Computer underground Digest Wed June 16 1993 Volume 5 : Issue 44
Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET)
Archivist: Brendan Kehoe
Shadow-Archivists: Dan Carosone / Paul Southworth
Ralph Sims / Jyrki Kuoppala
Copy Editor: Etaoin Shrdlu, Seniur
CONTENTS, #5.44 (June 16 1993)
File 1--Interview with a Virus Writer (Gray Area Excerpt)
Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost electronically from email@example.com. The
editors may be contacted by voice (815-753-6430), fax (815-753-6302)
or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL
Issues of CuD can also be found in the Usenet comp.society.cu-digest
news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of
LAWSIG, and DL0 and DL12 of TELECOM; on GEnie in the PF*NPC RT
libraries and in the VIRUS/SECURITY library; from America Online in
the PC Telecom forum under "computing newsletters;"
On Delphi in the General Discussion database of the Internet SIG;
on the PC-EXEC BBS at (414) 789-4210; and on: Rune Stone BBS (IIRG
WHQ) 203-832-8441 NUP:Conspiracy
CuD is also available via Fidonet File Request from 1:11/70; unlisted
nodes and points welcome.
EUROPE: from the ComNet in LUXEMBOURG BBS (++352) 466893;
In ITALY: Bits against the Empire BBS: +39-461-980493
ANONYMOUS FTP SITES:
UNITED STATES: ftp.eff.org (22.214.171.124) in /pub/cud
uglymouse.css.itd.umich.edu (126.96.36.199) in /pub/CuD/cud
halcyon.com( 188.8.131.52) in /pub/mirror/cud
AUSTRALIA: ftp.ee.mu.oz.au (184.108.40.206) in /pub/text/CuD.
EUROPE: nic.funet.fi in pub/doc/cud. (Finland)
ftp.warwick.ac.uk in pub/cud (United Kingdom)
COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views. CuD material may be reprinted for non-profit as long
as the source is cited. Authors hold a presumptive copyright, and
they should be contacted for reprint permission. It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified. Readers are encouraged to submit reasoned articles
relating to computer culture and communication. Articles are
preferred to short responses. Please avoid quoting previous posts
unless absolutely necessary.
DISCLAIMER: The views represented herein do not necessarily represent
the views of the moderators. Digest contributors assume all
responsibility for ensuring that articles submitted do not
violate copyright protections.
Date: 16 Jun 93 22:22:43 CDT
From: GRAY AREAS
Subject: File 1--Interview with a Virus Writer (Gray Area Excerpt)
((MODERATORS' NOTE: The following reprint from GRAY AREAS (Issue #3,
1993) is an edited summary of an interview with a writer of computer
viruses. The summary constitutes less than 20 percent of the entire
interview, so considerable detail has been omitted. We apologize if
we inadvertently over-truncated parts of the discussion for space
GRAY AREAS is a new hard-copy magazine (see CuD 4.65 for a review)
that improves with each issue. Each issue addresses topics in "cutting
edge" culture, including technology, art, music, and leisure. The
current issue (#3) includes an interview with controversial musician
G.G. Allin. Netta Gilboa impresses us as one of the most competent
interviewers on the 'Zine scene, and does for print media what Mike
Wallace and Barbara Walters do for television: She brings incisive
questions to bear on her topic and elicits uncompromising information
(in the Wallace tradition) while never losing sight of the subjects'
humanity (in the Walters tradition). In our view, it's definitely
something worth looking at.
A one year (four issue) subscription is available for $18 from Gray
Areas, Inc. / P.O. Box 808 / Broomall, PA (19008-008). More
information can be obtained from firstname.lastname@example.org))
NOTE: THE FOLLOWING COPYRIGHT MATERIAL MAY NOT BE SEPARATELY
RE-DISTRIBUTED OR CITED WITHOUT EXPLICIT PERMISSION FROM GRAY AREAS
GETTING GRAY WITH URNST KOUCH, COMPUTER VIRUS WRITER
By Netta Gilboa
Many people will dismiss Urnst before they hear what he has to say.
Others will hear what they want to instead of what he actually said.
Those of you who are willing to listen to his reasoning will find the
complex subject of viruses simplified and demystified. Viruses may
never again seem as scary.
I was surprised to learn writing and exchanging viruses is not
illegal. I was surprised to learn virus writers (for the most part)
look down on pirate files and pirate computer BBSs. I also learned
about several new viruses before the anti-virus community did which
seemed strange to me since it was their full time job and just one of
many stories to me.
Whatever you think about Urnst's actions, you'll probably agree with
him that viruses are here to stay with new ones being created every
day. There's material here for everyone. Whether your main interest is
in how to avoid getting stung by a virus, learning how to write one,
or in understanding people who do this for fun, read on.
We're certainly interested in your reactions, pro and con. Did you get
hit by a virus that was more than a minor inconvenience? Did your
opinion about viruses change at all as a result of reading this? Would
you like to hear from other, more malicious virus writers and/or from
the experts who defeat these viruses? We'll print as much of your
mail as we can. Viruses are surely as gray a topic as topics get...
Gray Areas: What is a computer virus?
Urnst Kouch: A computer virus, in simplest terms, is a small program
that must generally have two features associated with it. It has to
be able to find another executable program, so it has to have a search
mechanism, and it has to be able to duplicate itself and attach itself
to a program. So that the next time that program is executed, the
virus executes first. You can think of it as a very small piece of
code that when executed like any program goes out and attaches itself
to another program on your computer such as your word processor. When
you next fire up your word processor, the virus will execute first
because it has placed an instruction at the beginning of your program.
There are many more primitive forms of viruses which don't bother
preserving the integrity of your original program. When they are
executed the first time, they go out and search for another program
and they just write themselves down on top of it. They don't care
about preserving the functionality of the program that they've found.
They essentially just destroy the portion that they have taken up
residence in, and then the next time you would execute your word
processor, it has been infected by this virus, called an overwriting
virus. The virus will then execute again and then look for another
program and your word processor won't execute because it's been
destroyed. You will get a cryptic error message which generally is
generated by the virus.
UK: Oops, usually there is an oops message in there. This is something
people notice right away. Oh, it's not working. Occasionally, some
virus programmers get a little more clever and put a little message in
the virus so the virus when it's done finding other programs to infect
prints a message to the screen that says out of memory or some other
DOS error message.
GA: Any particular reason you chose the handle Urnst Kouch?
UK: No. (Laughs) Just a name.
GA: So in other words, it is not someone's name from history or
UK: No. I got tired of seeing the same names. I've seen so many Count
Zeros and Kilgore Trouts.
GA: So it was an attempt to be unusual?
UK: I don't know if it was an attempt to be unusual. It was just a
name that popped into my head. If you really want to know where it
came from, there used to be a jeans or a sneakers commercial. It said
life is short so play hard, so I just thought, oh well, there's a
great commercial, change it to what most Americans wish it would be,
life is short, lay on the couch. So, that's how the Kouch came about.
Now I needed something to go in front of that. I thought Kouch
sounded vaguely dramatic. Urnst is kind of German. That's where it
came from, just a name. People could almost think that it's a real
name, normally. Stretching.
GA: What demographics about yourself can you share with our readers?
UK: I'm about 35. I have a Ph.D. in chemistry.
GA: How did you personally get interested in viruses?
UK: Well, part of it came out of 1992 when the general media began
covering Michelangelo in such a hysterical panic. I smelled a rat.
This seemed absurd so, knowing something about computers, I started
researching. I eventually wound up writing on it. During my course of
research I wanted to dig up some viruses so that I could have a look
see for myself and, of course, the people in the anti-virus
communities did not turn out to be very forthcoming when I asked for a
few samples of viruses.
GA: They don't even seem to want to answer theoretical questions.
UK: No, they don't even like to do that. So I just went out and
assumed that there was probably a lot of virus code lying around in
underground channels. And this was the case. This leads to a kind of
leveraging effect whereby once you accumulate certain things and start
talking about them, then the more respected avenues begin to open up
for you and the anti-virus researchers take you seriously which is
kind of hypocritical, but it's the way things are. To get access to
some of the virus archives on underground sites, you have to come up
with an original virus that they don't already have. You can either go
out and try and find one, which isn't that hard, or you can write one
yourself and upload it. So that's what I did. It's not hard to write a
virus, and I somehow found a copy of the Mutation Engine which I
thought was interesting.
GA: You should explain what that is, especially for people who don't
UK: The Mutation Engine was briefly mentioned around the time of
Michelangelo as a product by a Bulgarian programmer known as The Dark
Avenger. He's famous in the virus community, well-known to anti-virus
people too. He's written a series of viruses which have found their
way into the West and he's known for trying to make challenging codes.
I guess that would be the best way to express it. Then last year he
uploaded something called Mutation Engine which was a segment of code
which provided any virus that included it with variable encryption.
Now when I am saying variable encryption, some viruses use encryption.
All encryption does is when the virus is done doing it's thing,
finding a file to infect, it will copy itself into that file at this
point, and will encrypt its instructions so that it looks like a hunk
of nonsense attached to the end of the file. The only part of the
virus that remains constant is the decryptor which the encryption
routine adds. The decryptor is the portion that the virus needs to
ungarble all the instructions.
When the infected file is executed, the decryptor is the first thing
to begin to work in it. Now, if you hide suspicious messages in your
virus, when someone is looking at a suspected infected program under a
file viewer which are pretty common tools in utility programs, you
don't want a dead giveaway like, "Ha, Ha, I've got you or f--- you
lamer," sorry for my French but we will be blunt. That's what's in a
lot of stupidly written viruses. And so a simple encryption routine
allows you to hide those kinds of things.
How the Mutation Engine differs is that it provides variable
decryption that has a complex mechanism in which it changes the scheme
of encryption so every time the virus copies itself it adds a
different decryptor on a random basis. The decryptor will change the
content of its instructions; it could change in size, this makes
finding a constant set of instructions impossible because it's
constant. It is a very sophisticated piece of programming and in
comparison to the viruses that it's used in, it is much larger: about
2,000 bytes in size, where most viruses are about 200 or 300 bytes in
size. Mutation Engine viruses benefit from this variable encryption
since scanners, at the time of its release, could not detect viruses
using it. Some still do have some difficulty doing that because a
whole different approach to virus scanning had to be programmed into
the utilities that the manufacturers were making. Now they had to be
able to disassemble the infected file, looking for sets of
instructions, characteristic of the decryptor that the Mutation Engine
used. Without getting too technical, you can use statistical methods
to do this. If you load it into a symbolic debugger and step through
it, you can see that the decryptor follows a pattern. It always
changes every generation, but there is always a constant pattern going
Good programmers can see this and program that into their software so
that the pattern characteristic of the Mutation Engine code can be
flagged. Then we know that the Mutation Engine is there. It was blown
out of proportion because it has a sexy name. The significance I think
of the Mutation Engine is the inspiration it has provided for virus
GA: So, basically, you have been involved and interested in this for
about a year?
UK: Yeah. To get access to virus libraries you had to upload an
original virus and the first one that I came up with was Crypt Lab
virus which was a hack. I uploaded it to a couple of virus exchange
BBSs in this country and then got access to their virus libraries.
>From there it is simple to start building. My library just kind of
snowballed. It's a mistake to think that virus exchanges are a threat
and run by geniuses. That's just not always the case, although some
GA: How would you define your role presently in the virus world?
UK: Just someone who publishes them in an electronic newsletter which
looks at the virus community just as it would look at the anti-virus
community. There are no other publications that just look at both
sides of the coin rather squarely, provide real technical as well as
general information. It covers a broad spectrum of the computer
reading audience. Someone who is almost completely computer
illiterate can at least recognize some things in the Crypt Newsletter,
but not everything. That's it. As a functional part of that I have
to continue to provide semi-interesting code samples that actually
work as well as other things. I think it gets boring really, really
fast, if you're just in the processor pumping out viruses. That's the
hard part. The interesting part for me is actually putting in the
other things: the analysis, the news, the commentary and that kind of
GA: Do you want to mention that you are running a BBS (computer
UK: Yeah, sure. Call anytime. It exists for people to come and get the
Crypt Newsletter if they are interested in finding it without going
through the usual hassles of underground channels like the cool, elite
bulletin board systems. The underground world has become very
exclusive. In a sense it is cliquey, and if you are not associated
with the right people you don't get entrance. It seems to be totally
opposite of what the computer underground started out as, but this is
what it is now. So if you don't want to go to your local pirate BBS
where they stock it, and get through their new user voting screen
whereby a like-minded bunch of buddies decide if a complete stranger
that they've never heard of before should get entrance to this
exclusive domain; if you don't want to put up with that fuss or have
to come up with some virus before you get it; on my BBS, you just get
it. Which is how you should get it everywhere, but I can't control
that, I can't care about it that much. You don't have to be cool to
GA: What skills are required to write a virus?
UK: Almost none. It's a myth that you have to be a programming genius
to write a virus at this point. That may have been true when the idea
was novel. It certainly hasn't been true for the last two or three
years. There's so much source code lying about that anyone with a
passing knowledge of the computer and a little bit of determination, a
desire to do it, can take a stab at hacking an existing virus. This is
rather common when coming up with an original virus which can be
cobbled together with segments of or ideas from others. Writing one
from scratch is the hardest way to do it.
GA: Aren't they all written in programming languages?
UK: Assembly mostly. By far most viruses are written in assembly
GA: So you have to understand what assembly language is?
UK: Yes, you have to know assembly language, be able to recognize
assembly language code and have a general understanding of what
assembly language instructions do. You have to be able to recognize
within a sample of code what the instructions are doing, so that you
can follow the virus. In that sense you do have to immerse yourself
in assembly language coding. But it's not as hard as one would
believe. There are good books, and there's plenty of virus source code
around, so with books in hand and looking at virus code in a dedicated
fashion, you can get the hang of what is going on rather quickly.
Viruses all share a commonality, there's just not a lot of variability
there in terms of what they do.
Some people write viruses in higher languages like C or Pascal. Those
are few and far between because it is difficult to make the virus
agile enough in those languages for them to function efficiently on a
machine. A virus has to be small and quick to do the best job. It is
difficult to do that with languages like C and Pascal simply because
there is a great deal of overhead involved in the languages when they
are compiled. If you look at a program that is written in C to do a
certain function on a computer and then you look at a program that is
written in assembly, the assembly program would be much, much smaller
than the program written in C. C is conversely a language that is
easier for people to understand because it is closer to English.
Whereas assembly language just has a bunch of, at first, what would
appear cryptic instructions.
GA: But it is basically the type thing that anybody with a degree in
computer science can do?
UK: Oh, I would think so, certainly. I don't even think you need a
degree in computer science. I think fifteen year old kids who are
really into computers can write viruses.
GA: And I bet they do.
UK: I'm sure they do.
GA: So how many viruses have you made and which ones are they?
UK: I don't know all of them. Well, there was the Encroacher. That was
in one of the Newsletters. That was a Mutation virus that attacks
Central Point Software's anti-virus program. There might have been
three variants to that. There was the Insufficient virus which is
another Mutation Engine companion virus. You know what a companion
UK: Most viruses function by attaching, we are talking about file
infecting viruses purely here, and most of them attach themselves to
those files. Companion viruses are spawning viruses. A spawning virus
or a companion virus will look for a program on your computer that is
an .EXE and it will make a duplicate of itself. Then it will rename
itself as that program except the extension will be .COM. Because of
the rules of DOS, when you call a certain program which might be your
word processor or something like that, DOS will execute a .COM file
before it will execute an .EXE file. Well, the virus just simply
renamed itself, made a copy of itself, renamed as your word processor.
The virus will execute first and then it will hand off to the word
processor program or the infected target program, and things will
function normally and the virus will, if it is a direct acting run
time virus, it will go off and search for another program to infect.
If it is a resident virus it will now be installed in memory and it
won't have actually changed the infected file at all, so anti-virus
software that checks for changes made in files won't detect a
companion virus unless it is smart enough to look for identical file
names. Very few anti-virus software programs do that.
GA: Certainly when you wrote that one, they probably didn't!
UK: I believe they still don't. Companion virus infections can be
easily removed and the machine restored to total health, simply by
looking for all the small .COM file duplicates that reside next to .EXE's
and deleting them. The virus creates these files as hidden
system read only files. So if you do a simple directory, uneducated
people won't see them. They are going to be hidden like the system
files in your root directory. You won't see them when you do a
directory search. You have to change the attributes on them to see
them so that they are not hidden and read only, or else you have to
have some kind of file manager like X-Tree or PC Tools that
automatically lets you see even the hidden files on your system. It is
a minor annoyance but it does a little bit of stealthiness there.
Almost all companion viruses create themselves hidden files.
Eventually some people start to notice because they start losing disk
space, the disk is filling up with hidden files which are the virus.
GA: Then there was the Crypt Lab virus, right?
GA: And that was recently mentioned in Discover magazine?
UK: Yes, that was at the end of the article. I got the Virus Creation
Laboratory, and I spent a lot of time going through it and creating
some variants to that just to see what it could do. One of those was
Anyway, if you execute the virus, there are three forms to that virus.
One will infect all files until it can't find anymore files to infect.
It will put on a display that says, "Eat My Diarrhea," which I think
it is one of his favorite phrases. Another variant of the virus goes
about doing it's business and while it is infecting other files, it
drops a small program onto files. That does not infect. This destroys
those programs, essentially creating what I call zombies. The zombies
merely display the neon "Eat My Diarrhea - GG Allin and the Texas
Nazis," in neon color. As soon as you run one of those things you know
you've been the victim of a prank or something like that. So that's
what the Diarrhea viruses do. They are created with the Virus Creation
And then there was another virus creation type tool that's been
produced by the members of Phalcon/Skism virus programming group.
There was the virus I made using code from the Virus Creation
Laboratory and the Phalcon/Skism Mass Production Coder I think it's
called. That was called the Mimic virus. And the Mimic virus came in a
couple of flavors. It was a file infecting virus which created a mimic
of the Jerusalem virus. The screen is characteristic of Jerusalem.
Another one I created was the Den Zuk Mimic. With the original Den
Zuk, when the person does the three finger salute (hitting
control-alt-delete keys at the same time) to reboot the computer, this
graphic comes up on the screen and shows Den Zuk. It's kind of a nice
graphic too I must admit. I like that. I put that into Den Zuk Mimic
to make programs show that graphic.
GA: I thought there was some other virus.
UK: Is it recent? In a recent issue of the newsletter?
GA: No, I'm getting it from the VSUM listing. There were four viruses
in the December 1992 issue that listed "Kouch."
UK: I tend to be only really familiar with the recent ones that have
been published. Maybe it will come to me.
GA: What's so exciting about viruses and source codes?
UK: I like the word "interesting" more.
UK: Well, particularly interesting because of the misinformation that
goes around concerning the viruses. There's a great deal of it.
There's a great deal of mystery that shrouds. I don't think there's a
lot of mystery associated with viruses. Viruses, in my opinion, are
rather trivial programs that, once you're thoroughly cognizant of what
a virus can and can't do, become more like a pest if you ever run into
one. You should be able to get rid of it rather quickly in your
machine. And it might interest you to know that one of the anti-virus
software programs in its own virus database in that program displays
the severity of damage that viruses can do. Fully 95 percent of the
viruses listed in that database, are characterized as trivial. It
takes three minutes to reset the machine to proper working order. And
that's fairly accurate, I think, and that's not something that's
common knowledge. People think it's a major catastrophe when they are
hit by a virus. I do not take seriously claims of people being set
back for hours. If they are completely ignorant of a virus, yes. But
someone in the department or in the household knows about viruses. No,
that's just an exaggeration. So viruses are interesting to me because
of that. Because of the great variations in opinions that surround
GA: And also the myths.
UK: The myths on them and the controversies associated with a virus.
When anyone speaks up about viruses.
GA: That's becoming very interesting to me.
UK: Politically incorrect terms. There's always been a great deal of
controversy surrounding this. And so for this reason alone, viruses to
me are interesting. For example, on Prodigy it is okay for dozens of
people to advertise adult bulletin boards, with gigs of pornographic
files available for download. These are not expunged from the Prodigy
computer club as inappropriate. However, if anyone posted a note on
Prodigy saying they want to find a virus, can someone help them locate
a virus, that is immediately spiked. Why is that? I'm not sure. But
GA: I've had a lot of trouble getting in touch with the Virus-L
Newsletter from the WELL.
UK: The Virus-L publication is pretty much dogma. I've seen it a lot,
I've never thought very highly of it. There are bright people that
contribute to it. It is not particularly useful.
GA: Well, it is a major place that people who don't know anything
about viruses go to turn to when they think they've been hit.
UK: Well, they won't find out a lot from that publication. (Laughs)
People only talk about viruses in general terms.
GA: I asked several people to contribute questions. The number one
question people had for you was what gratification or satisfaction do
you get from this?
UK: Well, I enjoy publishing the Crypt Newsletter. It's a challenge to
make it interesting to a lot of different people and I enjoy the
response that comes in. Some of the people that I've met through it
have been rewarding. I don't meet a lot of stumps. I wouldn't continue
to do it if there was absolutely no response and people didn't show
some curiosity and the desire to see more of it. I want to give them
more for their trouble, so that makes it an evolving thing. You want
to see if you can top yourself and make it more interesting. There is
a great need for this kind of look at viruses. I don't think you can
get that from Virus-L to be quite honest with you.
GA: Or from anything else.
UK: You'll get it from some other underground publications, of course.
They are hard to find. Some people are turned off by the smoke and
brimstone they come packaged with. My newsletter is a little bit
different than trying to be so blatantly sociopathic. And I'm sure
there are people who read it and think that I am a sociopath. I don't
think I am, I think that's clear in the newsletter.
GA: I think most people who think you are a sociopath wouldn't read
UK: Probably. They would read it once and then toss it. I really like
the work of Mark Ludwig. The Little Black Book of Computer Viruses, to
me, was extremely interesting. It was the first book that I was able
to get ahold of on computer viruses that had any good information in
it and he's continued to do that kind of thing.
GA: Right, he has a new edition coming out and a newsletter which
prints virus code.
UK: And, so, why is that interesting? Well, he explains why viruses
are interesting for a number of reasons. Part of it because of the
controversy that the concepts brings up. In a way, I think studying
viruses gives you a good understanding of the computer on a really low
level basis, and that's worthwhile. For some people that makes the
computer much more enjoyable as they start to unlock some of its
secrets or understand what is actually going on inside it a little
better. Viruses are kind of an indirect way of getting at that
information. Maybe you're bored in your computer class listening to
the dogma of understanding the operating system of the PC, but maybe
you are interested in computer viruses because you like the concept
associated with practical jokes and want to start to look at computer
viruses a little more. You become more curious, it becomes more
involved and now you are starting to get a better grasp of what
someone is trying to teach you in the computer course at the same
time. It is an indirect method, it's not an obvious way, but I think
that it does happen.
GA: Nowhere Man.
UK: Nowhere Man. He's an interesting individual. He spends a lot of
time programming different things.
GA: So basically there is a social aspect to this too.
UK: Yeah, yeah. Talking to different people around the country,
through the computer and meeting different people, getting their
ideas. They're interesting people.
GA: How much of your time does this take up in an average week?
UK: It depends. I tend to do a lot of it late at night. I think it's
hard to say. Right now I'm spending more time on the BBS than I have
on the Crypt Newsletter.
GA: And regardless of what the BBS was about there's just maintenance
that takes time every week.
UK: Yeah. I'm uncomfortable with quantifying things, so, as much time
as it takes to do it right.
GA: About how many groups are there in the virus world? Active and
UK: There's Phalcon/SKISM, NuKe, there's YAM. There was Rabid. They
supposedly disbanded, but I got a virus the other day that said Rabid
lives again, so maybe they do. The virus doesn't work. (Laughs) You
know what I mean. It's hard for me to tell. There was a British group
called ARCV. The Association of Really Cruel Viruses, that's what it's
called. And they pumped out a bunch of viruses over the summer and the
fall. Their leader was busted by the authorities in England for a
phone fraud related kind of thing. So I have no idea of what the
status of that is. They certainly made quite a few viruses. They have
one resident virus that they subsequently modified quite a bit and
they have a model of a direct action virus which they've also
GA: So about a half a dozen groups more or less?
UK: Yeah, but I'm sure there are smaller groups that I haven't
GA: And individuals?
UK: And individuals. I think that the lone virus programmers are
actually more common than the groups because the groups are never as
monolithic or as united in anything as they're portrayed. They are
just a couple of individuals who have a loose association with each
other. Like NuKe. One of the members of NuKe, Rock Steady, is French
Canadian. Nowhere Man is from the Midwest. They may talk a lot but
obviously they are separated by geographic locations. So how tight can
that organization be? And then NuKe has a division in Australia and
some people there who run the BBSs and do virus programming in
Australia. There's a Scandinavian group, I forgot about them, called
Demoralized Youth who apparently created the Hitler virus which I
included in the Crypt Newsletter. And they produced things like the
PC Byte Bandit which you see on a lot of bulletin boards.
GA: Do such groups exist for other computer types like Mac, and Atari?
UK: Well, that's a good question. I know there are a lot of Commodore
viruses but I don't know if they are groups or the infrastructure is
quite the same. As for Mac, I would think probably not because you
know there aren't many Macintosh viruses.
GA: Are any of those differences between the computer types worth
noting? Like is there a reason why there are fewer Mac viruses, does
it have something to do with their operating system?
UK: Yeah, the operating system on a Macintosh is less open, for the
simplest explanation, than the IBM PC, therefore fewer people are
writing programs that will operate as viruses will on it. It's a more
cryptic system shall we say.
GA: Do some of these groups that you are aware of try to make money or
is all this being done for free?
UK: Well, Aristotle is the sysop of the Black Axis Virus Exchange.
He's the fellow who informally put together, who is formally the head
of what is known as the Vx, like in Rx. It's a loose network of virus
exchanges around this country, about twenty, maybe a little less than
that now. He has a really large collection of viruses, something like
over 2,500. 600 samples of source codes, there's lots of duplications
in there, so he's packaged it up rather neatly and gotten the word out
in almost formal advertisements that he will sell his collection for a
lump sum. I forget what it is. Somewhere between $100-250 dollars. He
tells me he's gotten 40 takers. So there you have someone who is
trying to sell the viruses for money. I've seen advertisements to
this effect on other virus exchange bulletin board systems. Others
would like to sell their virus collections, depending on what the
market will bear, I guess.
GA: How big would you estimate that the virus community is? Can you
estimate the total number of virus exchange boards or the total number
UK: I can't identify the number of users. I can make a rough estimate
of the virus exchange boards. At least 20.
GA: In the whole world?
UK: No, in this country. What do you mean by virus exchange? We've got
to set some rules here. Let's count all the ones that specialize in
this, that have collections of over 1,000 viruses. I'd say at least 20
GA: My interest in this comes from the Michelangelo scare, which of
course we are taking in retrospect with a grain of salt, but they
reported that the people in other countries such as India or wherever,
had so little access to U.S. anti-virus programming. In some of those
countries they don't sell anything legally to remove viruses. So if
they were hit by something, they don't even know where to go to get
something that will clear it up.
UK: You don't need anti-virus software to get rid of something like
Michelangelo or Stoned. You can do it with undocumented commands. If
you've talked to someone who does know something about viruses, and
you didn't have anti-virus software, you could use that and dispatch
something like Michelangelo and Stoned rather quickly.
GA: So you think the reports about problems in other countries are
UK: Well, there's an article which analyzes the media coverage of
Michelangelo and I think that really puts it into perspective. It
really shows the people that tried to actually come up with hard data
after March 6. They just weren't able to come up with anything that I
consider serious data. I remember them coming up with things like
South Africa was reportedly hard hit. Says who? You know what I mean.
You know how journalists work. They get on the telephone for like five
minutes with someone in South Africa and the guy says we've been hit
by a thousand. How does he know? And there was one that was even
funnier. I think it was some military computer in Uruguay or Paraguay.
The virus does exist but I just don't think that it was common. I got
one call from some kid and he's concerned he might have that virus
because he's had floppy disks that are dying right and left on him.
Well, I said, "Do you have any anti-virus software?" I'm trying to
help him over the phone. He says "No." I said, "Do you use bulletin
board systems?" He says "Yes." "Alright, what you want to do is call
up one of these and get some anti-virus program and download it and
copy it immediately to a right-protected floppy disk. Without doing
anything else and once you've got it on there, execute it until it is
all laid out on a diskette for you and then write protect that and
then put it in your floppy drive and scan your hard drive." So that's
what he did and he found out he had the Disk Killer virus, completely
a bird of a different feather. Actually, it is more annoying. It is a
boot sector infector like Michelangelo but once you discover it, you
usually don't have much time left before it activates. It has a very
short activation period after it has been first placed on a disk and
then it encrypts the information on a disk which essentially makes it
useless to you. So he removed it, but it wasn't Michelangelo, he had a
different virus. So where were all the Michelangelo infections? Were
there any? I think it was vastly overstated.
GA: You mentioned before that people who work for software
corporations write viruses.
UK: And they program viruses or collect. There just doesn't seem to be
any motivation to them other than that they are what I call stamp
collectors. They just like to have a large collection of viruses, like
people have large collections of baseball cards. That's a big thing,
baseball card collecting. Why do people want a huge collection of
baseball cards? I don't know. But I have a large collection of
viruses. So, there's that collecting thing and that's not the same
motivation as other people who write viruses. And then there's a
mischief maker, a hell raiser, an angry young man kind of guy. He
wants to put his mark on the world and have revenge on his school or
something like that and maybe he's going to write a virus. I just
don't think that there's any common denominator. Trying to write it
off to one segment of the population is idiotic. Quite frankly, you
can talk about different segments of virus programmers. To judge them
all based upon one set of rules, disgruntled and angry at the world,
is just absurd.
GA: The media does portray that whole image at the Bulgarian virus
UK: Another sexy story.
GA: Why Bulgaria? You are basically saying it's lots of other places
too and that's just a myth?
UK: Well, there are a lot of viruses that came out of Bulgaria. You
can't discount that fact. There were Bulgarian virus programmers and
there is The Dark Avenger and you don't want to minimize that, but
that's not the whole spectrum of it. Maybe they are more serious and
dedicated or they were for a time. But, no, Germany has virus writers,
Poland has virus writers.
GA: Right, Canada.
UK: There are callers to my BBS from Lisbon, South Africa, Canada. I
would assume anywhere there are computers, there are virus
GA: And any place there are disks, there are collectors.
UK: That's right. I mean Scandinavia, India, Thailand have virus
programmers. I would be hard pressed to think of a place that doesn't.
GA: We kind of touched on this before, but how can people best protect
themselves from viruses?
UK: I would say that since virus code and viruses are going to be with
us just as long as computers are going to be with us and if you are
really concerned about it, then you should try to find out some of the
basics of virus behavior so you can rule out a lot of things that
aren't going to affect you. You've got to know that a virus is
dependent upon an executable program to spread on your machine. You
must execute it first. Knowing that, any executable program that comes
into your machine then becomes, if we are not talking about boot
sector infectors here, a possible virus candidate and I would just say
that you should get a perfunctory anti-virus scanner. Find the
cheapest one you can. A lot of companies are now letting the scanner
portion of their software go for free. Don't get a lousy scanner. You
are going to have to do some reading. I can't make it easy for you.
I'm not going to make product recommendations, obviously, but you can
get some for extremely cheap if not free.
GA: So you recommend that people have something?
UK: Yeah, at this point. If you want the least amount of work
involved, get a cheap scanner or an almost free scanner if you can,
and by doing a little reading you will find out what the best product
is. You are just going to have to go a little deeper than the glossy
magazines. Be a good consumer, okay. The chances that you are going to
come across a very clever and totally new virus which is going to
become resident upon your machine and stay invisible for a long period
of time, are exceedingly rare, and I just don't think that you should
concern yourself with that. I have just never been victimized by
anything. I'm more educated so I don't worry about it. I take some
precaution but nothing like some. So get yourself a cheap scanner if
you feel you must have something, and as you go along in your
computing, try to get a good idea of what viruses do. Ignore the hype
associated with them. Most viruses are not 100% transparent. They will
misbehave in a manner that is repeatable. So if you have something on
your machine that's going wrong and it seems to be random, it's
probably not a virus because viruses are made out of discreet
instructions, and they are going to do the same thing. The problem
will repeat itself. So either you have buggy software that is
repeating the same bug or you could have a virus.
If you are going in harm's way, where you might have to worry about
possibly getting a virus infection; like if you are an obsessive,
compulsive downloader, if you use places or services that have a lot
of public flow of disks in and out, if you buy a lot of retail
software from someone that you suspect is rewrapping software that has
been used in someone else's home already, there's a possibility that
you could occasionally become infected, but still it's just not real
common. For boot sector infectors, try to keep those diskettes from
staying in the slot on the A drive at night after you turn your
computer off. If you did that and then your computer starts behaving
weirdly, then you might worry.
GA: You also mentioned the virus that attacks Central Point's
software. If you don't have Central Point that virus isn't going to do
UK: Yeah, right, so what? And then you program to attack something
that presupposes a level of technical understanding which may not be
in your average disgruntled employee. You've got to have someone who
has an ax to grind for a long time to think of a really finely crafted
virus to destroy something. There are one or two viruses like the Dark
Avenger which are extremely destructive on business systems.
GA: What's the scoop with the Proto-T virus?
UK: Oh, that's just a joke. This happens periodically on the networks,
and I first noticed it on the Fidonet. Some prankster or a group of
pranksters uploaded this completely bogus story about an unknown virus
hidden in the archives of one of the numerous PKZip hacks and it was
like science fiction, it described things which were impossible for
GA: Destroying the video card was one.
UK: That's an old one, or writing itself to video memory is completely
nonsensical because the virus would crash almost immediately. Just
from what I know of how people react on the networks, I knew that
there would be hundreds of people beginning to think that there was
some credence to it. This spread all around the world.
GA: Well, with Michelangelo, the news traveled. In 24 hours everybody
knew about Proto-T.
UK: I was just about ready to publish an issue of the Crypt Newsletter
so I had a generic resident virus that I was including in it. I
thought I would just customize it and have Proto-T as the name. I
figured that people would not read the documentation. The real story
is that this was just a name. These Proto-T pranksters came up,
whoever they are, with this stupid Proto-T story; we might as well
give them something to go along with it. It spread, it really spread.
I saw people on Prodigy, some of the hackers that show up on there,
saying that they swore they had copies of source code of Proto-T from
some virus programming newsletter, which means to me that they
stripped the code right out of the Newsletter almost immediately, and
didn't even bother to read the note that came with it. It didn't even
come close to imitating fictitious achievements of the real Proto-T
which were flatly impossible anyway. And it just spread all around.
GA: What about YAM (Youngsters Against McAfee), the name is used
against McAfee so it kind of implies...
UK: You ought to look at their stuff! They spelled McAfee wrong a
couple of times. I don't know, I just don't know. What can I tell you.
I wouldn't have chosen that name but I can understand perhaps why they
might have. For a long time, the thing was to elude Scan. I noticed
this early on. It was an achievement to create a virus that Scan
couldn't catch. Actually it is not much of an achievement.
GA: No, it only lasts a month or two at most until they get a copy.
UK: What's the point? Why is McAfee a whipping boy? He just happens to
be better at public relations than the rest of the anti-virus people.
GA: That's one reason, and the other reason is that because his is
shareware and so many more people have it then the other ones.
UK: Well, it's not just shareware. There are quite a few of his
products that are cross-licensed as retail software. He's got a really
big stake in anti-virus software. He's also the best at dealing with
the reporters like during the Michelangelo scare.
GA: Early viruses used to attack institutions with power, now they
seem to mostly affect individuals. Do you think that's true and, if
so, why the change?
UK: What institutions with power?
GA: Colleges and corporations.
UK: No, I think colleges are still pretty vulnerable, don't you? They
are always going to have computer labs, where people can bring stuff
in indiscriminately. That really hasn't changed and maybe it has
moved a little more to the individuals because computers have moved
more into the homes of individuals.
GA: That's true.
UK: So, before high end PCs were the domain of a small or a medium
size business with one or two individuals who knew how to use them as
the selected employees. Now the computer has become more of a
household appliance, still not totally widespread, of course, but
moving more and more into the household where people can use it as a
GA: Anything that you would recommend to people who would want to read
more, learn more?
UK: I'll give them my sole plug for Mark Ludwig's book on computer
viruses. It is not an evening's read. You get a lot out of that
especially if you come back to it. It impresses upon you the idea of
learning something about assembly language programming, which after
you look at it a couple of times starts to make some sense to you
whether you become an assembly language programmer or not. Probably
not. Springer-Verlag has an academic text on computer viruses but it
costs about $40, probably not something the average person is seeking
to get a hold of.
End of Computer Underground Digest #5.44