-----BEGIN PGP SIGNED MESSAGE-----
Speaking of cryptostacker and beneficial viruses that encrypt files for you in the background, I just got a copy of one in the mail! I think this may be of interest to the group, so I am posting. ......... I can't seem to find mention of what the fast/casual encryption algorithm is. Instead of source code, a hex listing is provided. According to further notes, there is a hot-key for toggling floppy encrypt, and another hot key to uninstall from the hard drive.
All the same, if I get a chance this weekend I'll probably try it out!
Well, good luck with it. I'd personally like to see/do a disassembly of the _entire_ virus before I would install it - security systems are great for back doors, and a virus would be GREAT for such. There are a few things anyone using this program might want to watch for (I have yet to see it, though I'd be VERY interested in disassembling it.... anyone out there with a copy that wouldn't mind sending it _ENCRYPTED_ through E-mail? Full commented disassembly returned to sender ASAP!): 1.) Some anti-virus programs with heuristics are going to have a cow, most likely - CES, F-PROT, TBSCAN are a few that are likely (especially VIRSTOP from F-Prot - if I'm wrong, tell me...) and these are some of the best out there for personal protection (sorry SCAN & CPAV). 2.) I'd recommend NOT using it if you have a special master boot record, like Windows NT or some boot-based security systems or multiple boot choices. There are 9 sectors free at the beginning of most IBM hard drives, I assume this virus uses the first sector and 1/more of the others..... if another program wants to use these as well - I'd bet the virus doesn't notice until too late. 3.) Watch where the virus puts itself on floppies. If it is larger than 512 bytes (almost have to be for its functionality) then there are only three ways I know of to put additional code in: a.) Mark sectors bad, and place code there. Problem: DON'T "FIX" BAD SECTORS ON YOUR DISK WITH NORTON! b.) Use space after root directory entry and FAT to put virus in, just like the Stoned virus. Problem: Trashes data if there are more than 80 files in the root directory. Also sometimes causes other problems with High-Density disks.... And, if a new format of disk comes out - WATCH OUT! c.) Format extra tracks on the floppy - these tracks are rarely very reliable - you might loose information if these tracks give out, depending on the setup of the virus you might loose the disk. d.) This method I haven't seen, but I guess it could happen - create an actual file and allocate it from the FAT.... this might actually be safe, as long as the virus didn't let anyone delete it or write over it. 4.) Watch where it locates itself in memory: most likely it will lower the memory in BIOS before DOS gets loaded (CHKDSK will inform you that you have <640k low memory rather than the usual 65536 bytes....) which is generally relatively safe if the computer has a standard config. It may cause problems depending on where/how/when it allocates memory, though. 5.) What happens when you bypass Int 13h (which is presumably what it hooks) and use absolute disk I/O by directly using the driver? Careful with Norton and other diskfix programs that _might_ do this at times..... 6.) Don't press 'DISINFECT' from your favorite AV program without decrypting your disks first........... My bottome line is this: the virus may be cool, but why a virus? Viruses may work for attacking things, wiping stuff out, hacking stuff, whatever (although they always tend to hit more than the intended target, funny thing about that), but when the only user of a machine WANTS to do something with their machine, why a virus? I mean, honestly...... although I must admit, it solves the problem of distribution of software in the most interesting way - I want to see what happens if a commercial company writes one of these and COPYRIGHTS it...... "This program may only be used by the original purchaser. Any unauthorized copying, lending, or any other method of distribution is STRICTLY PROHIBITED! Violators will be prosecuted to the full extent of the law! You want I should infect this here hard drive? huh? huh? (Y/n)?" "BTW - if you're reading this message and did not buy this software, then we'll be sueing you in two weeks, your modem just dialed our mainframe." I suppose I may be being a bit judgemental, as I am speaking simply from the letter quoted above, but still...... it sounds very reminiscent of Fred Cohen's compression virus..... My Public Key: - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.3a mQCNAixUuYYAAAEEAKNllAee26qGqxJck3Bftdkrz0MUQLABGMZqVem9UW9kjjS+ rMAafauqYTE5/Kdnx+4Asj0Wgfon0YBtRMT0crMcBYNqVp4//RUh7wrxQNvKFeeO ZGuQp2hyHQqh1FDfWsHG4ldGqIV1YuOXq6oeIDkmbwgf8BRgPcZkwUqsF4b1AAUR tCpNaWNoYWVsIEEuIEVsbGlzb24gPGllNjNAdmF4Yi5hY3MudW50LmVkdT4= =0rss - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: 2.3a iQCVAgUBLG2BMcZkwUqsF4b1AQGe+wP+OeEKZd71ObybB4RuWa6rg761g0sNIqza L733m6EJkuxTzy0c9TwVO+S1+QXiI44O85QOA7dc84YQ0Y65Y6yEzudSSlFAN6UB CpjOQkia18ruY1CXY6mXsCAiNotWHzm2hcXASWLXXXkJi37jnfAOp3N+xWSk2+g6 Zm+0zgWa6hg= =YSOp -----END PGP SIGNATURE-----
participants (1)
-
IE63@vaxb.acs.unt.edu