGmIwJkKsOhPdRfRtScTdWsYp
EXE_Bug.C...............[...............] RtYp
EXE_Bug.Hooker..........[...............] MhRtYp
Fairz...................[Khobar.........] JkKdMsRf
Fat_Avenger.............[...............] DcKdRrSm
Fichv.2_1...............[905, CHV 2.1...] DgGmRz
Filler.A................[DiskFiller.....] CbCjFlKs
Finnish_Sprayer.........[Aija...........] FsKsMhSc
Flame...................[Stamford.......] FlJkRrSc
Flip.2153.A.............[Omicron........] DcDgFsGmKsRv
Flip.2343...............[Omicron 2......] DgFsJd
Form.A..................[Form 18........] AcAdCbCjCsDcDgEvEwFlFsGmGpIwJdJk
                                          JmKdKsLsMhMsNbPbPdRfRtRzScSgSmTd
                                          WsYp
Form.C..................[...............] CsMs
Form.D..................[Form May.......] CsDcEvFlFsGmIwKdMsPdRtScYp
Frankenstein............[Frank, Sblank..] DcDgJkKdMs
Freddy_Krueger..........[Freddy 2.......] FsJkScWs
Frodo.Frodo.A...........[4096, 100 Year.] DcDgEwFsGpKsRr
Galicia.................[Telecom........] GpJkRtSc
Ginger.2774.............[Gingerbread....] JkRrSc
GoldBug.................[...............] DgFlJkMh
Green_Caterpillar.1575..[Find, 1575.....] CjDgFlFsGmGpIwJkKdKsOhRrRtScSmWs
Hare.7610...............[...............] AcDgFsIwMhRzScYp
Hare.7750...............[...............] MhMs
Hare.7786...............[...............] FsKsMhMsRz
Helloween.1376.A........[1376...........] DcDgFlIwJkJmPbRrScWs
Hi.460..................[Hi.............] GpMs
Hidenowt................[...............] AeDgGmIwJkJmKdPdScSm
HLLC.Even_Beeper.B......[...............] DgMsRz
Ibex....................[Bones..........] CbJkMhSc
Int40...................[...............] PbPd
Istanbul.1349...........[...............] DgMs
J&M.....................[Jimi, Hasita...] AdBnCbCjDcFlFsGpIwJkKsMhMsPbPdSm
Jerusalem.1244..........[1244...........] DgLsSg
Jerusalem.1500..........[Xug.1500.......] JkSc
Jerusalem.1808.Standard.[1808, Israeli..] CbCjCsDcDgFlFsJmKsNbRkRtRzSgSmWs
                                          Yp
Jerusalem.Mummy.1364.A..[Mummy 2.1......] DgRtYp
Jerusalem.Sunday.A......[Sunday.........] RkRtSgYp
Jerusalem.Zero_Time.Aust[Slow...........] DgJdRrRtSm
Jos.1000................[Jabberwocky....] GpMs
Joshi.A.................[...............] CjDcDgFsJkJmRkRrRtScSgSmWs
Jumper.A................[French Boot, 2k] CbCjDcDgEwFsGmGpJmMsPdRtScSg
Jumper.B................[SillyBop, 2kb..] CbDgFsJkKsMhMsSgSm
+June_12th.2660..........[Mabuhay........] AdMs
Junkie..................[...............] AcAdBnCbCsDcDgEwFlFsGmGpIwJkJmKs
                                          LsMhMsPbPdRfRrRtRvRzScSmTdWs
Kampana.A...............[AntiTel........] CbCjDcDgEwFsGmIwJdJkKsMhMsPbPdRf
                                          RtScSgSmTd
Kaos4.697...............[...............] JkMsScSgYp
Karnivali.1971..........[...............] DgJk
Keypress.1232.A.........[Turku, Twins...] DcDgFlGpJkJmRrRtRzSg
Laroux..................[XM.............] DgJkSg
Leandro.................[TimeWarp.......] AeCbDcEvFsIwJkJmMhMsPdRtRzScWs
Lemming.2160............[...............] RrSc
Liberty.2857.A..........[Mystic, Magic..] DcEvRt
Little_Red.1465.........[Red Book, Mao..] CjDcDgFsKdMsRtSmTdWsYp
MacGyver.2803...........[Shoo...........] GmJkMsRkYp
Major.1644..............[Major BBS......] AeCbDgFsJkKsMhMsRzScSg
Maltese_Amoeba..........[Amoeba.2367....] CbDgFsGmKsMsRtSgWsYp
Mange_Tout.1099.........[1099...........] DgGmJkMsPbSc
Manzon.1414.............[...............] CbDcEwFsIwJkKsMhMsPdRrTd
Markt.1533..............[Werbe, Media...] DgFs
Michelangelo.A..........[...............] AdBnCjCsDcDgEkFlFsGmGpOhPbPdRkRr
                                          RtScSgSmWsYp
MIREA.1788..............[Lyceum.1788....] AeEkJm
Moloch..................[...............] FsSc
Mongolian_Boot..........[Mongol.........] DgScSm
Music_Bug...............[...............] CjWs
Natas.4744..............[Satan, Sat_Bug.] AdCbDcDgEvEwFlFsGpJdJkJmKdKsMhMs
                                          NbOhPbPdRkRtRvScSgSmTdYp
Necros.1164.............[Gnose, Irish3..] DgRf
Neuroquila..............[Havoc, Wedding.] DgJkWs
Nightfall.4518.B........[N8Fall.........] CbDgJkPbTd
No_Frills.Dudley........[Oi Dudley......] DgJkRrRt
No_Frills.No_Frills.843.[...............] JkRrSc
Nomenklatura.A..........[Nomen..........] DgMh
November_17th.800.A.....[Jan1, Int83.800] DcFlLsSc
November_17th.855.A.....[Int83.855......] DcDgFsGmLsMsRtSc
NPox.963.A..............[Evil Genius....] FsSc
NYB.....................[B1.............] CjDcDgEkEwFlFsIwJkJmKdKsLsMhMsPd
                                          RtRvRzScSgSmTdWsYp
One_Half.3544...........[Dis, Free Love.] AcAdAeBnCbCsDcDgEkEvEwFlFsGmGpJk
                                          JmKdKsLsMhMsNbPbRfRkRtRzScSgSmTd
                                          WsYp
One_Half.3570...........[...............] FsJk
Ontario.1024............[SBC, 1024......] DcRr
Parity_Boot.A...........[...............] CbGpIwMhMsTd
Parity_Boot.B...........[Generic 1......] CbCjCsDcDgEvEwFlFsGmGpIwJdJkKdKs
                                          MhPdRfRtRzScSgSmTdYp
Pasta...................[Boot-446.......] DgJkSc
Pathogen:SMEG.0_1.......[SMEG...........] DgScWsYp
+Paula_Boot..............[...............] FsRa
Peter...................[Peter II.......] CbDcFsJdJkMhSmYp
Ph33R.1332..............[...............] EwFsJkMh
Phx.965.................[PUX.965........] DgJmMsRa
Pieck.4444..............[Kaczor.4444....] CbMsRvYp
Ping_Pong.B.............[Bouncing-Ball..] DcDgFsGmYp
+Plagiarist.2051.........[...............] DgSc
Predator.2448...........[2448...........] FsJkKsRvSc
QRry....................[Query, Essex...] DcEvJkSc
Quandary................[Parity_Boot.Enc] AcDgFsIwJkKsMhMsPdRvSmTd
Quicky.1376.............[Quicksilver....] AcCbDgFlFsGmJkPdScTd
Quiver..................[Qvr............] EvMh
Quox.A..................[Stealth 2......] CbDcFlFsJkRtScSgSm
Reverse.948.............[Red Spider.....] MsYp
Ripper..................[Jack Ripper....] AcAdCjCsDcDgEwFlFsGmGpIwJkKsMhMs
                                          PbPdRfRkRtRvRzScSgSmTdWsYp
Russian_Flag............[Slydell, Ekater] DcDgIwJkRzScSmYp
Sampo...................[Turbo, Wllop...] AcAdCjDcDgEwFlFsGmIwJkKdKsMhMsNb
                                          PbPdRtScSgSmWsYp
Sarampo.1371............[...............] DgJdJk
Sat_Bug.Sat_Bug.........[Satan Bug......] EvSc
Satria.A................[July 4th.......] JkTd
Sayha...................[...............] JkSc
Screaming_Fist.II.696...[Fist 2, Scream.] CjDgJkRtSg
She_Has.................[Breasts........] CbDgIwPdRzTd
Sibylle.................[...............] DcDgFl
Sleep_Walker.1266.......[Swalker........] RrSc
Stealth_Boot.B..........[AMSE, NopB.....] CbCjDcDgEvFsJkMsPdRtScSgSm
Stealth_Boot.C..........[AMSE, NopB2....] CbCjEvFsGmJdJkJmPdRtScSgSmYp
Stoned.16.A.............[Brunswick......] DcDgSc
Stoned.Angelina.A.......[...............] BqCbCsDcDgEvFlGmIwJdJkJmKdMhMsPb
                                          PdRkRvScSgSmTdYp
Stoned.Azusa.A..........[Hong Kong......] CjCsDgJkKsRrRtScYp
Stoned.Bravo............[...............] DgMsYp
Stoned.Bunny.A..........[...............] ScSgWsYp
Stoned.Daniela..........[...............] MsScSg
Stoned.Dinamo...........[...............] DcIwMsRtSc
Stoned.June_4th.A.......[Bloody!........] CbCjCsDgJkRkRrScSmWs
Stoned.Kiev.............[Epbr...........] CjDcEkMsPdRt
Stoned.Lzr..............[Lisa2, Whit....] AdCjDcEvFsRtSc
Stoned.Manitoba.........[Stonehenge.....] DcDgFsKsPdRtRvScSm
Stoned.No_INT.A.........[Stoned.........] AcCbCjCsDcDgEwFlFsGmIwJkMhOhPbPd
                                          RrRtScSgWsYp
Stoned.NOP..............[NOP............] DgJkWs
Stoned.Spirit...........[...............] AeDgFsGmJkMhMsPbRz
Stoned.Standard.A.......[New Zealand....] CjDcDgEkEvFsGmGpJkPdRkRrRtScSmWs
                                          Yp
Stoned.Swedish_Disaster.[...............] CjDgIw
Stoned.W-Boot...........[Stoned.P, Wonka] AdDcEvJkMsPdRrScWs
SVC.3103.A..............[SVC 5.0........] DgEkEvSc
Swiss_Boot..............[Swiss Army.....] DcFlFsJkKsNbSm
Tai-Pan.438.............[Whisper........] CbDcDgFlFsGmJkJmKdKsMhMsPbPdRtSg
                                          TdWsYp
Tai-Pan.666.............[D2D, Doom2Death] AcBnCbDcDgEkEwJkMhMsRtScSgSmWsYp
Tanpro.524..............[...............] AdJkSc
Tentacle.10634..........[Tentacle II....] DgJkKsMhRvSc
Tentacle.1996...........[...............] DgEwFsJkKsMhRzSc
Tequila.A...............[...............] CsDcDgEwFsGmIwJkPdRfRkRtScSgSmTd
                                          WsYp
Teraz.2717..............[...............] DgIw
Three_Tunes.1784........[Flip, PCBB.1784] AeCjDcDgEvJkJmSc
Trakia.653..............[...............] RrSc
Tremor.4000.A...........[...............] CbCsDgFlFsJkKsMhMsPbRtSgWsYp
Trojector.1463..........[Athens.........] DcDgJkKdNbSgSm
Trojector.1561..........[...............] GpKsRzSc
+TVPO.3873...............[...............] GpRz
Unashamed...............[...............] IwJdJkJmLsMhMsPdScYp
Unsnared.814............[ V.814.........] AeGpRz
Urkel...................[Nwait..........] CjDcFsJkRzScSgWs
V-Sign..................[Cansu, Sigalit.] BnCjDcDgFsGmIwJkKdMhMsPbPdRrRtSc
                                          SgSmWs
Vacsina.TP-05.A.........[RCE-1206.......] CjDgFsRtSc
Vacsina.TP-16.A.........[RCE-1339.......] DgFs
Vampiro.................[...............] DgRaWs
Vienna.648.Reboot.A.....[DOS-62.........] AeDgEkGpRkSg
Vinchuca................[...............] DgRaWs
VLamiX..................[Die Lamer......] DgFlJkMsRt
WelcomB.................[Bupt.9146......] AdCjCsDcDgEvFlGmGpIwJkJmKsMhMsPb
                                          PdRtScYp
Werewolf.1500.B.........[...............] DgEwFsGmJkMhMsRzScSgSmYp
+WM.Buero................[...............] DgJkMhScTd
+WM.Colors.A.............[...............] JdJkYp
WM.Concept..............[Concept, Prank ] AcAdBqCbCjCsDgEwFlFsIwJdJkJmKdKs
                                          MhMsNbPbPdReRfRkRrRvRzScSgSmTdWs
                                          Yp
WM.Date.................[AntiDMV........] DgPbSc
+WM.Divina...............[Divina.........] FsSc
WM.Hot..................[Hot............] RvSc
WM.Imposter.............[Imposter.......] AcDgIwMhSc
+WM.Irish................[Irish..........] JkSc
WM.MDMA.................[MDMADMV........] JkMhSc
WM.NOP.A................[Nop............] FsMhRzSc
+WM.Npad.................[Bandung........] DgJkJmMhRzScTd
WM.Nuclear.B............[Nuclear.B......] FlFsYp
WM.Wazzu................[Wazzu..........] AdAeCbDgFsJdJkJmKsRkRvSc
WXYC....................[...............] CjJmMsOhScSmWs
Xeram.1664..............[N-Xeram.1664...] JkPd
Xuxa.1984...............[...............] DgFs
Yankee Doodle.TP-39.....[RCE-2772.......] DgFs
Yankee Doodle.TP-44.A...[RCE-2885.......] DgEkEwFlFsGmGpKsMhMsNbPdRtSgSmTd
Yankee Doodle.XPEH.4928.[Micropox.......] CbFlFs
============================================================================
Total for the WildList: 223
============================================================================
Supplemental List
============================================================================
As was noted at the start of the main list, this list is not, technically, part of "The WildList" as I have defined it. By design, the WildList is a list of viruses verified as being in the wild by a minimum of two WildList participants. The viruses listed below do not currently meet that criteria.

This additional list includes viruses reported by a single participant and are often either moving onto the main list, or dropping off of it.

Please note especially that this list also tends to be more of a regional reporting mechanism. For example, a virus is often reported as very common by one regional participant, but is found nowhere else in the world.

Viruses marked with a minus sign (-) dropped off the main list this month.

CARO Name of Virus      [Alias(es)      ] Reported by:
============================================================================
15_Years.B..............[Espejo.B.......] Jk
A&A.....................[...............] Dg
Accept.3773.............[...............] Ra
Acid....................[...............] Ew
Alphabetic.A............[...............] Mh
Anticad.4096.A..........[Plastique 5.12.] Sg
AntiCMOS.D..............[AntiCMOS.G.....] Jk
Arusiek.817.............[...............] Cb
Avalon..................[...............] Fs
Baby.962................[_962...........] Ad
BackFormat.B............[BackForm.B.....] Ms
Barrotes.1303...........[Sta Tecla......] Ev
Barrotes.1463...........[...............] Rz
Beer.2473...............[...............] Fl
Cavaco..................[...............] Jk
Chameleon...............[...............] Iw
Cosenza.................[...............] Fs
Coup.2052...............[...............] Dg
Dalian..................[...............] Ad
Danish_Boot.............[...............] Sc
Datalock.920.A..........[...............] Dg
Defo....................[PeterII.Runtime] Fs
Deliver.1771............[Blue Shark.....] Ms
Diciembre_30_Boot.......[...............] Jm
Dual_Gtm.1643...........[BewareBug.1643.] Jk
DullBoy.................[...............] Jk
DuPoem..................[...............] Jk
Error_Vir...............[...............] Mh
Face....................[...............] Jk
Fighter.5871.APE........[Stealth_Fighter] Ek
Finnish.357.............[...............] Ks
Finnpoly................[...............] Mh
FITW....................[...............] Pd
Flag3.1901..............[Furtive.1901...] Jk
Form.B..................[...............] Iw
Glupak.857..............[...............] Rz
Gripe.2040..............[...............] Jk
H-Andromeda.1024........[Axe............] Fl
Ha!.1224................[Info,Zmaina....] Ms
Hack_Master.............[...............] Ae
Halt....................[BM_Birthday....] Jk
Hi.833..................[Hi.............] Gp
Hiroshima.830...........[...............] Jk
HLLO.Novademo...........[Nova...........] Ms
Horror.1173.............[...............] Td
Immortal.2190...........[...............] Ms
Indonga.2197............[...............] Dg
Infector.1022...........[Alia.1023......] Sc
Invisible_Man.2926......[...............] Kd
ITV.457.................[...............] Oh
IVP.264.B...............[...............] Rz
IVP.674.B...............[...............] Ks
IVP.Flipper.872.........[...............] Rr
Japanese_Xmas...........[Xmas in Japan..] Sm
Jerusalem.AntiScan......[...............] Dg
Jerusalem.June_13.......[...............] Gp
Johana_Boot.............[...............] Jm
K-Hate..................[...............] Iw
Kmee....................[...............] Fs
Kysia.1536..............[Kyokushinkai...] Ms
Kysia.3072..............[Kyokushinkai...] Ms
Legozz..................[...............] Fl
Little_Brother.307......[...............] Jk
LTS.....................[...............] Fs
Lucho...................[...............] Jm
Lutil.591...............[...............] Jk
MacGyver.4112...........[...............] Jk
Magda...................[Magdzie........] Ms
Mannequin...............[...............] Gp
Mario.745...............[...............] Ms
Matthew.3044............[...............] Ad
Menem_Tocoto............[...............] Ra
Mirage..................[...............] Dg
MISiS...................[Zharinov,NIKA..] Ev
Natas.4738..............[...............] Dg
Nightfall.*.............[N8Fall.........] Td
NJH2LBC.A...............[Korea Boot.....] Dg
November_17th.800.B.....[...............] Dc
NoWin.2576..............[Zielona........] Ms
Oktubre.1784............[...............] Dg
Ornate..................[...............] Dg
Patras.196..............[...............] Gm
PC_Ogre.................[...............] Jk
Peligro.1213............[...............] Jm
Phx.1295................[...............] Ra
Print_Screen_Boot.A.....[India,PrnSn....] Dg
PS-MPC.475..............[...............] Sc
Pysk.2464...............[...............] Dg
Rhubarb.................[RP.............] Ms
Scitzo..................[...............] Fl
Scroll.1532.............[Kato...........] Ms
Sierra..................[...............] Jk
SillyCR.409.............[...............] Jk
Spectre.513.............[...............] Ks
Stealth_Boot.Alfredo....[...............] Dc
Stoned.Michelangelo.D...[...............] Fl
Stoned.Scale............[BootM1.........] Ae
Suriv_1.Argentina.......[...............] Ra
Tai-Pan.512.............[...............] Mh
Teraz.4004..............[Flaga..........] Ms
Turner..................[...............] Ek
Ulate...................[...............] Dg
Ultra_Violent...........[...............] Jk
Unkempt.1350............[...............] Jm
Uvjan.2246..............[...............] Ev
Uvjan.2262..............[...............] Ev
V-160...................[SillyRC.160....] Jk
Valentine.2332..........[...............] Jk
VCL.541.................[...............] Ks
VCL.Genocide.839........[...............] Ms
Vienna.Bua..............[Big Caibua.....] Dg
Voyage.1134.............[...............] Ws
Werewolf.684............[Claws..........] Jk
Werewolf.693............[Fangs..........] Jk
WM.Boom.................[...............] Sc
WM.Concept.B:Fr.........[...............] Jk
WM.Concept.C............[...............] Dg
WM.Concept.F............[...............] Fs
WM.Parasite.............[...............] Sc
WM.Taiwan1..............[...............] Rk
WM.Wazzu.E..............[...............] Jk
Xtc.2153................[...............] Jk
Yesmile.................[...............] Fs
Zimboot.................[...............] Yp
============================================================================
Total for both lists: 347
============================================================================
Release notes for the October 15 list:

Neville Bulsara of India and Ralph Tee have been added to the list. Since Rt is already used Ralph Tee is represented by Re. (His company is R.E.S.)

Please note that all the MS Word macro viruses are grouped under WM.name. So Concept is now under WM.Concept. This follows the precedent set by some antivirus companies and makes isolating the macro viruses easier for some who use the list just to track macro viruses. E.g. Mac user groups.

I am continuously seeking WildList participants, especially for regional reporting in the following countries: Bulgaria, Chile, China, Denmark, Greece, Indonesia, Philippines, Saudi Arabia, Singapore, South Korea, Spain, Thailand, Turkey, and Ukraine.

Such new participants will need to be in a position where they can monitor and verify virus incidents. People who develop av products are best suited.
People who represent one or more av products (agents) and provide localized support may also be qualified if they actually verify the viruses or forward samples to developers.

If you thus qualify, please send your name, location, organization, product name, favorite brand of beer, and references (preferably CARO members who know you). Send the information to wildlist@vcnet.com. Thanks.
============================================================================
The collation of this list is done by Joe Wells, Editor of the IBM web site for virus information, www.av.ibm.com, who is solely responsible for its contents.

The latest WildList is always posted directly by me to the NCSA Security forum on Compuserve, in the Virus Info/Tools library. The official archive location for the WildList is ftp.ncsa.com in pub/virus/wildlist. A complete archive of WildLists is available at the Virus Bulletin web site (http://www.virusbtn.com/WildLists/index.html).

The WildList is copyright material, but may be freely quoted or cited in part or in whole. No permission is needed to reprint the list. All mail in regard to the WildList should be sent to wildlist@vcnet.com.
============================================================================
WildList Vol.610 - (c)1993-1996 Joe Wells - 75511,635 - wildlist@vcnet.com
============================================================================

=============================================================================
Section Three - Beginners Guide For Newbie Collectors

Due to frequent posts on the Usenet, as well as frequent E-mails asking me some of the basic questions when it comes to collecting, I felt it would probably save everyone some time, to sit back and write a few basics on acquiring and storing viruses.

We will start with acquisition. For those who have not learned yet, the Usenet is not a Virus Collector friendly medium. Very few viruses are exchanged via Usenet newsgroups.
The only newsgroup which I have seen any sort of exchange going on, has been in alt.comp.virus.source.code. There are a few people who have been exchanging here and there. And there is a virus posted maybe once a week there. Posting to a newsgroup messages like "Please send me a Virus", is not a good way to get viruses. All it will probably get you is some hate mail, maybe some cheezy flames in the newsgroup itself. Other than that it will be your time wasted.

I would say the best way, is use your favorite WWW or FTP search engine and search for some keywords (EG virii, virus). In these searches you will pull up an enormous amount of garbage, but you should find something interesting in your travels. Once you have a few sites, it is best to explore the links from those sites to others. And last but not least, download everything you can.

Something I don't run into very often, but do every now and again, is someone e-mailing me asking me if I want to trade viruses VIA e-mail. It doesn't sound stupid to them, and maybe to most it doesn't. But I have my entire collection archived and available via FTP and WWW, with the exception of the few files I may have received in the last couple of days. What would I possibly have laying around that they don't already have access to? I am not running some ELITE service. I have no ratios no nothing. I provide all of my resources to anyone who wished to acquire them. If you want to send me something I don't have in e-mail, then send it. But virtually everything I have is available on the site.

Collection is very easy, and pretty safe as well. There are many different methods of making sure viruses don't get loose on your system. The ultimate safeguard is to not store viruses on a system you value. But since not everyone has multiple computers laying around, there are other ways that are just as safe. How safe is safe? Well the entire Virii Heaven Archive is on one of my hard drives.
I use this system every day, and it is the primary system in my household. I have never once had this system infected as the result of these viruses being present on the system.

One of the most popular ways people store viruses is with the use of a compression program, such as PKZIP. A standard ZIP file is completely safe to store everything in, as the files inside the ZIP cannot be executed on accident. Some people store their entire collection in one big zip file, others store each virus individually.

Another way which people store the viruses, which I am not a big fan of just because of disk space reasons, is to rename the virus file. The virus named VIRUS.EXE for example could be renamed to VIRUS.EX_ thus making so it won't run. This works, but it lacks the compression which PKZIP or a similar compression program might apply, thus wasting disk space. But alas is another option.

These are probably the most common ways of storing files. Sure there are many other ways with the technology boom in optical drives and removable hard drives. I keep mine on tape backup as well. But I am sure if you already have these other options, chances are you have already thought to use them for your collection right?

For more on Collecting Viruses, there is a little more advice in the beginning of the WWW/FTP Site guide in section 6 of this Newsletter in PhreeX's Site guide.

=============================================================================
Section Four - *NEW* Virus Related Newsgroup

Some time ago, PhreeX and I launched a campaign on Virus Heaven to get some of the Vx scene to be more active in the newsgroup alt.comp.virus. As we feel the newsgroup should be open to the discussion of the creation of viruses. However there was quite an opposition from the AV folks in there, and to be all quite honest, there still is. There wasn't a whole lot of Vx support in the matters, but there were other routes in which for all of us to communicate.
VBB's web-based message board was pretty active about that time until it got corrupted, and Dark Night has been too busy to fix it. And there has always been alt.comp.virus.source.code, which did pick up some in the last few months. Well the number of spams is still the same, but at least now there are a couple of on-topic posts each day, as well as some source and an occasional dropper is posted there as well.

About a couple of weeks into this whole campaign, PhreeX saw the futility of fighting for alt.comp.virus. And noted that one of the biggest arguments the AV people had, was that it wasn't a binaries newsgroup, and while we had the right to discuss authoring in there, we had no right to post binaries or source code there. At about this point, PhreeX applied to have a new newsgroup built. And a couple of months later, this newsgroup is a reality, and is now available for those who wish to pursue it.

The new newsgroup is called "alt.binaries.comp.pro-virus". More than likely, your current ISP has not picked it up. You may wish to contact the appropriate person with your ISP and request that they make it available to you. I will be doing so when I switch ISPs here in a week or two, as I am doubtful that Teleport.com will pick it up, since run-ins in the past I have had with them were handled ignorantly and with very little investigation.

Being that this is in the alt hierarchy, it will be un-moderated. And since it is a binaries newsgroup, you will be able to send and receive viruses in this newsgroup, both source code and executables, and well, anything that is PRO-VIRUS goes here. I hope to be seeing many of you there. I will be there as soon as I change my primary ISP.

(Note: Being that ILF is not my primary ISP, the site for Virus Heaven will remain the same, as well as my ILF e-mail address. When my other e-mail address changes, I will let you all know, either by e-mail, or by way of the Web site itself.)
=============================================================================
Section Five - Vx Related Books

This section is going to be somewhat small, as I do not have many books which will be of much use. More than likely, I will just move this section in the next issue, into the WWW/FTP site guide. What you will find below is all the information I have on how to get ahold of some of these books. You will more than likely see Publisher contact information on a few of these as not all of them can be found in your local bookstore. But many bookstores will order for you if you can provide them with publisher information. Or you can just order them yourself by contacting the publisher.

CVRL CD-Rom Version 2
Cost= $89.00 (US)
This is a collection CD-Rom by Computer Virus Research Lab. You can download a listing of everything on the CD as of the current version available from the site listed below to place your order. This isn't really a book, but there are collections of E-zines on the CD as well.
Ordering and info - http://www2.spidernet.net/web/%7Ecvrl/

A Pathology Of Computer Viruses
By David Ferbrache
This is said to be available at libraries and what not, so it is probably available in your local bookstores maybe as well.

Dr. Solomon's Virus Encyclopedia
A printed virus encyclopedia.
Ordering And Info - http://www.drsolomon.com

The Virus Creation Labs - A Journey Into The Underground
By Dr. George C. Smith
In catalog for $12.95
ISBN 0-929408-09-8
Published By-
American Eagle Pub.
PO Box 1507
Show Low, Arizona USA 85901
1-800-719-4957 or 1-520-367-1621

Giant Black Book Of Computer Viruses
Apparently a cult-classic in the Vx world
Sources tell me it is available from American Eagle Pub.
American Eagle Pub.
PO Box 1507
Show Low, Arizona USA 85901
1-800-719-4957 or 1-520-367-1621

Super Technology '96
Put together by the same author that made the "Giant Black Book Of Computer Viruses".
From what was said in the most recent Crypt Newsletter, this is Selling for $399.00 (US) or so. I have received mail via the Usenet advising me that this book was offered for $99.00 (US) to those who had bought the "Giant Black Book Of Computer Viruses" in the past. Basically the book details heavily on everything you need to know about viruses and Windows 95. That is pretty much it for now. I have not heard from the author, so I do not know for sure if there is anything available in Super Technology that cannot be found on the net, in regards to Win95 viruses. And anyone who owns this book, I would appreciate a short summary or review on this book, as well as any additional pertinent information I may have left out.

=============================================================================
Section Six - Vx Site Guide (FTP/WWW) - Revised

The *official*

COMPUTER VIRUS

--==[\|/]==-- World Wide Web Site/FTP Site list --==[\|/]==--

[] Version 1.04 []

Compiled by Dr. PhreeX Merian
Edited by God@rky

Brought to you by FoRcE, "Taking on the web with full FoRcE"

HUGE thanks to God@rky, this would have not been possible without you!!

-INDEX-
Disclaimer
A word on safe virus storage

-LINKS-
Part 1: Virus Generators/engines
Part 2: Some popular viruses
Part 3: Mac viruses
Part 4: Needed tools (Assemblers)
Part 5: Virus related FAQ's/Tutorials
Part 6: Virus INFORMATION Links
Part 7: Computer Virus links
Part 8: Conclusion (By Dr. PhreeX Merin himself!!)

Any comments, questions, or additions can be sent to me: phreex@ao.net or you can call me directly 24 hours a day at: 1-809-404-5468

Disclaimer: I (Dr. PhreeX Merian) Can -NOT- nor will I be held responsible for your stupidity, viruses can destroy your/others computers (that is, the data within them,) if you execute a virus you just might get fucked. Collect 'em, study 'em, trade 'em but for god sake do **NOT** execute them.

Note: As of 10/13/96 at 19:38:03 PM EST every one of these links was valid, however they may die, if so please take it up with the site owner, not me!

A word on safe virus storage:

As your collection of viruses (virii) grows so does the risk of self-infection, believe it or not you -CAN- safely store viruses on your hard drive, I have over 3,000 and have NEVER been infected! Here are just a few things you can do to protect yourself.

1) ALWAYS keep viruses zipped up, I can not stress this enough, keep each virus in its own .zip with a text describing it (if possible) you can get a free copy of Pkzip from; http://www.pkware.com remember, if it's zipped up it can **NOT** be executed!!!

2) It's a good idea to re-name the file extension to something other than .com or .exe, I use .co_ or .ex_, this way you can NOT accidentally execute the virus.

3) Put all your viruses in 1 (one) directory, I use c:\VIRUS, you can use whatever the hell you want.

4) Get a -GOOD- AV scanner! Because everyone thinks theirs is the best you can get reviews and sites at; http://www.virusbtn.com I think FProt is the best, you can download a shareware copy (gag) but that's no fun, I suggest you check the alt.binaries.warez.* groups for a -REAL- copy (it's always posted somewhere).

5) Once you get an AV scanner USE IT!!!, remember, you put all your viruses in one directory, most all virus scanners allow you to exclude drives/directories/files when you scan, set your scanner to exclude whatever directory your viruses are in.
If you start to get reports of viruses outside of that directory you might have a problem.

6) If you're really paranoid you can keep all your viruses on floppy disk, actually, this is a good idea, due to the small size of viruses you can store TONS of 'em on only a few disks. ZIP drives are also nice to have, so are CDR's. If you put your viruses on disk LABEL the disk so others don't infect you.

7) USE COMMON SENSE! This is really the best protection, don't be an idiot, don't run anything that you don't know what it does, yadda yadda yadda...

On with the show......

Here is how this file is arranged;

File/Site name
http://www.this.is.the.site
Review of the site/file will go here...

Lets get started!!

Please note the following; I would like to keep this file somewhat small, for that reason I will not go into just what each virus/program does, if you wish to know just what one of these does then go here: http://www.Europe.DataFellows.com/vir-info/ I also have omitted links directly to virus sims (emulators), these are used for testing AV scanners and are of little use to the VX community.

(God@rky: Actually according to many of the AV folks, virus sims are useless. And that only a good test can be performed by an AV expert. As well as the factoid that the only test they consider a good install test, is the EICAR test.)

Part 1 [ Virus Generators ]

These are alright, however most of them do not work 100% of the time and the viruses are easily picked up by even the most half assed scanners. All of the following are located at: http://www.kuai.se/~panik should these URLs be dead please go directly to the site.

Instant Virus Production Kit v1.7
http://www.kuai.se/~panik/archive/ivp.zip
This is alright, however all of these are picked up.

Mutation Engine 1.00a
http://www.kuai.se/~panik/archive/mte.zip
Not very user friendly, still, its alright.

NuKE Randomic Life Generator v.66b
http://www.kuai.se/~panik/archive/nrlg.zip
This one is cool.

Phalcon/Skism's G2 v.70ß
http://www.kuai.se/~panik/archive/g2.zip
I have yet to use this, word is, it sucks.

TridenT Polymorphic Engine v1.4
http://www.kuai.se/~panik/archive/tpe14.zip
A nice polymorphic engine.

Compact Polymorphic Engine
http://www.kuai.se/~panik/archive/cpe-ape.zip
A nice polymorphic engine.

Rajaat's Tiny Flexible Mutator
http://www.kuai.se/~panik/archive/rme11.zip
Not very good, however I believe these are not yet picked up by most scanners.

NoMut v0.01
http://www.kuai.se/~panik/archive/nomut.txt
Decent polymorphic engine.

SDFE 2.0
http://www.kuai.se/~panik/archive/sdfe20.txt
Nice, however every one of these is picked up.

The Rickety and Hardly Insidious yet New Chaos Engine v2.0
http://www.kuai.se/~panik/archive/rhince2.txt
The name says it all.

VLAD infinite polymorphic
http://www.kuai.se/~panik/archive/vip.txt
Ya gotta grab this one!!

Small Polymorphic Engine
http://www.kuai.se/~panik/archive/spe.txt
This is a nice polymorphic engine.

Biological Warfare Mutation Engine
http://www.kuai.se/~panik/archive/bwme.txt
This is the *REAL* one.

Mini Mutation Engine v1.0
http://www.kuai.se/~panik/archive/mime1294.zip
I have yet to use this.

Trojan Horse Construction Kit v2.0
http://www.kuai.se/~panik/archive/thck200.zip
My personal favorite when it comes to trojans

TSR Time Bomb
http://www.kuai.se/~panik/archive/tsr_tb.zip
Alright.

Virus Creation Laboratory v1.0
http://www.kuai.se/~panik/archive/vcl.zip
This one is WAY over hyped, only a few of the viruses work and they're all picked up by ANY virus scanner. Skip this one, you're not missing a damn thing! BTW, the password is "Chiba City" (without the " ")

Virus Lab Creations v1.1
http://www.kuai.se/~panik/archive/vlc.zip
A little better than the above.

Virus Creation 2000
http://www.kuai.se/~panik/archive/vc2000.zip
Lame!

Virus Construction Set v1.0
http://www.kuai.se/~panik/archive/vcs10.zip
Lame!

Biological Warfare Virus Creation Kit
http://www.kuai.se/~panik/archive/bw100.zip
Good for a virus generator.

The Nowhere Utilities 2.0
http://www.kuai.se/~panik/archive/nutils20.zip
All of these are picked up

Part 2 [ Some Popular Viruses ]

These are some of the most *POPULAR* viruses, they might not be the most powerful however these are the ones you keep hearing about. Most of these come to us from God@rky's virus heaven located at; http://www.ilf.net/god@rky/virii.htm

The Hellish Conspiracy Virus
http://www.ilf.net/god@rky/virii/hellish.zip
Sounds pretty cool, but sure wouldn't want it on my system. Does a lot of peculiar shit with your PC speaker too.

The CriCri Virus
http://www.ilf.net/god@rky/virii/cricri.zip
Nifty, I have yet to run this.

The HARE Virus
http://www.ilf.net/god@rky/magazines/vbb-3.zip
One of the hottest viruses EVER!! And it's a nasty one too!!
NOTE: This zip has several viruses, READ THE INCLUDED TEXT!

The Tentacle Virus
http://www.ilf.net/god@rky/magazines/vbb-3.zip
Another virus that rocked the AV/VX community, does really neat stuff to your windows icons!!
NOTE: This zip has several viruses, READ THE INCLUDED TEXT!

The Rickdog666 Virus
http://www.ilf.net/god@rky/magazines/vbb-3.zip
This virus got a kid kicked out of school, don't miss this one!
NOTE: This zip has several viruses, READ THE INCLUDED TEXT!

--MACRO VIRUSES--

Macro viruses are .doc files that, when opened, will infect your machine.
HINT: Do not try to open these to view them!

The Alliance Word Macro Virus
http://www.ilf.net/god@rky/virii/alliance.zip
Nice virus, brought to you by the alliance.

Colors Macro Virus
http://www.ilf.net/god@rky/virii/colors95.zip
*GREAT* Virus!!! this also comes with source code and a file on making your own Macro viruses!!! Do *NOT* miss this one!!!

The Outlaw Macro Virus
http://www.ilf.net/god@rky/virii/outlaw.zip
This is pretty new, not sure exactly what it does.

Word.Easyman Macro Virus
http://www.ilf.net/god@rky/virii/wrdesymn.zip
A newer Macro virus, I have yet to see the destruction.

Word.Saver(SEX) Macro Virus
http://www.ilf.net/god@rky/virii/wordsavr.zip
Yet another Macro virus.

Word.Spooky Macro Virus
http://www.ilf.net/god@rky/virii/wrdspook.zip
This is one you do *NOT* want to get infected with!

Part 3 [ MAC Viruses ]

In this era of equality no one is left out, this includes those that fell for the media ploy and own a Macintosh (Apple). So far I know of only this file, taken from God@rky's (http://www.ilf.net/god@rky/virii.htm)

Macintosh Viruses (huge file)
http://www.ilf.net/god@rky/mac/macvirii.zip
I know nothing about these, BTW, funny how they are for the mac yet they're in a .zip file 'eh?

Part 4 [ Needed Tools ]

These are all used in compiling virus source code, I have been told that some of these are *NOT* freeware, IOW they're pirated software.

a86 Assembler (Shareware)
http://www.ilf.net/god@rky/tools/a86v402.zip
Shareware assembler, this is a good one for compiling all that .asm code.

d86 Debugger (Shareware)
http://www.ilf.net/god@rky/tools/d86v402.zip
Shareware de-bugger, great to get the source of a compiled virus.

SoftIce for Win95
http://www.kuai.se/~panik/archive/softice.zip
SUPER de-bugger for windows '95 (also good for cracking software)

SoftIce for Windows 3.11
http://www.kuai.se/~panik/archive/m_wice13.zip
The same great program for windows 3.1.

SoftIce for Dos
http://www.kuai.se/~panik/archive/s-ice280.zip
The BEST DOS de-bugger!

Disaster
http://www.kuai.se/~panik/archive/disaster.zip
Dos disassembler.

IBM Assembly Code Generator
http://www.kuai.se/~panik/archive/asmgen.zip
A program that generates source code from an executable.

Bubble Chamber Disassembler
http://www.kuai.se/~panik/archive/bubble.zip
Really good disassembler (What I use)

Intelligent Disassembler v1.2
http://www.kuai.se/~panik/archive/id12.zip
Good disassembler.

Part 5 [ Virus related FAQ's/Tutorials ]

These are FAQ's all about viruses, both removal and infection. Also included are some tutorials on making viruses.

x86 Assembly Language FAQ - a86 & d86
http://www.cis.ohio-state.edu/hypertext/faq/usenet/assembly-language/x86/a86/faq.html
Well, it's not going to make you an assembly programmer but it's a good start

alt.comp.virus FAQ (This is the FULL current version, very AV)
http://www.ilf.net/god@rky/acv_faq.html
This is the FULL version of the a.c.v FAQ, not the original yet it's still very good!

alt.virus FAQ (The original a.c.v FAQ, very VX)
http://www.ilf.net/god@rky/acvx_faq.html
This is the *ORIGINAL* a.c.v FAQ, as you can see a.c.v was made as a pro-virus newsgroup!

VSUMx606
ftp://ftp.germany.eu.net/pub/comp/msdos/mirror.garbo/virus/vsumx606.zip
This is an OK Hypertext. It is said to have lots of errors in it. You know stuff like dates when a virus first appeared and what not, and in some cases what the virus does. The AV people regard it as not a very good Hypertext. It will get the job done in many cases but it is always light years behind what you will find at any of the Vx sites.

VDAT170
http://www.cyberstation.net/~cicatrix
This is a very good up&coming hypertext. I am impressed with how far it has come in such little time, and think it has the potential to come along much further. Keep an eye on this little gem in the months to come, it could become a valuable asset to those wondering what items in their collection or infecting their system are doing.

Anti-Debugging Tricks
http://www.ilf.net/god@rky/tutorials/antdebug.txt
Really good file on anti-debugging tricks, too bad most of it's picked up by AV scanners.

Black Wolf's Guide To Memory Resident Virii
http://www.ilf.net/god@rky/tutorials/memres.txt
Good file on MRV.

Polymorphic Viruses - Part 1
http://www.ilf.net/god@rky/tutorials/polymorph.txt
REALLY GOOD file on Polymorphic Viruses.

Polymorphic Viruses - Part 2
http://www.ilf.net/god@rky/tutorials/polymrph2.txt
Second part of the above file.

Disinfecting Infected Files
http://www.ilf.net/god@rky/tutorials/rstut001.txt
This should appeal to the AV community, that is the portion of the AV community that understands this stuff.

TSR COM Infections
http://www.ilf.net/god@rky/tutorials/rstut002.txt
Good file, complete.

Constructing Kit on Infecting COM's
http://www.ilf.net/god@rky/tutorials/rstut003.txt
Good file on COM infection.

Infection On Closing
http://www.ilf.net/god@rky/tutorials/rstut004.txt
I haven't checked this out yet.

EXE Infections Part 1
http://www.ilf.net/god@rky/tutorials/rstut005.txt
This is something ALL virus coders have to read!

EXE Infections Part 2
http://www.ilf.net/god@rky/tutorials/rstut006.txt
part 2 to the above file.

Directory Stealth
http://www.ilf.net/god@rky/tutorials/rstut007.txt
GREAT file on getting past MS DOS Checksum Checker!

Directory Stealth (Method 2)
http://www.ilf.net/god@rky/tutorials/rstut008.txt
Second method of improving stealth viruses.

Memory Stealth
http://www.ilf.net/god@rky/tutorials/rstut009.txt
Another GREAT file on TSR's

The Dangers of ThunderByte's TBClean Emulation Techniques
http://www.ilf.net/god@rky/tutorials/rstut010.txt
Article on getting past TBClean's methods of dis-infection.

Part 6 [ Virus INFORMATION Links ]

These are all pages that provide information on viruses, not the actual viruses.

Dr Solomon's very own personal homepage
http://www.pcug.co.uk/~drsolly/
It's our very own Dr. Solly's homepage (dude, try a
tag) He also offers the laws on computer viruses, ya gotta check that so you know just what laws you're breaking!

Data Fellows Virus Information Centre
http://www.Europe.DataFellows.com/vir-info/
VERY VERY GOOD site, virus list and information!

Dr Solomon's - Viruses In The Wild
http://www.sands.com/vircen/wild.html
Dr. Solly's virus list (not that complete however)

CIAC Security Site
http://ciac.llnl.gov/ciac
See what the government has to say about viruses.

Part 7 [ Computer Virus WEB pages & FTP sites ]

The following are links to WWW pages and FTP sites that offer live viruses and source code for you to download.

WARNING: Up until now all the viruses and programs have been safe-to-store however some of the viruses on some of the pages may be in live .exe or .com form, BE CAREFUL!!

Information Liberation Front
http://www.ilf.net/
VERY NICE site, pay these guys a visit!!

The Alliance Virus group
http://www.ilf.net/alliance/
Another nicely done site, these guys got it together!!

God@rky's Virus Heaven
http://www.ilf.net/god@rky/virii.htm
No list would be complete without this site, hell, most of the stuff above comes from his site, VXers or AVers CHECK HIS SITE OUT! Cicatrix's Virus Collection Updates are available here as well, be sure to visit at least once a month to make sure you have the updates.

Cicatrix's Site
http://www.cyberstation.net/~cycatrix
Yes, that's right. The creator of all the virus collections, is making his way into the world wide web. This site in the near future will serve all your mutation engine, construction kit needs and satisfy that urge to collect your copy of VDAT170.ZIP, an excellent resource for AVers and VXers alike.

Chiba City
http://www.chibacity.com/chibavrc.html
Excellent Site, back in action.

AuRoDrEpH's Cattle
http://www.ilf.net/AURODREPH/virus.htm
A site brought to you from VBB's Macro Virus master!
A collection of macro viruses are available here, as well as some excellent tutorials and faq's related to many aspects of macro viruses. Be sure to Bookmark this one, as it will be getting better!

Paniks Page
http://www.kuai.se/~panik/
TONS (TONS!) files!!

RickDoggs Virus page
http://pwp.usa.pipeline.com/~rickdogg96/index.htm
A really good page (he is also the maker of the rickdogg666 virus)

Virus Programing
http://lila.uc.pt:8082/~pedro/virus.html
Good place to start, RARE source and FAQ's

Computer Virus Lab - Home Page
http://www2.spidernet.net/web/%7Ecvrl/
This page is nothing more than an ad for a CD ROM, they boast over 13,000 viruses, however I doubt that .. if anyone has this CD e-mail me!

Virus And Other Fine Code Authors
http://www.ntplx.com/~sniper/vofca/index.html
A VERY nice web page!

J & A Virus page
http://www.bocklabs.wisc.edu/~janda/
TONS of stuff here.

Infection Connection
http://pegasus.cc.ucf.edu/~kes65601/
Cool name, wish I thought of that!

virii
http://wwwmbb.cs.colorado.edu/~mcbryan/bb/23/29/summary.html
Well, it's a start

Dante's inferno
http://www2.dgsys.com/~dante/virii.html
Only a few viruses.

Virii
http://www2.netdoor.com/~boomn69/virii/
Neat graphics! some good viruses.

Gugi's Virus page
http://www.geocities.com/SiliconValley/Park/4650/
Good page.

The virus and hacking homepage
http://www.cris.com/~Bstock/
Really good site, he gives a description of -EVERY- virus he offers (even has a Coolio midi)

Virus Authors Information Site
http://members.visi.net/~muja/virus.html
Nice, frames use could be better however you get the viruses so it doesn't matter. (I like what he says)

Cyber hazzard's
http://www.lafayette.edu/~warendaj/virii.html
mostly source.

Digital hacker alliance homepage
http://www.lochnet.com/client/dha/index.html
You gotta check this out, tons of stuff.

Seths virus page
http://home.webserve.net/~eldritch/virii.html
Not a whole lot here.

virii stuph
http://www.angelfire.com/pages0/goodie/virus.html
Some good stuff

A virus page with no title
http://www.geocities.com/SunsetStrip/3192/breaker.html
Nice layout, need an update on some of the links.

DarkChasms Virus page
http://www.geocities.com/SiliconValley/Heights/1789/
Lots of stuff, too many damn midis!

Virus/Warez/Hack
http://www.agate.net/~krees/virii.html
masses of links, no actual viruses but there are LINKS!

Dr. PhreeX Homepage
http://www.ao.net/~phreex
It's my page, over 1,000 live viruses and tons of source! (you do need the password, ask nicely!)

If you have any links to good (or even crappy) virus pages send 'em my way, I will add to this list later..

Part 8 [ Conclusion (By Dr. PhreeX Merin himself!!) ]

Well, after a few hours of surfing around and testing ALL THESE links I give you the "Computer Virus Site List 1.02", this is still a beta, it will be until I can no longer come across a new virus page, if you know of anything VX related please e-mail me (phreex@ao.net).

You might object to this list, many people do, they believe viruses should be illegal and no one should have access to them however if you dislike this then fine, don't read it or download from the above sites. The problem is lamer newbie fucks think the internet is like the real world, where there is an organized legal system to stop anyone that does wrong, well .. welcome to cyberspace, people like me will always be here!!

For a current copy of this list send a request to phreex@ao.net or look in the usenet newsgroup alt.comp.virus

Regards,
Dr. PhreeX Merin, PhD in the cyber underground

=============================================================================
Section Seven - Assembly Language Help For Beginners

I am continually asked via e-mail to help people *learn* to write viruses and or teach them Assembly language. Usually before this request comes about I am asked what language most viruses are programmed in.
When I tell them Assembly, and why it is Assembly language that seems to be the choice of Authors, they ask me "Can you write a virus in (Fill in the blank with a programming language you know other than assembly language)?". Viruses as many of you know, have been created in many languages, but for obvious reasons, many people stick with Assembly. Mainly it is the fast, compact code.

Well as most of you can see, I am pressed for time as it is maintaining Virus Heaven, let alone teach 50 people a month how to program in assembly. That in combination with the fact that I am learning myself. We then get to the common debate between the AV world and the Vx World, that learning Assembly by writing or studying viruses is a poor way to learn as most virus programmers write poor, buggy code. Buggy code that limits some viruses from being destructive by hindering the payload, or by limiting or crippling its replication process.

I originally intended to make this section a Beginner's Guide to writing Viruses and to get authors more comfortable with Assembly. I was going to start out with a commonly used INT list. But have come to realise that this was impractical for an E-mail based newsletter. One INT list that I have found is available in HTML format, as well as a downloadable text format. Well the text format is zipped, and altogether is around 7mb. It is supposed to be a complete listing. Little too big for me to be e-mailing you all.

But I won't leave you high and dry this issue. The Good Dr. Alan Solomon (of DSAV fame) suggested in alt.comp.virus a good site for learning Assembly, which is also an excellent reference tool for those who know some Assembly, but are interested in learning more. There are program samples and Int lists as well as descriptions examples. It is by far the best I have found in my searches. Here is the URL:

http://udgftp.cencar.udg.mx/ingles/tutor/Assembler.html

Happy Learning.

=============================================================================
Section Eight - Out With The Old/In With The New - E'zines

Well, with the release of what is said to be the Final issue of VLAD magazine (#7), we are seeing yet another disappearance of a classic Ezine die out. But to re-affirm my statement in the last issue of GVHN, I stated something to the effect that someone will emerge to take the place of the Ezines which are disappearing. And the Alliance has proven me right.

The Alliance Virus Group having undergone administrative changes over the last month or two, with the retirement of Rhys, the adjustments to fill in the void left by him, as well as the induction of new members.. AVG is looking the future very seriously and bringing you the Alliance Virus Group Ezine. For more information about this new creation, Visit their site at http://www.ilf.net/alliance There you will find out the up-to-date nitty-gritty on this Ezine, as well as how to contribute articles, source codes and anything else which may be of use to them.

=============================================================================
Section Nine - Virus Collection's Integrity - Questioned

Anyone who has hung around alt.comp.virus very long has seen most of the arguments against virus collection, and the active front that is mounting in attempt to stop it. Attempts at oppression in the newsgroup begin with the "Freedom of Expression and/or Speech" according to George Wenzel. Like we have our rights to talk in an unmoderated newsgroup about the distribution and creation (limited) of viruses, George feels that his and other alt.comp.virus viewers and participants rights of Freedom of Speech and Expression grant them the opportunity to write your postmaster about your exercising of your own rights in an unmoderated newsgroup. But it doesn't stop at it being George's right, he also feels it is his moral and ethical duty to report your actions and newsgroup postings to your ISP.
This is an attempt to oppress your Freedom of Speech and expression. This has been brought to George's attention in the last week in the newsgroup, but I do not remember seeing a response to this claim.

This isn't only George Wenzel's doing, however. There are many more people who float around this newsgroup who would like to shut you up. And I have seen a little easing up of people reporting incidents to postmasters, but then, we don't get to read about all of the incidents of this that occur. I have said time and time again that alt.comp.virus is not an Author or collector friendly medium in which to chat with peers with like interests. Hopefully the new newsgroup, alt.binaries.comp.pro-virus, will be a better medium for this.

Anyway, the common argument which leads to this article is that Virus collections available via the Internet have a poor integrity level and are probably not what you are expecting to get. To quote George from a recent post on alt.comp.virus: "most likely the files on virus web pages are not *REAL* viruses and are junk files or duplicates". While this can be true to some extent, I have to clear a few things up from this quote, as George has admitted to having little or no programming knowledge of the x86 Assembly language and that most of what he says regarding viruses is based on what his peers in and out of the Antivirus industry claim.

I know a good portion of what is available on Virus Heaven is actual viruses. My Source Code area is lacking, primarily because I am tired of weeding out the disassemblies from the source codes. But the executables area is loaded. I do not currently have the time to test every virus that is sent to me. I will take the author's word on what it is. I have done a lot of changing in what goes where, as I still do get "viruses" in e-mail which are in all reality trojans (i.e. they do not replicate).
Or I get viruses that have replication routines in them, but wreck the media on a hard drive so fast that there is no real chance for spreading.

Given my current shortage of free time, I publicly invite George Wenzel himself, an independent virus researcher, or an AV researcher of Dr. Solomon's LTD (DSAV) or Datafellow's (F-Protect) to download and research my collection for this mass amount of duplicate files or false viruses.

You see, if my collection, and those of others who keep decent collections on reputable sites around the net, were all crap, like George and his peers claim, they wouldn't be as concerned with the presence of these sites on the net. I think regardless of the ethics of these sites' existence, it is a poor claim to make when there is little or no data to back up the claim.

Any Researcher who would like to take on this task, please e-mail me, so we can chart your findings. After all, this is computer science, and in science, a hypothesis is nothing but hot air until there is data collected to prove or disprove the hypothesis.

=============================================================================
Section Ten - A Call For Help With GVHN

Well, this concludes this issue of the Virus Heaven Newsletter. Once again all of the articles appearing were written by myself. I do have a couple of submissions for the next issue so far, and will be incorporating them into the 3rd issue. Due to the large interest in this newsletter, I figured I would be an idiot not to offer and accept any submissions for The Virus Heaven Newsletter.

So I am hereby making an offer to anyone who wishes to write an article of any type, regarding anything related to virus writing or the Vx scene. I will review all submissions and contributions and include those that are presentable and related in the newsletter, with full credit given to those who wrote and submitted them.
I'm interested in seeing some of the work of those who are silently sitting in the corners reading this, as well as your feedback and/or suggestions. All submissions, contributions, comments and/or ideas should be sent to godarky@ilf.net.

*Note* All submissions will be subject to editing at my discretion. This will mainly consist of grammar/spelling editing as well as keeping things somewhat relevant.

=============================================================================