Hacking the Wal-Mart Armorguard Computer Protection System


To use this, you must have a system disk (i.e. a disk that has been
formatted using [format a: /s]) in 3.5″ format under Windows 95, because that
is what they sell all of their computers with.

In this file, instructions to be input into the computer are surrounded
by [ and ]. Keys are surrounded by < and >. So if I say “hit [<CTRL>-<F1>]” I
mean to hold down the control button and hit F1.

The armorguard is a program that prevents you from writing to the
directories, changing the attributes of files, and deleting files. It
basically prevents you from doing anything cool.

The first thing to do is to go into Wal-Mart. Now, go to the
computer section and turn off the screen saver. Shut down as many apps as
you can with the [] and then choosing a program and
hitting enter. You cannot simply do this to the ArmorGuard program.

The next thing to do is to go to the DOS PROMPT. Most Wal-Marts
take the mouse ball out of all of the display mice to make it harder to
control the system. If you are adept at putting your finger inside the mouse
and controlling it that way, fine. Otherwise, just hit [].
This activates the start menu. Select “Programs”, hit enter, then go down to
near the bottom of the “Programs” menu and select “MS-DOS PROMPT”. Hit enter.

Now you are in a DOS window and in the C:\Windows directory. Hit
[cd..] and then hit [fdisk /mbr], which restores the master boot record,
preventing the password prompt from coming up when you reset the computer.

Now just hit [] twice (once gets you to task manager,
twice reboots) and wait. When you see

Starting Windows 95…

on the screen, hit [] really fast just once, then choose “Verify
each step” (or something to that effect), usually choice number 4. It will
give you an A: prompt and say “Please give the path of your command interpreter,
i.e. C:\WINDOWS\COMMAND.COM”. At this point, put the system disk you have
made in the drive and hit [A:\COMMAND.COM]. Say “Yes” to everything except
the following:

Log this bootup? (Bootlog.txt)? (y/n)
C:\armguard.exe? (y/n)
for instance.)

If you have done this right, ARMGUARD SHOULDN’T COME UP AT ALL. If
it does, hit “command prompt only” instead of “Verify each step” and then
specify C:\AUTOEXEC.BAT and C:\CONFIG.SYS if it asks for the configuration
AUTOEXEC.BAT IS THE STARTUP FILE.) Then immediately hit [] and it will
give you step-by-step confirmation for each item. See above for the ones
to say no to. Then you want to hit


and the DOS edit program will come up. Choose “Search” and hit “Find” and
then tell it to find ARM and make sure it’s NOT on match whole word only.
Delete any line with ARM in it that looks like a part of ArmorGuard. This
should prevent it from coming up on Windows.



****************THINGS TO DO AFTER HACKING ARMORGUARD***********


Think of this: Hit “shut down in MS-DOS mode” or start up in MS-DOS mode,
put your boot disk in drive a: and hit the following commands


and then confirm this. You have just started the permanent erasing of
EVERYTHING on the hard drive. You can also do some other cool stuff with


The Ultimate in Wargames Dialers: UltraDial 3.0 Documentation by Paul Levy

…How About A Nice Game Of Chess…

In WarGames

U L T R A – D I A L
= By: Paul Levy =


Software Creations For The IBM-PC

The author of this software takes no responsibility for what
occurs during the use of this program. It is distributed
completely free of charge and nothing is expected in return
except that you follow the following guidelines:

1) This software is not to be distributed in a modified
form…including any and all documentation that comes with the
2) This software is not to be distributed for any fee. Its
author has chosen to distribute it free of charge.
3) This software was not intended for malicious use. Do not use
for any type of illegal computing…under penalty of law.

If you wish to get in contact with the author of this
software or any of the Com-Worx software, you may contact the
Com-Worx RBBS Bulletin Board system in Southern California at
(818) 986-1673. If you find this product well written and user-
friendly, why not try some of the other Com-Worx software such as
Super-File, the “People-Information” manager.


The idea of writing a WARGAMES dialer was inspired by Steve Klein, who
wrote the original DIAL.BAS. I took this program and proceeded to create
DIAL1 and DIAL3 (Steve Klein took DIAL1 and enhanced it to DIAL2).
I began to get sick of constantly updating, so I decided to write the
most incredible dialer around, and I think I have succeeded. In the
first version of ULTRA-DIAL (ULTRA.EXE), there were many problems,
including the fact that it did NOT support the Hayes External Modem.
This minor error was fixed and a few other features were added in
ULTRA2.EXE, the next version. I thought I had it all down pat with this
version, but my “good ol'” users clued me in to some problems…and
here it is folks, ULTRA3.EXE. I would like everyone to know that this
will be the last version of ULTRA-DIAL, UNLESS I find some incredible
error or some new incredible request for a feature is made. So, you’ll
have to live with this one.

REMEMBER: This program is for the IBM Personal Computer PC or XT (not
AT or any compatible). You must have a Hayes modem (an Anchor Signalman
may work; it has not been tested) to operate this program. There
are absolutely no exceptions to this…sorry.

Now we’ll cut the lecture and start the documentation!



To operate UltraDial 3.0, you need at least the following:

An IBM Personal Computer
64k Memory
One Floppy Disk Drive
A Hayes Auto-Dial Modem

To operate UltraDial 3.0 with optimum performance, add:

An 80 Column Printer
128k Memory
A RAMdrive Program


To start UltraDial, place the disk that contains
ULTRA3.EXE in drive A: and type:


Within a few moments, a text screen should appear telling
you the rules of Com-Worx. Press a key and you will see the
title screen begin. After the “COM-WORX Presents…” portion, you
will be asked to select COM1: or COM2:, that is, communications port
number 1 or communications port number 2. Enter the port to which your
modem is connected (enter a 1 or a 2).
Then you will see the main title screen…press any key to go
The program will then ask you to set the time and date. If
it is already set, simply hit at each of the prompts.
Finally the menu screen will appear and you will have the
following options:

[B]egin a dialing routine
[S]can/Dial found numbers
[P]rint a copy of numbers
[C]ontact the author
[D]elete old numbers
[Q]uit to DOS

These options are explained in detail on the following
pages of this documentation…


This command is the master command of the entire program,
it sets the dialing in motion. You will be using this command
whenever you wish to start dialing…

Your first prompt will be “Do you wish to delete old
numbers that have been found?”. This simply means, do you want
to erase the file that contains the previously found numbers
with carriers and start with a fresh one, or do you want to save
them. Answer “Y” to start a fresh new file, or enter “N” to save
the old one (remember, Ultra3 can only handle 18 numbers per file
because of some problems, print out the file often and start a
fresh one when possible).
The second option is simple, “Do you want the modem speaker
on?”. Answer “Y” if you want the Hayes internal speaker on, and
answer “N”, if you want it off (this is also togglable during the
program operation).
Ok, now you are going to enter the vital numbers that will
make this program run. The next prompt, after the speaker prompt,
is the “PRELIMINARY NUMBER” prompt. This is a new feature to ULTRA
DIAL and I will try to explain it the best I can.
Whatever you enter at the PRELIMINARY NUMBER prompt will be
dialed before EVERY number. This can be helpful for obtaining an
outside line (i.e. hotels and businesses sometimes require you dial
a “9” before dialing the outside number you wish to reach). If you
have no use for this, simply hit , if you do want to use this
function, enter the number(s) you wished to be dialed before EVERY
number in the dialing sequence.
Now you are going to enter the starting and ending numbers! Your
first prompt will be to enter the area code, if you want to dial local
simply hit , if not, enter the three digit area code.
The next prompt will be for the beginning number, this will be
the first number to be dialed. Here are some examples of the right
and wrong way to enter numbers:

RIGHT: 9861673     WRONG: 986-1673
       5205547            5,205547


The next prompt will be for the ending number, the last number
to be dialed. Use the same format as you saw above.
Now the dialing begins…Your options are now held in function
keys (the darker keys on the left side of the keyboard). Their
functions are described here…

[F1] – SKIP # – allows you to skip on to the next phone number.
For example, if the computer is on 986-1673 and
you hit [F1] then it will skip to 986-1674 as
soon as you hear the beep.

[F2] – MAIN – takes you directly to the main menu and stops all
active dialing. (Quits to the menu)

[F3] – QUIT – ends the dialing and returns you to DOS.

[F4] – PAUSE – pauses the timer so as to allow more waiting time
and continues to hold the timer until you hit any
key (remember to re-start it with any key).

[F5] – SPKR – toggles the speaker on or off. When pressed, the
screen will clear and you will be asked if you
want the speaker on or off, then dialing will resume
from the number you left off on.


If the dialer finds a carrier at a certain number, it beeps,
saves the number to disk, and continues dialing. If it completes
the dialing routine by getting to the last number, it sounds an
alarm to inform you (until you press any key). You are then
returned to the main menu.


This function allows you to see up to 18 of the found
numbers in the file NUMBERS. You can select a number with the up
and down cursor keys on the right side of the keyboard. If at
first the arrow does not move when you hit the cursor up or down,
try hitting . When you have the arrow pointing at the
number you wish to try, hit .
The computer will enter a terminal mode. Anything you type
now will go straight to the modem. The computer will dial the
number you selected and wait for a carrier. When it receives a
carrier, it will connect at 300 baud, even parity, 7 data bits,
and 1 stop bit.
To exit the terminal mode and return to the main menu, hit
the key, up in the left hand corner of the keyboard. It
will ask if you wish to dial another number and you may respond
accordingly with “Y” or “N”.


This function will print a copy of all of the phone numbers
onto the printer. Also, the dates and times that the numbers
were found will be printed. When the printing is complete, the
computer will return to the main menu…


This function was just “an idea” that I thought would encourage
people to report errors more often because it would be so simple to
contact me. This function will simply enter the terminal mode and
dial The COM-WORX RBBS…Hit to hang-up and exit…


This function will erase the file NUMBERS which contains all
of the phone numbers that have been found. You should use this
at least every 18 numbers found.


This function drops you into DOS (use only when you are
finished using Ultra-Dial).


Introduction to Hacking into LANs by THUG

$$ Introduction to Hacking into LANs.. $$

An official THUG production..
Written by Laughing Gas for Solsbury Hill BBS.

(Please keep the filename as THUGLAN1.TXT where possible)

::: Foreword :::

I don’t have a lot of experience at hacking a lot of different
types of LANs, or any secret information that couldn’t be found by
any one else with a little hard work, but in an effort to spare
you that hard work, I wrote this file..

I was going to make this only one file, and include everything in
it, but since it’s already about 13k and that’s without any
specific discussion of the novell system, I’m going to break it
up into a series. Keep a look out for the next file, it’ll have
more information on the actual hacking of a novell system, and
possibly other files focusing on other systems.

Subjects discussed (contents basically):

About LANs: the basics
The basics of a Novell Network, and Logging In
Once you’re in DOS
System Files
Brute force hacking in


::: About LANs: the basics :::

For people who know nothing at all about computers or
telecommunications, or networks, this file probably won’t be very
useful, but I will attempt to provide information in a way that
the least experienced computer user can understand it. To that
end, here’s a brief section on what exactly a LAN is, how it
works, and so on.

LAN stands for Local Area Network. A network, in computer terms
is any system which allows a person on one computer to share
resources with one or more other computers. There are two main
types, the LAN and the WAN (Wide Area Network). A WAN
conforms to the definition of a network the same way a LAN does,
it allows a person on one computer to use the resources of one or
more other computers. So what’s the difference? A LAN is a small
network, usually contained in a single building, and if not, then
in a single complex. A WAN is almost never contained in a single
building or complex, and usually extends over several states, or
across the entire nation, or internationally. An example of a
WAN is the Internet, one of the biggest and most hacked WANs
ever. The Internet is connected all over the world to thousands
upon thousands of computers at universities, military sites,
commercial sites, and more.

Another type of network is a PSN, which is similar to a WAN in
that they always extend out of a complex. PSN stands for Packet
Switching Network. What a PSN does is bundle a packet of data
from the local terminal, assemble it at the local PAD (packet
assembler/disassembler), and send it through a series of in-between
PADs; when it reaches its destination, it is disassembled by that
PAD and fed to that computer. This allows a PSN whose PADs
are in a chain, where PAD A is local to PAD B and PAD B is
local to PAD C but PAD A is not local to PAD C, to send a packet
from A to B to C and not pay the expense of sending directly
from A to C. A PSN almost always uses phone lines for at least
part of its connections.

A WAN or LAN operates on a different principle: it sends
information directly from the local terminal to its destination.
In the case of a WAN, the information may pass through phone
lines, but it might not, depending on what exactly you are doing.
On the Internet, if you are connected to a university, you can
log into a computer at that university and you will be on a
direct connection, but you can call another university or
military site from there, and your data will travel over the
phone lines, or maybe even over a PSN or another network.

A LAN will ALWAYS be a local direct connection. The most common
set up on a LAN is that there are 2 or more terminals in one or
more rooms that are hooked up to one or more servers. That is
the case we will assume is true in examples throughout this file
unless otherwise specified. (We’ll also assume that the LAN is
set up with IBM MS/PC-DOS compatible computers)

One scenario for how a LAN is set up would be like this: There
are 20 IBM PS/2 Model 25’s with Dual 720k drives, 640k of memory,
and no hard drive hooked up to an IBM PS/2 Model 80 w/ 20 megs of
memory, a 330 meg hard drive, and a 1.44 meg and 1.2 meg drive.
In this case, the Model 80 would be the server. Each terminal
would have to have a boot disk for the network. (An alternate
situation would be if the computers had BOOT PROMS which redirect
local drive activity to allow the terminals to boot from the
server’s hard drive) If you just put a dos disk in a terminal and
turned it on, you could use the full 640k of memory, and both
drives for whatever you wanted. However, if you put in a network
boot disk, (or ran the network set-up and login programs from any
disk) you would then be connected or logged in to the network.
At this point, you could access any program on the server’s hard
drive (basically giving the 20 non-hard drive machines a 330 meg
drive to share). There only needs to be one copy of each program
that will be run, no matter how many people are using it.
(Assuming of course that the program is network compatible, some
programs such as perhaps a BBS program, or something using
communication interrupts, or with files constantly open, etc. may
not function with a network at all, or crash the terminal or the
whole network.) There are however special programs installed on
the network to allow different terminals to share files and so
on. Data files can be saved on the server’s hard drive, or on
the local disk drives.

One function of the network software is to capture all DOS
interrupts (int 21 for MS/PC-DOS) and decide what to do with
them- either pass them on to DOS, or handle it itself.

::: the Basics of a Novell Network, and logging in :::

Novell Netware (TM) is one of the most common pieces of network
software available for IBM MS/PC-DOS networks.

Basically, novell works like this: either on the boot disk, or
if the computer has boot proms, on the hard drive, in the
AUTOEXEC.BAT you’ll find a setup somewhat like this: (comments
will be preceded by semicolons (;))

prompt $p$g ;changes prompt to include path
mouse ;load mouse driver
;and other such stuff in the very beginning
IPX /options ;prepares the computer for the network
NET3 ;loads network
login 4 ;automatically logs in as computer #4
menu net ;loads the nifty menu

Not all computers will have all of these things, there may not be
mouse drivers, there may be extra things (initialize plotters,
etc, etc) anyway, they should have IPX and NET3, and PROBABLY
login xxx.

The way the login program works is thus; Running LOGIN with no
options will get you a prompt of “Username:” then, after entering
a valid username, “Password: ” (prompts may be different..) if
you don’t enter a valid username, it’ll let you know. If you
enter LOGIN with one option, it will try to process that as a
username, and if it’s valid you’ll receive just the “Password: ”
prompt. If you enter two parameters, it will process the first
as the username, and the second as the password. If there isn’t
a login xxx type of command, there should be just a LOGIN command
which will prompt you for username and password.
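
The LOGIN argument handling described above can be turned into a boot-disk audit. This is an added example, not code from the original file or from Novell: the function names, the sample lines and the placeholder password are constructed, and stripping `;` follows this file's annotation style (real batch files use REM).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Ordered from least to most exposed. */
enum login_finding {
    LOGIN_ABSENT,        /* line is not a LOGIN command */
    LOGIN_PROMPTS,       /* LOGIN alone: asks for username and password */
    LOGIN_USER_PRESET,   /* LOGIN <user>: username fixed on the disk; logs in
                            unprompted if the account has no password, as the
                            listing's "login 4" does */
    LOGIN_CREDS_ON_DISK  /* LOGIN <user> <password>: password stored in clear */
};

/* Case-insensitive string equality. */
static int ieq(const char *a, const char *b) {
    while (*a && *b && toupper((unsigned char)*a) == toupper((unsigned char)*b)) {
        a++; b++;
    }
    return *a == '\0' && *b == '\0';
}

/* Classify the first line of `line` (stops at ';', CR or LF). */
enum login_finding classify_line(const char *line) {
    char buf[160], *tok, *cmd, *p;
    int args = 0;
    size_t n = strcspn(line, ";\r\n");
    if (n >= sizeof buf) n = sizeof buf - 1;
    memcpy(buf, line, n);
    buf[n] = '\0';

    tok = strtok(buf, " \t");
    if (!tok) return LOGIN_ABSENT;
    if (*tok == '@') tok++;                      /* "@LOGIN" suppresses echo */
    if (ieq(tok, "REM")) return LOGIN_ABSENT;    /* commented-out line */
    cmd = tok;                                   /* strip drive and path */
    for (p = tok; *p; p++)
        if (*p == '\\' || *p == ':') cmd = p + 1;
    if ((p = strrchr(cmd, '.')) != NULL) *p = '\0';   /* LOGIN.EXE -> LOGIN */
    if (!ieq(cmd, "LOGIN")) return LOGIN_ABSENT;
    while (strtok(NULL, " \t")) args++;          /* count parameters */
    return args == 0 ? LOGIN_PROMPTS
         : args == 1 ? LOGIN_USER_PRESET : LOGIN_CREDS_ON_DISK;
}

/* Return the most exposed finding over a whole AUTOEXEC.BAT text. */
enum login_finding audit_autoexec(const char *text) {
    enum login_finding worst = LOGIN_ABSENT;
    while (*text) {
        enum login_finding f = classify_line(text);
        if (f > worst) worst = f;
        text += strcspn(text, "\n");
        if (*text == '\n') text++;
    }
    return worst;
}

/* The listing from this file, reproduced as sample input. */
static const char PAGE_LISTING[] =
    "prompt $p$g ;changes prompt to include path\n"
    "mouse ;load mouse driver\n"
    "IPX /options ;prepares the computer for the network\n"
    "NET3 ;loads network\n"
    "login 4 ;automatically logs in as computer #4\n"
    "menu net ;loads the nifty menu\n";

int main(void) {
    static const char *label[] = {
        "no LOGIN line", "prompts for both", "username preset", "credentials on disk"
    };
    printf("page listing     : %s\n", label[audit_autoexec(PAGE_LISTING)]);
    printf("LOGIN alone      : %s\n", label[classify_line("LOGIN")]);
    /* Constructed line with a placeholder password. */
    printf("path + two params: %s\n",
           label[classify_line("@F:\\LOGIN\\LOGIN.EXE GUEST example-pw")]);
    return 0;
}
```
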

If the network prompts you for a username and password, you’re
stuck, you have to do some hacking to get in. This file mainly
covers what to do once you’re on, but see the section later on
getting in.

The line “menu net” will execute the network’s MENU function with
the menu defined as NET. On my school’s network this has
selections such as Word Perfect, a typing tutor, etc. If there
is another command here, it will run that program. If there is
no command here you are simply in DOS. If you are on the MENU
NET, or any other MENU command, then simply hit the
escape key and answer yes, then press return and you are in
DOS. I believe it is possible to have set up the network to
automatically log you out at this point, but I’ve never seen
this. If this happens, you’ll still be in dos, and you can just
type LOGIN to log in again, if you had to enter a name and
password before, do it again, and there you are, if not, then
type “type autoexec.bat” and see what the login command was, and
enter it again, and you’ll be logged on to the network and in
DOS. If you are automatically put in some other sort of program
when it boots up, then it’s up to you to find out how to get into
DOS on your own.

The format for the menus will be discussed in detail in my next
file, but basically it’s the name of the menu on the first line,
then each menu option on a separate line, with the commands to
run for that menu option following with at least one space like

—[cut here]—
MAIN MENU ; (menu name)
WORD PERFECT ; (menu option #1)
CD\WP50 ; (change to wp dir)
WP ; (run word perfect)
CD\LOGIN ; (change back to login dir)
FOX-BASE ; (menu option #2)
—[cut here]—
Etcetera, etcetera.

::: Once you’re in DOS :::

To find out what drives are available to you do this (for you
non-IBM people)

type A: (followed by return) then B: (followed by return) then C:
(return), etc.. all the way through Z:, if you ever get a “Not
ready error reading drive : Abort, Retry or Ignore? ”
just hit abort, it can’t hurt anything. And write down all the
letters which are successful. A-E will most likely be the
terminal’s drives. If the terminal is a diskless terminal, then
A-E probably won’t exist. If not, A and B if they exist will be
floppies, and C-E will be local hard drives. (Although it is
probably possible to configure A-E as network drives too).

It is up to the system administrator(s) how the LAN is set up,
but here is how one of my school’s LANs is set up:

A: terminal floppy (720k)
B: terminal floppy (720k)
C-E: configured as local drives, but there are none installed
F: main network drive
V-Z: specific network programs, these aren’t real drives, rather
“fake” drives created by the SUBST dos program.

the files and directories on F: are..

AUTOEXEC.BAT: 0 byte phoney autoexec (since bootdisks are req’d)
GUIDE .BAT: (loads teachers guide or something)
Directory PUBLIC : contains public info and all net programs
Directory SYSTEM : contains network utilities
Directory MAIL : subdirectories contain mail
Directory LOGIN : dups of other files for logging in & data
Directory DBASE : DBase III
Directory WP50 : contains Word Perfect 5.0
Directory VP : V-planner
Directory TYPING : Typing Tutor
Directory ALPHA : Alphabetic Keyboarding
Directory FOX : Fox-Base
(and some other directories for various programs)

Then the drives V-Z are like this:
V:\VP> (just the F:\VP> directory subst’d to V:)
W:\WP50> (just the W:\WP> directory subst’d to W:)
etc.. through Z:

(subst’d means “substituted” with a DOS program called SUBST.EXE
which allows you to make a directory on one drive into a complete
new virtual drive)

The most interesting programs are in F:\PUBLIC. My system has no
mail on it (how boring), so I don’t have any information on what
the mail directories are like (other than that they are set up
like this:
etc) although I assume it would be easy enough to read the mail
with the TYPE command, or a program of your own for reading text

The SYSTEM directory has some files that are interesting, but the
actual programs also exist in PUBLIC, and the data files are
generally boring (although you might want to scan through them to
see if there is anything interesting..)

::: System Files :::

This is one of the main sections I cut out of the file. The
sequel to this file will have a COMPLETE list of all files
distributed with the network as well as all dos files for non-dos
familiar users, with complete descriptions of what they do, and
how to use them to your advantage.

In the meantime, for non-msdos users, here’s a quick rundown on
how files are handled.

When you type DIR you get a directory listing which shows all the
files and directories in the current subdirectory. A filename
under MSDOS consists of up to 8 characters plus up to 3
characters for an extension. (ie AUTOEXEC.BAT, FILENAME.EXT, or
F.F.) A file with an extension of .COM or .EXE can be executed
by typing the name of the file (and optionally the extension) at
the dos prompt (like C:\PUBLIC>) A file with an extension of
.BAT is a script or shell file which is in straight ascii form
and can be executed also by typing the name at the dos prompt,
but it is executed line by line by the dos command interpreter,
instead of actually loaded as a program with data and code
segments. Dos’s .BATch language is pretty shitty as far as
script languages go, if you’re used to dealing with unix or any
other more advanced language, you’ll hate it.

A file which has a <DIR> instead of a file size is a subdirectory.
You can make this your current directory by typing
“CD directory-name” (ie, “CD LAN”) or you can go down two
subdirectories by typing “CD LAN1\LAN2”. You can go up one
subdirectory by typing “CD ..” (CD-space-period-period) or up to
the top by typing “CD\”.

Another note: The AUTOEXEC.BAT file is automatically executed
each time the computer is booted from the disk it resides on, so
it’s a good place to add your own commands. The CONFIG.SYS file
loads drivers and such into memory.

I’m not going to cover any more about DOS files or commands here,
there may be some more in the next file, but if you are
completely dos-un-educated I suggest you ask friends or buy a
book. I’m sure there are also dos tutorials available in text
form. If enough commodore and apple type people ask me, I’ll
write a comprehensive file explaining all the dos commands
basically and some things that a hacker on a dos-system might
want to know. Remember, they do call it MeSsy-DOS, and it is.

::: Brute force hacking into the system :::

If you get just a straight LOGIN.EXE w/ no options in the
Autoexec, or a login w/ a name, but you need to know the password
(I’ve never encountered that) then you have to actually do some
brute force hacking, or social engineering. The two most common
accounts I know of are Supervisor (for the system admin) and
Guest, which will probably be left on. On my school’s system there
are accounts 1-20 for each of the computers (in one lab, in
another it’s c1,c2,c3..c20). If the system is secure enough to
force an account/password to be known for each login, then I doubt
you can break out of the autoexec, but it’s worth a try, just bang
away on Ctrl-C or Ctrl-Break as much as you can. Optionally, if
you have to have a boot disk, then make your own… w/ no
autoexec, so you can just login however you like.. or get someone
already on the system to install a trojan to snag passwords for
you, etc.

About actually finding other passwords once you’re on, there are
several programs available for various types of LANs on various
types of computers (with source sometimes) which intercept calls,
or log keystrokes from the login program, and store the results
in a hidden file. On an unsecure LAN, these programs are almost
definitely going to yield a 100% success rate, and probably won’t
be found if installed right. And on a LAN as unsecure as the one
at my school, you could stick pirate wares right in the PUBLIC
directory and no one would notice (or at least they haven’t yet).

::: Conclusion :::

Well, that wraps it up. In the next file I’ll include all the
novell specific info, and complete information on all novell

Also, I corrected a lot of mis-information and mis-wording in
this file. I very likely missed some, I’ll include any
corrections in the next file. If you find anything wrong with
it, contact me on Solsbury Hill, we’re in 301.

Laughing Gas, 5/17/91.

SOFTDOCS: Skeleton key: PC Unlocking Utility by the National Authoritarians Society

Skeleton-Key ‘PC Unlocking’ Utility by the National Authoritarians Society.

The author of this program takes ABSOLUTELY NO RESPONSIBILITY
for any harm caused directly or indirectly by this program. The user
assumes FULL RESPONSIBILITY for anything s/he may do with it. Please
do not abuse this program – it is designed for hobbyists and security
consultants who have an interest in this type of program and wish to
see how easily security can be bypassed by even anyone with a good
working knowledge of the system it is implemented on.

Skeleton-Key is designed both to exploit and to demonstrate one of the
built in weaknesses in PC-based networks. It simply goes resident in
memory, and reads keystrokes as they are typed in. If the word “login”
is typed (case insensitive) then it clears a 256-byte buffer and begins
recording keystrokes. Once the buffer is full, it stops recording and
stores the buffer until ‘login’ is typed again, at which point it
starts over. If you haven’t caught it already – the point is that
if a net uses login for users to log into their accounts with, any
accounts logged into will have their account name and password recorded.
If a user mis-spells login, Skeleton-Key will ignore it – remember to do
this when logging in to check the buffer. Checking the buffer is trivial –
just run readkey.com, it will ask you whether to dump the information to a
file or to the screen. If dumped to a file, the filename will be login.txt.
Either way – you now have the last person’s account name, password, and
whatever they did first.

There are some situations in which this program will not work, such as when
another program takes over Int 16h or Int 09h completely…. but for the
most part it is very solid.

Key.COM – this is the installation file. When run, you are given a choice
of methods with which to install the program in memory. These are:

Int 27h
MCB Manipulation
Bios/Dos Manipulation

The advantages/disadvantages are as follows:

Int 27h: This method is a fairly standard one with which user programs can
become resident. The program will go resident at the location in
memory at which it is executed, and will keep the necessary size
+ 100h bytes for the PSP. When Mem /p or something similar is
executed, the name of the file that made the program go resident
will be displayed. The good thing about this is that Anti-Viral
scanners and other security software will generally ignore this.
The bad thing is that others may not, especially if they are
looking for whatever is giving away their passwords.

MCB Manipulation: This method directly changes DOS’s memory control blocks
to make room for the program at the top of use memory, usually
somewhere around 9fb0:0100. It ends Dos’s memory chain at the
block it starts out in, so once it is memory resident it will
NOT show up on things like Mem /p and System Information (SI),
although the decrease in memory will. This keeps most users from
detecting it, but some anti-viral products may mistake this for
a virus.

BIOS/Dos Manipulation: This method uses BIOS to reserve 1K at the top of
memory for the program. Basically it is the same as above,
except that the available memory to DOS (total – including used)
will decrease by one K, usually from 640k to 639k. This is
noticed by some anti-viral products, and may be noted by adept
users using mem or chkdsk.

I’m including a demo file to test it with – check it out. If you decide
to program a similar program (for some reason this one doesn’t do it for
ya – like if ‘login’ isn’t the word you use) or if you need tech info,
the following should help. Also check out the source code if it is included
inside the file – it will be in some release versions.

Regardless of the method used to go memory-resident, the memory
resident portion of the program is always the same code. It hooks the
regular keyboard interrupt (Int 09h) and, after each activation, it checks
to see if there is a key waiting in the buffer using Int 16h, function 01,
and – if so – checks it to see if login has been spelled. If so, then it
initiates the buffer and begins storing keystrokes unconditionally until
it has logged 256 keystrokes. It then stops logging until login is typed
again, at which point it starts over. It does not check for typing errors,
so you can bypass it at this point – it is, however, case insensitive.
Oh – with NDos (from reports I’ve heard – not verified) and at least some
versions of Novell (verified) one can do this more simply just by hooking
Int 21h, function 08h – Read Keyboard W/O echo. This does not work on
all systems, however, so I chose a different way to implement it. Also –
one stealthy technique that can be used that I declined to do in this one
is to use one of the ‘holes’ in memory that is never, or rarely, used.
Such places can be found at the top of the interrupt table, at times in
video memory (dangerous – work on this technique for a while and test it
before deciding to run it on the net), and in DOS buffers and the like.
The advantage of this technique is that the memory available to the user
does not decrease, and so obviously MEM and CHKDSK won’t have a clue.
The disadvantages are that there is usually a size limitation on the holes,
and under some circumstances crashes may occur.
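
The one-kilobyte drop in reported memory and the hooked keyboard vector described above both show up in the first 0x500 bytes of real-mode memory, which is what the anti-viral products mentioned earlier look at. The check below is an added example, not code from the original file; it assumes such a low-memory dump is available, and its function names and sample dumps are constructed for illustration.

```python
import struct

IVT_ENTRIES = 256          # real-mode interrupt vector table: 256 far pointers at 0000:0000
BDA_EBDA_SEGMENT = 0x40E   # BIOS data area word: segment of the Extended BIOS Data Area (0 if none)
BDA_BASE_MEM_KB = 0x413    # BIOS data area word: conventional memory in KB, as returned by Int 12h
PARAS_PER_KB = 64          # 1 KB = 64 sixteen-byte paragraphs


def parse_low_memory(dump):
    """Return (vectors, base_kb, ebda_seg) from the first 0x500 bytes of physical memory."""
    if len(dump) < 0x500:
        raise ValueError("need at least the first 0x500 bytes of physical memory")
    # Each vector is stored as offset then segment, both little-endian words.
    vectors = [struct.unpack_from("<HH", dump, n * 4) for n in range(IVT_ENTRIES)]
    (ebda_seg,) = struct.unpack_from("<H", dump, BDA_EBDA_SEGMENT)
    (base_kb,) = struct.unpack_from("<H", dump, BDA_BASE_MEM_KB)
    return vectors, base_kb, ebda_seg


def audit_top_of_memory(dump, installed_kb=640):
    """Report memory withheld from DOS and interrupt vectors that point into it."""
    vectors, base_kb, ebda_seg = parse_low_memory(dump)
    top_seg = base_kb * PARAS_PER_KB          # first paragraph DOS is told not to use
    limit_seg = installed_kb * PARAS_PER_KB   # 0xA000 on a 640 KB machine
    # Many BIOSes keep an EBDA in the last KB and lower the count themselves, so
    # only the gap below the EBDA (or below 640 KB when there is none) is unexplained.
    explained_from = ebda_seg if top_seg <= ebda_seg < limit_seg else limit_seg
    unexplained_kb = max(0, explained_from - top_seg) // PARAS_PER_KB
    lo, hi = top_seg * 16, limit_seg * 16
    # A handler address above the reported top of memory deserves a closer look.
    hooked = [n for n, (off, seg) in enumerate(vectors) if lo <= seg * 16 + off < hi]
    return {
        "reported_kb": base_kb,
        "missing_kb": max(0, installed_kb - base_kb),
        "unexplained_kb": unexplained_kb,
        "vectors_into_reserved_area": hooked,
        "suspicious": unexplained_kb > 0 or bool(hooked),
    }


def build_sample(base_kb, ebda_seg=0, hooks=None):
    """Constructed low-memory image: every vector points at a dummy BIOS address."""
    mem = bytearray(0x500)
    for n in range(IVT_ENTRIES):
        struct.pack_into("<HH", mem, n * 4, 0xFF53, 0xF000)
    for n, (off, seg) in (hooks or {}).items():
        struct.pack_into("<HH", mem, n * 4, off, seg)
    struct.pack_into("<H", mem, BDA_EBDA_SEGMENT, ebda_seg)
    struct.pack_into("<H", mem, BDA_BASE_MEM_KB, base_kb)
    return bytes(mem)


if __name__ == "__main__":
    # Constructed case: 639 KB reported, no EBDA, Int 09h pointing into the missing KB.
    resident = build_sample(639, hooks={0x09: (0x0010, 0x9FC0)})
    print(audit_top_of_memory(resident))
```

A machine whose BIOS keeps an EBDA also reports 639K, which is why the check compares the EBDA pointer before calling the missing kilobyte unexplained.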

Note that the beauty of this program is that one can run it in the morning,
come back at any time during the day, and collect one user’s worth of
information without worrying about the program being present on the
computer’s disk. Also – no matter how tight the security is on the disks,
how encrypted their passwords are, how well chosen and random the users
make their passwords – it works. Always attack something at its weakest
point – in this case, it is the simplistic structure of the IBM workstation.



Overview of Computer Security by E.A. Bedwell, EDP Specialist


Notes of the presentation to
The Institution of Production Engineers
March 21, 1990 by

E.A.Bedwell, E.D.P. Specialist
ORTECH International (NRC/IRAP)
2395 Speakman Dr., Mississauga L5K 1B3
(416) 822-4111, Ext. 261

The writer wishes to thank the Institution of Production Engineers and
its President for the invitation to make this presentation, and to
express sincere appreciation to David Stang, Ph.D., Director of Research,
National Computer Security Association, for his contribution both to this
paper and to computer security in general. And I would be very remiss if
I neglected to mention the professional secretarial assistance provided by
Jane Templeman, who makes our whole team tick like the NRC official time
clock – the one that gives the CBC time signal.

This document is, hopefully, written softly: after all, it might be
easier to digest if I have to eat my words. I do not profess to be “the
expert” in the field of computer security; an expert is someone who knows
more and more about less and less until s/he knows absolutely everything
about nothing. I hope never to stop learning, which means (thankfully)
I’ll never be an expert.

1. Definition/Scope of “COMPUTER SECURITY”
2. Why Should You Be Concerned?
3. Types of Security Breaches
4. Reasons for Exposure
5. General Security Rules (all computer systems)
6. Viruses:
   6.1 History
   6.2 Effect
   6.3 Why do people do it?
   6.4 Symptoms
   6.5 Concerns
   6.6 Known Virus Software (1)
   6.7 Quick Guide to Virus Names (1)
   6.8 Table of Virus Effects
   6.9 Virus Detector/Antidote software
   6.10 Trojan Horses
7. PC Rules of Thumb
8. Easy Tricks for PC Security
9. So You’re Infected (Cure)
10. Summary: What Can You Do?
11. Security Policy: Points for Consideration
12. To run SCAN (included on this diskette)

(1) David Stang, Ph.D, “Network Security in the Federal Government,”
January, 1990, p.168-169 (updated by E.A.Bedwell, March, 1990)

Tonight’s topic is “Computer Security,” a subject near and dear to my
heart after catching fraud a few times, and cracking system security a
few times. The only unfortunate part of this evening is that I have
enough material to cover an intensive 2 or 3 day seminar and I only have
something over an hour, so in addition to extensive notes from this
presentation, I’ve put an article on viruses, and a PC virus detector
program on diskette for you.


1. DEFINITION/SCOPE OF “COMPUTER SECURITY”

Computer security relates to any potential loss of information or your
ability to operate, regardless of the source of the problem. Of course,
all the publicity about computer security is going to the virus
situation. I don’t want to dissuade anyone from their concerns about
viruses, because it’s definitely a growing problem, and if you get hit,
you’ll be sorry you ever laid eyes on a computer. But, current estimates
indicate that viruses represent only 3% of all the computer problems now
occurring. Of course, if you’re one of the 3%, like CNIB or Barclay’s
Bank Canada were last fall, you’ll feel like you’re the only one on
earth. The difference between viruses and other computer security issues
is apparently one of control: I hope to convince you that you have as
much control over viruses and as little control over the other 97% of
problems as to make them equal threats to the safety of your computer.

I’m going to get to viruses later, their prevention, detection and cure,
but I’d first like to cover the other major problems that affect
computer security – the other 97% – and I’d like to start with reasons
why you should be concerned about security.


2. WHY SHOULD YOU BE CONCERNED?

Your data is a valuable asset, just like premises, equipment, raw
materials and inventory. Because so much of modern business depends on
computers – financial systems, engineering design, medical diagnosis,
production and safety control – the destructive potential is greater
every year. There has been more than one company that’s suffered great
losses, and even gone under because of the loss of things like their
accounts receivable records: no one is going to pay you if you don’t
send them a bill, and if they get word of your inability to invoice them,
they’re darned unlikely to volunteer payment – so you’re in a financial
mess. The same goes for your design information, production data, the
consequences if safety control systems malfunction, or even the simple
loss of your customer list.

Another reason why you should be concerned is, too often, people don’t
think about computer security until it’s too late. There’s a saying in
my industry that, “He who laughs last probably made a backup.” Another
saying is, “Experience is something you don’t get until just after you
needed it the most.” Well, if it means the life of your company, or the
loss of potentially millions of dollars, or even just the information on
your home computer, it might be wise to get at least some basic knowledge
before the disaster strikes.

3. TYPES OF SECURITY BREACHES


Now that the ‘why’ is out of the way, let’s break down the 97% of
problems. These are not in a specific order, but just as they came to
me. Nor have I attempted to attach percentages to each type of risk,
because very few computer crimes are actually reported, so any figures
that anyone could estimate would not be realistic:

By far the biggest problem is fraud or theft. Some examples of this are:

CHAOS – 1987 – Hamburg -> NASA data bank info sold to USSR

Foreign exchange } famous because of big $
Electronic Funds Transfer } amounts, and because of the
Insider Trading } publicity they’ve received

Most common: Cookie jar technique – e.g., interest, income tax
(aka ‘Salami’ technique – take a little and no one
will notice)

Specific examples I’ve caught were in Payroll (no crash on < or =),
Accounts Payable (dummy companies), Purchasing (failed reasonableness
test), and Accounts Receivable (failed balance routine). These were all
thefts of money.

Another example of theft which is very interesting is the 28-year-old
Canadian who was arrested at UNISYS in Pittsburgh on Dec. 13/89 - what he
is alleged to have stolen was NCR’s trade secrets - to the tune of
US$68M, which comes under a different Canadian law from monetary theft.

MALICIOUS DAMAGE / VANDALISM

The next major type of computer security breach is the disgruntled
employee syndrome. Their favourite is the logic bomb or time bomb: on a
certain date or condition after they leave the company, something’s going
to happen, such as at the health centre in LA where all prescriptions
suddenly multiplied by 2. That’s really serious, even compared to the
logic bomb that superzaps all your files off the face of the earth,
because someone could die. At least with a superzap, you can recover if
you’ve been backing up and have a disaster recovery plan in effect.

Pure physical vandalism occurs more often at educational institutions,
but is still a serious threat. I wouldn’t let me near your machine if I
was angry with you - my vandalism would be difficult to detect (and
expensive to repair). A simple application of a magnetized screwdriver
......

LACK OF SECURITY PLANNING IN SYSTEM DESIGN STAGE

One of the biggest logic bombs that’s going to occur is on January
1/2000. Do you know how many computer systems use a 2-digit number for
the year? Do you know how much work it’s going to be to adapt systems to
recognize 00 as being greater than 99? My grandmother was born in 1886,
and most systems show her birth year as 99. If she lives to the year
1999, I wonder if they’ll start sending her the baby bonus. This time
bomb is not malicious damage, it’s pure lack of planning at the system
design stage.

Things like balance checks and reasonableness tests are not built into
the system from the beginning, and it’s not easy to put them in later.
Users must participate at the system design stage, because only they know
what’s reasonable and what can be balanced. Don’t expect a computer
technician to know everything there is to know about your job.

DISTORTED SENSE OF HUMOUR

Then there’s the practical joker - the one who thinks it’s funny to break
into the system to see what he can change, or create some dumb message to
appear on your screen. That’s what happened at IBM when the infamous
Christmas tree appeared 2 years ago (1987). The joke was three-fold -
first it analyzed your electronic mail distribution lists and reproduced
itself to send to everyone you normally send messages to - this clogged
the system up with people reading more messages than normal. The second
part was a little more technical - everyone who read the message caused a
separate load of the offending program to take up space in memory, unlike
most systems where two or more people who are doing the same thing are
sharing one load of the software. This clogged memory up so that nothing
else could run. There was one more part to this: there were delay timers
built into the program so it deliberately ran very slowly. The result was
that the largest computer network in the world was shut down for 4 hours.
Someone must have had a great need for a power trip.

MISTAKE

Next, there’s fumble fingers: you know, the one who keys the formula in
as 600 grams instead of 60 grams, or the estimated production time of 2
hours instead of 2 days. Or the one who almost took me into court when he
blamed “the computer” for a mistake. Without going into details about
that incident, I can say that going through the grilling by several
lawyers in a preliminary investigation was not the high point of my
career.

What saved the situation (for me and the organization) was audit
trailing: every time a transaction was entered, the system recorded the
terminal i.d., the user i.d., the date and the time. It also saved a copy
of the record as it existed prior to the transaction taking place.

A more common mistake, though, is to unlatch a diskette door before the
light goes out. Few people realize that the FAT (file allocation table)
is the last thing written on a disk, and you can corrupt the FAT by
removing the disk too early.

“EVERYONE DOES IT” SYNDROME

Then there’s everyone’s favourite: copying software. Believe it or not,
in Canada, that falls under the Copyright law, not under theft, but it
has been successfully prosecuted. Even if you reverse engineer it and
make some minor changes, it will come under the “look and feel” test of
the Copyright law - if it looks and feels the same as the original, you
can be prosecuted. Copying software is illegal, and your company as the
registered owner could be held liable if it is detected.

ILLEGAL ACCESS

Many major computer crimes are perpetrated by illegal access: the
14-year-old who broke into NASA from his basement computer room is just
one example. There is password software on all larger machines, and it’s
not difficult to put it on PCs. On the larger machines, one of the major
problems is not changing the standard passwords that are set when the
machine is delivered: the standard user-level password may be USER, the
standard operator password may be OPERATOR, and the standard field repair
person’s password may be REPAIR, and so on. Guess how I’ve cracked
security a couple of times. In a 1988 article by Dr. Cliff Stoll in
“Computers and Security,” he reported that in 10 months of systematic
testing on computers attached to the US Defense Data Network (Milnet),
access was gained in 13% of the attempts simply by guessing at passwords!

There should be some rules applied to passwords: not less than 7 or 8
characters, must be changed at least every 60 days, don’t use common
things like names (another way I’ve broken security), don’t share it
under any circumstances and, for heaven’s sake, don’t post it on the
front of your machine or leave it where someone can find it. It’s your
personal PIN - just like the money machine - and the information you’re
dealing with is worth money. Some of the most difficult passwords to
break (take it from me) are “two words reversed” (e.g., boardwall,
hornshoe, cuptea), or foreign language words (e.g., coupdegrace,
millegrazie, caliente). Nonsense is good, too: geebleurql is nice.

If you’re installing password security on a PC, consider whether you
should have it so tight that there is no recourse to the DOS level or no
ability to boot from the A: drive. You’d need really good password
software (or a good technician on staff) if you have both of these
facilities - otherwise you can lock yourself out - but it’s my preference
(especially for the guy who’s wiped his root directory twice).

PHYSICAL SECURITY

Finally, another area that affects computer security or your ability to
carry on computer operations, and one that is often overlooked, is simple
physical security: keys, thermal shock, vibration, dirt, water, fire,
visibility of information, steady power supply, discharge of static
electricity, magnetic fields, are all relevant to security. We have one
man in our network who should have (a) cabling bolted to his computer and
the floor, (b) a key to his unit, and (c) dust protectors (as well as
password access only without recourse to the DOS level).

When it comes to thermal shock, if you work in an area where the heat is
reduced on winter weekends, I strongly recommend you leave your unit
running over the weekend - just lock the keyboard. If the air
conditioning is shut down, turn your unit off, and don’t turn it on until
the temperature is 23C or less. And please don’t leave your machine
sitting in the sun, or in front of an open window to attract dust. The
internal temperature rises within 20 mins. or so to >30C, and the effects
of thermal shock are such that it can, first, rock memory chips out of
their sockets, and, worse, misalign the read heads on your disk drive so
that nothing can be read.

Vibration, too, is a source of problems, especially for drives. The read
heads actually float over the surface of drives, not on them the way a
record player needle does, and the space tolerance between is measured in
Angstroms (metric version of microinches). Vibration can cause the head
to hit the drive, and you can say goodbye to whatever was written there.

If you’re in a particularly sensitive field, and your information is what
might be called top secret to your company, you might also want to look
at two protection devices: one is encryption, and the other is Tempest
hardware or shielding. Encryption involves translating your data using
algorithms to something unreadable, and de-coding it when you need it. It
uses a “key” to choose the algorithm – don’t lose the key! It comes in a
few forms: software controlled encryption, hardware based encryption, or
a combination of the two. Most encryptors work with standard algorithms,
but defense departments and other high-security installations prefer
random algorithms. Tempest hardware, or shielding, protects against
sniffing of signals. (Signal emanation surveillance is called
“sniffing.”) I don’t have a computer here to demonstrate this, but if
you take an old battery-operated transistor radio and set the dial to the
bottom of the AM band around 520, try passing it within a foot of your
computer. Your ear might not pick up the individual signals, but I assure
you there’s equipment that does. That’s why the US Army was blasting rock
music around the Vatican Embassy when Noriega was there – to mask signals.

More important to the average user, though, is avoidance of
electromagnetic fields (such as ringing phones near a disk or disk drive), and
having an automatic disk head ‘parker’ that moves the heads to a safe zone
every few seconds. That way, something like a brief power failure is less
likely to cause a “head crash” on the disk.

Simple visibility of information is a risk. Recently I went to a bank
with a court order in hand to give me access to an account. The clerk
simply turned the terminal toward me and, if I’d wanted to bother, I could
have had the account numbers of two other people with identical names.
There is screen saving software that will blank your screen after an
inactivity duration you choose, and personnel should be made conscious
that unauthorized viewing of information is a security risk. And watch
what your staff throw out on paper, too.

When it comes to fire and water, there are two basic rules that everyone
can follow: first, don’t smoke around the PC, and second, don’t feed the
PC coffee and donuts. You might be able to save a keyboard or some parts
with a bath in distilled water, possibly followed by drying with a warm
hair dryer, but there’s no guarantee. I prefer pure isopropyl alcohol –
without the hairdryer so I don’t get fried in the process. Don’t blast a
computer with a fire extinguisher if you can avoid it. If you do have a
fire or a flood, though, you’d better have a tested disaster recovery
plan, and your backups stored off-site.

All of these issues are reasonably within your control: fraud, theft,
disgruntled employees, practical jokers, fumble fingers, software copying
and physical security, at least as much as the infamous viruses that are
around, but let’s take a look at why you’re at risk.

4. REASONS FOR EXPOSURE


Concentration of data in one place

Instantaneous adjustment

Alteration without a trace

Lack of visible records

Complexity of the system


Technical persons can befuddle

General ignorance by non-techie and management

Detection problems

Lack of training

Security checks in programs not specified

Systems not documented

Limited staff resource for programming/management

No separation of duties

Possibility of enormous losses remaining undetected

Reluctance to report – Embarrassment
Lack of sufficient evidence to prosecute
Cost to prosecute outweighs recovery
Company policy (“Press would have a field day”)

5. GENERAL SECURITY RULES (All Systems, big and small)

Disaster Recovery } Backup Backup Backup
Plan } Restore (test it to make sure it works)

Store your backup off-site (not in your car!)

Physical security

Password for access control (don’t stick your password on
the front of your machine!)

Access to menu only – not to system control level

Reasonableness tests

Balance checks (rounding: up, down, (out?); cross-calculations

Audit trails – all records (terminal i.d., user i.d., date and
time stamping, history record retention)

Fall-through coding (if it doesn’t meet a condition, does it go to limbo?)

Payroll/Accounts payable: don’t pay the same # twice

Fault tolerance level supported (user friendly/hostile –
balance between fault tolerance & productivity)

Call back or no answer on dial-up systems

UPS (Uninterrupted Power Supply, or allowance for graceful
degradation) – or at least an automatic head parker

Logical view rights (your user ‘privileges’ allow access only to the
data you need to see, e.g., accounting clerks don’t need to see
production formulae)

Multi-user environment: protection against deadly embrace

Automatic logoff on inactivity timer / Screen saver

Policy statement re purchasing/use/theft/illegal
software, etc.

Encryption (?) – don’t lose the key!

Shielding (“Tempest” hardware for secure systems)

Educate users
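
Several of the rules above (reasonableness tests, balance checks, audit trails with a before-image, fall-through coding, and not paying the same number twice) can be seen working together in one small posting routine. This is an added example, not part of the original notes; the ledger class, vendor name, user and terminal i.d.s and amounts are constructed for illustration.

```python
from datetime import datetime
from decimal import Decimal


class Rejected(Exception):
    """A transaction failed a control; nothing was posted."""


class PayablesLedger:
    def __init__(self, owed, ceiling):
        self.owed = dict(owed)     # vendor -> Decimal amount currently owed
        self.ceiling = ceiling     # reasonableness limit, chosen by the users of the system
        self.invoiced = {}         # invoice number -> amount entered
        self.paid = {}             # invoice number -> amount paid
        self.audit_trail = []
        self.opening_total = sum(self.owed.values(), Decimal("0"))

    def post(self, txn, user_id, terminal_id, when):
        vendor, kind = txn.get("vendor"), txn.get("type")
        amount, number = txn.get("amount"), txn.get("invoice")
        # Audit trail: terminal, user, date/time and the record as it stood before.
        entry = {"terminal": terminal_id, "user": user_id, "when": when.isoformat(),
                 "txn": dict(txn), "before": self.owed.get(vendor)}
        self.audit_trail.append(entry)   # logged whether or not it is accepted
        try:
            self._apply(vendor, kind, amount, number)
        except Rejected as exc:
            entry["outcome"] = "rejected: %s" % exc
            raise
        entry["outcome"] = "posted"
        entry["after"] = self.owed[vendor]

    def _apply(self, vendor, kind, amount, number):
        if vendor not in self.owed:
            raise Rejected("unknown vendor")
        if not isinstance(amount, Decimal) or not (Decimal("0") < amount <= self.ceiling):
            raise Rejected("amount fails reasonableness test")
        if not number:
            raise Rejected("missing invoice number")
        if kind == "invoice":
            if number in self.invoiced:
                raise Rejected("invoice already entered")
            self.invoiced[number] = amount
            self.owed[vendor] += amount
        elif kind == "payment":
            if number in self.paid:          # don't pay the same number twice
                raise Rejected("invoice already paid")
            if amount > self.owed[vendor]:
                raise Rejected("payment exceeds amount owed")
            self.paid[number] = amount
            self.owed[vendor] -= amount
        else:
            # Fall-through: an unrecognised type is refused, never left in limbo.
            raise Rejected("unknown transaction type %r" % (kind,))

    def balanced(self):
        """Cross-calculation: opening total + invoices - payments equals what is owed."""
        expected = (self.opening_total + sum(self.invoiced.values(), Decimal("0"))
                    - sum(self.paid.values(), Decimal("0")))
        return expected == sum(self.owed.values(), Decimal("0"))


def demo():
    """Post one good payment, then three that the controls should refuse."""
    ledger = PayablesLedger({"ACME SUPPLY": Decimal("500.00")}, ceiling=Decimal("10000.00"))
    when = datetime(1990, 3, 21, 9, 0)
    pay = {"type": "payment", "vendor": "ACME SUPPLY", "invoice": "INV-1",
           "amount": Decimal("200.00")}
    attempts = [pay, pay,
                dict(pay, invoice="INV-2", amount=Decimal("99999.00")),
                dict(pay, invoice="INV-3", type="refund")]
    for txn in attempts:
        try:
            ledger.post(txn, "clerk7", "T12", when)
        except Rejected:
            pass
    return [entry["outcome"] for entry in ledger.audit_trail], ledger.balanced()


if __name__ == "__main__":
    print(demo())
```

An adjustment made to a balance outside `post` leaves no audit entry and makes `balanced()` return False, which is the "failed balance routine" kind of catch the notes describe.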

6. VIRUSES


As in medicine, a virus needs an ‘organism’ to which it may attach itself,
and a virus is ‘contagious’.

In the case of computers, a virus is usually a destructive piece of code
which attaches to a working program, such as your word processor,
spreadsheet or CAD/CAM software. Viruses are usually written to detect
any load of a computer file that has an extension of .EXE, .COM, .OVL,
.BIN – such extensions representing executable programs. Often, the
virus loads itself into memory, then loads the program you just called, so
the virus is sitting at the front. Then when you exit the program, the
virus code calls for the re-writing of the program back onto the disk –
with the virus still sitting at the front. Other viruses simply go
straight into your boot sector, so they get loaded every time you turn on
your machine. Some do both.

However they ‘hide’, and whatever they attach to, they got to your machine
on an infected diskette. If you are infected and then copy your software
to use on another machine, guess what happens? Right! That’s where the
‘contagious’ element comes in.

In 1989, more viruses were discovered than in all previous years. There
were over 110 at the end of the year, and 7 were discovered in December
alone. Sources have been from as far away as Pakistan and Bulgaria.

Only .004% have reported infections, but most are not reported. Consider
this: if only 1% were infected, that would be 1/2 million units in the
U.S. alone. At a cost ranging from $300 to $3,000 per unit to recover,
the problem starts to impact the economy as well as the productivity of
staff at your organization. It cost one Texas company US$10M to shut
down their 3,000-unit network for 4 days to find 35 infected units.

One of the major problems with viruses is that 90% of the users who
recover are re-infected within 30 days. One person at my organization
was re-infected 7 times in 2 months! Most reinfections occur for one of
two reasons (not necessarily in this order): your back-up was infected,
or it was a virus that hid in the boot sector on track 0, and track 0 is
not re-written by the standard “FORMAT” command (only a low-level format
will get rid of a track 0 virus). Be careful of some new software as
well: there has been more than one instance of shrink-wrapped software
being infected (software companies have disgruntled employees, too, it


1959 – Scientific American article about ‘worms’
1963 – caught my first two frauds (Payroll & Accounts Payable)
1970 – Palo Alto lab – worm which directed activities
1982 – Anonymous Apple II worm
1984 – Scientific American CoreWare Series: held contest to
find the most clever/difficult to detect ‘bug’
1987 – Apparent change from intellectual exercise to
dangerous activity.

6.2 EFFECT


Massive destruction: Reformatting
Programs erased
Data file(s) modified/erased

Partial/Selective destruction: Modification of data/disk space
File allocation tables altered
Bad sectors created
If match with event, alter or delete

Random havoc: Altering keystroke values
Directories wiped out
Disk assignments modified
Data written to wrong disk

Annoyance: Message
Execution of RAM resident programs
System suspension


6.3 WHY DO PEOPLE DO IT?

Financial gain
Intellectual exercise
Just plain weird


6.4 SYMPTOMS

Change in file size (Usually on .COM, .EXE,
.OVL, .BIN, .SYS or .BAT files)
Change in update time or date
Common update time or date
Decrease in available disk or memory space
Unexpected disk access
Printing and access problems
Unexpected system crashes
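
The symptoms above that concern program files (change in file size, change in update time, a common update time) can be checked against a stored baseline. This is an added example, not part of the original notes; the function names are hypothetical, and the size increments are copied from the "Increase in Prog'm size" column of the table of virus effects in section 6.8 of these notes. A size match is only a hint to follow up with a scanner, since several entries in that table share the same increase.

```python
import hashlib
import os

# Extensions named in the symptoms list.
EXECUTABLE_EXTS = {".com", ".exe", ".ovl", ".bin", ".sys", ".bat"}

# Size increases taken from the page's table of virus effects (section 6.8).
KNOWN_GROWTH = {
    1168: "1168/Datacrime B", 1280: "1280/Datacrime", 1536: "1536/Zero Bug",
    1701: "1701/Cascade", 1704: "1704/Cascade", 1808: "Jerusalem",
    2086: "Fu Manchu", 3066: "3066/Traceback", 3551: "3551/Syslock",
}


def snapshot(root):
    """Record size, update time and SHA-256 of every program file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in EXECUTABLE_EXTS:
                continue
            path = os.path.join(dirpath, name)
            stat = os.stat(path)
            with open(path, "rb") as handle:
                digest = hashlib.sha256(handle.read()).hexdigest()
            snap[os.path.relpath(path, root)] = {
                "size": stat.st_size, "mtime": int(stat.st_mtime), "sha256": digest}
    return snap


def compare(baseline, current):
    """Return a list of findings for program files that differ from the baseline."""
    findings, changed_at = [], {}
    for path in sorted(current):
        now, old = current[path], baseline.get(path)
        if old is None:
            findings.append({"path": path, "symptom": "new executable"})
            continue
        if now["sha256"] == old["sha256"]:
            continue
        # The hash catches changes even when size and date were left alone.
        delta = now["size"] - old["size"]
        finding = {"path": path, "symptom": "contents changed", "size_delta": delta,
                   "mtime_changed": now["mtime"] != old["mtime"]}
        if delta in KNOWN_GROWTH:
            finding["matches_table_entry"] = KNOWN_GROWTH[delta]
        findings.append(finding)
        changed_at.setdefault(now["mtime"], []).append(path)
    for path in sorted(set(baseline) - set(current)):
        findings.append({"path": path, "symptom": "executable missing"})
    # "Common update time": several changed programs stamped at the same moment.
    for mtime, paths in sorted(changed_at.items()):
        if len(paths) > 1:
            findings.append({"symptom": "common update time", "mtime": mtime,
                             "paths": paths})
    return findings


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, info in sorted(snapshot(root).items()):
        print(path, info["size"], info["mtime"], info["sha256"][:16])
```

Keep the baseline on write-protected media that is only mounted for the comparison, so that whatever changes the programs cannot also change the record of what they looked like.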

6.5 CONCERNS


Variety: Virus vs Bug vs Worm vs Trojan Horse vs Superzapper
vs Trap Doors vs Piggybacking vs Impersonation
vs Wiretapping vs Emulation
Strains / Complexity / Growing Sophistication
Bulletin board use and free software
Largest threats from taking computer work home
Kids using same machine at home
Networked mainframe systems
Travel/airline computers (AA wiped out early 1989)
Work message systems (E-Mail)
POS terminals
Banking / Credit Cards / Money Machines
Income Tax records
Health records

* Global disaster may be on the way *
* No specific laws to deal with malicious programming *
* No single national centre to gather data on infections *


6.6 KNOWN VIRUS SOFTWARE

12 viruses (and their strains) account for 90% of all PC infections:
|_| Pakistani Brain
|_| Jerusalem
|_| Alameda
|_| Cascade (1701/1704)
|_| Ping Pong
|_| Stoned
|_| Lehigh
|_| Den Zuk
|_| Datacrime (1280/1168)
|_| Fu Manchu
|_| Vienna (DOS 62)
|_| April First

6.7 QUICK GUIDE TO VIRUS NAMES (Cross referenced)

Name Synonym-1 Synonym-2 Synonym-3 Synonym-4

1168 Datacrime-B
1184 Datacrime II
1280 Datacrime Columbus Day October 12th Friday 13th
1536 Zero Bug
1701/1704 Cascade Falling Letters Falling Tears Autumn Leaves
1704 Cascade
1704 Cascade-B
1704 Cascade-C
1704 Cascade-D
1704 Format 1704 Blackjack Falling Letters
1704 Blackjack 1704 Format Falling Letters
1808 Jerusalem Black Box/Hole Israeli PLO 1808/1813
1813 Jerusalem Black Box/Hole Israeli PLO 1808/1813
2086 Fu Manchu
3066 Traceback
3551 Syslock
500 Virus Golden Gate
512 Virus Friday 13th COM virus
648 Vienna DOS 62 DOS 68 Austrian
AIDS Info Disk
Alameda Virus Yale Merritt Peking Seoul
Alameda-B Sacramento Yale C
Apple II GS LodeRunner
April 1st SURIV01 SURIV02
April 1st-B
Austrian 648 Vienna DOS 62 DOS 68
Australian Stoned New Zealand Marijuana
Autumn Leaves Cascade 1701/1704 Falling Letters Falling Tears
Basit virus Brain Pakistani Brain Lehore
Black Box Jerusalem Israeli Black Hole 1808/1803 PLO
Black Hole Jerusalem Black Box Israeli 1808/1813 PLO
Black Hole Russian
Blackjack 1704 1704 Format Falling Letters
Bouncing Ball Vera Cruz Ping Pong Bouncing Dot Italian virus
Bouncing Dot Italian virus Bouncing Ball Vera Cruz Ping Pong
Brain-B Brain-HD Harddisk Brain Houston virus
Brain-HD Harddisk Brain Houston virus Brain-B

Brain Pakistani Brain Basit virus Lehore
Cascade 1701/1704 Falling Letters Falling Tears Autumn Leaves
Cascade(-B-C-D) 1704
Century Oregon Jan.1, 2000
Columbus Day 1280/Datacrime October 12th Friday 13th
COM virus 512 virus Friday 13th
COM-B Friday 13th-B
COM-C Friday 13th-C
Cookie virus Sesame Street
Dark Avenger
Datacrime 1280
Datacrime-B 1168
Datacrime-II 1184
dBASE virus
Den Zuk Search Venezuelan
Disk Killer Ogre
Do-Nothing (don’t believe it!)
DOS-62 Vienna DOS-68 648 Austrian
DOS-68 Vienna DOS-62 648 Austrian
Falling Tears Cascade 1701/1704 Falling Letters Autumn Leaves
Falling Letters 1704 Blackjack 1704 Format
Falling Letters Cascade 1701/1704 Falling Tears Autumn Leaves
Falling Letters-Boot Ping Pong B
Fat 12 Swap Israeli Boot
FluShot4 (a corrupted version of a virus detector – use FluShot4+)
Friday 13th 1280/Datacrime Columbus Day October 12th COM
Friday 13th-B COM-B 512
Friday 13th-C COM-C
Fumble Type
Fu Manchu 2086
Golden Gate 500 Virus
Golden Gate -B
Golden Gate-C Mazatlan
Golden Gate-D
Harddisk Brain Brain-B Brain-HD Houston virus
Holland Girl Sylvia
Houston virus Brain-B Brain-HD Harddisk Brain
Icelandic Disk-Crunching-virus Saratoga 2
Icelandic 1 Saratoga 1
Icelandic 2 System virus
IRQ v. 41
Israeli Friday13 Jerusalem Black Box/Hole 1808/1813 PLO
Israeli Boot Swap Fat 12

Italian virus Bouncing Ball Vera Cruz Ping Pong Bouncing Dot
Jan.1, 2000 Century Oregon
Jerusalem Israeli Black Box/Hole 1808/1813 PLO Friday 13th
Jerusalem-B New Jerusalem
Lehore Brain Pakistani Brain Basit
LodeRunner Apple II GS
MacMag Peace virus
Madonna (while the nice music plays, your hard disk is being destroyed)
Marijuana New Zealand Stoned
Mazatlan Golden Gate-C
Merritt Alameda virus Yale Peking Seoul
Music virus Oropax virus
New Jerusalem Jerusalem-C
New Zealand Stoned Marijuana Australian
New Zealand-B Stoned-B
New Zealand-C Stoned-C
October 12th 1280/Datacrime Columbus Day Friday 13th
Ogre Disk Killer
Oregon Century
Oropax virus Music virus
Pakistani Brain Lehore Basit Brain
Palette Zero Bug
Peace Virus MacMag
Peking Alameda virus Yale Merritt Seoul
Ping Pong Bouncing Dot Italian virus Bouncing Ball Vera Cruz
Ping Pong-B Falling Letters-Boot
PLO Jerusalem Friday 13th 1808/1813 Israeli
Russian Black Hole
Sacramento Alameda-B Yale C
Saratoga 1 Icelandic 1
Saratoga 2 Icelandic Disk-Crunching-virus
Search Den Zuk Venezuelan
Seoul Alameda virus Yale Merritt Peking
Sesame Street Cookie virus
SF virus
Shoe virus UIUC virus (see also Terse Shoe)

Shoe virus-B
Stoned New Zealand Marijuana Australian
Stoned-B New Zealand-B
Stoned-C New Zealand-C
SRI (destroys anti-viral programs before it damages your system)
SURIV01 April 1st
SURIV02 April 1st
Swap Israeli Boot Fat 12
Sylvia Holland Girl
Syslock 3551
System virus Icelandic 2
Terse Shoe (see also Shoe virus)
TP04VIR Vacsina
TP25VIR Yankee Doodle
TP33VIR Yankee Doodle
TP34VIR Yankee Doodle
TP38VIR Yankee Doodle
TP42VIR Yankee Doodle
TP44VIR Yankee Doodle
TP46VIR Yankee Doodle
Traceback 3066
Typo (boot)
Typo (COM) Fumble
UIUC virus Shoe virus
Venezuelan Den Zuk Search
Vera Cruz Ping Pong Bouncing Dot Italian Virus Bouncing Ball
Vacsina TP04VIR
Vienna DOS-62 DOS-68 648 Austrian
Yale Alameda virus Merritt Peking Seoul
Yale C Alameda-B Sacramento
Yankee Doodle TP25VIR
Yankee Doodle TP33VIR
Yankee Doodle TP34VIR
Yankee Doodle TP38VIR
Yankee Doodle TP42VIR
Yankee Doodle TP44VIR
Yankee Doodle TP46VIR
Zero Bug 1536

6.8 TABLE OF VIRUS EFFECTS (by virus name)

This information is a reformatted version of that which was made
available to the writer by the National Computer Security Association,
Suite 309, 4401-A Connecticut Ave. NW, Washington, D.C., 20008.

This list is not as complete as the list of names preceding. Since
viruses must be created and caught before they can be analyzed for the
type of information that follows, this list will never be as complete as
the list of names. In some instances, you may have been infected with a
variation of the name. You might wish to check this list for all
possible variations of a name you’ve found on the list of synonyms.

Explanation of codes used under “What it does”, and analysis of frequency
of occurrence of each effect:

—— – ———– –
1. Virus uses self-encryption 13 12
2. Virus remains resident 83 74
3. Infects COMMAND.COM 8 7
4. Infects .COM files 62 55
5. Infects .EXE files 41 37
6. Infects .OVL files 15 13
7. Infects floppy disk boot sector 36 32
8. Infects hard disk boot sector 14 13
9. Infects partition table 1 1
10. Corrupts or overwrites boot sector 31 28
11. Affects system run-time operation 53 47
12. Corrupts program or overlay files 57 51
13. Corrupts data files 4 4
14. Formats or erases all/part of the disk 17 15
15. Corrupts file linkage (FAT) 9 8
16. Overwrites program 4 4
17. Mac virus (as opposed to PC virus) 2 2

Increase in Disinfector
VIRUS NAME Prog’m size that works What it does
———- ———– ———– ————

1168/Datacrime B 1168 SCAN/D 1, 4, 12, 14
1184/Datacrime 2 1184 1, 4, 5, 12, 14
123nhalf 3907 2, 5, 11, 13
1280/Datacrime 1280 SCAN/D 1, 4, 12, 14
1514/Datacrime II 1514 SCAN/D 1, 4, 5, 12, 14
1536/Zero Bug 1536 SCAN/D 2, 4, 11, 12
1701/Cascade 1701 M-1704 1, 2, 4, 11, 12
1704/Format 1704 M-1704 1, 2, 4, 11, 12, 14
1704/Cascade 1704 M-1704 1, 2, 4, 11, 12
1704/Cascade-B 1704 M-1704 1, 2, 4, 11, 12
1704/Cascade-C 1704 1, 2, 4, 11, 12
1704/Cascade-D 1704 1, 2, 4, 11, 12
2930 2930 SCAN/D 2, 4, 5, 12

3066/Traceback 3066 M-3066 2, 4, 5, 12
3551/Syslock 3551 SCAN/D 1, 4, 5, 12, 13
3555 3555 1, 3, 4
405 SCAN/D 4, 16
AIDS Info Disk 0 AIDSOUT 11
Alabama 1560 SCAN/D 2, 5, 11, 12, 15
Alameda-B 2, 7, 10
Alameda-C 2, 7, 10
Alameda/Yale MDISK 2, 7, 10
Amstrad 847 SCAN/D 4, 12
April 1st 2, 4, 11
April 1st-B 2, 5, 11
Ashar MDISK 2, 7, 10
Black Hole 1808 2, 4, 5, 6, 11, 12, 15
Brain-B 2, 7, 8, 10
Brain-C 2, 7, 8, 10
Century 2, 4, 5, 6, 11, 12, 14, 15
Century-B 2, 4, 5, 6, 11, 12, 14, 15
Clone-B 2, 7, 10, 15
Clone virus 2, 7, 8, 10
dBASE 1864 SCAN/D 2, 4, 11, 12, 13
DOS-62-B 3, 4, 11
DOS-62-UNESCO 650 3, 4, 11
Dark Avenger 1800 M-DAV 2, 3, 4, 5, 6, 11, 12, 15
Datacrime II-B 1917 SCAN/D 1, 3, 4, 5, 12, 14
Disk Killer MDISK 2, 7, 8, 10, 11, 12, 13, 14
Do-Nothing 608 SCAN/D 4, 12
Fri 13th COM 512 SCAN/D 4, 12
Fri 13th COM-B 512 4, 12
Fri 13th COM-C 512 4, 12
Fu Manchu 2086 SCAN/D 2, 4, 5, 6, 11, 12
Ghost-Boot ver. MDISK 2, 7, 8, 10, 11
Ghost-COM ver. 2351 SCAN/D 4, 10, 12
Golden Gate 2, 7, 10, 14
Golden Gate-B 2, 7, 10, 14
Golden Gate-C 2, 7, 10, 14
Golden Gate-D 2, 7, 10, 14
IRQ v. 41 4, 5, 11
Icelandic I 642 SCAN/D 2, 5, 11, 12
Icelandic II 661 SCAN/D 2, 5, 11, 12
Italian/Ping Pong MDISK 2, 7, 10, 11
Italian-B MDISK 2, 7, 8, 10, 11
Jerusalem 1808 SCAN/D/A 2, 4, 5, 6, 11, 12
Jerusalem-B 1808 M-JERUSLM 2, 4, 5, 6, 11, 12
Jerusalem-C 1808 2, 4, 5, 6, 11, 12
Jerusalem-D 1808 2, 4, 5, 6, 11, 12
Jerusalem-E 1808 2, 4, 5, 6, 11, 12, 15
Jork 2, 7, 10
Lehigh SCAN/D 2, 3, 12, 14, 16
Lehigh-2 2, 3, 12, 14, 15, 16
Lisbon 648 SCAN/D 4, 12

– 18 –

MIX1 1618 SCAN/D 2, 5, 11, 12
New Jerusalem 1808 M-JERUSLM 2, 4, 5, 6, 11, 12
New Zealand MD 7
New Zealand-B 7, 8
New Zealand-C 7, 8
nVIR 11, 17
Ohio MDISK 2, 7, 10
Oropax 2, 4
Pakistani Brain MDISK 2, 7, 10
Palette/Zero Bug 1536 2, 3, 4,
Payday 1808 M-JERUSLM 2, 4, 5, 6, 12
Pentagon MDISK 7, 10
SF Virus 2, 7, 11, 14
SRI 1808 2, 4, 5, 6, 11, 12
SURIV01 897 SCAN/D 2, 4, 11, 12
SURIV02 1488 SCAN/D 2, 5, 11, 12
SURIV03 SCAN/D 2, 4, 5, 6, 11, 12
SYS 2, 7, 8, 11, 12
SYS-B 2, 7, 8, 11, 12
SYS-C 2, 7, 8, 11, 12
Saratoga 632 SCAN/D 2, 5, 11, 12
Saratoga-2 2, 5, 11, 12
Scores 11, 17
Search HD 2, 7, 8, 10, 11
Search-B 2, 7, 10, 11
Search/Den Zuk MDISK 2, 7, 10, 11
Shoe virus 2, 7, 8, 10
Shoe virus-B 2, 7, 10
Stoned/Marijuana MDISK/P 2, 7, 9, 10, 11, 15
SumDOS 1500 4, 5, 14
Sunday 1636 SCAN/D 2, 4, 5, 6, 11, 12
Swap/Israeli Boot MDISK 2, 7, 10
Sylvia/Holland 1332 SCAN/D 2, 4, 12
Terse Shoe virus 2, 7, 10
Typo (Boot) MDISK 2, 7, 8, 10, 11
Typo/Fumble (COM) 867 SCAN/D 2, 4, 11, 12
Vacsina/TP04VIR 2, 4, 5
Vienna-B 648 SCAN/D 2, 4, 5, 12
Vienna/648 648 M-VIENNA 4, 12
Yankee Doodle 2855 SCAN/D 2, 4, 5, 11, 12
Yankee Doodle/TP25VIR 2, 4, 5
Yankee Doodle/TP33VIR 2, 4, 5
Yankee Doodle/TP34VIR 2, 4, 5
Yankee Doodle/TP38VIR 2, 4, 5
Yankee Doodle/TP42VIR 2, 4, 5
Yankee Doodle/TP44VIR 2, 4, 5
Yankee Doodle/TP46VIR 2, 4, 5
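
The “Increase in Prog’m size” column above lends itself to a baseline check: record the size and hash of every program file while the disk is known clean, then compare later. The Python below is an added example, not part of the original list; the file names and contents are constructed, and the growth table holds only a few rows copied from above.

```python
import hashlib

# Growth in bytes -> names, copied from a few rows of the table above.
KNOWN_GROWTH = {
    648: ["Lisbon", "Vienna-B", "Vienna/648"],
    1701: ["1701/Cascade"],
    1808: ["Black Hole", "Jerusalem", "New Jerusalem", "Payday", "SRI"],
    3066: ["3066/Traceback"],
}
PROGRAM_EXTS = (".COM", ".EXE", ".OVL")  # file types named in effect codes 4-6


def snapshot(files):
    """Map {name: bytes} to {NAME: (size, sha256 hex)}."""
    return {n.upper(): (len(d), hashlib.sha256(d).hexdigest())
            for n, d in files.items()}


def compare(baseline, current):
    """Return (name, status, growth, table_matches) for suspicious program files."""
    findings = []
    for name, (size, digest) in sorted(current.items()):
        if not name.endswith(PROGRAM_EXTS):
            continue
        if name not in baseline:
            findings.append((name, "new", None, []))
            continue
        old_size, old_digest = baseline[name]
        if digest != old_digest:
            growth = size - old_size
            findings.append((name, "changed", growth, KNOWN_GROWTH.get(growth, [])))
    return findings


def demo():
    """Constructed sample: clean baseline vs. a later state of the same disk."""
    clean = {"COMMAND.COM": b"\x90" * 2000, "GAME.COM": b"\x01" * 900,
             "EDIT.EXE": b"MZ" + b"\x02" * 500, "NOTES.TXT": b"hello"}
    later = dict(clean)
    later["GAME.COM"] = clean["GAME.COM"] + b"\xcc" * 1701   # grew by 1701 bytes
    later["EDIT.EXE"] = b"MZ" + b"\x03" * 500                # same size, new content
    later["NOTES.TXT"] = b"hello again"                      # data file, ignored here
    later["TOOL.COM"] = b"\x04" * 300                        # not in baseline
    return compare(snapshot(clean), snapshot(later))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A size match is a lead, not an identification: several names share 1808 bytes, and an overwriting infector (effect 16) leaves the size unchanged, which is why the hash is compared as well. Boot sector infectors (effects 7 to 10) are outside what a file baseline can see.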


*** None offer complete protection ***

Some do NOT test for boot sector viruses, modification of the command
interpreter, branching into the BIOS, etc., unconventional things that
nasty viruses are known to do. This is not a comprehensive list, but
you’ll have an idea of what’s available, either commercially or through
public domain. Look for a product that will detect as many of the
effects identified in the previous section as possible. Warning: some
highly publicized virus detectors only search for ONE (1) virus! Others
are more sophisticated, and may even act as a disinfector as well as a

Old virus symptoms vs file changes

Disk Defender * recommended (add-on board – write-protects hard disk)
Disk watcher
Dr. Panda Utilities
IBM – COMPare in DOS
Mace vaccine
Magic Bullets
Sentry * recommended for systems booted regularly
Virus-Pro * recommended for large corporate environments
Shareware: Novirus

Plus what’s shown on preceding pages as a “Disinfector that works”. I
also have a list of over 100 shareware products that do everything from
detect and/or disinfect to write-protecting the hard drive and requiring
password access …. but my fingers are getting tired from typing at this
point, and there are more important things to cover – after all, if
you’re careful, you won’t need a list of detectors/disinfectors.


While a “virus” is something hidden within another program that is
waiting to make your system really sick, and a “worm” may be something
that lives on its own and usually transmits through networked computers,
a “Trojan Horse” is a little of both, so I’ve included it with this virus
section if only to warn you of its existence. It lives on its own as a
program, and will bring you down like Helen of Troy’s soldiers. “I
wouldn’t copy something like that,” you say. Well, like Helen’s horse,
it comes disguised. It will purport to do something really neat, like
compress files (so you have more disk space available), sort your
directories (so you can find things more easily), or play chess or
another game with you. In actuality, it’s really just waiting to do the
things that viruses do – trash your files, scramble your boot sector, fry
your FAT, or erase your hard disk. It doesn’t usually do anything it
promises to do.

The following are just a few examples of the known Trojan Horses, most
of which come from bulletin boards. Please don’t misunderstand me, most
BB operators are honest people who are trying to help the computer
industry as

Screwing with School Computers, by Liquid Bug

*** Screwing with School Computers ***

Hacking is all about information. To become a hacker you must learn everything you know
on your own or by listening to other hackers. Schools and what they call “education” have little
to do with learning. So this file is here to show you some truly productive things to do at

Most middle and high schools use Macintosh computers for 2 reasons. They’re easier to use
and harder to fuck up. Almost all school computers use some sort of security program. Here I
will discuss how to get around two popular security programs: FoolProof and At Ease. You can
probably use these methods on other programs as well.

– FoolProof: FoolProof is a program that locks up parts of the computer. It is run thru the
extension FoolProof INIT whenever the computer is started up. The first thing to try is to
hold SHIFT during startup to turn the extensions off. Sometimes this works. Sometimes it
doesn’t. If this does work, try to copy FoolProof onto a disk to use as an unlock disk if you
ever come to a computer where the extensions off method doesn’t work. If shift doesn’t work
there are a few other things you can do. If you just want to get into a locked folder just do a
FIND and search for a file you know is inside. Example: You want to get into the System folder.
Go to FIND and search for FINDER, a file you know is inside System Folder. It will bring you to
the Finder, inside the System Folder. From there you can use anything else inside. Sometimes
every single file inside the System Folder will also be locked and then this doesn’t work. If all
else fails you need to get an unlock disk. Here is how to make and use one:

1) Go to an old computer such as a Mac Classic and hold shift during start-up.
2) FoolProof should be turned off along with the extensions.
3) Copy FoolProof onto a disk
4) Take the disk to a locked computer
5) Run FoolProof off the disk
6) It’ll display some message asking you if you want to shut down the other version of
FoolProof running. Click YES.

If you can’t get to a computer where the extensions off method works tell a nice teacher that you
need to move some files and you need FoolProof to be off. He should turn it off and when he
isn’t looking you can copy FoolProof to a disk.

– At Ease: At Ease is a different Operating System than the Mac OS and it won’t let you out
unless you have the password. If you have a knack for guessing passwords try that. Do this: hold
COMMAND and hit the POWER key. You should get a box with a little > prompt. Type G FINDER to
get back to the finder. If this doesn’t work run as many applications as you can to clog up
memory. You should soon get a message saying “Not enough memory to run this application, would
you like to close At Ease?” Click yes (no, really?).

Things to do to a computer once it’s unlocked:
– Change the colors: Go into Control Panel and change the colors of everything. It should
annoy sysadmins a bit.

– Change the font: Change the main font to Zapf Dingbats or Symbol so no one can read the
titles to things.

– Change icons: Change the names and pictures of a bunch of icons

– Put messages in StartUp items: Type a message and put it into the Startup Items menu.

– Shut down on StartUp: Go to Apple Menu Items and get the Shut Down item. Put it into the
StartUp Items folder. Gee, I wonder what that would do?

– Relock: If you can get a version of FoolProof with no password assigned put it into use
with a different password so teachers will be locked out of their computers.

There are bajillions of other cool tricks you could do, so just play around. Remember:
Anyone can delete a file. There’s no challenge in that, it’s just vandalism. It is much better
to make a kewl alteration to something than to delete it.

Fun stuff to do to Netscape:

– Change the home page location to either your own page or a really nasty site.

– Change the font to Zapf Dingbats or Symbol

– Select “Always use my colors” on the Color prefs and change the background, foreground and
links to white. It’ll be more than slightly annoying.

Prank E-Mailing:

Change the Identity settings to someone else and send nasty E-Mail messages to all your favorite
teachers. Or if you really hate a teacher you can SPAM them like this:

1) First send as many messages as you can to the target with large attachments.
2) Go on the internet and sign the target up for a million mailing lists. A great place with
tons of mailing lists to sign her/him up for can be found at the “List of Entemology Resources
on the Web — complete”. Just type “insects” at infoseek.
3) Go into a weird newsgroup and type a bunch of messages asking people to mail you back as
the target’s address.

The Administration Shared Disk:

This is the server disk in which all the information about Grades, Discipline and a bunch of
other crap is stored. Sometimes you can find a link to it on a student computer by searching for
these words: “admin”, “shared disk”, and the name of your school district. If you get to it you
will probably need a User Name and password. Type the name of one of the Sysadmins at the school
in a bunch of formats like “last, first initial”, “last, first”, “first last” and so on. Then
try to guess a password. Use things like the person’s kids’ names, wife’s names and words like
“secret”, “password”, “school”, “education” or other info. An easier way to get onto the
shared disk is to get on it directly from a sysadmin computer. Here is a way to get access to one:

1) While your class is doing a report get some info on it onto a Mac formatted disk.
2) Right after school gets out, find a nice teacher that looks busy.
3) Tell him/her that you have info on a Mac disk and you need to get it put onto an IBM disk
so you can take it home to work on (tell him you have an IBM at home).
4) Ask him how you would do that (even though you probably know) just to act stupid.
5) He should tell you how and let you use the computer.
6) Start to copy the files and reformat like you are supposed to be doing really slow until
he turns his back.
7) FIND the sysadmin shared disk and copy as much info as you can into a folder marked personal
on the disk.
8) Finish the copying and formatting.

The reason you named it personal is in case he wants to look in the folder you can just
tell him it’s private. Now you can read all the info and alter it to your liking. This may
contain info on passwords and other important stuff. After you edit it on the disk do the same
trick again either the next day (pretend you need to change them back to Mac files) or some
other day to a different teacher and replace the info currently on there with the new stuff.
If the reformat trick doesn’t work here are some others:

– One day when you get in trouble and are in the principal or vice-principal’s office, if he
leaves the room for a while, really quickly copy the files. This is why you should ALWAYS carry
a disk in your pocket. It will come in handy.

– Simply sneak into a classroom while the teacher’s at lunch

Fun stuff you can get off the net. Go to El Grande’s Mac Hack page (just look up
“El Grande’s Mac Hacks” on infoseek). There are a bunch of cool Mac tricks that are very good
for usage on school computers.

Hacking from home: I’m not quite sure if it would be any use, but here is a way to get
the phone number of any school computer:

If your phone company has a number you can dial to find out where you are at (like 811) then
just do this: Go into a terminal (such as Microsoft Works Communications), dial 811 and listen
really closely to the computer. You should be able to make out a number.

If your phone company has no such service then try this:

Right before you come home from school do this:

1) Go into a terminal (such as Microsoft Works Communications)
2) Dial your home phone number and let someone pickup and say “Hello” about 5 times or if no
one’s home just let it ring for a while.
3) Go directly home, immediately.
4) Run to the phone and dial *69
5) If no one has called after you did, it should tell you the number of the computer you
dialed from.

That’s about it. This whole time I have been under the assumption that your school uses
Macs. If it doesn’t there are many more tricks you can do on a PC as long as you know your
way around DOS. If you are fluent with DOS you have infinite power on a PC.

| _________________________ |
|| /\ /\ ||
|| \ ___ / ||
|| <.> <.> Liquid Bug ||
|| \ / ||