*******************************************************************************
**                                                                           **
**                      United Phreaker's Incorporated                       **
**                                                                           **
**                               presents....                                **
**                                                                           **
**                    UPi Newsletter Volume #1, Issue #2                     **
**                                                                           **
**                       The Virus/Trojan Horse Guide                        **
**                                                                           **
**                  By: Scarlet Spirit (Vice-Prez of UPi)                    **
**                                                                           **
*******************************************************************************

In this article I will present thoughts, ideas and facts about trojans and
virii. Most of them are very destructive and pack quite a punch to your
computer (in other words, something you don't want to come across).

First, let us discuss virii, since they are quite common and more
straightforward to discuss than trojans. There are 10 different things a virus
can do to your system:

 1) Virus Infects Fixed Disk Partition Table
 2) Virus Infects Fixed Disk Boot Sector
 3) Virus Infects Floppy Diskette Boot Sector
 4) Virus Infects Overlay Files
 5) Virus Infects COM Files
 6) Virus Infects EXE Files
 7) Virus Infects COMMAND.COM
 8) Virus Installs Itself in Memory
 9) Virus Uses Self-Encryption
10) Virus Uses STEALTH Techniques

A single virus can use pretty well any combination of these. Some of the most
heavily loaded virii are Whale, which does everything from 4 through 10, and
Fish, which does about the same. Now I will explain each of the above types in
detail.

1) Virus Infects Fixed Disk Partition Table:
The partition table lives in the first sector of the hard drive and records
where each partition starts and ends, so a virus that hits it can make the
whole drive unreadable. What it will do is either scramble your partition table
by rewriting it or erase it altogether. Some examples are: Azusa, Bloody! and
Joshi.

2) Virus Infects Fixed Disk Boot Sector:
This type of virus will overwrite or corrupt your boot sector, sometimes beyond
repair. There is quite an easy way of protecting yourself from such a virus:
get a small utility that backs your boot sector up to a floppy and lets you
restore it in case trouble strikes. This is better than counting on your virus
scanner to catch it, in case it misses; you know you have a clean copy if the
need arises. Some examples are: 1253, Korea and Invader.

3) Virus Infects Floppy Diskette Boot Sector:
This type of virus is similar to the one which infects the fixed disk boot
sector. The only difference is that it infects the diskette's boot sector and
not the fixed disk's. Some examples are: Curse Boot, AirCop and Chaos.

4) Virus Infects Overlay Files:
A virus of this kind will either alter your overlay files, usually by adding a
given number of bytes to them, or erase them totally. I don't know which is
worse, but they're both quite bad. Some examples are: 4096, Virus 101 and
Jerusalem 24.

5) Virus Infects COM Files:
This type of virus is similar to the one which infects overlay files, but it
infects COM files. It will alter or erase them just like it would do to the
overlays. Sometimes you'll find this type combined with the one which infects
overlay files to really fuck you up. Some examples are: Mix2, Terror and Brain
Slayer.

6) Virus Infects EXE Files:
Exactly the same as for COM files, but for EXEs. Some examples are: Striker,
Cancer and V-299.

7) Virus Infects COMMAND.COM:
This type of virus alters your COMMAND.COM, the command interpreter, and can
really mess your hard drive up. Without a working COMMAND.COM your HD will not
boot by itself, so to cure yourself you'd have to boot off a clean,
write-protected floppy and restore your HD from there. There's the odd chance
that the COMMAND.COM you restore from is already infected too, in which case
you'll be forced to reformat. Some examples are: Ontario, Wolfman and Flip.

8) Virus Installs Itself in Memory:
These types of virii are really a bitch. They load themselves into memory and
either sit there until a certain time and then go off, still staying resident,
or start damaging right away. Either way, every time you try to fix the problem
the resident copy goes back to work and reinfects what you just cleaned. Some
examples are: Dark Avenger, Ping Pong-B and Stoned.

9) Virus Uses Self-Encryption:
These virii keep most of their body encrypted on disk and decrypt it only when
run, using a different key (and often a slightly different decryption routine)
each time they infect. The point is not to lock you out of the file; it is to
leave no fixed string of bytes for a scanner to match, so the scanner has to
recognise the small decryptor instead of the virus body. Some examples are:
1260, XA1 and Kennedy.

10) Virus Uses STEALTH Techniques:
A stealth virus, while resident in memory, intercepts the DOS calls used to
read files and sectors and hands back the original sizes and contents, so
anything that looks through DOS (a DIR, a scanner, a checksum program) sees
nothing wrong.

That about wraps it up for the different types of virii. Now let's find out
where virii are made, how they're packaged and how you can protect yourself
from such danger.

Most virii are made by programmers, as you might guess, in many different parts
of the world. Some of the best come from Jerusalem, Israel and many other
exotic places. They are usually made by people who are experimenting with
different types of programming and want a change from writing their normal,
boring programs. Some are developed in universities by programmers who hate
their computer teacher and want to wipe the main HD out. One of the most common
places virii are made is in some idiot's own home; that person gets his kicks
out of wiping some guy's HD. Oh well, all of us get our jollies from something.

Virii come in a variety of packages. If you BBS, as you most likely do since
you are reading this, the BBS world is a breeding ground for virii. They can be
hidden in many different ways. For instance, when a new piece of software comes
out, that is the chance the programmer of the virus is waiting for: he takes
that package and replaces the executable file with an infected copy. Of course,
you're thinking "Wow! I've been waiting for this piece of software forever!"
and run it as soon as you get it. Next thing you know your HD is going berserk.
There are many other tricky ways people hide virii; you never know where
they'll turn up. You say to yourself "Is there no escape?" Well, thank god I
can tell you there is.
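For the partition-table and boot-sector advice in items 1 and 2 above, here is what such a backup utility does, as an added example written for this edition rather than code from the original article. It works on a 512-byte disk image constructed in the script (a real tool would read sector 0 of the drive itself, through INT 13h under DOS or a raw device file today): it parses the partition table, checks the 0x55AA signature, and compares a sector against a saved copy to report exactly which region changed before you put the backup back.

```python
"""Parse a 512-byte MBR and compare it against a saved backup.

Added example for this guide, not code from the original article.
Constructed disk image: build_sample_mbr() below fabricates a sector with one
bootable FAT16 partition. A real backup tool would read sector 0 of the drive
(via DOS INT 13h back then; a raw device file such as /dev/sda today).
"""
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 0x1BE      # four 16-byte partition entries live here
SIGNATURE_OFFSET = 0x1FE       # last two bytes of the sector
BOOT_SIGNATURE = b"\x55\xAA"
ENTRY_FMT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Return the bootstrap code and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[SIGNATURE_OFFSET:] != BOOT_SIGNATURE:
        raise ValueError("0x55AA signature missing: damaged sector or not an MBR")
    partitions = []
    for slot in range(4):
        offset = PART_TABLE_OFFSET + 16 * slot
        status, _, ptype, _, lba_start, sectors = struct.unpack_from(ENTRY_FMT, sector, offset)
        if ptype == 0:
            continue  # unused slot
        partitions.append({
            "slot": slot,
            "bootable": bool(status & 0x80),
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {"bootstrap": sector[:PART_TABLE_OFFSET], "partitions": partitions}


def sector_fingerprint(sector: bytes) -> str:
    """SHA-256 of the whole sector; store this next to the backup copy."""
    return hashlib.sha256(sector).hexdigest()


def compare_to_backup(current: bytes, backup: bytes) -> list:
    """List which regions of the sector differ from the saved copy."""
    findings = []
    if current[SIGNATURE_OFFSET:] != BOOT_SIGNATURE:
        findings.append("boot signature missing")
    if current[:PART_TABLE_OFFSET] != backup[:PART_TABLE_OFFSET]:
        findings.append("bootstrap code changed")
    if current[PART_TABLE_OFFSET:SIGNATURE_OFFSET] != backup[PART_TABLE_OFFSET:SIGNATURE_OFFSET]:
        findings.append("partition table changed")
    return findings


def read_sector(path: str) -> bytes:
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def write_sector(path: str, sector: bytes) -> None:
    """Overwrite sector 0 of an image (or device) in place with the backup."""
    with open(path, "r+b") as f:
        f.seek(0)
        f.write(sector)


def build_sample_mbr() -> bytes:
    """Constructed sample: placeholder boot code plus one bootable FAT16 partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[:3] = b"\xEB\x3C\x90"                        # typical JMP at the start of boot code
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x00\x02\x00", 0x06, b"\xFE\xFF\xFF", 63, 204736)
    sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = entry
    sector[SIGNATURE_OFFSET:] = BOOT_SIGNATURE
    return bytes(sector)


def simulate_infection(sector: bytes) -> bytes:
    """Constructed 'infected' copy: the boot code is replaced, the table is left intact."""
    hit = bytearray(sector)
    hit[:16] = b"\x90" * 16
    return bytes(hit)


if __name__ == "__main__":
    import os
    import tempfile
    clean = build_sample_mbr()
    print(parse_mbr(clean)["partitions"])
    with tempfile.NamedTemporaryFile(delete=False) as img:
        img.write(simulate_infection(clean))
        path = img.name
    print("before restore:", compare_to_backup(read_sector(path), clean))
    write_sector(path, clean)
    print("after restore: ", compare_to_backup(read_sector(path), clean),
          sector_fingerprint(read_sector(path)) == sector_fingerprint(clean))
    os.unlink(path)
```

Keep the backup copy and its fingerprint on a write-protected floppy, not on the drive being protected; the comparison is only worth something if the copy you compare against could not have been touched by the same infection.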
Some of the most skilled programmers have come up with programs to protect you
from virii: for instance McAfee's SCAN, CLEAN-UP and VSHIELD, and also Norton's
Anti-Virus and Central Point's Anti-Virus. There are many more, but these are
the most popular. I like McAfee's stuff best since it's updated most often and
easy to come by. SCAN checks your files and memory for virii. If a virus is
detected, SCAN tells you which virii were found in which files and gives you
the ID to use with CLEAN-UP. You then use CLEAN-UP to remove them; sometimes a
file can't be repaired and is lost. VSHIELD is just like SCAN except it's
memory resident (a TSR): when loaded it scans memory, COMMAND.COM and itself,
and from then on, if you happen to start an infected program, it stops you and
tells you what virus you almost ran. Norton's and Central Point's products do
the same but compacted into one program. The only problems are that they seem
slower, use more memory and updates are hard to come by. They are also
commercial, while McAfee's stuff is shareware.

Even with all this protection you can still get hit, so back up as much as
possible. Also, wait for other people to try a new piece of software and see
whether it affected their systems. You can also look through an executable
file for odd text; the Violator virus, for instance, carries a message from
RABiD near its end. Small executable files are also a hiding place: if a
program that is supposed to be a full utility turns up as a tiny executable,
beware, since most real executables are quite large.

Now let's move on to the other problem: trojans and ANSi bombs. These are
virtually undetectable by a scanner in most cases, since each one is a one-off
with no signature to look for. They are usually a lot simpler and smaller than
virii. One bang and that's all, folks: they do one thing and that's it, no
sticking around in memory.
There are a few different types I have come by:

1) Slam Bam See Ya Later, Hard Drive
2) Now You See It, Now You Don't
3) Faster than a Speeding Bullet, then Slow as a Snail's Pace

Now let's explain these funny but destructive phrases.

1) Slam Bam See Ya Later, Hard Drive:
This trojan horse, when run, wipes your hard drive and then dies. It can do it
in many different ways, such as destroying your boot sector, overwriting your
FAT, a simple erase routine or trashing your COMMAND.COM. These are hidden in
just about anything, from DSZ.COM to Norton's Disk Optimizer. Some examples
are: Giant Killer (by RABiD), EraseBoot and Frogger (a "Disk Optimizer" that is
actually a formatter).

2) Now You See It, Now You Don't:
This is an ANSi bomb, a trojan that is very easy to make; just about anyone
could make one. It uses ANSI.SYS's keyboard reassignment feature: an escape
sequence buried in the text redefines a key so that pressing it at the DOS
prompt types and runs a command of the bomber's choosing, and that command
wipes your HD clean. They are usually hidden in text or ANSi screens. They can
easily be prevented by using ZANSI.SYS or another ANSI.SYS replacement that
leaves keyboard redefinition out, and there are also small TSRs that will
protect you from such problems. Some examples are: well, sorry, none for you
this time, since there are so many variations and no names for them.

3) Faster than a Speeding Bullet, then Slow as a Snail's Pace:
This type of trojan slows your computer down majorly. It can usually be set to
go off at a given time; after that it slows the machine down a bit more each
time until it takes something like 30 minutes to load Pac-Man. An example is:
SlowDown 1.04.

There are many other types of trojans and I could be here all day telling you
about them. These are the most common ones, in order from most common to least
common. New ones are made just about every day which do different things. There
are not very many ways you can protect yourself from such trouble yet. FluShot
is one of the best, but it limits your computer in many ways.
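The ANSi bomb described under 2) above, as an added example that is not code from the original article: a scanner that pulls the ANSI.SYS keyboard-reassignment sequences (ESC [ ... p) out of a text or ANSi screen and shows which key was redefined to type what. Ordinary screens only use sequences ending in m (colour), H or f (cursor position), J or K (erase) and the like, so anything ending in p is worth a look before you TYPE the file with ANSI.SYS loaded. The screen it scans is constructed inside the script.

```python
"""Find ANSI.SYS keyboard-reassignment sequences (ANSi bombs) in a screen file.

Added example for this guide, not code from the original article.
ANSI.SYS treats ESC [ <key> ; <replacement...> p as "redefine key": <key> is an
ASCII code, or 0;<scancode> for extended keys such as F1-F10, and the rest is
what the key will type from then on (numbers are ASCII codes, quoted text is
literal). The sample screen below is constructed for the demonstration.
"""
import re

CSI = b"\x1b["
QUOTES = (0x22, 0x27)                 # " and '
PARAM_TOKEN = re.compile(rb'"[^"]*"|\'[^\']*\'|\d+')


def iter_csi_sequences(data: bytes):
    """Yield (offset, parameter bytes, final character) for every ESC[ sequence."""
    i = data.find(CSI)
    while i >= 0:
        j = i + len(CSI)
        params = bytearray()
        quote = None
        while j < len(data):
            c = data[j]
            if quote is not None:                # inside a quoted string: take everything
                params.append(c)
                if c == quote:
                    quote = None
            elif c in QUOTES:
                quote = c
                params.append(c)
            elif 0x40 <= c <= 0x7E:              # '@'..'~' ends the sequence
                break
            else:
                params.append(c)
            j += 1
        if j >= len(data):
            return                               # unterminated sequence at end of file
        yield i, bytes(params), chr(data[j])
        i = data.find(CSI, j + 1)


def decode_key_redefinition(params: bytes) -> dict:
    """Split the parameters of an ESC[...p sequence into the key and its new text."""
    tokens = PARAM_TOKEN.findall(params)
    if not tokens or not tokens[0].isdigit():
        return {"key_code": None, "extended": False, "replacement": "", "malformed": True}
    extended = tokens[0] == b"0" and len(tokens) > 1 and tokens[1].isdigit()
    if extended:
        key_code, rest = int(tokens[1]), tokens[2:]
    else:
        key_code, rest = int(tokens[0]), tokens[1:]
    pieces = []
    for tok in rest:
        if tok[:1] in (b'"', b"'"):
            pieces.append(tok[1:-1].decode("cp437"))   # literal text
        else:
            pieces.append(chr(int(tok)))               # e.g. 13 -> carriage return
    return {"key_code": key_code, "extended": extended,
            "replacement": "".join(pieces), "malformed": False}


def find_ansi_bombs(data: bytes) -> list:
    """Return one finding per key-redefinition sequence in the data."""
    findings = []
    for offset, params, final in iter_csi_sequences(data):
        if final == "p":
            hit = decode_key_redefinition(params)
            hit["offset"] = offset
            findings.append(hit)
    return findings


def build_sample_screen() -> bytes:
    """Constructed 'board ad' with normal colour codes and two booby-trapped keys."""
    return (
        b"\x1b[1;31mWelcome to The Shining Realm\x1b[0m\r\n"
        b'\x1b[13;"echo y|format c:";13p'           # Enter now types a format command
        b"Press ENTER to continue...\r\n"
        b'\x1b[0;68;"del *.*";13p'                  # F10 (scancode 68) deletes everything
    )


if __name__ == "__main__":
    for hit in find_ansi_bombs(build_sample_screen()):
        which = ("scancode " if hit["extended"] else "ASCII ") + str(hit["key_code"])
        print(f"offset {hit['offset']}: key {which} redefined to {hit['replacement']!r}")
```

Run it over a README.ROS or any .ANS before displaying it. A driver that drops key redefinition (the ZANSI.SYS approach) removes the whole class of problem, but the scan tells you who tried it.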
You can use it to write-protect your HD so no writes are made at all, or have
it ask you before any write goes through so you know when an illegal write is
being attempted. There are also programs like TrapDisk which catch the formats
trojans sometimes try and prompt you before a format is done, and a variety of
others. The best way to protect yourself from everything is to keep up-to-date
backups. Waiting for other people to try a piece of software before you do, and
finding out how it treated them, is also a good way of protection.

Trojans and ANSi bombs come in a variety of different packages, and they are
usually hidden better than virii. Some trojans come in the guise of a disk
optimizer that really wipes your HD, or a DSZ update that will wipe you out as
well; they can be found just about anywhere. ANSi bombs are usually hidden in
what seems to be a board ad, such as a README.ROS or something of that nature.
No piece of software can be trusted. Trojans and ANSi bombs are also hidden in
the same ways as virii, so you can refer back to the paragraphs above on how
virii are hidden and on protecting yourself from them.

This pretty well covers quite a bit about virii and trojans. Always be careful,
because everything isn't always as it seems to be. Never let your guard down,
because the day you do is the day you get hit. Even if you haven't ever come
across a virus or trojan before, there's a first time for everything.

Scarlet Spirit
Sysop of The Shining Realm
UPi Vice-President

Greetings Go Out To: Phantom Prowler, Black Bird, Tyler, Silent Death, Glass
Head, Dr. Dread, The Hellraiser, The Juggernaut, Galaxy Raider, D.J. Bravestar,
Iron Christ, Knight Excalibur, Dr. Sysop, Infiltrator, Demon Slayer, Dark
Staph, Dragon Highlord, Ninja Boy, Platinum, Neural Plexus, Vision Assembler,
Forensic Forsythia, Destroyer, Snowhawk, Dark Rider, The Jammer, Law N.Order,
and The Wild Genius. Sorry if I missed your name, but I could only include so
many.
Here are some personal greetings for all those people who make great impacts
on me:

Nyarlathotep: Cool it on the quoting. Your words are just as good as others'.
The Enchanter: How are the women? Sell me your HST!
Arc Angel: Ahh, that's too bad...

And in a place all his own, the person who was responsible for the destruction
and takedown of Spectrum. Yes, you all know him as that egomaniac from hell;
he's the one, the only: Space Ace! He thought he could run the group, but he
didn't have what it took and ended up GIVING UP and FAILING at what he started.
Oh well. No one's perfect.

Listing Of Current UPi Members.....

President:      The Lost Avenger (416)
Vice President: Scarlet Spirit (416)
Programmers:    Damaged Sectorz (602), Mad Hatter (514)
Couriers:       The Serious One (819)
Other Members:  Dantesque (416), Inphiniti (216), MCi Sprinter (216),
                Rocket Richard (313)

Call These Other UPi Nodes.....
-------------------------------------------------------------------------------
Node     BBS Name                  Area  Baud  Megs  BBS         Sysop
                                   Code  Rate        Program
-------------------------------------------------------------------------------
WHQ      The Violent Underground   416   2400  85    PC Board    The Lost Avenger
Node #1  The Shining Realm         416   2400  95    Telegard    Scarlet Spirit
Node #2  Inphiniti's Edge          216   2400  60    Aftershock  Inphiniti
-------------------------------------------------------------------------------

If you would like to join UPi as a member or as a node, please leave me mail on
any of the boards listed above. I will then send you the appropriate
application to fill out. From there you must send the completed application
form back to me, either by E-mail or by uploading it to any one of the UPi
sites.